24.1 Production Series / Changes in the update of GeoIP databases
« on: March 13, 2024, 04:56:13 pm »
https://www.reddit.com/r/opnsense/comments/1bchr5v/maxmind_transition_to_r2_presigned_urls/
https://dev.maxmind.com/geoip/updating-databases?utm_campaign=R2%20presigned%20URLs&utm_medium=email&_hsmi=297747371&utm_content=297747371&utm_source=hs_email#directly-downloading-databases
https://github.com/maxmind/geoipupdate/issues/290
Zenarmor (Sensei) / High ram consumption Zenarmor 1.16.1
« on: January 05, 2024, 03:08:30 pm »
Mini-PC, OPNsense, 8 GB RAM
Suricata deactivated
With version 1.16 I had 55% of RAM in use; with the new version 1.16.1 I am now at 80-85% of RAM in use.
Intrusion Detection and Prevention / Suricata in Wan does not work with ppoe
« on: December 19, 2023, 06:27:51 pm »
So far I had Suricata working correctly on WAN, but I have changed internet provider and now use PPPoE. I created the corresponding PPPoE VLAN assigned to WAN and configured the WAN interface with PPPoE and a user/password. In interface assignments I assigned the PPPoE VLAN created earlier to WAN. With this configuration I have internet access without any problems. The problem is that Suricata on WAN does not work, even if I enter the WAN IP I assigned, something that worked perfectly before. By "does not work" I mean that it blocks absolutely nothing; it is as if it did not recognise the interface. For it to recognise it, in interface assignments I have to set WAN to igb xxxxxx and create a new virtual interface for PPPoE.
23.7 Legacy Series / Native/Emulated Mode Netmap
« on: September 06, 2023, 02:08:34 pm »
Mini-PC OPNsense 23.7.3
-WireGuard
-Suricata ( WAN )
-Zenarmor ( Routed mode L3 native Netmap ) LAN + LAGG
Interfaces ( igb ):
-WAN
-LAN
-WG
-LAGG
Access to OPNsense via SSH: sysctl -a | grep netmap
Native Netmap does not work.
Zenarmor (Sensei) / The futility of Zenarmor in Opnsense
« on: August 09, 2023, 01:13:44 am »
Zenarmor started as Sensei, and at the beginning it required a huge amount of resources to work. Later those requirements were lowered, but it still did not work well, giving problems of all kinds, and today it still does despite the time elapsed; a good example of this is the new 1.4 update, which despite having had its testing time is a real disaster, including the subsequent patches, which is incredible. Suricata is a good example of user-friendly integration, with its Telemetry rules providing an extra benefit to OPNsense; however, Zenarmor in its free version is still a bad, cheap ad blocker with very limited settings and features, provided it works well, which it never does. It doesn't even bother to work on the WireGuard interface. Without going any further, AdGuard or even pfBlocker do it much better and without needing so many resources to operate. Does it make sense today to keep Zenarmor as a plugin? Clearly not; it would be much better for OPNsense users if Franco integrated AdGuard, as has been done with wireguard-kmod, and Zenarmor were abandoned. If something works and benefits users it should be promoted, but if something like Zenarmor not only provides no value but is a real disaster, better to abandon it and replace it with something better.
23.7 Legacy Series / Suricata 7
« on: August 01, 2023, 02:05:00 am »
After formatting my mini-PC with the OPNsense 23.7 Release Candidate, today I upgraded to the stable version. Once upgraded I decided to try Suricata 7 and I had the same problems as mentioned here:
https://forum.opnsense.org/index.php?topic=34997.0
To solve these problems I added the command mentioned in that post to Suricata's custom.yaml file, and indeed these problems are solved. Suricata 7 brings a lot of changes, among them support for HTTP/2 and QUIC, but they do not appear in the suricata.yaml file, unlike the suricata.yaml file on GitHub. I don't know if I did it right, but to activate this support I added the following to the custom.yaml file:
stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes
This way Suricata 7 works great; in fact it has much better performance compared to Suricata 6.x.x.
The problem comes when I restart OPNsense: the custom.yaml file appears blank, without the modifications added, and I have to put them back by accessing OPNsense via SSH. That is, the custom.yaml file does not survive OPNsense restarts.
The custom.yaml file is located at /usr/local/etc/suricata
I don't know if there is another custom.yaml file elsewhere that survives OPNsense restarts.
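A quick post-boot check for the problem described in the post above, added here as an example (it is not OPNsense or Suricata code): it reads the custom.yaml at the path the post names, or any path given on the command line, and reports which of the three overrides are missing or changed, so a cron job or a shell login can tell immediately whether the file was blanked again. The tiny YAML reader only understands the flat and one-level-nested keys used in the snippet, and the sample text inside it is constructed for this example.

```python
"""Check that Suricata's custom.yaml still carries the intended overrides.

Added example, not OPNsense or Suricata code.  No third-party modules, so it
runs with the python3 already present on the box.
"""
from __future__ import annotations

import sys
from pathlib import Path

# Path named in the post; override on the command line if yours differs.
DEFAULT_PATH = "/usr/local/etc/suricata/custom.yaml"

# The overrides the post adds, in flattened "a.b" form.
EXPECTED = {
    "stream.midstream-policy": "ignore",
    "http2.enabled": "yes",
    "quic.enabled": "yes",
}

# Constructed sample matching the snippet in the post (nested keys indented).
SAMPLE_CUSTOM_YAML = """\
stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes
"""


def flatten_yaml(text: str) -> dict[str, str]:
    """Flatten a small YAML mapping into dotted keys.

    Understands 'a.b: v', and 'a:' followed by indented 'b: v' lines; skips
    comments, blank lines and document markers.  Not a general YAML parser
    (assumption: custom.yaml holds only such lines).
    """
    found: dict[str, str] = {}
    stack: list[tuple[int, str]] = []  # (indent, key) of currently open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith(("---", "%YAML")):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        # Close every open mapping that is not an ancestor of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        prefix = ".".join(k for _, k in stack)
        full = f"{prefix}.{key.strip()}" if prefix else key.strip()
        value = value.strip().strip("'\"")
        if value:
            found[full] = value
        else:
            stack.append((indent, key.strip()))
    return found


def missing_overrides(text: str, expected: dict[str, str] = EXPECTED) -> dict[str, str | None]:
    """Return expected settings that are absent (None) or carry another value."""
    found = flatten_yaml(text)
    return {k: found.get(k) for k, v in expected.items() if found.get(k) != v}


def check_file(path: str) -> bool:
    """True if the file exists, is non-empty and carries every expected override."""
    p = Path(path)
    if not p.is_file() or p.stat().st_size == 0:
        print(f"{path}: missing or empty, overrides lost")
        return False
    bad = missing_overrides(p.read_text())
    for key, value in bad.items():
        print(f"{path}: {key} expected {EXPECTED[key]!r}, found {value!r}")
    return not bad


if __name__ == "__main__":
    sys.exit(0 if check_file(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH) else 1)
```

Run it after a reboot or from a cron job and look at the exit status: non-zero means the overrides are gone or altered. It only confirms the text is present; whether Suricata accepts the merged configuration is a separate check, `suricata -T -c /usr/local/etc/suricata/suricata.yaml`. Note that the nested keys must be indented as shown, since an unindented `enabled: yes` is a top-level key, not part of `http2`.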
23.7 Legacy Series / Firewall block rules not working
« on: July 27, 2023, 07:10:28 pm »
NAS ( 192.168.1.3 - 192.168.1.6 )
Computer ( 192.168.1.2 )
I want to block all outgoing connections to my NAS except one. By putting the NAS block rules at the top, my entire local network is cut off from the internet. If I create a rule that allows traffic to the internet for my computer and put it at the top, the computer has an internet connection, but no outgoing connection from the NAS is blocked.
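Rule order decides this kind of "block everything from the NAS except one destination" setup, because OPNsense evaluates rules first-match (each rule is "quick" by default). The script below is an added example, not OPNsense code: it models that first-match evaluation in plain Python over the addresses in the post, with an assumed LAN subnet (192.168.1.0/24), a placeholder permitted destination (203.0.113.10 port 443) and a placeholder internet host (198.51.100.7), and flags rules that no test flow ever reaches. It shows the intended order, pass-exception then block-NAS then pass-LAN, beside the two orderings that silently disable one of the rules.

```python
"""First-match evaluation of a 'block the NAS except one destination' ruleset.

Added example, not OPNsense code: it models the ordering semantics of OPNsense
firewall rules (first matching rule wins, 'quick' by default) so a ruleset can
be sanity-checked before it is entered in the GUI.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network, summarize_address_range

NAS = "192.168.1.3-192.168.1.6"    # from the post
PC = "192.168.1.2"                 # from the post
LAN = "192.168.1.0/24"             # assumed LAN subnet
ALLOWED_DST = "203.0.113.10"       # assumed placeholder: the one permitted destination
ALLOWED_PORT = 443                 # assumed placeholder port
INTERNET = "198.51.100.7"          # assumed placeholder: any other internet host


def parse_addrs(spec: str) -> list[IPv4Network] | None:
    """'any' -> None; CIDR -> [net]; 'a-b' range -> the networks covering it."""
    if spec == "any":
        return None
    if "-" in spec:
        lo, hi = (ip_address(p.strip()) for p in spec.split("-", 1))
        return list(summarize_address_range(lo, hi))
    return [ip_network(spec, strict=False)]


def contains(nets: list[IPv4Network] | None, addr: str) -> bool:
    return nets is None or any(ip_address(addr) in n for n in nets)


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: str                  # "any", CIDR, or "a-b" range
    dst: str
    dport: int | None = None  # None = any destination port
    note: str = ""

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (contains(parse_addrs(self.src), src)
                and contains(parse_addrs(self.dst), dst)
                and (self.dport is None or self.dport == dport))


def decide(rules: list[Rule], src: str, dst: str, dport: int) -> tuple[str, int | None]:
    """Return (action, index of the rule that fired); no match -> implicit block."""
    for i, rule in enumerate(rules):
        if rule.matches(src, dst, dport):
            return rule.action, i
    return "block", None


def evaluate(rules: list[Rule], src: str, dst: str, dport: int) -> str:
    return decide(rules, src, dst, dport)[0]


def shadowed(rules: list[Rule], flows: list[tuple[str, str, int]]) -> list[int]:
    """Indices of rules that none of the test flows ever reaches."""
    hit = {decide(rules, *flow)[1] for flow in flows}
    return [i for i in range(len(rules)) if i not in hit]


# Intended order on the LAN interface: the exception first, then the NAS block,
# then the usual "LAN to any" pass.
GOOD = [
    Rule("pass", NAS, ALLOWED_DST, ALLOWED_PORT, "the one permitted NAS connection"),
    Rule("block", NAS, "any", None, "everything else from the NAS"),
    Rule("pass", LAN, "any", None, "default LAN to any"),
]
BLOCK_ABOVE_EXCEPTION = [GOOD[1], GOOD[0], GOOD[2]]   # the exception is never reached
PASS_ABOVE_BLOCK = [GOOD[2], GOOD[0], GOOD[1]]        # the NAS is never blocked

# Constructed test flows: (source, destination, destination port).
FLOWS = [
    ("192.168.1.4", ALLOWED_DST, ALLOWED_PORT),  # NAS to the permitted service
    ("192.168.1.4", INTERNET, 443),              # NAS to anything else
    (PC, INTERNET, 443),                         # the computer to the internet
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BLOCK_ABOVE_EXCEPTION", BLOCK_ABOVE_EXCEPTION),
                        ("PASS_ABOVE_BLOCK", PASS_ABOVE_BLOCK)):
        print(name)
        for flow in FLOWS:
            action, idx = decide(rules, *flow)
            print(f"  {flow[0]} -> {flow[1]}:{flow[2]}  {action}  (rule {idx})")
        print(f"  shadowed rules: {[rules[i].note for i in shadowed(rules, FLOWS)]}")
```

In the GUI the same three rules go on the LAN interface in that order, with the NAS range in a Host(s) alias. Running the script prints which rule fires for each flow and which rules are shadowed; a shadowed block rule is the usual reason "block everything except one" appears to do nothing, and a shadowed exception is the usual reason the permitted connection dies too.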
23.7 Legacy Series / Adguard Home blocks different services
« on: July 27, 2023, 03:53:18 pm »
When installing and configuring AdGuard and then restarting OPNsense, AdGuard does not start, and neither do Cron, ddclient and Suricata. Once OPNsense is up, when AdGuard is started, all the other services start without problems.
23.7 Legacy Series / Static ARP block Opnsense
« on: July 24, 2023, 08:04:27 pm »
OPNsense 23.7-RC2
When configuring static mappings in DHCPv4 - LAN, if I enable "ARP Table Static Entry", OPNsense crashes to such an extent that it has to be formatted. The same happens when I first enable "Enable Static ARP entries" in DHCPv4 - LAN before configuring static mappings: OPNsense crashes and needs to be formatted. After the two formats I have configured the static mappings without enabling static ARP entries.
Virtual private networks / Wireguard interface down
« on: June 28, 2023, 05:47:52 pm »
OPNsense 23.1.10
Plugin: os-wireguard
I have had WireGuard configured and running smoothly for some time now. I made a change to the WireGuard configuration by adding a DDNS name + port in the Endpoints section.
23.1 Legacy Series / Duckdns configuration in ddclient
« on: June 25, 2023, 04:12:18 am »
1: Stop ddclient
2: Access /usr/local/sbin via SSH with FileZilla or similar
3: Download and edit the file ddclient
23.1 Legacy Series / Wireguard in FreeBSD 13.2
« on: April 22, 2023, 04:09:54 pm »
Netgate ( pfSense ) has re-integrated the WireGuard driver into the FreeBSD 13.2 kernel, and hopefully it will work better than last time. Just out of curiosity, I would like to ask franco how this is going to be implemented in OPNsense. Are the current WireGuard plugins going to be kept, or is the integration going to be done differently?