Messages - abel408

#1
Hi all,

I have OpenVPN set up with several clients. Each client has a /24 network in the 10.1.0.0/16 range (client1 is 10.1.1.0/24, client 2 is 10.1.2.0/24, etc...). This works great, although I'm not sure how these routes are created. I notice in my routes -> Status I have this entry for my VPN networks: ipv4   10.1.0.0/16   10.1.0.2   UGS   214746   1500   ovpns1

It looks like a static route, but I don't believe I have that defined anywhere. It's not in my Route -> All list and I don't have an interface assigned nor a gateway setup for OpenVPN.

Everything is currently working great, but I want to add another VPN network that has a 10.2.0.0/16 subnet behind it. I'm not sure how to create a route for this network that would direct traffic destined to 10.2.0.0/16 to OpenVPN. I tried to create an interface for ovpns1, but when I enabled it and assigned it the 10.1.0.2 address, it killed all my other VPN connections.

How are these VPN routes created in OPNsense? Any help is greatly appreciated!
#2
Ok.... I found out that without IPS enabled, my rules will just alert me (Even if they are labeled as block). So it appears that IPS does need to be enabled to block traffic. I am then able to pick and choose which rules will just alert and allow traffic and which rules should alert and drop traffic.
#3
Hello!

I'm in the process of setting up intrusion protection with Suricata and I am a bit confused after looking at the options and reading the documentation.

What does the "IPS Mode" setting exactly do? I see that it says it blocks traffic. What kind of traffic? Does it block all my rules, even the ones that I have set to alert only?

I want to be able to pick and choose which rules should be blocked, which rules should log alerts and allow, and which rules should be ignored. Does IPS mode need to be enabled to do this?
#4
Thanks for the response. Yes, I was able to fix this. Strange that the upgrade to 17.1 switched my console to serial...
#5
Thanks Franco for your help. I was able to revive my system by using a FreeBSD live CD and mounting my gmirror. Then I edited the /conf/config.xml file to NOT include the LAN interface on IDS. After that and a reboot, OPNsense started up and I was able to SSH and log into the web interface once again.

I also fixed my console by going to System -> Settings -> Administration and changing the primary console from Serial to VGA. Not sure why it was set to Serial. I'm guessing an OPNsense update changed it, as I wasn't having any console issues when it was first installed.
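The recovery step described in this post, editing /conf/config.xml offline so the IDS no longer binds to the LAN interface, as an added example that is not part of the original post or of OPNsense itself. The element path OPNsense/IDS/general/interfaces and the comma-separated interface list are assumptions about the config layout; check them against your own config.xml. The script writes a .bak copy before touching the file.

```python
"""Remove one interface from the OPNsense IDS interface list in config.xml.

Added illustration; the element path below is assumed, not taken from the
OPNsense sources. Verify it against your own /conf/config.xml first.
"""
import xml.etree.ElementTree as ET

# Assumed location of the IDS interface list inside config.xml.
IDS_IFACES_PATH = "./OPNsense/IDS/general/interfaces"

# Constructed config fragment (not a real OPNsense config) with IDS enabled
# on both WAN and LAN, which is the state that locked the poster out.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <OPNsense>
    <IDS>
      <general>
        <enabled>1</enabled>
        <ips>0</ips>
        <interfaces>wan,lan</interfaces>
      </general>
    </IDS>
  </OPNsense>
</opnsense>
"""


def ids_interfaces(xml_text):
    """Return the interfaces the IDS is configured on, or [] if none/unset."""
    node = ET.fromstring(xml_text).find(IDS_IFACES_PATH)
    if node is None or not (node.text or "").strip():
        return []
    return [i.strip() for i in node.text.split(",") if i.strip()]


def remove_ids_interface(xml_text, iface):
    """Drop `iface` from the IDS list; return (new_xml_text, remaining_list)."""
    root = ET.fromstring(xml_text)
    node = root.find(IDS_IFACES_PATH)
    if node is None:
        raise LookupError(f"no element at assumed path {IDS_IFACES_PATH}")
    remaining = [i for i in ids_interfaces(xml_text) if i != iface]
    node.text = ",".join(remaining)
    # ET.tostring omits the XML declaration, so it is re-added here.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode") + "\n", remaining


def edit_config_file(path, iface):
    """Back up `path` to `path + '.bak'`, then rewrite it without `iface` on the IDS."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    new_text, remaining = remove_ids_interface(original, iface)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return remaining


if __name__ == "__main__":
    # Dry run on the constructed sample; on a mounted disk you would call
    # edit_config_file("/mnt/conf/config.xml", "lan") instead.
    print("before:", ids_interfaces(SAMPLE_CONFIG))
    _, after = remove_ids_interface(SAMPLE_CONFIG, "lan")
    print("after: ", after)
```

Run it from the live CD against the mounted root (for example /mnt/conf/config.xml after mounting the gmirror), then reboot; the IDS will come up on the remaining interfaces only, and the .bak copy lets you restore the previous state once the lockout is understood.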
#6
I am also having this issue! I also have a supermicro board. I get the same exact output as bringha on my monitor+keyboard directly connected to the opnsense box. The only difference is that I never get a login prompt! Bringha, did you change any bios settings to get the login prompt?

#7
Thanks Franco...

Just want to make sure I am removing it and not just setting it to 0.


Also, I don't think the console issue is related to IDS anymore. I'm thinking IDS is just locking me out of SSH and the web gui... although I'm not sure why.

I vaguely remember the console breaking after an OPNSense upgrade. I have a supermicro board and the only thing I get on my console after a reboot is this: http://i.imgur.com/ezgLFJN.jpg (Ignore the pfsense mirror name. I created the mirror with pfsense, then installed opnsense on it).

Any recommendations to getting the console to work again?
#8
Hey bringha... Sorry to bring up an old thread, but did you ever get your login prompt back? My OPNsense is stuck after mounting the OPNsense disk and then just displays my USB devices. Only thing I can do is scroll lock and page up and down the boot output. I also believe I locked myself out somehow by enabling IDS. I also have a supermicro board. I wonder if I can access the console from IPMI...
#9
I'm beginning to think the only way I can fix this is with a recovery disk. If I boot into a recovery OS and mount my OPNsense disk, what and where would I need to go to disable Suricata?
#10
So I configured Intrusion Protection on my OPNsense router and I enabled it for the WAN interface. Everything went well, I was receiving a lot of alerts and realized that some of them are low threat alerts that I didn't need. I then enabled the LAN interface as well (I was just receiving alerts from my WAN IP address to external hosts). This is when things broke. I am now not able to get into the web interface or SSH of my OPNsense box. All rules were set to alerts except for the Abuse.ch rules which were set to drop. I also created rules to automatically drop packets from different geographical locations (China, Russia, India).

To make matters worse, the actual console seems unresponsive. I plugged a keyboard and monitor in to my OPNsense box and I am not able to do anything. A reboot did nothing either.


The console output displays this:
GEOM_MIRROR: Device mirror/opnsenseMirror launched (2/2)
timecounter "TSC-low" frequency 1750032538 Hz Quality 1000
Trying to mount root from ufs:/dev/mirror/opnsenseMirror1a [rw]...
uhub0: 2 ports with 2 removable, self powered
uhub1: 2 ports with 2 removable, self powered
ugen1.2: <vendor 0x8087> at usbus1
uhub2: <vendor 0x807 product 0x8000, class 9/0, rev 2.00/0.05, addr 2> on usbus1


And it just stops there. Pressing enter on the keyboard does nothing. If I unplug the keyboard, I get output that the usb was unplugged.

Alt+sysrq+reisub doesn't seem to do anything either, but pressing the power button on my box shuts down the system. Is there any way to interrupt the boot process of OPNsense so I can disable the intrusion protection and get my system working again?
#11
I was trying to avoid that, but it sounds like that's my only option at this point...
#12
This problem isn't isolated to just the switch or cable. Anything I plug into this interface card has this issue. My 2 onboard interface ports are the only ones that are working correctly.
#13
Quote from: faunsen on May 19, 2017, 02:17:59 PM
@abel408
Please post the output of
sysctl dev.igb.0
sysctl hw.igb
netstat -idb -I igb0

I've switched ports to igb2

sysctl dev.igb.2

dev.igb.2.host.header_redir_missed: 0
dev.igb.2.host.serdes_violation_pkt: 0
dev.igb.2.host.length_errors: 0
dev.igb.2.host.tx_good_bytes: 2584813
dev.igb.2.host.rx_good_bytes: 9629714
dev.igb.2.host.breaker_tx_pkt_drop: 0
dev.igb.2.host.tx_good_pkt: 0
dev.igb.2.host.breaker_rx_pkt_drop: 0
dev.igb.2.host.breaker_rx_pkts: 0
dev.igb.2.host.rx_pkt: 2
dev.igb.2.host.host_tx_pkt_discard: 0
dev.igb.2.host.breaker_tx_pkt: 0
dev.igb.2.interrupts.rx_overrun: 0
dev.igb.2.interrupts.rx_desc_min_thresh: 0
dev.igb.2.interrupts.tx_queue_min_thresh: 1626039
dev.igb.2.interrupts.tx_queue_empty: 23780
dev.igb.2.interrupts.tx_abs_timer: 0
dev.igb.2.interrupts.tx_pkt_timer: 0
dev.igb.2.interrupts.rx_abs_timer: 0
dev.igb.2.interrupts.rx_pkt_timer: 115268
dev.igb.2.interrupts.asserts: 3561305
dev.igb.2.mac_stats.tso_ctx_fail: 0
dev.igb.2.mac_stats.tso_txd: 0
dev.igb.2.mac_stats.tx_frames_1024_1522: 278
dev.igb.2.mac_stats.tx_frames_512_1023: 588
dev.igb.2.mac_stats.tx_frames_256_511: 285
dev.igb.2.mac_stats.tx_frames_128_255: 144
dev.igb.2.mac_stats.tx_frames_65_127: 16075
dev.igb.2.mac_stats.tx_frames_64: 6410
dev.igb.2.mac_stats.mcast_pkts_txd: 5
dev.igb.2.mac_stats.bcast_pkts_txd: 26
dev.igb.2.mac_stats.good_pkts_txd: 23780
dev.igb.2.mac_stats.total_pkts_txd: 116515
dev.igb.2.mac_stats.total_octets_txd: 8519853
dev.igb.2.mac_stats.good_octets_txd: 2584813
dev.igb.2.mac_stats.total_octets_recvd: 11198418
dev.igb.2.mac_stats.good_octets_recvd: 9629714
dev.igb.2.mac_stats.rx_frames_1024_1522: 1114
dev.igb.2.mac_stats.rx_frames_512_1023: 803
dev.igb.2.mac_stats.rx_frames_256_511: 218
dev.igb.2.mac_stats.rx_frames_128_255: 193
dev.igb.2.mac_stats.rx_frames_65_127: 1006
dev.igb.2.mac_stats.rx_frames_64: 111936
dev.igb.2.mac_stats.mcast_pkts_recvd: 0
dev.igb.2.mac_stats.bcast_pkts_recvd: 111044
dev.igb.2.mac_stats.good_pkts_recvd: 115270
dev.igb.2.mac_stats.total_pkts_recvd: 139781
dev.igb.2.mac_stats.mgmt_pkts_txd: 0
dev.igb.2.mac_stats.mgmt_pkts_drop: 0
dev.igb.2.mac_stats.mgmt_pkts_recvd: 0
dev.igb.2.mac_stats.unsupported_fc_recvd: 0
dev.igb.2.mac_stats.xoff_txd: 58621
dev.igb.2.mac_stats.xoff_recvd: 0
dev.igb.2.mac_stats.xon_txd: 34114
dev.igb.2.mac_stats.xon_recvd: 0
dev.igb.2.mac_stats.coll_ext_errs: 0
dev.igb.2.mac_stats.tx_no_crs: 0
dev.igb.2.mac_stats.alignment_errs: 0
dev.igb.2.mac_stats.crc_errs: 0
dev.igb.2.mac_stats.recv_errs: 0
dev.igb.2.mac_stats.recv_jabber: 0
dev.igb.2.mac_stats.recv_oversize: 0
dev.igb.2.mac_stats.recv_fragmented: 0
dev.igb.2.mac_stats.recv_undersize: 0
dev.igb.2.mac_stats.recv_no_buff: 0
dev.igb.2.mac_stats.recv_length_errors: 0
dev.igb.2.mac_stats.missed_packets: 24511
dev.igb.2.mac_stats.defer_count: 0
dev.igb.2.mac_stats.sequence_errors: 0
dev.igb.2.mac_stats.symbol_errors: 0
dev.igb.2.mac_stats.collision_count: 0
dev.igb.2.mac_stats.late_coll: 0
dev.igb.2.mac_stats.multiple_coll: 0
dev.igb.2.mac_stats.single_coll: 0
dev.igb.2.mac_stats.excess_coll: 0
dev.igb.2.queue7.lro_flushed: 0
dev.igb.2.queue7.lro_queued: 0
dev.igb.2.queue7.rx_bytes: 0
dev.igb.2.queue7.rx_packets: 182577
dev.igb.2.queue7.rxd_tail: 1023
dev.igb.2.queue7.rxd_head: 0
dev.igb.2.queue7.tx_packets: 4035
dev.igb.2.queue7.no_desc_avail: 0
dev.igb.2.queue7.txd_tail: 93
dev.igb.2.queue7.txd_head: 0
dev.igb.2.queue7.interrupt_rate: 8000
dev.igb.2.queue6.lro_flushed: 0
dev.igb.2.queue6.lro_queued: 0
dev.igb.2.queue6.rx_bytes: 0
dev.igb.2.queue6.rx_packets: 114128
dev.igb.2.queue6.rxd_tail: 1023
dev.igb.2.queue6.rxd_head: 0
dev.igb.2.queue6.tx_packets: 1087
dev.igb.2.queue6.no_desc_avail: 0
dev.igb.2.queue6.txd_tail: 82
dev.igb.2.queue6.txd_head: 0
dev.igb.2.queue6.interrupt_rate: 8000
dev.igb.2.queue5.lro_flushed: 0
dev.igb.2.queue5.lro_queued: 0
dev.igb.2.queue5.rx_bytes: 0
dev.igb.2.queue5.rx_packets: 11567
dev.igb.2.queue5.rxd_tail: 1023
dev.igb.2.queue5.rxd_head: 0
dev.igb.2.queue5.tx_packets: 561
dev.igb.2.queue5.no_desc_avail: 0
dev.igb.2.queue5.txd_tail: 22
dev.igb.2.queue5.txd_head: 0
dev.igb.2.queue5.interrupt_rate: 8000
dev.igb.2.queue4.lro_flushed: 0
dev.igb.2.queue4.lro_queued: 0
dev.igb.2.queue4.rx_bytes: 0
dev.igb.2.queue4.rx_packets: 136909
dev.igb.2.queue4.rxd_tail: 1023
dev.igb.2.queue4.rxd_head: 0
dev.igb.2.queue4.tx_packets: 11072
dev.igb.2.queue4.no_desc_avail: 4095
dev.igb.2.queue4.txd_tail: 0
dev.igb.2.queue4.txd_head: 0
dev.igb.2.queue4.interrupt_rate: 8000
dev.igb.2.queue3.lro_flushed: 0
dev.igb.2.queue3.lro_queued: 0
dev.igb.2.queue3.rx_bytes: 0
dev.igb.2.queue3.rx_packets: 328
dev.igb.2.queue3.rxd_tail: 1023
dev.igb.2.queue3.rxd_head: 0
dev.igb.2.queue3.tx_packets: 5116
dev.igb.2.queue3.no_desc_avail: 5103
dev.igb.2.queue3.txd_tail: 1022
dev.igb.2.queue3.txd_head: 0
dev.igb.2.queue3.interrupt_rate: 8000
dev.igb.2.queue2.lro_flushed: 0
dev.igb.2.queue2.lro_queued: 0
dev.igb.2.queue2.rx_bytes: 0
dev.igb.2.queue2.rx_packets: 239406
dev.igb.2.queue2.rxd_tail: 1023
dev.igb.2.queue2.rxd_head: 0
dev.igb.2.queue2.tx_packets: 3577
dev.igb.2.queue2.no_desc_avail: 5095
dev.igb.2.queue2.txd_tail: 1022
dev.igb.2.queue2.txd_head: 0
dev.igb.2.queue2.interrupt_rate: 8000
dev.igb.2.queue1.lro_flushed: 0
dev.igb.2.queue1.lro_queued: 0
dev.igb.2.queue1.rx_bytes: 0
dev.igb.2.queue1.rx_packets: 342474
dev.igb.2.queue1.rxd_tail: 1023
dev.igb.2.queue1.rxd_head: 0
dev.igb.2.queue1.tx_packets: 2683
dev.igb.2.queue1.no_desc_avail: 5103
dev.igb.2.queue1.txd_tail: 1022
dev.igb.2.queue1.txd_head: 0
dev.igb.2.queue1.interrupt_rate: 8000
dev.igb.2.queue0.lro_flushed: 0
dev.igb.2.queue0.lro_queued: 0
dev.igb.2.queue0.rx_bytes: 0
dev.igb.2.queue0.rx_packets: 68432
dev.igb.2.queue0.rxd_tail: 1023
dev.igb.2.queue0.rxd_head: 0
dev.igb.2.queue0.tx_packets: 4274
dev.igb.2.queue0.no_desc_avail: 4095
dev.igb.2.queue0.txd_tail: 0
dev.igb.2.queue0.txd_head: 0
dev.igb.2.queue0.interrupt_rate: 8000
dev.igb.2.fc_low_water: 33152
dev.igb.2.fc_high_water: 33168
dev.igb.2.rx_buf_alloc: 0
dev.igb.2.tx_buf_alloc: 0
dev.igb.2.extended_int_mask: 2147483648
dev.igb.2.interrupt_mask: 4
dev.igb.2.rx_control: 67141634
dev.igb.2.device_control: 1490027073
dev.igb.2.watchdog_timeouts: 0
dev.igb.2.rx_overruns: 0
dev.igb.2.tx_dma_fail: 0
dev.igb.2.mbuf_defrag_fail: 0
dev.igb.2.link_irq: 2
dev.igb.2.dropped: 135555
dev.igb.2.tx_processing_limit: -1
dev.igb.2.rx_processing_limit: 100
dev.igb.2.fc: 3
dev.igb.2.enable_aim: 1
dev.igb.2.nvm: -1
dev.igb.2.%parent: pci1
dev.igb.2.%pnpinfo: vendor=0x8086 device=0x150e subvendor=0x8086 subdevice=0x12a1 class=0x020000
dev.igb.2.%location: slot=0 function=2 dbsf=pci0:1:0:2
dev.igb.2.%driver: igb
dev.igb.2.%desc: Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k


sysctl hw.igb

hw.igb.tx_process_limit: -1
hw.igb.rx_process_limit: 100
hw.igb.num_queues: 0
hw.igb.header_split: 0
hw.igb.buf_ring_size: 4096
hw.igb.max_interrupt_rate: 8000
hw.igb.enable_msix: 1
hw.igb.enable_aim: 1
hw.igb.txd: 1024
hw.igb.rxd: 1024


netstat -idb -I igb2

Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll  Drop
igb2   1500 <Link#3>      00:1b:21:a6:c5:06   115293 135555 24511    9631186    23780     0    2584813     0 109068
igb2      - fe80::%igb2/6 fe80::21b:21ff:fe        0     -     -          0        1     -         96     -     -
igb2      - x.x.x.x.0/2 x-x-x-x.tvc-i    17976     -     -    1500557        0     -          0     -     -
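
A small parser for the `netstat -idb -I <ifname>` output posted above, as an added example that is not from the thread or from OPNsense: it reads the column layout, keeps the `<Link#N>` row (the only row that carries hardware counters), and flags input errors, input drops and output-queue drops that are out of proportion to the packet counts. The sample is the three igb2 rows exactly as posted; the ratio thresholds are assumptions, not FreeBSD defaults. On this sample the Ierrs figure (135555) is the same number shown as `dev.igb.2.dropped` in the sysctl dump, and Idrop (24511) matches `dev.igb.2.mac_stats.missed_packets`, which is why the link row is the one worth watching.

```python
"""Parse FreeBSD `netstat -idb -I <ifname>` output and flag unhealthy counters.

Added illustration, not code from the thread. Thresholds are assumptions.
"""

# Trailing numeric columns of `netstat -idb`, in the order netstat prints them.
NUMERIC_COLUMNS = ("Ipkts", "Ierrs", "Idrop", "Ibytes", "Opkts",
                   "Oerrs", "Obytes", "Coll", "Drop")

# Constructed sample: the igb2 rows from the post (inet row anonymised as posted).
SAMPLE = """\
Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll  Drop
igb2   1500 <Link#3>      00:1b:21:a6:c5:06   115293 135555 24511    9631186    23780     0    2584813     0 109068
igb2      - fe80::%igb2/6 fe80::21b:21ff:fe        0     -     -          0        1     -         96     -     -
igb2      - x.x.x.x.0/2 x-x-x-x.tvc-i    17976     -     -    1500557        0     -          0     -     -
"""


def _to_int(token):
    # netstat prints "-" for counters that do not apply to address rows.
    return None if token == "-" else int(token)


def parse_netstat_idb(text):
    """Return one dict per row. Counters are ints, or None where netstat printed '-'."""
    rows = []
    n = len(NUMERIC_COLUMNS)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Name":
            continue
        if len(fields) < n + 3:
            raise ValueError(f"unexpected netstat row: {line!r}")
        row = {
            "name": fields[0],
            "mtu": _to_int(fields[1]),
            "network": fields[2],
            # Address may be truncated by netstat; join whatever is left.
            "address": " ".join(fields[3:-n]),
        }
        row.update(zip(NUMERIC_COLUMNS, map(_to_int, fields[-n:])))
        rows.append(row)
    return rows


def link_rows(rows):
    """Only the <Link#N> row carries hardware counters; address rows repeat '-'."""
    return [r for r in rows if r["network"].startswith("<Link#")]


def assess(row, err_ratio=0.001, drop_ratio=0.001):
    """Return human-readable findings for one link row (thresholds are assumptions)."""
    findings = []
    ipkts = row["Ipkts"] or 0
    opkts = row["Opkts"] or 0
    if ipkts and (row["Ierrs"] or 0) / ipkts > err_ratio:
        findings.append(f"{row['name']}: {row['Ierrs']} input errors against {ipkts} packets received")
    if ipkts and (row["Idrop"] or 0) / ipkts > drop_ratio:
        findings.append(f"{row['name']}: {row['Idrop']} input drops (missed packets) against {ipkts} received")
    if opkts and (row["Oerrs"] or 0) / opkts > err_ratio:
        findings.append(f"{row['name']}: {row['Oerrs']} output errors against {opkts} packets sent")
    if opkts and (row["Drop"] or 0) / opkts > drop_ratio:
        findings.append(f"{row['name']}: {row['Drop']} output queue drops against {opkts} packets sent")
    if row["Coll"]:
        findings.append(f"{row['name']}: {row['Coll']} collisions (check duplex settings)")
    return findings


if __name__ == "__main__":
    # Usage: netstat -idb -I igb2 | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for link in link_rows(parse_netstat_idb(text)):
        for finding in assess(link):
            print(finding)
```

Feed the script the output of `netstat -idb -I igb2` (or any other interface) and it prints nothing for a healthy link; on the posted sample it reports the input errors, the input drops and the output-queue drops, while the zero Oerrs and Coll columns stay quiet.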


#14
I just upgraded to the latest version and I'm still seeing this issue.

I have attached other devices to the Intel 82580 network controller and they also lose their ARP entry. The onboard network controller works fine.