Recent posts

#1
Intrusion Detection and Prevention / Can't download rules
Last post by ljhardy - Today at 04:42:50 PM
For example, I check ET open/emerging-current_events and click Download & Update Rules, the spinner spins, but "not installed" is still listed. After trying a bunch of times I was able to get ET open/emerging-attack_response installed, but it doesn't seem to install anything else consistently.
#2
25.7, 25.10 Series / Re: Block randomized MAC addre...
Last post by BetaPrinz - Today at 04:28:10 PM
I'm also looking for a way to ignore the random MAC address.
I found something interesting here.

https://community.ui.com/questions/Block-Random-MAC-Addresses/8fbf5f69-b965-4c05-bd2f-aa62548dc35c#answer/e896d1f6-e375-4663-ae15-3c1470c83295

# Every first octet with the U/L (locally administered) bit set and the I/G
# (multicast) bit clear, i.e. x2, x6, xA, xE: the shape randomized MACs have.
dhcp-host=02:*:*:*:*:*,ignore
dhcp-host=12:*:*:*:*:*,ignore
dhcp-host=22:*:*:*:*:*,ignore
dhcp-host=32:*:*:*:*:*,ignore
dhcp-host=42:*:*:*:*:*,ignore
dhcp-host=52:*:*:*:*:*,ignore
dhcp-host=62:*:*:*:*:*,ignore
dhcp-host=72:*:*:*:*:*,ignore
dhcp-host=82:*:*:*:*:*,ignore
dhcp-host=92:*:*:*:*:*,ignore
dhcp-host=A2:*:*:*:*:*,ignore
dhcp-host=B2:*:*:*:*:*,ignore
dhcp-host=C2:*:*:*:*:*,ignore
dhcp-host=D2:*:*:*:*:*,ignore
dhcp-host=E2:*:*:*:*:*,ignore
dhcp-host=F2:*:*:*:*:*,ignore
dhcp-host=06:*:*:*:*:*,ignore
dhcp-host=16:*:*:*:*:*,ignore
dhcp-host=26:*:*:*:*:*,ignore
dhcp-host=36:*:*:*:*:*,ignore
dhcp-host=46:*:*:*:*:*,ignore
dhcp-host=56:*:*:*:*:*,ignore
dhcp-host=66:*:*:*:*:*,ignore
dhcp-host=76:*:*:*:*:*,ignore
dhcp-host=86:*:*:*:*:*,ignore
dhcp-host=96:*:*:*:*:*,ignore
dhcp-host=A6:*:*:*:*:*,ignore
dhcp-host=B6:*:*:*:*:*,ignore
dhcp-host=C6:*:*:*:*:*,ignore
dhcp-host=D6:*:*:*:*:*,ignore
dhcp-host=E6:*:*:*:*:*,ignore
dhcp-host=F6:*:*:*:*:*,ignore
dhcp-host=0A:*:*:*:*:*,ignore
dhcp-host=1A:*:*:*:*:*,ignore
dhcp-host=2A:*:*:*:*:*,ignore
dhcp-host=3A:*:*:*:*:*,ignore
dhcp-host=4A:*:*:*:*:*,ignore
dhcp-host=5A:*:*:*:*:*,ignore
dhcp-host=6A:*:*:*:*:*,ignore
dhcp-host=7A:*:*:*:*:*,ignore
dhcp-host=8A:*:*:*:*:*,ignore
dhcp-host=9A:*:*:*:*:*,ignore
dhcp-host=AA:*:*:*:*:*,ignore
dhcp-host=BA:*:*:*:*:*,ignore
dhcp-host=CA:*:*:*:*:*,ignore
dhcp-host=DA:*:*:*:*:*,ignore
dhcp-host=EA:*:*:*:*:*,ignore
dhcp-host=FA:*:*:*:*:*,ignore
dhcp-host=0E:*:*:*:*:*,ignore
dhcp-host=1E:*:*:*:*:*,ignore
dhcp-host=2E:*:*:*:*:*,ignore
dhcp-host=3E:*:*:*:*:*,ignore
dhcp-host=4E:*:*:*:*:*,ignore
dhcp-host=5E:*:*:*:*:*,ignore
dhcp-host=6E:*:*:*:*:*,ignore
dhcp-host=7E:*:*:*:*:*,ignore
dhcp-host=8E:*:*:*:*:*,ignore
dhcp-host=9E:*:*:*:*:*,ignore
dhcp-host=AE:*:*:*:*:*,ignore
dhcp-host=BE:*:*:*:*:*,ignore
dhcp-host=CE:*:*:*:*:*,ignore
dhcp-host=DE:*:*:*:*:*,ignore
dhcp-host=EE:*:*:*:*:*,ignore
dhcp-host=FE:*:*:*:*:*,ignore

Hopefully I can limit it to one interface.

The manual says:
Ethernet addresses (but not client-ids) may have wildcard bytes, so for example --dhcp-host=00:20:e0:3b:13:*,ignore will cause dnsmasq to ignore the given range of hardware addresses. Note that the "*" will need to be escaped or quoted on a command line, but not in the configuration file.
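
The 64 lines in the post above are not arbitrary: they are every first octet whose locally administered (U/L) bit is set and whose multicast (I/G) bit is clear, which is exactly the shape that phone and laptop MAC randomization produces. The following is an added example, not code from the post or from dnsmasq, that derives the list from that bit pattern, classifies a given address, and applies a dnsmasq-style wildcard hardware address (the "*" byte form quoted from the manual) to a client MAC. Function names and the sample addresses are constructed for illustration.

```python
# Added example (not from the forum post or from dnsmasq): derive the
# dhcp-host ignore list from the IEEE 802 first-octet flag bits and check
# which clients a dnsmasq wildcard hardware address would match.
import re

_OCTET = re.compile(r"[0-9A-Fa-f]{2}")

# First-octet flag bits: bit 0 = I/G (multicast), bit 1 = U/L (locally
# administered). Randomized client MACs set U/L and clear I/G.
MULTICAST_BIT = 0x01
LOCAL_BIT = 0x02


def parse_mac(mac):
    """Return the six octets of a colon-separated MAC as ints; reject anything else."""
    parts = mac.strip().split(":")
    if len(parts) != 6 or not all(_OCTET.fullmatch(p) for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return [int(p, 16) for p in parts]


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set (includes multicast)."""
    return bool(parse_mac(mac)[0] & LOCAL_BIT)


def is_randomized_unicast(mac):
    """True for the address shape MAC randomization produces: U/L set, I/G clear."""
    first = parse_mac(mac)[0]
    return bool(first & LOCAL_BIT) and not (first & MULTICAST_BIT)


def locally_administered_first_octets():
    """All first octets with U/L set and I/G clear: x2, x6, xA, xE for every x."""
    return [b for b in range(256) if (b & LOCAL_BIT) and not (b & MULTICAST_BIT)]


def dnsmasq_ignore_lines():
    """Generate the dhcp-host ignore list from the bit pattern instead of by hand."""
    return ["dhcp-host=%02X:*:*:*:*:*,ignore" % b
            for b in locally_administered_first_octets()]


def hwaddr_pattern_matches(pattern, mac):
    """Match a MAC against a dnsmasq hardware address in which '*' is a wildcard byte."""
    pparts = pattern.split(":")
    if len(pparts) != 6:
        raise ValueError("bad hardware address pattern: %r" % pattern)
    for p, m in zip(pparts, parse_mac(mac)):
        if p == "*":
            continue
        if not _OCTET.fullmatch(p) or int(p, 16) != m:
            return False
    return True


def ignored_by(lines, mac):
    """Return the first dhcp-host=...,ignore line that would match this client, or None."""
    for line in lines:
        if not line.startswith("dhcp-host=") or not line.endswith(",ignore"):
            continue
        pattern = line[len("dhcp-host="):-len(",ignore")]
        if hwaddr_pattern_matches(pattern, mac):
            return line
    return None


if __name__ == "__main__":
    lines = dnsmasq_ignore_lines()
    print(len(lines), "lines; first:", lines[0], "last:", lines[-1])
    # Constructed sample addresses: a randomized phone-style MAC, a globally
    # assigned one, and a Docker-style locally administered one that is hit too.
    for sample in ("d6:3f:21:0a:1b:2c", "3c:22:fb:0a:1b:2c", "02:42:ac:11:00:02"):
        print(sample, "->", ignored_by(lines, sample))
```

Two caveats the generator makes visible: the pattern also catches every other locally administered address, so VMs and containers whose hypervisor or runtime hands out U/L MACs will stop getting leases as well; and "ignore" only means dnsmasq stays silent, so a client that configures a static address is still on the network. Treat this as a lease-hygiene measure, not as access control.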

#3
25.7, 25.10 Series / Re: SSD get's massively writte...
Last post by franco - Today at 03:36:05 PM
/var MFS was a very volatile idea for what /var/log was supposed to do. The NetFlow dump in /var/netflow is a historic artifact that predates the removal of /var MFS, but so far it hasn't come up as far as I can remember.


Cheers,
Franco
#4
German - Deutsch / Re: Problem mit sftp Backup üb...
Last post by harald99 - Today at 03:19:20 PM
I can't get at the OPNs at the moment, but I have the configs and will bring them up in the VM lab, then I'll check the routes.
#5
General Discussion / Re: Trouble with VLAN setup on...
Last post by pfry - Today at 03:04:54 PM
Quote from: User074357 on Today at 12:33:14 PM
I was under the impression the "Default allow LAN to any rule" would be enough to allow pinging devices in the DMZ from LAN.[...]

It should be, and blocked packets would be logged, assuming default block logging is enabled. Valid sessions would be visible regardless of logging.

How about "Interfaces: Devices: Bridge" and "Interfaces: Overview"?
#6
25.7, 25.10 Series / Re: SSD get's massively writte...
Last post by senseOPN - Today at 03:04:26 PM
Quote from: xavx on Today at 02:41:02 PM
What I did is include the netflow storage path in the /var/log ram disk by modifying the end of /usr/local/etc/rc.subr.d/var :
        echo -n "Setting up /var/log memory disk..."
        mount -t tmpfs -o size=$((MAX_MEM_SYS / 100 * MAX_MFS_VAR)) tmpfs /var/log
        echo "done."

        # point the NetFlow store at a directory inside the /var/log tmpfs
        ln -s /var/log/netflow /var/netflow
        mkdir -p /var/log/netflow
        chown root:wheel /var/log/netflow
        chmod 750 /var/log/netflow

fi

# prep boot log
: > /var/log/boot.log

I also did something similar for the unbound.duckdb.

You'll need to re-apply these changes after each opnsense update as they'll be overwritten.

That's a nice idea, great, many thanks!

I am wondering why this is not bound to /var/log anyway, so that it lands in RAM if you decide to configure a RAM disk for this.
#7
25.7, 25.10 Series / Re: SSD get's massively writte...
Last post by xavx - Today at 02:41:02 PM
What I did is include the netflow storage path in the /var/log ram disk by modifying the end of /usr/local/etc/rc.subr.d/var :
        echo -n "Setting up /var/log memory disk..."
        mount -t tmpfs -o size=$((MAX_MEM_SYS / 100 * MAX_MFS_VAR)) tmpfs /var/log
        echo "done."

        # point the NetFlow store at a directory inside the /var/log tmpfs
        ln -s /var/log/netflow /var/netflow
        mkdir -p /var/log/netflow
        chown root:wheel /var/log/netflow
        chmod 750 /var/log/netflow

fi

# prep boot log
: > /var/log/boot.log

I also did something similar for the unbound.duckdb.

You'll need to re-apply these changes after each opnsense update as they'll be overwritten.
#8
German - Deutsch / Re: Einsteigerfrage zu NAT
Last post by meyergru - Today at 12:33:34 PM
Then please change the thread title and prepend [Solved].
#9
General Discussion / Re: Trouble with VLAN setup on...
Last post by User074357 - Today at 12:33:14 PM
Quote from: InvalidHandle on Today at 04:59:41 AM
It sounds like you are missing firewall configuration for the VLAN interfaces that you set up and I don't think you need the bridge.
If you want to allow traffic between both LAN and VLAN networks I'm not sure what you gain with the VLAN unless you really need to split a single port into multiple subnets. Here is the documentation on VLANs: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Just food for thought, VLANs can be very tricky if you are using IDS/IPS. If you have enough ports on your hardware and aren't trying to segment traffic, create a separate LAN subnet interface for your TrueNAS, skip the VLAN, and set up firewall rules accordingly if you want to isolate the NAS LAN from WAN. That is my two bits.


I was under the impression the "Default allow LAN to any rule" would be enough to allow pinging devices in the DMZ from LAN.
My end goal is to have 2 VLANs going to the NAS, one of which will be isolated (DMZ) and one will be added to the LAN bridge. That way I can use the DMZ VLAN for the VMs on TrueNAS while the NAS itself can be inside LAN.
#10
25.7, 25.10 Series / Re: SSD get's massively writte...
Last post by franco - Today at 12:30:55 PM
ZFS can be a bit annoying in this regard, writing metadata for no apparent reason all the time, even when the disk content is not (significantly) changing.

You can tweak the tunable 'vfs.zfs.txg.timeout' to your liking by increasing it at the expense of losing more data during an outage.


Cheers,
Franco