Topics - chemlud

#61
Hi!

I have a "usual suspect" causing the vast majority of all alerts in IPD (Win business notebook...) and I would like to search all alerts caused NOT by this IP. I tried "!10.0.0.63" in the search bar for IPS Alerts in the GUI, but this doesn't work as expected.

Is there an "invert/NOT function" for the GUI search function implemented?
#62
19.1 Legacy Series / Changed Alias - No effect
June 24, 2019, 03:38:37 PM
Hi again!

Have a list of Host(s) in Aliases and deleted one of the entries. Checked in pfTables, the IP is still in there. Clicked "Flush" to clean the alias, but after reload the IP is still in pfTables for the respective Alias.

Changed type of alias to Network(s) and back to Host(s) to no avail.

Can anybody enlighten me what I have to do to get the altered alias to work? :-)

PS: Sorry, dunno how to delete the thread, but using a different browser did the trick....
#63
Sorry for the stupid question, could not find anything with a quick search:

The certificate for the WebGUI in my 19.1.9 installs expired 29th May. Any advice how to renew? One of my users complains, as his browser complains ;-)
#64
Hi!

Trying to update a 4GB CF-card install of 386 nano (currently on 19.1.4), but after downloading all updates the install process gives "disk full" and the update fails...

Any ideas?
#65
Hy!

Just updated to 19.1.5 and on virtually no page of the GUI can I trigger a reload in FF. I have to load a different page and then come back...

F5 doesn't help, also reboot of client or sense is no help.
#66
Hy!

Setup is a cable modem (Cisco) provided by ISP, opnsense (latest) with DHCP IPv4 on WAN ("block private networks" is enabled on WAN).

I had a minor hiccup at the tunnels and therefore had a look at the General logs of the sense and found, to my surprise, that the DHCP for my public WAN address (no CG-NAT, IP in the 80.x.y.z range) is done via a 10.x.y.z IP on the WAN interface:

Apr 2 08:42:39 dhclient[33436]: bound to 80.xxx.yyy.zzz -- renewal in 5211 seconds.
Apr 2 08:42:39 dhclient: Creating resolv.conf
Apr 2 08:42:39 dhclient[33436]: DHCPACK from 10.0.173.52
Apr 2 08:42:39 dhclient[33436]: DHCPREQUEST on em0 to 10.0.173.52 port 67


Traceroute gives

# /usr/sbin/traceroute -w 2 -n  -m '18' -s '80.xxxx.yyy.zzz'   '10.0.173.52'
traceroute to 10.0.173.52 (10.0.173.52) from 80.xxx.yyy.zzz, 18 hops max, 40 byte packets
1  10.190.1.66  11.226 ms  7.541 ms  7.763 ms
2  * * *
3  * * *
4  213.xxx.yyy.zzz  14.084 ms  15.887 ms  15.735 ms
5  10.20.41.71  33.475 ms
    10.20.41.69  28.584 ms  16.428 ms
6  10.20.11.69  20.135 ms  16.666 ms
    10.20.11.71  23.914 ms
7  10.20.12.70  21.543 ms  17.166 ms
    10.20.11.70  19.720 ms
8  10.20.12.37  20.519 ms
    10.20.11.37  17.143 ms  17.849 ms
9  10.0.1.113  21.072 ms  16.629 ms  19.003 ms
10  10.0.1.41  14.813 ms  15.923 ms  15.973 ms
11  10.0.1.41  15.873 ms  16.019 ms  16.052 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *


Apparently this has been going on for longer; the oldest log entry is from 23 March, but maybe the log simply rotated for the GUI.

Can anybody help me understand this setup...
#67
Hi!

Is there an option in suricata to block access to DNS servers via https (e.g. via a list of DNS servers)?

Any other options for blocking DNS over HTTPS below the level of deep packet inspection of HTTPS with all its implications?

#68
Interesting operation:

https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

Where did the 600 target MACs come from? And why did ASUS sign the update?

Something to keep in mind ;-)
#69
General Discussion / openVPN with TLS 1.3 ?
March 01, 2019, 05:16:36 PM
Hy!

I found this here

https://community.openvpn.net/openvpn/ticket/1080

and tried to establish a peer-to-peer with TLS 1.3, but got the same error as reported above (19.1.1). Is TLS 1.3 in sight for 19.7? Or any plans for the nearer future?
#70
Hi!

Only way to check my Cron jobs is via

Services -> Intrusion Detection -> Administration -> Schedules

However, reaching the page in the GUI, a window pops up for a new Cron rule. If I close this window, the GUI automagically jumps to "Settings" instead of letting me have a look at the "Schedule" page.

So I can't manage the existing Cron jobs....
#71
Hi again!

I first noticed this on my 19.1.1/LibreSSL (opnsense-patch 90c0c395 installed) with OpenVPN client for site-to-site doing fine for years.

Repeatedly resetting the connection (no useful entry in OpenVPN server log) with:

openvpn[59431]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode

...and afterwards trying to reconnect. Ok, I thought, let's have a look in the logs of the second machine I upgraded to 19.1.1 LibreSSL yesterday. And there were the same errors, but starting from December 2018, i.e. when I set up the machine with 18.7.10. So the problems apparently started with 18.7.10.

Any ideas what this could mean? A quick Startpage search gave me nothing conclusive (as usual with tunnels and error messages...).
#72
Hello again!

Have here a fresh install of 19.1.1 amd64 with LibreSSL and DNS over TLS configured. Unbound is not stable under these conditions, see here

https://forum.opnsense.org/index.php?topic=7811.msg48949#msg48949

:-(

But if I try to revert unbound to the version doing fine with 18.7.x, by

opnsense-revert -r 18.7.7 unbound

I only get "Fetching unbound.txz... failed"

(while unbound is up and running).

Is it not possible to run 19.1.1 with this old version of unbound?

___________________

Was it only a problem with Suricata (not yet) configured correctly (and therefore not starting up)? Now Unbound has been stable for quite some time.

#73
18.7 Legacy Series / Interface lost with 18.7.10
January 11, 2019, 11:41:55 AM
Hy!

Updated this morning to 18.7.10 amd64 with LibreSSL, some minutes ago I lost one interface, which came up again after plugging out/in the RJ45:

Jan 11 11:36:40 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 10.45.23.1) (interface: iNET[opt1]) (real interface: igb1).
Jan 11 11:36:40 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb1'
Jan 11 11:36:40 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for iNET(opt1) but ignoring since interface is configured with static IP (10.45.23.1 ::)
Jan 11 11:36:40 kernel: igb1: link state changed to UP
Jan 11 11:36:20 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for iNET(opt1) but ignoring since interface is configured with static IP (10.45.23.1 ::)
Jan 11 11:36:20 kernel: igb1: link state changed to DOWN
#74
German - Deutsch / VDSL with congstar - How?
January 09, 2019, 09:04:29 AM
Hello!

As part of the switch to VoIP, my DSL provider (congstar) is forcing VDSL on me.

Current setup:

Splitter - Draytek Vigor 130 (bridged) - sense (PPPoE)

For the day of the switchover I have the following questions:

1. The splitter MUST go, right? It no longer has any function...

2. Even if the sense handles VLAN 7, the VLAN 7 firmware MUST still go on the Draytek, right?

3. Has this here https://forum.opnsense.org/index.php?topic=7270.0 actually been fixed?

4. Have I overlooked anything? :-)

Many thanks in advance!
#75
Hi everybody!

Have here an up-to-date amd64 install I configured these days. This morning I had a look at the live view of the FW log and found that for some (not all) entries the WRONG FW rule was indicated that resulted in blocking this traffic.

I had to add a rule (Floating this time) and afterwards I had a look into live view of FW logs again. This time even more entries had the wrong FW rule listed.

Here is an example:

lan Dec 22 07:20:27 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:19 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:15 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:13 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:12 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs


As can be seen, the port does not match the description of the FW rule which caused the block. And I have more of this in my list. Is there any known bug in parsing the "description" of the FW rules to the live view?
#76
Hello again!

I have scheduled BLOCK rules (not Allow rules!) and would like to know, if the states are killed automagically when the block rule kicks in.

Is there anybody who could enlighten me? :-)

For scheduled ALLOW rules I guess the states will be killed when the permitted interval is over, or?

#77
18.7 Legacy Series / Cron job - Reset states- How?
December 20, 2018, 03:19:23 PM
Hi again!

From time to time I have to reset the states with a simple

/sbin/pfctl -F state

via Cron.

However, I don't see any "free text" option for Cron under "System"-"Settings"-"Cron".

Is it possible to create an arbitrary Cron job and switch the <command> in the config.xml to make this work?
#78
Hello again!

Have a broadcast spammer with a private IP on my WAN address (with a public IP...) and would like to stop logging this, as it's flooding my firewall log.

Editing this rule is not possible in the GUI, as you get redirected to the interface, where the only option is to turn it on/off. Any other options from the command line or editing the config.xml? :-)

Many thanks in advance...
#79
18.7 Legacy Series / IDS and PPPoE - some details?
November 16, 2018, 03:19:25 PM
Hi again!

This here is closed, apparently:

https://forum.opnsense.org/index.php?topic=3630.30

I would like to shift a PPPoE box to OPNsense, but need IDS there (and absolute reliability, as the box is somewhat remote).

Is the problem only when activating IDS on WAN interface? Or is it IDS in general, that might cause trouble? Would it be an option to run IDS only on LAN interfaces? Or has nobody a real idea?
#80
Hi!

The default in the GUI is often to show only the first 7 entries of a GUI item, e.g. aliases, log entries etc.

Is there a way to change this default to "all" or let's say, 100 entries? Didn't find anything in the GUI, e.g. tunables or related...

Thanks in advance!