Messages - allebone

#391
Quote from: mimugmail on July 27, 2020, 03:10:54 PM
Sure, System : Settings : Logging .. there just double the size for logging.
With 20.7 you can also switch to text logging where there is always one file per day and you set the time how long to keep them.

Can you clarify? In live log I can only select up to 5000 entries. What must I change here?
#392
Hi there,

I am finding the log of only 5000 entries a little restrictive. Is there any inbuilt way inside of OPNsense to increase it slightly more, say 10000 (double)? That would be really helpful in some circumstances when reviewing some of the logs. 5000 seems a tad on the small side when capturing traffic, that's all.

P
#393
You tick the Source / Invert box to create a ! (i.e. NOT this IP listed).
#394
Hmm, that is disappointing. Thanks for clarifying.
#395
When using Intrusion Detection, what rules are processed first?

I have normal Firewall rules I would like processed before IDS is processed. Is this the default, or if not, how can I ensure my own rules are processed prior to IDS rules being processed?

Kind regards
Pete
#396
I just want to follow this in case someone gets it working.
#397
Hi there,

I would like to create a rule that detects if an IP attempts to make a connection to the firewall on a certain port, and add that IP into a block rule. Is this possible to do? E.g.: IP 1.1.1.1 connects to the firewall on port 4000. The firewall sees this in the logs and adds it into a block rule that denies any traffic for 1.1.1.1, which also now prevents that IP from connecting to any NAT rules that are open for other services on the network.

Kind regards
P
#399
I had to use pc-i440fx-4.2 and SeaBIOS on Unraid for my OPNsense VM. Did you try that? Also, I installed using legacy boot.
#400
I use i440fx and virtio with SeaBIOS because it works the best for me after testing all the different combinations, and uses the least CPU. I think trying to use q35 would be really hard.
#401
20.1 Legacy Series / Re: High memory usage in Proxmox VM
February 03, 2020, 04:21:51 PM
Quote from: REH on February 03, 2020, 03:31:13 PM
Thanks for the tips, but I'm using an Intel NIC PCI card where I pass the ports through.

Yup, that's the gold standard. For those of us on a tighter budget, bridging is ok for a home setup :)

Good luck with your build - OPNsense is a very nice product :)
#402
What machine type and NIC driver type are you passing to the VM from KVM?
#403
20.1 Legacy Series / Re: High memory usage in Proxmox VM
February 03, 2020, 02:20:26 PM
I'm no expert, but from the screenshot memory ballooning might be being used? If that is the case then this behaviour is expected. I use OPNsense on Unraid and the same thing happens for me. Also, as an aside, just as another tip: for me to get best performance I had to use machine type i440fx (I'm using version 4.2) and SeaBIOS so that I could pass the virtio network drivers. These NICs provide the best performance in a VM, unless of course you are using PCI passthrough on the NICs, which would be fine also.

Pete
#404
Quote from: franco on February 01, 2020, 07:24:54 AM
Hi P,

You can use a full regex search: :53[^0-9]

The page will be improved eventually and the searching made easier. I think there's already a ticket for it.


Cheers,
Franco

Hello Franco,

Thank you, this information is excellent. I was able to get close enough to what I needed with a simple :53[^5353] so thank you for this tip. Even that alone filters out enough to make the log more manageable.
In addition, I have managed to switch over completely from pfSense with all the help from the forums, so while there is a learning curve in changing over, and some differences, it's certainly manageable for anyone if even I can do it.

Thanks again,
P
#405
Hi,

I am trying to filter a specific port in live log view. I filter on this string -

:53

This shows me what I am looking for (port 53), but in addition ports that contain this string, e.g. :5353, also match. Also the time in seconds at :53 also matches.

How can I modify my string to only search port 53?

Many thanks,
P
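
Added example (not from the forum posts): what each filter string quoted in the two posts above selects when applied with Python's `re` to constructed log rows. The row layout, the addresses and the stricter IPv4-only pattern `PORT53` are assumptions, and the live log's own regex engine may behave differently.

```python
import re

# Constructed rows (not real firewall output): "time iface src:port dst:port proto".
ROWS = [
    "07:10:01 wan 192.0.2.10:40000 198.51.100.5:53 udp",   # 0: DNS, port mid-row
    "07:10:02 lan 192.0.2.11:5353 224.0.0.251:5353 udp",   # 1: mDNS
    "07:10:53 wan 192.0.2.12:40001 198.51.100.5:443 tcp",  # 2: only the seconds are 53
    "07:10:04 wan 192.0.2.13:40002 198.51.100.5:530 tcp",  # 3: port 530
    "07:10:05 lan 192.0.2.14:40003 192.0.2.1:53",          # 4: port 53 ends the row
]

# Filter strings quoted in the posts.
FILTERS = {
    "plain": r":53",
    "reply": r":53[^0-9]",
    "follow_up": r":53[^5353]",  # the class [^5353] is the same set as [^35]
}

# Assumption (not from the thread): require a dotted IPv4 address before the
# colon, and use a lookahead so a port that ends the row still counts.
PORT53 = r"\d+(?:\.\d+){3}:53(?!\d)"


def matching_rows(pattern, rows=ROWS):
    """Return the indexes of rows in which the pattern is found anywhere."""
    rx = re.compile(pattern)
    return [i for i, row in enumerate(rows) if rx.search(row)]


def compare():
    """Map each filter name to the row indexes it selects."""
    result = {name: matching_rows(p) for name, p in FILTERS.items()}
    result["strict"] = matching_rows(PORT53)
    return result


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:10} -> {hits}")
```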