Messages

Hey Franco,

I removed suricata and squid completely from ports.conf but they still get build. Is there a reference build config somewhere else?

Hey France,

I want to build a custom kernel and have it loaded by default. I tinkered around with the source and build is done but it still says OPNSense as default kernel. How do i make it to "test-kernel" from the default F1 OPNSense which shows up without secondary selection? Seondly, i want to raise the selection time limit as i might be testing 3 or 4 kernel configurations .

Hmm. How big is your CF card? The reason why you are facing slow downs is because of low storage space. Do a df -h perhaps? See if you can purge the cache and proceed with upgrade.

If your ISP router is acting as an RFC bridged device and you are using OPNsense as your primary connection (pppoe or static IP) then you shouldn't experience any problems. So now lets say that you are facing problems, use you can google around for IP helper script. The one which is mentioned by bcjenkins is perfect! Save it as a bash script and add it to cron updates for like 5 minutes to do the job. Hope this helped.

Perhaps you can do a "restore defaults" and then import your config to solve the issue. Please try.

I actually tested it quite a lot in the case with SYN flooding and the sweet spot for pfsense/opnsense is 4 cores on the same socket and 4GB memory.

It performs damn well on that exact combo and dont ask me why.

Its like when you move across sockets something fucks up pf and the whole route of packets and the attached CPU's does a bad job spreading the load.

Thats cool Supermule.

With what pre-processors enabled? 4 Cores is pretty good and is above moderate hardware. If you open up and see the insides of Juniper SRX200 series then you will see Dual OCTEON chips. That brings us to a never ending debate created by them so called "hardware based crap" :D

4 IPS instances gave me max 5+ Gbps IPS througput per device with the 12 Cores clocked at 2.25Ghz. Can you run some benchmarks with OPNsense on your current hardware please?

Franco,

Even the guardian component needs ipfw to work (http://www.chaotic.org/guardian/guardian-1.7.tar.gz) . Its basically designed for snort but i can make it work with suricata . The only issue is using ipfw . I am now building OPNSense with ipfw for testing. Will report in few hours.

Running on LAN will able you to take the infected host offline quickly. Running on WAN you only see the traffic src ahnd dest. IP which is the public one. Then you have to dig deeper to find the culprit.

Notice time here is of essence. The faster you find it, the better for everybody.

I run 2 instances of Snort on every single firewall that I have (46) to be precise for that exact reason.

They run as frontend and then I have a L7 able backend to sort traffic further based on rulesets and buzzwords before passed on to the servers.

You are absolutely right. I clearly mentioned "moderate hardware" . I run 4 instances of IPS on every single appliance that i ship but thats on carrier grade 12 core machines with 32G of minimum RAM.

Right now it complains of experimental support in libpcap using two interfaces in the same instance, but it runs. To enable intrusion prevention we need to migrate to ipfw or pf hooks, which takes care of that problem. If we have two instances, should they have completely separate configs?

Trust me on this. You don't want to run two different instances at the same time on moderate hardware. The preprocessors totally bog down the CPU. Besides, running on LAN side creates extra load on suricata daemon as devices on LAN always engage the preprocessors of IDS. The WAN is sufficient. Take an example, you have a LAN infection and your device is trying to communicate with Command & Control servers for Botnet, Malware, Adware, etc then outbound LAN connection also triggers an alert on the IDS.

True, ipfw is the way to go if IPS is under consideration. Or have like Barnyard + Snort with the current stable release for a total IPS solution.

Can not start service squid

System Information:
FreeBSD 10.1-RELEASE-p12 #0 84c8e2b(master): Mon Jun 15 12:47:34 CEST 2015     root@sensey32:/usr/obj/usr/src/sys/SMP
OPNsense 15.1.12-eac7cdde6 (i386)
OpenSSL 1.0.2c 12 Jun 2015

PHP Errors:
[01-Jul-2015 14:43:01 Europe/Moscow] PHP Fatal error:  Uncaught exception 'Exception' with message 'Timeout (120) executing :proxy start' in /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php:90
Stack trace:
#0 /usr/local/etc/inc/util.inc(148): OPNsense\Core\Backend->configdRun('proxy start', false)
#1 /usr/local/etc/inc/service-utils.inc(401): configd_run('proxy start')
#2 /usr/local/www/status_services.php(43): service_control_start('squid', Array)
#3 {main}
  thrown in /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php on line 90

Does the error appear if you start Squid from command line?

You network design seems simple. What you can do is spare 1 physical port, assign it as secondary LAN interface and start DHCP on it for your local direct wired internet access on PC. IF you require, you can also have another port assigned for a dedicated Access Point. Then you can bridge the remaining ports with the firebox for your private VPN internet access.

The ISO installs do that . On the other hand, the image based installs are mostly mounted as Read Only and chances of a corrupt file system are rare.

Welcome hgeorge,

Indeed it will be incorporated. 15.7 is the stable production release and things will eventually fall into place and it will be pretty quick.

Greetings Neo,

The PCEngines APU 1D4 has no issues with the nano image. Sometimes the write procedure doesn't write things correctly to the CF card. Please try to use Win32DiskImager Freeware utility (http://sourceforge.net/projects/win32diskimager/files/) to do a direct burn on the card and a serial cable with universal settings. Unless you have a good burn and a good cable, its hard to know whats up with it. Waiting for your feedback.

I will look into the IPS component starting now Franco. Since I am doing hourly builds across 2 different machines, i can test things pretty quickly.