Messages - ArminF

121
20.1 Legacy Series / Re: DNSCrypt-Proxy crashed with error "no servers configured"
« on: March 04, 2020, 04:01:28 pm »
Maybe this helps.

I had some faulty servers entered in the server list.
As soon as I added those to the preferred list, the proxy service did not start.

Had to test it by adding them one by one and saving the config, and sorted the faulty ones out.

122
20.1 Legacy Series / Re: Suricata and Sensei - Which NICs to activate
« on: February 28, 2020, 12:29:39 pm »
Thanks a lot!

Thanks Siga, will continue to run as proposed and configured.

Keep safe and happy!
cheers A

123
20.1 Legacy Series / Re: Suricata and Sensei - Which NICs to activate
« on: February 28, 2020, 11:49:27 am »
Siga, thank you for your answer.

What do you think? Would Sensei replace the IDS/IPS?

From the features it looks much more "intelligent".
OK, maybe the reporting on the IDS/IPS is poorly designed within OPNsense.

thanks for your thoughts!
A

124
20.1 Legacy Series / Suricata and Sensei - Which NICs to activate
« on: February 27, 2020, 04:27:56 pm »
Hello,
I installed Sensei and it told me that some NICs are already used by the IDS/IPS Suricata.

What would be your proposal where to run which one of the apps?

IDS/IPS -> WAN
Rest NICs -> Sensei

AND my WAN is PPPoE, so not sure if Suricata runs on PPPoE.

Looks like you cannot run them on the same NICs together.

Curious how you handle this.

thanks
armin

125
Intrusion Detection and Prevention / Re: Give Suricata Engine more RAM
« on: February 26, 2020, 05:09:48 pm »
So, the first attempt was not better than the default.
As you wrote, just changing the RAM does not make a difference.
Have to tune more variables and therefore read more.

Details/Results:
WAN is 250 mbit down / 25 up
CPU intel i3 4100 / 1.8 GHZ
Promiscuous ON
Full Rulesets 47168 set to DROP except P2P


Speedtest default config
Destination Solnet -> 238/24 mbit  -> lost 12 mbit
CPU peak max 45%
RAM 1500 MB



Speedtest “tuned” config
Destination Solnet -> 230/24 mbit  -> lost 20 mbit
CPU peak max 45%
RAM 1500 MB


No RAM change…
back to default settings…

changes:
File Location
/usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml
/usr/local/etc/suricata/suricata.yaml


Default Settings

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60


flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30


stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: {% if OPNsense.IDS.general.ips|default("0") == "1" %}true{% else %}auto{% endif %}

  reassembly:
    memcap: 128mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

Tuned Settings

defrag:
  memcap: 512mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60


flow:
  memcap: 1gb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30


stream:
  memcap: 512mb
  checksum-validation: yes      # reject wrong csums
  inline: {% if OPNsense.IDS.general.ips|default("0") == "1" %}true{% else %}auto{% endif %}

  reassembly:
    memcap: 2gb
    depth: 2mb                  # reassemble 2mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

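The post above compares two sets of memcap values but never adds them up, and the "No RAM change" observation is explained by the fact that a Suricata memcap is a ceiling the subsystem may grow to, not memory that is reserved up front. The following script is an added example, not code from the post or from OPNsense: it scans the two excerpts (copied from the post, with the Jinja `inline:` line left in, which a strict YAML parser would reject) for every `memcap`, tracks the YAML nesting by indentation, and reports the combined ceiling against a box size; the 8 GiB box in `__main__` and the test is a constructed value, not the poster's hardware.

```python
import re

# Memcap sections copied from the forum post's "Default Settings" excerpt. The
# Jinja line stays in on purpose: a line-oriented scan copes with the template
# file under /usr/local/opnsense/service/templates, a YAML parser would not.
DEFAULT_YAML = """\
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: {% if OPNsense.IDS.general.ips|default("0") == "1" %}true{% else %}auto{% endif %}

  reassembly:
    memcap: 128mb
    depth: 1mb                  # reassemble 1mb into a stream
"""

# The post's "Tuned Settings" differ only in the four memcap values.
TUNED_YAML = (DEFAULT_YAML.replace("memcap: 32mb", "memcap: 512mb")
              .replace("memcap: 64mb", "memcap: 1gb")
              .replace("memcap: 128mb", "memcap: 2gb"))

UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}  # Suricata treats mb/gb as binary units
_SIZE_RE = re.compile(r"^(\d+)\s*([kmg]?b)?$", re.IGNORECASE)


def parse_size(text):
    """Turn a Suricata size string such as '512mb' or '2gb' into bytes."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "b").lower()]


def memcaps(yaml_text):
    """Return {'defrag.memcap': bytes, ...}, following YAML nesting by indentation.

    Comments are stripped; a 'key:' line without a value opens a section.
    """
    found, stack = {}, []                      # stack holds (indent, section name)
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # dedented out of enclosing sections
            stack.pop()
        if not value.strip():                  # e.g. 'stream:' or '  reassembly:'
            stack.append((indent, key))
        elif key == "memcap":
            found[".".join(n for _, n in stack) + ".memcap"] = parse_size(value)
    return found


def total_memcap(yaml_text):
    """Sum of all memcap ceilings: the most these subsystems may grow to together."""
    return sum(memcaps(yaml_text).values())


def share_of_ram(yaml_text, ram_bytes):
    """Fraction of physical RAM the ceilings could claim if every one of them filled up."""
    return total_memcap(yaml_text) / ram_bytes


if __name__ == "__main__":
    box = 8 * 1024 ** 3  # constructed: an 8 GiB appliance, not the poster's box
    for label, cfg in (("default", DEFAULT_YAML), ("tuned", TUNED_YAML)):
        print(f"{label}: {total_memcap(cfg) / 1024 ** 2:.0f} MiB ceiling, "
              f"{share_of_ram(cfg, box):.0%} of an 8 GiB box")
```

The default excerpt sums to 256 MiB of ceilings, the tuned one to 4 GiB, which on an 8 GiB appliance is half the memory committed to Suricata alone before the rules, the OS and any other service are counted; running the check before restarting the service is cheaper than finding out under a flood of fragments. On OPNsense the second path in the post, /usr/local/etc/suricata/suricata.yaml, is regenerated from the template at the first path whenever the service is restarted, so edits made only there do not survive, while edits to the template are overwritten by package upgrades.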

126
Intrusion Detection and Prevention / Re: Give Suricata Engine more RAM
« on: February 26, 2020, 03:58:43 pm »
Just found this as well. As soon as you know what you are looking for, you usually find more :)

https://forum.opnsense.org/index.php?topic=13445.0

127
Intrusion Detection and Prevention / Re: Give Suricata Engine more RAM
« on: February 26, 2020, 03:50:55 pm »
Excellent, thank you very much Siga!

128
Intrusion Detection and Prevention / Re: Give Suricata Engine more RAM
« on: February 26, 2020, 03:33:53 pm »
Siga,

thank you very much.
No, I do not see any message about reaching the memcap.

Can you give me the location of the config file?
And would the settings be changed there, and would they be reboot-consistent?

thank you
A

129
Intrusion Detection and Prevention / Give Suricata Engine more RAM
« on: February 25, 2020, 04:26:28 pm »
Hello,
my box feels bored and has a lot of free memory.
So I thought to give DNS and Suricata more memory.

But there is no system tune option or setting in the GUI.

Is it possible to set more RAM to Suricata?

thanks
armin

130
20.1 Legacy Series / Re: Plugins orphaned, unable to view available plugins
« on: February 25, 2020, 08:01:18 am »
Check if your DNS does resolve names.

Had to play around with DNS and Unbound to fix it.
- System - General -DNS
- Services - Unbound - General (enable Forwarding Mode)

131
20.1 Legacy Series / Re: Firewall/routing - DMZ to LAN - preserve Source IP
« on: February 25, 2020, 07:50:11 am »
Maurice and bartjsmit,

first of all I want to thank you for being patient with me!
Second, I should not write my frustration down and should stay professional.

So default outbound NAT is enabled. That was why my request always got translated and the IPs were replaced. Afterwards I did overwrite these settings. Actually I should have (like you both wrote) just disabled the whole feature and tried again. So this is where I had my blockade. The default is ON and I did overwrite it with a manual outbound NAT.

More on this I found at:
https://docs.opnsense.org/manual/nat.html#outbound
https://docs.netgate.com/pfsense/en/latest/nat/outbound-nat.html
https://docs.netgate.com/pfsense/en/latest/book/nat/outbound-nat.html

Again, thank you for helping me!

I will mark this case as solved and have documented the issue.
Armin

PS:
About the Setup

      +------+
      | WAN  |
      +--|---+
         |
      +--|-----+
      | DMZ Ext|
      +--------+
      +--------+
      | DMZ Int|
      +--------+
      +--------+
      | FW LAN |
      +----|---+
           |
  +--------|--------------------+
  |  Corporate Network          |
  |                             |
  |  +------------------------+ |
  |  | Ringfenced             | |
  |  | Infrastructures        | |
  |  +------------------------+ |
  +-----------------------------+

Some of the corporate networks (several /16 networks) do have an extra layer of security inside the network.
Mostly certificate CAs where we pull SCEP certificates for client connections and authorization.
These firewalls react on port and source IP and even the app which requests the action.

And here I was blocked as long as the default option, which is automatic outbound / automatic translation of the source IP, was enabled. So overwriting or completely disabling it was the solution.

132
20.1 Legacy Series / Re: Firewall/routing - DMZ to LAN - preserve Source IP
« on: February 24, 2020, 10:05:03 pm »
Thank you.

Question is, would disabling outbound NAT then show the source IP when it gets through the LAN gateway?

As I wrote, I had to enable it to get the source IP preserved behind the LAN GW.

This really makes no sense to me, I have to say. What would be the reason to replace an IP while routing it to another segment?

Thanks for your explanation. I will take a look at your description.
A

133
20.1 Legacy Series / Re: Firewall/routing - DMZ to LAN - preserve Source IP
« on: February 24, 2020, 07:27:18 pm »
Thanks,

I did not have a NAT (outbound) in place. Just the routing table pointing to the LAN gateway to reach the resources behind it.

But then I figured out that the IP of a DMZ server was replaced by the IP of the firewall while reaching out to the resources behind the LAN gateway.

So does every connection from the DMZ or any other interface which is not LAN get its IP replaced with the one from the firewall?

If this is an option I would like to disable it. Makes it pretty hard to troubleshoot.
We do run several servers in DMZs, and so everyone talking to a resource behind the LAN segment will have the firewall IP. This is impossible to handle for me. And should not be, in my opinion.

Do you have any explanation which would shed more light on this?

Much appreciated.
thanks A

134
20.1 Legacy Series / Re: Firewall/routing - DMZ to LAN - preserve Source IP
« on: February 24, 2020, 01:34:30 pm »
Anyone?

This is mission critical for us as we do have firewalls on the LAN side as well and they do filter via source IP.

So if every request from the DMZ onto the LAN gets a source IP replacement I would need to do a NAT for every source.
Also it's a bit bad when every connection then comes from the same IP. Makes it hard to troubleshoot with the logs.

Would really need to know if this is a default setting which could be changed somewhere.

thanks A

135
20.1 Legacy Series / (solved) Firewall/routing -DMZ to LAN -preserve Source IP ->Disable Outbound NAT
« on: February 21, 2020, 04:52:39 pm »
Hello,

today I realised that if a DMZ IP talks to a LAN source behind the LAN gateway, the firewall replaces the source IP with the IP of the firewall itself.

Example:
DMZ Source IP 192.168.10.10
Firewall LAN IP 192.168.20.20
Destination IP 192.168.30.30 (a LAN server behind the firewall segment)

The request went from the DMZ through the LAN gateway to the server in a different segment.
But the source IP was suddenly the firewall LAN IP. So the LAN IP where the LAN gateway resides.

192.168.10.10 -> LAN/FW GW -> 192.168.30.30.
But 192.168.30.30 received as 192.168.20.20 instead of 192.168.10.10

Is this a default setting?
Can this be changed in a setting to reflect the original source IP instead of replacing it?
Or do I always have to set up an outbound NAT for those actions?
And if outbound NAT, is OPNsense able to use groups/aliases then?

thanks
armin
