Messages

1

Tutorials and FAQs / Re: Fast and easy way to protect your home and/or small office network with OPNsense

« on: August 20, 2018, 08:05:19 am »

Do you use the URLHaus list? ATM it's too big and unusable.

Thanks mimugmail.  I do have that list enabled at the moment.  Would it be better to disable the URLhaus lst and re-enable hyperscan?  Or leave the rule list enabled with the default pattern matcher?

I tried disabling that list and switched back to hyperscan.  Suricata still stalled out and stopped running with hyperscan enabled.  I have not re-checked my speed on my 1 Gbps up/down since switching to default pattern matcher, but plan to do so once I am back on ethernet instead of wifi, but I imagine it is not going to be a great speed.

2

Intrusion Detection and Prevention / Re: Rules recomended for Home Network

« on: August 20, 2018, 07:19:57 am »

I know this is a late reply, but I hope you were able to find this guide.

https://forum.opnsense.org/index.php?topic=6893.0

3

Tutorials and FAQs / Re: Fast and easy way to protect your home and/or small office network with OPNsense

« on: August 20, 2018, 07:18:05 am »

3. If you have newer Intel CPU (so not an AMD) in the OPNsense box, most probably you can select as pattern matcher 'Hyperscan'. You will have to dmesg in the console to verify. If no SSE3 (so a newer Intel CPU), leave the default Aho-Corasick
4. Select WAN and LAN in interfaces. If you have a PPPoE link, WAN won't work.

Hello @elektroinside

I followed your guide to the end and after downloading the rules (and after changing the ones you pointed out that caused issues with windows update to alert), I was able to get IDS/IPS to run, but only for less than a minute before it would stop itself.  I would watch the cpu graph and memory usage on the dashboard steadily climb and then I would see the cpu graph drop dramatically and watch my memory usage (4 GB RAM) drop from about 52% to 14%.  I would then refresh the dashboard to see that IDS had stopped.

I did some googling and it seems that my issue is that I had set pattern matcher to "Hyperscan"  (it's been staying on ever since I changed it back to default).  My i5 - 5250u has Intel SSE 4.1 and SSE 4.2, which are backwards compatible with SSE 3, so I rechecked your instructions to use dmesg to verify SSE3. I did use dmesg to verify the SSE3 set is there, but the only change I made was switching from hyperscan to default to make it work.  So, I am at a loss on that front.  My WAN is PPPoE, so I made sure that was not included and I double-checked all hardware acceleration was disabled.
 
  I see a small point that a little clarification could help those of us that need to follow this wonderful guide step by step.  The first part of step 3 says (to me) that if I have a newer Intel CPU, then I should have SSE3, but then the last part indicates that no SSE3 is indicative of a newer Intel CPU.  I re-read that part a few times, but was not sure which whether a newer intel CPU should have SSE3 or not.

Thanks again for this great guide and other guidance you have shared.

4

General Discussion / Re: Question on Firewall Rules

« on: August 11, 2018, 02:02:59 am »

Okay, I really don't understand this.

I took screenshots of the 3 rules I had created, then deleted the 3 rules and alias.

I re-created the alias and recreated the 3 rules and placed them exactly in the same place as I had them in the rules list prior to deleting them. 

I disabled Rule 2 and tried to send a test email from the camera while simultaneous watching the live log (filtered for that camera's IP) and saw the firewall block the attempt at port 587, as expected.  I then re-enabled Rule 2 and sent another test email and I could watch the firewall log pass that packet as I had hoped for Rule 2 in green.  I then saw my Rule 3 block a few attempts at port 53 at my LAN address, so I know that the firewall rules are working now.  I'm still not sure why they work now when they didn't before.

5

General Discussion / Question on Firewall Rules

« on: August 10, 2018, 07:30:42 pm »

Hello,

I am trying to setup my security cameras (only one is connected to the network while I figure this out) with 3 goals:

• The individual camera can email me if there is an alert (I have a separate email that is used only for this purpose)
• The individual camera cannot be reached by the internet (all remote viewing will be done through OpenVPN)
• The individual camera cannot reach the internet (so that they cannot be used as part of a botnet in the case that they ever become infected)

First, I created an alias for my security cameras and added the static IP I had setup for the camera (so I can just add IPs here as I add more cameras to the network).

I setup 3 rules in OPNsense

• Rule 1 - Action - Block, Interface - WAN, Protocol - any, Destination - security_cameras, destination port range - any (goal is to keep anything from the internet from reaching the camera)
• Rule 2 - Action - Pass, Interface - LAN, Protocol - TCP, Source - security_cameras, Destination - any, Destination Port Range - from 587 to 587 (port needed for smtp.gmail.com with TLS on camera), (goal is to allow the cameras to contact the smtp server)
• Rule 3 - Action - Block, Interface - LAN, Protocol - any, Source - security_cameras, Destination - any, Destination Port Range - any (goal is to block the cameras from reaching the internet)

Rule 1 is on the WAN rules page and Rules 2 and 3 are on the on LAN rules page.  Rule 2 is higher on the list than Rule 3, so I thought that should take precedence.

If I have all 3 rules enabled, using the cameras test email setting, the email fails to send. 
If I have Rule 1 and Rule 2 enabled, and Rule 3 enabled, the camera test email will send.

I plan on using the same types of rules to block other items from the internet as much as possible as I add them back to the network, so if I could just get the basics down using this one example, I think I can move forward from there.  I was able to use aliases and WAN rules to get my Xbox ONE from a strict NAT to a moderate NAT using one of the threads on this forum.  With a little bit more research, I was able to get that NAT from moderate to open.

I'm hoping someone with more networking experience can help me out with this and help guide me on this.

Thank you.

6

18.1 Legacy Series / Re: PPPoE with VLAN Tagging

« on: August 09, 2018, 07:47:26 pm »

At that point see if connects and logs in. Check the logs and see what's reported.

Thanks marjohn56.  the only thing I did differently than what I had posted is it seems that OPNsense does not allow for  enabling Dial-On-Demand with a 0 timeout.  So, I did not check "Dial-On-Demand" and left the time out blank.  It's been working great since (other than the igb with pppoe "feature").

Thanks again for the help.  If nothing else, hopefully this thread can help another networking noob figure out pppoe with vlan tagging eith opnsense.

7

18.1 Legacy Series / [SOLVED] PPPoE with VLAN Tagging

« on: August 03, 2018, 11:25:48 pm »

Hello everyone.  It's been a while since I have posted, but I have learned a lot from many people here.

I have a qotom q355-g4 running opnsense 18.1.13 (waiting a little bit to upgrade to 18.7) sitting on my desk and I hope to be able to plug it back in as my main router.  The WAN is currently set as dhcp.

I upgraded to CenturyLink gigabit fiber service and had issues trying to connect the OPNsense box and resorted to using the isp's gateway, so I pulled the OPNsense box to when I had more time to figure this out.

Thanks to the help of many here and some other tutorials I found online, I was able to setup and successfully connect to 2 different OpenVPN Servers through OPNsense and I was also able to SSH and install the Ubiquity Unifi controller on the qotom box.

Now I need to setup the VLAN -tagged PPPoE interface to connect to Centurylink's service.  The VLAN tag is 201.   I have my PPPoE username and password (encrypted and non-encrypted).  I looked to see if there is a guide for noobs, but I am kind of at a loss.

The qotom has for nics (igb0 - WAN, igb1 - LAN, igb2 - OPT1, igb3 - OPT2).  I plan on using OPT1 later on as a LTE failover for certain IP addresses, but that is a future item.

I have setup a VLAN in Interfaces --> Other Types --> VLAN and made the following selections:

• Parent Interface - igb0 - wan
• VLAN tag - 201
• VLAN Priority - Best Effort (0, default)

I'm not sure where to go from here.  I know I will need to go to Interfaces --> WAN and select PPPoE from the IPv4 Configuration Type and then enter my username, password, enable Dial-On-Demand, and enter 0 Idle timeout. 

What would I do after this point?

I appreciate any help on this.  Thanks in advance. 

8

General Discussion / Re: New User - Hopefully Easy Question

« on: March 15, 2018, 01:35:51 am »

Now I don't feel so dumb for not being able to find it through the GUI.

Now that I know to either use the console directly (won't be an option for much longer) or use SSH, I'm good to go on that front.

I appreciate everyone's help.  I especially appreciate the fact that a developer came here and explained the rationale behind the omission of the CLI without being asked.

Now, more to read and learn before putting it in use full time.  I think I'm going to enjoy learning more about this product.

9

General Discussion / Re: New User - Hopefully Easy Question

« on: March 14, 2018, 05:14:58 am »

I just wanted to say thanks again.

I was able to connect with PuTTY by following your post (after enabling ssh in the GUI) and ran the script to install the Unifi controller.  I checked that I could connect to the Unifi controller's webpage (but did not actually use the wizard as my AP is not connected to it).  I already configured Dynamic DNS and confirmed it works.  Now I just need to configure OpenVPN and test it before putting it in service.

I tried to find boot/loader.config.local but was unable to find it using WinSCP.

I will also need to learn more about failover WAN as I want to setup an LTE modem as a backup, but will need to figure out how to use rules to limit access to the backup WAN to only certain devices.

I still need to read up on some of the popular services I see mentioned and what they do.  I don't think I need a traffic shaper, but some other items look interesting.

Lots to learn and I am already glad I am trying this route.

10

General Discussion / Re: New User - Hopefully Easy Question

« on: March 13, 2018, 08:42:21 pm »

Thank you, elektroinside.

I'll take a look at that post and try to follow along.  My box is not in use yet, so if I mess something up, I am not opposed to a clean install (at this point).

May I ask what issues did you have at install?

I actually had the segmentation fault issue that you posted the workaround to when installing to the Qotom box.
https://forum.opnsense.org/index.php?topic=7329.msg33100#msg33100

The issues I was having with the VM had to do I think with NIC configuration.  I couldn't get in the GUI for OPNSense and when I had the OPNSense VM running, I had computers on my network having issues connecting to the internet.  Didn't have that issue when running another product running in VM to test.

11

General Discussion / New User - Hopefully Easy Question

« on: March 13, 2018, 07:35:15 pm »

Hello.

I had hoped to have a better first post to the forum, but I keep coming to a dead-end to such a simple question.

This is my first time using OPNSense.  I had played around with another product in a virtual machine prior to ordering a Qotom q355-g4, but once I had the actual hardware, I decided to try OPNSense (for some reason,I had issues trying to load it into a VM, so abandoned that endeavor until I had dedicated hardware).

I had the issue trying to do a bare metal clean install of 18.1 directly, so I installed 17.5 and then eventually upgraded to 18.1.4 through the GUI.

As I am still setting this up, I only have 1 computer in use behind it through wired LAN (double NAT behind OPNsense box and ISP gateway (will bridge ISP gateway to PPPoE once OPNSense setup is complete and tested)).  Already have a Ubiquiti AC-Pro running for WIFI. OPNSense box is still connected to a KB and monitor in case I need to make changes on the console.

I am still learning a lot about networking and reading different forum posts and logs, but I have a really simple question.

Where can I find the command line to run scripts?  I looked through out the GUI, used the search function (GUI, Wiki, forums), Google, etc. but I am unable to find where to actually open the CLI to be able to run scripts.

Thanks in advance.