Messages - RobLatour

#61
Perhaps we should ask for a more all-encompassing migration feature to be added :-)
#62
Perfect, that works really well.  Thank you.
#63
Unfortunately, I can't help you at all with this.  However, I did want to thank you for posting as I will be starting the exact same exercise once some new equipment I have on order arrives.
#64
I am currently using an alias to block specific external ip v4 addresses; which is great.

However, I would like to be able to block all external IP v4 addresses from a specific range of IP addresses.

For example x.y.*.*  (where x and y are specific numbers that I enter, and the * can be anything from 0 to 255)

What is the best approach for this?
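As an added example (not part of RobLatour's post, and not OPNsense code): the "x.y.*.*" pattern maps directly onto CIDR notation, which is what an alias of type Network(s) in OPNsense accepts. The helper below converts a trailing-wildcard pattern such as "198.51.*.*" into "198.51.0.0/16", rejects patterns that cannot be expressed as one block, and checks whether a given address falls inside the resulting networks. The patterns and addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress


def wildcard_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Turn a dotted pattern with trailing wildcards, e.g. 'x.y.*.*',
    into the equivalent CIDR network (x.y.0.0/16).

    Only trailing wildcards are supported: a pattern such as 'x.*.y.*'
    does not map to a single CIDR block and is rejected.
    """
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets, got {pattern!r}")

    fixed = []
    for octet in octets:
        if octet == "*":
            break
        value = int(octet)  # raises ValueError on non-numeric input
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range in {pattern!r}")
        fixed.append(value)

    # every octet after the first wildcard must also be a wildcard
    if any(octet != "*" for octet in octets[len(fixed):]):
        raise ValueError(f"only trailing wildcards are supported: {pattern!r}")

    prefix_len = 8 * len(fixed)
    base = ".".join(str(v) for v in fixed + [0] * (4 - len(fixed)))
    return ipaddress.IPv4Network(f"{base}/{prefix_len}")


def build_blocklist(patterns):
    """Convert a list of patterns into network objects, ready for membership tests."""
    return [wildcard_to_network(p) for p in patterns]


def is_blocked(address: str, networks) -> bool:
    """True if the address falls inside any of the blocked networks."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    # Constructed sample patterns (RFC 5737 documentation ranges)
    blocklist = build_blocklist(["198.51.*.*", "203.0.113.*"])
    for net in blocklist:
        print(net)  # 198.51.0.0/16 and 203.0.113.0/24
    for addr in ("198.51.100.7", "203.0.113.200", "192.0.2.1"):
        print(addr, "blocked" if is_blocked(addr, blocklist) else "allowed")
```

The printed CIDR strings are the values to enter in the alias; the membership check is handy for confirming that an address you expect to be blocked really is inside the range before the rule goes live.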

#65
After upgrading to 23.1 I had/have an issue with accessing ntopng

In the previous version of OPNsense (22.7) I had set up the ntopng service to use a certificate related to duckdns.org

When I sign on to opnsense I use the address:
https://xxxx.duckdns.org/index.php
where xxxx is my duckdns name
this worked fine in the prior version of OPNsense and continues to work fine in 23.1

However, signing on to ntopng using
https://xxxx.duckdns.org:3000
no longer works.

The work-around for now is to use
http://xxxx.duckdns.org:3000
(no 's' after 'http')
and I can connect, but with an unsecured connection.

I am posting this here, but I am not sure if it is an opnsense or an ntopng issue.

Any thoughts?

#66
SOLVED

On my LAN interface, I set up a rule to log all direction in IPV4 UDP/TCP port 123 requests with a label of "log all NTP requests from LAN".  Also, I set up the same rule on my LANIOT interface but with a label of "log all NTP requests from LANIOT".

Next, I set up a live rule filter, filtering on a label that contains "log all NTP requests".

With this, I now get a realtime view of all the devices on my network that are requesting an NTP time update.

All log entries show the source device requesting the update.  The log entry also shows the IP address of where it is requesting the NTP entry from.  However, the request never goes there as it is intercepted and handled by the OPNsense NTP server.

In any case, the original problem is solved and reporting is what I needed.

Hope this will be of help to others.
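As an added example (not part of RobLatour's post, and not OPNsense's own code): the same label-based filtering can be done offline over exported log records to get a per-device count instead of a live scroll. The records below are constructed in a simplified comma-separated form, not OPNsense's real filterlog format, so the parser is an assumption; the label text and the time server address 192.168.1.193 come from the thread.

```python
from collections import defaultdict

# Constructed sample records in a simplified form (this is NOT OPNsense's
# real filterlog line format): interface,action,label,proto,src,dst,dport
SAMPLE_LOG = """\
lan,pass,log all NTP requests from LAN,udp,192.168.1.50,198.51.100.10,123
lan,pass,log all NTP requests from LAN,udp,192.168.1.50,198.51.100.10,123
lan,pass,allow web,tcp,192.168.1.50,192.0.2.80,443
laniot,pass,log all NTP requests from LANIOT,udp,192.168.2.20,198.51.100.11,123
laniot,pass,log all NTP requests from LANIOT,udp,192.168.2.21,192.168.1.193,123
laniot,pass,log all NTP requests from LANIOT,udp,192.168.2.21,192.168.1.193,123
lan,block,default deny,tcp,203.0.113.9,192.168.1.1,22
"""

FIELDS = ("interface", "action", "label", "proto", "src", "dst", "dport")


def parse_line(line):
    """Split one constructed record into a dict; returns None for malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def summarize_ntp_clients(text, label_substring="log all NTP requests"):
    """Per-source summary of records whose rule label contains label_substring.

    Returns {src: {"count": n, "interfaces": [...], "servers": [...]}}, where
    "servers" is the address each client *asked*, not who actually answered.
    """
    summary = defaultdict(lambda: {"count": 0, "interfaces": set(), "servers": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or label_substring not in rec["label"]:
            continue
        entry = summary[rec["src"]]
        entry["count"] += 1
        entry["interfaces"].add(rec["interface"])
        entry["servers"].add(rec["dst"])
    # freeze the sets into sorted lists so the result is stable and easy to compare
    return {
        src: {
            "count": e["count"],
            "interfaces": sorted(e["interfaces"]),
            "servers": sorted(e["servers"]),
        }
        for src, e in summary.items()
    }


def clients_not_using(summary, local_server):
    """Sources that asked some server other than local_server (e.g. a public pool)."""
    return sorted(
        src for src, e in summary.items()
        if any(server != local_server for server in e["servers"])
    )


if __name__ == "__main__":
    result = summarize_ntp_clients(SAMPLE_LOG)
    for src, e in sorted(result.items()):
        print(f"{src}: {e['count']} requests via {e['interfaces']} to {e['servers']}")
    print("asking non-local servers:", clients_not_using(result, "192.168.1.193"))
```

As the post notes, a request logged towards a public pool address never actually leaves the network when the OPNsense NTP server intercepts it, so the "servers" list tells you which devices are configured to ask an external pool, which is useful for deciding which clients still need their NTP setting pointed at the local server.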


#67
Ok - so now I've disabled the NAT Forwarding rule, and I've not included my server's ip address in Services - DHCPV4 - LAN - NTP Servers - Advanced.

What I am seeing from the logs of my time server itself is that it is being hit up for a time check approximately once a minute from 192.168.1.1, the box on which OPNsense is running.

Accordingly, what I have also done is blocked all outgoing IPV4 and IPV6 NTP requests from my two interfaces (LAN and LANIOT) except for an IPV4 NTP request from 192.168.1.1.

With this, my systems continues to get the time ok when there is a request for the time from an external pool (such as pool.ntp.org) with presumably the OPNsense NTP server stepping in and satisfying them, also the NTP request to 192.168.1.1 continues to happen about once a minute (which is presumably the OPNsense NTP server making sure it has the right time).

So I'm now reasonably comfortable OPNsense and the NTP server are doing what they are intended to.

The only thing I lack is the ability to see via the live logs (or in another way) which devices are hitting up the OPNsense NTP server for time info.
#68
I found Services - DHCPV4 - LAN - NTP Servers - Advanced
so I tried entering in my time servers address of 192.168.1.193
and turning off the NAT Forwarding rule - but again I'm not seeing what I would expect in my logs.

To be clear, what I would expect is that if, for example, I have a query to pool.ntp.org that I would see traffic flowing to my time server in the logs.
#69
I don't see that as an option

https://ibb.co/sswJDry

However, Network time is already a listed service (and the screen shot for its settings is in my original post).
#70
@newsense could you please expand on that ...
#71
I have built my own NTP time server and it is running on my network, and what I would like to do is ensure all NTP requests made on my network are routed to this time server only.

I have the NTP Service running on OPNsense. 
Here is how it is configured:
https://ibb.co/88cm6Td

As I originally understood the documentation here: https://docs.opnsense.org/manual/ntpd.html
Quote: OPNsense ships with a standard NTPd server, which synchronizes time with upstream servers and provides time to connected clients.

the above configuration would be all that I needed.

However, I wanted to be able to know which devices on my network are getting the time from the time server, and how often.  So, I thought I would just be able to add a rule that allowed that to happen.  But once done I was not seeing the traffic in the live logs that I expected (in fact I wasn't seeing any).

Here is the rule:
https://ibb.co/9t3ZnRJ

I then found this post, https://forum.opnsense.org/index.php?topic=27640.msg134274#msg134274 and with some tweaks for my situation (below) I did get the traffic I was expecting.

https://ibb.co/s1fDZCR

But there is a problem.

If I query the time server directly (192.168.1.193) from a computer on my network everything works fine.

However, from the same computer, if I query the time using pool.ntp.org I see the redirect but I also get a time-out.

If I remove the NAT port forwarding rule, it does not time out but in that case, the traffic is not going to my time server.

If you can provide any insights they would be appreciated.
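As an added example (not part of RobLatour's post, OPNsense, or the time server's code) covering the redirect question in this post and the two follow-ups (#67 and #68): a minimal NTP client that sends one mode-3 request and decodes the reply's stratum and reference ID. Those two fields identify which machine actually answered, which the reply's source address cannot do once a NAT redirect rewrites it back to the original destination. The two replies embedded below are constructed, not captured: a stratum-1 server disciplined by GPS, and a stratum-2 server whose upstream is 192.168.1.193 (the time server address from the post).

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
_PACKET = "!BBBb11I"           # 48-byte NTP header: flags, stratum, poll, precision, 11 x 32-bit words


def build_client_request() -> bytes:
    """Mode 3 (client) request with LI=0, VN=4 and our current time as the transmit timestamp."""
    now = time.time() + NTP_EPOCH_OFFSET
    tx_sec = int(now)
    tx_frac = int((now - tx_sec) * (1 << 32)) & 0xFFFFFFFF
    flags = (0 << 6) | (4 << 3) | 3  # leap=0, version=4, mode=3
    # root delay, root dispersion, refid, reference/originate/receive timestamps all zero
    return struct.pack(_PACKET, flags, 0, 6, -20, 0, 0, 0, 0, 0, 0, 0, 0, 0, tx_sec, tx_frac)


def parse_reply(data: bytes) -> dict:
    """Decode the fields that reveal who answered: mode, stratum, reference ID, transmit time."""
    if len(data) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    f = struct.unpack(_PACKET, data[:48])
    flags, stratum, refid_word, tx_sec = f[0], f[1], f[6], f[13]
    refid_bytes = struct.pack("!I", refid_word)
    if stratum <= 1:
        # stratum 0/1: refid is a four-character ASCII code such as GPS or PPS
        refid = refid_bytes.rstrip(b"\x00").decode("ascii", errors="replace")
    else:
        # stratum >= 2: refid is the IPv4 address of the server's own upstream source
        refid = ".".join(str(b) for b in refid_bytes)
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "refid": refid,
        "tx_time": tx_sec - NTP_EPOCH_OFFSET,
    }


def query(server: str, port: int = 123, timeout: float = 3.0) -> dict:
    """Send one request and decode the reply; 'answered_by' is the reply's source IP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (server, port))
        data, peer = sock.recvfrom(512)
    reply = parse_reply(data)
    reply["answered_by"] = peer[0]
    return reply


# Constructed replies for offline use (not captured traffic):
# stratum 1 with refid "GPS", and stratum 2 with refid 192.168.1.193 (0xC0A801C1)
STRATUM1_REPLY = struct.pack(_PACKET, 0x24, 1, 6, -20, 0, 0, 0x47505300,
                             *([0] * 6), 1674600000 + NTP_EPOCH_OFFSET, 0)
STRATUM2_REPLY = struct.pack(_PACKET, 0x24, 2, 6, -20, 0, 0, 0xC0A801C1,
                             *([0] * 6), 1674600000 + NTP_EPOCH_OFFSET, 0)


if __name__ == "__main__":
    import sys
    for label, packet in (("stratum-1 sample", STRATUM1_REPLY), ("stratum-2 sample", STRATUM2_REPLY)):
        print(label, parse_reply(packet))
    if len(sys.argv) > 1:
        # e.g. python ntp_check.py 192.168.1.193   or   python ntp_check.py pool.ntp.org
        try:
            print(query(sys.argv[1]))
        except socket.timeout:
            print("no reply within timeout (the symptom described for the redirected query)")
```

Run it once against the time server directly and once against pool.ntp.org from the same client. With the port forward active, "answered_by" will still show the pool address because pf translates the reply back, but the stratum and refid will match the local server's own values if the redirect is doing its job; a socket timeout on the pool query and a normal reply on the direct one reproduces exactly the symptom described in the post.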
#72
22.7 Legacy Series / Re: ntopng not starting
January 25, 2023, 01:49:25 AM
I've opened an issue on the ntopng GitHub page.
https://github.com/ntop/ntopng/issues/7154
#73
22.7 Legacy Series / ntopng not starting
January 24, 2023, 11:25:58 PM
I had the community version of ntopng installed some time ago and it was working fine.  However, I hadn't used it in several months and when I went to use it today it didn't work.

I looked at the logs and am seeing this (the topline that starts with 'CLOG' is how it is showing up) - seems corrupted?:

Date
Severity
Process
Line
           CLOGq���   
2022-08-28T10:46:42       ntopng[79768]   [Utils.cpp:3612] WARNING: Network discovery and other privileged activities will fail   
2022-08-28T10:46:42       ntopng[79768]   [Utils.cpp:3611] WARNING: ntopng has not been compiled with libcap-dev   
2022-08-28T10:38:03       ntopng[5225]   [Utils.cpp:3612] WARNING: Network discovery and other privileged activities will fail   
2022-08-28T10:38:03       ntopng[5225]   [Utils.cpp:3611] WARNING: ntopng has not been compiled with libcap-dev   
2022-08-14T15:53:25       ntopng[99579]   [Utils.cpp:3612] WARNING: Network discovery and other privileged activities will fail   
2022-08-14T15:53:25       ntopng[99579]   [Utils.cpp:3611] WARNING: ntopng has not been compiled with libcap-dev   
2022-08-03T22:22:53       ntopng[91162]   [Utils.cpp:3612] WARNING: Network discovery and other privileged activities will fail   
2022-08-03T22:22:53       ntopng[91162]   [Utils.cpp:3611] WARNING: ntopng has not been compiled with libcap-dev   
2022-06-22T10:38:04       ntopng[94041]   [Redis.cpp:150] ERROR: to specify a redis server other than the default   
2022-06-22T10:38:04       ntopng[94041]   [Redis.cpp:149] ERROR: Please start it and try again or use -r   
2022-06-22T10:38:04       ntopng[94041]   [Redis.cpp:148] ERROR: ntopng requires redis server to be up and running   
2022-06-22T10:38:03       ntopng[94041]   [Redis.cpp:99] ERROR: Connection error [Operation timed out]   
2022-06-22T10:38:01       ntopng[94041]   [Redis.cpp:99] ERROR: Connection error [Operation timed out]   
2022-06-22T10:37:58       ntopng[94041]   [Redis.cpp:99] ERROR: Connection error [Operation timed out]


I updated to the latest versions of OPNsense:
OPNsense 22.7.11-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022

and tried restarting the ntopng service.  No love.

Any suggestions on how I can get ntopng working again?

Edit: and I should add that in relation to the line that reads "ntopng requires redis server to be up and running" I checked and according to the dashboard the redis service is running.

#74
Got it to work as you suggested.  Thanks, Rob
#75
got it to work.

I changed so many things back and forth I'm not sure what it was, but it was most likely my password or shared key containing a special character ( "\" ) and/or being miskeyed.