Messages - elektroinside

496
18.1 Legacy Series / Re: PPPoE and pf restart after OPNsense reboot
« on: January 17, 2018, 11:51:04 am »
Confirming, works as expected.

Thanks again Franco!

497
18.1 Legacy Series / Re: PPPoE and pf restart after OPNsense reboot
« on: January 17, 2018, 08:45:10 am »
Mine survived the nightly reboot only with this: https://forum.opnsense.org/index.php?topic=6891.msg30086#msg30086

Just noticed, essentially the same thing as #386938 :)

498
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 17, 2018, 07:49:44 am »
That's strange, IDS alone doesn't block, I've been using suricata for quite some time now, true, always with IPS, not necessarily with OPNsense, but I don't remember having this issue and I don't remember IDS blocking anything without IPS.

If this is true, how can it log blocked traffic if it doesn't block?

Please note that when I said that all my rules are set to block, I did it from the GUI, from the download tab, which doesn't set all the rules to drop (most of them, but not all). And I only get this behavior with Windows Updates and RDP (so far). Everything else I customized and unblocked works perfectly.

499
Intrusion Detection and Prevention / Re: Windows Updates
« on: January 16, 2018, 11:24:14 pm »
All my rules are set to drop (all except the ones I don't want to drop)...
Blocked rules are logged, this is how I usually allow the ones I don't want to drop.

I also noticed that it has some difficulties with RDP as well. I can sometimes connect to clients very fast, sometimes not at all. No dropped alerts for these either.

Disabling IPS fixes this every time.

500
Tutorials and FAQs / Fast and easy way to protect your home and/or small office network with OPNsense
« on: January 16, 2018, 11:09:39 pm »
I use these techniques for my home network and many of my clients. IDS/IPS needs occasional maintenance. Combine these with 'Security through obscurity' philosophies and techniques and you should be safe enough. Obviously, nobody but yourself is responsible for your deployment.

INTRO

IDS/IPS will not block viruses like an AV but rather they are complementary to each other. IDS/IPS will scan network traffic (packets) while the AV scans files. Both work with rules/signatures, both heavily dependent on these (except some newer technologies).

There's always a compromise to be made between speed and security. I prefer obviously both if possible, but this is difficult sometimes.

I prefer IDS/IPS in inline mode as it's lightning fast. The protection it offers is as good as your rules are. Combine this with a good DNS service and you will get a nice and fast security.

Please be aware that IPS rulesets like ET open/emerging-current_events and ET open/emerging-dos - I don't know the exact rule(s) in the ruleset(s), though - can cause issues between internal interfaces, like RDP sessions, Windows Updates, Veeam Back-up speed/ sustainability, etc. The most important thing, those issues weren't listed on the "Alerts" list. Neither as blocked nor otherwise. The advice for everyone would be, especially if on a production/ critically available network, to check rulesets and rules on a one-by-one activation/ deactivation approach, especially if network services are crippled without any apparent reason.

Getting ready

1. BACKUP OPNSENSE FIRST (absolutely mandatory and first step): System: Configuration: Backups
In the case something goes wrong, you can always revert using the backup set.
2. Copy-paste this comment in a txt file on your test machine and save it
3. Run a few speedtest.net to verify performance and throughput before and after these techniques are deployed in your environment

Networking

1. Go to System: Settings: Networking
2. Disable all hardware offloading (they are by default, but please verify)

DNS

Some particular public DNS servers will block queries pointing to malicious websites. I use OpenDNS or AdGuard DNS servers. OpenDNS will block no ads but more malware, AdGuard will block ad servers but less malware.

OpenDNS servers: there is a client integrated into OPNsense for this, create an account on OpenDNS.com and just fill in the form in OPNsense:Services:OpenDNS, the GUI will fill in the DNS servers from step 1 below for you. Follow/verify the rest of the steps.
AdGuard: https://adguard.com/en/adguard-dns/overview.html

Let's go with AdGuard as it is easy to verify and this one you need to manually configure:

1. Go to System: Settings: General
2. In the DNS servers field, delete everything and add these (don't configure gateways, leave it on none):
176.103.130.130
176.103.130.131
2a00:5a60::ad1:0ff
2a00:5a60::ad2:0ff
3. Uncheck if not already: 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and 'Do not use the DNS Forwarder/Resolver as a DNS server for the firewall'
SAVE
4. If you use Unbound DNS (OPNsense default), go to Services: Unbound DNS: General
5. Check if not already: 'Enable Forwarding Mode'
6. Uncheck 'Enable DNSSEC Support' (if you use OpenDNS or AdGuard, none of these supports this feature)
SAVE
7. Just to be sure everything works, reboot and check your internet connection on that one machine

IDS/IPS

1. Go to Services: Intrusion Detection: Settings tab
2. Check these: Enabled, IPS mode (do not check promiscuous mode unless you have multiple interfaces or VLANs)
3. If you have a newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select as pattern matcher 'Hyperscan'. You will have to dmesg in the console to verify. If no SSE3 (so a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.
5. Select all Home networks
6. Choose something for log rotation (whatever suits you best).
APPLY
7. Go to Download tab, select all, Enable then Download & Update rules
8. After everything is downloaded and enabled, edit each one, one by one, and select "Change all alerts to drop actions"
9. Select all again, download and update rules
10. Reboot just to be sure
11. Open this website https://www.wicar.org/test-malware.html and click on "EICAR TEST-VIRUS"
12. If nothing downloads, it works. If it doesn't work, a txt file will be downloaded (will not harm your PC in any way, it is a test virus)
13. Go to Services: Intrusion Detection: Schedule tab and configure a cron job so that the rules are automatically refreshed once a day (for 12AM each day, enabled: check, minutes: 0, hours: 0, day month: *, months: *, days week: *, command: update and reload ids rules)

What to do when something is not working (can't open a website, torrents don't work, can't connect to something)

1. Go to Services: Intrusion Detection: Alerts tab
2. In the search box, type blocked
3. If you found a rule you wish to unblock, edit it (click on the pencil icon) and select 'Alert' for 'Configure action', instead of 'Drop'
4. Go back to Services: Intrusion Detection : Rules tab and click 'Apply'

Further debugging

1. Go to Services: Intrusion Detection and disable IPS mode.
Please verify things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

2. Then, go back to Services: Intrusion Detection and enable IPS mode.
Then, go to 'Download', take each ruleset one by one, and set to 'Alert'.
Then, go to 'Rules' and hit 'Apply'.
Please verify things are fully working, browse some websites, and also check that you have alerts and all are reported as 'Allowed'.

3. Then, go to 'Download', take each ruleset one by one, and set to 'DROP'.
Then, go to 'Rules' and hit 'Apply'.
Please verify things are (at least partially) working, do some wicar tests (please try at least the eicar test file), browse some websites, and also check that you have alerts, some are reported as 'Allowed' and some as 'Blocked'

4. Go to 'Alerts', select a 'blocked' packet (do this with the eicar test file), edit it and set it to 'Alert'.
Go back to 'Rules' and hit 'Apply'.
Try to download the eicar file again, it should work this time. If it does, set it back to 'Drop' and hit 'Apply' again from the 'Rules' tab.
Please verify things are (at least partially) working, do some wicar tests (please try at least the eicar test file), browse some websites, and also check that you have alerts, some are reported as 'Allowed' and some as 'Blocked'

If still absolutely nothing works, verify each step here, concentrate, read every word, don't skip anything unless you know what you are doing. If still nothing is working, go to System: Configuration: Backups and restore your backup. Then stop reading :)

Verify results:

1. wicar tests should fail (most of them) -> the site with the eicar test virus, there are more tests there
2. if you choose AdGuard dns servers, most of the ads in websites/ games etc will disappear and everything will load faster
3. if everything works, run a few speedtest.net again and compare

With these techniques, you should have a good protection and speed as well. If you wish to tweak these more, you can configure your OpenDNS account and filter out more categories to block. With another set of AdGuard servers, you can block Default + blocking adult websites + safe search (Family protection DNS servers).

Relying also on DNS, you may want to make sure all DNS queries from the clients go to the ones you configured, even if the clients override them locally. So if you wish, you can enforce this with a firewall rule:

Go to Firewall: NAT: Port Forward and click on the plus sign (create new rule)
1. Interface: LAN
2. TCP/IP Version: IPv4
3. Protocol: TCP/UDP
4. Source: any
5. Destination/Invert: checked
6. Destination: LAN address
7. Destination port range: from DNS to DNS
8. Redirect target port: DNS
9. Description: whatever you want
10. NAT reflection: Disabled
SAVE/APPLY

With these settings, I just got these results (from Romania, ISP is RDS with Fiberlink 1000 line, 1Gbit/sec download, 500Mbit/sec upload theoretical link, both are up-to values, with an i3-8100 CPU):
-with Amsterdam: http://www.speedtest.net/result/6972207406
-with Romania: http://www.speedtest.net/result/6972210834

That's it :)
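The triage described above under "What to do when something is not working" (search the Alerts tab for blocked entries, then decide which rule to move from Drop to Alert) can also be done offline against the Suricata eve.json log that the IDS writes. This is an added example, not elektroinside's code or anything from OPNsense; the events and signature IDs are constructed, and it assumes the RFC1918/ULA ranges below match your Home networks setting.

```python
"""Summarise which Suricata rules are dropping traffic, and flag drops that are
purely LAN-to-LAN (the kind the post blames for RDP and Windows Update trouble).
Added example; all events and signature IDs here are constructed."""
import ipaddress
import json

# Assumption: these ranges are what the IDS "Home networks" setting covers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed eve.json lines: one JSON object per line, as Suricata writes them.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.5","dest_port":3389,"proto":"TCP","alert":{"action":"blocked","signature_id":9000001,"signature":"CONSTRUCTED rdp rule","category":"Attempted Administrator Privilege Gain"}}
{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.5","dest_port":3389,"proto":"TCP","alert":{"action":"blocked","signature_id":9000001,"signature":"CONSTRUCTED rdp rule","category":"Attempted Administrator Privilege Gain"}}
{"event_type":"alert","src_ip":"192.168.1.30","dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"signature":"CONSTRUCTED eicar download","category":"A Network Trojan was detected"}}
{"event_type":"alert","src_ip":"192.168.1.30","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000003,"signature":"CONSTRUCTED info rule","category":"Misc activity"}}
{"event_type":"dns","src_ip":"192.168.1.30","dest_ip":"176.103.130.130","dest_port":53,"proto":"UDP"}
not json at all
"""


def is_internal(ip):
    """True when the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_alerts(eve_text):
    """Yield well-formed 'alert' events; other EVE types and junk lines are skipped."""
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("event_type") == "alert" and "alert" in ev:
            yield ev


def summarize_blocks(eve_text):
    """Map signature_id -> {signature, count, internal_only} for action == 'blocked'."""
    summary = {}
    for ev in parse_alerts(eve_text):
        a = ev["alert"]
        if a.get("action") != "blocked":
            continue
        entry = summary.setdefault(a["signature_id"], {
            "signature": a.get("signature", ""), "count": 0, "internal_only": True})
        entry["count"] += 1
        if not (is_internal(ev["src_ip"]) and is_internal(ev["dest_ip"])):
            entry["internal_only"] = False
    return summary


def review_candidates(summary):
    """SIDs that only ever dropped LAN-to-LAN traffic: first to consider setting to Alert."""
    return sorted(sid for sid, e in summary.items() if e["internal_only"])


if __name__ == "__main__":
    s = summarize_blocks(SAMPLE_EVE)
    for sid, e in sorted(s.items(), key=lambda kv: -kv[1]["count"]):
        flag = "LAN-only" if e["internal_only"] else "mixed"
        print(f"sid {sid}: {e['count']} blocked, {flag}: {e['signature']}")
    print("review first:", review_candidates(s))
```

Point SAMPLE_EVE at the real log contents and the LAN-only list is the set of rules to look at in the Alerts tab before switching anything to Alert.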



501
Development and Code Review / Re: dark theme first look
« on: January 16, 2018, 10:29:05 pm »
Very nice, hope to see this on my box soon :)

502
General Discussion / Re: How to open specific ports?
« on: January 16, 2018, 09:21:03 pm »
Getting ready

1. BACKUP OPNSENSE FIRST (absolutely mandatory and first step): System: Configuration: Backups
In the case something goes wrong, you can always revert using the backup set.
2. Copy-paste this comment in a txt file on your test machine and save it
3. Run a few speedtest.net to verify performance and throughput before and after these techniques are deployed in your environment
4. Disable the proxy server in OPNsense and configure clients not to use the proxy :) Do this on one machine first, see if it works.

DNS

Some particular public DNS servers will block queries pointing to malicious websites. I use OpenDNS or AdGuard DNS servers. OpenDNS will block no ads but more malware, AdGuard will block ad servers but less malware.

OpenDNS servers: there is a client integrated into OPNsense for this, create an account on OpenDNS.com and just fill in the form in OPNsense:Services:OpenDNS, the GUI will fill in the DNS servers from step 1 below for you.
AdGuard: https://adguard.com/en/adguard-dns/overview.html

Let's go with AdGuard as it is easy to verify and this one you need to manually configure:

1. Go to System: Settings: General
2. In the DNS servers field, delete everything and add these (don't configure gateways, leave it on none):
176.103.130.130
176.103.130.131
2a00:5a60::ad1:0ff
2a00:5a60::ad2:0ff
3. Uncheck if not already: 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and 'Do not use the DNS Forwarder/Resolver as a DNS server for the firewall'
SAVE
4. If you use Unbound DNS (OPNsense default), go to Services: Unbound DNS: General
5. Check if not already: 'Enable Forwarding Mode'
SAVE
6. Just to be sure everything works, reboot and check your internet connection on that one machine

IDS/IPS

1. Go to Services: Intrusion Detection: Settings tab
2. Check these: Enabled, IPS mode (do not check promiscuous mode)
3. If you have a newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select as pattern matcher 'Hyperscan'. You will have to dmesg in the console to verify. If no SSE3 (so a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.
5. Select all Home networks
6. Choose something for log rotation (whatever suits you best).
APPLY
7. Go to Download tab, select all, Enable then Download & Update rules
8. After everything is downloaded and enabled, edit each one, one by one, and select "Change all alerts to drop actions"
9. Select all again, download and update rules
10. Reboot just to be sure
11. Open this website https://www.wicar.org/test-malware.html and click on "EICAR TEST-VIRUS"
12. If nothing downloads, it works. If it doesn't work, a txt file will be downloaded (will not harm your PC in any way, it is a test virus)
13. Go to Services: Intrusion Detection: Schedule tab and configure a cron job so that the rules are automatically refreshed once a day (for 12AM each day, enabled: check, minutes: 0, hours: 0, day month: *, months: *, days week: *, command: update and reload ids rules)

What to do when something is not working (can't open a website, torrents don't work, can't connect to something)

1. Go to Services: Intrusion Detection: Alerts tab
2. In the search box, type blocked
3. If you found a rule you wish to unblock, edit it (click on the pencil icon) and select 'Alert' for 'Configure action', instead of 'Drop'
4. Go back to Services: Intrusion Detection : Rules tab and click 'Apply'

If absolutely nothing works, verify each step here, concentrate, read every word, don't skip anything unless you know what you are doing. If still nothing is working, go to System: Configuration: Backups and restore your backup. Don't forget to reconfigure the clients to previous settings, in your case the proxy.

Verify results:

1. wicar tests should fail (most of them) -> the site with the eicar test virus, there are more tests there
2. if you choose AdGuard dns servers, most of the ads in websites/ games etc will disappear and everything will load faster
3. if everything works, run a few speedtest.net again and compare

With these techniques, you should have a good protection and speed as well without the proxy. If you wish to tweak these more, you can configure your OpenDNS account and filter out more categories to block. With another set of AdGuard servers, you can block Default + blocking adult websites + safe search (Family protection DNS servers).

Relying also on DNS, you may want to make sure all DNS queries from the clients go to the ones you configured. If you wish, you can enforce this with a firewall rule:

Go to Firewall: NAT: Port Forward and click on the plus sign (create new rule)
1. Interface: LAN
2. TCP/IP Version: IPv4
3. Protocol: TCP/UDP
4. Source: any
5. Destination/Invert: checked
6. Destination: LAN address
7. Destination port range: from DNS to DNS
8. Redirect target port: DNS
9. Description: whatever you want
10. NAT reflection: Disabled
SAVE/APPLY

With these settings, I just got these results (from Romania, ISP is RDS with Fiberlink 1000 line, 1Gbit/sec download, 500Mbit/sec upload theoretical link, both are up-to values, with an i3-8100 CPU):
-to Amsterdam: http://www.speedtest.net/result/6972207406
-to Romania: http://www.speedtest.net/result/6972210834

That's it :)



503
General Discussion / Re: How to open specific ports?
« on: January 16, 2018, 08:39:09 pm »
IDS/IPS will not block viruses like an AV but rather they are complementary to each other. IDS/IPS will scan network traffic (packets) while the AV scans files. Both work with rules/signatures, both heavily dependent on these (except some newer technologies).

There's always a compromise to be made between speed and security. I prefer obviously both if possible, but this is difficult.

I prefer IDS/IPS in inline mode as it's lightning fast. The protection it offers is as good as your rules are. Combine this with a good DNS service and you will get a nice and fast security.

I will write you in the next comment a little howto.

504
18.1 Legacy Series / Re: PPPoE and pf restart after OPNsense reboot
« on: January 16, 2018, 06:46:05 pm »
So far so good, I'll reply again if I manage to reproduce.
I can also see the IP renew in the logs (same gdrive link as in the last pm).

Thank you Franco!

505
18.1 Legacy Series / Re: PPPoE and pf restart after OPNsense reboot
« on: January 16, 2018, 05:58:46 pm »
Thanks Franco!

This is what i noticed:
-calling /usr/local/etc/rc.interfaces_wan_configure from the console breaks the connection entirely, not even pf restart (or any other service exposed in the GUI for that matter) repairs it, I need to reboot the box
-with the script, pf restart fixes it, but still needed.

506
18.1 Legacy Series / Re: PPPoE and pf restart after OPNsense reboot
« on: January 16, 2018, 05:10:55 pm »
Well, all I can say at the moment is that everything was fine with 17.7.12
I have a cron job to reboot every early morning, did not wake up before without a working internet connection.

Maybe I should create a startup script or cron job which runs a command which executes a pf restart from the console.
Didn't research yet.

I hope it's possible, at least until a fix is available.

507
18.1 Legacy Series / Re: [18.1.r2] ***** is Insight working?
« on: January 16, 2018, 04:59:19 pm »
Yep, all good, guess we were replying at the same time, I just hit POST sooner :)

508
18.1 Legacy Series / Re: [18.1.r2] ***** is Insight working?
« on: January 16, 2018, 04:53:57 pm »
I spoke too soon. Guess it didn't have any data to display yet.
Confirming, Insights works :)

Great job Franco, as usual, thank you!

509
18.1 Legacy Series / Re: [18.1.r2] ***** is Insight working?
« on: January 16, 2018, 04:42:36 pm »
I too installed flowd-0.9.1_3.txz.
Unfortunately, I still don't have any data in insight. Rebooted, twice.

Maybe it's worth mentioning that I use ram disk for /var & /temp. I have no idea if this affects this, just saying :)

510
18.1 Legacy Series / PPPoE and pf restart after OPNsense reboot
« on: January 16, 2018, 04:32:19 pm »
Figured I should not keep this to myself and open a new topic not to flood another.

So, sometimes the PPPoE interface is not loading when it should (18.1.r1, 18.1.r2) and pf restart is required after an OPNsense reboot in order for the interface to work (otherwise, no internet connection for LAN clients, just the OPNsense box).

@Franco, I have sent you a PM with system logs, as you asked me the other day.

Thank you!
