Messages - thereaper

#1
Quote from: Patrick M. Hausen on October 02, 2024, 01:18:10 PM


Right, thanks. Maybe this should be checked by default on new installs, at least for LAN and WAN that are created by the setup wizard.
#2
I found a bug! :)

So my mini PC had issues; I was playing with BIOS settings and accidentally disabled one Ethernet adapter.
OPNsense booted, no interface in Interfaces, no sign of it anywhere, as if it never existed.
Restart, go to BIOS, enable adapter, boot OPNsense.
Interface is still missing from Interfaces, no sign of it anywhere. Mine was the WAN one :)

I had to reset to default configuration to fix it. Maybe it is worth looking into, maybe not.
Cheers!

#3
Quote from: jimjohn on May 02, 2021, 11:43:01 AM
OK, so for everyone else having similar problems, here's the step by step guide again:

1. Define Policy "Alert to Drop" -- Apply
2. Download & Update Rules
2.1. Check within the Rules Tab (Enabled) ===> Are all rules on drop?
3. Settings -- Apply

Thanks!
With these settings, will I see the Drop actions in the Alerts tab? If not, where can I see it to make sure it is working?
#4
Quote from: Greg_E on September 13, 2024, 03:16:38 PM
I would probably disable promiscuous mode, I don't think you need it.
Thanks, disabled now.

Quote from: Greg_E on September 13, 2024, 03:16:38 PM
When you downloaded all the rules, did you set them to blocking or just alert?

I went to the Rules tab, searched for ClassType = network-scan, and set all that were found (26) to Block, done within the Rules tab.
But it does not seem to work.

Do I really need to make Policies for standard rules? I think you are right:

"In previous versions (prior to 21.1) you could select a "filter" here to alter the default behavior of installed rules from alert to block. As of 21.1 this functionality will be covered by Policies"
https://docs.opnsense.org/manual/ips.html#download-rulesets

Going to try making Policies :)
#5
GRC Shields Up! service still happily scans all my ports, no blocking happening ...

Enabling Services / Intrusion Detection / Administration / Settings / "Promiscuous mode" did not help either.

And I tried enabling rulesets one by one, not all at once. But I could not find which RuleSet contains rules of ClassType = network-scan. I cannot tell which RuleSet a Rule belongs to. In the Rule Info tab we only see "Source = emerging-scan.rules", but what is "emerging-scan.rules"? It is not a RuleSet ...

Please help :)
#6
Quote from: jclendineng on June 16, 2020, 12:43:39 PM
... The plugin you want for either firewall is called "suricata", and in the rulesets there is a category for scans :) that will detect port scans and block.

What are the simplest steps to enable port scan blocking using only native OPNSense IDS?
I did these steps, but not sure it is working:

1. Go Services / Intrusion Detection / Administration. Settings tab. I have checked:
  - Enabled
  - IPS mode
  - Interfaces: WAN
  - Enable syslog alerts
  - Promiscuous mode (not needed probably)
2. Go to Download tab
  - Check all Rulesets
  - Press "Enable Selected" button, press "Download and Update Rules" button
3. Go to Rules tab
  - press Filters dropdown, type "scan", press Enter. There will be ~26 rules.
  - select all, press "Drop" button below, press Apply button.

Still I don't see anything in the Alerts tab, only a weird GUI flash-refresh kind of glitch. But on the Lobby / Dashboard / Firewall pie chart, pressing the "Default Deny" pie opens the live log, where I can still see port scanning happening.

What did I miss? Maybe add these steps to the HowTo OPNSense documentation page?
Or, if I did it correctly, where can I see a list of blacklisted IPs?
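A way to answer the "Are all rules on drop?" check from the step-by-step guide quoted earlier, and to confirm the result of the procedure in the post above, is to look at the rule files Suricata actually loads rather than at the GUI. The following script is an added example, not code from the forum posts or from OPNsense: it counts how many enabled rules of a classtype still start with `alert` versus `drop`. The sample rule lines are constructed for the demo (they are not real Emerging Threats rules), and the on-disk location of the installed rules given in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the forum posts): check whether every enabled Suricata
# rule of a given classtype is a "drop" rule, i.e. whether a Policy or a manual
# Drop change has really been applied to the rules Suricata loads.

# Constructed sample rule lines in Suricata syntax; these are NOT real ET rules.
# The last line is commented out, which is how a disabled rule appears on disk.
SAMPLE_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SCAN SYN probe"; flags:S; classtype:network-scan; sid:9000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SCAN xmas probe"; flags:SFPU; classtype:network-scan; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE POLICY ssh"; classtype:policy-violation; sid:9000003; rev:1;)
# drop udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SCAN disabled"; classtype:network-scan; sid:9000004; rev:1;)'

# count_rules CLASSTYPE ACTION < rules
# Prints how many enabled (non-commented) rules of CLASSTYPE use ACTION.
count_rules() {
    awk -v ct="classtype:$1;" -v act="$2" '
        /^[[:space:]]*#/ { next }                 # skip disabled rules
        $1 == act && index($0, ct) > 0 { n++ }    # the action is the first token
        END { print n + 0 }'
}

# classtype_all_drop CLASSTYPE < rules
# Succeeds only if the classtype has at least one enabled rule and none still alerts.
classtype_all_drop() {
    rules=$(cat)
    alerts=$(printf '%s\n' "$rules" | count_rules "$1" alert)
    drops=$(printf '%s\n' "$rules" | count_rules "$1" drop)
    [ "$alerts" -eq 0 ] && [ "$drops" -gt 0 ]
}

# Stand-alone run against the constructed sample. On a live OPNsense box you would
# instead cat the installed rule files into classtype_all_drop (assumed location:
# /usr/local/etc/suricata/opnsense.rules/*.rules).
if printf '%s\n' "$SAMPLE_RULES" | classtype_all_drop network-scan; then
    echo "network-scan: all enabled rules drop"
else
    echo "network-scan: some enabled rules still only alert, or none are enabled"
fi
```

With the sample above the check fails, because sid 9000001 is still an `alert` rule even though sid 9000002 drops; that is exactly the state the GUI can hide when only some of a classtype was switched. Run it after every "Download & Update Rules", since a rule update can reset actions that were changed by hand instead of through a Policy.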
#7
The ddclient works with AWS now! Settings:
- ddclient / General Settings / Backend = "native"
- ddclient / Accounts / (account) / Check ip method = Interface[IPV4] (clone it for second account for IPV6)
I'm on the latest OPNsense 24.1.1-amd64, it might help.
#8
Quote from: cknight725 on November 17, 2023, 04:08:52 AM
Any Update on this -- announcement was made about Route53 protocol support added to ddclient, but I can't see AWS or Route53 in the services ....

If in ddclient / General Settings / Backend you select "native", then you can create Account with Service = aws.

But it still does not work, see
- "I found out that the os-ddclient custom backend only implements the dyndns2 protocol which is not supported by AWS Route53", in this thread
- https://forum.opnsense.org/index.php?topic=38706.msg189486#msg189486

EDIT: Hmm, just saw one NOTICE line in log, "Account (UUID) [aws - R53] set new ip x.x.x.x, ID /change"
Maybe it started working ...
#9
Looks like the legacy plugin, dyndns, which worked perfectly with AWS, got dropped.

There is a 25-page-long thread about ddclient issues:
https://forum.opnsense.org/index.php?topic=26446.360

I'm getting very strange errors, and the error string "No address found for" is not even in the source code ... How to debug it, please?


Or can we have legacy dyndns plugin back please?


2024-02-09T18:22:11 Warning ddclient No address found for 313-(redacted uuid)-483b3 [aws - ]
2024-02-09T18:16:59 Warning ddclient No address found for 313-(redacted uuid)-483b3 [aws - ]
2024-02-09T18:11:47 Warning ddclient No address found for 313-(redacted uuid)-483b3 [aws - ]
2024-02-09T18:08:13 Warning ddclient No address found for 313-(redacted uuid)-483b3 [aws - ]
2024-02-09T18:03:37 Warning ddclient No address found for 313-(redacted uuid)-483b3 [aws - ]
2024-01-17T12:35:04 Notice ddclient WARNING: file /usr/local/etc/ddclient.conf: file /usr/local/etc/ddclient.conf must not be accessible by others.
2024-01-17T12:35:04 Notice ddclient WARNING: file /usr/local/etc/ddclient.conf: file /usr/local/etc/ddclient.conf must be accessible only by its owner.
2024-01-17T12:35:04 Notice ddclient WARNING: file /usr/local/etc/ddclient.conf: file /usr/local/etc/ddclient.conf must be accessible only by its owner (fixed).
2023-12-20T11:04:17 Notice ddclient WARNING: file /usr/local/etc/ddclient.conf: file /usr/local/etc/ddclient.conf must not be accessible by others.
2023-12-20T11:04:17 Notice ddclient WARNING: file /usr/local/etc/ddclient.conf: file /usr/local/etc/ddclient.conf must be accessible only by its owner.
2023-12-20T11:04:17 Notice ddclient WARNING: file /usr/local/etc/ddclient.conf: file /usr/local/etc/ddclient.conf must be accessible only by its owner (fixed).
#10
Quote from: netnut on January 24, 2024, 08:10:00 PM
Do you have a hardware defect ? You could simply solve it by changing a battery:
https://www.duracell.com/en-us/products/lithium-coin-batteries/

I don't see Duracell batteries in FreeBSD supported hardware list, not sure it is compatible... :)
#11
Quote from: Patrick M. Hausen on January 24, 2024, 09:37:49 AM
NTP servers rarely change IP addresses - use addresses instead of DNS names.

Good advice, but it is a step away from the default OPNsense configuration. I still think the ability to set date and time in the GUI is a good feature.
#12
Quote from: Patrick M. Hausen on January 24, 2024, 08:18:58 AM
Do you have NTP enabled?

Yes. But it is a cascading failure.
- Box boots with date 01-01-2012.
- NTP starts and tries to DNS-resolve the configured servers.
- DNS requests go to Unbound, which tries to connect to upstream DNS servers using DoT (DNS over TLS).
- Unbound fails to connect due to a TLS error - the difference between the years 2012 and 2024.
#13
My router forgets the date and time if it gets shut down. I believe it's either an incompatibility of the RTC clock hardware with FreeBSD (OS not updating the RTC clock), or the battery (just replaced it :), or just my luck.

To set the date back to the correct one, I need to ssh into the box and issue the "date" command.

It would be nice to set the date and time using the GUI. Thanks! And it is a great project!

PS: Box is Lenovo M73 (10AX) micro PC with added 2nd Eth card.
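The cascade described two posts up (stale RTC, NTP needs DNS, DNS goes over TLS, TLS rejects every certificate because 2012 is before its notBefore date) can be broken automatically instead of by logging in and running `date` by hand. The script below is an added example, not code from the forum posts or from OPNsense. It keeps a "latest time this box has definitely seen" stamp; a clock reading earlier than that stamp is impossible and therefore stale, and in that case time is stepped from an NTP server by literal IP, so nothing depends on Unbound or DoT while the clock is wrong. The stamp path, the placeholder server address, and the availability of ntpdate(8) on the box are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum posts): detect an RTC that came up years in
# the past and bootstrap time without DNS, since DNS over TLS cannot succeed
# while the clock predates the upstream certificates.

# Both values are assumptions for this example, not OPNsense defaults.
STAMP_FILE=${STAMP_FILE:-/var/db/last-known-time}
NTP_BOOTSTRAP_IP=${NTP_BOOTSTRAP_IP:-192.0.2.123}   # placeholder (TEST-NET-1); use your NTP server's IP

# Record the current time whenever the clock is trusted (run this from cron).
save_stamp() { date +%s > "$STAMP_FILE"; }

# clock_is_stale NOW_EPOCH STAMP_FILE
# A clock that reads earlier than a moment we have already lived through must be wrong.
clock_is_stale() {
    [ -r "$2" ] || return 1            # no stamp yet: cannot judge, treat as fine
    last=$(cat "$2")
    [ "$1" -lt "$last" ]
}

# bootstrap_time NOW_EPOCH STAMP_FILE
# Prints "ok" when the clock is plausible, "stepped" after a successful NTP step
# by literal IP, "failed" when the step did not work (ntpdate assumed present).
bootstrap_time() {
    if clock_is_stale "$1" "$2"; then
        # Literal IP: no name resolution, hence no Unbound/DoT dependency.
        if ntpdate -u "$NTP_BOOTSTRAP_IP" >/dev/null 2>&1; then
            save_stamp
            echo stepped
        else
            echo failed
        fi
    else
        echo ok
    fi
}

# Stand-alone run: judge the live clock against the stamp file.
bootstrap_time "$(date +%s)" "$STAMP_FILE"
```

Hook `save_stamp` into a periodic cron entry and `bootstrap_time` into an early boot step that runs before Unbound starts. Because the stamp only ever grows, a genuine backwards jump (the 01-01-2012 boot in the post) is caught on the first run, while a box with a healthy RTC never pays more than one file read. For the manual fix the post describes, FreeBSD's `date` takes the new time as `[[[[[cc]yy]mm]dd]HH]MM[.ss]`, e.g. `date 202402091822` for 2024-02-09 18:22.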
#14
Thanks, the dyndns one works!
#15
I wanted to set it up, looked at the docs, and the docs recommend os-ddclient. But it seems to lack Route53 support.

The legacy plugin, os-dyndns, supports even two Route53s, lol, IPv4 and v6. But it complains "Please make sure to upgrade to os-ddclient before 22.7 is released as this plugin will be removed from our repository".

What am I missing, please?