Messages - srijan

#16
Hello Franco,

I narrowed it down to one of these that needs a change, not sure which one though.

dev.netmap.buf_num: 163840

dev.netmap.ring_num: 200

dev.netmap.buf_size: 2048

After reading the Man Pages, here is what I have got:

"netmap supports raw packet I/O through a port, which can be connected to a physical interface (NIC), to the host stack, or to a VALE switch. Ports use preallocated circular queues of buffers (rings) residing in an mmapped region. There is one ring for each transmit/receive queue of a NIC or virtual port. An additional ring pair connects to the host stack.

Sizes and number of objects (netmap_if, netmap_ring, buffers) for the global memory region. The only parameter worth modifying is dev.netmap.buf_num as it impacts the total amount of memory used by netmap."


I will try to tweak these values and see if this resolves the issue.

Thanks and Regards,
-=Srijan Nandi
#17
Thanks, Franco. My guess was that. My current hardware has built-in RAM, so maybe I have to get new hardware for Opnsense.

I thought there could be a way to tweak the netmap_buf, via a kernel configuration and increase the size.

Though, I have already increased the MBUF count by adding a line in loader.conf, kern.ipc.nmbclusters="131072". I thought this would increase the netmap_buf as well.

Thank you so much for the quick reply.

Regards,
-=Srijan Nandi
#18
In system logs, I see the following:

Aug 23 19:00:15 OPNsense kernel: 015.175801 [ 518] netmap_obj_malloc         no more netmap_buf objects
Aug 23 19:00:15 OPNsense kernel: 015.184088 [ 683] netmap_new_bufs           no more buffers after 3874 of 4096
Aug 23 19:00:15 OPNsense kernel: 015.193470 [1423] netmap_mem_rings_create   Cannot allocate buffers for rx_ring
Aug 23 19:00:15 OPNsense kernel: 015.235613 [ 518] netmap_obj_malloc         no more netmap_buf objects
Aug 23 19:00:15 OPNsense kernel: 015.243970 [ 683] netmap_new_bufs           no more buffers after 3874 of 4096
Aug 23 19:00:15 OPNsense kernel: 015.253353 [1423] netmap_mem_rings_create   Cannot allocate buffers for rx_ring

Is there a way to increase 'netmap_new_bufs'?
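
Added example (not from the thread): a small Python checker that parses the netmap kernel messages quoted above and relates them to the dev.netmap sysctl values from post #16 and the real-memory figure from post #20. The log lines and values are copied from the thread as constructed sample input; nothing here queries a live system.

```python
import re

# Constructed sample input: the netmap kernel log lines and sysctl values
# quoted in this thread (copied from the posts, not read from a live box).
KERNEL_LOG = """\
Aug 23 19:00:15 OPNsense kernel: 015.175801 [ 518] netmap_obj_malloc         no more netmap_buf objects
Aug 23 19:00:15 OPNsense kernel: 015.184088 [ 683] netmap_new_bufs           no more buffers after 3874 of 4096
Aug 23 19:00:15 OPNsense kernel: 015.193470 [1423] netmap_mem_rings_create   Cannot allocate buffers for rx_ring
"""
NETMAP_SYSCTL = {"dev.netmap.buf_num": 163840,
                 "dev.netmap.ring_num": 200,
                 "dev.netmap.buf_size": 2048}
REAL_MEMORY_BYTES = 536870912  # "real memory = 536870912 (512 MB)" in the thread

# netmap kernel lines look like: "<ts> [<srcline>] <function><spaces><message>"
NETMAP_RE = re.compile(r"kernel: \S+ \[\s*\d+\] (?P<func>\w+)\s+(?P<msg>.*)$")
SHORTFALL_RE = re.compile(r"no more buffers after (?P<got>\d+) of (?P<want>\d+)")

def parse_netmap_events(log_text):
    """Return (function, message) tuples for every netmap_* kernel message."""
    events = []
    for line in log_text.splitlines():
        m = NETMAP_RE.search(line)
        if m and m.group("func").startswith("netmap_"):
            events.append((m.group("func"), m.group("msg").strip()))
    return events

def buffer_shortfall(events):
    """Buffers still missing when netmap_new_bufs gave up, or 0 if none failed."""
    worst = 0
    for func, msg in events:
        m = SHORTFALL_RE.search(msg)
        if func == "netmap_new_bufs" and m:
            worst = max(worst, int(m.group("want")) - int(m.group("got")))
    return worst

def netmap_pool_bytes(sysctl):
    """Size of the netmap buffer pool configured by buf_num * buf_size."""
    return sysctl["dev.netmap.buf_num"] * sysctl["dev.netmap.buf_size"]

def pool_share_of_ram(sysctl, real_memory_bytes):
    """Fraction of physical RAM the configured netmap buffer pool would take."""
    return netmap_pool_bytes(sysctl) / real_memory_bytes

if __name__ == "__main__":
    ev = parse_netmap_events(KERNEL_LOG)
    print(f"{len(ev)} netmap events, shortfall {buffer_shortfall(ev)} buffers")
    print(f"configured pool {netmap_pool_bytes(NETMAP_SYSCTL) // 2**20} MiB "
          f"= {pool_share_of_ram(NETMAP_SYSCTL, REAL_MEMORY_BYTES):.0%} of RAM")
```

With the thread's values the shortfall is 222 buffers and the configured pool is 320 MiB, i.e. 62% of the 512 MB box, which is the figure worth comparing against dev.netmap.buf_num before tuning.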

#19
Sorry, forgot to add. I have a 4GB swap space and when I start suricata on the Static WAN Interface, I see RAM being eaten, but swap is still not utilised.

vm.swap_enabled: 1
vm.disable_swapspace_pageouts: 0
vm.defer_swapspace_pageouts: 0
vm.swap_idle_enabled: 0
vm.stats.vm.v_swappgsout: 153221
vm.stats.vm.v_swappgsin: 69916
vm.stats.vm.v_swapout: 26527
vm.stats.vm.v_swapin: 21265
vm.swap_idle_threshold2: 10
vm.swap_idle_threshold1: 2
vm.nswapdev: 1
vm.swap_async_max: 4
vm.swap_maxpages: 1894560
vm.swap_reserved: 591814656
vm.swap_total: 4294967296
#20
Hello Everyone,

I have the following setup. I have two WAN interfaces (one PPPoE and another Static) and have configured a LAN interface and a DMZ interface.

I am currently running OPNsense 16.7.2-i386. The hardware used has the following configuration:

hw.model: Intel(R) Celeron(R) M processor          600MHz
hw.machine: i386
hw.ncpu: 1

real memory  = 536870912 (512 MB)
avail memory = 481464320 (459 MB)

The issue that I am facing is rather strange. If I select only the PPPoE WAN interface for Intrusion Detection, Suricata starts up fine and I can see it up.

Here are the logs:
23/8/2016 -- 18:53:04 - <Notice> - This is Suricata version 3.1.1 RELEASE
23/8/2016 -- 18:54:31 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.

Now if I enable only the Static WAN interface, Suricata fails to start and gives an out of memory error. Specific logs are as below:

23/8/2016 -- 18:58:44 - <Notice> - This is Suricata version 3.1.1 RELEASE
23/8/2016 -- 19:00:15 - <Error> - [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't register em2 with netmap: Cannot allocate memory
23/8/2016 -- 19:00:15 - <Error> - [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't register em2 with netmap: Cannot allocate memory
23/8/2016 -- 19:00:15 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-em2" closed on initialization.
23/8/2016 -- 19:00:15 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...


Hardware CRC, Hardware TSO and Hardware LRO are disabled for all interfaces.

I know RAM is low, but I fail to understand why, if it starts with one WAN interface, it cannot start with the other WAN interface. My ultimate goal is to have Intrusion Detection on both the WAN interfaces.

Any ideas?


Thanks and Regards,
-=Srijan Nandi
#21
Here are my IPFW rules:

root@OPNsense:~ # cat /usr/local/etc/ipfw.rules

#======================================================================================
# flush ruleset
#======================================================================================
flush

#======================================================================================
# define dummynet pipes
#======================================================================================

#======================================================================================
# define dummynet queues
#======================================================================================


#======================================================================================
# general purpose rules 1...1000
#======================================================================================
add 100 allow pfsync from any to any
add 110 allow carp from any to any
# layer 2: pass ARP
add 120 pass layer2 mac-type arp,rarp
# OPNsense requires for WPA
add 130 pass layer2 mac-type 0x888e,0x88c7
# PPP Over Ethernet Session Stage/Discovery Stage
add 140 pass layer2 mac-type 0x8863,0x8864
# layer 2: block anything else non-IP(v4/v6)
add 150 deny layer2 not mac-type ip,ipv6

# allow traffic send from localhost
add 200 skipto 60000 ipv6 from ::1 to any
add 201 skipto 60000 ipv4 from 127.0.0.0/8 to any
add 202 skipto 60000 ipv6 from any to ::1
add 203 skipto 60000 ipv4 from any to 127.0.0.0/8

#======================================================================================
# Allow traffic to this hosts static ip's
#======================================================================================
add 1002 skipto 60000 udp from any to 192.168.1.1 dst-port 53 keep-state
add 1002 skipto 60000 ip from any to { 255.255.255.255 or 192.168.1.1 } in
add 1002 skipto 60000 ip from { 255.255.255.255 or 192.168.1.1 } to any out
add 1002 skipto 60000 icmp from { 255.255.255.255 or 192.168.1.1 } to any out icmptypes 0
add 1002 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.1.1 } in icmptypes 8
add 1003 skipto 60000 udp from any to 1.1.1.1 dst-port 53 keep-state
add 1003 skipto 60000 ip from any to { 255.255.255.255 or 1.1.1.1 } in
add 1003 skipto 60000 ip from { 255.255.255.255 or 1.1.1.1 } to any out
add 1003 skipto 60000 icmp from { 255.255.255.255 or 1.1.1.1 } to any out icmptypes 0
add 1003 skipto 60000 icmp from any to { 255.255.255.255 or 1.1.1.1 } in icmptypes 8

#===================================================================================
# zone OPT Captive Portal (0) / em2 configuration
#===================================================================================
add 3000  skipto 10001 ip from table(0) to any via em2
add 3000  skipto 10001 ip from any to table(0) via em2


#======================================================================================
# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
#======================================================================================
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em2
add 5000 allow ip from any to any dst-port 443 via em2
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
add 5000 allow ip from any to any dst-port 80 via em2


#======================================================================================
# accept traffic from all interfaces not used by captive portal
#======================================================================================
# let the responses from the captive portal web server back out
add 6000 skipto 60000 tcp from any to any out
# forward unauthorized traffic from captiveportal interfaces to block rule
add 6002 skipto 65534 all from any to any via em2
# send all the rest to the traffic shaper rules
add 6199 skipto 60000 all from any to any


#======================================================================================
# setup zone accounting section
#======================================================================================
# zone OPT Captive Portal (0)
add 10001 count ip from any to any via em2
add 10998 skipto 30000 all from any to any via em2
add 10999 deny all from any to any not via em2


#======================================================================================
# setup accounting section, first rule is counting all CP traffic
#======================================================================================
add 30000 set 0 count ip from any to any


#======================================================================================
# traffic shaping section, authorized traffic
#======================================================================================
add 60000 return via any


# pass authorized
add 65530 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in via em2
add 65530 allow ip from any to any dst-port 80 via em2
add 65533 pass ip from any to any

# block all unmatched
add 65534 deny all from any to any


Regards,
-=Srijan Nandi
#22
I have a slightly different setup: I have set up captive portal and transparent proxy on the LAN interface. I have finally managed to get it to work, with a workaround. Here is what I have done.

1. When you enable captive portal, it creates IPFW rules:
# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
#======================================================================================
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em2
add 5000 allow ip from any to any dst-port 443 via em2
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
add 5000 allow ip from any to any dst-port 80 via em2

This is to throw the Captive Portal to users.

2. After getting authenticated, the traffic passes through the following rules:
# pass authorized
add 65533 pass ip from any to any

3. I have created two IPFW rules to pass the authenticated traffic to the Transparent Proxy:
# pass authorized
add 65530 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in via em2
add 65530 allow ip from any to any dst-port 80 via em2

add 65533 pass ip from any to any

It then passes the traffic to the proxy. You just need to ensure that in the Firewall Rules there is neither a rule to block port 80 traffic nor a NAT rule to redirect it to the transparent proxy.

Everything needs to be done via the IPFW ruleset.

#24
Can someone help me pass authenticated traffic to the proxy on port 3128? Basically, here are the IPFW rules:

# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
#======================================================================================
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em2
add 5000 allow ip from any to any dst-port 443 via em2
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em2
add 5000 allow ip from any to any dst-port 80 via em2

# pass authorized
add 65533 pass ip from any to any

I need help in passing the authenticated traffic to proxy_IP:3128. Then the proxy will hopefully pass the traffic out. This way I may be able to use Captive Portal with Transparent Proxy.

#26
How did you get this to work for HTTP traffic? I suppose as soon as you enable Captive Portal, it makes a default rule in IPFW to pass all port 80 traffic to 127.0.0.1,9000 or 127.0.0.1,8000, i.e. to the captive portal. Therefore, when port 80 traffic hits Opnsense, won't this rule take precedence over the PF rule that passes port 80 traffic to the proxy?

Captive Portal works well with Forward Proxy. I somehow am not able to get it to work with Transparent Proxy. Am I missing something?
#27
Hello Everyone,

I am new to Opnsense, but so far liked everything Opnsense has to offer. However, recently I got stuck using Captive Portal. My requirement is to use Captive Portal with Transparent Proxy and it does not seem to work.

1. Standalone Captive Portal works fine.
2. Captive Portal with Forward Proxy works absolutely fine, and does web filtering as well.
3. Captive Portal with Transparent Proxy does not seem to work. It works at times and fails at times.

My requirement is to have Captive Portal authenticate users and then pass the session on to the Transparent Proxy. I see two rules in IPFW, one to pass all port 80 traffic to Captive Portal and below it a rule to pass that traffic through. I want Captive Portal to pass the authenticated traffic to the proxy when Transparent Proxy is enabled. Something similar to this is what I see:

05002 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em1
05002 allow ip from any to any dst-port 80 via em1

I only need the authenticated traffic to pass to the proxy and then have the proxy take effect.

It would be a great help if anyone can suggest a solution. I have checked pretty much everywhere with no results.

I want to install Opnsense in my production environment and this is a requirement.

Thanking you all in anticipation.