Messages - dave

#46
Might be a silly question, but why not just use one floating rule across all interfaces with the direction set to any?
#47
I'm experiencing this with an Android device.  Not noticeable on my Win10 box because as soon as ipv4 connectivity's established Windows is happy; but Android reports my WLAN has no internet connectivity until IPv6 kicks in which can take ~20 seconds.  For the time being I've just disabled IPv6 on my WLAN.
#48
Sorry to hijack this thread, but what does the watchdog feature actually do?
#49
BSD's wifi support is kinda limited.  It works if you're looking for the cheapest solution, but I ended up going with a UniFi AP.  The controller software doesn't need to be constantly online (there's a Java app you can fire up when needed) unless you want all the logging and sys stats; it doesn't limit configuration in any way.
#50
20.1 Legacy Series / Re: Redis failing to start
July 15, 2020, 02:12:45 PM
Jesus, what a numpty.
#51
20.1 Legacy Series / Redis failing to start
July 14, 2020, 06:22:28 PM
Installed the Ntopng plugin, then Redis, but Ntopng failed to start.
Thought a reboot might help and saw the following output via serial:

Starting ntopng.
14/Jul/2020 17:09:48 [Ntop.cpp:2240] Setting local networks to 127.0.0.0/8
14/Jul/2020 17:09:50 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:09:51 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 14]
14/Jul/2020 17:09:52 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:09:53 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 13]
14/Jul/2020 17:09:55 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:09:56 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 12]
14/Jul/2020 17:09:57 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:09:58 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 11]
14/Jul/2020 17:10:00 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:01 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 10]
14/Jul/2020 17:10:02 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:03 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 9]
14/Jul/2020 17:10:05 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:06 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 8]
14/Jul/2020 17:10:07 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:08 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 7]
14/Jul/2020 17:10:10 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:11 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 6]
14/Jul/2020 17:10:13 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:14 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 5]
14/Jul/2020 17:10:15 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:15 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 4]
14/Jul/2020 17:10:17 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:18 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 3]
14/Jul/2020 17:10:19 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:20 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 2]
14/Jul/2020 17:10:22 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:23 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 1]
14/Jul/2020 17:10:25 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:26 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 0]
14/Jul/2020 17:10:27 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:28 [Redis.cpp:148] ERROR: ntopng requires redis server to be up and running
14/Jul/2020 17:10:28 [Redis.cpp:149] ERROR: Please start it and try again or use -r
14/Jul/2020 17:10:28 [Redis.cpp:150] ERROR: to specify a redis server other than the default
/usr/local/etc/rc.d/ntopng: WARNING: failed to start ntopng

>>> Invoking start script 'ntopng'
Starting ntopng.
14/Jul/2020 17:10:32 [Ntop.cpp:2240] Setting local networks to 127.0.0.0/8
14/Jul/2020 17:10:34 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:35 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 14]
14/Jul/2020 17:10:36 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:37 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 13]
14/Jul/2020 17:10:39 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:40 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 12]
14/Jul/2020 17:10:41 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:42 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 11]
14/Jul/2020 17:10:44 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:45 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 10]
14/Jul/2020 17:10:46 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:47 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 9]
14/Jul/2020 17:10:49 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:50 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 8]
14/Jul/2020 17:10:51 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:52 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 7]
14/Jul/2020 17:10:54 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:55 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 6]
14/Jul/2020 17:10:56 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:58 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 5]
14/Jul/2020 17:10:59 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:11:00 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 4]
14/Jul/2020 17:11:02 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:11:03 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 3]
14/Jul/2020 17:11:04 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:11:05 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 2]
14/Jul/2020 17:11:07 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:11:08 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 1]
14/Jul/2020 17:11:09 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:11:10 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 0]
14/Jul/2020 17:11:12 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:11:13 [Redis.cpp:148] ERROR: ntopng requires redis server to be up and running
14/Jul/2020 17:11:13 [Redis.cpp:149] ERROR: Please start it and try again or use -r
14/Jul/2020 17:11:13 [Redis.cpp:150] ERROR: to specify a redis server other than the default
/usr/local/etc/rc.d/ntopng: WARNING: failed to start ntopng
>>> Error in start script 'ntopng'


OPNsense's dash did report Ntopng as running, but its GUI was inaccessible.

Uninstalled; rebooted; reinstalled; same problem.
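A small parser for the startup output above, added here as an example (it is not part of the thread or of ntopng): it summarises the Redis reconnect countdown so a monitoring job can flag that ntopng came up without Redis even when the dashboard shows the service as running. The sample log is constructed and abridged from the format shown above.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed, abridged sample in the format of the serial output above.
SAMPLE_LOG = """\
Starting ntopng.
14/Jul/2020 17:09:50 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:09:51 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 14]
14/Jul/2020 17:10:26 [Redis.cpp:83] Redis has disconnected, reconnecting [remaining attempts: 0]
14/Jul/2020 17:10:27 [Redis.cpp:99] ERROR: Connection error [Operation timed out]
14/Jul/2020 17:10:28 [Redis.cpp:148] ERROR: ntopng requires redis server to be up and running
/usr/local/etc/rc.d/ntopng: WARNING: failed to start ntopng
"""

# Timestamped ntopng lines look like: "dd/Mon/yyyy HH:MM:SS [File.cpp:NNN] message"
LINE_RE = re.compile(r"^(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) \[\w+\.cpp:\d+\] (.*)$")
ATTEMPTS_RE = re.compile(r"remaining attempts: (\d+)\]")

@dataclass
class RedisStartupReport:
    connection_errors: int = 0
    attempts_exhausted: bool = False   # saw "remaining attempts: 0"
    fatal: bool = False                # ntopng gave up on Redis
    first_error: Optional[datetime] = None
    failed_at: Optional[datetime] = None

    @property
    def seconds_to_failure(self) -> Optional[int]:
        if self.first_error is None or self.failed_at is None:
            return None
        return int((self.failed_at - self.first_error).total_seconds())

def analyse(log_text: str) -> RedisStartupReport:
    """Walk ntopng startup output and summarise its Redis connection attempts."""
    report = RedisStartupReport()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # rc.d warnings and other untimestamped output
        ts, msg = datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S"), m.group(2)
        if "Connection error" in msg:
            report.connection_errors += 1
            report.first_error = report.first_error or ts
        a = ATTEMPTS_RE.search(msg)
        if a and int(a.group(1)) == 0:
            report.attempts_exhausted = True
        if msg.startswith("ERROR: ntopng requires redis server"):
            report.fatal, report.failed_at = True, ts
    return report
```

Feed it the serial console capture (or the ntopng log file) and alert when `fatal` is set; `seconds_to_failure` shows how long the retry loop ran before ntopng gave up.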
#52
Quote: "Normally ::1 is the IPv6 localhost address. I must configure the IPv6 address of the interface (created an alias) instead of ::1 in the NAT rule and then it works. The client resolves DNS records even if using its own IPv6 DNS servers."

Hey p1n0ck10, could you go in to a little more detail regarding this?

NAT redirects now use floating rules when the rule's running across multiple interfaces.

You saying I'm going to have to create individual rules & aliases for each interface's IPv6 address?

Currently I've got a floating IPv6 NAT rule redirecting to ::1, and it's clearly not working.
#53
Someone with a deeper understanding of this may be able to provide a better answer, but in short I suspect it's because SMB traffic isn't encrypted by default, meaning Suricata can run DPI on it, hence the slowdown.

You're not seeing a similar slowdown in throughput elsewhere because Suricata's not touching most of your network traffic, which is likely encrypted (especially web traffic).

For packages such as Snort and Suricata to work properly you need to implement SSL inspection, which is essentially a man-in-the-middle attack.

For example, one of your endpoints (Mac, Linux, whatever) tries to contact an HTTPS site:
- NAT intercepts this request and routes it in to Squid.
- Using a cert authority you configure within OPNsense, Squid creates two encrypted sessions: one between itself and the endpoint; the other between itself and the site.
- Squid is now sat-in-the-middle, with unencrypted traffic flowing through it, providing a window during which Suricata can inspect traffic.

This is CPU intense stuff, so I believe you can expect a reduction in throughput.

If you have SSL inspection set up, you're probably not seeing the same degree of slowdown because Suricata's not having to churn through similar sized files in other network traffic.

Just a guess.
#54
Looks like something's not working as it should.

Torrents generate reports, so I've been using Ubuntu to test.

Judging from CPU and memory usage (which goes through the roof with heuristics enabled), Maltrail is monitoring regardless of its config.

With Maltrail disabled I manually selected all int's (physical and logical), started the service, and logs were generated.

I switched to physical int's only and restarted the service, and continued to see new reports.

Then switched to internal physical int's, restarted the service, but still saw WAN reports unrelated to torrents.

Finally switched to internal physical and logical int's, rebooted, and now I'm only seeing reports related to internal interfaces.

Hope that made some kind of sense.
#55
Think I may have found a bug in Maltrail.

Logging works fine so long as Monitor Interface is set to Nothing Selected.

Since I've got nothing listening on the WAN I specified internal interfaces only and everything stopped working.

If I manually specify all interfaces logging stops working; if I uncheck everything, Maltrail starts working again.

Two of my interfaces are vlans though, so would that mess things up?  Should I just be selecting the parent interface for inspection?
#56
I seem to be experiencing this too.
To test I set MalTrail to listen on LAN and WAN as surely you'd see all sorts of results from the WAN, but so far the log's empty (it's been running for a while now).
#57
Intrusion Detection and Prevention / Suricata results
February 13, 2020, 04:07:48 PM
I'm seeing results that make me wonder to what extent Suricata is really operating.

I have PPPoE WAN, so I'm running Suricata on the LAN and WLAN:

First I tried adding FB's SHA1 fingerprint to a custom rule:

Then, using Edge, browsed to FB and it loaded without alerting; changing from alert to drop didn't help.
I did clear Edge's caches beforehand, just to make sure.

I then took a closer look at OPNsense-App-detect/media-streaming which, afaict, is a DNS filter.

I downloaded and enabled to block, restarted both OPNsense and Pi-Hole DNS services to clear their caches, then cleared Edge's caches, and was still able to browse to Netflix and YouTube.

I then enabled to block OPNsense-App-detect/test and tried downloading the Eicar test:

So that worked, but over port 80.

Do I really need to enable full MiTM SSL inspection?  I believed some of these rules worked fine without this as they inspected packet headers, or SSL fingerprints, or matched traffic against an IP or DNS blacklist?

Anyone able to shed some light on this, so I better understand how this product works?

Many thanks.
#58
Hey,

Is it odd that I'm seeing this 93.* IP address in the netflow data of my LAN?

#59
I'd direct this question to PC Engines support team if I were you: support@pcengines.ch
#60
I don't really understand why PPPoE isn't supported, because Suricata's page states the following:

Quote: Protocol parsers
    Support for packet decoding of
        IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE
        Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN, VXLAN
    App layer decoding of:
        HTTP, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, IKEv2, SIP, SNMP, RDP
        New protocols developed in the Rust language, for safe and fast decoding.