Messages - Vilhonator

151
Intrusion Detection and Prevention / Re: Energy Efficiency Tunable
« on: June 12, 2022, 01:05:30 pm »
As mentioned earlier, your network interface must support Energy Efficient Ethernet.

EEE is something you don't really need unless you have a switch which is providing Power over Ethernet to 20+ APs and the switch itself is power hungry as heck.

The downside of EEE is that it can slow down connections and even cut them outright if not properly set up.

The benefit of EEE is in lowering your electric bill and keeping your switches cool by lowering their power consumption based on how many clients connected to them require full network speed or how much power APs need through PoE ports.

In other words, EEE is a method which is used to automatically determine how much power your network REALLY needs instead of letting everything run at max power consumption levels.

152
Intrusion Detection and Prevention / Re: Suricata IPS Mode Ruleset
« on: June 12, 2022, 12:46:01 pm »
Forgot to mention that you can also fetch rulesets using an SSH or console connection, which enables you to see the progress of things in real time.

https://suricata.readthedocs.io/en/latest/quickstart.html has an in-depth guide, though the guide in question assumes you have an external server which runs it. So you need to change every command and file location to what matches OPNsense.

There's also an option to send logs to your PC, which you can read in real time with a syslog server client or Wireshark, but the web GUI doesn't have a progress bar or anything that would display progress or possible errors in detail.

153
Intrusion Detection and Prevention / Re: Suricata IPS Mode
« on: June 12, 2022, 12:16:21 pm »
Check the logs for any errors.

If there are no errors, then depending on your internet speed and the hardware of your server or firewall, it can take literally hours to download all the rulesets.

You can also install plugins and go to Suricata's website, follow the instructions on how to fetch rulesets on BSD and manually do things via SSH, which will display the progress in real time; just the locations in OPNsense differ from the guide.

154
Virtual private networks / Re: Ping over VPN
« on: June 12, 2022, 12:05:15 pm »
If your VPN is hosted by some server outside your network and the VPN connection works just fine (meaning you can access the internet and everything you need), then it means the VPN host is blocking ICMP traffic, either because it's hosted on a router or on a server behind a router which has DoS attack protection enabled, or simply the firewall which the server is protected by blocks ICMP traffic.

155
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 12, 2022, 10:00:37 am »
Quote from: defaultuserfoo on June 11, 2022, 10:53:07 pm
Firewall rules do not prevent devices on the same network from communicating with each other.  You'd have to use VLANs or other means to prevent that.

Ah good point.

Firewalls won't allow or block communication per se; they pass, block or reject traffic which meets specific conditions. With the right rules you are able to reject or block certain communications which use specific protocols and ports, but not communications which don't rely on protocols, ports AND meet the conditions of the "Default allow LAN to any" rule or other rules which the firewall passes.

156
General Discussion / Re: Your low power PoE Switch recommendation
« on: June 11, 2022, 02:05:00 pm »
Quote from: +DS_DV+ on June 11, 2022, 01:05:11 pm
Thank you for your input.

Maybe I just look for a managed 8 port switch and use a PoE injector for my access point.
I understand that it's costly, but 450€ is more than most of my homelab combined ... that's in no relation.

I stumbled upon the https://mikrotik.com/product/crs112_8p_4s_in but even that is 250€.

The Cisco CBS220 looks nice tho, that definitively gets into the closer circle. Even tho I'd rather buy the Linksys equivalent just to not own a Cisco product :'D for me Cisco is like Nestle ^^

Well, there's a good reason why most companies use Cisco network gear. Cisco is the best that money can buy (though you need to spend quite a bit of money; cheap models are utter garbage). I used a Catalyst 2960 48 port model released in 2007 till I decided to switch to a new one, though it still works like a charm with stock coolers and all, it's just *ahem* SLIGHTLY dirty ^^.

157
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 11, 2022, 01:45:49 pm »
Quote from: defaultuserfoo on June 11, 2022, 01:02:15 pm
Quote from: Ice_Drake1 on June 11, 2022, 02:59:56 am
Oh, really? Devices on the same network will communicate directly with each other? I was using the same two devices for all my testing and I thought I would need that rule for them to communicate.

Yes, they do that, unless something is wrong.

Just to clarify.

Devices connected to the same network (not the same as the same interface) will be able to communicate with each other without issues unless you set up a firewall rule which prevents it, or there's something wrong with routing.

Devices connected to different networks won't be able to communicate with each other even if you set up firewall rules, without having correct routes, which usually is done by L3 switches, the firewall or the router automatically, but not always.

The first 3 rows of the IP address and subnet mask define the network; as long as all those match, devices which begin with the same IP and have the same subnet mask are in the same network.

192.168.0.0/16 is a CIDR and allows you to create networks from 192.168.0.1 to 192.168.255.253, and that is required for VLANs whose networks belong to that range.

You can for example set up LAN to use the 192.168.0.1 IP, assign VLANs and set up routes, DNS and DHCP on a switch, and no one can access your firewall and you don't need firewall rules for it. Then the only way to access the firewall is to physically connect to it and set a static IP belonging to that network, using the console or connecting a keyboard and monitor to the firewall's USB and video ports. That's what your ISP does: the gateway your WAN connects to is either just an unmanaged router or switch, or their remote management requires some form of authentication.

The above mentioned facts are also the reason why you shouldn't connect your computer directly to the internet: as with private IP blocks, public networks also have unrestricted access to any device within the same network or CIDR (not that I encourage doing so, but just scan your public IP's CIDR with nmap and you will see what I mean. Depending on where you are, it could be illegal as heck though).

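The same-network test and the 192.168.0.0/16 block discussed in the post above, worked through with Python's standard `ipaddress` module. This is an added example, not code from the poster or from OPNsense; the function names and the sample addresses are made up for illustration.

```python
# Added example (not from the forum post): checks whether two hosts share a
# network under a given subnet mask, lists the usable host range of a CIDR
# block, and carves a parent block into per-VLAN subnets.
import ipaddress
from typing import List, Tuple


def same_network(ip_a: str, ip_b: str, netmask: str) -> bool:
    """True when both addresses fall inside the network defined by the shared mask.

    strict=False lets us pass host addresses; ip_network() masks off the host bits,
    so two hosts are "in the same network" exactly when the masked results match.
    """
    net_a = ipaddress.ip_network(f"{ip_a}/{netmask}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{netmask}", strict=False)
    return net_a == net_b


def usable_host_range(cidr: str) -> Tuple[str, str]:
    """First and last host address of a block, excluding network and broadcast."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def vlan_subnets_in_block(block: str, new_prefix: int) -> List[str]:
    """Split a parent block (e.g. 192.168.0.0/16) into equal subnets, one per VLAN."""
    parent = ipaddress.ip_network(block, strict=True)
    return [str(subnet) for subnet in parent.subnets(new_prefix=new_prefix)]


def is_in_block(ip: str, block: str) -> bool:
    """True when a single address belongs to the given CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(block, strict=True)


if __name__ == "__main__":
    # Constructed sample addresses: two hosts on different /24s share a /16.
    print(same_network("192.168.1.10", "192.168.2.20", "255.255.255.0"))  # False
    print(same_network("192.168.1.10", "192.168.2.20", "255.255.0.0"))    # True
    print(usable_host_range("192.168.0.0/16"))
    print(vlan_subnets_in_block("192.168.0.0/16", 24)[:3])
```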
158
General Discussion / Re: Help setting up Static IPs
« on: June 11, 2022, 11:39:31 am »
Now before you start playing with routes, connect your PC to OPNsense and google "what is my IP". If Google shows a different IP than your router has, then your OPNsense has a different IP; if it's the same, then your OPNsense is using the router's IP already.

It is better to call your ISP and confirm whether it is a routing issue and get assistance with setting things right. Getting routes wrong will lock you out from router and OPNsense management and disconnect you from the internet completely, and you need to reset everything to the last working configuration (that is, if you haven't disabled automatic backups).

159
General Discussion / Re: Help setting up Static IPs
« on: June 11, 2022, 11:21:16 am »
You can't use the router's IP on the WAN interface (you can assign only 1 IP per client).

The way you are able to use the router's public IP on WAN is to connect the WAN port to a LAN port, enable DHCP on the router and use DHCP on WAN (also un-tick "Block private IPs" in the WAN interface settings).

What you are able to do is to assign another public static IP to your WAN interface (that is, if there's one which isn't in use).

To assign a public static IP, you need to set the router's IP as the gateway (otherwise it is the same as assigning an IP when directly connected to the internet); as long as the router has a route for that specific network, it will work, otherwise you need to route the traffic to the right gateway on the Internet side.

If your office / home has a second ethernet port which connects directly to the internet, then you can assign a public IP like you assigned the public IP on the router.

160
General Discussion / Re: Your low power PoE Switch recommendation
« on: June 11, 2022, 10:52:31 am »
Also the Cisco CBS220 8G 2SFP PoE 67W smart switch is a decent price. But depending on the size of the network you're going to connect it to, you might be better off with the 16 port model.

What you should check (especially when using VLANs) is the switching capacity of the switch as well; 20Gb/s (which the Cisco CBS220 8G 2SFP has) is enough if you're using it at home and devices connected to it never reach even close to 20Gb/s speeds, but connecting it to, for example, a NAS with a 10Gb/s NIC or having 20+ clients connected to VLANs can easily be too much for it.

Also Cisco uses a bit different terminology (for example trunk mode is one which you don't find on many other brands' switches), so with other brands you sometimes need to read the manuals to set up VLANs etc.

161
General Discussion / Re: Your low power PoE Switch recommendation
« on: June 11, 2022, 10:33:22 am »
Sadly any good switch is going to cost you a bit.

I would recommend checking the Cisco Catalyst 1000, which are the cheapest Catalyst switches out there, or the SG-350 series (stay away from Meraki).

162
Intrusion Detection and Prevention / Re: Suricata IPS Mode Ruleset
« on: June 11, 2022, 10:04:31 am »
Quote from: peterwkc on June 11, 2022, 09:48:25 am
I had subscribed to etPro but it cannot download; it takes a few hours and it doesn't complete. Why like this?

Is there any Block tab in the Intrusion detection menu?

Check the logs for errors.

Depending on your hardware and network speed, it can take from 5 minutes to 24 hours to download the rules (there's A LOT of them).

163
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 11, 2022, 06:10:29 am »
Quote from: Ice_Drake1 on June 11, 2022, 02:55:39 am
Quote from: Vilhonator on June 10, 2022, 07:01:53 pm
You need to create routes to be able to allow traffic from 2 different networks to communicate with each other.

First add your LAN IP 192.168.1.1 to gateways.

After that, create a rule where the network is 192.168.0.0/16 and the gateway is 192.168.1.1 (or whatever is the LAN IP of any LAN interface your OPNsense has. The IP MUST BE the LAN gateway in use and within the same IP block.)

Voilà, now all traffic between IPs 192.168.0.1 - 192.168.255.254 goes to 192.168.1.1 (or whichever LAN interface you use as the route gateway) and can talk with each other.

Basic network stuff. Devices which belong to different networks can't communicate with each other.

Well, I am configuring my OPNsense to be the gateway for both LANs. To be more precise, it is the gateway for all 4 LANs, so I don't need a gateway for that. The person in the tutorial video did the same thing. He was able to get communication working between the two LANs.

It is possible that your OPNsense didn't create the routes (usually routers and firewalls will create routes automatically); I've had the same issue as you do a couple of times, and adding the routes manually usually fixed it.

You can check if the routes are there, but usually when ping fails to a certain destination other than the gateway, it is a sign that you don't have a working route.

164
Virtual private networks / Re: openvpn and gaming - server access issue
« on: June 10, 2022, 11:47:50 pm »
Quote from: NoncarbonatedClack on June 10, 2022, 10:18:58 pm
Quote from: Vilhonator on June 10, 2022, 08:00:18 pm
Check the firewall rules of the interface whose network your Minecraft server belongs to.

By default, incoming traffic from different networks is blocked.

But wouldn't ping count as traffic and thus be blocked..?

I'll make a rule and try it out though.

Not quite. Ping tells you if a route exists, and you can block pinging by blocking ICMP traffic (the firewall blocks TCP/UDP traffic by default; ping is neither of those).

Also you will be able to ping pretty much any IP to which there's a route, if ICMP traffic isn't blocked. Again, ping only tells you if there's a working route to that address; traceroute would give you more detailed results on routes.

165
Virtual private networks / Re: openvpn and gaming - server access issue
« on: June 10, 2022, 08:00:18 pm »
Check the firewall rules of the interface whose network your Minecraft server belongs to.

By default, incoming traffic from different networks is blocked.

Also, clients won't be able to access clients on a different network without proper routes, but pinging tells you that the routes are fine.
