Messages - rudiservo

1
24.7 Production Series / Re: IPv6 Track on Loopback
« on: September 26, 2024, 12:01:23 am »
Thanks Franco.

Not the ideal solution, should I add an issue in github to brainstorm a better solution for this?

2
24.7 Production Series / IPv6 Track on Loopback
« on: September 25, 2024, 09:30:07 pm »
hey guys, I tried to put a loopback with track interface to use with NPTv6.

At first it kind of worked, but then dhcpv6 started throwing some errors:

Code:
Unsupported device type 24 for "lo1"
Here is the full line:

Code:
/usr/local/sbin/pluginctl: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid vlan0.3.200 lo1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.4.3-P1 Copyright 2004-2022 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpdv6.conf Database file: /var/db/dhcpd6.leases PID file: /var/run/dhcpdv6.pid Wrote 3 NA, 0 TA, 0 PD leases to lease file. Bound to *:547 Unsupported device type 24 for "lo1" If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging. exiting.'

It works if I add a VLAN that I do not use, is there a better way of doing this instead of VLAN?

My reason for using track with NPTv6 is the IPv6 /56 is provided dynamically by ISP, this way I can have my local resources always with the same IPv6 and I do not have to change the firewall rules.

3
24.1 Legacy Series / Unbound Issue with ISC DHCP4 leases
« on: June 08, 2024, 02:12:30 pm »
I am getting this error on the latest update to 24.1.8.

I did confirm it: I have 3 different systems and all of them have this issue after the update.

2024-06-07T22:41:11   Error   unbound   [50402:0] error: remote control failed ssl crypto error:0A000415:SSL routines::sslv3 alert certificate expired

OPNsense 24.1.8-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13

4
24.1 Legacy Series / Re: 24.1 IDS breaks internet
« on: January 31, 2024, 01:17:51 am »
Same here, had to disable it.

Going out on a limb here, Franco, sorry, I know you are the maintainer of the package: is it compiled with --enable-netmap?

I don't see it in Makefile of the master branch.

https://docs.suricata.io/en/suricata-7.0.2/capture-hardware/netmap.html

"To build Suricata with NETMAP, add --enable-netmap to the configure line. The location of the NETMAP includes (/usr/src/sys/net/) does not have to be specified."

5
24.1 Legacy Series / Upgrade deleted manually added WAN gateway
« on: January 31, 2024, 12:58:18 am »
Somehow the upgrade deleted the upstream Gateway.

The system has a fixed IP address on a WAN with vlan.

6
23.7 Legacy Series / Re: Bug ? "CARP defaults" rules are generated even if there is no virtual IP
« on: September 26, 2023, 04:13:55 pm »
Not only that, it generates generic rules on all interfaces; do not open stuff where it doesn't need to be open.

7
23.7 Legacy Series / Re: WebGui is not creating /tmp/php-fastcgi.socket-0
« on: August 21, 2023, 07:16:07 pm »
It's listening on all of them, some are disabled, can that be an issue?

8
23.7 Legacy Series / Re: WebGui is not creating /tmp/php-fastcgi.socket-0
« on: August 21, 2023, 06:52:00 pm »
Did that already twice before, here is the output.

Code:
Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: h

>>> Check installed kernel version
Version 23.7.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.7.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
SunnyValley
OPNsense
>>> Check installed plugins
os-acme-client 3.19
os-ddclient 1.14
os-frr 1.34_1
os-hw-probe 1.0_1
os-mdns-repeater 1.1
os-nginx 1.32.1_3
os-sensei 1.14.3
os-sensei-updater 1.14
os-smart 2.2_2
os-sunnyvalley 1.2_3
os-theme-vicuna 1.45
os-upnp 1.5_3
os-wol 2.4_1
os-zerotier 1.3.2_4
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: .................................................................... done

Press any key to return to menu.

9
23.7 Legacy Series / WebGui is not creating /tmp/php-fastcgi.socket-0
« on: August 20, 2023, 02:51:27 pm »
I don't know why, but I have one machine that is having issues with creating the socket.

I have checked the logs for it; I can't find who or where creates the link to /var/run/php-webgui.socket and why it fails.

lighttpd just complains that the socket is non-existent:

******************** lighttpd 95143 - [meta sequenceId="3"] (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.71/src/gw_backend.c.281) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: No such file or directory


Does anyone have any idea why this happens?

10
Zenarmor (Sensei) / Re: 23.7 CPU / RAM 100% crashing - Zenarmor?
« on: August 17, 2023, 04:10:08 pm »
I was able to fix it, I had to reset to factory defaults.

It's in the uninstall tab.

Nonetheless there is another issue: even if you have routed native netmap, ZA will use emulated netmap.
It's in the OPNsense general logs (debug).

11
Zenarmor (Sensei) / Re: 23.7 CPU / RAM 100% crashing - Zenarmor?
« on: August 16, 2023, 12:08:38 pm »
Guys, for the sake of trying to figure out what is going on, what type of NICs are you running this on?

Quote from: fatbob01 on August 14, 2023, 09:33:46 pm
I have the same problem on an N100 mini PC. Funny enough, I have the exact same configuration on an ESXi VM, no issues. Had to uninstall Zenarmor only on the mini PC. Both 8GB RAM. Let me know what Zenarmor has to say.

Thanks!

I am suspecting an issue with Zenarmor talking with netmap; I have ZA only on one NIC (Realtek) and Suricata on the WAN.
The only time ZA does not go to 100% is if all my networks stop talking, not just the one it is attached to.

12
23.1 Legacy Series / Re: Possible FRR OSPF adds rules to each passive interface
« on: May 11, 2023, 01:57:51 pm »
Hi, I did make a pull request, but I think it needs improvements.

https://github.com/opnsense/plugins/pull/3432

So here is the issue: FRR adds firewall filter rules to all interfaces; for each network it adds 2 in rules and 2 out rules.

I have tested locally and it does have a performance impact with these rules added, with or without the interface; there is a noticeable difference in inter-VLAN routing in the branch office, everything feels faster to respond.

I asked on GitHub, but what I do not know is the proper way to identify which interfaces to add these rules to: the interfaces configured in the Interfaces tab of OSPF, or the non-passive interfaces in the General tab.

The pull request code might need just one improvement, to add the rules only once per enabled interface, but I would like some feedback on what the proper way is to identify and add the rules for the required interfaces to get OSPF running properly instead of general automated rules.

I am a bit rusty in OSPF, my GIMP skills are also bad, sorry.

Here is the original code that is creating all the rules. You can see the rules in any interface's FW rules: there is a small line "automatically added rules", just expand it and you can see the OSPF rules added.


Code:
foreach ($ospf->networks->network->iterateItems() as $network) {
    if ((string)$network->enabled == '1') {
        // inbound multicast OSPF from the network to the all-routers range
        $fw->registerFilterRule(
            1, /* priority */
            array(
                'ipprotocol'     => 'inet',
                'protocol'       => 'ospf',
                'statetype'      => 'keep',
                'label'          => 'Pass OSPF (autogenerated)',
                'from'           => $network->ipaddr . '/' . $network->netmask,
                'to'             => '224.0.0.0/24',
                'direction'      => 'in',
                'type'           => 'pass',
                'disablereplyto' => 1,
                'quick'          => true
            ),
            null
        );
        // inbound unicast OSPF addressed to the firewall itself
        $fw->registerFilterRule(
            1,
            array(
                'ipprotocol'     => 'inet',
                'protocol'       => 'ospf',
                'statetype'      => 'keep',
                'label'          => 'Pass OSPF UNICAST (autogenerated)',
                'from'           => $network->ipaddr . '/' . $network->netmask,
                'to'             => '(self)',
                'direction'      => 'in',
                'type'           => 'pass',
                'disablereplyto' => 1,
                'quick'          => true
            ),
            null
        );
        // outbound multicast OSPF towards the network
        $fw->registerFilterRule(
            1,
            array(
                'ipprotocol'     => 'inet',
                'protocol'       => 'ospf',
                'statetype'      => 'keep',
                'label'          => 'Pass OSPF (autogenerated)',
                'from'           => '224.0.0.0/24',
                'to'             => $network->ipaddr . '/' . $network->netmask,
                'direction'      => 'out',
                'type'           => 'pass',
                'disablereplyto' => 1,
                'quick'          => true
            ),
            null
        );
        // outbound unicast OSPF from the firewall itself
        $fw->registerFilterRule(
            1,
            array(
                'ipprotocol'     => 'inet',
                'protocol'       => 'ospf',
                'statetype'      => 'keep',
                'label'          => 'Pass OSPF UNICAST (autogenerated)',
                'from'           => '(self)',
                'to'             => $network->ipaddr . '/' . $network->netmask,
                'direction'      => 'out',
                'type'           => 'pass',
                'disablereplyto' => 1,
                'quick'          => true
            ),
            null
        );
    }
}

13
23.1 Legacy Series / Possible FRR OSPF adds rules to each passive interface
« on: May 10, 2023, 07:15:51 pm »
I'm trying to understand the automatically added rules in OPNsense by FRR: FRR adds 4 rules for each network added to OSPF and they appear on all networks, even passive ones.

So are these rules "general" or per interface?

14
Zenarmor (Sensei) / Re: mongodb issue
« on: August 13, 2022, 12:48:44 am »
Have you tried on the CLI:

Code:
pkg install -fy os-sensei
edit:
Tried it, didn't work.

As noted in another post, if you are on version 22.7.1, check whether you have a single package for php7.4 (php74-pecl-mongodb) and remove it.

Code:
pkg remove php74-pecl-mongodb
IF and only IF this is the only php 7.4 package left, nothing else; do not remove anything from php8.

15
Zenarmor (Sensei) / Re: Benefits of zenarmor over suricata?
« on: August 06, 2022, 01:41:24 pm »
Quote from: QuaCKeReD on August 05, 2022, 04:57:28 pm
Is this advisable - to use zenarmor for both internal and external interfaces?

Not really a good idea.
E.g. if you have a DMZ, the added overhead for serving requests will skyrocket and you will have double the logs for the same traffic; also you might not want to include some internal interfaces.

Also Zenarmor has exceptions for the domains you add, and these might be based on traffic going into the interface, not out.
E.g. it might consider every external connection on the WAN interface as an internal device, so naturally Zenarmor might consider that you have 1000+ devices that aren't really yours, which might not do well in the database and also in the way it logs and analyzes traffic.
It all depends on how Zenarmor is implemented.

Honestly I would keep Suricata with Hyperscan for WAN interfaces and Zenarmor for analyzing and protecting internal interfaces for your end users.
For the DMZ you have other stuff, like a WAF (web application firewall) on nginx.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved