Messages

1

23.1 Legacy Series / Unable to access some sites but not blocked in firewall

« on: April 23, 2023, 07:06:14 pm »

I'm running 23.1.6 but was having similar issues before

I've noticed if I try to access https://en.avm.de which is for the fritzbox routers the webpage times out, I'm also getting similar on other sites as well.

I've checked and even disabled zenarmour and that is not blocking the sites, checked firewall and that doesn't seem to be blocking either. No geoip settings enabled

If I switch device to use mobile internet it works fine, other than fully remove opnsense or rebuild it I'm not sure where the issue is.

Any ideas?

2

23.1 Legacy Series / Strongswan vunberability

« on: March 05, 2023, 01:02:13 pm »

So I've upgraded from 22 to 23 and says on latest version 23.1.1_2 yet when checking security audit under updates it's still returning the following

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.1.1_2 at Sun Mar  5 11:50:38 GMT 2023
vulnxml file up-to-date
strongswan-5.9.9_1 is vulnerable:
  strongSwan -- certificate verification vulnerability
  CVE: CVE-2023-26463
  WWW: https://vuxml.FreeBSD.org/freebsd/3f9b6943-ba58-11ed-bbbd-00e0670f2660.html

1 problem(s) in 1 installed package(s) found.
***DONE***

the vunerability reports the following
A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected.

If we don't use the vpn's within OpnSense, do we need to be worried

3

Zenarmor (Sensei) / Scheduled Reports

« on: January 15, 2023, 12:46:10 am »

I've recently rebuilt my opnsense system (not used since july 2022) and performed a clean install, setup zenarmour again and enabled the scheduled reporting.

When I perform a test I get the pdf report without any issues, but if I leave it to run overnight the report is 1k in size and when open it, it shows 504 gateway error.

I know the pdf's are generated using an API in Sunny Valley Networks Datacenter, which suggests there is an issue on their network, can SVND confirm if there is a timescale to resolve this problem and if we have to just stick with html version of the reporting.

4

Zenarmor (Sensei) / Re: Zenarmor & IPv6: Bad Combo (At least on ATT Fiber/US)

« on: January 15, 2023, 12:31:09 am »

If you can, get a static ipv6 and set opnsense to use static ipv6 and setup dhcpv6 and router assists, this will allow ipv6 to continue working.

i had this similar issue with a uk based isp and if set dhcpv6 to track ipv4 and wan i lost ipv6 when zenarmour was activated. i raised this with zenarmour around apr-may 2022.
 

5

General Discussion / Is it worth reinstalling from scratch

« on: August 16, 2022, 09:43:03 am »

So we had some internet issues recently where a fault on landline was causing my g.fast connection to drop. the isp required me to put on their own router for testing purposes to ensure it was not my router (opnsense on qotum pc) causing the problem, even though I stated it was the DSL light on the g.fast modem itself that was going off.

While performing the testing we had tried different routers (opnsense, fritzbox, deco m5 and Asus Zenwifi XT8) - one of the things we noticed was that when the connection dropped all the routers except the opnsense router were able to function correctly with DHCPv6 and routing was immediate.

The only way we got routing working for IPv6 on opnsense was to switch to static ipv6 instead of tracking wan with dhcpv6 as otherwise we constantly had to restart routing after the drops. there was also occasions where we constantly had to restart radvd.

I'm in two minds on whether to return back to opnsense in case we start having similar issues with routing, especially as the Asus Zenwifi XT8 is performing well. If we do decide would it be best just to reinstall from scratch the latest version (was previously updated from early version and had had many configuration changes along the way) and import any settings, or would it be best to also do them from scratch

6

22.1 Legacy Series / PPPoE drops, no routing of IPv6 afterwards unless recycle routing

« on: July 15, 2022, 06:50:31 pm »

Hi,

Is there a way of recycling system routing after a PPPoE drop as whenever it drops, I still have IPv6, DHCPv6 Server is running, but can't route ipv6 unless I recycle system routing. Is this the same as restarting radvd or does radvd do more?

Current settings for RA
Router Advertisements - Assisted
Router Priority - Normal
Source Address - Automatic
Advertise Default Gateway - Ticked

I'm not always available to manually recycle this, so need to get it to recycle routing when the connection is re-established

7

22.1 Legacy Series / Re: standard setup, no route on IPv6

« on: July 03, 2022, 03:34:14 pm »

what happens if you try setting dhcpv6 to dhcpv6 and set router advertisements to assisted.

8

22.1 Legacy Series / Re: IPv6 DNS/DHCPv6 roulette

« on: June 30, 2022, 07:07:42 pm »

did you get a PD and ND

try this, as this was my setup for my isp when using dhcpv6 on tracking wan
dhcpv6 client configuration
untick request only an ipv6 prefix
untick send ipv6 prefix hint

services router advertisements lan
change router advertisements to 'assisted'
untick use the dns settings of dhcpv6 server

I also have all my dns entries under system>settings>general

9

Zenarmor (Sensei) / Do I need Suricata IDS running if using Zenarmor (Sensei)

« on: June 24, 2022, 03:45:31 pm »

Hi,

I've now got Sensei (free version) fully working on my setup and wondered if I still need to use Suricata at the same time?

Regards

10

Zenarmor (Sensei) / Re: Lost DHCPv6 after installing plugin

« on: June 21, 2022, 06:59:23 pm »

Hi,

Please make sure that you try in bypass mode. In bypass mode, the Zenarmor packet engine just forwards the packages and never inspects them. I remember that it has occurred in bypass mode as well. Most probably it is a netmap issue and needs to look into it. It occurs with Suricate in IPS mode as well. Is Suricata active in your OPNsense?

As stated previously, I have tried in bypass mode and have exactly the same problem, whenever the engine starts DHCPv6 Server stops and can't be restarted. I've even tried with IPS disabled and have the same problem.

Its whenever the packet engine starts, dhcpv6 fails and can't be restarted until I disable zenarmour and reboot the whole system.

Update: 18:37  - I think I have it working - managed to get static ipv6 working after some trial and error, started zenarmour and dhcpv6 server still running, so it looks like when it's set to track interface I have the problem. I'm going to monitor to see if I have any issues as not sure if I've set router advertisements correctly (left these on assisted)

11

Zenarmor (Sensei) / Re: Lost DHCPv6 after installing plugin

« on: June 21, 2022, 03:50:42 pm »

update: Zenarmor report they are unable to reproduce the issues I'm experiencing with the DHCPv6 Server going offline and not restarting after starting their product.

My connection looks to be configured correctly as can get IPv6 through the internet, IPv6-Test shows it is working and I'm getting IPv6 entries in my lease table when I don't use Zenarmour.

Has anyone had similar issues or any other advice regarding the configuration of this plugin before I uninstall it

12

22.1 Legacy Series / Re: Switching to static IPV6 and dhcpv6 server - help/advice needed

« on: June 15, 2022, 06:28:44 pm »

Ok, so it didn't look right ...

sorry the instructions didn't match up, so wasn't sure if correct

13

Zenarmor (Sensei) / Re: Request for Feedback: Help us decide Zenarmor's next UI on OPNsense

« on: June 14, 2022, 09:22:29 pm »

Hi @walkerx,

Yes, this is not directly related to Zenarmor. It's because of netmap(4); an Operating System subsystem we use to grab packets off the wire.

If you have IPv6 WAN tracking enabled in a netmap enabled interface and when an application opens the interface in netmap mode, netmap re-initializes the interface; causing the interface to go DOWN/UP. Since you have WAN tracking here, this in turn triggers the OPNsense code to re-configure the related WAN addresses. This whole process can take up to a minute, during which time you lose WAN connectivity.

The behavior is the same if you use Suricata in IPS mode, which utilizes netmap the same way we do.

Having said that, we are evaluating several options which would potentially solve these sort of issues and would add device-independent IPS capabilities. If we can work out a methodology at least in theory, we'll go ahead and sponsor a development on the Operating System side of things.

Stay tuned for more updates on that.

I hope this is helpful.

I can wait hours with zenarmor enabled and dhcpv6 can't be restarted

I have looked at setting the ipv6 manually based on the info i got from my isp for the pd and nd, but not sure how to set this up as the instructions in the guide were a bit confusing when not using the same references throughout

14

Zenarmor (Sensei) / Re: Request for Feedback: Help us decide Zenarmor's next UI on OPNsense

« on: June 14, 2022, 08:29:17 pm »

I think before the UI is updated, any current issues are resolved

Waiting to find out why whenever I start Zenarmor, I lose IPv6 connectivity whether in normal or bypass operation and can't restart the DHCPv6 Server

15

22.1 Legacy Series / Re: Switching to static IPV6 and dhcpv6 server - help/advice needed

« on: June 14, 2022, 04:53:32 pm »

hi,

i tried setting it up but didn't look right.

One of the reasons for setting up in static, is to see if can fix the issue of not having to perform a full reboot to get ipv6 renabled after a line drop, also to get dhcpv6 up faster instead of having to wait 10-20 minutes after a restart of the connection which can happen (sometimes it doesn't restart so need to perform a full reboot)

other reason is to see if can get zenarmour also working with IPv6 as whenever enable it, it takes down DHCPv6 and can't re-enable unless I stop the zenarmour service and prevent it from starting after a reboot. Happens even in bypass mode. Have raised the issue with their support and waiting for an update.