Messages - xinnan

#31
This is going to make me sound a little dumb, no doubt...  I will ask anyway. 

Why does it seem that both of the remote IPs you used are not publicly routable?
#32
There is no difference between virtual and physical machines in this scenario.  What kind of hypervisor are you using?  Tell us about the virtual NICs you installed.  Are they NAT, bridged, what?  Also, what about the router you are using?  Are you forwarding ports from your router to opnsense, and then are the ports open on opnsense?  Did you remove the "block local IP" on the WAN interface like you should have?

Those are places to start looking.  Also, be sure your IP is correct or that dynamic DNS is correct.
#33
Intrusion Detection and Prevention / Re: IDS block time
November 20, 2017, 10:53:14 PM
That wasn't a snipe.  Perhaps I need to work on my diplomacy. 
#34
Intrusion Detection and Prevention / Re: IDS block time
November 20, 2017, 10:23:09 PM
You think IDS on opnsense only alerts?  Even if a rule stipulates drop? 

Well...   I suppose that is the D in IDS.  Not super useful for most people if that is true, but I'm going to test it. 
#35
Intrusion Detection and Prevention / Re: IDS block time
November 20, 2017, 09:59:13 PM
Inline IDS is such a great feature.  I'm really only now getting used to it myself.  I will take a closer look in the next day or two.  I've been busy with a little work and fighting with a hypervisor. 
#36
Intrusion Detection and Prevention / Re: IDS block time
November 20, 2017, 09:51:53 PM
In that case the block is per IP.  Yes.  It would have to be.

Not sure about setting times.  I need another day or so to dig into the feature in opnsense. 
#37
Intrusion Detection and Prevention / Re: IDS block time
November 20, 2017, 09:45:21 PM
Inline?  On opnsense or pfsense?
Either way, there is no time since no IP is placed on a block.

Each packet/connection is evaluated each time to see if it violates a rule.  If so, it alerts or drops. 

If you are in inline mode on pfsense and have a time set, that setting isn't doing anything. 
#38
Intrusion Detection and Prevention / Re: IDS block time
November 20, 2017, 09:40:46 PM
IDS has two modes on pfsense.  Legacy and inline. 
Legacy blocks an IP for a specified period of time if any rule is triggered.
Inline blocks each offense as it occurs without considering the IP unless the IP itself is the trigger... 

Legacy blocks by IP.
Inline drops by offended rule.

Blocking by IP is not optimal.
#39
17.1 Legacy Series / Re: ClamAV Doubt
November 20, 2017, 01:25:17 PM
Smart move.  Plus, think about this.  Let's say you have 10 or 20 computers all sucking down lots of files.
1 little opnsense scanning all those files is going to create a big processor load. 

If the endpoints handle it, the processing load is distributed and you won't notice a performance hit.  Plus, the scanners on the endpoints are typically better anyway. 
#40
17.1 Legacy Series / Re: ClamAV Doubt
November 20, 2017, 12:52:34 PM
For ClamAV to work, all your traffic has to be intercepted by a proxy.  Squid. 
Basically, any traffic that will become a file on a host computer has to become a file in squid cache first.
Then it gets scanned and, if it's OK, sent on along to its ultimate destination. 

It's nice, but it introduces LATENCY big time.  I personally think that feature is best reserved for mail servers and file servers.  AV works best at the endpoint on Windows machines, and Linux, Unix, POSIX, Mac, BSD etc. really do not need it. 
#41
I created an easy brute force and ignorance solution to turn all the ACTIVE rules to "drop".  Haven't tested it on opnsense.  I've been busy.  Basically, I apply a wildcard to all the alphanumerics A-Z, a-z, 0-9 in a drop file.  It's much easier than it sounds. 

For me it is a perfect fix, but for many it might not be.  I will see how it works with opnsense in the next few days. 
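One way to do the rewrite the post above describes, added here as an example rather than the poster's own script: flip every active (uncommented) "alert" rule to "drop" while leaving comments, blank lines and rules that are already "pass", "drop" or "reject" untouched. The regex is anchored at the start of the line so it only ever touches the action keyword, never an "alert" that appears inside a msg string. The sample rules file is constructed for the example; the sids and messages are not from any real ruleset.

```python
"""Rewrite active Suricata 'alert' rules to 'drop'.  Added example, not code
from the forum poster or from OPNsense/pfSense; the sample rules are made up."""
import re
import sys

# Constructed sample rules file.  Suricata rules start with an action keyword
# (alert, pass, drop, reject, ...).  A leading '#' disables the rule.
SAMPLE_RULES = """\
# Constructed sample, not a real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH probe"; flow:to_server; sid:9000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE disabled rule"; sid:9000002; rev:1;)
pass ip 192.0.2.10 any -> any any (msg:"EXAMPLE trusted scanner"; sid:9000003; rev:1;)
drop udp any any -> $HOME_NET 161 (msg:"EXAMPLE already drop"; sid:9000004; rev:1;)

  alert http any any -> any any (msg:"EXAMPLE indented alert"; sid:9000005; rev:1;)
"""

# Only the action keyword at the very start of an uncommented line, followed by
# whitespace, so 'alert' inside a msg:"..." string is never touched.
ACTIVE_ALERT = re.compile(r"^(\s*)alert(?=\s)")


def alerts_to_drops(text):
    """Return (rewritten text, number of rules changed)."""
    out = []
    changed = 0
    for line in text.splitlines():
        new_line, n = ACTIVE_ALERT.subn(r"\1drop", line, count=1)
        changed += n
        out.append(new_line)
    result = "\n".join(out)
    if text.endswith("\n"):
        result += "\n"
    return result, changed


def count_actions(text):
    """Count the action keyword of every active rule, e.g. {'alert': 2, 'pass': 1}."""
    counts = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        action = stripped.split(None, 1)[0]
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python alerts_to_drops.py /path/to/some.rules [more.rules ...]
    # Rewrites each file in place and reports how many rules were changed.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            original = open_text = fh.read()
        rewritten, n = alerts_to_drops(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(rewritten)
        print(f"{path}: {n} alert rule(s) changed to drop; now {count_actions(rewritten)}")
```

On the constructed file this changes two rules (the plain one and the indented one), keeps the commented-out rule commented, and leaves the "pass" and existing "drop" rules alone. The caveat the poster already hints at applies: once every rule drops, a noisy or mis-tuned rule in inline mode blocks real traffic instead of just logging it, so check the alerts log for false positives before doing this on a production box.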
#42
IDS (suricata) is a pro level tool.  Actually, it often stumps pros.  It would be nice if there was a way to make it simple. 
#43
In my opinion, there isn't much you can do to make your box fast with openvpn.  However, this is one of those rare times when I would say give ipsec a try if you are intent on keeping your watchguard. 
#44
General Discussion / Re: Suricata issues in PFsense
November 17, 2017, 02:06:01 AM
They haven't banned me yet...  Maybe it's because they would miss the village idiot.
Suricata in pfsense works for me in a VM.  So does Opnsense.  It is fairly easy to shoot yourself in the foot with either distro for sure.  I think most of the problems people have with Suricata are self-inflicted in a VM.  On hardware, netmap compatibility is picky.
#45
17.7 Legacy Series / Re: IDS Alerts
November 16, 2017, 05:40:31 PM
The firewall with no open ports and no pass rules will silently drop unsolicited incoming packets.  In my opinion, that is usually best.  Now, if I had SSH running on the WAN or another service installed in opnsense that listened on the WAN, then there would be a great need to have IDS checking the WAN.  Again, just an opinion.  I'm definitely not the IDS expert. 

(duplicate - sorry)