Topics - proctor

#1
Hi,

what is the idea behind removing this feature?

I used the feature to force Web-GUI login via 2FA, SSH via keys, but allow console login and su for root without 2FA (sudo disabled). So root can't login (directly) at Web-GUI or SSH (no 2FA and no key). After the update to 25.x I am not able to "su root".

Thanks for some explanation and ideas to get a similar setup again
#2
OPNsense 23.7.12_5

When I use the search field in "Firewall : Log Files : Plain View" it seems I only get events displayed if they fill up a whole page (at least 20).

To reproduce I choose a known target - e.g. "142.250.185.195" (www.google.de) - to search for and get a lot of events.


2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
...


After the results are displayed, I extend the search string by the displayed source port number digit by digit: "142.250.185.195,6"


2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
2024-05-30T14:23:18 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,6304,443,0,S,820402105,,65228,,mss;nop;wscale;sackOK;TS
2024-05-29T17:17:46 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,62739,443,0,S,3333951251,,65228,,mss;nop;wscale;sackOK;TS
...


And "142.250.185.195,60" - I know, there is at least one event, but I only get:


Loading...


I don't expect this to be intended behavior; how can I find single or seldom events?

Thanks for any hint!
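The Plain View search box matches the typed string against the raw log line. As an added example (not code from the post above or from OPNsense), the script below splits the filterlog CSV payload into named fields so that one specific event, such as a single source port, can be matched exactly, and values that occur only once can be listed. The sample lines are the ones quoted in the post; the field layout follows the documented pf filterlog CSV format (rule number, sub-rule, anchor, rule id, interface, reason, action, direction, IP version, the IP header fields, then protocol fields). The IPv6 and UDP layouts are included so the parser is general, not only the two cases shown above.

```python
"""Field-exact search over OPNsense filterlog lines (added example)."""
from collections import Counter
from typing import Dict, List, Optional

# Sample lines copied from the forum post (constructed input for this example).
SAMPLE_LOG = """\
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
2024-05-30T14:23:18 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,6304,443,0,S,820402105,,65228,,mss;nop;wscale;sackOK;TS
2024-05-29T17:17:46 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,62739,443,0,S,3333951251,,65228,,mss;nop;wscale;sackOK;TS
"""

# Field names in CSV order (pf filterlog format).
COMMON = ["rulenr", "subrulenr", "anchor", "label", "interface", "reason",
          "action", "dir", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protonum", "protoname",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hlim", "protoname", "protonum", "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line; return None for lines that are not filterlog events."""
    marker = " filterlog "
    if marker not in line:
        return None
    prefix, payload = line.split(marker, 1)
    parts = payload.strip().split(",")
    rec: Dict[str, str] = {"timestamp": prefix.split()[0]}
    pos = 0

    def take(names: List[str]) -> None:
        nonlocal pos
        for name in names:
            rec[name] = parts[pos] if pos < len(parts) else ""
            pos += 1

    take(COMMON)
    take(IPV4 if rec["ipversion"] == "4" else IPV6)
    if rec["protoname"] == "tcp":
        take(TCP)
    elif rec["protoname"] == "udp":
        take(UDP)
    else:
        # ICMP and other protocols carry protocol-specific trailing fields
        # (e.g. "datalength=60"); keep them verbatim.
        rec["extra"] = ",".join(parts[pos:])
    return rec


def load(text: str) -> List[Dict[str, str]]:
    """Parse every filterlog line in a block of log text."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def search_substring(text: str, needle: str) -> List[str]:
    """What the Plain View search box does: substring match on the raw line."""
    return [ln for ln in text.splitlines() if needle in ln]


def search_fields(records: List[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Exact match on named fields, e.g. search_fields(recs, dst="1.2.3.4", srcport="60424")."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def singletons(records: List[Dict[str, str]], key: str) -> List[str]:
    """Values of `key` that occur exactly once: the 'seldom events' the post asks about."""
    counts = Counter(r.get(key, "") for r in records)
    return sorted(v for v, n in counts.items() if v and n == 1)


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    print(len(search_substring(SAMPLE_LOG, "142.250.185.195,6")), "raw-substring hits")
    for r in search_fields(recs, dst="142.250.185.195", srcport="60424"):
        print(r["timestamp"], r["action"], r["src"], r["srcport"], "->", r["dst"], r["dstport"])
    print("source ports seen once:", singletons(recs, "srcport"))
```

Run it against a copy of /var/log/filter/latest.log pulled over SSH when the GUI search does not show an event you know exists; because matching is on parsed fields, a search for source port 60424 cannot be confused by the "6" in "6304" or by the destination port.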
#3
With the option "Disable integrated authentication" activated it is not possible to log in at the console and not possible to su in SSH.
OPNsense version 23.1.11_2

Context:
I have configured 2FA with TOTP and set up a user (not root) with an OTP seed. This user is a member of the group "admins". Additionally I configured SSH public keys for that user. Login to the web GUI with 2FA and SSH login with public key work well. The user 'root' doesn't have either an OTP seed or a public key.

As a fallback in case of problems with 2FA, I wanted to log in via SSH with key or via the console. But as soon as I activate "Disable integrated authentication" I cannot log in to the console and I cannot su to root in SSH.

Thanks for any hint!
#4
We use a group of restricted users to gain access to the webgui with the following assigned privileges.

GUI    Dashboard (all)
GUI    Diagnostics: Logs: DHCP
GUI    Diagnostics: Logs: Firewall: Live View
GUI    Services: Unbound DNS: Log File
GUI    Status: DHCP leases

In OPNsense version 22.7.2 (2 devices) those users see running services in the dashboard. In version 23.1.11 (11 devices) those users see an empty service widget. Services will be shown in the widget if we additionally assign the privilege "GUI Status: Services". But then they are able to stop or start services, which isn't intended.

Any idea how to list running services for restricted users without the option to start or stop any services?

Thanks for any hint!
#5
Stumbled upon this question while investigating some 'received errors' on an interface. All the investigated interfaces (ix0 on different OPNsense boxes) are connected to a (different) switch with one untagged and a couple of tagged VLANs.

The untagged root interface (ix0) on some boxes shows the flag 0x8863 and on the other boxes 0x8963. All tagged interfaces (ix0_vlanX) show the flag 0x8843.

My first guess was that the flag represents the EtherType, but the only corresponding number I found was 0x8863 (PPPoE Discovery Stage). So I think I am on the wrong track. Can someone point me in the right direction?

--

FYI:
The investigated errors seemed to be caused by 802.3 EEE. After disabling 802.3 EEE on the switch ports the errors stopped.
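A small decoder for the hex words quoted in the post, added here as an example and not part of the post. It assumes the numbers are the `flags=...` word that FreeBSD's ifconfig prints for an interface, i.e. the IFF_* bits from sys/net/if.h, rather than an EtherType; the bit table below is taken from that header (the 0x20 bit is IFF_NEEDSEPOCH on FreeBSD 13 and is not printed by ifconfig, which is why it never appears in the bracketed flag list). From a defender's point of view the bit worth watching is PROMISC: an interface with it set is receiving all frames on the segment, typically because a packet capture or IDS sensor is listening on it.

```python
"""Decode FreeBSD interface flag words such as 0x8863, 0x8963 and 0x8843 (added example)."""
from typing import List, Set, Tuple, Union

# IFF_* bit values from FreeBSD sys/net/if.h, named as ifconfig prints them.
IFF_BITS = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x4: "DEBUG",
    0x8: "LOOPBACK",
    0x10: "POINTOPOINT",
    0x20: "NEEDSEPOCH",   # IFF_NEEDSEPOCH (FreeBSD 13+); ifconfig does not print this bit
    0x40: "RUNNING",
    0x80: "NOARP",
    0x100: "PROMISC",     # interface receives all frames, not only those addressed to it
    0x200: "ALLMULTI",
    0x400: "OACTIVE",
    0x800: "SIMPLEX",
    0x1000: "LINK0",
    0x2000: "LINK1",
    0x4000: "LINK2",
    0x8000: "MULTICAST",
    0x10000: "CANTCONFIG",
    0x20000: "PPROMISC",
    0x40000: "MONITOR",
    0x80000: "STATICARP",
    0x200000: "DYING",
    0x400000: "RENAMING",
}

KNOWN_MASK = sum(IFF_BITS)


def to_int(word: Union[int, str]) -> int:
    """Accept an int or a hex string as printed by ifconfig ("8863" or "0x8863")."""
    return word if isinstance(word, int) else int(word, 16)


def decode_flags(word: Union[int, str]) -> List[str]:
    """Return the flag names set in `word`, lowest bit first; unknown bits are reported as hex."""
    value = to_int(word)
    names = [name for bit, name in sorted(IFF_BITS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def diff_flags(a: Union[int, str], b: Union[int, str]) -> Tuple[Set[str], Set[str]]:
    """Return (flags only in a, flags only in b) so two boxes can be compared quickly."""
    fa, fb = set(decode_flags(a)), set(decode_flags(b))
    return fa - fb, fb - fa


def is_promiscuous(word: Union[int, str]) -> bool:
    """True if IFF_PROMISC is set, i.e. something is capturing all frames on the interface."""
    return bool(to_int(word) & 0x100)


if __name__ == "__main__":
    for w in ("0x8863", "0x8963", "0x8843"):
        tag = " (promiscuous)" if is_promiscuous(w) else ""
        print(w, "<" + ",".join(decode_flags(w)) + ">" + tag)
    print("0x8863 vs 0x8963:", diff_flags("0x8863", "0x8963"))
```

Feeding the three values from the post through it shows that 0x8863 and 0x8843 differ only in the unprinted 0x20 bit (physical NIC versus VLAN child), while 0x8963 is 0x8863 with PROMISC added.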
#6
Hello,

Since connecting two interfaces of an OPNsense device to the switch - with different VLANs - in-errors are reported for both interfaces. The monitoring (checkmk) shows a constant error rate - 0.5 per second - regardless of the traffic on each interface. Does anyone have an idea what could cause this issue?

Thanks for any help!


ix0:
Status up
MAC address 00:90:0b:7f:84:b2 - LANNER ELECTRONICS, INC.
MTU 1500
IPv4 address 10.2.0.1/26
IPv4 gateway 10.2.0.1
Media 1000baseT <full-duplex,rxpause,txpause>
In/out packets 79509368 / 79575887 (5.76 GB / 5.48 GB)
In/out packets (pass) 79508679 / 79575887 (5.76 GB / 5.48 GB)
In/out packets (block) 85929 / 0 (689 bytes / 0 bytes)
In/out errors 2199811 / 0
Collisions 0

ix1:
Status up
MAC address 00:90:0b:7f:84:b3 - LANNER ELECTRONICS, INC.
MTU 1500
IPv4 address 10.2.8.1/24
Media 10baseT/UTP <full-duplex,rxpause,txpause>
In/out packets 125031641 / 112825265 (92.06 GB / 84.11 GB)
In/out packets (pass) 124958473 / 112825264 (92.06 GB / 84.11 GB)
In/out packets (block) 7824309 / 1 (71 KB / 60 bytes)
In/out errors 2196895 / 0
Collisions 0

#7
Hello,

I accidentally set up a wrong SSL cert for the management web site (I think I chose a client instead of a server cert to generate). Now I am not able to log on to the OPNsense management web site, with the error "SEC_ERROR_INADEQUATE_CERT_TYPE". I did a restore using SSH, but that did not bring back the previously used SSL cert (why?).

How can I manage OPNsense from the CLI to set up an alternate SSL cert or, at least, to get access to the web site?

Thanks for any hint,
proctor
#8
Hello,

I have an IPsec connection with routed ESP; both ends are OPNsense version 21.1.2 and 21.1. Ping and SSH work as expected through the tunnel, but HTTP/HTTPS does not. Web Proxy isn't in use.

In the Firefox network analyzer I see that some data is received, but no page is shown. Looking at the firewall logs (attached), it seems like an interface mismatch. What I found for that is related to NAT - https://forum.opnsense.org/index.php?topic=13663.msg62940#msg62940 - but it doesn't seem to help me.

Because I see this issue in two constellations - which are the only constellations with OPNsense at both ends here - I think of a configuration problem but have no more ideas (after struggling for a couple of days).

Does anyone have an idea what is going wrong? I will share any further information if needed.


Interface Time Source Destination Proto Label
-------------------------------------------------------------------------------------------------------------------------------------------------

HTTP:
-------------------------------------------------------------------------------------------------------------------------------------------------
IPsec Mar 11 12:42:57 10.8.0.4: 10.240.9.14 tcp Default deny rule
IPsec Mar 11 12:42:57 10.8.0.4:80 10.240.9.14:50595 tcp Default deny rule
IPsec Mar 11 12:42:56 10.8.0.4: 10.240.9.14 tcp Default deny rule
IPsec Mar 11 12:42:56 10.8.0.4:80 10.240.9.14:50595 tcp Default deny rule
IPsec Mar 11 12:42:56 10.8.0.4: 10.240.9.14 tcp Default deny rule
IPsec Mar 11 12:42:56 10.8.0.4:80 10.240.9.14:50595 tcp Default deny rule
IPsec_Infra_08 Mar 11 12:42:55 10.240.9.14:50595 10.8.0.4:80 tcp let out anything from firewall host itself
LAN_Admin_Prime Mar 11 12:42:55 10.240.9.14:50595 10.8.0.4:80 tcp Infra Local | Admin Prime - RDSH
-------------------------------------------------------------------------------------------------------------------------------------------------

SSH:
-------------------------------------------------------------------------------------------------------------------------------------------------
IPsec_Infra_08 Mar 11 12:39:01 10.240.9.14 10.8.0.4 icmp let out anything from firewall host itself
LAN_Admin_Prime Mar 11 12:39:01 10.240.9.14 10.8.0.4 icmp Infra Local | Admin Prime - RDSH
-------------------------------------------------------------------------------------------------------------------------------------------------

Ping:
-------------------------------------------------------------------------------------------------------------------------------------------------
IPsec_Infra_08 Mar 11 12:35:54 10.240.9.14:50591 10.8.0.4:22 tcp let out anything from firewall host itself
LAN_Admin_Prime Mar 11 12:35:54 10.240.9.14:50591 10.8.0.4:22 tcp Infra Local | Admin Prime - RDSH


Thanks,
proctor

#9
Hello,

a gateway sends traffic to an IPsec policy-based remote address with its public address, not the local address for the policy.

If my gateway sends a DNS request to a DNS server which is connected through a policy-based IPsec tunnel, the gateway uses the WAN IP address for sending the request (and sends it to the WAN). What would be the right way to let the gateway use the appropriate local IP address to send the request to the policy-based remote address?

Till now we used routed IPsec, where this is solved by routing. But an ongoing problem with routed IPsec in version 20.7 (https://forum.opnsense.org/index.php?topic=18918.0) leads me to the policy-based configuration.

Thanks for any hint,
Proctor