Messages - rabievdm

#1
Thanks,

The Twitter comment got me working again:
opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart
Much appreciated.

Regards
#2
Thanks all, looks like we are golden:

tunefs -p /
tunefs: trim: (-t)                                         enabled

#3
I was looking through the forums and documentation and, whilst I could find references to TRIM on SSDs, I couldn't really work out how to enable it.

Does it get set automatically or if not where should I go and set it?
#4
Kinda agree :)

@Devs, I see some automatic rules have a magnifying glass next to the rule. How about having one next to the automatic deny rules to take you to the logging options?
#5
Hi,

I'm not 100% sure that is what you are looking for, but go to System > Settings > Logging; there is a section for logging default blocks. Is this what you are looking for? The default is to log any default blocks.

Log Firewall Default Blocks:
   Log packets matched from the default block rules put in the ruleset
   Log packets matched from the default pass rules put in the ruleset
   Log packets blocked by 'Block Bogon Networks' rules
   Log packets blocked by 'Block Private Networks' rules
#6
Hi Fabian,

Again thanks for the response.

What I meant was that I'm familiar with the ELK stack and its components; I'm just not keen on deploying more resources and maintaining them for the odd occasion that I want to look back a little further than is currently offered out of the box. Hence the worst-case off-box syslog option :)

But again appreciate the feedback.

R
#7
Thanks guys, I do appreciate the response.

I'm not too keen on deploying an ELK stack, but I might just opt to push the syslog to a remote box so I have a grep-able copy that goes back more than a couple of hours :)

@Fabian, it would be nice to have an on-box feature to archive selected logs to x numbered archive logs for auditing purposes :)
#8
Hi,

Just checking on sizes...
I noticed that my logs rotate too quickly with the default settings, so I increased them from the default 512K (empty) to 200MB (209715200), saved the setting and reset the logs.
Everything appeared OK, but when I tried viewing the logs via the web GUI it would not return any results in the live view; any other web interaction would then fail and the web server would be unresponsive, which required a restart of the services. I tried reducing the size, but had to bring the logs way down to 10MB for it to remain stable.

So 2 questions:
1) Has anyone else seen this issue? (I'm on 19.7.7 and 19.7.8)
2) Is anyone else increasing log file sizes? The defaults seem way too small and there doesn't seem to be an option to rotate logs. What do others do to maintain log history, send to a remote?

Regards
#9
19.7 Legacy Series / Re: High memory usage
October 02, 2019, 10:22:31 AM
Afraid it's the same conclusion I have come up with.

I've pared down some of the lists Suricata uses, but its memory usage seems to vary radically, with little correlation to what traffic is causing it.

One thing that we could do is try and identify the leak, but having poked about the net it seems a bit involved. So for now I irritate the living @#$@# out of myself, as I hate it when people suggest this: restart the service periodically and hope someone comes up with a fix soon. :)
#10
19.7 Legacy Series / Re: High memory usage
September 29, 2019, 09:27:33 PM
Hi,

You could look at using plain old top :)
Unfortunately BSD does have some quirks when it comes to reporting memory usage, specifically swap, so take the swap values with a bag-o-salt. At least that's the conclusion I have come to when looking around the internet.

I'm having similar memory issues where, for no reason that I can find, the system will just spike and consume a significant amount of memory (virtual+physical). Looking at the usage, Squid and Suricata seem to be the culprits, but the stats don't add up. I have also seen some BSD articles which suggest that it could be kernel memory usage, but I haven't found any smoking guns. What I have seen is that my system will report close to 2GB swap usage, but any tool I use to break down the swap usage only adds up to about 10MB, which as I understand the docs means the rest must be kernel-related processes that have been paged out.

This should give you a sorted list of processes by total size (res, swap, libraries, etc.):
top -S -w -o size
This should give you a sorted list by top res (physical memory):
top -S -w -o res
This should give you a sorted list by swap:
top -S -w -o swap

For now I have limited my Squid memory allocation and I restart Squid/Suricata every so often else I reboot the box :(

R
#11
On 19.7.2
The WAN interface gets DHCP from the internet provider and it does work, but takes a long time on boot up.
Then under normal operation I do see deny messages in the logs:

filterlog: 11,,,0,vtnet1,match,block,in,4,0x0,,64,0,0,none,17,udp,344,0.0.0.0,255.255.255.255,68,67,324
And in the live view:
   NET1      Aug 25 14:24:09   0.0.0.0:68   255.255.255.255:67   udp   Default deny rule

I do see the following automatically generated rules at the top of my wan interface:
      IPv4+6 UDP    *    67    *    68    *    *    allow DHCP client on NET1    
      IPv4+6 UDP    *    68    *    67    *    *    allow DHCP client on NET1    

I have removed my default deny from the WAN interface as I understand that the default action would be block and log, but I am still seeing the denies; any thoughts?
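To make sense of entries like the one quoted above, here is an added example (not code from this thread or from the OPNsense project) that parses a pf filterlog record into named fields and produces a one-line triage note. The field names are this example's own labels for the filterlog CSV layout (rule number, sub-rule, anchor, tracker id, interface, reason, action, direction, IP version, then the IPv4 header fields, then source, destination and ports for TCP/UDP); the sample line is the one from the post, and the other lines in the test are constructed. The inbound/outbound reading is my own: a 0.0.0.0:68 -> 255.255.255.255:67 datagram is a DHCP DISCOVER/REQUEST from a client with no address yet, and one received ("in") on the WAN interface came from another host on the upstream segment rather than from the firewall's own DHCP exchange, which is what the automatic "allow DHCP client" rules cover.

```python
# Added example: parse and triage pf filterlog records (not OPNsense code).

# Assumed field layout of a filterlog record; names are this example's own.
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "interface",
          "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "proto_id", "length",
        "src", "dst"]
PORTS = ["srcport", "dstport", "datalen"]

# The log line quoted in the post above.
SAMPLE = ("filterlog: 11,,,0,vtnet1,match,block,in,4,0x0,,64,0,0,none,17,"
          "udp,344,0.0.0.0,255.255.255.255,68,67,324")


def parse_filterlog(line: str) -> dict:
    """Turn one 'filterlog: ...' syslog line into a dict of named fields."""
    _, sep, payload = line.partition("filterlog:")
    if not sep:
        raise ValueError("not a filterlog line")
    values = payload.strip().split(",")
    if len(values) < len(COMMON):
        raise ValueError("truncated filterlog record")
    names = list(COMMON)
    ipver = values[len(COMMON) - 1]
    if ipver == "4":
        names += IPV4
    elif ipver == "6":
        names += IPV6
    else:
        raise ValueError(f"unknown IP version {ipver!r}")
    entry = dict(zip(names, values))
    # TCP and UDP records carry ports and payload length after the addresses;
    # TCP has further fields (flags, seq, ...) that this example ignores.
    if entry.get("proto") in ("tcp", "udp"):
        entry.update(zip(PORTS, values[len(names):]))
    return entry


def is_dhcp_client_broadcast(entry: dict) -> bool:
    """0.0.0.0:68 -> 255.255.255.255:67 is a DHCP DISCOVER/REQUEST from a
    client that does not have an address yet (RFC 2131)."""
    return (entry.get("proto") == "udp"
            and entry.get("src") == "0.0.0.0"
            and entry.get("dst") == "255.255.255.255"
            and entry.get("srcport") == "68"
            and entry.get("dstport") == "67")


def triage(entry: dict) -> str:
    """One-line note on what a blocked record means to the operator."""
    if entry["action"] != "block":
        return "pass"
    if is_dhcp_client_broadcast(entry):
        if entry["dir"] == "in":
            # Seen on the wire, so it was sent by another DHCP client on the
            # same segment; the firewall's DHCP-client rules only cover its
            # own exchange, so these fall through to the default deny.
            return (f"noise: another host's DHCP broadcast received on "
                    f"{entry['interface']} hit the default deny")
        return (f"problem: the firewall's own DHCP request was blocked on "
                f"{entry['interface']}; check the DHCP client allow rules")
    where = (f"{entry['src']}:{entry.get('srcport', '-')} -> "
             f"{entry['dst']}:{entry.get('dstport', '-')}")
    return (f"blocked {entry.get('proto')} {where} {entry['dir']} on "
            f"{entry['interface']} by rule {entry['rulenr']}")


if __name__ == "__main__":
    print(triage(parse_filterlog(SAMPLE)))
```

Run it over a live export of the firewall log (one record per line) and the "noise" notes can be filtered out of a review, while a "problem" note on an outbound record points at a genuine DHCP-client rule issue.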
#12
19.7 Legacy Series / Feature request: Health -> System
August 14, 2019, 01:28:17 PM
Hi,

Does anyone else see any value in having the ability to stack the user/nice/system utilization under the Health/System graph, to be able to gauge total CPU utilization?

And then also to capture and graph the loadAVG?
And if we do measure the LA, can we express that as a value relative to 1?
i.e. systemLoadAverage/nrCPUs = normalizedLoadAverage.
Thus you would know when the load is an issue regardless of the number of CPUs, without having to work out what it should be after the number of CPUs has been changed (in the case of a VM).

Regards
Rabie
#13
One thing I have noticed (not quite related to your issue) is that when the WAN interface goes down the WUI appears not to be available, yet I can log on via SSH.

What I have worked out is that I have a couple of plugins for AV and site reputation checking and even though the firewall url has been added to the exclusion list there appears to be still some form of a look up attempted.

If I leave the page long enough it will eventually load, albeit slowly.

On using a cloud-based auth, it's a bit of a double-edged sword, but agreed: if you do have a fallback configured then it 'should' fail back to that. Just speculating here, unless you have other lookups occurring against LDAP, not just user auth for the firewall admin, then I could understand the firewall taking a nose dive as it tries to look up IDs and has to wait x seconds for a timeout.

Not sure if this is possible or practical, but having a local cached copy of your LDAP DB might also assist.

But agreed it does sound like unexpected behavior.
#14
I'm just checking, but it's a known issue that PPP interfaces don't work with the netmap implementation.
If you are aware and just pointing out the logs then ignore me :)
If you weren't aware, then sadly IPS will not work on a PPP interface and, from posts I have seen, is likely never to be fixed on BSD.

Either monitor the internal and/or DMZ interface, or do your PPPoE upstream, or use a different OS (but then you lose the OPNsense goodness :( )
#15
Hahahaha, glad you solved it.
Although maybe it's time for some fresh firmware on the switch or, as much as I hate the practice... a reboot schedule :)