Problem with configuring the Netgate 1100
-
@netgate1100guy Not the VPN, the Squid package. eMMC storage has a more limited write life so Netgate recommends using an SSD for Squid, Snort, and Suricata. We don't use Squid so I don't have much advice on limiting disk writes. Is there a way to disable caching?
On other packages we haven't had problems but generally don't have a high level of logging, and we use a RAM disk for temp storage as our clients have a 2100 model or higher, with 4 GB RAM.
-
Yup, Snort/Suricata can generate a lot of logging so if you're running them from eMMC you will want to limit that severly to prevent excess ware. The 1GB RAM in the 1100 is also a significant issue for either. It can run there but you need to select he ruleset carefully to avoid exhausting it.
However I'm not sure any of those things will help with your situation.
What exactly are you seeing? You have a hacker inside your network using a VPN to connect out?Some external VPN is connecting to your client machine?
Why do you think a VPN is in use here at all?
Steve
-
Duh, I apparently misread all of OP's message. Still in vacation mode I guess.
@Netgate1100guy
I am way more confused now.Snort AND Suricata? That seems...absurd. They do the same thing.
Outside hackers can't "get into" your computer over the Internet unless you've allowed the inbound connection and/or have weak passwords. It's far easier to get a victim to run a program, connect to a web page, etc. and infect themselves.
If unexpected changes are being made to network settings on your PC (??) it sounds more like they have already gotten into your PC, thus trying to block external connections is kind of irrelevant.
-
@stephenw10 Okay.
I believe the hacker could be inside and wonder if there are tools/packages on pfsense
that can detect this. Yes, a hacker is using VPN to attack me.
VPN is encrypted and you can seem to be anywhere in the world which could
maybe confuse user of firewall or firewall itself.Not sure what to do.
-
At a basic level what are you seeing that makes you think you are seeing attacks?
When I say an attacker inside your network what I mean is if you are running, for example, a public wifi network and an attack is coming from that subnet inside the firewall.
Steve
-
Hi, I wonder why I dont see the Squid certificate in the padlock icon by clicking on it on websites in web browser. If you dont see it, then it can mean it doesnt work.
-
You would only see that if you implemented a 'full bump' MITM style Squid install where it's intercepting all traffic.
-
@stephenw10 you mean "splice whitelist, bump otherwise"?
I also wonder why I dont see the IPv4 address from my netgate router in system settings on computer.
-
@netgate1100guy I can see IPv4 adress now, fixed it. Still wonder about the padlock icon and Squid in webbrowser.
-
@netgate1100guy And wonder how to fix "ICAP protocol error" when I try to visit websites
-
You should see the Netgate LAN IP as the gateway on a client behind it. Assuming you're using DHCP.
-
@stephenw10 Now I get the error message "ERR_CONNECTION_TIMED_OUT" when try to view the default admin site with 192.168.1.1 IP adress, how do I fix this?
Am running Squid with MITM mode..
-
Undo whatever you last did?
If you have console access you can roll back the config there.
I would disable Squid though.
-
@stephenw10 Hi thanks, got Squid enabled but have it on just "splice all" with HTTP proxy active, works much better. I wonder about something:
If a hacker somehow blocks downloads from the internet (happens often) and there is a hacker (numerous unknown IP addresses), does that mean the hacker is inside my local network?
Can a hacker block and interfere with downloads by hitting the internet modem/central or maybe even WAN port on Netgate 1100, but without getting inside and into my computer? -
@netgate1100guy said in Problem with configuring the Netgate 1100:
If a hacker somehow blocks downloads from the internet (happens often) and there is a hacker (numerous unknown IP addresses)
What exactly are you seeing that makes you think this is happening?
It's far more likely to be a compromise on your local client if it really is malicious activity.
However simply being unable to download is probably a config issue.
Either way Squid won't help you at all here. And on an 1100 could well be causing more problems.
Steve
-
-