OPNsense Forum

English Forums => General Discussion => Topic started by: opnsenseuser8473 on June 26, 2025, 10:56:01 PM

Title: I'm at my wits end
Post by: opnsenseuser8473 on June 26, 2025, 10:56:01 PM
So I'm new to OPNsense. I set up my system and it works fine for a few days. Until it doesn't. Every time I connect it to my modem, it freezes completely; only when I hit the power button to shut down does it work again. Until I plug it back into the modem. I check the logs and all there is are random queries from python311. Which is weird. The only way to fix it for me is a fresh install. Which works for upwards of 48 hours.
Title: Re: I'm at my wits end
Post by: someone on June 26, 2025, 11:09:53 PM
If you're in IPS mode, did you set it to Hyperscan (should be)? Just a thought.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on June 26, 2025, 11:37:50 PM
Quote from: someone on June 26, 2025, 11:09:53 PM
If you're in IPS mode, did you set it to Hyperscan (should be)? Just a thought.
Yes I did, I've always had it like that since day 1. And all my hardware is more than required, a lot more than needed for bare metal.
Title: Re: I'm at my wits end
Post by: cookiemonster on June 27, 2025, 05:24:00 PM
Thoughts for starters: unsupported NICs (Realtek) without the vendor driver causing hardware disconnections, IPS enabled on unsuitable hardware.
Notice we can't correctly guess your setup.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 05, 2025, 01:31:25 AM
Quote from: cookiemonster on June 27, 2025, 05:24:00 PM
Thoughts for starters: unsupported NICs (Realtek) without the vendor driver causing hardware disconnections, IPS enabled on unsuitable hardware.
Notice we can't correctly guess your setup.
Nope, it turned out I was being buffer overflowed. I did a host name check and some kids were using Google and AWS VMs. And there was a bot called buffoverflow.run pinging my network. One kid left his IP in my network, or an IP if he used a public IP.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 05, 2025, 01:32:52 AM
Quote from: cookiemonster on June 27, 2025, 05:24:00 PMthoughts for starters: unsupported NICs (realtek) without the vendor driver causing hardware disconnections, IPS enabled on unsuitable hardware.
Notice we can't guess correctly your setup.
They are all Intel NICs, I225. I did my research on which NICs beforehand.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 05, 2025, 01:46:04 AM
Quote from: opnsenseuser8473 on July 05, 2025, 01:32:52 AM
They are all Intel NICs, I225. I did my research on which NICs beforehand.

Still at my wits' end because I put a general inbound connection block and they still managed to negotiate past that. CrowdSec had to stop them from port scanning, but I look away for an hour and the system is overrun and bloated with bot IPs trying to swap the system in an attempt to distract from the real people. This IP was a Verizon FiOS user; there were more, but my system is frozen, so. All I know is ports 22 and 23 were the target.
Title: Re: I'm at my wits end
Post by: patient0 on July 05, 2025, 05:47:41 AM
As cookiemonster already mentioned: please provide more details of your setup. There are no open ports on the WAN interface by default, so no attack vector there.

Have you opened ports on WAN? Is the ISP modem also a router, or does OPNsense get a public IP?

Generally, if you log the connection attempts on WAN you will see lots of them. But they are only attempts, and there is nothing you can do about that.
Title: Re: I'm at my wits end
Post by: cookiemonster on July 05, 2025, 02:28:16 PM
To underline what patient0 says: blocking unrequested connections from the outside is the job of the firewall, and the default settings do that.
Please provide the setup for context of what might be happening so we can help.
Only other thought on this is to check whether you have syncookies active (not enabled by default).
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 06, 2025, 11:14:06 AM
Quote from: patient0 on July 05, 2025, 05:47:41 AM
As cookiemonster already mentioned: please provide more details of your setup. There are no open ports on the WAN interface by default, so no attack vector there.

Have you opened ports on WAN? Is the ISP modem also a router, or does OPNsense get a public IP?

Generally, if you log the connection attempts on WAN you will see lots of them. But they are only attempts, and there is nothing you can do about that.
i7 12900, 16 GB RAM, NIC I225, and I know, that's what's concerning. I have no idea how they are managing this.
And nothing unusual and nothing for incoming. Yet I'm being port scanned, then flooded.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 06, 2025, 11:38:30 AM
The syncookies setting is always on. But I'm still being port scanned, then flooded. After I wait out the attack or reinstall, I usually have to add an extra block rule with the bots'/attackers' host names and IPs. That usually keeps it at bay for a few days, until I see a new bot host name and I fail to respond in time.
Title: Re: I'm at my wits end
Post by: patient0 on July 06, 2025, 12:11:01 PM
You're not really giving any useful information to help you.

Have you some IDS/IPS running on WAN and no open WAN ports? If yes, you can stop the IDS/IPS, at least on WAN.

Quote
After I wait out the attack or reinstall, I usually have to add an extra block rule,
What does an attack look like? What does flooding mean for you, how many connection attempts (which will not get past the TCP SYN)? And why would a reinstall solve anything? What rules do you have on WAN?
Title: Re: I'm at my wits end
Post by: meyergru on July 06, 2025, 12:18:30 PM
You do not tell, but how can you be port scanned (which is normal), but then "flooded" if no ports are open? I must assume you have opened ports like 22 and 23, either willingly or by accident.

There are several lines of defense against that:

1. Check if those ports are open and if you deliberately opened them.
2. If you need SSH access from outside, make sure the machine behind it is configured securely and is up to date.
3. If you opened Telnet, you should decommission all of your internet-bound devices immediately.
4. Consider changing the ports to non-standard port numbers, which will reduce the attacks by two orders of magnitude.
5. Use either a whitelist or a blacklist of countries or ASNs you expect valid connections to originate from and change your firewall rules to make use of those.
6. Use CrowdSec and/or DNSBL blacklists like FireHOL for known attackers.
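Step 1 above ("check if those ports are open") is best answered from outside your own network, because from the LAN side the firewall is not in the path. The following script is an added example for this thread, not code from the forum or from OPNsense: it does a plain TCP connect to each port and classifies the answer the way a scanner would. The port list (22, 23, 80, 443) is the set discussed in the thread; the target address and timeout are arguments you supply. Run it from a host outside your network (a phone hotspot will do) against your public WAN address.

```python
"""Added example (not OPNsense code): classify TCP ports as open/closed/filtered."""
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# Ports the thread names as targets (22, 23) plus the usual web ports.
DEFAULT_PORTS: List[int] = [22, 23, 80, 443]


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return "open", "closed" or "filtered" for one TCP port.

    open:     connect() completed (SYN -> SYN/ACK -> ACK): a service listens
              and the firewall let the SYN through.
    closed:   the peer answered with RST (ConnectionRefusedError): the packet
              reached a host, but nothing listens on that port.
    filtered: nothing came back before the timeout, or the route failed.
              This is what a pf block (drop) on WAN looks like and is the
              expected result for every port on a default OPNsense install.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # EHOSTUNREACH, ENETUNREACH and friends: no answer from the target either
        return "filtered"
    finally:
        sock.close()


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe several ports and return {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Ports an attacker can actually talk to (state "open")."""
    return sorted(port for port, state in results.items() if state == "open")


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on a free loopback port (self-test helper)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port() -> int:
    """Pick a loopback port that nothing listens on (self-test helper)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # usage: python probe.py <wan-ip> [port ...]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or DEFAULT_PORTS
    results = probe_ports(target, ports)
    for port, state in sorted(results.items()):
        print(f"{target}:{port}\t{state}")
    if exposed_ports(results):
        print("exposed:", exposed_ports(results))
    else:
        print("nothing reachable: every probed port is closed or filtered")
```

A port that comes back "filtered" from outside is a port the firewall is dropping; that is the normal state for a WAN with no rules and no port forwards. "closed" means a packet reached a host behind the WAN address (a port forward or the firewall itself) that is not listening, and "open" is the only state worth worrying about.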
Title: Re: I'm at my wits end
Post by: cookiemonster on July 06, 2025, 05:23:28 PM
Quote from: opnsenseuser8473 on July 06, 2025, 11:38:30 AM
The syncookies setting is always on. But I'm still being port scanned, then flooded. After I wait out the attack or reinstall, I usually have to add an extra block rule with the bots'/attackers' host names and IPs. That usually keeps it at bay for a few days, until I see a new bot host name and I fail to respond in time.
You should try changing it to "never", which is the current default.
Quote from: opnsenseuser8473 on July 06, 2025, 11:14:06 AM
i7 12900, 16 GB RAM, NIC I225, and I know, that's what's concerning. I have no idea how they are managing this.
And nothing unusual and nothing for incoming. Yet I'm being port scanned, then flooded.
Sorry, this is not a setup, that is just the hardware specs. You don't want to tell your setup and want us to keep guessing. Sorry, I'm out.
Title: Re: I'm at my wits end
Post by: Patrick M. Hausen on July 06, 2025, 05:39:24 PM
Show your firewall rules and if applicable also NAT port forwarding on WAN or nobody will be able to help you.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 06, 2025, 08:54:14 PM
Quote from: Patrick M. Hausen on July 06, 2025, 05:39:24 PM
Show your firewall rules and, if applicable, also NAT port forwarding on WAN, or nobody will be able to help you.

I apologize; as specified above, this is my first time working with OPNsense, and, to be more specific, with its forums, or forums in general, so I don't know the full scope of their functions. I'm on my email often but no notifications are being sent, so I apologize for the delay. I politely ask for a bit more patience. I don't know the specific terms of the forum or the functions of the site.

My experience is with commercial home-use grade hardware and software that uses the terms outbound and inbound.

I do know the rule order and what "in" and "out" mean even if I refer to outbound or inbound. When the above individual said "setup" with no specifics after referencing hardware, that's what I assumed.

My WAN interface just has a generic block inbound traffic rule directed toward WAN.

A block IP list rule applied individually for source and destination, for "in" and "out", so 4 rules.

If you want my other interfaces' system configuration settings and rules, they are pretty generic.

In front, a general inbound block-all rule.
No general allow outbound.

A redundant specific block rule for IPs that abuse any open ports.

Just general outbound access to specific ports, the typical internet ports: 80, 443 and 53 for DNS; sometimes my DNS needs an "out" to function.

A generic block-all at the end, even if redundant.

The setup is in the right order and the relative "in" and "out" rules are placed. Nothing complicated such as shaping; they are all generic.

The unusual outbound ports that get opened are video game (PS5) specific ports, whose interface is typically closed unless used.

Port forwarding rules are only in use when I have multiple devices running, and that's only directed to the PS5 interface, and they are for specific game ports if needed.

As for defense protection: updated CrowdSec and Suricata, updated and base IPS rules. As I was told, they work together. Hyperscan applied to all ports, syncookies enabled.

NAT ports set to hybrid, nothing specific, as I was trying to get a VPN working but nothing came of it.

This next statement might come off as paranoid to those that haven't seen the situation first-hand.

But for context of history, I'm actually dealing with a situation where a fellow college student at the time lied, said I "hacked" the individual and said other false things. On my old system I was constantly DDoSed, TCP no-flag and null attacks; I had my DNS leaked information and unencrypted traffic made public to everyone involved. The amount of crap I had to clean up in that old system was bad. So I switched to OPNsense because it was said to be superior, granted some buggy states and plugin exploits that get patched along the way.

So in short, these kids went on a revenge plot. What was stated by them: they think it's a "game". I'm just trying to figure out what the heck is going on or what they are exploiting. Whether it be this system or an already compromised device, I don't know.

From my understanding, with configuration setup issues, system freezes shouldn't magically go away for a longer time each time after I clean install the system and additionally block the list of IPs. That would suggest the issue is related to the IPs in general, unless they are trying to "sledgehammer" to force open ports like with my old system, which they abused a lot, which caused my old cheap system to stop functioning often. No, I didn't specifically open any ports.

I'm new with this system, not new in general. Each interface follows a similar format, with the exception of WAN and the console, which needs specific outbound game ports.

That is the list of everything adjusted by me; if more adjustments or information are needed please let me know, but my firewall has generic rules.
Title: Re: I'm at my wits end
Post by: Patrick M. Hausen on July 06, 2025, 09:08:03 PM
Show. The. Rules. Literally. Screenshots.

Please.

You don't need any rule on WAN for example. OPNsense blocks by default.

So this:

Quote
My WAN interface just has a generic block inbound traffic rule directed toward WAN.

Might not be quite what you intend it to do, but instead open up things.

A "virgin" OPNsense with only WAN IP settings configured and a PC or a switch connected to LAN is secure by default.

I would recommend starting with this setup and then working from there, step by step.

Kind regards,
Patrick
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 06, 2025, 09:45:49 PM
Quote from: Patrick M. Hausen on July 06, 2025, 09:08:03 PM
Show. The. Rules. Literally. Screenshots.

Please.

You don't need any rule on WAN, for example. OPNsense blocks by default.

So this:

Quote
My WAN interface just has a generic block inbound traffic rule directed toward WAN.

Might not be quite what you intend it to do, but instead open up things.

A "virgin" OPNsense with only WAN IP settings configured and a PC or a switch connected to LAN is secure by default.

I would recommend starting with this setup and then working from there, step by step.

Kind regards,
Patrick
Thank you for your time. I will post it shortly, as I'm only able to get online with my phone at the moment due to "complications".
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 06, 2025, 09:49:24 PM
Quote from: opnsenseuser8473 on July 06, 2025, 09:45:49 PM
Thank you for your time. I will post it shortly, as I'm only able to get online with my phone at the moment due to "complications".
Quote from: Patrick M. Hausen on July 06, 2025, 09:08:03 PM
Show. The. Rules. Literally. Screenshots. [...]

You don't need any rule on WAN, for example. OPNsense blocks by default. [...]

A "virgin" OPNsense with only WAN IP settings configured and a PC or a switch connected to LAN is secure by default.

I would recommend starting with this setup and then working from there, step by step.
So you're saying that putting block rules opens the firewall? That's weird. I put a redundant block-all in a few minutes.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 06, 2025, 10:23:01 PM
Quote from: opnsenseuser8473 on July 06, 2025, 09:45:49 PM
Thank you for your time. I will post it shortly, as I'm only able to get online with my phone at the moment due to "complications".

I apologize, as the system that is connecting to OPNsense is a glorified monitor, so it's set up with no internet access because it's old. So this is the best I can do. The port impostor is 443 and 80, because some bot tries to port in using UDP ports 443 and 80... But they are TCP ports.

https://cdn.corenexis.com/media?608n34&24H&p&b&zyig.jpg

https://cdn.corenexis.com/media?934wlk&24H&p&b&00s9.jpg
https://cdn.corenexis.com/media?23myga&24H&p&b&tb1p.jpg

https://cdn.corenexis.com/media?0b4rwk&168H&p&b&zieq.jpg
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 06, 2025, 10:28:44 PM
Says files too big; here's the URL of the images. I just googled an image-to-URL converter.
https://cdn.corenexis.com/media?608n34&24H&p&b&zyig.jpg
https://cdn.corenexis.com/media?934wlk&24H&p&b&00s9.jpg
https://cdn.corenexis.com/media?23myga&24H&p&b&tb1p.jpg
https://cdn.corenexis.com/media?0b4rwk&168H&p&b&zieq.jpg
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 06, 2025, 10:35:40 PM
Quote from: opnsenseuser8473 on July 06, 2025, 10:28:44 PM
Says files too big; here's the URL of the images. I just googled an image-to-URL converter. [...]

Granted, for security I can't give the full details of who's blocked, but it should help.
Title: Re: I'm at my wits end
Post by: Patrick M. Hausen on July 06, 2025, 11:20:24 PM
Please attach the images here in the forum. I'm not clicking on links to a site I've never heard of, sorry.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 07, 2025, 12:02:55 AM
I tried, I honestly am trying. My attachment says too big. I'll report in after an hour, after I figure out how to use this forum. I'm new to writing in forums.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 07, 2025, 03:19:48 AM
Quote from: Patrick M. Hausen on July 06, 2025, 11:20:24 PM
Please attach the images here in the forum. I'm not clicking on links to a site I've never heard of, sorry.
Here is what I'm working with, nothing complex.
Title: Re: I'm at my wits end
Post by: opnsenseuser8473 on July 07, 2025, 03:27:20 AM
Quote from: Patrick M. Hausen on July 06, 2025, 11:20:24 PM
Please attach the images here in the forum. I'm not clicking on links to a site I've never heard of, sorry.

I have my own modem, no router built in, and when port forwarding is in use it's connected to a properly isolated dual-trunk setup, because the switch is weird when it comes to using the same trunk port for separate VLAN interfaces in that switch. My only concern is: how does adding a block rule open up ports? Typically, from my understanding, it's allow rules that do that.
Title: Re: I'm at my wits end
Post by: Patrick M. Hausen on July 08, 2025, 09:36:44 AM
I'd argue that all your WAN block rules at the top of your list don't actually achieve anything. You have "!BadWanIP" as the source in your allow rules, so these are blocked already. I assume there are corresponding inbound NAT rules?

Everything that is not explicitly allowed is blocked by default.

Can you disable IDS/IPS completely and reboot and check if the problem persists?

Kind regards,
Patrick
Title: Re: I'm at my wits end
Post by: meyergru on July 08, 2025, 10:03:04 AM
Adding to this: there are also many "out" rules, which are mostly redundant, because usually you check packets when they enter an interface ("in" direction). Since OPNsense is a stateful firewall, the responses to allowed packets are allowed as well, so you do not need two rules for the same traffic.

You should probably study this section of the docs very closely (https://docs.opnsense.org/manual/firewall.html#), where it says:

Quote
Traffic can be matched on in[coming] or out[going] direction, our default is to filter on incoming direction. In which case you would set the policy on the interface where the traffic originates from.
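The two points made in the last two replies (a block rule above allow rules that already exclude the alias changes nothing, because the implicit default deny catches the rest; and a stateful firewall needs only an "in" rule on the originating interface, since replies match the state) can be checked with a toy model. The model below is an added example written for this thread, not OPNsense or pf code: it evaluates ordered "quick" rules first-match-wins with a default deny and a floating state table, the way the docs describe. The BadWanIP alias contents, the addresses (RFC 5737 documentation ranges) and the rules are constructed for the illustration; NAT, logging, non-quick rules and state timeouts are left out.

```python
"""Added example (not OPNsense/pf code): toy model of quick rules + state table."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet is seen on ("WAN", "LAN")
    direction: str  # "in" or "out", relative to that interface
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    iface: str
    direction: str
    proto: str = "any"
    src: Optional[str] = None  # alias name or CIDR; None means any
    src_invert: bool = False   # the "!BadWanIP" (invert) checkbox
    dport: Optional[int] = None


StateKey = Tuple[str, str, int, str, int]


class Firewall:
    """Ordered quick rules, first match wins; default deny if nothing matches."""

    def __init__(self, rules: List[Rule], aliases: Dict[str, List[str]]):
        self.rules = rules
        self.aliases = aliases
        self.states: Set[StateKey] = set()

    def _src_matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.src is None:
            return True
        nets = self.aliases.get(rule.src, [rule.src])
        hit = any(ip_address(pkt.src) in ip_network(net) for net in nets)
        return hit != rule.src_invert

    def _rule_matches(self, rule: Rule, pkt: Packet) -> bool:
        return (rule.iface == pkt.iface and rule.direction == pkt.direction
                and rule.proto in ("any", pkt.proto)
                and (rule.dport is None or rule.dport == pkt.dport)
                and self._src_matches(rule, pkt))

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason); reason is "state", "rule N" or "default deny"."""
        fwd: StateKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: StateKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # State lookup comes first and ignores the interface (floating state):
        # both directions of an already-passed flow go through without rules.
        if fwd in self.states or rev in self.states:
            return "pass", "state"
        for number, rule in enumerate(self.rules, start=1):
            if self._rule_matches(rule, pkt):
                if rule.action == "pass":
                    self.states.add(fwd)
                return rule.action, f"rule {number}"
        return "block", "default deny"


# Constructed data: documentation ranges, not real attackers or real hosts.
ALIASES = {"BadWanIP": ["203.0.113.0/24"]}
WAN_IP = "198.51.100.10"


def op_style_rules() -> List[Rule]:
    """Explicit block on top, then allows that already exclude the alias."""
    return [
        Rule("block", "WAN", "in", src="BadWanIP"),
        Rule("pass", "WAN", "in", "tcp", src="BadWanIP", src_invert=True, dport=443),
        Rule("pass", "LAN", "in", "tcp", dport=443),
        Rule("pass", "LAN", "in", "udp", dport=53),
    ]


def minimal_rules() -> List[Rule]:
    """Same ruleset without the block rule; default deny covers it."""
    return [r for r in op_style_rules() if r.action == "pass"]


WAN_PROBES = [
    Packet("WAN", "in", "tcp", "203.0.113.7", 40000, WAN_IP, 443),  # listed attacker
    Packet("WAN", "in", "tcp", "192.0.2.55", 40001, WAN_IP, 443),   # unlisted client
    Packet("WAN", "in", "tcp", "192.0.2.55", 40002, WAN_IP, 22),    # nothing allows 22
    Packet("WAN", "in", "tcp", "192.0.2.55", 40003, WAN_IP, 23),    # nothing allows 23
]


def decisions(rules: List[Rule]) -> List[str]:
    """Action taken for each WAN probe under the given ruleset."""
    fw = Firewall(rules, ALIASES)
    return [fw.evaluate(p)[0] for p in WAN_PROBES]


LAN_REQUEST = Packet("LAN", "in", "tcp", "10.0.0.5", 51000, "192.0.2.80", 443)
WAN_FORWARD = Packet("WAN", "out", "tcp", "10.0.0.5", 51000, "192.0.2.80", 443)
WAN_REPLY = Packet("WAN", "in", "tcp", "192.0.2.80", 443, "10.0.0.5", 51000)


def stateful_flow() -> List[Tuple[str, str]]:
    """LAN client -> internet: one "in" rule on LAN, state carries the rest."""
    fw = Firewall(minimal_rules(), ALIASES)
    return [fw.evaluate(p) for p in (LAN_REQUEST, WAN_FORWARD, WAN_REPLY)]


if __name__ == "__main__":
    print("with block rule:   ", decisions(op_style_rules()))
    print("without block rule:", decisions(minimal_rules()))
    for pkt, (action, why) in zip((LAN_REQUEST, WAN_FORWARD, WAN_REPLY), stateful_flow()):
        print(f"{pkt.iface} {pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {action} ({why})")
    # The same reply with no prior state falls to default deny: no WAN rule needed.
    print("unsolicited reply:", Firewall(minimal_rules(), ALIASES).evaluate(WAN_REPLY))
```

Both rulesets produce the same decisions for the four WAN probes, which is Patrick's point: the probe to port 22 or 23 never reaches a rule that passes it, so it is dropped whether or not a block rule sits on top. The LAN flow passes on a single LAN "in" rule, leaves WAN "out" and comes back WAN "in" purely on state, and the very same reply packet with no prior state is default-denied, which is why neither the "out" rules nor an explicit WAN block rule are doing any work.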