Messages - narfight

#1
Thank you for your recommendations.
Can you tell me what I can change server-side without having to deploy a new file to my users?
#2
The loads of syslogd and openvpn are closely related.

Nothing strange in the content of the logs.

Listing of log files

root@wan:/var/log # ls -l
total 8713
-rw-r-----  1 root   wheel    1617 Nov 16 00:00 acme.sh.log
lrwxr-xr-x  1 root   wheel      26 Nov  9 13:06 bsdinstaller -> /root/var/log/bsdinstaller
-rw-------  1 root   wheel  511488 Nov 16 13:55 dhcpd.log
-rw-------  1 root   wheel   94441 Nov 16 03:01 dmesg.today
-rw-------  1 root   wheel   90168 Nov 15 03:01 dmesg.yesterday
-rw-------  1 root   wheel  511488 Nov  9 13:07 dnsmasq.log
-rw-------  1 root   wheel  511488 Nov 16 13:55 filter.log
-rw-------  1 root   wheel  511488 Nov 14 03:01 gateways.log
-rw-------  1 root   wheel  511488 Nov  9 13:07 ipsec.log
-rw-r--r--  1 root   wheel       0 Nov  9 13:07 lastlog
-rw-------  1 root   wheel  511488 Nov  9 13:07 lighttpd.log
-rw-------  1 root   wheel     189 Nov 10 03:01 mount.today
drwxr-xr-x  2 root   wheel       0 Nov  9 13:09 ntp
-rw-------  1 root   wheel  511488 Nov 10 03:01 ntpd.log
-rw-------  1 root   wheel  511488 Nov 16 13:55 openvpn.log
-rw-------  1 root   wheel  511488 Nov  9 13:07 portalauth.log
-rw-------  1 root   wheel  511488 Nov  9 13:07 ppps.log
-rw-------  1 root   wheel  511488 Nov 16 13:53 resolver.log
-rw-------  1 root   wheel  511488 Nov  9 13:07 routing.log
-rw-------  1 root   wheel    2783 Nov 10 03:01 setuid.today
drwxr-x---  2 squid  squid     960 Nov 16 00:00 squid
-rw-------  1 root   wheel  511488 Nov  9 13:07 squid.syslog.log
-rw-------  1 root   wheel  511488 Nov  9 13:07 suricata.syslog.log
-rw-------  1 root   wheel  511488 Nov 16 13:55 system.log
-rw-------  1 root   wheel    1088 Nov  9 13:09 userlog
-rw-r--r--  1 root   wheel     197 Nov 16 13:30 utx.lastlogin
-rw-r--r--  1 root   wheel     189 Nov 16 13:30 utx.log
-rw-------  1 root   wheel  511488 Nov  9 13:07 vpn.log
-rw-------  1 root   wheel  511488 Nov  9 13:07 wireless.log
#3
100% of CPU = 4 Mb/s on the OpenVPN interface

The capacity of my line is 40 Mb/s.

Can I change something to reduce the CPU load?
For example, "Change DH parameters length" from 4096 to 2048, or change "Encryption algorithm" from "AES-256-CBC (256 bit key, 128 bit block)" to a lower option?
#4
17.1 Legacy Series / 100% CPU load by openvpn and syslogd
November 16, 2017, 11:42:35 AM
Hi,

I use an old Watchguard XTM505 with:
  • OPNsense 17.7.6-amd64
  • Intel(R) Celeron(R) CPU 440 @ 2.00GHz (1 cores)
  • 3 GB of RAM
I have a problem with OpenVPN. My users (4 users connected simultaneously) tell me that the VPN is very slow. When I look at the CPU load, I see this:
last pid: 47564;  load averages:  1.45,  1.54,  1.41    up 6+22:30:52  11:37:19
163 processes: 4 running, 118 sleeping, 41 waiting
CPU: 41.4% user,  0.0% nice, 51.7% system,  6.9% interrupt,  0.0% idle
Mem: 43M Active, 1038M Inact, 320M Wired, 135M Buf, 1523M Free
Swap:

  PID USERNAME        PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
70144 root             87    0  1063M  7468K RUN      9:10  57.62% openvpn
24578 root             48    0  1051M  3016K RUN    206:45  35.85% syslogd
   12 root            -92    -     0K   656K WAIT   203:40   2.37% intr{irq257:
   12 root            -92    -     0K   656K WAIT    89:59   2.18% intr{irq261:
   12 root            -92    -     0K   656K WAIT    26:43   0.73% intr{irq273:
22407 root             20    0 20032K  4092K RUN      0:00   0.27% top
   12 root            -92    -     0K   656K WAIT    33:03   0.21% intr{irq258:
   12 root            -92    -     0K   656K WAIT     8:53   0.20% intr{irq262:
   12 root            -60    -     0K   656K WAIT    10:48   0.15% intr{swi4: c
    7 root            -16    -     0K    16K -       12:49   0.13% rand_harvest
   12 root            -92    -     0K   656K WAIT     1:53   0.08% intr{irq274:
14493 root             20    0  1091M  6804K select   0:00   0.03% sshd
    6 root            -16    -     0K    16K pftm     4:42   0.03% pf purge
   12 root            -92    -     0K   656K WAIT   268:29   0.02% intr{irq277:
90908 root             20    0  1049M  2764K select   2:25   0.02% apinger
   12 root            -72    -     0K   656K WAIT     3:31   0.01% intr{swi1: p
   12 root            -92    -     0K   656K WAIT     0:29   0.01% intr{irq20:
53819 squid            20    0  1067M  4576K select   0:04   0.01% pinger
75491 squid            20    0  1723M   605M kqread 877:05   0.01% squid
40796 dhcpd            20    0  1057M  8292K select   0:47   0.01% dhcpd
37732 squid            20    0  1067M  4572K select   0:18   0.00% pinger
31640 squid            20    0  1067M  4572K select   0:34   0.00% pinger
77885 squid            20    0  1067M  4572K select   0:34   0.00% pinger
(...)


Can you help me to reduce the CPU load?

Thanks in advance
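An added illustration, not from the posts or from OPNsense, of why the two knobs named in post #3 do not cost the same. The DH parameters are used only in the TLS control-channel handshake when a client connects, so 4096 versus 2048 bits changes connection setup time and nothing about the per-packet cost of the 4 Mb/s data stream; the data-channel cipher and HMAC are what the CPU spends on every packet, and a Celeron 440 has no AES-NI, so all of it runs in software. The fragment shows the server-side shape of both choices as OpenVPN configuration directives (OPNsense generates its own file from the GUI fields; the directive names are OpenVPN's, the file paths are placeholders):

```conf
# --- heavy settings, as described in the thread ---
dh     /var/etc/openvpn/server1.dh-4096.pem   # placeholder path; used only in the TLS handshake
cipher AES-256-CBC                             # every data packet: 14 AES rounds per block + separate HMAC
auth   SHA256

# --- lighter on a CPU without AES-NI, still sound ---
dh     /var/etc/openvpn/server1.dh-2048.pem   # shorter handshake, no effect on throughput
cipher AES-128-CBC                             # 10 AES rounds per block, same HMAC
auth   SHA256
# With OpenVPN 2.4 on both ends, an AEAD cipher removes the separate HMAC pass:
# cipher AES-128-GCM
```

Before changing anything, measure on the box itself rather than guessing: `openssl speed -evp aes-128-cbc aes-256-cbc aes-128-gcm` gives the raw software throughput of each cipher on this CPU, and `top -SH` shows whether openvpn or syslogd is the one burning the core, which matters because lowering the cipher does nothing for the syslogd share.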
#5
Hello,

To apply rules to some users connected by OpenVPN, I use "Client Specific Overrides" to force the IP of a client via the "Common name" field.

But the "Common name" field is case sensitive, unlike samAccountName from LDAP. If the client uses the login "MyLogin" and not "mylogin", my rule is ignored!!!

In LDAP, we can use "caseExactMatch" to force a case-sensitive search. If, in the LDAP server's "User naming attribute" field, I put "samAccountName:caseExactMatch:", the LDAP server correctly returns the username with its case, but the returned attribute name is "samAccountName" and not "samAccountName:caseExactMatch:", and OPNsense can't authenticate the connection.

Do you have a solution for this ?
#6
Two errors in my config.

First: add "(objectCategory=person)" to my Extended Query.

Second: allow my "LDAP" user to read all of the DC!
#7
Hello,

I tried to use "memberOf:1.2.840.113556.1.4.1941:=CN..." to get the list of users who are in nested groups for my VPN connection.

I use this configuration :
  • Type : LDAP
  • Hostname or IP address : 10.0.0.10
  • Port value : 389
  • Transport : TCP - Standard 
  • Protocol version : 3
  • Bind credentials : User DN: MyCorp\LDAP
  • Search scope : Entire Subtree 
  • Base DN : OU=Macell,DC=MyCorp,DC=org
  • Authentication containers : DC=MyCorp,DC=org
  • Extended Query : &(memberOf:1.2.840.113556.1.4.1941:=CN=TESTGROUP,OU=Remote Login,OU=00 Security Group,OU=Macell,DC=MyCorp,DC=org)
  • User naming attribute : sAMAccountName

The reply is the users directly member of TESTGROUP and ... a list of the groups that are members of this group.

Can you confirm that it is possible to use "1.2.840.113556.1.4.1941" on OPNsense?

Thank you
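An added example, written for this page and not code from the thread or from OPNsense, modelling the two things posts #5, #6 and #7 above run into when OpenVPN users are authenticated against Active Directory: what LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) matches, namely every object whose memberOf chain reaches the group, which includes nested groups unless the filter also says (objectCategory=person); and why a Client Specific Override keyed on the Common Name can miss, because AD matches sAMAccountName case-insensitively, so the login succeeds, while the override is compared byte-for-byte against the login as typed. The directory below is constructed for the demo and its DNs only imitate the OU=Macell,DC=MyCorp,DC=org layout quoted in the thread; how OPNsense joins the user lookup with the Extended Query is an assumption of this model.

```python
"""Model of LDAP_MATCHING_RULE_IN_CHAIN results and of the case-sensitive
Common Name override.  Added example; the directory is constructed."""
from typing import Dict, List, Optional, Set, Tuple

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

BASE = "OU=Macell,DC=MyCorp,DC=org"
TESTGROUP = f"CN=TESTGROUP,OU=Remote Login,OU=00 Security Group,{BASE}"
SUBGROUP = f"CN=SubGroup,OU=Remote Login,OU=00 Security Group,{BASE}"

# Constructed sample directory: DN -> attributes (hypothetical entries).
DIRECTORY: Dict[str, dict] = {
    TESTGROUP: {"objectCategory": "group", "memberOf": []},
    SUBGROUP: {"objectCategory": "group", "memberOf": [TESTGROUP]},
    f"CN=Alice,OU=Users,{BASE}": {"objectCategory": "person",
                                   "sAMAccountName": "MyLogin", "memberOf": [TESTGROUP]},
    f"CN=Bob,OU=Users,{BASE}": {"objectCategory": "person",
                                 "sAMAccountName": "bob", "memberOf": [SUBGROUP]},
    f"CN=Carol,OU=Users,{BASE}": {"objectCategory": "person",
                                   "sAMAccountName": "carol", "memberOf": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value; commas in a DN need none."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def extended_query(group_dn: str, persons_only: bool) -> str:
    """Build the Extended Query in the shape the thread uses: leading '&',
    no outer parentheses (assumed to be added by OPNsense)."""
    query = f"&(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"
    if persons_only:
        query += "(objectCategory=person)"   # the fix from post #6: drop nested groups
    return query


def member_of_chain(dn: str) -> Set[str]:
    """Transitive closure of memberOf: what the matching rule walks on the DC."""
    seen: Set[str] = set()
    stack = list(DIRECTORY[dn]["memberOf"])
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(DIRECTORY[group]["memberOf"])
    return seen


def search_nested_members(group_dn: str, persons_only: bool) -> List[str]:
    """Evaluate extended_query() against the sample directory; returns sorted DNs."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if group_dn in member_of_chain(dn)
            and (not persons_only or attrs["objectCategory"] == "person")]
    return sorted(hits)


def ldap_login(login: str) -> Optional[str]:
    """sAMAccountName lookup as AD does it: case-insensitive, returns stored spelling."""
    for attrs in DIRECTORY.values():
        if attrs.get("sAMAccountName", "").lower() == login.lower():
            return attrs["sAMAccountName"]
    return None


def vpn_connect(login: str, override_cn: str) -> Tuple[bool, bool]:
    """(authenticated, override_applied).  The override compares the Common Name
    with the login exactly as typed, which is the behaviour post #5 describes."""
    authenticated = ldap_login(login) is not None
    override_applied = authenticated and override_cn == login
    return authenticated, override_applied


if __name__ == "__main__":
    print(extended_query(TESTGROUP, persons_only=False))
    print("without objectCategory:", search_nested_members(TESTGROUP, False))
    print("with objectCategory:   ", search_nested_members(TESTGROUP, True))
    print("login MyLogin, override mylogin:", vpn_connect("MyLogin", "mylogin"))
    print("login mylogin, override mylogin:", vpn_connect("mylogin", "mylogin"))
```

Running it shows SubGroup in the first result set and gone from the second, which is the "users and ... list of groups" reply in post #7 and the (objectCategory=person) fix in post #6; the last two lines show the login succeeding both ways while the override only fires when the typed case matches.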
#8
Hello,

I formatted the disk and changed to the nano OS on CompactFlash.

When I restored my backup, everything came back to normal.

Thanks for your help.
#9
Hello,

Thanks for your help.

I just tested this:

  • start an old computer
  • take its IP
  • create a rule to block ICMP from this IP and put this rule at the top
  • reload the rules config
  • start PING on the old computer: the firewall replies
  • reboot OPNsense
  • rules loaded: the firewall does not reply anymore

Over SSH, the file /tmp/rules.debug is only updated on reboot!
#10
Hello,

I use OPNsense (OPNsense 17.7-amd64/FreeBSD 11.0-RELEASE-p11/OpenSSL 1.0.2l 25 May 2017) on a Watchguard XTM505.

When I create a new rule or update a rule and click "reload changes", there is no error but the change is not applied!

Filter reload log:
1503639532.2634: Initializing
1503639532.2636: Creating aliases
1503639532.2637: Generating NAT rules
1503639532.2638: Creating 1:1 rules...
1503639532.2639: Creating outbound NAT rules
1503639532.264: Creating automatic outbound rules
1503639532.3072: Creating NAT rule Rediriger le trafic vers le proxy
1503639532.355: Loading filter rules
1503639532.3721: Setting up logging information
1503639532.3722: Setting up SCRUB information
1503639532.3722: Generating rules
1503639532.3867: Creating IPsec rules...
1503639532.3868: Executing packet filter reload
1503639532.4187: Cleanup schedule states
1503639532.4244: Reloading filterdns daemon
1503639532.4245: Flushing schedule state
1503639532.4246: Processing down interface states
1503639532.4247: Done


I need to restart OPNsense to apply it correctly .... it's very unfriendly to use.

My test is very simple. I create a rule to allow ping or not on the interface
IPv4 ICMP * * * * * Easy Rule: Passed from Firewall Log

Can you help me?

Thanks in advance
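An added check for the reload problem described in posts #9 and #10, not code from the thread or from OPNsense: snapshot the generated pf ruleset (/tmp/rules.debug, the file post #9 names) before and after clicking "Apply changes", then diff the two snapshots. If the second snapshot is byte-identical, the reload did not regenerate the file, which makes the symptom visible without a reboot and tells you whether the rule ever reached the file or only failed to reach the kernel. The snapshot paths and the sample rule lines below are constructed for the demo.

```shell
#!/bin/sh
# Compare two snapshots of the generated pf ruleset.  Added example; the demo
# data at the bottom stands in for two copies of /tmp/rules.debug.

snapshot_rules() {            # snapshot_rules <source> <destination>
    cp "$1" "$2"
}

rules_changed() {             # rules_changed <before> <after>: exit 0 if the files differ
    ! cmp -s "$1" "$2"
}

rules_diff() {                # rules_diff <before> <after>: print added (>) / removed (<) lines
    diff "$1" "$2" | grep '^[<>]' || true
}

rule_present() {              # rule_present <file> <literal text>: exit 0 if the text occurs
    grep -Fq -- "$2" "$1"
}

# On the firewall you would also compare the file with what the kernel loaded,
# e.g.:  pfctl -sr | grep -F 'label "block old pc"'
# A rule in /tmp/rules.debug but absent from pfctl -sr points at the pf load,
# a rule absent from both points at the generation step before it.

# --- constructed demo data ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/before" <<'EOF'
pass in quick on em0 inet proto icmp from any to any label "Easy Rule: Passed from Firewall Log"
EOF
snapshot_rules "$demo/before" "$demo/after_noop"      # a reload that changed nothing
cat > "$demo/after_reboot" <<'EOF'
block in quick on em0 inet proto icmp from 192.0.2.10 to any label "block old pc"
pass in quick on em0 inet proto icmp from any to any label "Easy Rule: Passed from Firewall Log"
EOF

if rules_changed "$demo/before" "$demo/after_noop"; then
    echo "reload regenerated the ruleset"
else
    echo "reload left the ruleset untouched (the symptom in the thread)"
fi
rules_diff "$demo/before" "$demo/after_reboot"        # prints the new block rule as a '>' line
```

On the box, the real sequence is `snapshot_rules /tmp/rules.debug /root/rules.before`, click Apply, `snapshot_rules /tmp/rules.debug /root/rules.after`, then `rules_diff /root/rules.before /root/rules.after`.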