Topics - Wyrm

#1
Hi,
I have 2 questions, but they could perhaps be connected to one solution.

I would like to know if there is some utility or setting to have a rule that blocks simple port scanning?
It is like in Mikrotik, where you can have detection of port scanning by setting weights on the scanned ports.
There are then rules which put remote attackers on a list and block them before they get to the IDS/IPS.
Is there some solution for this?

There is another request from my customer to have the option to use port knocking.
Is there some way to use it in the OPNsense firewall? Mainly it works so that there is a defined port-opening sequence, and when it is used from an allowed address, it opens a port in the firewall.

This could be an option to have as a feature in OPNsense, maybe?
Or is it solved by Suricata or Sensei?
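The two mechanisms asked about in this post, sketched as an added example that is not part of the original post and is not OPNsense or Mikrotik code: a weighted port-scan detector in the style of Mikrotik's psd match (distinct destination ports scored inside a time window, low ports weighted more than high ports, a threshold that moves the source onto a block list) and a port-knock state machine that only opens a protected port for a source that hits the configured sequence in order. The weights, threshold, window, knock sequence, protected port and the connection records are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed connection attempts as (timestamp_s, src_ip, dst_port); not real traffic.
# 203.0.113.5 sweeps well-known ports, 198.51.100.9 is an ordinary client that also
# tries the protected port without knocking, 192.0.2.77 knocks correctly first.
SAMPLE_FLOWS = [
    (0.0, "203.0.113.5", 21), (0.2, "203.0.113.5", 22), (0.4, "203.0.113.5", 23),
    (0.6, "203.0.113.5", 25), (0.8, "203.0.113.5", 80), (1.0, "203.0.113.5", 110),
    (1.2, "203.0.113.5", 143), (1.4, "203.0.113.5", 443),
    (0.5, "198.51.100.9", 443), (0.7, "198.51.100.9", 443), (0.9, "198.51.100.9", 80),
    (1.1, "198.51.100.9", 2222),
    (2.0, "192.0.2.77", 7000), (2.5, "192.0.2.77", 9000), (3.0, "192.0.2.77", 8000),
    (3.5, "192.0.2.77", 2222),
]


class PortScanDetector:
    """Weighted port-scan scoring in the style of the Mikrotik 'psd' match.

    Assumed parameters: distinct destination ports hit by one source inside
    `window` seconds are scored, low ports (<= low_max) weigh more than high
    ports, and repeated hits on the same port add nothing, so a busy client
    talking to one or two services never reaches the threshold."""

    def __init__(self, threshold=21, low_weight=3, high_weight=1, low_max=1023, window=3.0):
        self.threshold, self.low_weight, self.high_weight = threshold, low_weight, high_weight
        self.low_max, self.window = low_max, window
        self.recent = defaultdict(deque)   # src -> deque of (ts, dst_port) inside the window
        self.blocked = set()               # the address list a drop rule would consult

    def observe(self, ts, src, dst_port):
        """Score one connection attempt; return True if src is now blocked."""
        if src in self.blocked:
            return True
        hits = self.recent[src]
        while hits and ts - hits[0][0] > self.window:
            hits.popleft()
        if all(port != dst_port for _, port in hits):
            hits.append((ts, dst_port))
        score = sum(self.low_weight if port <= self.low_max else self.high_weight
                    for _, port in hits)
        if score >= self.threshold:
            self.blocked.add(src)
            return True
        return False


class PortKnocker:
    """Opens `service_port` for a source only after it hits `sequence` in order.

    Any out-of-order knock resets that source's progress, and a pause longer
    than `knock_timeout` between knocks starts the sequence over."""

    def __init__(self, sequence, service_port, knock_timeout=10.0):
        self.sequence, self.service_port, self.timeout = tuple(sequence), service_port, knock_timeout
        self.progress = {}     # src -> (index of next expected knock, ts of last knock)
        self.opened = set()

    def knock(self, ts, src, dst_port):
        """Record one knock; return True once the full sequence has been completed."""
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.timeout:
            idx = 0
        if dst_port == self.sequence[idx]:
            idx += 1
        else:
            idx = 1 if dst_port == self.sequence[0] else 0   # restart if this was a first knock
        if idx == len(self.sequence):
            self.opened.add(src)
            idx = 0
        self.progress[src] = (idx, ts)
        return src in self.opened

    def allows(self, src, dst_port):
        return dst_port == self.service_port and src in self.opened


def run_sample(flows=SAMPLE_FLOWS):
    """Feed the constructed flows through both mechanisms, scan detection first."""
    psd = PortScanDetector()
    knocker = PortKnocker(sequence=(7000, 9000, 8000), service_port=2222)
    allowed = []
    for ts, src, port in flows:
        if psd.observe(ts, src, port):
            continue                                    # dropped before any service or knock
        if port == knocker.service_port:
            if knocker.allows(src, port):
                allowed.append((src, port))
        else:
            knocker.knock(ts, src, port)
    return {"blocked": sorted(psd.blocked), "opened": sorted(knocker.opened), "allowed": allowed}


if __name__ == "__main__":
    print(run_sample())
```

Two caveats a practitioner would attach to this. The knock sequence is deliberately non-monotonic (7000, 9000, 8000): a sequential scanner walking ports upwards would otherwise complete an ascending sequence by accident. And knocks travel in the clear and can be replayed by anyone who observes them, so port knocking narrows exposure but is not authentication; keep key-based SSH or a VPN behind it, or look at single-packet authorization tools such as fwknop, which sign each knock.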
#2
I have a specific requirement for filtering.
My customer wants to have a group of local IP addresses which will be changeable - probably aliases.
He wants to limit this group's access to ONLY a specific server or servers (*.example.com) and also subdomains (*.server.example.com, *.example.*).
Is that possible in OPNsense? Or would there need to be a special plugin for this?

Thanks to anybody who could offer some advice on how to do this...
#3
I have this for use as an OPNsense firewall:
Barebone XtendLan EBF-224-V1605B
Barebone, Ryzen V1605B 4x 2.0GHz, 2x SO-DIMM, HDMI+DP, 2x LAN, 7x USB 2.0/3.0/Type-C, 1x COM, TDP 15W, fanless
There is 16GB RAM and a 64GB M.2 SSD installed.
I tried to install the normal DVD image with the latest OPNsense and it stops with "power button".
I have the 19.1 serial image, so I tried it, and a copy of the terminal text is in the attachments.

When I boot the latest FreeBSD 12 it runs fine and it is possible to install FreeBSD 12 on it.

Is there some possibility to solve the "power button" issue to finish the setup?

Thanks for the reply
#4
General Discussion / Bootstrap install on Freebsd 12
January 16, 2020, 09:21:08 AM
Hi,
has anybody tested installing OPNsense over FreeBSD 12 (bootstrap)?
I have HW which cannot boot OPNsense, but FreeBSD 12 is OK.
Should I test the latest HBSD, or will it work on FreeBSD 12?
#5
I have OPNsense on Supermicro HW and it was working OK for about 1 year.
About 2 weeks ago a problem started with the captive portal. Users could not log in, sessions were not visible and it was not possible to delete them.
At that time the version was 19.1 and I upgraded to the latest version.
I have also cleaned the captive portal DB from the command line.
Now the problem is still there - in the log some users are AUTH, some DENY, but there is no session visible in the GUI and it is not working well.
Is there some solution for this strange behavior?

Thanks for the answers
#6
Hardware and Performance / HW with Ryzen CPU
January 28, 2019, 12:35:33 PM
Hi all,
I will have this HW configuration:

MB: ASUS MB Sc AM4 TUF B450M-PRO GAMING, AMD B450, 4xDDR4, VGA, mATX
CPU: AMD RYZEN 7 2700, 8-core, 3.2 GHz (4.1 GHz Turbo), 20MB cache, 65W, socket AM4, BOX (Wraith cooler)
RAM 16GB: 2 x DIMM DDR4 8GB 2666MHz CL19 KINGSTON ValueRAM
M2 SSD: ADATA SSD XPG SX8200 PCIe Gen3x4 M.2 2280 240 GB
NET card: Intel Ethernet Server Adapter I350-T2V2, bulk

On the ASUS board there is one Realtek RTL8111H NIC port, and I have added an Intel i350 for 2 more ports.

On this HW there should be VMware and 2 VMs - 1 for OPNsense (mainly firewall, security, HTTPS filtering, Sensei, maybe IDS) and 1 for Mikrotik (just for central Wi-Fi management - CAPsMAN).

Is this config good for OPNsense, or are there some problems with drivers or so?

Let me know if you have some experience..
#7
I have a new install of OPNsense 18.7 from the latest image on a PC Engines APU.3C4 system board with a 60GB mSATA SSD.
The topology is:
Internet:
PROVIDER - cable - OPNSENSE WAN by PPPoE
LAN:
OPNSENSE LAN - Mikrotik switch RB2011 (10 ports) - connected to this unit by cable are a Cisco Wi-Fi AP (transparent AP only) and a Mikrotik hAP lite Wi-Fi AP (transparent AP only), and also the rest of the network by cables.

OPNsense is set up in the basic configuration with the provider's DNS set in General settings.

Cabled hosts - computers, printer, cameras and others - are without problems; only sometimes I have to refresh pages to get content, mainly HTTPS.
The BIG problem is with wireless clients connected to the Wi-Fi units (Cisco or Mikrotik) - they do not have internet connectivity and the problem is in DNS - I can ping, for example, 8.8.8.8 but not www.google.com.

I have installed OPNsense several times and did not have any problems, but now with the current version there is maybe some problem with DNS?
What is needed to report or to look at in the configuration?
I will need some help to solve this to have a working network.
Now I have to set everything up on the Mikrotik, but I need to have OPNsense working...

Thanks for any reply...
#8
Is it possible to have TACACS+ authentication support?
Also there is the question whether OPNsense could use SCEP (Simple Certificate Enrollment Protocol) for X.509 certificates?
#9
Hi,
Is it possible to have a feature I know well from Mikrotik - the WATCHDOG function?
It tests an IP address on the internet and when it is not reachable it restarts itself.
It also restarts itself in case of HW failure and makes a file with data for diagnostics.

Does anybody know if this is possible on OPNsense, or is it possible to use some FreeBSD utility?

Thanks
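The reachability half of the watchdog described above, written as an added example that is not part of the original post and not OPNsense, Mikrotik or FreeBSD code. The interesting part of such a watchdog is not the ping but the guards that keep it from turning an ISP outage into a reboot loop, so the example probes several targets, requires all of them to fail for several consecutive rounds, refuses a second reboot inside a minimum interval, and keeps a diagnostics record before acting. The probe and reboot hooks are injected, the target addresses and the outage timeline are constructed, and the thresholds are assumptions.

```python
import time


class ConnectivityWatchdog:
    """Reboot-on-unreachable watchdog with guards against reboot loops.

    Design points (assumptions of this example, not OPNsense behaviour):
    - several probe targets; a round only counts as failed when ALL of them fail,
      so one upstream host disappearing does not restart the firewall;
    - `fail_rounds` consecutive failed rounds are required before acting;
    - a second reboot inside `min_reboot_interval` seconds is suppressed, so a
      dead uplink produces one reboot and a record, not a reboot loop;
    - a diagnostics record is kept before the reboot hook runs (a real hook would
      write it to persistent storage first, then call `shutdown -r now`)."""

    def __init__(self, targets, probe, reboot, fail_rounds=3, min_reboot_interval=1800,
                 clock=time.time):
        self.targets = list(targets)
        self.probe = probe            # callable(target) -> bool, e.g. an ICMP or TCP probe
        self.reboot = reboot          # callable(record) that performs the restart
        self.fail_rounds = fail_rounds
        self.min_reboot_interval = min_reboot_interval
        self.clock = clock
        self.consecutive_failures = 0
        self.last_reboot = None
        self.diagnostics = []

    def check(self):
        """Run one probe round; return 'ok', 'degraded', 'suppressed' or 'rebooted'."""
        now = self.clock()
        results = {t: bool(self.probe(t)) for t in self.targets}
        if any(results.values()):
            self.consecutive_failures = 0
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures < self.fail_rounds:
            return "degraded"
        if self.last_reboot is not None and now - self.last_reboot < self.min_reboot_interval:
            return "suppressed"
        record = {"time": now, "results": results,
                  "consecutive_failures": self.consecutive_failures}
        self.diagnostics.append(record)
        self.reboot(record)
        self.last_reboot = now
        self.consecutive_failures = 0
        return "rebooted"


def simulate():
    """Drive the watchdog through a constructed outage timeline (not real measurements)."""
    timeline = [
        {"198.51.100.1": True,  "203.0.113.1": True},
        {"198.51.100.1": False, "203.0.113.1": True},    # one probe host down: not an outage
        {"198.51.100.1": False, "203.0.113.1": False},
        {"198.51.100.1": False, "203.0.113.1": False},
        {"198.51.100.1": False, "203.0.113.1": False},   # third failed round in a row: reboot
        {"198.51.100.1": False, "203.0.113.1": False},
        {"198.51.100.1": False, "203.0.113.1": False},
        {"198.51.100.1": False, "203.0.113.1": False},   # uplink still dead: reboot suppressed
    ]
    state = {"round": 0, "t": 0.0}
    rebooted = []
    wd = ConnectivityWatchdog(
        targets=list(timeline[0]),
        probe=lambda target: timeline[state["round"]][target],
        reboot=rebooted.append,                      # dry-run hook: record instead of restarting
        fail_rounds=3, min_reboot_interval=1800, clock=lambda: state["t"],
    )
    outcomes = []
    for i in range(len(timeline)):
        state["round"], state["t"] = i, i * 60.0    # one round per minute
        outcomes.append(wd.check())
    return outcomes, rebooted


if __name__ == "__main__":
    print(simulate())
```

In a real deployment the probe would be a subprocess call to ping or a TCP connect to a well-known port, run from a cron or rc script, and the reboot hook would write the record to disk before restarting. The hardware-failure half of the Mikrotik feature is a different mechanism: on FreeBSD that is the kernel watchdog driven by watchdogd(8), which needs a hardware watchdog timer the board exposes.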
#10
General Discussion / Captive Portal - Social Login
August 10, 2018, 09:13:12 AM
Hi,
has anyone experience with some form of request for social login to the captive portal?
Mainly to have the option to log in with an account from Facebook, Google, Twitter and so on...
Not two-factor, but just to use these social logins to access the captive portal guest network; the other effect is in likes and social data for the web page, which is usually interconnected with this solution...

Thanks for the reply

#11
Hi,
for one customer I need to add around 400 users to the local user manager. These users will be used for the captive portal. Is there some limit on it? How many users can be in the system?

I have found that it is possible via an XML configuration file which I restore, but only the system part, where I manually edit the XML file and add the user details... but it is not so comfortable...

Does anybody have some good advice on how to add them by some script? Or is there any other option for how to add them?
I have them in an Excel table with the fields First Name, Surname, Mail and Password. The customer will accept mail as the username and I will set the same password for all. Each user will then change their password in the web GUI.

Thanks for some reply..

#12
18.1 Legacy Series / CVE-2018-0732
July 19, 2018, 02:57:39 PM
Hi,
I have done a security audit on version 18.1.12 and there is a security vulnerability:

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
libressl-2.6.5 is vulnerable:
OpenSSL -- Client DoS due to large DH parameter
CVE: CVE-2018-0732
WWW: https://vuxml.freebsd.org/freebsd/c82ecac5-6e3f-11e8-8777-b499baebfeaf.html

1 problem(s) in the installed packages found.
***DONE***

Versions on the box:
OPNsense 18.1.12-amd64
FreeBSD 11.1-RELEASE-p11
LibreSSL 2.6.5

Is it OK, or will there be some patch?

Thanks for the reply...
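A parser for the pkg audit output quoted in this post, added here as an example and not part of the original post or of pkg itself. Anyone feeding these audits into a ticketing or monitoring pipeline needs the findings as structured records rather than text, and the parser also cross-checks the trailing "N problem(s)" count against what it parsed, so truncated output is caught instead of silently under-reporting. The first sample is the output from the post; the second is constructed (fictional package and CVE identifiers) to exercise the multi-finding, multi-CVE path. The triage helper and its exception list are assumptions about how a reviewer records CVEs confirmed not to apply.

```python
import re
from dataclasses import dataclass, field

# Output exactly as quoted in the post above.
PAGE_OUTPUT = """\
***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
libressl-2.6.5 is vulnerable:
OpenSSL -- Client DoS due to large DH parameter
CVE: CVE-2018-0732
WWW: https://vuxml.freebsd.org/freebsd/c82ecac5-6e3f-11e8-8777-b499baebfeaf.html

1 problem(s) in the installed packages found.
***DONE***
"""

# Constructed sample (NOT real pkg output): the second finding, its package name,
# CVE identifiers and URL are fictional, present only to exercise the parser.
CONSTRUCTED_OUTPUT = """\
vulnxml file up-to-date
libressl-2.6.5 is vulnerable:
OpenSSL -- Client DoS due to large DH parameter
CVE: CVE-2018-0732
WWW: https://vuxml.freebsd.org/freebsd/c82ecac5-6e3f-11e8-8777-b499baebfeaf.html

example-tool-1.0 is vulnerable:
example-tool -- made-up issue for the parser test
CVE: CVE-2099-00001
CVE: CVE-2099-00002
WWW: https://example.invalid/vuxml/made-up

2 problem(s) in the installed packages found.
"""


@dataclass
class Finding:
    package: str
    version: str
    title: str
    cves: list = field(default_factory=list)
    urls: list = field(default_factory=list)


_HEADER = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")
_COUNT = re.compile(r"^(?P<n>\d+) problem\(s\) in the installed packages found\.$")


def parse_pkg_audit(text):
    """Turn pkg audit text into Finding records; raise if the summary count disagrees."""
    findings, current, reported = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                      # blank line closes a finding block
            continue
        m = _HEADER.match(line)
        if m:
            # Package names may contain dashes; the version is after the last one.
            name, _, version = m.group("pkg").rpartition("-")
            current = Finding(package=name, version=version, title="")
            findings.append(current)
            continue
        m = _COUNT.match(line)
        if m:
            reported = int(m.group("n"))
            current = None
            continue
        if current is None:
            continue                            # banner lines such as "vulnxml file up-to-date"
        if line.startswith("CVE:"):
            current.cves.extend(line[4:].split())
        elif line.startswith("WWW:"):
            current.urls.append(line[4:].strip())
        elif not current.title:
            current.title = line                # first free-text line is the vuxml title
    if reported is not None and reported != len(findings):
        raise ValueError(f"pkg audit reported {reported} problem(s) but {len(findings)} parsed")
    return findings


def needs_action(findings, accepted_cves=frozenset()):
    """Findings that still need work: any CVE not on the reviewed exception list,
    or a finding without CVE identifiers at all (those cannot be excepted by ID)."""
    return [f for f in findings
            if not f.cves or any(cve not in accepted_cves for cve in f.cves)]


if __name__ == "__main__":
    for f in parse_pkg_audit(PAGE_OUTPUT):
        print(f"{f.package} {f.version}: {f.title} {f.cves} {f.urls}")
```

The exception list is the place to record the outcome of the question asked in the post: pkg audit matches on the installed package name and version against VuXML, so a finding tells you the package is listed, not that the vulnerable code path is reachable on this box; whether a given entry applies to the shipped LibreSSL build is something to confirm against the linked VuXML page and the vendor's fix, and only then to record as an exception with the CVE identifier.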
#13
General Discussion / 2 wan IP from local net of ISP
July 17, 2018, 12:59:27 PM
Hi,
I have OPNsense in a customer network where the provider does 1:1 NAT in his network. So I have 2 WAN IPs from him in a local private subnet. From outside they show as 2 public IPs.
It is mainly for dividing traffic and speed for the customer - it is a hotel where the office has one speed and the guests another.
I need to clearly divide and source-NAT both networks so that each of them has its own public IP from outside.
I have set the first local IP from the ISP on the WAN interface and it is working now for both networks, all with NAT. I have also set the second IP as a VIRTUAL IP and now I would like to do some NAT and other settings.
How do I send traffic from one of the local networks to the second local IP (ISP NAT to public)?
Should I use NAT 1:1, or how do I set this?
I also need to have the guests in the captive portal later...

Thanks for some answer and help... ;)