29
Oct
2018

OPNSense – Dark Theme!

OPNSense is great and all, however it’s quite the strain on the eyes to look at:

Phowar… blindin!

The UI is lovely and all, however when you’re messing with it late at night (like me), you might want to grab the Cicada theme:

Aaah… that’s better!

To enable the theme after getting it from System > Firmware > Plugins, go to System > Settings > General and select it from the Theme dropdown:

And that is it! There are other themes too, but I do like the black and orange look of Cicada!

19
Oct
2018

Adding another 4TB to the NAS

So, I managed to make it around two-and-a-half years before I started to get low on space in the 2016 NAS. It was time to add 4 more terabytes and expand the storage!

The NAS (top) sitting happy in the “rack”

The three 4TB Seagate Barracuda NAS drives I got in 2016 are still running perfectly, so I had no concerns in getting another to throw into the fourth bay.

The design of the drive has changed a little bit since they have now moved from ST4000VN000 being the model number to ST4000VN008. The drive still runs at 5900 RPM and is physically very similar to the others.

I am using RAID5 in the CentOS-based Rockstor. It is built on BTRFS, whose RAID5/6 modes are still flagged upstream as not “production ready” (the write-hole problem after an unclean shutdown), but it has been working just fine for me. Then again, I haven’t suffered any drive failures.

I left the NAS running and installed the drive. It spun up, then I went into Rockstor and used the “Resize/ReRaid Pool” option to add the drive into the main storage pool. It added successfully and informed me that it had started a re-balance to spread the data across the new drive.

The new storage space was immediately accessible:

14.5TB is what SMB reports: the raw capacity of the four drives before the RAID5 parity is accounted for. The pool really holds around 12TB (three drives’ worth) of data. They really should fix this.

The rebalance took around two days to complete, during which the pool was slow but usable. Now, let’s wait until I run out of space again, at which point I will have to replace the entire drive set… that might be expensive! Let’s hope 8+TB drives come down in price before then!

18
Oct
2018

OPNSense 18.7: Higher CPU usage?

Just a short one – I made an observation going from OPNSense 18.1 to 18.7 that the average CPU usage has gone up slightly:

The first half of this year showed about 0.05% CPU usage on average, and after the update this has sprung up to 0.20-0.25%.

The CPU is the Intel J3455, a 10W TDP chip with a Passmark score of 2144 points. A low-power chip like this is more sensitive to changes in background usage than a desktop chip would be – however the actual CPU usage is still tiny on average and I’m not worried about it (0.25% is still a tiny, tiny amount).

Zooming in on the data, you can see why:

Every 30 minutes there is a spike (though occasionally one is missing) – these were not there before the update. Some routine task has probably been added, though looking at the update notes I have no idea what it is.

I hadn’t changed anything about the network or setup between the updates, just to be clear. The spikes are quite high, up to around 6% CPU usage. This is still negligible though, and I can’t tell when it’s happening during online games or anything like that.

If someone knows what this is about or if they are getting the same behaviour – please feel free to let me know!

17
Oct
2018

OPNSense – Installing On Intel Apollo Lake

So, I’ve had some issues getting OPNSense (or pfSense, or anything else based on FreeBSD) to install and boot properly on my shiny new router. The router is based on the Intel J3455 CPU, which uses the Apollo Lake architecture.

The Gigabyte GA-J3455N-D3H board’s BIOS is rather basic – it does not let you configure the ACPI or HPET settings that cause the trouble in FreeBSD 11. To get around this, a few loader tunables have to be set by hand:

Booting the USB:

  • Ensure the CSM is enabled and set “Other Devices” to “Legacy”
  • Boot the USB installer in UEFI mode
  • Press “3” at the boot menu (“Escape to loader prompt”)
  • Type: set hint.hpet.0.clock=0
  • Type: set hint.ahci.0.msi=2 – and repeat for hint.ahci.1.msi, hint.ahci.2.msi and hint.ahci.3.msi (the hint is for the ahci(4) SATA controller driver; the same lines go into loader.conf.local once installed)
  • Type: set machdep.disable_msix_migration=1
  • Type: boot

Install OPNSense/pfSense as normal.

Once installed:

  • When the machine reboots, repeat the loader prompt steps above
  • Login to the console
  • Select the “Shell” option
  • Type: cd /boot
  • Use vi to add the following lines to loader.conf.local (OPNsense manages /boot/loader.conf itself, so local tunables belong in this file, which the loader reads after it):
    • hint.hpet.0.clock="0"
    • hint.ahci.0.msi="2"
    • hint.ahci.1.msi="2"
    • hint.ahci.2.msi="2"
    • hint.ahci.3.msi="2"
    • machdep.disable_msix_migration="1"
  • Reboot the machine

Now, the device should boot up without hanging or intervention required. This guide is what worked for me on this particular system installing to an SSD connected via SATA – hopefully FreeBSD 12 fixes this problem.

Hope this helps – good luck!

16
Oct
2018

Configuring DNS-over-TLS with OPNSense

Privacy is becoming more and more important in the ever-developing world of the Internet. Of course, there are the ongoing issues with security on the Internet – a lot of the main workings are ancient. And the other thing we now have more and more of is targeted advertising – where companies exist solely to gather as much information about an individual as possible and present them with adverts they think will matter to them.

One mechanism that is used for this is the equally ancient DNS system – used to translate a name like “google.com” into its IP address “216.58.212.110”. Typically, DNS operates unencrypted over UDP: a request is sent in plain text and is open to being read by anyone on the path, or intercepted and replaced with something else (a “man-in-the-middle” attack).


The main problem here is that with traditional DNS (without DNSSEC, which signs the data but still leaves the query itself visible) there is no way of knowing whether the answer that comes back is from the DNS server you originally asked. The effect of leaving everything unencrypted is to allow companies (like your ISP) to log your DNS traffic (and maybe sell it to advertisers).

So we need to do two things:

  • Verify connections back from the DNS server are legit
  • Encrypt the connection

This is where DNS-over-TLS comes in! It runs DNS over a TCP connection wrapped in TLS (port 853): the TLS handshake lets the router authenticate the resolver, and the session is encrypted to prevent snooping. There is also DNS-over-HTTPS, which takes a similar approach but carries DNS inside ordinary HTTPS on port 443, so it blends in with normal web traffic.

TLS makes the DNS requests unreadable to anyone between you and the resolver. During the handshake the resolver presents a certificate, and the client checks it against the name it expects (for 1.1.1.1 that is cloudflare-dns.com) before any query is sent – this is what answers the “is this really my DNS server?” question, so a client that skips the certificate check gets encryption but not authentication. Mozilla is currently trialling built-in DNS-over-HTTPS in Firefox, however that only covers one browser on your desktop PC – you may also want to use your phone, for instance. The best way to go about this is to perform the encryption of DNS requests in the router, so every device behind it benefits.
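As an added illustration (not code from the original post), here is the exchange in Python: a DNS query framed the way DNS over TCP, and therefore over TLS, requires (a two-byte length prefix), a parser for the answer, and the TLS client side that only proceeds if the resolver’s certificate matches the expected name. The parser is exercised offline against a constructed response carrying the post’s google.com → 216.58.212.110 answer; query_over_tls() needs network access and is there to show the real thing. The authentication name cloudflare-dns.com for 1.1.1.1 is assumed from Cloudflare’s published resolver details.

```python
"""DNS-over-TLS client pieces (added example, not the post's code).

DNS over TLS is just DNS over TCP inside a TLS session on port 853, so
three things are needed: the wire-format query, the 2-byte length prefix
that TCP transport requires (RFC 1035 section 4.2.2), and a TLS client
that verifies the resolver's certificate before sending anything.
"""
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query for `name` (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its length, as TCP/TLS transport requires."""
    return struct.pack("!H", len(msg)) + msg


def read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg: bytes, expected_txid: int):
    """Return (rcode, [(name, ttl, ipv4), ...]) for the A records in `msg`.

    Matching the transaction id is the only integrity check plain DNS has;
    over TLS the certificate check in query_over_tls() is what actually ties
    the answer to the resolver you asked.
    """
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qdcount):              # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4                       # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return flags & 0x000F, answers


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def query_over_tls(name: str, resolver_ip: str = "1.1.1.1",
                   auth_name: str = "cloudflare-dns.com", port: int = 853):
    """Send one A query over TLS. Needs network; resolver/auth name assumed as in the lead-in."""
    ctx = ssl.create_default_context()  # verifies the chain and checks the hostname
    txid = 0x1234
    with socket.create_connection((resolver_ip, port), timeout=5) as raw:
        # server_hostname sets SNI and is what the certificate is checked against;
        # passing the bare IP here, or disabling verification, would leave you
        # with encryption but no proof of who answered.
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_tcp(build_query(name, txid=txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), txid)


# Constructed response for offline checking: the answer to "google.com" A as a
# resolver would return it, with the answer name compressed (0xC00C -> offset 12).
SAMPLE_RESPONSE = (
    bytes.fromhex("123481800001000100000000")             # id, flags (QR,RD,RA), counts
    + b"\x06google\x03com\x00" + struct.pack("!HH", 1, 1)  # question: google.com A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)     # answer header, TTL 300
    + bytes([216, 58, 212, 110])                           # rdata
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))  # (0, [('google.com', 300, '216.58.212.110')])
```

The point of the server_hostname argument is the one that matters for the post: it is the resolver’s name, not its IP, that the certificate is issued for, so the name is what has to be supplied and checked. Unbound does the equivalent with the authentication name you give after the address in its forward-zone.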

Fortunately, the Unbound resolver that pfSense and OPNsense ship can forward over TLS to the 1.1.1.1 service provided by Cloudflare. There are alternatives (such as Quad9 – 9.9.9.9) that can also be used – in fact you can list them as backups in case Cloudflare goes down (or use Quad9 as your primary). Either way it is recommended to configure a secondary service as a backup. Note that Unbound applies the TLS setting to every address in the forward zone, so each backup you list must itself speak DNS-over-TLS on port 853 – a fallback that only speaks plain DNS does not give you an encrypted backup, and keeping one configured outside the TLS forwarding means queries can silently go out in the clear.

I am running OPNsense – though the setup for pfSense is very similar to this. The bulk of the configuration is done in the “Custom options” box on the Services > Unbound DNS > General page:

Above is my configuration – a forward-zone for “.” with TLS forwarding enabled and one “forward-addr” line per resolver at port 853, so that the others are used if one or more are offline. Add the resolver’s authentication name after a “#” on each line and point Unbound at a CA bundle; without those the certificate is never checked and you only get the encryption half. You will want “DNS Query Forwarding” to be disabled, since that option forwards to the plain system DNS servers and would bypass this.
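A worked version of that custom-options block, added here as an example rather than the screenshot from the post, with the weak opportunistic form shown commented out next to the authenticated one. Assumptions: Unbound 1.7.3 or newer (the IP@port#name syntax), and the CA bundle at /etc/ssl/cert.pem as FreeBSD provides it with ca_root_nss installed; use /usr/local/share/certs/ca-root-nss.crt if that file is missing. Quad9’s addresses and authentication name are from its published service details.

```conf
# Unbound "Custom options" for DNS-over-TLS forwarding (added example).
server:
  # CA bundle used to validate the resolver certificates (path assumed; see lead-in).
  tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
  name: "."
  # Applies to every forward-addr below: all of them must speak TLS on 853.
  forward-tls-upstream: yes

  # Weak form: encrypts, but any certificate is accepted (no name to check).
  #forward-addr: 1.1.1.1@853

  # Authenticated form: the name after '#' is matched against the certificate.
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  # Backup: Quad9, which also offers DNS-over-TLS on 853.
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
```

Older Unbound releases spell the zone option forward-ssl-upstream; the name after the “#” is ignored by releases that predate it, which is exactly the weak form above, so check the Unbound version on the firewall before relying on it.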

And that is it! Once that is set, make sure that Unbound is restarted using the restart icon at the top of the screen. You can test it with the “Packet Capture” tool under Interfaces > Diagnostics, capturing on WAN for port 853:

You will see your public IP connecting to the DNS service using TCP over port 853! A second capture on WAN for port 53 should now show no outbound queries at all – if it does, something is still resolving in the clear.

And that’s it! Your DNS requests will now be encrypted. Safe browsing!