Messages

121

20.7 Legacy Series / Re: 20.7.4 Success!! PPPoE?

« on: November 05, 2020, 11:03:41 pm »

I guess I'm after a next-gen firewall and for almost free

Like allebone I pay for a Monthly Sensei sub and donate to OPNsense as I think the total package is amazing and easily worth these costs.
This solution covers my home setup which is relatively complicated as I work in IT and it changes on almost a daily basis... so the easy configuration and ability to adapt to my needs is excellent.
Ideally I would have modern Cyber Sec from my firewall including IPS (not IDS) and application-level inspection. Most users can now get this when using OPNsense with Sensei and Suricata, Hopefully netmap support will come for PPPoE for us other users

Any info on progress of this and how we can help if needed is what we are after.

@Franco I think you have answered this now as its basically unknown, not a priority currently and in the hands of the FreeBSD netmap Gods.

122

20.7 Legacy Series / Re: 20.7.4 Success!! PPPoE?

« on: November 05, 2020, 01:38:25 am »

@franco
Thanks for the reply, do you know if netmap support for PPPoE is currently being progressed or if it has been postponed?
I agree that thanks to the Sensei backed effort, a substantial improvement has been made to overall netmap support for FreeBSD. A few of us would love to see PPPoE supported but personally I would understand if this cannot be achieved anytime soon.

@allebone
For me personally I cannot currently run both Suricata and Sensei at the same time but do know that Sensei have on their roadmap to support both on the same interface sometime in the near future.
Ideally it would be great to have full netmap support in FreeBSD for PPPoE so I could run either Suricata OR Sensei on that interface type.

123

20.7 Legacy Series / Re: 20.7.4 Success!! PPPoE?

« on: November 01, 2020, 04:11:07 am »

Just bumping this one up again.

Any update from the Sensei or OPNsense teams on the progress of netmap support for PPPoE when using Suricata or Sensei.
Last I heard was that it would hopefully be progressed after that main netmap updates were comitted, which I think went into 20.7.4

Thanks for any official update on this!
Would just be good to know if its still possible or if it had to be postponed.

124

Zenarmor (Sensei) / Youtube Moderate or Restricted

« on: October 30, 2020, 10:26:14 pm »

Hi,

Is it possible to use Sensei to force youtube to either moderate or restricted within a policy?
Either on an entire VLAN or set of IP addresses?

Similar to what is being done here
https://forum.opnsense.org/index.php?topic=16876.0

Thanks

125

20.7 Legacy Series / Re: 20.7.4 Success!! PPPoE?

« on: October 24, 2020, 10:34:23 pm »

Thanks for the reply @heresjody, but I was hoping for a more official update on the state of PPPoE and netmap support. Just wondering if it is still actively in development or if it has been re-prioritised to a later date?

My setup is really quite stable now with Sensei on the LAN on vtnet thanks to all the great work that has been done.
I'd also like to get Suricata IPS running on the WAN which for me is PPPoE again on vtnet.
 

126

20.7 Legacy Series / 20.7.4 Success!! PPPoE?

« on: October 24, 2020, 04:47:09 am »

Hi all,

I have successfully upgraded to 20.7.4 after running the pkill syslog-ng via shell.
All looks great so far and thanks for the great effort to all those involved with getting us here.

I was wondering what that state of play is with PPPoE in the WAN interface.
Is there a recommended approach here like Suricata on the PPPoE Interface and Sensei on LAN?
Or are we still not there yet with netmap support on a PPPoE interface.

I'm running OPNsense as a guest on Proxmox so using vtnet.

Thanks for any advice on this
Dan

127

20.7 Legacy Series / Re: Resize OPNSense Partition

« on: September 22, 2020, 10:41:06 pm »

A walk-through of this process would be great for OPNsense users!

I had the same issue a while back and after reading a load on FreeBSD (I'm noob to it) and how to resize, testing and making changes, I ended up reinstalling OPNsense as a new VM with the size I needed.

Resizing the primary partition in FreeBSD is a dark art to me. There's loads of info for resizing other partitions...

128

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: August 27, 2020, 03:44:03 am »

@mb,

Thanks for the updates.
Let me know when you have a PPPoE solution that needs testing.

129

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: August 26, 2020, 10:05:10 am »

@mb,

I now can see the used 'LAN (vtnet0)' interface, but not PPPoE. Only it's parent interface 'Unassigned (vtnet1)'

130

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: August 26, 2020, 05:17:48 am »

OK am running latest Kernel:

12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #6  39e30dc05(master)-dirty: Sat Aug 22 09:35:48 PDT 2020     root@sunnyvalley12.localdomain:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64

And am running Sensei 1.6 Beta1

I can't see any interfaces in Sensei to apply to. Not even vtnet0 LAN which it is currently running on.

Should I hack in some bypasses https://forum.opnsense.org/index.php?topic=9521.msg84199#msg84199

131

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: August 25, 2020, 10:52:14 pm »

Hi @mb,

When I try to apply the 1.6 package via SSH I get the following:

the most recent version of os-sensei-1.5.2_1 is already installed

Just to confirm, this is the latest Sensei version, do we also need the latest kernel version?
What versions do you recommend we test with?

132

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: August 23, 2020, 04:42:04 am »

Firstly, thanks for the awesome effort so far in getting these netmap issues sorted out.

Confirmed running
FreeBSD 20gw.local 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #6  39e30dc05(master)-dirty: Sat Aug 22 09:35:48 PDT 2020     root@sunnyvalley12.localdomain:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64

Unfortunately I am having trouble making my PPPoE interface available for Sensei.
I have gone as far as adding an additional vtnet interface to my Proxmox OPNsense guest at OPT1. This was to ensure I could move Suricata to an unused interface (Suricata is disabled).

My only available interfaces in Sensei are:

LAN vtnet0 - Currently running on this interface
(Unassigned) vtnet1 - this is the interface that PPPoE resides on
OPT1 (vtnet2) - The new interface I added and moved Suricata to. To be sure it was not conflicting.

Should I be expecting to see PPPoE as an available interface?

133

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: August 20, 2020, 11:45:26 pm »

Help with Sensei App Controls (Home Edition)

UPDATE - I'm making some progress using Sensei Reports and discovering what rule is blocking my progress.
Is it possible to show 'Block Sub Category' in the Reports view?
I can see for example Blocked by 'Application Category Online Utility' but not specifically what Signature it is. Like 'Microsoft Licensing' for example.

I'm trying to create a Policy that restricts internet usage for my kids. More out of interest than anything really, and they are the best testers to be honest.

My approach so far is 'select option>save>test' which is really slow considering the number of options.
Also browser caching on the client is annoying.

My Policy is controlling a set of IP addresses (not an entire subnet) that are assigned to their devices. Being an android phone, android tablet and two windows 10 laptops.
Ultimately I'd like to create a 'Family Safe' setup for the kids and maybe even restrict it to certain times.
Any help or advice on what to do or where to look with regards to configuring Sensei for info on this would be great.

Thanks in advance

 

134

20.7 Legacy Series / Re: Call for testing: netmap on 20.7

« on: August 20, 2020, 03:41:20 am »

I have run up the following kernel on my Proxmox vtnet pppoe setup

FreeBSD ... 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #3  87f253a0d(master)-dirty: Sat Aug 15 09:29:08 PDT 2020     root@bsd12_openssl:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64

I was getting hi CPU usage from flowd_aggregate which settled down after about 5 mins

Code: [Select]

39226 root 101 0 38M 29M CPU0 0 0:56 98.97% /usr/local/bin/python3 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py (python3.7)
11 root 155 ki31 0 32K RUN 0 8:24 50.98% [idle{idle: cpu0}]
syslog_ng starts then stops (I manually started this up again although I do not do remote logging so not sure if I need this for any local OPNsense logging?)

Sensei is running successfully on vtnet LAN interface
Suricata enables on vtnet/PPPoE but does not work

Looking forward to testing out some PPPoE netmap updates

135

Intrusion Detection and Prevention / New Logs view in 20.7

« on: August 10, 2020, 11:29:43 pm »

Hi,

My Suricata logs seem to be broken into two types within Services>Intrusion Detection>Log File.

The first type is the original detailed information about success of rule downloads and startup of services.
This always appears at the top of the log view.
These can be cleared using the button 'Clear Log' within this view

The second is more like a set of general Suricata statistics.
This always begins after all ALL of the above logs. This also cycles continuously in my case.
These can only be cleared by System>Settings>Logging 'Reset Log Files'

Is this perhaps to do with a move to syslog-ng?
Just wondering if my setup is broken or are others seeing this too?
Any help to fix would be greatly appreciated.
Ideally I do not need to see the 'stats' logs in my Suricata logs

I have disabled Circular Logging as I understand this sets OPNsense to use the newer syslog-ng.

I also have loads of these in my General Logs

2020-08-11T09:19:24   syslog-ng[33964]: Destination timeout has elapsed, closing connection; fd='6'
2020-08-11T09:18:24   syslog-ng[33964]: Destination timeout has elapsed, closing connection; fd='6'
2020-08-11T09:17:24   syslog-ng[33964]: Destination timeout has elapsed, closing connection; fd='6'
2020-08-11T09:16:24   syslog-ng[33964]: Destination timeout has elapsed, closing connection; fd='27'
2020-08-11T09:15:32   syslog-ng[33964]: Destination timeout has elapsed, closing connection; fd='6'
2020-08-11T09:14:32   syslog-ng[33964]: Destination timeout has elapsed, closing connection; fd='23'