For my link archive: [WayBack] Forced routing of selective emails to ISP SMTP via Mikrotik Routing | Syed Jahanzaib Personal Blog to Share Knowledge !
–jeroen
Posted by jpluimers on 2021/01/14
For my link archive: [WayBack] Forced routing of selective emails to ISP SMTP via Mikrotik Routing | Syed Jahanzaib Personal Blog to Share Knowledge !
–jeroen
Posted in Development, MikroTik, Power User, RouterOS, Routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2020/11/04
Multi-WAN routing always involves marking incoming connections to the replies go out on the same connection: [WayBack] Mikrotik Remote Access via Multiple WAN Links | Syed Jahanzaib Personal Blog to Share Knowledge !
# Mirkotik IP Firewall Mangle Section
/ ip firewall mangle
# Mark traffic coming via WAN-1 link
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_incoming_conn
# Mark traffic coming via WAN-2 link
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_incoming_conn
# Mark traffic routing mark for above marked connection for WAN-1 , so that mikrotik will return traffic via same interface it came in
add chain=output connection-mark=WAN1_incoming_conn action=mark-routing new-routing-mark=to_WAN1
# Mark traffic routing mark for above marked connection for WAN-2, so that mikrotik will return traffic via same interface it came in
add chain=output connection-mark=WAN2_incoming_conn action=mark-routing new-routing-mark=to_WAN2
# Finally Add appropriate routes in ROUTE section
/ ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.2 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=to_WAN2 check-gateway=ping
Related:
–jeroen
Posted in Development, Internet, MikroTik, Power User, RouterOS, Routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2020/09/28
Saving an initial configuration without changing anything gives these errors:
If you are OK with self-signed certificates, then the first is solved by using this as the Server certificate
:
The second needs an additional step: you have to select or create a certificate authority first at hostname/system_camanager.php?act=new where hostname
is the hostname or IP address of your pfSense configuration.
This order is actually explained in [WayBack] OpenVPN – The Open Source VPN: HOWTO and [WayBack] OpenVPN Configuration (pfSense) – ELITS, but I like stronger security.
For the Internal Certificate Authority (CA), use at least these settings:
2048
bits, but I prefer 3072
bits (to be safe after about 2030) as per
sha256
, but I prefer sha512
as it will be safe for a longer period of time.3650
(10 years); can you keep your VM safe for that long? If longer, you can increase the lifetime, but also have to ensure you take large enough values for the Key length
and Digest Algorithm
.You can view the possible settings in [WayBack] pfsense/system_camanager.php at master · pfsense/pfsense · GitHub.
Use a TLS Key
TLS Key
TLS Key Usage Mode
Peer Certificate Authority
Peer Certificate Revocation list
Use a TLS Key
Use a TLS Key
ECDH Curve
Hardware Crypto
RDRAND
instruction is available, this choice allows to use it. I think OpenVPN (via OpenSSL) on BSD uses this in a similar way as Linux: i.e. not as the only source for randomness. See [WayBack] Torvalds shoots down call to yank ‘backdoored’ Intel RdRand in Linux crypto • The Register/usr/bin/openssl engine -t -c
command:DH Parameter Length
This means they can potentially be re-used as an attack-vector, so you need to manually re-generate them as per [WayBack] DH Parameters – pfSense Documentation by using /usr/bin/openssl dhparam
In order to speed that up, you have to either manually add a lot of entropy, or ensure your VM uses the host entropy by installing the open-vm-tools
and rebooting.
This can take quite some time as it depends on /dev/random
as a pure random number source, which will wait if there is not enough initial entropy available yet (see [WayBack] prng – differences between random and urandom – Stack Overflow).
In order to speed that up, you have to either manually add a lot of entropy, or ensure your VM uses the host entropy by installing the open-vm-tools
and rebooting.
On a single-coreIntel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz, the timings of these
/usr/bin/openssl dhparam -out /etc/dh-parameters.1024 1024
/usr/bin/openssl dhparam -out /etc/dh-parameters.2048 2048
/usr/bin/openssl dhparam -out /etc/dh-parameters.4096 4096
using the [WayBack] FreeBSD Manual Pages: time command are (each measured twice):
4096
Encryption Algorithm
AES
.AES-256-GCM
(256 bit key, 128 bit block)
AES-128-GCM
.Enable NCP
(Negotiable Cryptographic Parameters)
NCP Algorithms
AES-256-GCM
AES-192-GCM
AES-128-GCM
Auth digest algorithm
SHA512
(which I use) or SHA256
is fine. Do not use SHA1
unless you need backward compatibility with pre 2.4 OpenVPN installations or pre-configured clients. See [WayBack] How safe to change default SHA1 to other encryption algorithm?Certificate depth
All networks are in CIDR notation, like 192.168.3.0/24
.
IPv4 Tunnel network
172.x.y.0
networks as they are far less used than 192.168.x.0
and 10.x.y.0
networks. Note that some networks starting with 172
are in public use, so limit yourself to 172.16.0.0 – 172.31.255.255
.IPv6 Tunnel network
IPv4 Local networks
IPv4 Remote networks
IPv4 Remote networks
Concurrent connections
Compression
compression lz4
or compression lz4-v2
in the future.Push compression
Type-of-Service
Inter-client communication
Duplicate Connection
Dynamic IP
Topology
: choose subnet
(use net30
only for old 2.0.9 client compatibility on Windows; use p2p
if you only have non-Windows clients)Advanced client options
Custom options
UDP Fast I/O
Send/Receive Buffer
Gateway creation
Both
Verbosity level
Even if the underlying Intel/AMD processor supports AES, it is not enabled by default in pfSense as per web UI home page:
Intel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz
AES-NI CPU Crypto: Yes (inactive)
I was quite surprised, but then remembered that enabling RDRAND
in the OpenVPN settings was also non-default and dug a bit deeper into ….
There I found you have to go to the System
menu, choose Advanced
, then the Miscellaneous
tab:
From there, browse down (or search for Hardware
) to “Cryptographic & Thermal Hardware”, then enable the CPU based accelleration:
After pressing the Save
button at the bottom, you are done:
AES-NI CPU Crypto: Yes (active)
I got this via [WayBack] AES-IN Inactive?, which also mentions this:
- AES-NI loads aesni.ko
- BSD Crypto loads cryptodev.ko
- AES-NI and BSD Crypto loads both
Note that AES – as of FreeBSD-10 – AES-NI and other hardware implementations are only indirectly incorporated into /dev/random
. The Linux kernel already did this in an indirect way. I think that is a good idea as when multiple entropy sources are merged together, it makes it much harder to influence to total entropy. FreeBSD implemented this using the Yarrow algorithm – Wikipedia and now has moved to a successor, the Fortuna (PRNG) – Wikipedia.
More background information:
Note there is a message about ACE support on the console and in the boot log that is related to AES:
padlock0: No ACE support.
aesni0: <AES-CBC, AES-XTS, AES-GCM, AES-ICM> on motherboard
The cause is that in the past, VIA PadLock Advanced Cryptography Engine (ACE) in the mid 2000s introduced encryption acceleration (see [WayBack] VIA PadLock support for Linux) a few years before AES-NI, so ACE is incompatible with AES-NI. AES-NI is now much more widespread than ACE, even the wikipedia VIA page padlock information has been removed.
An odd thing: unlike AES-NI which needs to be specifically enabled, VIA Padlock is always enabled, see
Ensure you install the (optional, but highly recommended) [WayBack] OpenVPN Client Export Package:
Allows a pre-configured OpenVPN Windows Client or Mac OS X’s Viscosity configuration bundle to be exported directly from pfSense.
These config files work with Tunnelblick as well, which is a great free and open source OpenVPN tool on Mac OS X / MacOS:
I have yet to cover these two; for now read [WayBack] How to setup OpenVPN on pFSense? | IT Blog and [WayBack] OpenVPN Remote Access Server – pfSense Documentation.
I like this overview a lot:
–jeroen
Posted in Internet, pfSense, Routers | Leave a Comment »
Posted by jpluimers on 2020/09/25
If during a pfSense reboot you get one or more messages from syslog
about “operation not supported by device” on various log files, then they are likely corrupt.
I had this when a pfSense 2.4.x RELEASE version VM was accidentally power-cycled during initial setup.
A side effect was that no logs showed in the web UI either, nor would clog
on any file in the /var/log
directory.
The solution was to choose option 8
(Shell), then in the /var/log
directory, remove all files with extension .log
, then reboot.
Now the messages were gone and the web UI showed logs. clog /var/log/system.log
showed content as well.
Solution based on these posts:
–jeroen
Posted in Internet, pfSense, Power User, Routers | Leave a Comment »
Posted by jpluimers on 2020/08/24
Interesting devices running OpenWrt:
–jeroen
Posted in Internet, Power User, Routers | Leave a Comment »