31
Intrusion Detection and Prevention / Re: Suricata rule modifications via suricata-update
« Last post by franco on Today at 09:26:45 am »You can modify HOME_NET via advanced settings, you know?
Cheers,
Franco
Cheers,
Franco
Recent Posts
32
24.7 Production Series / Re: Double NAT, IPV6 Issue
« Last post by stefan00 on Today at 09:25:15 am »The Asus router must delegate a prefix to OPNsense. You need to check with the vendor documentation if it can do that and how to configure.Long story short ... while I was writing ;-)
33
24.7 Production Series / Re: Double NAT, IPV6 Issue
« Last post by stefan00 on Today at 09:23:56 am »It sounds like the ASUS router is your first problem. But that is just a guess without knowing this piece of hardware.
1. ISP prefix length
good thing. Where can you see this? in the ASUS router? Let's assume YES.
2. ASUS DHCPv6 / Router advertisment setup
The most important prerequisite for a IPv6 router chain is prefix delegation. Your ASUS router must be able to delegate a part of its available /56 network down to the next router in the chain (OPNsense).
Assigning addresses to clients is not the same as delegating a subnet (prefix) to another router. As I understand from what you write, the ASUS router is assigning addresses to its connected clients on its LAN ports.
3. "second prefix" does not exist
There is no such thing as a "second /64" prefix. The client router (OPNsense) can only request 1 prefix. That's why, it must be bigger than /64, at the minimum /63
4. summary
You must find a setting in your ASUS box to delegate a prefix down to OPNsense. In your current configuration, your OPNsense only gets an address. Please try to find some documentation on the ASUS router or post a link here.
Thank of it this way: Let's assume you can convince the ASUS router to delegate a /58 block down. The OPNsense box then simply asks "Hey Asus, give me a /58 subnet which I can handle. Not you, me". That's prefix delegation.
The OPNsense box then grabs the prefix and divides it into smaller chunks to assign it to its own clients. That's the /64 address assignment as you see it on the ASUS router too.
The bad news: If your ASUS router can not delegate subnets (=prefixes) to downstream routers, IPv6 will not work the right way. But honestly, I doubt it.
1. ISP prefix length
Quote from: aeg90
I have a WAN prefix length of 56.
good thing. Where can you see this? in the ASUS router? Let's assume YES.
2. ASUS DHCPv6 / Router advertisment setup
Quote from: aeg90
The uplink router has a lan prefix of 64 ... The ASUS Router LAN is set to 64 and can't be changed.
The most important prerequisite for a IPv6 router chain is prefix delegation. Your ASUS router must be able to delegate a part of its available /56 network down to the next router in the chain (OPNsense).
Assigning addresses to clients is not the same as delegating a subnet (prefix) to another router. As I understand from what you write, the ASUS router is assigning addresses to its connected clients on its LAN ports.
3. "second prefix" does not exist
Quote from: aeg90
Thus I won't be able to do a second prefix length of 64 with opnsense.
There is no such thing as a "second /64" prefix. The client router (OPNsense) can only request 1 prefix. That's why, it must be bigger than /64, at the minimum /63
4. summary
You must find a setting in your ASUS box to delegate a prefix down to OPNsense. In your current configuration, your OPNsense only gets an address. Please try to find some documentation on the ASUS router or post a link here.
Thank of it this way: Let's assume you can convince the ASUS router to delegate a /58 block down. The OPNsense box then simply asks "Hey Asus, give me a /58 subnet which I can handle. Not you, me". That's prefix delegation.
The OPNsense box then grabs the prefix and divides it into smaller chunks to assign it to its own clients. That's the /64 address assignment as you see it on the ASUS router too.
The bad news: If your ASUS router can not delegate subnets (=prefixes) to downstream routers, IPv6 will not work the right way. But honestly, I doubt it.
34
24.7 Production Series / Re: 24.7.9 - Can't login WebGUI with 2FA
« Last post by franco on Today at 09:21:14 am »> So I assume that there is a difference in how the web UI detects if a reboot is neccessary vs. the CLI.
None that I can think of. It's probably right, minus locks on base or kernel set. But the GUI behaves the same: locks are ignored for the check so it says it likes to reboot but if the kernel or base is locked then it will not reboot later on as per user request.
Cheers,
Franco
None that I can think of. It's probably right, minus locks on base or kernel set. But the GUI behaves the same: locks are ignored for the check so it says it likes to reboot but if the kernel or base is locked then it will not reboot later on as per user request.
Cheers,
Franco
35
24.7 Production Series / Re: Requesting help with One-to-One NAT setup
« Last post by joursin on Today at 09:12:26 am »Yes, I have these rules active on the WAN interface:
1. Allow Traffic from PiKVM (from WAN) to Firewall Web interface
2. Floating Rule: Block Traffic to Management Lan unless coming from Management Lan (sn 10.10.0.0/24)
3. Block mDNS and netBIOS traffic from Uplink router to oLAN network 10.10.0.0/16. (unnecessary traffic)
The last rule is just for experimentation, but disabling it had not effect on the issue discussed.
1. Allow Traffic from PiKVM (from WAN) to Firewall Web interface
2. Floating Rule: Block Traffic to Management Lan unless coming from Management Lan (sn 10.10.0.0/24)
3. Block mDNS and netBIOS traffic from Uplink router to oLAN network 10.10.0.0/16. (unnecessary traffic)
The last rule is just for experimentation, but disabling it had not effect on the issue discussed.
36
24.7 Production Series / Re: Double NAT, IPV6 Issue
« Last post by Patrick M. Hausen on Today at 09:08:34 am »The Asus router must delegate a prefix to OPNsense. You need to check with the vendor documentation if it can do that and how to configure.
37
24.7 Production Series / Re: 24.7 does not restore backup like 24.1 used to
« Last post by hakuna on Today at 08:59:33 am »Yes, I have checked the backup files and all the rules are there but 24.7 refuses to restore them all.
38
24.7 Production Series / 24.7 does not restore backup like 24.1 used to
« Last post by hakuna on Today at 08:53:38 am »I thought I was going crazy after 24.7 clean install but there are indeed 2 bugs.
Clean install due to it being a major release and to avoid problems, I noticed that:
1. WireGuard crashes for no reason without error. I have a cron job to restart the WireGuard every 0:00AM.
2. Backups aren't restored like 24.1 used to.
This post will cover backups only.
When I restored the backup from 24.1 to 24.7, I picked section by section to be restored, NIC name and a few things won't be the same if swapping to another hardware so why.
Restore from 24.1 to 24.7:
1. Does not recognize "Firewall Groups" with error messages.
2. All the Outbound rules were not imported with no error. I had to manually enable "automatically generated rules are applied after manual rules" and create them.
I got a new box to clean install and as usual, restore section by section, DHCP, VPN and Firewall since these are the only ones I care.
I have done this process countless times with the previous version as I have tested 2 boxes and Proxmox, it always worked, no issue, no dramas.
Restore from 24.7 to 24.7:
1. The entire Firewall section does not restore no matter what.
I have so many rules and NAT to force all my devices to both DNS ( Pi-Hole + Unbound ) and block DoT and DoH among other rules, and hard coded DNS on IoT.
I had to put the older box back because I am not screenshotting all those rules to manually create them haha
Has anybody else who have performed a clean 24.7 install noticed that their backups were not imported in full??
Thank you
Clean install due to it being a major release and to avoid problems, I noticed that:
1. WireGuard crashes for no reason without error. I have a cron job to restart the WireGuard every 0:00AM.
2. Backups aren't restored like 24.1 used to.
This post will cover backups only.
When I restored the backup from 24.1 to 24.7, I picked section by section to be restored, NIC name and a few things won't be the same if swapping to another hardware so why.
Restore from 24.1 to 24.7:
1. Does not recognize "Firewall Groups" with error messages.
2. All the Outbound rules were not imported with no error. I had to manually enable "automatically generated rules are applied after manual rules" and create them.
I got a new box to clean install and as usual, restore section by section, DHCP, VPN and Firewall since these are the only ones I care.
I have done this process countless times with the previous version as I have tested 2 boxes and Proxmox, it always worked, no issue, no dramas.
Restore from 24.7 to 24.7:
1. The entire Firewall section does not restore no matter what.
I have so many rules and NAT to force all my devices to both DNS ( Pi-Hole + Unbound ) and block DoT and DoH among other rules, and hard coded DNS on IoT.
I had to put the older box back because I am not screenshotting all those rules to manually create them haha
Has anybody else who have performed a clean 24.7 install noticed that their backups were not imported in full??
Thank you
39
Intrusion Detection and Prevention / Re: Suricata rule modifications via suricata-update
« Last post by jonny5 on Today at 08:14:13 am »In short OPNSense's rule management has got me quite far... but I might be ready for a rather larger logic/control application.
See here:
https://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules
https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-modify-rules-modify-conf
OPNSense has suricata-update already, and if we can safely mod away/quite the OPNSense SID management, and/or, somehow in-between-mod the rule set. Huge win! There are a few hosts that trip rules that if I could filter that rule away from that host, it would be the best win.
On a few rules replacing $HOME_NET with [$HOME_NET, ![192.168.0.20,192.168.0.21]] (for example) would make thing great ^_^
See here:
https://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules
https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-modify-rules-modify-conf
OPNSense has suricata-update already, and if we can safely mod away/quite the OPNSense SID management, and/or, somehow in-between-mod the rule set. Huge win! There are a few hosts that trip rules that if I could filter that rule away from that host, it would be the best win.
On a few rules replacing $HOME_NET with [$HOME_NET, ![192.168.0.20,192.168.0.21]] (for example) would make thing great ^_^
40
24.7 Production Series / Re: OpenVPN - Client specific overrides
« Last post by kozistan on Today at 08:09:11 am »got it, 1st address server, 2nd broadcast so that's why +2