Messages - EdwinKM

Pages: 1 ... 5 6 [7] 8 9 ... 11
91
General Discussion / Re: What rules should I make to find short lived connections?
« on: June 06, 2022, 02:34:37 pm »
You can of course block all (internet - !rfc1918) destinations and check the firewall blocks. But this creates a bulk of logging. So unusable. Do you have any valid reason to suspect any malice?

92
General Discussion / Re: Challenges of a Beginner/Hobbyist/Home User
« on: June 06, 2022, 12:19:54 pm »
It is difficult to make a good starting guide. The "n00bs" will just use the ISP hardware. The advanced users do not need a comprehensive guide but just usually some steps.

People need basic network knowledge to configure this stuff. Usually they have wishes which are not (easily) doable. Like expecting virus scanning in a HTTPS (encrypted) world. Or blocking children from accessing some pages. Also sometimes difficult because of DoH or DoT.

Some hobbyists use stuff like Ubiquiti which hides lots of stuff from the end user. Some people want to configure each VLAN (in the right order) themselves. They need to first use the DHCP of the switch. Connect. Configure the device which will drop your connection.

But I can see the potential of a first-steps guide. Especially about dual NAT'ing. Or warn about ISPs which are using a VLAN for the internet connection.

93
General Discussion / Re: ADSL PPPoE reliability issues, ISP blames OPNsense
« on: June 06, 2022, 11:59:11 am »
In the past I had ADSL, then switched to fiber. The distance to their server space is long and I regularly had problems:
* I once had my own modem/router that caused the DSLAM (ISP side) to crash. Engineers had to drive to the server space to reset it
* Modems try to train to the max. This made my connection unstable. I had to ask the ISP to limit the MAX connection

I think only you can determine the issue. Start with their hardware. Is this stable?
Use their modem and OPNsense. Is this stable?

94
General Discussion / Re: How to shutdown automatically when UPS gets empty?
« on: June 06, 2022, 11:46:30 am »
The UPS default is using battery.charge.low or battery.runtime.low. Usually something like 20%.

That said, draining the batteries seems bad so I usually overrule the threshold with "ignorelb" and "lowbatt = 86". But for the last one you have to calculate the value. You need to know the power consumption and the capacity. In my case it will shut down the stuff after a couple of minutes.

I find 20% somewhat dangerous in my case (a NAS is attached):
* Services can "hang" or timeout
* You are starting a shutdown process. This will consume more power
* Usually shutdown will write to disk. Especially at this moment you do not want to reach the empty UPS battery. In that case I think an idle power loss is safer.

95
General Discussion / Re: What rules should I make to find short lived connections?
« on: June 06, 2022, 11:31:02 am »
A firewall rule is permanent. Is this for prevention or are you investigating something?
Malware sessions are from inside to outside (internet). You can block known destinations.

96
General Discussion / Re: Define connection state in firewall
« on: May 18, 2022, 11:23:16 pm »
AFAIK not available and not necessary. ESTABLISHED (and RELATED) connections back are allowed by default. Do you have a use case for NEW?

97
General Discussion / Re: How to re-order firewall rules?
« on: May 12, 2022, 06:38:06 pm »
Although it is not a really major issue, it is not as intuitive as it could be. Every other application I know just has "handles" to drag/drop rows to the right place. That said, I think this should not be a high priority issue to improve.

98
General Discussion / Re: How to re-order firewall rules?
« on: May 11, 2022, 08:13:38 pm »
I agree, they have a really weird/confusing re-ordering system.

99
General Discussion / Re: unknown lan address in statistics
« on: May 06, 2022, 07:32:49 pm »
I do not trust the leases page. Use a system on your network (192.168.6.x) to ping that IP. Or try to eliminate the other devices. I am not sure we can help.

100
General Discussion / Re: Block ICMP to/from interfaces
« on: May 05, 2022, 09:56:35 pm »
Are you testing this ping from the router or using an actual node on the network?
https://forum.opnsense.org/index.php?topic=28105.msg136786#msg136786

101
22.1 Legacy Series / Re: how to block unknown IPs on LAN?
« on: May 05, 2022, 09:46:47 pm »
Not tested. But this is not intended as security. If a person sets a static IP (in the range) it will probably just work.

102
22.1 Legacy Series / Re: Unbound API
« on: May 04, 2022, 08:36:03 pm »
Wild speculation. Restart the service (like normally you have to press "apply/save").

103
General Discussion / Re: Time to refactor?
« on: May 04, 2022, 08:25:04 pm »
What would be the benefits? Especially for this project. They are still refactoring the old pfSense/m0n0wall codebase to a more MVC design. Why throw away all that work? And probably creating new bugs in the process.

104
22.1 Legacy Series / Re: HowTo Alliase and Firewall Rule to only allow DHCP devices Access to Internet
« on: May 04, 2022, 10:46:43 am »
Yes, i was suspecting a bug also because of "is Not a valid ip Adress".

105
22.1 Legacy Series / Re: HowTo Alliase and Firewall Rule to only allow DHCP devices Access to Internet
« on: May 04, 2022, 01:13:27 am »
I will answer in English. I cannot write German.

I think I understood your use case. I tried to present a (better) alternative.

The rule of thumb is that ALL systems on ONE network (subnet) can talk to each other. That should be the starting point. To make it clear: if you use a NORMAL network switch, then all connected devices can talk to each other. You can not block this using OPNsense. Simply because the switch (L2 OSI) will manage this and the traffic will never reach the router.

Yes, I know some WiFi access points do something like "guest isolation". So, they can not "see" each other even on the same subnet. I assume this is usually enforced by the built-in (smart) switch.

So, with normal OPNsense it should be possible to allow some ranges to access/deny traffic to the internet (all clients NEED to pass through the router to access the internet). Your current use case is possible. You can create an alias with all hosts and make two firewall rules.

But in the future you probably want to disallow your printer to start a connection to your NAS on the SAME network. You can not disallow this. Not without special hardware.

To sum it up, I would advise to just create multiple networks. And that probably also means that you have to buy a managed (VLAN aware) switch and VLAN aware AP. Makes your setup logical and safe.

Or use the Securepoint device which includes this smart switch and probably made it really simple for end-users. But inflexible for additional use cases.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved