Messages

31

18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

« on: April 04, 2018, 10:03:04 am »

This is also how some MITM attacks/behaviors look like.
Not saying that your ISP does something similar, but something/somebody is interfering with it. Maybe a service running on that same port?

32

18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

« on: April 04, 2018, 09:00:22 am »

I'm also using Quad9 with LibreSSL. Still working fine

33

18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

« on: April 04, 2018, 08:20:07 am »

No such thing here... Still working fine

34

18.1 Legacy Series / Re: New dhcp entries in the LAN are not resolved by unbound

« on: April 04, 2018, 07:00:14 am »

Are you using actually using DHCP for the clients or static IPs?
Also, did you verify that the leases are there (in Services: DHCPv4: Leases)?

35

18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

« on: April 04, 2018, 06:37:04 am »

Works perfectly fine here (so far).
Well done!

Although I would need to see those packets over a dump, to check if these are really going over TLS.

36

18.1 Legacy Series / Re: Image backup using Clonezilla

« on: April 03, 2018, 08:00:51 pm »

I have a Linux machine which i use for many other things. You get to use it for many things once you have it

My Google Drive backup works perfectly, do you need any help with it?

37

General Discussion / Re: Insight - Which LAN IP's visited which websites

« on: April 03, 2018, 05:26:13 pm »

Welcome to OPNsense!
Indeed, proxy would be one idea. The other would be to use a custom DNS server and monitor queries.

38

General Discussion / Re: OpenVPN seems not to use AES-NI

« on: April 03, 2018, 04:50:15 pm »

I'm just pointing out clues that may also help you.
For example, there may be some tunables out there available for virtio drivers, as they influence OpenVPN as well.
Also, considering your test results, indeed, OpenVPN performance should be better, but only CPU-wise, as there is no real network traffic included in those benchmarks.

But rest assured, OpenVPN will be using AES-NI whatever the setting in the OPNsense GUI if this CPU instruction set is available.

39

General Discussion / Re: OpenVPN seems not to use AES-NI

« on: April 03, 2018, 03:28:59 pm »

It doesn't matter how many cores you have, as the OpenVPN server instance is single threaded, meaning it will always use one cpu core. This is true with any OpenVPN implementation. If you have a good single-core performance, it should be fast enough, if not, it won't.

You could also follow this thread for better OpenVPN performance, even though it was written for something else (IDPS):
https://forum.opnsense.org/index.php?topic=6590.0

40

18.1 Legacy Series / Re: OPNsense panics in my multiwan setup

« on: April 03, 2018, 02:22:33 pm »

Thanks, but I just needed to go to any store and buy a longer HDMI cable, which I did

41

Intrusion Detection and Prevention / Re: Integration with Mail, Joomla, Wordpress security

« on: April 03, 2018, 12:38:24 pm »

Yes, but I could only imagine the impact if a WP plugin could also be made, published and advertised in their software repository:

"Protect your WP website with a hardware/software appliance - powered by OPNsense" or something.
Existing wp software "firewalls" could also extend their products to include live OPNsense blocking.

I think it would be cool.

42

Intrusion Detection and Prevention / Re: Integration with Mail, Joomla, Wordpress security

« on: April 03, 2018, 11:42:34 am »

Because the blocking has to be done dynamically, commanded by something (a wp plugin for example, or extension of an existing one etc). If the bruteforce is coming from an ip that isn't listed in any of those lists (usually the case of targeted attacks), something has to feedback the OPNsense box and temporarily slow down or completely block the attack.

While aliases can be used and a list could be maintained somewhere on some webserver, which OPNsense could constantly read, it's an added resource to maintain. It's much more simple to call an API and add the offending ip in a blacklist which a floating rule can later use. And that list could be maintained from the WebGUI.

43

Intrusion Detection and Prevention / Re: Integration with Mail, Joomla, Wordpress security

« on: April 03, 2018, 10:57:50 am »

I wanted to build something like that but never had the time to write it. The idea is creating an API endpoint which can be used to report bad IPs which then will be blocked (and maybe released after some time).

This would be simply awesome

44

18.1 Legacy Series / Re: OPNsense panics in my multiwan setup

« on: April 03, 2018, 09:29:57 am »

So, I'm not the only one.
mimugmail, I've attached some dump file in the google drive, does that helps or you need something else?

45

Development and Code Review / Re: Cicada Theme -> Franco didnt want the cicada theme - so deleted!

« on: April 03, 2018, 09:07:44 am »

Welcome back! Looking forward to your new theme and productive cooperation