Topics - bimmerdriver

1
General Discussion / Merry Christmas and Happy New Year
« on: December 23, 2017, 10:07:49 am »
Since Christmas is just around the corner, I wanted to wish everyone a safe and enjoyable festive season and a great new year. In particular, best wishes and many thanks to the pfsense developers and those who contribute to pfsense in other ways, such as testing and supporting this forum.

All the best, everyone.

2
DHCP and DNS / android 8 dhcpv4 client-hostname missing
« on: November 12, 2017, 02:58:27 pm »
I have a nexus 5X. It's running oreo. Since updating to oreo, the dhcpv4 client-hostname is missing. I'm wondering if this is unique to my device for some reason or if it's the same for all android 8 devices.

UPDATE: Apparently this is a feature. Android 8 is using the RFC 7844 anonymity profile, so the hostname is blank. I wish they would allow users to make this decision for themselves, rather than being forced to use it.

3
2.4 Development Snapshots / sendmsg: No route to host
« on: November 11, 2017, 09:13:32 pm »
I'm running the latest snapshot: 2.4.2.a.20171110.1936

It's running on a hyper-v and it was working before this update. There is one windows 10 client, also virtual. ipv4 is working, but not ipv6. Both ipv6-test.com and test-ipv6.com are reporting that ipv6 is not working, as well as the adapter status on the client. The client has ipv4 and ipv6 addresses. Everything looks normal, except the routing log is filled with messages such as the following:

Code:
Nov 11 18:58:07 radvd 42580 sendmsg: No route to host
Nov 11 18:58:18 radvd 42580 sendmsg: No route to host
Nov 11 18:58:29 radvd 42580 sendmsg: No route to host
Nov 11 18:58:38 radvd 42580 sendmsg: No route to host
Nov 11 18:58:43 radvd 42580 sendmsg: No route to host
Nov 11 18:58:49 radvd 42580 sendmsg: No route to host
Nov 11 18:59:08 radvd 42580 sendmsg: No route to host
Nov 11 18:59:23 radvd 42580 sendmsg: No route to host

Anyone else experiencing this? Any suggestions to locate the problem?

4
2.4 Development Snapshots / Update from 2.4.1 to 2.4.2 dev failed
« on: October 25, 2017, 10:54:19 pm »
I was running 2.4.1 since it was released and tried to switch over to 2.4.2 dev. The update failed. Below is a screen capture of the console. freebsd boots, but pfsense is non-functional. I was going to download a snapshot and reinstall, but I thought I'd ask if anyone wants me to look at any files that may indicate what happened before I blow it away.

5
IPv6 / Why so many NDP entries for iPhone?
« on: October 09, 2017, 03:56:15 pm »
I (unfortunately) just got an iPhone from my employer. I'm an android user so not familiar with iOS. Phone is running iOS 11.0.2, if that makes any difference. I've noticed that there are numerous entries in the NDP table for this device, multiple 10s of them. I've seen a few entries at a time for a specific MAC address due to privacy addresses, but never so many for a single device. Just to see what would happen, I tried deleting them, but they did not go away, even with the device turned off. (I'm running pfsense 2.3.4 P1.) The only way I was able to get rid of them was to SAVE, APPLY the LAN interface. They disappeared, only to come back. This isn't a big deal, but I'm just wondering why this device seems to uniquely have so many NDP table entries.

6
IDS/IPS / What to use to report and analyse snort alerts?
« on: September 09, 2017, 01:07:36 pm »
Before I switched to pfsense, I used Sophos UTM. It is closed source, but had some nice features, in particular analysis and reporting of intrusion attempts. UTM used snort for collecting and detecting information and it had an analysis and reporting layer on top of snort. Even a few years ago, it generated reports and it was possible to query alerts to find out what addresses are attacking, what addresses are being attacked, etc. Without this capability, I find that snort is not nearly as useful as it could be. It basically fills the general log with events.

I looked on the snort wikipedia page and it lists snorby, BASE, sguil and aanval as "third-party" applications. I've seen other references to squert and ELSA. The only one of these packages that appears to be under active development is aanval. aanval is not open-source, but they have a free "lite" version.

I'm interested to know what everyone is using and if anyone has tried aanval.

7
IDS/IPS / Suppress list defined, but could not be found
« on: September 04, 2017, 06:44:04 pm »
I was looking at services / snort / alerts and clicked on the + of SID for the most recent alert. An error message was displayed saying that the suppress list was defined, but could not be found. It's the same for any of the alerts. Any idea what is causing this problem and how to fix this? I don't recall ever creating a suppress list. A screen capture of the error is attached.

8
I've tested quite a few patches and never noticed that they did not get applied until the first reboot after updating. I noticed that just now because the patch to fix the startup of unbound does not work the first time pfsense reboots after updating. After the first reboot, the patch is applied and works every time thereafter. I noticed on the console that the last thing that happens before the boot process is finished that packages are loaded. Since patches are handled by the patch package, this behavior is not a surprise. I'm wondering why I didn't notice this before. Is it a new feature?

9
A while back, I tried to set up a dual-stack openvpn client and server using windows 10 hosts. I was able to get the vpn to work for ipv4 and I was able to get the client and server to ping each other using both ipv4 and ipv6, but I could never get the server to forward the ipv6 traffic. I tried to get help on the openvpn forum and openvpn-users email list and was told I have a routing problem. I may be a noob, but I had already reached that conclusion myself. I was not able to get anyone with a working configuration to explain how they configured the routing on the server, so I gave up on it and now I'm trying to configure a linux server. I'm stuck at exactly the same place, so I thought I'd ask here if anyone is willing to help a noob set up an openvpn server.

I have two independent networks, one with pfsense 2.3.4 and one with pfsense 2.4 beta. The client is on the former. The server is on the latter. Both networks have separate /56 prefixes and one LAN each with a /64. I'm using a hyper-v server, so I can add another /64 if it's required.

The ubuntu server is completely up-to-date. The client and server both run the latest version of openvpn (2.4.2). The client is working properly (ipv6-test.com) when the vpn is disconnected. The server can also ping and traceroute external addresses.

When the vpn is connected, the client and server can ping each other using ipv4 and ipv6. The client can access external sites using ipv4, but not ipv6. I've tried using several ipv6 addressing configurations including ULA, prefix::/64 and prefix:8000::/65. I found that with prefix::/64 it was not possible for the server to ping the client, I guess because it was using the default route. prefix:8000::/65 solved that, but the traffic still isn't being forwarded.

I have made the following changes on the server:

sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
sysctl net.ipv6.conf.eth0.accept_ra=2
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
ip6tables -A FORWARD -s prefix:8000::/65 -i tun0 -o eth0 -j ACCEPT

If anyone is willing to take a look and offer suggestions, I would be most grateful. I will post whatever info is required.

10
2.4 Development Snapshots / unbound ipv6 problems anyone?
« on: June 14, 2017, 08:23:36 pm »
Yesterday, I noticed issues with ipv6 dns using dig and nslookup (windows 10). The problem went away but seems to be back. I updated to the latest snapshot, but it made no difference. I also tried adding an ACL, but that also made no difference. I've never added an ACL before.

I posted about it in the dns section: https://forum.pfsense.org/index.php?topic=132067.0

Is anyone experiencing this?

11
IPv6 / IPv6-test.com
« on: June 13, 2017, 01:51:11 pm »
ipv6-test.com has been my go-to website for ensuring I've got good dual-stack connectivity. I have two separate networks, one running pfsense 2.3.4 and one running 2.4 beta. (I have 50+ Mbps down and 10+ Mbps up.) I have icmp echo-request enabled for ipv4 and ipv6 and on the windows 10 clients, I have the windows firewall "Virtual Machine Monitoring (Echo Request - ICMPv6-In)" rule enabled. With this configuration, normally, I get 20/20 on both networks and the ping test also works for both protocols. (I normally only use chrome.)

Lately (as in the last month or so), however, I've found the website to give inconsistent results. Often, the ipv6 icmp test says filtered or not tested, and often one or more of the three dns tests are slow to respond or come back as unreachable. If I refresh the dns test several times, a different one of the three dns tests may fail. Less often, the website reports the browser default protocol is ipv4 instead of ipv6. If I refresh the website a few times, it usually will eventually report 20/20. Maybe I have to come back in a while.

To my knowledge, nothing has changed on either of my networks, aside from updates to the pfsense 2.4 beta snapshot. My other network is more stable, since I'm using pfsense 2.3.X release.

I'm wondering if anyone else is seeing these problems.

12
DHCP and DNS / Windows 10 nslookup not working on 2.4 beta
« on: June 12, 2017, 01:47:20 pm »
I have two independent lans, one running 2.3.4, one running 2.4 beta. Both are identically configured with unbound.

I have windows 10 clients on both lans.

If I do nslookup on the 2.3.4 lan, it works properly.

If I do nslookup on the 2.4 beta lan, it fails.

Screen captures are attached.

Any idea what could be causing this?

13
IDS/IPS / Snort alert logging
« on: May 28, 2017, 10:34:16 pm »
Snort is installed using mostly defaults. Logging of alerts is enabled and the system log facility is LOG_AUTH. Snort is completely flooding the general log. I guess that's expected, since it doesn't have its own log. Other logs can be selected, but it's not obvious (to me) what they are.

I raised a bug that snort was flooding the general log because it doesn't have its own log, but no idea if anything will be done (or even should be done). Here is the only reply:

Quote
Do you have it configured to log alerts to the system log? Otherwise, it does not put too much info into the system log other than some messages from the scheduled rule updates. Logging alerts to the system log is not the best idea because that can cause a lot of stuff in the log. Better to use Barnyard2 and either its remote syslog option or one of the SQL DB options there.

What is the recommended setting for snort logs, in particular to prevent flooding the general log? Is barnyard2 the way to go or are there other solutions?

Also, when I was using Sophos UTM, it had a very nice built-in reporting facility so you could get a good idea what alerts are being raised and from where. Is there a reporting facility for snort?

14
IDS/IPS / Snort dying
« on: May 22, 2017, 11:13:09 am »
I'm running pfsense 2.3.4 with snort. Snort periodically dies. I'm not very familiar with it, so I would appreciate suggestions to find out what's causing it to die.

Here are the rules:

Snort VRT Rules   face1054adccff0db267eb911a056e4c   Thursday, 18-May-17 00:07:20 PDT
Snort GPLv2 Community Rules   c3aeed15c958358c3d7fdbc039f3d421   Tuesday, 09-May-17 12:07:03 PDT
Emerging Threats Open Rules   c317cada4fb95353e3742a0be59c3f5e   Saturday, 20-May-17 00:05:26 PDT
Snort OpenAppID Detectors   Not Enabled   Not Enabled
Snort OpenAppID RULES Detectors   Not Enabled   Not Enabled

Here are the most recent messages in the log. As you can see, it's been stopped for a few days.

Code:
May 18 00:10:00 php /usr/local/pkg/snort/snort_check_cron_misc.inc: [Snort] Alert pcap file cleanup job removed 1 pcap file(s) from /var/log/snort/snort_hn120641/...
May 18 00:07:51 check_reload_status Syncing firewall
May 18 00:07:50 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
May 18 00:07:49 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for WAN...
May 18 00:07:38 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
May 18 00:07:21 kernel hn1: promiscuous mode disabled
May 18 00:07:21 kernel pid 26541 (snort), uid 0: exited on signal 11
May 18 00:07:10 snort 26541 [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 5.79.11.202:80 -> 162.156.4.171:43486
May 18 00:06:37 snort 26541 [137:1:2] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:569:74c8:4000:c08f:d541:a3c1:12b8:47624 -> 2a03:2880:f013:1:face:b00c:0:1:443
May 18 00:06:29 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
May 18 00:06:09 snort 26541 [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 5.79.11.202:80 -> 162.156.4.171:43486
May 18 00:06:09 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
May 18 00:06:09 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules are up to date...
May 18 00:06:08 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
May 18 00:05:40 snort 26541 [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 162.156.4.171:64024 -> 74.120.184.194:80

Here are the messages in the log from when I restarted the service:
Code:
May 22 09:11:58 kernel hn1: promiscuous mode enabled
May 22 09:11:41 SnortStartup 74801 Snort START for WAN(20641_hn1)...
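An added example, not from the post or the pfSense Snort package: a small Python checker that reads pfSense system log lines like the ones quoted above and reports when the Snort process exited on a signal, whether a rule update was running around that moment, and how long the sensor stayed down until the next START line, since an IDS that died unnoticed for four days is a gap in detection coverage. The year (syslog timestamps carry none) and the five-minute correlation window are assumptions.

```python
import re
import signal
from datetime import datetime, timedelta

# Constructed sample: the relevant lines from the log quoted above (newest first, as pfSense shows them).
SAMPLE_LOG = """\
May 22 09:11:41 SnortStartup 74801 Snort START for WAN(20641_hn1)...
May 18 00:07:50 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
May 18 00:07:38 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN ...
May 18 00:07:21 kernel hn1: promiscuous mode disabled
May 18 00:07:21 kernel pid 26541 (snort), uid 0: exited on signal 11
May 18 00:06:08 php /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
"""

TS = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)'
EXIT_RE = re.compile(TS + r' kernel pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid \d+: exited on signal (?P<sig>\d+)')
START_RE = re.compile(TS + r' SnortStartup \d+ Snort START for (?P<iface>\S+)')
RULE_RE = re.compile(TS + r' php /usr/local/pkg/snort/snort_check_for_rule_updates\.php')

def parse_ts(ts, year=2017):
    # Syslog timestamps have no year; the year is an assumption supplied by the caller.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def analyse(log_text, year=2017, window=timedelta(minutes=5)):
    """One record per signal exit: when, which process, which signal, whether a rule
    update was active within `window`, and the downtime until the next Snort START
    (None if the log holds no later start)."""
    exits, starts, rule_updates = [], [], []
    for line in log_text.splitlines():
        m = EXIT_RE.match(line)
        if m:
            exits.append((parse_ts(m['ts'], year), int(m['pid']), m['proc'], int(m['sig'])))
            continue
        m = START_RE.match(line)
        if m:
            starts.append(parse_ts(m['ts'], year))
            continue
        m = RULE_RE.match(line)
        if m:
            rule_updates.append(parse_ts(m['ts'], year))
    starts.sort()
    results = []
    for when, pid, proc, sig in sorted(exits):
        # Signal 11 is SIGSEGV: the process faulted; it was not stopped deliberately.
        try:
            signame = signal.Signals(sig).name
        except ValueError:
            signame = f"SIG{sig}"
        restart = next((s for s in starts if s > when), None)
        results.append({
            "when": when, "pid": pid, "process": proc, "signal": sig, "signame": signame,
            "during_rule_update": any(abs(t - when) <= window for t in rule_updates),
            "downtime": (restart - when) if restart else None,
        })
    return results

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(f"{r['when']} {r['process']}[{r['pid']}] died with {r['signame']}; "
              f"rule update active: {r['during_rule_update']}; down for {r['downtime']}")
```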

15
DHCP and DNS / Frequent unbound restarts
« on: May 10, 2017, 11:12:47 am »
Upgraded to 2.3.4 last night. The upgrade did not go well (https://forum.pfsense.org/index.php?topic=130297.0), so it's possible there are underlying problems.

I have the log set to hold 2000 entries. Since this morning, the log is only holding 5 hours of messages, including almost 40 restarts of unbound. During this time, there was virtually no load on the system. A sample of the messages is below. There is no obvious error.

In Services / DNS Resolver / General Settings, DNSSEC, DHCP registration and Static DHCP are enabled. Aside from that, unbound is configured with defaults.

In System / General Setup / DNS Server Settings, no DNSes are configured and DNS Server Override is unchecked.

Is there a reason for so many restarts?

Code:
May 10 08:55:36 unbound 13085:0 info: start of service (unbound 1.6.1).
May 10 08:55:36 unbound 13085:0 notice: init module 1: iterator
May 10 08:55:36 unbound 13085:0 notice: init module 0: validator
May 10 08:55:36 unbound 13085:0 notice: Restart of unbound 1.6.1.
May 10 08:55:36 unbound 13085:0 info: 16.000000 32.000000 1
May 10 08:55:36 unbound 13085:0 info: 0.524288 1.000000 2
May 10 08:55:36 unbound 13085:0 info: 0.262144 0.524288 38
May 10 08:55:36 unbound 13085:0 info: 0.131072 0.262144 46
May 10 08:55:36 unbound 13085:0 info: 0.065536 0.131072 54
May 10 08:55:36 unbound 13085:0 info: 0.032768 0.065536 36
May 10 08:55:36 unbound 13085:0 info: 0.016384 0.032768 27
May 10 08:55:36 unbound 13085:0 info: 0.008192 0.016384 42
May 10 08:55:36 unbound 13085:0 info: 0.004096 0.008192 1
May 10 08:55:36 unbound 13085:0 info: 0.000000 0.000001 2
May 10 08:55:36 unbound 13085:0 info: lower(secs) upper(secs) recursions
May 10 08:55:36 unbound 13085:0 info: [25%]=0.0268516 median[50%]=0.0855609 [75%]=0.201594
May 10 08:55:36 unbound 13085:0 info: histogram of recursion processing times
May 10 08:55:36 unbound 13085:0 info: average recursion processing time 0.246546 sec
May 10 08:55:36 unbound 13085:0 info: server stats for thread 3: requestlist max 20 avg 3.25703 exceeded 0 jostled 0
May 10 08:55:36 unbound 13085:0 info: server stats for thread 3: 332 queries, 83 answers from cache, 249 recursions, 0 prefetch, 0 rejected by ip ratelimiting
May 10 08:55:36 unbound 13085:0 info: 1.000000 2.000000 1
May 10 08:55:36 unbound 13085:0 info: 0.524288 1.000000 2
May 10 08:55:36 unbound 13085:0 info: 0.262144 0.524288 8
May 10 08:55:36 unbound 13085:0 info: 0.131072 0.262144 13
May 10 08:55:36 unbound 13085:0 info: 0.065536 0.131072 17
May 10 08:55:36 unbound 13085:0 info: 0.032768 0.065536 13
May 10 08:55:36 unbound 13085:0 info: 0.016384 0.032768 5
May 10 08:55:36 unbound 13085:0 info: 0.008192 0.016384 10
May 10 08:55:36 unbound 13085:0 info: lower(secs) upper(secs) recursions
May 10 08:55:36 unbound 13085:0 info: [25%]=0.0384394 median[50%]=0.0905939 [75%]=0.199129
May 10 08:55:36 unbound 13085:0 info: histogram of recursion processing times
May 10 08:55:36 unbound 13085:0 info: average recursion processing time 0.150241 sec
May 10 08:55:36 unbound 13085:0 info: server stats for thread 2: requestlist max 11 avg 0.521739 exceeded 0 jostled 0
May 10 08:55:36 unbound 13085:0 info: server stats for thread 2: 82 queries, 13 answers from cache, 69 recursions, 0 prefetch, 0 rejected by ip ratelimiting
May 10 08:55:36 unbound 13085:0 info: 4.000000 8.000000 1
May 10 08:55:36 unbound 13085:0 info: 0.262144 0.524288 7
May 10 08:55:36 unbound 13085:0 info: 0.131072 0.262144 9
May 10 08:55:36 unbound 13085:0 info: 0.065536 0.131072 14
May 10 08:55:36 unbound 13085:0 info: 0.032768 0.065536 7
May 10 08:55:36 unbound 13085:0 info: 0.016384 0.032768 9
May 10 08:55:36 unbound 13085:0 info: 0.008192 0.016384 8
May 10 08:55:36 unbound 13085:0 info: 0.000256 0.000512 1
May 10 08:55:36 unbound 13085:0 info: 0.000000 0.000001 3
May 10 08:55:36 unbound 13085:0 info: lower(secs) upper(secs) recursions
May 10 08:55:36 unbound 13085:0 info: [25%]=0.0213902 median[50%]=0.0725577 [75%]=0.16384
May 10 08:55:36 unbound 13085:0 info: histogram of recursion processing times
May 10 08:55:36 unbound 13085:0 info: average recursion processing time 0.172102 sec
May 10 08:55:36 unbound 13085:0 info: server stats for thread 1: requestlist max 4 avg 0.389831 exceeded 0 jostled 0
May 10 08:55:36 unbound 13085:0 info: server stats for thread 1: 86 queries, 27 answers from cache, 59 recursions, 0 prefetch, 0 rejected by ip ratelimiting
May 10 08:55:36 unbound 13085:0 info: 1.000000 2.000000 1
May 10 08:55:36 unbound 13085:0 info: 0.524288 1.000000 1
May 10 08:55:36 unbound 13085:0 info: 0.262144 0.524288 19
May 10 08:55:36 unbound 13085:0 info: 0.131072 0.262144 33
May 10 08:55:36 unbound 13085:0 info: 0.065536 0.131072 37
May 10 08:55:36 unbound 13085:0 info: 0.032768 0.065536 29
May 10 08:55:36 unbound 13085:0 info: 0.016384 0.032768 19
May 10 08:55:36 unbound 13085:0 info: 0.008192 0.016384 26
May 10 08:55:36 unbound 13085:0 info: 0.004096 0.008192 2
May 10 08:55:36 unbound 13085:0 info: 0.000000 0.000001 5
May 10 08:55:36 unbound 13085:0 info: lower(secs) upper(secs) recursions
May 10 08:55:36 unbound 13085:0 info: [25%]=0.0250072 median[50%]=0.0743922 [75%]=0.174763
May 10 08:55:36 unbound 13085:0 info: histogram of recursion processing times
May 10 08:55:36 unbound 13085:0 info: average recursion processing time 0.120666 sec
May 10 08:55:36 unbound 13085:0 info: server stats for thread 0: requestlist max 17 avg 2.08721 exceeded 0 jostled 0
May 10 08:55:36 unbound 13085:0 info: server stats for thread 0: 219 queries, 47 answers from cache, 172 recursions, 0 prefetch, 0 rejected by ip ratelimiting
May 10 08:55:36 unbound 13085:0 info: service stopped (unbound 1.6.1).
