OPNsense

Messages - sorano

106
Zenarmor (Sensei) / Bug report: localhost cannot be used for reverse lookups
« on: May 06, 2021, 08:35:43 pm »
So for some weird reason Sensei does not accept 127.0.0.1 to be used for DNS lookups under Reporting & Data

107
Hardware and Performance / Re: The Holy Grail of Home Lab and Office Hardware
« on: April 21, 2021, 09:29:58 pm »
Quote from: DrTacoMD on April 14, 2021, 04:17:10 pm
I picked up two Dell VEP1445 for $125/ea as new open box on eBay this week. This is my holy grail. I didn't even know it existed until last week. Just keep your eyes posted and you can find some amazing gems.

Specs here: https://i.dell.com/sites/csdocuments/Product_Docs/en/vep-1405-spec-sheet.pdf

VEP1445
C3758 Processor (8 core w/ QAT)
M.2 240 SSD with 16G eMMC Flash for recovery OS
16G DDR4 ECC
(6 x 1G) + (2x 10G SFP+)
2 Fans
8"x 8"x 2"

It has WiFi, but I won't be using it.
802.11ac, 2x2 MIMO, max. phy rate: 866.7 Mbps w/ Bluetooth

Management is via serial port only, there is no video out.

Damn. That is an amazing find at that price :o .

Never seen that hardware before. I'll be on the lookout for sure. Let me know if you find any more :)

108
Intrusion Detection and Prevention / Re: IDP and HAProxy
« on: March 22, 2021, 09:31:57 pm »
You could apply rate-limiting in HAProxy to block the bruteforce attempts, something like:
https://www.loadbalancer.org/blog/simple-denial-of-service-dos-attack-mitigation-using-haproxy-2/

109
Intrusion Detection and Prevention / Re: Error with abuse.ch/ThreatFox rules
« on: March 22, 2021, 09:09:22 pm »
https://github.com/opnsense/core/issues/4821

Feel free to add any additional information you may have

110
General Discussion / Re: Config third DNS in DHCP
« on: March 16, 2021, 10:16:07 pm »
I haven't tested but I think it should be possible with additional options in DHCP config.

DNS would be number 6 as per: https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml

111
Intrusion Detection and Prevention / Re: Help setting up Intrusion Detection Policy
« on: March 14, 2021, 08:02:08 pm »
Well, in all honesty, no one knows your network better than you do.

The thing that I did is that I took a look at what each specific category is for and then made a decision if that is something that I want to drop, alert or have no need for at all, based on what I use on my network. Then edited policies accordingly.

This pdf explains each Emerging Threat ruleset very well:
https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf

Best of luck and stay safe!

112
21.1 Legacy Series / Re: Dashboard problem after update to 21.1.3
« on: March 13, 2021, 10:58:41 pm »
Yes, it's known and solved:

https://github.com/opnsense/core/issues/4795

113
21.1 Legacy Series / Re: Is OPNsense stable or not? Is it really production safe or not?
« on: March 13, 2021, 10:11:33 pm »
Quote from: 5SpeedFun on March 11, 2021, 02:36:32 pm
Btw, your question could be the same for any product.  I've had friends with Cisco TAC cases open > 1 year for bugs that needed to be resolved.

Very much that.

OP:
No matter which product you use there will always be bugs.

Is Exchange production safe or not when you get hit by a HAFNIUM 0day?
Is Solarwinds production safe or not when they get totally wrecked by a supply chain attack?

So, it comes down to how you want to handle it. If you want to play it safe, then I would wait a while when a new update is released.

114
21.1 Legacy Series / Re: Logging targets stopped after 21.1.3 upgrade
« on: March 10, 2021, 05:04:02 pm »
There were updates to syslog-ng so you should take a look at System: Settings: Logging / targets and verify that everything is configured correctly.

115
21.1 Legacy Series / Re: Console menu gone in 21.1.3 / 21.7.a_159?
« on: March 10, 2021, 02:40:04 pm »
I just updated and get the normal console

116
21.1 Legacy Series / Re: Default Gateway is the only gateway that works
« on: March 10, 2021, 01:32:08 am »
Missing outbound NAT is my guess

117
21.1 Legacy Series / Re: WHAT am I missing?!? (Adding a subnet)
« on: March 03, 2021, 04:08:07 pm »
Yeah probably missing outbound NAT rules for the new subnet like chemlund said

118
21.1 Legacy Series / Re: wireguard performance is better on linux, expected?
« on: March 02, 2021, 10:39:10 am »
I'm bottlenecking my home bandwidth (500/500Mbit) with Wireguard in virtual OPNSense to Wireguard running on TrueNAS (FreeBSD) at my offsite backup (1Gbit).

So looking at your results there must be something else causing the bad performance and not the Wireguard BSD implementation. You are not wasting CPU cycles by running iperf on the same hosts that you are running wireguard on, are you?

119
Web Proxy Filtering and Caching / Re: HAProxy chainloading Lua Scripts
« on: March 01, 2021, 11:10:50 pm »
Quote from: greymatter313 on February 24, 2021, 11:16:59 pm
Hi There, I would love to hear more about how you have set this up.  I have been wanting to get authelia set up and working with HAProxy.  Are you running Authelia in a docker somewhere on your lan?  Have any tips for getting it setup and how to use it on specific subdomains?

Yes I'm running it in a docker container in my DMZ.

The biggest gotcha in running it under HAProxy stable in OPNSense with HA is the loading of all lua scripts.
However, that will be a lot easier when os-haproxy 3.0 will be merged which should hopefully be pretty soon.

Otherwise the config is pretty much the same as the Authelia examples in their documentation. Just translate those examples to Conditions and Rules in OPNSense webui and take a look at the generated HAProxy config file via CLI to verify it looks the same if you are unsure  :)


120
Zenarmor (Sensei) / Re: Sensei - questions on reporting and status
« on: February 03, 2021, 04:56:00 pm »
I've been suffering from the 10 000 connections since October when I look through my mail reports.

https://forum.opnsense.org/index.php?topic=20625.0
