Messages - miroco

91
18.1 Legacy Series / Re: unbound dns problem
« on: June 26, 2018, 12:54:55 pm »
I have experienced the same issue. I'd like to point out that I use dns-over-tls.

Changing the interfaces from the selected few to all (default) makes Unbound stop dead. I'm running 18.1.10 with LibreSSL and with Unbound 1.73 test version.

https://forum.opnsense.org/index.php?topic=8943.0

92
18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers
« on: June 22, 2018, 03:25:23 pm »
Upgrading to 18.1.10 I stayed with the OpenSSL version for a few hours, my default. I had no issues. It was a plain upgrade from 18.1.9 without any changes to the configuration. I then switched to the LibreSSL version (I did not forget the compulsory upgrade) and for the first time, dns-over-tls worked equally well as with OpenSSL. At least as far as I can assess. It's been close to 24 h since I made the switch.

93
18.1 Legacy Series / Re: Routing question
« on: June 08, 2018, 11:40:17 pm »
I'm also interested in an answer to this question. However, I'm not proficient enough to wrap my head around it, but I found an interesting Cisco post where at least a related issue was discussed.

https://learningnetwork.cisco.com/thread/28157

94
Hardware and Performance / AirCube a WiFi access point
« on: May 27, 2018, 06:54:10 pm »
Does anyone have experience with the Ubiquiti AirCube ISP and/or AC? The AirCube is a consumer-grade WiFi access point. The "ISP" version is a 2.4 GHz-only device, whereas the "AC" version supports both 2.4 and 5 GHz modes. The May 7th firmware changelog (the latest) contains a comprehensive description of features.

https://www.ubnt.com/accessories/aircube/

https://www.ubnt.com/downloads/firmwares/airCube/v2.2.0/changelog.txt

https://community.ubnt.com/t5/airCube/bd-p/airCube

https://www.youtube.com/watch?v=UnYRT7wI-Vs

A few points of sale in the EU.

https://www.amazon.co.uk/
https://www.amazon.de/
https://www.eurodk.com/
https://www.irishwireless.net/

95
18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers
« on: May 07, 2018, 04:22:41 pm »
Switching from LibreSSL to OpenSSL and DNS-over-TLS (Quad9 and Cloudflare) has been working for 48 h straight. Few and expected entries in the Unbound log during that time frame. I'm still on 18.1.7_1.

96
18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers
« on: May 04, 2018, 10:22:02 pm »
For me it works for an hour or two, then it stops. The Unbound log is swamped with these. I'm on 18.1.7_1, LibreSSL flavour.

97
18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers
« on: April 04, 2018, 10:14:07 am »
There is an updated version of unbound available - 1.7.0

Amongst the features:

"Accept tls-upstream in unbound.conf, the ssl-upstream keyword is also recognized and means the same. Also for tls-port, tls-service-key, tls-service-pem, stub-tls-upstream and forward-tls-upstream."

http://www.unbound.net/download.html

98
Hardware and Performance / Re: PC Engines - about Spectre and Meltdown vulnerabilities
« on: March 15, 2018, 04:08:34 pm »
Thank you for straightening this out. I'm however convinced that this is not the last take on this issue.  :)



Regards,


Miroco

99
Hardware and Performance / PC Engines - about Spectre and Meltdown vulnerabilities
« on: March 15, 2018, 01:58:32 pm »
In view of the upcoming speculative execution kernel patch for amd64, planned for 18.1.5 and the APU2C4 board.

https://forum.opnsense.org/index.php?topic=7595.0

PC Engines - about Spectre and Meltdown vulnerabilities

http://pcengines.ch/spectre.htm

On one hand, a microcode update seems to be necessary in part to mitigate the effects of the Spectre vulnerability. On the other hand, it seems that PC Engines' standpoint is that "the vulnerability must be handled at the OS level". That's consistent with the upcoming patch, but not a word about a microcode update?

Is there a discrepancy, or have I misunderstood the complexity of the problem?


Regards,


Miroco

100
17.7 Legacy Series / Re: Using Dynamic DNS for OpenVPN server
« on: December 17, 2017, 01:31:13 pm »
Hi think24,


If I got you right, you can do that under VPN -> OpenVPN -> Client Export -> Host Name Resolution -> Dynamic DNS: YourDynamicDns.com

Then you export your client (.ovpn) file.


miroco

101
17.7 Legacy Series / Re: I seriously cannot install opnsense on to USB
« on: December 04, 2017, 10:44:21 pm »
Give Etcher a try.

https://etcher.io

It writes images to both SD cards and USB drives.


Windows x86/x64

macOS x64

Linux x86/x64

102
17.7 Legacy Series / Re: HAProxy: OpenVPN & Webpage on port 443
« on: November 20, 2017, 11:42:26 am »
I wonder if the "port-share" option in OpenVPN server could be of help?

https://www.bestvpn.com/how-to-hide-openvpn-traffic-an-introduction/

Look for "Sinister Brain" in the comments section.


Regards,


Miroco

103
17.7 Legacy Series / Re: [SOLVED] Suricata and port 443
« on: September 22, 2017, 12:49:05 pm »
The root of the problem was that the 3 x hardware offload was already disabled by default. That gave the impression of a false double negative that confused me.

Both the DDNS service updating and OpenVPN are now working.


Miroco

104
17.7 Legacy Series / [SOLVED] Suricata and port 443
« on: September 16, 2017, 03:51:24 pm »
Suricata and port 443

As soon as I enable IPS mode under Intrusion Detection, the No-IP DynamicDNS update fails. This also makes my OpenVPN Server fail. It’s a road warrior style configuration using port 443.

I set out to try the abuse.ch ruleset and IPS. The ruleset does not seem to play a part in this, but IPS definitely does. The mandatory 3x hardware offloading is disabled.

Sep 14 20:38:348         opnsense:/usr/local/etc/rc.dyndns: curl error occurred: Failed to connect to dynupdate.no-ip.com port 443: Operation timed out

If I uncheck IPS mode, the problem goes away and I can connect to my OpenVPN server.

Sep 14 20:47:36         opnsense:/usr/local/etc/rc.bootup: DynamicDNS (xxxxxxxxxxxx.ddns.net): (Success) DNS hostname update successful.

I’m on OPNsense ver. 17.7.2


Perhaps a related issue.

https://forum.opnsense.org/index.php?topic=4727.0

Miroco

105
Hardware and Performance / Re: apu2c4 with SSDNow mS200
« on: August 25, 2017, 12:12:49 am »
Hi Bart and Franco,


Thank you both for straightening this out. I’m using this setup in a home environment (5 devices). I’m planning to activate at least Suricata intrusion detection (when I learn how to), does that mean I’m low on storage?


Miroco
