Recent posts

#1
You can always brute force edit the XML configuration. For an example you can have a look at my (currently neglected, because I switched to an Apple silicon Mac) Vagrant project:

https://github.com/punktDe/vagrant-opnsense

Or you write what you want to do in PHP and use a proper XML library. I am not much of a PHP developer and I managed to achieve everything I needed with sed and friends.
#2
German - Deutsch / Re: Core switch additionally as...
Last post by MikeH - Today at 11:02:56 AM
This worked for me without problems for years (just with VDSL/G.fast).
The modem sat somewhere, went to a switch with the WAN VLAN, then over the house cabling to the switch in the office where the router was. At the beginning I even had router on a stick on an Intel NUC; now I have a few more LAN ports on the OPNsense.
Currently it runs over a dedicated LAN cable again, since I have enough cables in the wall and can save a few LAN ports on the switch that way.
The only thing I made sure of was that the switch can only be configured from the management VLAN.
#3
General Discussion / Monit What does "Read Bytes" r...
Last post by smarty2651 - Today at 10:58:50 AM
I am monitoring a process for 'Domoticz' home automation software.
This is a snippet of the info I get.
....
Total filedescriptors   37
Read bytes   14.5 kB/s [8.3 GB total]
Disk read bytes   0 B/s [6.9 MB total]
.....

My question is the "Read Bytes" line. What does this refer to?
#4
Hello,
we have disabled the mpm_event module in OPNsense on a trial basis and loaded the mpm_prefork module instead by adjusting the httpd.conf:

#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so

We then restarted the service (service apache24 restart).
Unfortunately, the behaviour is the same.

Merry Christmas and best regards

Thomas
#5
Please forgive me if this makes no sense, because I am still trying to understand the problem.

Could you work on an exported XML configuration file, then reload it? If, for example, you have a standard configuration that you want to apply to a bunch of routers, with customization of names, IP addresses, etc., you might configure the standard configuration via the GUI, download it, then modify it with an XML tool like XSLT or XQuery. If you were just changing names, it should not be too bad. If you are changing the number of interfaces, it would be a little trickier, because you would have to generate new XML code in the right place.

BTW, one of the coolest products (I don't remember what it was) had an XML configuration, and if they had an upgrade that changed the configuration files in not-backward-compatible ways, they would ship an XML stylesheet (XSLT) with the update to upgrade the old configuration file.

The FreeBSD way is that configuration is done via files (usually rc.conf), rather than commands. Even sysctl, which modifies tuning variables via the sysctl command, has a sysctl.conf that sets up the initial sysctl commands.

I am thinking about how this concept could apply to OPNsense. It is a little trickier with an XML file, because the nature of rc.conf is that stuff can pretty much be in any order, and you can use the sysrc command to add stuff to the bottom of the file. Since XML files have structure, you can't just insert lines any old place.

Perhaps I just need to go to bed.
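The workflow described in this post and in post #1 (export the config, change names and addresses with a proper XML library instead of sed, generate new interface elements in the right place), as an added example that is neither poster's code nor part of OPNsense. It assumes the element paths system/hostname and interfaces/lan/ipaddr, subnet, if follow the layout of an exported config.xml; the sample document is constructed for the demo, not a real export, and the site naming scheme is made up.

```python
import copy
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample document; the layout mimics an exported config.xml but
# is not a real export (assumption about the element paths).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>template</hostname>
    <domain>example.internal</domain>
  </system>
  <interfaces>
    <lan>
      <if>vtnet1</if>
      <enable>1</enable>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
      <descr>LAN</descr>
    </lan>
  </interfaces>
</opnsense>
"""


def set_text(root, path, value):
    """Replace the text of exactly one existing element.

    Unlike a sed substitution, this fails loudly when the path is missing,
    so a template that drifted from the assumed layout is caught instead of
    silently producing an unchanged config.
    """
    node = root.find(path)
    if node is None:
        raise KeyError(f"config has no element at {path}")
    node.text = value
    return node


def customize(xml_text, hostname, lan_ip, lan_prefix, extra_ifaces=()):
    """Return a customized copy of an exported config as a string.

    extra_ifaces is a sequence of (tag, device, ip, prefix) tuples. Each new
    interface is cloned from <lan>, so it carries the same child elements and
    is appended inside <interfaces>, which is the "new XML in the right place"
    problem the post mentions. IPs are validated before being written.
    """
    root = ET.fromstring(xml_text)
    set_text(root, "system/hostname", hostname)
    set_text(root, "interfaces/lan/ipaddr", str(ipaddress.ip_address(lan_ip)))
    set_text(root, "interfaces/lan/subnet", str(int(lan_prefix)))

    ifaces = root.find("interfaces")
    template = ifaces.find("lan")
    for tag, dev, ip, prefix in extra_ifaces:
        if ifaces.find(tag) is not None:
            raise ValueError(f"interface <{tag}> already exists")
        new = copy.deepcopy(template)
        new.tag = tag
        new.find("if").text = dev
        new.find("ipaddr").text = str(ipaddress.ip_address(ip))
        new.find("subnet").text = str(int(prefix))
        new.find("descr").text = tag.upper()
        ifaces.append(new)
    return ET.tostring(root, encoding="unicode")


def read_settings(xml_text):
    """Read back hostname and per-interface (device, ip, prefix) for a
    pre-import check of the generated file."""
    root = ET.fromstring(xml_text)
    out = {"hostname": root.findtext("system/hostname")}
    for iface in root.find("interfaces"):
        out[iface.tag] = (iface.findtext("if"), iface.findtext("ipaddr"),
                          iface.findtext("subnet"))
    return out


def build_site_config(site_name, site_number):
    """Derive one router's config from the template (hypothetical naming
    scheme): hostname and LAN subnet follow the site number, plus one
    extra OPT interface."""
    return customize(
        SAMPLE_CONFIG,
        hostname=f"fw-{site_name}",
        lan_ip=f"10.{site_number}.0.1",
        lan_prefix=24,
        extra_ifaces=[("opt1", "vtnet2", f"10.{site_number}.1.1", 24)],
    )


if __name__ == "__main__":
    print(build_site_config("berlin", 7))
```

Cloning an existing element keeps the generated XML structurally consistent with what the GUI wrote, and the explicit KeyError/ValueError paths are what you lose with sed: a pattern that no longer matches just leaves the template unchanged and you import a router with the wrong addresses.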
#6
Virtual private networks / request GRE tunnel support tun...
Last post by knigth - Today at 08:33:37 AM
I am using OPNsense to connect with another network via GRE. The peer side requires GRE to use a tunnel key. After reading the FreeBSD manual, I found that FreeBSD GRE supports tunnel keys, but the GRE implementation in OPNsense does not yet support tunnel keys. Is there any way to temporarily enable tunnel key support for GRE in OPNsense, such as an interim solution? Thank you for your help.
#7
25.7, 25.10 Series / Re: IGMP Proxy broken after up...
Last post by Rene78 - Today at 08:07:14 AM
Also use IGMP Proxy here. No issues with the upgrade and IGMP is working as it should. I have a standard configuration for KPN (NLD ISP) IPTV.

Upstream is configured for the IPTV platform
213.75.0.0/16, 217.166.0.0/16, 195.121.0.0/1

Downstream has my IPTV LAN VLAN 192.168.40.0/24
#8
25.7, 25.10 Series / Re: DNS failures after upgrade...
Last post by pseudonym3k - Today at 07:28:46 AM
I have not tried to enable Unbound again since for the most part things have been working without it. It hasn't been entirely stable but I haven't had time to figure out what or why (dealing with a sudden death in the family and other issues). Hopefully soon after the first of the year I will find time to reformat with ZFS and try a fresh install with defaults as before, tweaking little else. Thanks for the followup.
#9
If you are on Linux or similar, check if AppArmor is built in or available in your repository. After you do an update, install apparmor-utils, apparmor-profiles, apparmor-profiles-extra, apparmor-notify, and auditd to monitor everything. I have connections through the browser attacking my system trying to break through AppArmor. It shows up in the auditd log file. It's a mile long. Using this as your endpoint protection or a similar app protects your operating system and the LAN side backend of OPNsense, which is open and everything is allowed; that's how they were breaking my separate OPNsense router. The app called AppArmor can be more or less restrictive to suit your needs. I am using it on default. When the other extensions are installed, execute sudo systemctl restart apparmor, or just restart your computer. It updates the profiles. There are browser jails, but most research said they cause problems due to being too restrictive. Only use in extreme cases of attack. The auditd log will show the actual commands they tried to execute on your computer. Hope this helps anyone experiencing intrusion through the browser or just needing some more security. These are the kind of attacks Suricata is working on, but that will be in the future, maybe Suricata 9. We have to start decrypting, which will take more processing power; OPNsense may be split due to the size of the unit needed to do this. I mean more security will mean a bigger unit to run it all, or have options on how much security is running with different size router units as they already do. Decrypting headers is one thing, decrypting the full payload and checking it is another.
#10
Suricata is asking for decoded pcaps in HTTP/3, which is based on QUIC.
They are running tests on the newer scanning of keywords.
The big companies just decode it all, and don't separate out what they are looking for.