Messages - kinch

#1
Is there any hope or progress on OPNsense (FreeBSD) and Suricata with PPPoE WAN interfaces in IPS mode? Will it work?
#2
Seems like it is not working and not supported by Suricata / netmap.

https://forum.opnsense.org/index.php?topic=31587.0
#3
Anyone successfully using Suricata on a PPPoE WAN?

Best Regards
#4
Dear All

I investigated the issue (again) where you use more than 1 device/console/computer for gaming and try to get an open NAT. I read and did testing for around 10 hours, but now I'm done and back here to ask if something has changed, because the messages I read in other forums (pfSense, GitHub, etc.) are from 2+ years ago.

Is the 2 computers/consoles/games issue with open NAT still present in 2024?



I have 2 consoles.

Scenario 1 = 1 console used
If I set up strict outbound NAT, 1 console has open NAT. OK

Scenario 2 = 2 consoles used
If I try to use 2 consoles it is not working with strict outbound NAT, so I tried to use UPnP (miniupnpd).
But I'm not able to get open NAT on the consoles. More than that, I think UPnP is not working at all, because I do not see any session in the status tab. I also checked the config file, route logs etc. but it's all the same and unclear (compared to those thousands of people who did similar testing).

I know all the setup instructions with strict NAT, UPnP configuration, using NAT reflection etc., but again:

Is anyone able to use 2 consoles/games at the same time and get an open NAT?

Best Regards

Edit: installed a UPnP test tool on my PC (same network as the console) and set up proper rules in the UPnP plugin on OPNsense. Result: the tool is not able to open a port, and it also does not recognize that there is a UPnP service on OPNsense. The tool seems to work, because it was able to find other devices which seem to use UPnP.

Edit2:
2024-05-30T12:12:13   Warning   miniupnpd   Port forwarding is now disabled
2024-05-30T12:12:12   Warning   miniupnpd   Check configuration of firewall on local machine and also on upstream router   
2024-05-30T12:12:12   Warning   miniupnpd   STUN: ext interface pppoe0 has now public IP address x.x.x.x but firewall filters incoming connections set by miniunnpd

I do not have manually created WAN rules in place. So what is miniupnpd trying to tell me?


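The three log lines above are miniupnpd's STUN reachability check failing: with STUN enabled, miniupnpd asks a STUN server to answer from a different address/port to prove that unsolicited inbound packets reach the external interface, and when that answer never arrives it logs the warning and switches port forwarding off, so clients get no mappings. The following script is an added example, not part of the post or of the miniupnpd project: it classifies log lines of exactly this shape (the sample is constructed from the lines in the post) and prints the checks to run next on the firewall. The pf anchor name `miniupnpd`, the config path `/usr/local/etc/miniupnpd.conf` and the `ext_perform_stun` option name are assumptions about the OPNsense plugin's layout.

```shell
#!/bin/sh
# Added example (not from the post): read miniupnpd log lines and report whether
# the STUN probe was filtered. SAMPLE_LOG is constructed from the post plus one
# harmless notice line; it is not real output from the poster's box.
SAMPLE_LOG='2024-05-30T12:12:13   Warning   miniupnpd   Port forwarding is now disabled
2024-05-30T12:12:12   Warning   miniupnpd   Check configuration of firewall on local machine and also on upstream router
2024-05-30T12:12:12   Warning   miniupnpd   STUN: ext interface pppoe0 has now public IP address x.x.x.x but firewall filters incoming connections set by miniunnpd
2024-05-30T12:11:50   Notice    miniupnpd   HTTP listening on port 2189'

# External interface named in the STUN warning (empty when there is none).
stun_ext_if() {
    printf '%s\n' "$1" | sed -n 's/.*STUN: ext interface \([^ ]*\) has now public IP address.*/\1/p' | head -n 1
}

# Public address miniupnpd learned through STUN (empty when there is none).
stun_public_ip() {
    printf '%s\n' "$1" | sed -n 's/.*has now public IP address \([^ ]*\) but firewall.*/\1/p' | head -n 1
}

# "blocked": the probe was filtered and forwarding was switched off (the post's state).
# "ok": no such warning in the given log text.
upnp_state() {
    if printf '%s\n' "$1" | grep -q 'firewall filters incoming connections' &&
       printf '%s\n' "$1" | grep -q 'Port forwarding is now disabled'; then
        echo blocked
    else
        echo ok
    fi
}

# Commands to run next on the OPNsense box (printed here, not executed).
# Anchor name and config path are assumptions about the plugin's layout.
next_checks() {
    ifc=$(stun_ext_if "$1")
    cat <<EOF
pfctl -a miniupnpd -sr                       # filter rules miniupnpd has installed
pfctl -a miniupnpd -sn                       # NAT entries it has installed
grep -i stun /usr/local/etc/miniupnpd.conf   # is ext_perform_stun=yes set?
ifconfig ${ifc:-pppoe0}                      # does the ext interface carry the public IP?
EOF
}

upnp_state "$SAMPLE_LOG"
```

If `upnp_state` reports `blocked`, the mappings consoles request are never installed regardless of what the UPnP status tab shows; either make the STUN probe succeed (the upstream device must pass unsolicited inbound traffic to the pppoe0 address) or disable the STUN option so miniupnpd stops gating forwarding on it.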
#5
Quote from: bestboy on May 30, 2024, 09:38:29 AM
Intrusion detection systems need to track the flows. If you do address translation then sources or targets of flows are rewritten. The original flow is terminated and replaced. Intrusion detection systems typically only see one leg of the entire communication. Either the original flow leg or the replaced, new flow leg. But in either case they keep on missing half of what's going on.
Feel free to read the documentation for details. It's all there right in the "Choosing an interface" chapter: https://docs.opnsense.org/manual/ips.html#choosing-an-interface

PS: There is a reason why many admins hate NAT. You have to jump a lot of hoops and deal with heaps of BS just to keep using the old IPv4 address.

OK, of course, but it does not matter in this scenario, because Suricata does not work, and it worked back in the days when the interface was DHCP WAN and not PPPoE WAN.

Best Regards
#6
Quote from: bestboy on May 29, 2024, 06:40:40 AM
Also NAT and intrusion detection systems are no friends.

?? What does Suricata have to do with NAT?
#7
Quote from: Taunt9930 on May 28, 2024, 10:50:59 PM
I don't believe you can use Suricata on PPPoE - it is not compatible.

Why not? Suricata does not see the PPPoE header, I think.
#8
Hi there

Before, everything was working fine.
I had a fiber WAN connection which was DHCP.
Suricata was configured to look at the WAN interface and it was working; I got some alerts during the week.

Because of relocating, the ISP only offers fiber with PPPoE in this area.
I reconfigured the WAN (created a vlan11 interface, created a PPPoE device with credentials, assigned the PPPoE interface as WAN).
OPNsense got a public IP and the internet is working as well. This "happened" around 6 months ago.
Since then, I have never gotten a Suricata alert, so I was wondering if Suricata is working properly. I tested it with EICAR and nothing happened, so I haven't gotten any alert for 6 months and my testing also triggered no alert.

I then switched promiscuous mode off after about 4 months, no change. After 2 more months still no alerts.
I suspect that Suricata cannot access the WAN interface. I think it has problems with the constellation interface->vlan->pppoe->WAN.

Any idea what the problem could be, and how I can troubleshoot and fix it?

What I did:
restart service
reboot
test with EICAR, NOK
check ruleset (every drop/alert rule is enabled)
tested it with http://testmynids.org/uid/index.html
change pattern matcher aho <-> hyper


Best Regards
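A quicker way to settle "is Suricata seeing the interface at all" than waiting weeks for organic alerts is to send a probe with a known signature and look for it in the eve.json log, which is what the testmynids.org URL in the post is for. The script below is an added example, not part of the post or of the Suricata or OPNsense projects. It assumes eve.json is written to `/var/log/suricata/eve.json` on OPNsense and that the probe matches ET rule sid 2100498 ("GPL ATTACK_RESPONSE id check returned root"); the sample records are constructed, not real output, and the `1000001` signature is a placeholder.

```shell
#!/bin/sh
# Added example (not from the post): check eve.json for the alert that the
# testmynids.org probe should raise. Sample records are constructed, not real.
PROBE_SID=2100498                        # assumption: the rule the probe hits
EVE_LOG=/var/log/suricata/eve.json       # assumption: OPNsense eve.json location

SAMPLE_EVE='{"timestamp":"2024-05-30T12:00:01.000000+0200","event_type":"alert","in_iface":"pppoe0","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2024-05-30T12:00:02.000000+0200","event_type":"flow","in_iface":"pppoe0"}
{"timestamp":"2024-05-30T12:00:03.000000+0200","event_type":"alert","in_iface":"pppoe0","alert":{"signature_id":1000001,"signature":"LOCAL constructed placeholder rule"}}'

# Number of alert records in $1 carrying signature id $2.
count_sid() {
    printf '%s\n' "$1" | grep '"event_type":"alert"' | grep -c "\"signature_id\":$2" || true
}

# Interfaces on which alerts were recorded, one per line, deduplicated.
alert_ifaces() {
    printf '%s\n' "$1" | grep '"event_type":"alert"' | sed -n 's/.*"in_iface":"\([^"]*\)".*/\1/p' | sort -u
}

# "seen" when the probe's signature is present, "missing" otherwise.
nids_verdict() {
    if [ "$(count_sid "$1" "$PROBE_SID")" -gt 0 ]; then echo seen; else echo missing; fi
}

# On the firewall (or a LAN host behind it): fire the probe over plain HTTP, give
# Suricata a moment, then judge the tail of the real log. Not executed here.
run_probe() {
    curl -s http://testmynids.org/uid/index.html >/dev/null
    sleep 5
    nids_verdict "$(tail -n 2000 "$EVE_LOG")"
}

nids_verdict "$SAMPLE_EVE"
```

Two caveats a practitioner should keep in mind: the probe must travel over plain HTTP, since Suricata cannot inspect the body of an HTTPS download, so an EICAR test fetched over TLS proves nothing about the sensor; and when `run_probe` returns `missing` while the WAN is clearly passing traffic, compare `alert_ifaces` against the interface configured for the IDS, because a sensor bound to an interface it cannot capture from produces exactly the silence described in the post.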
#9
In pfSense 24.03 you can easily switch the DHCP backend from ISC to Kea (and vice versa) with 2 clicks. I wish OPNsense would implement something similar. Reservations and so on stay in place.

see attachment.

#10
Similar issue with Suricata after the upgrade to 23.1_6. All Suricata rulesets are downloaded except ET PRO.
After OPNsense boots successfully and everything works fine, I get a disconnect on the WAN (which Suricata is running on) after 5 min, for around 5-10 seconds. This disconnect happens just once after every reboot, after an uptime of around 5 min. After that, it runs for hours without issues.

Edit: maybe it's because the Suricata service starts a little bit delayed, and when the service starts, it shuts down the WAN interface for a couple of seconds.
#11
Quote from: hushcoden on May 29, 2022, 07:58:00 PM
Is there a way to decide which internal IPs can use the VPN?

I have about 20 devices connect to my LAN, and I'd like just a couple of those devices to use the VPN, is it feasible?

Tia.

Yes it is. Just use firewall rules with the client IP as source and the selected ProtonVPN gateway as Gateway in that rule.

https://protonvpn.com/support/pfsense-2-5-x-vpn-setup/
BR
#12
21.7 Legacy Series / 21.7 upgrade failure
July 29, 2021, 12:56:27 AM
After the upgrade it gets stuck at "vlan changing name to...".
I use a mini PC with Intel CPU and NICs (nrg-systems.de).

What I tested:

Running OPNsense 21.1.9, upgrade to 21.7
-> freeze on vlan config

Clean install 21.7 (works) and restore with 21.1.9 backup
-> freeze on vlan config

Clean install 21.1.9, restore config 21.1.9 and upgrade to 21.7
-> freeze on vlan config

Clean install 21.1.9 and restore config 21.1.9
-> everything works fine

I also use LAGG interfaces with VLANs.

Similar to this:
https://forum.opnsense.org/index.php?topic=23867.0

Thanks for Help!

Best Regards

#13
Same issue here with the final 21.7.

After the upgrade it gets stuck at "vlan changing name to...".
I use a mini PC with Intel CPU and NICs (nrg-systems.de).

What I tested:

Clean install 21.7 (works) and restore with 21.1.9 backup
-> freeze on vlan config

Clean install 21.1.9, restore config 21.1.9 and upgrade to 21.7
-> freeze on vlan config

Clean install 21.1.9 and restore config 21.1.9
-> everything works fine

I also use LAGG interfaces with VLANs.

Thanks for Help!

Best Regards
#14
Zenarmor (Sensei) / Re: os-sensei-db (missing)
March 30, 2021, 03:57:49 PM
I tried it on another OPNsense with Sensei actively running.

Short version:

Just delete 'sensei-db'

cd /usr/local/opnsense/version/
rm -rv sensei-db

Then use the auto plugin resolver, and reset local conflicts.
Done.


Hint:
There is another folder under /usr/local/sensei-db.
I'm not sure if it is still in use or not.
To fix the GUI it is enough to delete the folder /usr/local/opnsense/sensei-db.
I also deleted the folder /usr/local/sensei-db, which had a lot of content, but the instance is still running; I can't say for sure whether data (dashboard) is lost.

br
K
#15
Zenarmor (Sensei) / Re: os-sensei-db (missing)
March 30, 2021, 03:50:46 PM
resolved!

What I did before opening this thread:
- uninstall Sensei
- run automatic plugin resolver
- reset plugin conflicts
- reboot

Result = sensei-db missing

Then I opened this thread.

Meanwhile I searched over the CLI for everything related to 'sensei' or 'os-sensei' or 'sensei-db' and deleted it manually.

find / -name 'sensei-db'


- run automatic plugin resolver
- reset plugin conflicts

Result: sensei-db missing still there

- reboot opnsense

result: sensei-db missing still there
- run automatic plugin resolver
- reset plugin conflicts

result: gone :)
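The two posts above boil down to one procedure: find every leftover directory matching the names the poster searched for, remove them, then let the plugin resolver run. The script below is an added example, not part of the posts or of the Zenarmor/OPNsense projects, that does the find-then-remove step with a dry run by default so nothing is deleted until the list has been read. The directory tree it builds is constructed in a temporary directory for demonstration; on a real box you would point `purge_leftovers` at `/` as the poster's `find / -name 'sensei-db'` does, and the name patterns `sensei`, `sensei-db` and `os-sensei*` are taken from the posts rather than from any documented package layout.

```shell
#!/bin/sh
# Added example (not from the posts): locate leftover Sensei directories under a
# root and remove them only when explicitly confirmed.

# Directories under $1 matching the names the poster searched for. -depth lists
# children before parents, so a nested match is removed before its parent.
find_leftovers() {
    find "$1" -depth -type d \( -name 'sensei-db' -o -name 'sensei' -o -name 'os-sensei*' \) 2>/dev/null
}

# Dry run unless $2 is "yes"; prints each candidate, then the number of matches.
purge_leftovers() {
    root=$1; confirm=${2:-no}; n=0
    while IFS= read -r d; do
        [ -n "$d" ] || continue          # skip the empty line an empty result yields
        n=$((n + 1))
        if [ "$confirm" = yes ]; then
            rm -rf "$d"
        else
            echo "would remove: $d"
        fi
    done <<EOF
$(find_leftovers "$root")
EOF
    echo "$n"
}

# Constructed tree mirroring the two locations mentioned in the posts, plus an
# unrelated directory that must survive the purge. Prints the temp root.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/local/opnsense/version/sensei-db" \
             "$t/usr/local/sensei-db/data" \
             "$t/usr/local/etc/keep"
    echo "$t"
}

# Dry run, real run, then verify: "clean" when no match remains and the
# unrelated directory is still there, "dirty" otherwise.
demo() {
    t=$(demo_tree)
    purge_leftovers "$t" >/dev/null
    purge_leftovers "$t" yes >/dev/null
    left=$(find_leftovers "$t" | wc -l | tr -d ' ')
    if [ "$left" -eq 0 ] && [ -d "$t/usr/local/etc/keep" ]; then
        echo clean
    else
        echo dirty
    fi
    rm -rf "$t"
}

demo
```

Read the dry-run list before passing `yes`: a pattern as short as `sensei` can match directories belonging to something else, and `rm -rf` on a wrong match is not recoverable.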