Messages - Ciprian

166
Intrusion Detection and Prevention / Re: OpenVPN interface + IDS/IPS
« on: January 22, 2018, 01:25:05 pm »
Clear now!

In another beam of light, I wonder what most of the users around here should think about us, especially reading your signature stating 1 Gb/s download, 0.5 Gb/s upload, since we keep on firing "crappy devices" our ISP is using for residential. :)

167
Intrusion Detection and Prevention / Re: OpenVPN interface + IDS/IPS
« on: January 22, 2018, 11:27:09 am »
I suppose you do have the same Huawei "all-in-one" crap as I have, doing Media Conversion (from fiber to UTP) + GW/ NAT + DNS FWD + DHCP + Wi-Fi (2.4 GHz only, crappy throughput).

Again, just to be clear (and again, I might be the one who's wrong), but instead of
Quote
My device has two modes: router and bridge
you have

My device has two modes: GW/ FW/ NAT and bridge

Again (did I say "again" for the third time? :) ), as far as I know, a router never does NAT or port forwarding (PAT) - hence FW stuff - it only routes every packet from one interface (IP address) to another interface (IP address). Am I correct? Or maybe I'm not, and with or without NAT/ PAT, there is only one thing, and it's named "routing"?!?!

PS. I bring up that even in OPNsense, you have the option to disable "Firewall", which states in the help comments that

Warning: This will convert into a routing-only platform!
Warning: This will also turn off NAT!
If you only want to disable NAT, and not firewall rules, visit the Outbound NAT page.


This, again, makes me conclude that a router is a router, and only routes packets from one interface to another based on routing rules - but not FW/ GW/ NAT/ PAT rules - never replacing the source IP address (NAT) and/or source port (PAT) of the originating packet.

168
Tutorials and FAQs / Re: OPNSense as WiFi Client + WiFi access point + LAN Router
« on: January 22, 2018, 09:58:21 am »
Quote from: ARMADA on January 21, 2018, 09:18:37 pm
It detects:
USB Wifi as ath0
Internal WiFi as ath0_wlan0
LAN Card as msk0

Assign interfaces as follows:

ATH0 - WAN
MSK0 - LAN
ATH0_WLAN0 - OPT1 (if you want, rename it to something like Wi-Fi LAN, or alike...)

If you need clients from MSK0 and ATH0_WLAN0 to be in the same network, you need to bridge these two interfaces.

169
17.1 Legacy Series / Re: OPNsense vs. pfSense article - any thoughts on that?
« on: January 22, 2018, 09:20:01 am »
Oh, Franco, you're so mean!... :D

170
Tutorials and FAQs / Re: Update SSL Road Warrior VPN Wiki
« on: January 22, 2018, 09:15:06 am »
Sure thing!

I didn't even observe it's not in the Documentation/ How-To/ Wiki.... But sure thing it's not working without, I have Access Lists in Outbound for HQ + 4 branches.

I only regret I didn't provide this sooner, didn't realize so many people needed it and didn't know it.

171
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 22, 2018, 08:54:28 am »
Quote from: franco on January 20, 2018, 08:45:31 pm
Hey elektroinside ,

Thanks for the heads-up! This one should do it? :)

https://github.com/opnsense/core/commit/573612d48


Cheers,
Franco

And maybe (rather, surely) from now on it is a lot easier to find the culprit rule(s) or ruleset(s) crippling any other network service.

172
17.1 Legacy Series / Re: OPNsense vs. pfSense article - any thoughts on that?
« on: January 22, 2018, 08:48:59 am »
Quote from: franco on January 22, 2018, 08:23:25 am
We have our own interesting announcement to share on top of the 18.1 release next week. It's mainly a twist to what is already possible, but it may have major implications for making a favourable decision towards OPNsense in the future. ;)


Cheers,
Franco

Is it 29th of January yet?!?! :D

I can barely wait, would you please spoil something, better now than later? :)

173
General Discussion / Re: How to open specific ports?
« on: January 19, 2018, 01:59:11 pm »
Quote from: Dzioobasek on January 19, 2018, 01:52:34 pm
Nope, I have unchecked those and then everything is blocked.
I'm going home, if you give me any tips I'll try them on Wednesday. Have a nice weekend guys!

PS
This should be official guide.

hutiucip - it's all checked by default

Leave them checked: as they state "Disable hardware 'bla-bla-bla' offload" it means unchecking them enables/ activates offloads. Negation of negation = affirmation / non p and non p = non non p = p (if I remember it accurately) :)

174
General Discussion / Re: How to open specific ports?
« on: January 19, 2018, 01:51:08 pm »
As far as I remember, Hardware Offloading is, by default, OFF.
Only check!

175
General Discussion / Re: How to open specific ports?
« on: January 19, 2018, 10:39:17 am »
Quote from: Dzioobasek on January 19, 2018, 10:29:01 am
I'm trying this but I have a problem in the IDS/IPS part. If I check IPS it blocks access to the internet and access to OPNsense.

It shouldn't! Maybe you checked (as in, enabled and set to block) each and every rule in each and every ruleset, without checking what each is doing?!?! :-\

Quote from: Dzioobasek on January 19, 2018, 10:29:01 am
Also in point 5. Select all Home networks - I don't have such an option, only LAN and WAN.

Click on "advanced mode" (upper left corner - vis-a-vis of "full Help")

176
Intrusion Detection and Prevention / Re: OpenVPN interface + IDS/IPS
« on: January 19, 2018, 10:27:31 am »
Quote from: elektroinside on January 18, 2018, 05:48:53 pm
And in this case, I'm also double NATting, which is not a good idea (double maintenance at least)...

I am exposing with NAT quite a few ports (delicate services) from a few LAN clients to the internet... well, to a handful of trusted clients coming from the internet anyway, so I'm trusting pf to do what it does best, but nothing else, with emphasis on 'as few points of failure as possible' :)

I might be wrong, but if a device works in route mode, this implies that it's not NAT-ing anything: route <> NAT/ PAT.
For the rest of it (not quoted) you're right.

Quote from: elektroinside on January 18, 2018, 03:27:57 pm
Sad day it is...

I would need to talk with my ISP, see if there is any possibility to ditch the PPPoE link, way too many issues with it... well none of them critical, just annoying :)

[Sorry for the off-topic, I'll keep it short] Tell me if you obtained such a thing from the ISP, I have the same ISP and bandwidth as you. Maybe it would be a good idea for several of us to ask for this?!?! :-\

177
17.7 Legacy Series / Re: Insights tracking to Host Name
« on: January 19, 2018, 09:20:56 am »
It's not in there, yet.
I'll have the ticket posted.

178
17.7 Legacy Series / Re: Insights tracking to Host Name
« on: January 19, 2018, 09:17:15 am »
Hello!

Is it possible to have name resolution for the Details tab as well? And maybe even in the Export (exported file)?
Thank you!

179
17.7 Legacy Series / Re: vLAN Traffic - Allow Internet, Block Inter-vLAN Routing
« on: January 18, 2018, 01:42:43 pm »
Hi!

I would follow (and adapt, if needed) the guide regarding guest networks (found in the documentation, at https://docs.opnsense.org/manual/how-tos/guestnet.html).

I suggest, since it's about more than one guest net, to make a group of interfaces, containing the guest VLANs you have for your neighbors.

PS I am not quite aware of what your VLANs represent
Quote
example vLAN10 can access vLAN20, But vLAN20 (guests,neighbor) cannot access vLAN10.
but I wouldn't allow traffic in between neighbors - assuming VLAN 10 is a neighbor's net, and VLAN 20 is another's...

180
Tutorials and FAQs / Re: Fast and easy way to protect your home and/or small office network with OPNsense
« on: January 18, 2018, 12:54:03 pm »
Not because you're from Romania (me too :) ), but bravo for your guide, excellent work.

Only one addition (and maybe you can add this to your post?!): Please be aware that IPS rulesets like ET open/emerging-current_events and ET open/emerging-dos - I don't know the exact rule(s) in the ruleset(s), though - caused issues for me, in between internal interfaces (e.g. CorpLan <-> Servers, Core <-> Management) traffic, like RDP session, Veeam Back-up speed/ sustainability, etc. The most important thing, those issues weren't listed on the "Alerts" list. Neither as blocked, nor otherwise. This being the reason I didn't identify the exact problematic rules, didn't have the time and/or patience to "ad labam" verify every rule in every ruleset.

I advise everyone, especially if on a production/ critically available network, to check rulesets and rules on a one-by-one activation/ deactivation approach, especially if network services are crippled without any apparent reason.

Cheers.
