Messages

1

Intrusion Detection and Prevention / Re: IDS Alerts can't count?

« on: July 13, 2021, 01:18:47 am »

Does it work like this for everyone?  It defaults to 7 and miscounts the pages on two different CPU's and does so on a fresh install.  It seems to work at blocking what its supposed to, so I can't complain really.  But odd...

2

Intrusion Detection and Prevention / Re: IDS Alerts can't count?

« on: July 09, 2021, 12:47:18 am »

Versions:

Versions   OPNsense 21.1.8_1-amd64
FreeBSD 12.1-RELEASE-p19-HBSD
OpenSSL 1.1.1k 25 Mar 2021

Here is default view of alerts:

2015 hyundai azera 0 60

But if you increase the view to 100:

flag for zimbabwe emoticons
which is a few more than7!

3

Intrusion Detection and Prevention / IDS Alerts can't count?

« on: July 08, 2021, 04:58:01 pm »

Is there a reason my alerts always default to 7? 

And I don't even know where to start here:


15 to 21 of 89 of nothing?

4

21.1 Legacy Series / Wireguard restart causes unbound to stop resolving names on FW only.

« on: July 01, 2021, 03:29:12 am »

Unbound is stops working when I try to add WG1, a FQDN based connection.  As you can see, I can ping google.com by name.  Then I restart wireguard.  WG0 comes up but WG1 fails because of DNS.  Immediately afterward I can no longer resolve DNS:

Code: [Select]

root@owlhouse:/usr # ping google.com
PING google.com (172.217.5.14): 56 data bytes
64 bytes from 172.217.5.14: icmp_seq=0 ttl=119 time=15.542 ms
64 bytes from 172.217.5.14: icmp_seq=1 ttl=119 time=15.475 ms
64 bytes from 172.217.5.14: icmp_seq=2 ttl=119 time=15.842 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 15.475/15.620/15.842/0.160 ms
root@owlhouse:/usr # /usr/local/etc/rc.d/wireguard restart
[#] rm -f /var/run/wireguard/wg0.sock
[#] resolvconf -d wg0
wg-quick: `wg1' is not a WireGuard interface
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 192.168.12.1/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 192.168.12.12/32 -interface wg0
[#] route -q -n add -inet 192.168.12.11/32 -interface wg0
[#] route -q -n add -inet 192.168.12.10/32 -interface wg0
[+] Backgrounding route monitor
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
Name does not resolve: `vaaa.bbb.ccc:51820'
Configuration parsing error
[#] rm -f /var/run/wireguard/wg1.sock
root@owlhouse:/usr # ping google.com
ping: cannot resolve google.com: Host name lookup failure
root@owlhouse:/usr #
I can see no errors in syslog. And DNS is working for everything else on the LAN - just not on the FW itself.  Is this an unbound problem or a wireguard problem?

Unbound:

Code: [Select]

<unbound>
    <enable>1</enable>
    <custom_options>#server:
#tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853</custom_options>
    <dnssec>1</dnssec>
    <noreglladdr6>1</noreglladdr6>
    <acls>
      <aclname>VPN</aclname>
      <aclaction>allow</aclaction>
      <description/>
      <row>
        <acl_network>192.168.1.0</acl_network>
        <mask>24</mask>
        <description/>
      </row>
    </acls>
    <acls>
      <aclname>WGaccess</aclname>
      <aclaction>allow</aclaction>
      <description/>
      <row>
        <acl_network>192.168.12.0</acl_network>
        <mask>24</mask>
        <description/>
      </row>
      <row>
        <acl_network>10.11.14.0</acl_network>
        <mask>24</mask>
        <description/>
      </row>
    </acls>
  </unbound>

5

Virtual private networks / Re: Routed IPSec Tunnel - IPSEC interface is not choosable under gateway

« on: July 01, 2021, 03:09:17 am »

Among many silly errors, I had failed to set 'mode' to 'route based' in P2.

6

Virtual private networks / Routed IPSec Tunnel - IPSEC interface is not choosable under gateway

« on: June 28, 2021, 09:36:40 pm »

I  am trying to setup a routed IPSEC connection almost verbatim to the guide here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html without success.  Under "Step 5 - Define Gateways" it says use interface IPSEC1000, but I can only choose WAN, LAN, OPT1, etc... as the interface for the gateways.  The IPSEC interface is created and, for example, available under firewall rules.

I've been through the instructions over and over... Am I missing something that I can't choose IPSEC? Install policy is unchecked for sure.

7

General Discussion / Re: Problem installing the latest ntopng

« on: March 14, 2021, 09:09:53 pm »

I don't know what you are talking about and honestly it's difficult to help with external ntop repository usage. We talked to them and noted that their build settings are not 100% compatible so some bouncing back and forth is the least problematic issue going forward...

But anyway, these are our versions as per FreeBSD ports:

https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/MINT/21.1/LibreSSL/All/

ntopng-4.2.d20201228,1.txz   2021-01-26 15:38   7.2M   
ndpi-3.4.d20201222,1.txz   2021-01-26 15:38   524K   

Assuming "downgraded my ntopng from 4.0 to 3.4" actually meaning ndpi would make a bit more sense.

For major updates - and this was requested by many - we cleanly reinstall all our packages from our mirror... Meaning I cannot see a bug here other than ntop shipping duplicate packages and not adhering to our build parameters.


Cheers,
Franco

I'm guessing he is seeing this

Code: [Select]

ntopng Community v.3.4.0
on the ntopng page after you log in.  This was confusing me too. I know this can't be 3.4.0 -- but it also keeps bugging me to upgrade to 4.2.0 even though pkg info says I'm on 4.2.0 already.

Code: [Select]

ntopng-4.2.d20210122,1


8

21.1 Legacy Series / 503 Service Unavailable

« on: February 15, 2021, 06:08:39 am »

For a while I have been getting a 503 Service Unavailable page after a reboot.  A GUI restart with /usr/local/etc/rc.restart_webgui fixed it.  Since it only occurred after a reboot and those didn't happen that often, I didn't put much effort into figuring out what was wrong.  However now I get them all the time.  GUI restart doesn't help.  Restarting all services doesn't help.  Network traffic seems unaffected and SSH still works.  It is only the web GUI than does not work.

I can see a lot of these in lighttpd.log:

Code: [Select]

Feb 14 22:21:55 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-1  0 /tmp/php-fastcgi.socket
Feb 14 22:21:55 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-0  0 /tmp/php-fastcgi.socket
Feb 14 22:21:56 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-1: Connection refused
Feb 14 22:21:56 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: Connection refused
Feb 14 22:21:56 home lighttpd[81368]: (gw_backend.c.970) all handlers for /widgets/widgets/ntp_status.widget.php?updateme=yes on .php are down.

Code: [Select]

Feb 14 22:21:52 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-1  0 /tmp/php-fastcgi.socket
Feb 14 22:21:52 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-0  0 /tmp/php-fastcgi.socket
Feb 14 22:21:53 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-1: Connection refused
Feb 14 22:21:53 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: Connection refused
Feb 14 22:21:53 home lighttpd[81368]: (gw_backend.c.970) all handlers for /api/api.php?limit=100 on .php are down.
php-fpm.log says only:

Code: [Select]

[14-Feb-2021 22:01:30] NOTICE: fpm is running, pid 41964
[14-Feb-2021 22:01:30] NOTICE: ready to handle connections
Something isn't configured right, but where can I look for the problem?

9

General Discussion / Tunables - to quote or not to quote

« on: February 05, 2021, 05:56:24 pm »

This seems like a really basic question, but I'm having a hard time finding the answer.  When do you use quotes around the value you are setting in Tunables? Does it matter?

I see both scattered around the internet:
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbclusters=32768

10

20.7 Legacy Series / Intrusion Detection

« on: September 02, 2020, 04:22:41 pm »

Download and Install in Intrusion Detection only yields:

Code: [Select]

Error reconfiguring IDS
Error (1)
Doesn't matter if rules are enabled or disabled, checked or not checked, one rule or many.  Rebooted.  It will show last updated time as the current time, but no rules are listed under the rules tab.

Log file says "   suricata[71351]   [100266] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!"

Also, Redis worked for a little while but now the service is stopped and won't restart.  Uninstalled and reinstalled and it still won't start.  I can' t find any relevant log info for this.


Fairly new install and new to OPNSense after switching from PFsense.  Overall much happier with it, particularly the stability.  But still having a hard time finding relevant log information. Is there some sort of guide or tutorial to SSH in and look at more detailed log info?