Messages - elektroinside

Pages: 1 ... 30 31 [32] 33 34 ... 39
466
General Discussion / Re: How to open specific ports?
« on: January 19, 2018, 02:49:38 pm »
Another good point, all offloading must be disabled. They are by default, but who knows :)

467
Intrusion Detection and Prevention / Re: OpenVPN interface + IDS/IPS
« on: January 19, 2018, 02:09:29 pm »
My device has two modes: router and bridge. In router mode, it has a working wifi interface, and works just as any commercially available wifi routers, and it is NAT-ing. In bridge mode (this is how it works now) it's basically a fiber media converter (fiber to ethernet), which is not NAT-ing...

Yes, I did have a conversation with them (the ISP). It is possible, but only for legal entities, to sign a contract for a symmetric link with static IP addresses (no PPPoE). The costs are significantly higher though, and the bandwidth lower...

468
General Discussion / Re: How to open specific ports?
« on: January 19, 2018, 12:56:23 pm »
Do you have dropped alerts from that host in the 'Alerts' tab that you may have missed setting to 'alert'? Refresh the 'Alerts' tab, delete 'blocked' from the search, verify the results again... It has to be there..

469
General Discussion / Re: How to open specific ports?
« on: January 19, 2018, 11:16:11 am »
Quote from: Dzioobasek on January 19, 2018, 10:49:55 am
Now I can't log in to the Joomla panel. I have found the rule which was blocking it and changed it to alert. Now when I switch to the Rules tab, should I check and apply all rules?

Just go to the Rules tab, don't select anything, just hit 'Apply'. It should work. Don't worry, there won't be that much stuff blocked. Some will be, but once you allow them (aka. set them to 'alert'), everything will work :)

470
General Discussion / Re: How to open specific ports?
« on: January 19, 2018, 11:11:21 am »
It definitely shouldn't. Actually, if you only set the rulesets (so not the rules on a one by one basis, just the rulesets from the 'download' tab), all of them, to drop, you will notice that not all of the rules will actually be set to drop. This is how it should work, don't set to 'drop' anything else (the rules) manually unless you know what you are dropping. Unless something went wrong, it should never isolate you completely.

You will have issues, that's for sure, some stuff will be blocked right after the first deployment, but if you only set the rulesets to drop, you should be able to set the actually dropped packets to 'alert' in the 'Alerts' tab in order to allow it for future use. After you have set a rule to 'alert', hit 'Apply' in the rules tab, otherwise, it won't be applied.
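The procedure above (rulesets set to 'drop', individual noisy rules put back to 'alert', then 'Apply') comes down to rewriting the action field of each Suricata rule before the rule file is loaded. The following is an added example written for this page, not OPNsense's own code or the poster's: it applies a ruleset-wide default action and per-SID overrides to a constructed rules file. The sample rules, SIDs and the helper names are assumptions made for the example; disabled (commented-out) rules and `pass` rules are left untouched, since flipping those would change what the ruleset means.

```python
import re

# Constructed sample rules for the example (not a real ruleset; SIDs are arbitrary).
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED example 1"; sid:9000001; rev:1;)
# a comment line is left untouched
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED example 2"; sid:9000002; rev:2;)
#alert dns any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:9000003; rev:1;)
pass ip 192.0.2.10 any <> any any (msg:"CONSTRUCTED pass rule"; sid:9000004; rev:1;)
"""

# An enabled rule: an action keyword, then the rest of the rule, which must carry a sid.
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+'
    r'(?P<rest>.*\bsid\s*:\s*(?P<sid>\d+)\s*;.*)$'
)

ALLOWED_ACTIONS = {"alert", "drop"}


def apply_actions(rules_text, default_action, overrides):
    """Rewrite rule actions.

    default_action: action chosen for the whole ruleset ('alert' or 'drop').
    overrides:      {sid: action} for rules changed one by one in the Alerts tab.
    Lines that are not enabled rules (comments, blank lines, disabled rules)
    and 'pass' rules are returned unchanged.
    """
    if default_action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported default action: {default_action}")
    for sid, action in overrides.items():
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unsupported override for sid {sid}: {action}")

    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("action") == "pass":
            out.append(line)
            continue
        sid = int(m.group("sid"))
        action = overrides.get(sid, default_action)
        out.append(f"{action} {m.group('rest')}")
    return "\n".join(out) + "\n"


def actions_by_sid(rules_text):
    """Map sid -> action for every enabled rule, useful to verify the result."""
    result = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            result[int(m.group("sid"))] = m.group("action")
    return result


if __name__ == "__main__":
    # Ruleset to 'drop', but sid 9000002 (the one that blocked a wanted service) back to 'alert'.
    rewritten = apply_actions(SAMPLE_RULES, "drop", {9000002: "alert"})
    print(rewritten)
    print(actions_by_sid(rewritten))
```

Running the block rewrites sid 9000001 to `drop`, keeps 9000002 at `alert` because of the override, and leaves the commented-out rule and the `pass` rule as they were, which is the same end state the GUI procedure produces.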
471
Intrusion Detection and Prevention / Re: Feature request: use of suricata 'ignoring traffic' features
« on: January 19, 2018, 09:41:00 am »
Oh, nice, somebody else is interested in this as well  :P

Thank you both :)

472
General Discussion / Re: OpenVPN not connecting from WAN
« on: January 19, 2018, 07:35:36 am »
Also, this is how your ovpn file should look.
It's edited; it is a general config, but it works.

Code: [Select]
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
reneg-sec 0
remote <addr_edited>
lport 0
# the CN of the server certificate must equal this string
verify-x509-name "OpenVPN Server Certificate" name
# SSL/TLS + User Auth mode: prompts for the VPN user's credentials
auth-user-pass
# the server certificate must carry the server EKU / key usage
remote-cert-tls server
comp-lzo adaptive

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

<tls-auth>
#
# OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1


473
General Discussion / Re: OpenVPN not connecting from WAN
« on: January 18, 2018, 09:54:25 pm »
I got another idea why this might be failing.
There is an option to add alternative names to the certificates (IP(s) & DNS name(s) among others). I would fill in those with the DNS name of your OPNsense box from both the LAN side and the WAN side, for the server certificate. And also the IP if it's static on both sides. You have to recreate the certificate of course (and export/import the ovpn or other profile as well, in the client). verify-x509-name might fail to validate if you don't get this right (if you set it to verify the CN in the client export).

It would also be useful to know what client you are using.

474
General Discussion / Re: OpenVPN not connecting from WAN
« on: January 18, 2018, 08:18:18 pm »
I think I got it. Just noticed that your server mode is SSL/TLS + User Auth.
In this mode, in the VPN client, you also need to add the CA's cert, user cert and user key.

Did you do that? The client export should do this automatically.. but just in case, you should verify this.

475
General Discussion / Re: OpenVPN not connecting from WAN
« on: January 18, 2018, 07:46:22 pm »
So you are sure that you have created the CA, then you have created a server certificate for the CA, then you have created the vpn user, then you have created the client certificate for the user, both signed by the same CA you have created, and all assignments are in place.. right?

I still believe you should retry, it's easy to miss something. Personally, I got it right the third time, and I had the same errors as you :)

476
General Discussion / Re: OpenVPN not connecting from WAN
« on: January 18, 2018, 07:27:56 pm »
I think you've missed something while creating the CA/user certs.
My suggestion is to delete all vpn users, certificates and CAs created during the OpenVPN tutorial and recreate/reassign them.

I too missed something (don't remember anymore what exactly), but instead of debugging, simply recreate them (much faster), paying attention to the 'trust' part of this tutorial: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

477
Intrusion Detection and Prevention / Feature request: use of suricata 'ignoring traffic' features
« on: January 18, 2018, 06:40:55 pm »
This would be the starting point:
https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html

It would be very nice if these could be implemented in the GUI, at least capture filters, as they look easy to implement :)

Many thanks!
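For readers who want the effect of the linked Suricata page without GUI support, here is an added example (not part of the post and not OPNsense's configuration) of the capture-filter mechanism in raw suricata.yaml form, using the `pcap` capture section and a constructed interface name and address. A BPF capture filter keeps the matching packets from ever reaching the detection engine, which is why it is the cheapest of the options on that page; the other mechanism the page describes, a pass rule such as `pass ip 192.0.2.10 any <> any any (msg:"pass host"; sid:1000001; rev:1;)`, still inspects the traffic and only suppresses the match, so it costs more but can be scoped per rule.

```yaml
# Added example: Suricata capture filter (BPF) in suricata.yaml.
# Interface name and the 192.0.2.10 address are placeholders.
pcap:
  - interface: eth0
    # Packets matching this BPF expression are dropped at capture time and never
    # reach the detection engine; nothing from/to this host is inspected.
    bpf-filter: "not host 192.0.2.10"
```

Note that a capture filter is applied per capture interface, so on a box with several monitored interfaces it has to be set on each one, and it silently blinds the IDS to whatever it excludes, so keep the expression as narrow as possible.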

478
Web Proxy Filtering and Caching / Re: block lists not including urls nor expressions?
« on: January 18, 2018, 05:54:26 pm »
I'm not using proxies for quite a while now, so I've lost my touch. Hopefully, somebody else is more trained and can answer your questions :)

479
Intrusion Detection and Prevention / Re: OpenVPN interface + IDS/IPS
« on: January 18, 2018, 05:48:53 pm »
I'm not blocking local clients, I'm dropping connections from the internet to the OPNsense box (mostly for NAT, not necessarily the box itself), except a few, some of them being identified by aliases in the form of dynamic DNS hostnames. If I put my modem in router mode, all the traffic will come from, let's say, 192.168.1.1, which is the modem's internal IP. My aliases (dynamic DNS hostnames) won't work, OPNsense will not be able to identify from whom the traffic comes, to allow it or to block/drop/reject it, as all the traffic comes from e.g. 192.168.1.1. And in this case, I'm also double NATing, which is not a good idea (double maintenance at least)...

I am exposing with NAT quite a few ports (delicate services) from a few LAN clients to the internet... well, to a handful of trusted clients coming from the internet anyway, so I'm trusting pf to do what it does best, but nothing else, with emphasis on 'as few points of failure as possible' :)

480
Intrusion Detection and Prevention / Re: OpenVPN interface + IDS/IPS
« on: January 18, 2018, 04:13:40 pm »
Normally yes, but I need the WAN on the OPNsense box to get the 'real' IP, the one assigned by my ISP, otherwise I can't limit connections. I use aliases, and the modem is too dumb to handle/resolve dynamic DNS names... Otherwise, I could put the OPNsense in the DMZ and all would be fine.

But I'm a stubborn bastard, I'm refusing to drop the idea of obscurity :P

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved