Messages - HackedComputer

1
IDS/IPS / Suricata netmap_transmit error
« on: February 12, 2018, 09:34:30 am »
Hey,


I have been running pfSense+Snort within ESXi without a hiccup; an Intel NIC is passed through directly via VT-d. Recently, I decided to give Suricata another go. I cloned the current setup and deployed it under a different name. I removed Snort and installed Suricata, then spent the next few days configuring it in IPS inline mode utilising Hyperscan. It has been running flawlessly for the past few weeks.

My network setup as follows:

Three VLANs:
Management
Secure Line (oVPN)
VM (Unused)

Three Physical:
Untagged LAN
WiFi
WAN

Suricata Listening on:
WAN
LAN
WIFI

The issue I am currently facing is that yesterday I was unable to obtain a DHCP lease from Management or Secure Line. I gave the box a reset and had brief access. However, the console was found to be full of the following errors:



If I set a Static IP on the management vlan, I am able to communicate with the ESXi interface, and other hosts. However, I am unable to communicate with pfSense interface.

So far, I have been able to remotely dial in and access the interface. I found that if I disabled Suricata on the LAN interface, things would return to normal... So at this current time I have Suricata listening only on the WAN interface, while the LAN and WiFi interfaces remain disabled.

Anyone have any pointers as to what has caused these issues to start, and how I go about rectifying them?

Kindest Regards
HC

2
General Questions / Re: How to use pfsense as a transparent sniffer only
« on: February 09, 2018, 11:03:54 am »
Why wouldn't you just use a switch with a mirror port there and do whatever you want with the traffic? Wireshark, tcpdump, etc.

Certainly easier than trying to be transparent with a proxy.

You don't need to hammer a square firewall into that round hole.

This, or a LAN tap such as the Throwing Star LAN Tap.

3
General Questions / Re: netmap_transmit error
« on: February 09, 2018, 09:15:36 am »
I've narrowed the issue to Suricata on the LAN Interface, can a mod please move this thread to the relevant section?

I've disabled Suricata on the LAN interface, and it appears to be working fine now, what gives?

4
General Questions / netmap_transmit error
« on: February 09, 2018, 07:52:44 am »
Hey,

Sorry if this is in the wrong section!

I have been running pfSense+Snort within ESXi without a hiccup; an Intel NIC is passed through directly via VT-d. Recently, I decided to give Suricata another go. I cloned the current setup and deployed it under a different name. I removed Snort and installed Suricata, then spent the next few days configuring it in IPS inline mode utilising Hyperscan.

My network setup as follows:

Three VLANs:
Management
Secure Line (oVPN)
VM (Unused)

Three Physical:
Untagged LAN
WiFi
WAN

The issue I am currently facing is that yesterday I was unable to obtain a DHCP lease from Management or Secure Line. I gave the box a reset and had brief access. However, the console was found to be full of the following errors:



If I set a static IP on the management VLAN, I am able to communicate with the ESXi interface and other hosts. However, I am unable to communicate with the pfSense interface. Doing a soft restart (stops services and re-runs the boot), it would appear that it works briefly and then stops, prompting the above console errors.

At this current time, I have tried restarting pfSense fully and fully power cycling the switch and the server itself, to no avail. There have been no software or configuration changes and it has been running sweetly; it has really only just started happening. As such, I have reverted back to the pfSense Snort VM, which appears to be working fine.

Anyone have any pointers as to what has caused these issues to start, and how I go about rectifying them?

Kindest Regards
HC

5
OpenVPN / Re: PIA speeds and connection drops
« on: May 07, 2017, 06:48:35 pm »
So, I've looked into this, and I don't think it's a DNS issue. I have resolved it on my end, after many attempts at getting it correct. I believe it to be pfSense/OpenVPN fighting between gateways.

What I did was create an interface for the VPN gateway, set the MTU and MSS within the interface settings, and set policy routing for the traffic I want over the VPN by setting the gateway to the VPN. Next, I disabled automatic gateway switching within pfSense. Then, within the VPN client settings, I disabled the ability of the VPN server to push routes.

With the NAT settings, I set the VPN gateway and the local IP address I want translated to the VPN IP address.

Voila! Web browsing is now as it should be, no timeouts or long resolve times. For good measure, I simply rebooted the system.

As above, if you'd like to stop DNS leaks you can set the DNS IP address within the General settings and apply it to the VPN Gateway that was created from the Interface.  Or apply it to all.

6
OpenVPN / Re: PIA speeds and connection drops
« on: May 07, 2017, 03:12:23 pm »
I think I have the same issue as you. At first, I thought it was underpowered hardware (APU2C4), but then when I migrated to a dedicated server appliance (quad-core Xeon) it was exactly the same!

The connection is sound, and when fast.com eventually loads I pull my full line speed, or at least >200 Mbps.

I have tried NATing the address, and also creating an interface for more granular control. I will try and set the DNS servers to that of the VPN provider.

Edit: I've just noticed you've got cryptodev enabled. It's recommended to disable this as it adds overhead; OpenVPN and OpenSSL already use the CPU's AES-NI.

7
OpenVPN / OpenVPN Client Slow DNS Resolution
« on: May 07, 2017, 03:35:39 am »
So, I've had some issues with regards to pfSense acting as a VPN Client across two installations and hardware.

The first piece of hardware was an APU2C4, which has now been decommissioned. I am now on a VMware pfSense with the Intel NICs via DirectIO, powered by a Xeon.

The issue is when I'm having pfSense act as a VPN client: the DNS resolution seems to be awfully slow and at times times out. The way I have the VPN pass its address is via NAT: SecureVLAN > OpenVPN address via the NAT page. I have also tried creating an interface and setting rules to use the VPN gateway etc., same issue.

However, if pfSense acts as a VPN Server, remote clients are working just fine.

I am using Unbound in Forwarding mode.

I have tried various things such as making adjustments to the VPN config and disabling the AES kernel module to reduce overhead, as OpenVPN and OpenSSL use these by default anyway.

Here's the current VPN client configuration:

persist-tun;persist-key;persist-remote-ip;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA;ns-cert-type server;verify-x509-name gb name-prefix;

Oh, one last thing, I have made sure that I have cleared the states upon making changes to NAT and among other things.

This also happens across multiple providers. I do, however, have an MTU of 9000 set on LAN and VLANs, while the WAN remains at 1500.


8
Hardware / Re: Advice for new user - APU2C
« on: January 25, 2017, 04:57:35 pm »
To be honest, the APU2C4 is cracking for what it can handle.

I have a 320/20 connection, and to be fair it handles it very well with Snort running on 3 interfaces with a decent amount of rules added - I get my full connection speeds.

However, FreeBSD is the limiting factor in terms of interface throughput. Throughput between two interfaces is roughly 550 - 650 Mbps. However, if you run a Linux-based OS such as Sophos UTM, then the throughput is ~950 Mbps between two interfaces.

9
OpenVPN / Re: PIA - bad speeds
« on: December 16, 2016, 05:59:46 pm »
Yeah, that's encryption for you :)

I've had my APU2C4 for the past week - It's a great little thing for sure. I had known that this wouldn't push more than 100Mbit via oVPN. Unfortunately, I now have the itch to repurpose my unRAID server (A HP MicroServer G8 with Xeon 1240v2)

10
OpenVPN / Re: PIA - bad speeds
« on: December 16, 2016, 05:03:50 pm »
Unless oVPN becomes multi-threaded, there's not a whole lot one can do. My APU2C4 can push roughly 80 to 100Mbps.

11
OpenVPN / Re: PIA - bad speeds
« on: December 16, 2016, 04:56:52 pm »
You'll want to try AES-128 as that is faster than BlowFish.

I'm afraid that it's down to the hardware used. oVPN isn't multi-threaded. More often than not it boils down to a single core clock speed. Crypto support in the CPU does help, but right now we only see substantial gains with IPSec.

12
Hardware / Re: PC Engines apu2 experiences
« on: December 15, 2016, 12:00:51 pm »
Just an update:

So, changing the cryptographic options within pfSense didn't yield any differences. Perhaps by 5 Mbps.

However, I looked more into the OpenVPN configuration and appended the following to the client configuration:

sndbuf 393216;
rcvbuf 393216

and thus, this was achieved:


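The thread's OpenVPN client settings (the custom options in the "Slow DNS Resolution" post, the "disable the server pushing routes" step in the PIA reply, and the sndbuf/rcvbuf change above) can be checked mechanically. The linter below is an added example written for this page; it is not code from the posts, from pfSense or from OpenVPN. It parses pfSense's ';'-separated custom-options text (or a plain one-directive-per-line file) and reports the points the thread touches: ns-cert-type versus remote-cert-tls, name pinning, a TLS suite without forward secrecy, whether the server may push routes over pfSense's policy routing, Blowfish, the buffer sizes, and cryptodev. The HARDENED text is a suggested replacement I constructed; its suite names, cipher and auth are my choices, and on pfSense the GUI supplies cipher/auth/remote itself, so the 'cipher' result is informational for a custom-options box.

```python
"""Lint an OpenVPN client option list for the issues raised in this thread.

Added example (not from the forum posts, pfSense or OpenVPN).
Treats the text as the whole client option list; on pfSense the GUI adds
'remote', 'cipher', 'auth' and friends, so 'cipher' findings are INFO only.
"""
import shlex

# The custom options exactly as posted above (pfSense ';'-separated form).
POSTED = (
    "persist-tun;persist-key;persist-remote-ip;"
    "tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:"
    "TLS-RSA-WITH-AES-256-CBC-SHA;ns-cert-type server;verify-x509-name gb name-prefix;"
)

# Constructed replacement for this example. Suite names, cipher and auth are
# my choices; 'gb' is the posted name prefix; sndbuf/rcvbuf are the values
# the thread's author added later.
HARDENED = """
persist-tun
persist-key
persist-remote-ip
remote-cert-tls server              # replaces deprecated ns-cert-type
verify-x509-name gb name-prefix
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-128-GCM
auth SHA256
route-nopull                        # server cannot override pfSense policy routing or DNS
sndbuf 393216
rcvbuf 393216
"""


def parse_directives(text):
    """Return [(name, [args...])] from newline- or ';'-separated options.
    '#' starts a comment; quoted args are honoured (pull-filter ignore "route")."""
    directives = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for chunk in line.split(";"):
            parts = shlex.split(chunk)
            if parts:
                directives.append((parts[0], parts[1:]))
    return directives


def lint(text):
    """Return findings as 'WARN ...' / 'INFO ...' strings; WARN means fix before use."""
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    last = dict(directives)                    # last occurrence of an option wins
    findings = []

    # Server authentication: the client must reject a client cert posing as the server.
    if "ns-cert-type" in names:
        findings.append("WARN ns-cert-type is deprecated (removed in OpenVPN 2.5); use 'remote-cert-tls server'")
    elif "remote-cert-tls" not in names:
        findings.append("WARN no 'remote-cert-tls server': any CA-signed client cert could impersonate the server")
    if "verify-x509-name" not in names:
        findings.append("WARN no verify-x509-name: the server's certificate name is not pinned")

    # Control channel: static RSA key exchange gives no forward secrecy.
    for suite in (last.get("tls-cipher") or [""])[0].split(":"):
        if suite.startswith("TLS-RSA-"):
            findings.append(f"WARN {suite}: static RSA key exchange, no forward secrecy")

    # Route control: otherwise the provider can push redirect-gateway/DNS over the
    # gateway chosen in pfSense (the 'fighting between gateways' described above).
    ignored = {a[1] for n, a in directives
               if n == "pull-filter" and len(a) == 2 and a[0] == "ignore"}
    if "route-nopull" not in names and not {"route", "redirect-gateway"} <= ignored:
        findings.append("WARN pushed routes are accepted; add 'route-nopull' "
                        "(or pull-filter ignore \"route\" / \"redirect-gateway\")")

    # Data channel cipher.
    cipher = (last.get("cipher") or [None])[0]
    if cipher is None:
        findings.append("INFO no 'cipher' here (pfSense sets it in the GUI); make sure it is not BF-CBC")
    elif cipher.upper().startswith("BF-"):
        findings.append("WARN Blowfish is a 64-bit block cipher (SWEET32) and slower than AES on AES-NI")

    # Socket buffers from the sndbuf/rcvbuf post above.
    for knob in ("sndbuf", "rcvbuf"):
        if knob not in names:
            findings.append(f"INFO {knob} not set (the author added '{knob} 393216')")

    # cryptodev: OpenSSL drives AES-NI from user space, the engine only adds copies.
    if "engine" in names:
        findings.append("INFO 'engine' set; OpenSSL already uses AES-NI without cryptodev")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for finding in lint(cfg) or ["OK"]:
            print(" ", finding)
```

Running it on the posted options yields three WARN lines (ns-cert-type, the TLS-RSA suite, no route-nopull) and nothing for the hardened text. With route-nopull in place, pfSense's own gateway and policy-routing rules from the PIA reply decide what goes through the tunnel, and the provider's pushed DNS no longer competes with Unbound.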

13
Hardware / Re: PC Engines apu2 experiences
« on: December 14, 2016, 05:05:48 pm »
Quote
From what total line speed did you achieve the 30Mbps? And how strong was the other VPN peer end?

Connecting from a 317Mbps line, the other end is serviced by a 10Gbit (SFP) line @ Rackspace

Quote
At the moment only IPsec is really benefiting from the AES-NI, so you might perhaps have
more luck once OpenVPN version 2.4 is out.

I'll hold out, I'm not too fussed - I didn't expect a lot. But I expected a tad better, as my old equipment was a dual-core 800MHz MIPS. I had tried the "fix" here:

http://1101entrails.blogspot.co.uk/2016/05/getting-aes-ni-to-work-using-pfsense-on.html

14
Hardware / Re: PC Engines apu2 experiences
« on: December 12, 2016, 09:39:11 am »
Hey,

I recently took delivery of an APU2C4. It is certainly a decent performer for the size of it!

I am wondering, has anyone got the AES-NI to work with the OpenVPN? The reason I ask is that I don't appear to see any acceleration happening with AES-128-CBC / AES-256-CBC. The rough maximum I have achieved is 30Mbps.

I have tried enabling the AES-NI within Advanced Options, and then enabling the cryptodev within OpenVPN. As well as disabling AES-NI and leaving Cryptodev enabled vice-versa.

However, I see no changes whatsoever.

I am on the latest pfSense 2.3.x release.

Kindest Regards
HC
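Three checks answer the AES-NI question from the post above from the pfSense shell. This is an added example for this page, not a pfSense or OpenVPN tool: it reads the CPU feature flags FreeBSD prints at boot, checks whether aesni.ko is loaded (only relevant to IPsec and cryptodev, since OpenSSL runs the instructions from user space, which is the point made in the later "disable cryptodev" reply), and compares OpenSSL's AES-128-CBC throughput with the AES-NI capability bit masked out via OPENSSL_ia32cap against the default. The dmesg and kldstat samples are constructed so the two parsing functions can be exercised on any machine.

```sh
#!/bin/sh
# Is AES-NI present, and is OpenSSL (hence OpenVPN) actually using it?
# Added example for this thread, not pfSense/OpenVPN code. Written for the
# FreeBSD shell on pfSense; the sample dmesg/kldstat text is constructed.

# 1. CPU flag. FreeBSD lists AESNI inside the Features2=<...> set at boot.
cpu_has_aesni() {                      # $1: dmesg file (default: the live one)
    grep -E '^ *Features2=.*[<,]AESNI[,>]' "${1:-/var/run/dmesg.boot}" >/dev/null
}

# 2. aesni.ko. Needed for IPsec and cryptodev only; OpenSSL uses the
#    instructions directly, so for OpenVPN the module adds nothing.
aesni_module_loaded() {                # $1: saved kldstat output (default: run kldstat)
    { if [ -n "$1" ]; then cat "$1"; else kldstat; fi; } | grep -q 'aesni\.ko'
}

# 3. Measure it. OpenSSL enables AES-NI on its own; masking capability bit 57
#    in OPENSSL_ia32cap forces the C implementation, so the ratio of the two
#    runs shows whether acceleration is really in play (takes ~40 s).
aesni_speedup() {
    rate() { openssl speed -elapsed -evp aes-128-cbc 2>/dev/null |
             awk 'tolower($1) == "aes-128-cbc" { sub(/k$/, "", $NF); print $NF }'; }
    with=$(rate)
    without=$(OPENSSL_ia32cap="~0x200000000000000"; export OPENSSL_ia32cap; rate)
    awk -v a="$with" -v b="$without" \
        'BEGIN { printf "AES-128-CBC: %s KB/s with AES-NI, %s KB/s without (%.1fx)\n", a, b, a / b }'
}

# Constructed samples (not output from the thread's hardware).
SAMPLE_DMESG=$(mktemp); SAMPLE_DMESG_OLD=$(mktemp); SAMPLE_KLDSTAT=$(mktemp)
cat > "$SAMPLE_DMESG" <<'EOF'
CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz (3400.06-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x7fbae3ff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,RDRAND>
EOF
cat > "$SAMPLE_DMESG_OLD" <<'EOF'
CPU: Intel(R) Atom(TM) CPU N270 @ 1.60GHz (1596.21-MHz 686-class CPU)
  Features2=0x40c39d<SSE3,DTES64,MON,DS_CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE>
EOF
cat > "$SAMPLE_KLDSTAT" <<'EOF'
Id Refs Address                Size Name
 1   14 0xffffffff80200000  1f7e2d8 kernel
 2    1 0xffffffff82221000    28d0 aesni.ko
EOF

# On the pfSense box itself: report the live state; pass --speed to benchmark.
if [ -r /var/run/dmesg.boot ]; then
    if cpu_has_aesni; then echo "CPU flag: AESNI present"; else echo "CPU flag: no AESNI"; fi
    if aesni_module_loaded; then echo "aesni.ko: loaded (IPsec/cryptodev)"; else echo "aesni.ko: not loaded (fine for OpenVPN)"; fi
    if [ "${1:-}" = "--speed" ]; then aesni_speedup; fi
fi
```

A ratio well above 1 from aesni_speedup means OpenSSL's EVP path, which is what OpenVPN's data channel uses, is accelerated whatever the pfSense "cryptodev" checkbox says; if the two numbers are close, the CPU flag check tells you whether the hypervisor hid the instruction from the guest.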
