OPNsense

Messages - AdSchellevis

136
21.7 Legacy Series / Re: Are the default CARP rules incorrect?
« on: October 06, 2021, 04:59:09 pm »
CARP traffic uses non-routable multicast traffic (destination 224.0.0.18, https://en.wikipedia.org/wiki/Multicast_address). Originally we started with the following two rules when CARP was enabled:

Code:
block in quick proto carp from (self) to any
pass quick proto carp

https://github.com/opnsense/core/blob/92dbe83e75637f478697abfbaaaf8bd3a424e846/src/etc/inc/filter.inc#L3428-L3431

Eventually the first (block) rule translated into being discarded, which wasn't really intentional, but likely doesn't change much either since the source address doesn't really matter to determine which machine has the highest priority.

Looking into the origin of the block rule https://github.com/pfsense/pfsense/commit/986a3accd40a7d45c0a3d48d2b42d2c58a231d99 and https://redmine.pfsense.org/issues/598 one could argue that deleting it wouldn't be an issue at all... we've never seen these issues in the years we accidentally disabled it...

Best regards,

Ad


137
General Discussion / Re: Aliases - feature request
« on: October 04, 2021, 10:07:22 am »
Hi Patrick,

If you mean a "port group" type in addition to the network group type, that's not in there, but certainly worth a feature request. Technically nesting ports is supported; if adding a dropdown would ease administration, it might be a good idea to add that to OPNsense at some point in time.

Best regards,

Ad

138
General Discussion / Re: Aliases - feature request
« on: October 03, 2021, 06:15:44 pm »
Hi,

You can easily describe hosts by creating an alias object per host and grouping them together using the integrated nesting feature (machineA + machineB = myWorkgroup, for example).

The question pops up from time to time (https://github.com/opnsense/core/issues/4190#issuecomment-653140801), but we strongly believe every unique object should be exactly that... unique. In which case a single host identifying itself with a set of addresses has one name, one description and a set of addresses. Grouping them together turns into a new object which describes what the placeholder is for.

Theoretically one could build a form to edit multiple aliases at the same time, but that is currently out of our scope.

Best regards,

Ad

139
Hardware and Performance / Re: Poor Throughput (Even On Same Network Segment)
« on: September 21, 2021, 11:31:42 am »
@alh, in case of ESXi the most relevant details are likely already documented in https://forum.opnsense.org/index.php?topic=18754.msg90576#msg90576, the 14Gbps are probably measured with default settings. The D-1518 isn't a very fast machine, so that would be reasonable using all hardware accelerated offloading settings.

140
General Discussion / Re: Privilege for System: Settings: Logging / targets
« on: September 02, 2021, 09:38:28 pm »
Hi,

The syslog target component seems to miss an ACL, just added one in https://github.com/opnsense/core/commit/badd7cd8273b109be054b2c1e4eb1bece02e5e8a

You should be able to install it using the following command:

Code:
opnsense-patch badd7cd82

Best regards,

Ad

141
Hardware and Performance / Re: Poor Throughput (Even On Same Network Segment)
« on: August 24, 2021, 09:07:40 pm »
@Kallex Can you try to update to 21.4.3? The axgbe driver from AMD had an issue with larger packets in VLANs, which led to a lot of spam in dmesg (and reduced performance). If you do suffer from the same issue, I expect quite some kernel messages (..Big packet...) when larger packets are being processed.

The release notes for 21.4.3 are available here https://docs.opnsense.org/releases/BE_21.4.html#august-11-2021

o src: axgbe: remove unneccesary packet length check (https://github.com/opnsense/src/commit/bee1ba0981190dabcd045b6c8debfc8b8820016c)

Best regards,

Ad

142
21.7 Legacy Series / Re: Firewall and ASN
« on: August 18, 2021, 10:00:36 am »
https://api.bgpview.io/asn/[asn]/prefixes

But looks like an Oracle company, it would probably be more safe to query the source databases directly, which is likely what aslookup is doing (http://aslookup.bgpview.org/index-e.html).

If there's an "open" source for the data, I don't mind adding an ASN type at some point in time in the core product, but trying to query commercial databases is waiting for trouble to happen.

143
Intrusion Detection and Prevention / Re: Need Oink Code for ET Rulset Purchase
« on: August 09, 2021, 08:22:39 pm »
Contacted via email. Should be fixed asap.

144
21.1 Legacy Series / Re: Upgrade to Business Edition not possible
« on: July 19, 2021, 07:34:30 pm »
Hi,

At first glance I would expect some issue with plugins (versions locking), can you try to remove the following packages using the commands below and try to update again via the GUI?

Code:
pkg remove -f os-cache
pkg remove -f os-iperf
pkg remove -f p5-Net-IP-1.26_1

The "business" type is indeed the correct one by the way.

Best regards,

Ad



145
Dutch - Nederlands / Re: NAT rule to reach the server on the LAN.
« on: June 28, 2021, 09:14:41 am »
Your question doesn't contain much information, which makes it difficult to give a simple answer here; in addition, the English-language forums are a lot more active.

If I had to guess, I would expect that the rule you are creating to allow traffic is preceded by another rule that blocks the same traffic.

To better understand what is happening, we actually always recommend using the live log viewer (https://docs.opnsense.org/manual/logging_firewall.html#live-view) to check whether rules do what you expect of them (enable logging on a rule and give it a clear description so you can easily find it again). In addition, the "inspect" button at the rules also gives reasonable insight into whether rules apply.

Kind regards,

Ad
 

146
21.1 Legacy Series / Re: captive portal force disconnect user
« on: June 14, 2021, 09:45:45 pm »
Not really, it was marked "support" (nobody dived into it yet). I just tried it on my end, could reproduce it and pushed a patch (see ticket for further info).

Best regards,

Ad

147
General Discussion / Re: Please Make a Donation to OPNsense
« on: May 23, 2021, 11:22:17 am »
Hi Thomas,

If you would like to receive an invoice for the donation, just drop us an email with the amount and company details and we'll send you one including payment details (IBAN).

Thanks in advance,

Best regards,

Ad

148
Intrusion Detection and Prevention / Re: IPS not working: Enable Drop Filter not visible
« on: May 09, 2021, 01:58:50 pm »
About where to find the filters, it was indeed, we changed that in 21.1.

Why rules won't match can have different reasons, I would always start by checking if an alert is triggered and what Suricata thinks it should do with it (the Alerts tab). The quickest test usually is to enable our test rule (opnsense ruleset) and download eicar over HTTP (your curl command looks ok in that regard).

The rules tab represents the current settings after applying your changes (query for eicar to see if it's set to drop).

Best regards,

Ad

149
Intrusion Detection and Prevention / Re: IPS not working: Enable Drop Filter not visible
« on: May 09, 2021, 11:03:02 am »
As of 21.1 you can use policies to change rule behaviour (https://docs.opnsense.org/manual/ips.html#policies). To mimic the old behaviour, just add a single policy rule matching the rulesets you want to drop and select "alert" as action (which is default for almost all supplied rules) and set "new action" to drop.

Old settings should have been migrated automatically.

The policy editor is available in the menu on the left (Services -> Intrusion detection -> Policy).

Best regards,

Ad

150
General Discussion / Re: Please Make a Donation to OPNsense
« on: April 29, 2021, 09:02:00 pm »
Much appreciated, thanks!
