"Recent posts
#81
Intrusion Detection and Prevention / Re: Block non HTTP/S traffic
Last post by meyergru - September 16, 2025, 04:42:49 PMYou could do one of two things:
1. Check, were that VPN traffic is going to and block those IPs / ASN in the cloud. That will work only if there is some fixed couterpart in the cloud where this is headed to.
2. Install a proxy and transparently redirect all traffic that goes to port 443 on outbound connections to that proxy. If the traffic does not adhere to HTTPS standards, it will be blocked. If it does, you can see where it is going to because of SNI and block that site.
1. Check, were that VPN traffic is going to and block those IPs / ASN in the cloud. That will work only if there is some fixed couterpart in the cloud where this is headed to.
2. Install a proxy and transparently redirect all traffic that goes to port 443 on outbound connections to that proxy. If the traffic does not adhere to HTTPS standards, it will be blocked. If it does, you can see where it is going to because of SNI and block that site.
#82
Intrusion Detection and Prevention / Re: Block non HTTP/S traffic
Last post by Monviech (Cedrik) - September 16, 2025, 04:38:16 PMYou could use squid to force a transparent web proxy on 443, only sni inspection without tls termination, should be enough to kill most vpns.
Another way would be zenarmor with application filter.
Though stopping the misuse totally is almost impossible.
E.g when using openvpn on tcp 443 with obfuscation, or something like a websocket tunnel https://github.com/erebe/wstunnel, is almost undetectable.
Best to just let it through... that fight cannot be won.
Another way would be zenarmor with application filter.
Though stopping the misuse totally is almost impossible.
E.g when using openvpn on tcp 443 with obfuscation, or something like a websocket tunnel https://github.com/erebe/wstunnel, is almost undetectable.
Best to just let it through... that fight cannot be won.
#83
Intrusion Detection and Prevention / Block non HTTP/S traffic
Last post by rafaelbs - September 16, 2025, 04:24:08 PMHi,
I'm facing a situation where hosts on network are using VPN via 443 port. Looks like non HTTPS packets are going via TCP/443 port.
Setup is new, and I would like a suggestion about the quickest solution to avoid this kind of misuse.
Is there any kind of protocol standards validation that could be applied on rules? Or IPS (Suricata) would solve this problem?
Thanks a lot.
Rafael
I'm facing a situation where hosts on network are using VPN via 443 port. Looks like non HTTPS packets are going via TCP/443 port.
Setup is new, and I would like a suggestion about the quickest solution to avoid this kind of misuse.
Is there any kind of protocol standards validation that could be applied on rules? Or IPS (Suricata) would solve this problem?
Thanks a lot.
Rafael
#84
25.7 Series / Re: Problem with OpenVPN Insta...
Last post by viragomann - September 16, 2025, 03:31:31 PMYou should adhere the official docs: Setup SSL VPN site to site tunnel.
A /30 tunnel might not be recommended anymore, even for a P2P VPN.
Further development of OpenVPN goes on. The recent OpenVPN versions support data channel offloading (in OPNsense this is also supported in the free version, differently to pfSense). But DCO is not compatible with a /30 tunnel network. This is also applied to pfSense.
Instead use a larger tunnel network and configure a client specific override for the client.
A /30 tunnel might not be recommended anymore, even for a P2P VPN.
Further development of OpenVPN goes on. The recent OpenVPN versions support data channel offloading (in OPNsense this is also supported in the free version, differently to pfSense). But DCO is not compatible with a /30 tunnel network. This is also applied to pfSense.
Instead use a larger tunnel network and configure a client specific override for the client.
#85
25.7 Series / odroid H4+ with net card v2 (i...
Last post by 0n3man - September 16, 2025, 02:52:04 PMI have an odroid H4+ with the net card v2 giving a total of 6 intel i226-v interfaces. This is a clean install as I was looking to replace my current FW. I initially had issues with the hard drive, which I got past. I then noticed the WAN interface seemed to be dropping out every couple of days. I found the post that provided steps to update the nic firmware. So I'm running the latest version of the intel nic firmware (FXVL_125C_V_2MB_2.32.bin). This did not fix the issue. I found a post where it was recommended to disable Energy-Efficient-Ethernet by setting the sysctl value for each nic to 1. Turns out 1 is the default value after the install. There was another post that indicated fc (flow-control) on the NIC could be a problem. The default value here was 3, which means flow control is on. I set it to 0 for each NIC. Still no help. I also turned off ASPM with sysctrl and also via the bios.
Once I noticed the WAN interface was dropping I decided to see how things faired while streaming video. This causes the communications to drop out usually under an hour. It's strange how things happen. First normal traffic like DNS will stop being sent out over the WAN port. However the video will keep streaming for a while. Anyway I'm looking for any other suggestions on how I might fix this. I'm considering loading some form of VM host as I did that initially when I put my previous hardware in place. Any thoughts on how to get pass this issue are appreciated.
Once I noticed the WAN interface was dropping I decided to see how things faired while streaming video. This causes the communications to drop out usually under an hour. It's strange how things happen. First normal traffic like DNS will stop being sent out over the WAN port. However the video will keep streaming for a while. Anyway I'm looking for any other suggestions on how I might fix this. I'm considering loading some form of VM host as I did that initially when I put my previous hardware in place. Any thoughts on how to get pass this issue are appreciated.
#86
German - Deutsch / Re: LAN-Port der DEC42xx geht ...
Last post by Patrick M. Hausen - September 16, 2025, 02:09:31 PMKabel? Was kommt als Ausgabe von "dmesg"?
#87
German - Deutsch / LAN-Port der DEC42xx geht stän...
Last post by dsn-bt - September 16, 2025, 01:58:52 PMGuten Tag,
nach der Ersteinrichtung (IP-Adresse des LAN-Ports, Deaktivierung des DHCP) einer DEC42xx über eine direkte Verbindung soll die Firewall über das bestehende LAN weiter konfiguriert werden.
Sobald die Firewall aber mit dem LAN-Port am bestehenden LAN angeschlossen ist, geht dieser alle ca. sieben Sekunden DOWN.
Ist jemanden dieses Verhalten zufällig bekannt? Woran könnte es liegen?
Vielen Dank und Gruß
nach der Ersteinrichtung (IP-Adresse des LAN-Ports, Deaktivierung des DHCP) einer DEC42xx über eine direkte Verbindung soll die Firewall über das bestehende LAN weiter konfiguriert werden.
Sobald die Firewall aber mit dem LAN-Port am bestehenden LAN angeschlossen ist, geht dieser alle ca. sieben Sekunden DOWN.
Ist jemanden dieses Verhalten zufällig bekannt? Woran könnte es liegen?
Vielen Dank und Gruß
#88
German - Deutsch / Re: SNMP? Bin ich blind?
Last post by knebb - September 16, 2025, 01:36:56 PMOh man! Ja, danke, gefunden...
#89
German - Deutsch / Re: extrem langsame DNS-Auflös...
Last post by Monviech (Cedrik) - September 16, 2025, 01:36:21 PMDNS mit dnsmasq als erstes hab ich extra hier in den docs beschrieben:
https://docs.opnsense.org/manual/dnsmasq.html#dnsmasq-as-primary-dns-resolver
https://docs.opnsense.org/manual/dnsmasq.html#dnsmasq-as-primary-dns-resolver
#90
German - Deutsch / Re: SNMP? Bin ich blind?
Last post by Patrick M. Hausen - September 16, 2025, 01:32:11 PMGuckst du hier:
