Messages

1

Intrusion Detection and Prevention / Re: log4j vulnerability detection

« on: December 13, 2021, 09:46:11 am »

Hi, I am not sure if this will help at all ... google states:

The Cloud Armor WAF rules use a variety of techniques to detect attempted obfuscations and bypasses within attempted exploits of CVE-2021-44228.

But there are probably just way to many ways to obfuscate that simple string ... good enough to catch the script kiddies.

Best regards,

    Space

2

21.1 Legacy Series / Re: Suricata IDS/IPS ~56% slower than before update

« on: February 11, 2021, 12:33:53 am »

Hi,

that workaround does not help with my system (igb driver). iperf3 stays at ~600Mb/s ...

Best regards, Space

3

20.1 Legacy Series / Re: IPv6RD broken again?

« on: February 13, 2020, 04:46:38 pm »

@Admin: can you move my stuff to a new thread? Or even delete it, because I will check with AVM first ... maybe it broke during the firmware upgrade I did some time ago ... without noticing me ...

Just to close my interruption: it's a known bug in FritzBox firmware starting version 7.10 ...

4

20.1 Legacy Series / Re: IPv6RD broken again?

« on: February 11, 2020, 09:20:47 pm »

Oh, my fault. I misread it and read PD, prefix delegation ...

@Admin: can you move my stuff to a new thread? Or even delete it, because I will check with AVM first ... maybe it broke during the firmware upgrade I did some time ago ... without noticing me ...

5

20.1 Legacy Series / Re: IPv6RD broken again?

« on: February 11, 2020, 09:24:28 am »

Did some network tracing on the FritzBox, both on the LAN and WAN side (of the FritzBox)

- ICMPv6 from the OPNsense box can be seen in both LAN and WAN trace on the FritzBox
- ICMPv6 from the client can only be seen in the LAN trace on the FritzBox

Does this mean there is something wrong on the FritzBox settings?

6

20.1 Legacy Series / Re: IPv6RD broken again?

« on: February 11, 2020, 07:26:37 am »

Did you try what worked for me?

Hi,

since I have two internal interfaces (LAN and OPT1) I need to specify an "IPv6 Prefix ID" (this is what you meant with unique identifier, right?). And changing it does not help either.

7

20.1 Legacy Series / Re: IPv6RD broken again?

« on: February 11, 2020, 01:13:19 am »

Btw. ... I can ping6 the OPNsense from LAN and I can also ping the FritzBox from LAN ... wtf ... but the next step I can only ping from the OPNsense, not from LAN.

In the firewall logs I can see OK messages with

Code: [Select]

<IPv6 of LAN system> ipv6-icmp let out anything from firewall host itself
<IPv6 of LAN system> ipv6-icmp let out anything from firewall host itself
<IPv6 of WAN if on OPNsense> ipv6-icmp let out anything from firewall host itself (force gw)
<IPv6 of LAN system> ipv6-icmp let out anything from firewall host itself
<IPv6 of LAN system> ipv6-icmp let out anything from firewall host itself


8

20.1 Legacy Series / Re: IPv6RD broken again?

« on: February 11, 2020, 01:02:25 am »

I am facing the same issue. But switching back to 19.7 did not help either ... not sure when it broke. I know IPv6 was working fine on my clients at some point in time.

My setup is like this: internet <--> FritzBox (get's /56 from telco provider) <--> OPNsense (requests /60) <--> LAN / OPT1.

I see the following in the logs:

Code: [Select]

Feb 11 00:57:25 OPNvirt dhcp6c[64003]: restarting
Feb 11 00:57:25 OPNvirt dhcp6c[64003]: Start address release
Feb 11 00:57:25 OPNvirt dhcp6c[64003]: Sending Release
Feb 11 00:57:25 OPNvirt dhcp6c[64003]: failed to remove an address on igb0: Can't assign requested address
Feb 11 00:57:25 OPNvirt dhcp6c[64003]: remove an address 2a03:...:9bf6/64 on igb2
Feb 11 00:57:25 OPNvirt dhcp6c[64003]: Received REPLY for RELEASE
Feb 11 00:57:25 OPNvirt dhcp6c[64003]: status code: success
Feb 11 00:57:25 OPNvirt dhcp6c: dhcp6c RELEASE on igb1 - running newipv6
Feb 11 00:57:25 OPNvirt opnsense: plugins_configure dhcp (,inet6)
Feb 11 00:57:25 OPNvirt opnsense: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6))
Feb 11 00:57:25 OPNvirt opnsense: /usr/local/etc/rc.newwanipv6: Warning! dhcpd_radvd_configure(auto) found no suitable IPv6 address on igb0
Feb 11 00:57:25 OPNvirt opnsense: /usr/local/etc/rc.newwanipv6: Warning! dhcpd_radvd_configure(auto) found no suitable IPv6 address on igb2
Feb 11 00:57:28 OPNvirt dhcp6c[64003]: Sending Solicit
Feb 11 00:57:28 OPNvirt dhcp6c[64003]: unknown or unexpected DHCP6 option opt_86, len 16
Feb 11 00:57:29 OPNvirt dhcp6c[64003]: Sending Request
Feb 11 00:57:29 OPNvirt dhcp6c[64003]: unknown or unexpected DHCP6 option opt_86, len 16
Feb 11 00:57:29 OPNvirt dhcp6c[64003]: Received REPLY for REQUEST
Feb 11 00:57:29 OPNvirt dhcp6c[64003]: add an address 2a03:......:9bf4/64 on igb0
Feb 11 00:57:29 OPNvirt dhcp6c[64003]: add an address 2a03:......:9bf6/64 on igb2
Feb 11 00:57:29 OPNvirt dhcp6c: dhcp6c REQUEST on igb1 - running newipv6
Feb 11 00:57:29 OPNvirt opnsense: plugins_configure dhcp (,inet6)
Feb 11 00:57:29 OPNvirt opnsense: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6))
In the dashboard I see the assigned addresses for LAN and OPT1 but WAN only shows the link local address although ifconfig reports the assigned address as

Code: [Select]

inet6 2a03:......:9bf5 prefixlen 64 autoconf
On the OPNsense I can ping6 all hosts ... but on the LAN side I can not. Any idea how to continue troubleshooting?

Some further infos about my config:

Code: [Select]

WAN interface:
IPv6 configuration type DHCPv6
Request only an IPv6 prefix yes
Prefix delegation size 60
Send IPv6 prefix hint yes

LAN/OPT1 interface:
Track interface WAN
IPv6 Prefix ID 0 / 1

9

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: July 20, 2019, 01:25:31 pm »

@mb Thanks for the quick response ... I have updated to 0.8.1. When are the logfiles usually pruned? At some specific time?

Yes, it's fixed now ... I just checked and it only kept the last 14 days ... now it's using only 2GB ...

Thanks!

10

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: July 20, 2019, 12:04:03 pm »

@mb Thanks for the quick response ... I have updated to 0.8.1. When are the logfiles usually pruned? At some specific time?

11

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: July 18, 2019, 09:05:12 pm »

Hi MB,

where can I configure the retention time for the worker logs? Shouldn't they be compressed somehow?
On my system the worker logs takes about 13GB ...

Thanks and best regards,

    Space

12

19.1 Legacy Series / Re: dpinger (IPv6) dies after upstream IP renewal

« on: May 29, 2019, 02:38:46 pm »

Just to be clear: this issue was present since a longer time ... so it did not start with 19.1.8 ...

Best regards,

    Space

13

19.1 Legacy Series / dpinger (IPv6) dies after upstream IP renewal

« on: May 29, 2019, 02:38:06 pm »

Hi,

I am running OPNsense behind a FritzBox (which get's new IPv4 and IPv6 addresses each night) and with 19.1.8 the dpinger always dies during IP renewal. The IPv6 address on WAN get's renewed via DHCPv6 and LAN follows WAN IPv6 address. In the log (gateways.log) I only see the following lines:

Code: [Select]

May 29 03:58:57 OPNvirt dpinger: WAN_DHCP6 2a03:f580:2:0:85:22:54:90: Alarm latency 1948us stddev 150us loss 22%
May 29 03:58:57 OPNvirt dpinger: GATEWAY ALARM: WAN_DHCP6 (Addr: 2a03:f580:2:0:85:22:54:90 Alarm: 1 RTT: 1948ms RTTd: 150ms Loss: 22%)
In system.log I only find the DHCP Reply before and after the renewal and OpenVPN complaining:

Code: [Select]

May 29 03:44:49 OPNvirt dhcp6c[46992]: Sending Renew
May 29 03:44:49 OPNvirt dhcp6c[46992]: unknown or unexpected DHCP6 option opt_86, len 16
May 29 03:44:49 OPNvirt dhcp6c[46992]: Received REPLY for RENEW
May 29 03:58:59 OPNvirt opnsense: /usr/local/etc/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP6.
May 29 03:58:59 OPNvirt opnsense: /usr/local/etc/rc.openvpn: OpenVPN: Resync server1 SpaceNet OpenVPN Server
May 29 04:14:49 OPNvirt dhcp6c[46992]: Sending Renew
May 29 04:14:49 OPNvirt dhcp6c[46992]: Received REPLY for RENEW
May 29 04:14:49 OPNvirt dhcp6c[46992]: status code: no binding
If I start the IPv6 dpinger it works fine until the next morning ...

Code: [Select]

May 29 14:36:23 OPNvirt opnsense: /status_services.php: Removing static route for monitor 2a03:f580:2:0:85:22:54:90 via fe80::eadf:70ff:fe59:bd49%igb1
May 29 14:36:23 OPNvirt opnsense: /status_services.php: Adding static route for monitor 2a03:f580:2:0:85:22:54:90 via fe80::eadf:70ff:fe59:bd49%igb1
Any idea how to troubleshoot?

Thanks and best regards,

    Space

14

Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering

« on: May 19, 2019, 10:15:09 am »

Hi,

are these files needed? Took most of my disk space ...

Code: [Select]

root@OPNvirt:/usr/local/sensei/log # du -sm * | sort -n
1 active
14156 archive
These logs contain statistics for all interfaces per second ... but I did not find an option to disable these logs ...

Thanks and best regards,

    Space

15

Intrusion Detection and Prevention / Re: Suricata 4.1.2 does not block traffic

« on: February 14, 2019, 10:38:40 pm »

There is a patch/fix that will be included in 19.1.2

https://github.com/opnsense/core/issues/3211#issuecomment-462835563

I haven't tried it myself yet..

Works here as well. Suricata did already properly block stuff like inbound SSH scans, but now it also forbids the eicar download.

I can confirm that! Thanks for the quick response and great support as usual!