Topics - karaman

#1
20.7 Legacy Series / Suricata causes HA Carp VIP failover
December 23, 2020, 12:58:23 PM
I was trying to find out why I get a CARP failover every day and finally figured out that it happens right after the Suricata rules are downloaded and Suricata (Promiscuous-Mode) is restarted (the stop part of it specifically, I think). The firewalls fail over to the secondary and then not back again. This happens on the two OPNsense 20.7.7_1-amd64 cluster systems that I have installed on hardware platforms (Dell).

Suricata is in IPS Mode
#2
I get Suricata Error (1) when I try to download the current rules.
#3
Does the Suricata service have to restart or does the firewall have to be completely restarted?

I change rules and they don't work until I restart everything.
#4
We have ntopng errors since the update (OPNsense 20.1.8_1-amd64). Is there a fix? Or how do we fix it?

2020-07-07T18:09:00   ntopng: [LuaEngine.cpp:12141] WARNING: Script failure [/usr/local/share/ntopng/scripts/callbacks/system/housekeeping.lua][/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:142: attempt to index a nil value (field 'alert_type')]
2020-07-07T18:00:00   ntopng: [host.lua:8] [alert_consts.lua:207] ERROR: Missing required field 'alert_key' in /var/db/ntopng/plugins0/alert_definitions/alert_request_reply_ratio.lua
2020-07-07T18:00:00   ntopng: [system.lua:8] [alert_consts.lua:207] ERROR: Missing required field 'alert_key' in /var/db/ntopng/plugins0/alert_definitions/alert_slow_purge.lua
2020-07-07T17:56:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:56:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:56:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:56:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:45:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:45:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:45:00   ntopng: [host.lua:8] [alert_consts.lua:207] ERROR: Missing required field 'alert_key' in /var/db/ntopng/plugins0/alert_definitions/alert_user_activity.lua
2020-07-07T17:45:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:45:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:45:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:45:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/host.lua] [/usr/local/share/ntopng/scripts/lua/modules/alerts_api.lua:321: attempt to index a nil value (field 'alert_type')]
2020-07-07T17:12:00   ntopng: [minute.lua:11] [alert_consts.lua:207] ERROR: Missing required field 'alert_key' in /var/db/ntopng/plugins0/alert_definitions/alert_host_pool_disconnection.lua
2020-07-07T17:12:00   ntopng: [minute.lua:11] [alert_consts.lua:207] ERROR: Missing required field 'alert_key' in /var/db/ntopng/plugins0/alert_definitions/alert_quota_exceeded.lua
2020-07-07T17:11:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/flow.lua] [.../local/share/ntopng/scripts/callbacks/interface/flow.lua:444: attempt to index a nil value (local 'flow_status_type')]
2020-07-07T17:11:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/flow.lua] [.../local/share/ntopng/scripts/callbacks/interface/flow.lua:444: attempt to index a nil value (local 'flow_status_type')]
2020-07-07T17:11:00   ntopng: [AlertCheckLuaEngine.cpp:167] WARNING: Script failure[/usr/local/share/ntopng/scripts/callbacks/interface/flow.lua] [.../local/share/ntopng/scripts/callbacks/interface/flow.lua:444: attempt to index a nil value (local 'flow_status_type')]
#5
How do I have to set up the NAT for Nginx on the OPNsense? Does the port forwarding (RDR) have to point at the firewall itself?

Or how is this to be set up correctly?
#6
Hi,

We have the problem that CARP sporadically switches to the backup OPNsense for certain addresses,
and the gateway is shown as offline. When I restart the dpinger service for this gateway, it comes online on the backup.

Interfaces are set the same on both systems and are also plugged in the same way.

Suricata is on, IPS mode is enabled and also the promiscuous mode. Hardware CRC, Hardware TSO, Hardware LRO and VLAN Hardware Filtering are disabled. ARP handling: "ARP messages" are not suppressed.

On OPNsense1-1, synchronization is set up to OPNsense1-2; preempt is disabled.
On OPNsense1-2, state synchronization is checked and the IP address of OPNsense1-1 on the sync network is entered; preempt is enabled.

OPNsense1-1 and OPNsense1-2 are directly connected with a patch cable on igb0

In the attachment you can find the system logs and screenshots. Unfortunately I have not been able to find the source of the error.

OPNsense1-1 (Master):

Versions   OPNsense 20.1.6-amd64
FreeBSD 11.2-RELEASE-p19-HBSD
OpenSSL 1.1.1g 21 Apr 2020
CPU type   Intel(R) Xeon(R) Silver 4114 CPU @ 2.20GHz (20 cores)

and

OPNsense1-1 (Backup):

Versions   OPNsense 20.1.6-amd64
FreeBSD 11.2-RELEASE-p19-HBSD
OpenSSL 1.1.1g 21 Apr 2020
CPU type   Intel(R) Xeon(R) Silver 4114 CPU @ 2.20GHz (20 cores)

On each OPNsense the following interfaces:

1N interface (opt7, igb1)
DMZ interface (opt2, ix0_vlan8)
Demo interface (opt3, ix0_vlan9)
LAN interface (lan, ix0)
SQL interface (opt8, ix0_vlan17)
SYNC interface (opt1, igb0)
TCOMPCO1 interface (opt5, ix3)
TCOMPCO2 interface (opt6, igb3)
UNITY interface (wan, igb2)
VMNetz interface (opt4, ix0_vlan128)

Carp:

OPNsense1-1:

192.168.8.251/24 (vhid 1 , freq. 1 / 0)   DMZ   CARP   DMZ
10.255.255.251/9 (vhid 2 , freq. 1 / 0)   VMNetz   CARP   VMNetz      
172.20.8.251/24 (vhid 3 , freq. 1 / 0)   Demo   CARP   Sandbox      
192.168.7.251/24 (vhid 4 , freq. 1 / 0)   LAN   CARP   LAN      
37.24.96.70/29 (vhid 5 , freq. 1 / 0)   UNITY   CARP   UNITY      
37.24.96.69/29 (vhid 6 , freq. 1 / 0)   UNITY   CARP   UNITY      
194.25.93.139/29 (vhid 7 , freq. 1 / 0)   TCOMPCO1   CARP   TCOMPCO      
194.25.44.171/29 (vhid 8 , freq. 1 / 0)   TCOMPCO2   CARP   TCOMPCO2      
194.25.44.172/29 (vhid 9 , freq. 1 / 0)   TCOMPCO2   CARP   TCOMPCO2      
172.16.1.254/24 (vhid 10 , freq. 1 / 0)   LAN   CARP   HV      
37.24.96.68/29 (vhid 11 , freq. 1 / 0)   UNITY   CARP   UNITY      
194.25.93.138/29 (vhid 12 , freq. 1 / 0)   TCOMPCO1   CARP   TCOMPCO      
194.25.93.141/29 (vhid 13 , freq. 1 / 0)   TCOMPCO1   CARP   TCOMPCO      
192.168.1.251/24 (vhid 14 , freq. 1 / 0)   LAN   CARP   WSUS      
192.168.0.251/24 (vhid 15 , freq. 1 / 0)   LAN   CARP   Mgmt      
185.239.82.15/31 (vhid 16 , freq. 1 / 0)   1N   CARP   1N      
192.168.2.254/24 (vhid 17 , freq. 1 / 0)   LAN   CARP   asvdc.de      
172.17.1.254/24 (vhid 18 , freq. 1 / 0)   SQL   CARP   SQL      

OPNsense1-2:

192.168.8.251/24 (vhid 1 , freq. 1 / 100)   DMZ   CARP   DMZ
10.255.255.251/9 (vhid 2 , freq. 1 / 100)   VMNetz   CARP   VMNetz      
172.20.8.251/24 (vhid 3 , freq. 1 / 100)   Demo   CARP   Sandbox      
192.168.7.251/24 (vhid 4 , freq. 1 / 100)   LAN   CARP   LAN      
37.24.96.70/29 (vhid 5 , freq. 1 / 100)   UNITY   CARP   UNITY      
37.24.96.69/29 (vhid 6 , freq. 1 / 100)   UNITY   CARP   UNITY      
194.25.93.139/29 (vhid 7 , freq. 1 / 100)   TCOMPCO1   CARP   TCOMPCO      
194.25.44.171/29 (vhid 8 , freq. 1 / 100)   TCOMPCO2   CARP   TCOMPCO2      
194.25.44.172/29 (vhid 9 , freq. 1 / 100)   TCOMPCO2   CARP   TCOMPCO2      
172.16.1.254/24 (vhid 10 , freq. 1 / 100)   LAN   CARP   HV      
37.24.96.68/29 (vhid 11 , freq. 1 / 100)   UNITY   CARP   UNITY      
194.25.93.138/29 (vhid 12 , freq. 1 / 100)   TCOMPCO1   CARP   TCOMPCO      
194.25.93.141/29 (vhid 13 , freq. 1 / 100)   TCOMPCO1   CARP   TCOMPCO      
192.168.1.251/24 (vhid 14 , freq. 1 / 100)   LAN   CARP   WSUS      
192.168.0.251/24 (vhid 15 , freq. 1 / 100)   LAN   CARP   Mgmt      
185.239.82.15/31 (vhid 16 , freq. 1 / 100)   1N   CARP   1N      
192.168.2.254/24 (vhid 17 , freq. 1 / 100)   LAN   CARP   asvdc.de      
172.17.1.254/24 (vhid 18 , freq. 1 / 100)   SQL   CARP   SQL
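One thing worth checking with a CARP table like the one above is that both nodes agree on every VIP: the same vhid maps to the same address and interface on both boxes, the advertisement base is identical, and the backup's advskew is strictly higher than the master's (otherwise the node that is supposed to be backup can win an election and flap). The script below is an added example written for this post, not part of the original thread or of OPNsense; it parses the GUI's VIP listing format shown above (a constructed subset of the two tables is embedded) and reports every disagreement it finds.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the two CARP VIP tables quoted in the
# post (OPNsense1-1 advertises with skew 0, OPNsense1-2 with skew 100).
MASTER_TABLE = """\
192.168.8.251/24 (vhid 1 , freq. 1 / 0)   DMZ   CARP   DMZ
192.168.7.251/24 (vhid 4 , freq. 1 / 0)   LAN   CARP   LAN
37.24.96.70/29 (vhid 5 , freq. 1 / 0)   UNITY   CARP   UNITY
172.17.1.254/24 (vhid 18 , freq. 1 / 0)   SQL   CARP   SQL
"""

BACKUP_TABLE = """\
192.168.8.251/24 (vhid 1 , freq. 1 / 100)   DMZ   CARP   DMZ
192.168.7.251/24 (vhid 4 , freq. 1 / 100)   LAN   CARP   LAN
37.24.96.70/29 (vhid 5 , freq. 1 / 100)   UNITY   CARP   UNITY
172.17.1.254/24 (vhid 18 , freq. 1 / 100)   SQL   CARP   SQL
"""

# One row of the GUI listing: "<vip> (vhid N , freq. base / skew)  iface  CARP  description"
LINE_RE = re.compile(
    r"^(?P<vip>\S+)\s+\(vhid\s+(?P<vhid>\d+)\s*,\s*freq\.\s+(?P<base>\d+)\s*/\s*(?P<skew>\d+)\)"
    r"\s+(?P<iface>\S+)\s+CARP\s+(?P<desc>.*?)\s*$"
)


@dataclass(frozen=True)
class CarpVip:
    vip: str
    vhid: int
    base: int   # advbase, seconds between advertisements
    skew: int   # advskew, added delay; lowest wins the election
    iface: str
    desc: str


def parse_carp_table(text):
    """Parse one node's VIP listing into a dict keyed by vhid."""
    vips = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable CARP line: {line!r}")
        entry = CarpVip(m["vip"], int(m["vhid"]), int(m["base"]),
                        int(m["skew"]), m["iface"], m["desc"])
        if entry.vhid in vips:
            # Two VIPs sharing a vhid on one node is a configuration error in itself.
            raise ValueError(f"duplicate vhid {entry.vhid} on one node")
        vips[entry.vhid] = entry
    return vips


def compare_nodes(master, backup):
    """Return a list of findings; an empty list means both tables are consistent."""
    findings = []
    for vhid in sorted(set(master) | set(backup)):
        m, b = master.get(vhid), backup.get(vhid)
        if m is None or b is None:
            side = "backup" if m is None else "master"
            findings.append(f"vhid {vhid}: present only on {side}")
            continue
        if (m.vip, m.iface) != (b.vip, b.iface):
            findings.append(f"vhid {vhid}: VIP/interface differ "
                            f"({m.vip} on {m.iface} vs {b.vip} on {b.iface})")
        if m.base != b.base:
            findings.append(f"vhid {vhid}: advbase differs ({m.base} vs {b.base})")
        if not m.skew < b.skew:
            findings.append(f"vhid {vhid}: backup advskew {b.skew} is not higher "
                            f"than master advskew {m.skew}")
    return findings


if __name__ == "__main__":
    problems = compare_nodes(parse_carp_table(MASTER_TABLE), parse_carp_table(BACKUP_TABLE))
    print("\n".join(problems) if problems else "CARP tables are consistent")
```

Paste each node's full table into the two strings (or read them from files) to run it against a real pair; the skew rule is the standard CARP election rule, and the advbase comparison catches a node that was cloned with a different advertisement frequency.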

#7
We have two OPNsense 20.1.6 in HA. XMLRPC sync works if I force it with the "Synchronize config to backup" button, but not automatically when I change firewall rules or something else.

Is it no longer supported, or why could this be?
#8
20.1 Legacy Series / Extremely Slow Web GUI and no SSH
February 19, 2020, 08:38:06 AM
Hi,

We upgraded one of our OPNsense systems to 20.1. Now we can't log in with SSH, and the web GUI is extremely slow on some pages. I can open System > Firmware without problems, but pages like Firewall or Configuration I can't reach.
Has anybody an idea, or a solution?
#9
19.1 Legacy Series / NAT Reflection
February 11, 2019, 09:12:24 AM
We have problems with NAT reflection if we set the gateway in the firewall rules to a gateway group.

If we set the rule to the default gateway, which is "Tier 1" in the gateway group, it is working.

How to do NAT reflection right with a gateway group?
#10
Hi,

I can't upgrade OPNsense from 18.7.10 to 19.1.
I tried multiple times; OPNsense shows in the web GUI that the firewall is upgraded and reboots, but the firmware is the same (18.7.10).

#11
Hi,

OPNsense 18.7.8-amd64
FreeBSD 11.1-RELEASE-p15
OpenSSL 1.0.2q 20 Nov 2018
strongswan 5.7.1

When connecting a VPN, the following message appears:

Dec 3 13:48:08
charon: 09[CFG] <con1|52> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Dec 3 13:48:08
charon: 09[CFG] <con1|52> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ


Config:

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = 37.xx.xx.xx
  right = 78.xx.xx.xx
  leftid = 37.xx.xx.xx
  ikelifetime = 108000s
  lifetime = 28800s
  ike = aes256-sha256-modp2048,aes256-sha1-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = 78.xx.xx.xx
  rightsubnet = 10.xx.xx.0/24
  leftsubnet = 192.xx.xx.0/24
  esp = aes256-sha1-modp1024,aes256-sha256-modp1024!
  auto = add


However, in phase 2 of the VPN connection the PFS group was set to "Group 14" via the OPNsense web interface, but the configuration file always keeps "esp = aes256-sha1-modp1024,aes256-sha256-modp1024!".

Any Solution?
#12
Hello everyone,

OPNsense 18.7.8-amd64
FreeBSD 11.1-RELEASE-p15
OpenSSL 1.0.2q 20 Nov 2018
strongswan 5.7.1


When connecting a VPN, the following message appears:

Dec 3 13:48:08
charon: 09[CFG] <con1|52> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Dec 3 13:48:08
charon: 09[CFG] <con1|52> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ

The configuration looks as follows:

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = 37.xx.xx.xx
  right = 78.xx.xx.xx
  leftid = 37.xx.xx.xx
  ikelifetime = 108000s
  lifetime = 28800s
  ike = aes256-sha256-modp2048,aes256-sha1-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = 78.xx.xx.xx
  rightsubnet = 10.xx.xx.0/24
  leftsubnet = 192.xx.xx.0/24
  esp = aes256-sha1-modp1024,aes256-sha256-modp1024!
  auto = add

However, in phase 2 of the VPN connection the PFS group was set to "Group 14" via the OPNsense web interface. Nevertheless, "esp = aes256-sha1-modp1024,aes256-sha256-modp1024!" is what ends up in the configuration file.

Is there a solution for this?
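The two charon lines quoted in posts #11 and #12 already contain the diagnosis: every "configured" ESP proposal carries MODP_1024 while every "received" one carries MODP_2048 (DH group 14), so the proposal sets have no element in common and phase 2 cannot succeed until the local esp line agrees with the peer. The script below is an added example for these two posts, not code from the poster or from OPNsense/strongSwan; it parses the charon proposal log lines (embedded as constructed sample input, copied from the post), converts an ipsec.conf-style esp string into the same notation, and reports which proposals both sides share. The keyword table is an assumption based on strongSwan's standard algorithm names and covers only the common AES-CBC/HMAC/MODP keywords.

```python
import re

# Constructed sample input: the two charon lines quoted in the post.
LOG_LINES = [
    "charon: 09[CFG] <con1|52> configured proposals: "
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ",
    "charon: 09[CFG] <con1|52> received proposals: "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, "
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ",
]

# ipsec.conf keyword -> name charon prints in its log. Assumed mapping based on
# strongSwan's standard naming; extend it if your proposals use other algorithms.
KEYWORDS = {
    "aes128": "AES_CBC_128", "aes192": "AES_CBC_192", "aes256": "AES_CBC_256",
    "sha1": "HMAC_SHA1_96", "sha256": "HMAC_SHA2_256_128",
    "sha384": "HMAC_SHA2_384_192", "sha512": "HMAC_SHA2_512_256",
    "modp1024": "MODP_1024", "modp1536": "MODP_1536",
    "modp2048": "MODP_2048", "modp3072": "MODP_3072", "modp4096": "MODP_4096",
}

PROPOSAL_RE = re.compile(r"(?P<kind>configured|received) proposals:\s*(?P<list>.*)$")


def parse_log_proposals(line):
    """Return ('configured'|'received', [(proto, (alg, alg, ...)), ...]) for one charon line."""
    m = PROPOSAL_RE.search(line)
    if m is None:
        raise ValueError(f"no proposal list in line: {line!r}")
    proposals = []
    for item in m["list"].split(","):
        proto, _, algs = item.strip().partition(":")
        # The ESN flag is negotiated separately; drop it so proposals compare on algorithms only.
        parts = tuple(a for a in algs.split("/") if a not in ("NO_EXT_SEQ", "EXT_SEQ"))
        proposals.append((proto, parts))
    return m["kind"], proposals


def config_to_proposals(esp):
    """Translate an ipsec.conf esp= string such as 'aes256-sha1-modp1024,...!' into log notation."""
    out = []
    for prop in esp.rstrip("!").split(","):
        try:
            algs = tuple(KEYWORDS[tok] for tok in prop.strip().split("-"))
        except KeyError as e:
            raise ValueError(f"unknown proposal keyword {e.args[0]!r}") from None
        out.append(("ESP", algs))
    return out


def common_proposals(configured, received):
    """Proposals present on both sides, in the configured side's order of preference."""
    received_set = set(received)
    return [p for p in configured if p in received_set]


def diagnose(log_lines):
    """Given a configured and a received line, return the proposals both sides accept."""
    sides = dict(parse_log_proposals(line) for line in log_lines)
    return common_proposals(sides["configured"], sides["received"])


if __name__ == "__main__":
    shared = diagnose(LOG_LINES)
    print("shared proposals:", shared or "none (phase 2 cannot be established)")
    fixed = config_to_proposals("aes256-sha1-modp2048,aes256-sha256-modp2048!")
    _, received = parse_log_proposals(LOG_LINES[1])
    print("with modp2048 on the local side:", common_proposals(fixed, received))
```

Run against the lines above it reports no shared proposal, and with the local esp string rewritten to modp2048 both proposals match the peer; the same function can be pointed at any pair of "configured/received proposals" lines pulled from the IPsec log.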