Messages - siga75

#1
glad they're working on it, well in my case it's not empty, but has the label of another rule, but it's almost certain the issue is the same, or related

thx
#2
same issue here, from a port forward auto generated rule, see attachments

Type   opnsense   
Version   24.7.9_1   
Architecture   amd64   
Commit   b41ccdc9f   
Mirror   https://opnsense-mirror.hiho.ch/FreeBSD:14:amd64/24.7   
Repositories   OPNsense (Priority: 11)   
Updated on   Sat Nov 23 15:12:18 CET 2024   
Checked on   N/A

#3
never mind, just ordered a cheap AP, too bad, it was nice not to have an extra device
#4
Hi,

just upgraded and facing the same issue. Any news?

root@myfw:~ # dmesg | grep run0
run0 on uhub0
run0: <Ralink 802.11 n WLAN, class 0/0, rev 2.00/1.01, addr 1> on usbus0
run0: MAC/BBP RT3070 (rev 0x0200), RF RT3020 (MIMO 1T1R), address 00:22:43:73:89:17
run0: [HT] Enabling 802.11n
wlan0: changing name to 'run0_wlan1'
run0: firmware RT2870 ver. 0.33 loaded
run0: firmware RT2870 ver. 0.33 loaded
run0: firmware RT2870 ver. 0.33 loaded
root@myfw:~ # tail /var/log/wireless/latest.log
<31>1 2024-10-15T17:07:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="1"] run0_wlan1: WPA rekeying GTK
<31>1 2024-10-15T17:08:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="1"] run0_wlan1: WPA rekeying GTK
<31>1 2024-10-15T17:09:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="1"] run0_wlan1: WPA rekeying GTK
<31>1 2024-10-15T17:10:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="1"] run0_wlan1: WPA rekeying GTK
<31>1 2024-10-15T17:11:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="1"] run0_wlan1: WPA rekeying GTK
<31>1 2024-10-15T17:12:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="1"] run0_wlan1: WPA rekeying GTK
<31>1 2024-10-15T17:13:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="1"] run0_wlan1: WPA rekeying GTK
<31>1 2024-10-15T17:14:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="1"] run0_wlan1: WPA rekeying GTK
<31>1 2024-10-15T17:15:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="1"] run0_wlan1: WPA rekeying GTK
<31>1 2024-10-15T17:16:21+02:00 myfw.signorini.in hostapd 17447 - [meta sequenceId="2"] run0_wlan1: WPA rekeying GTK
#5
Thanks!
#6
please, could someone help me and try the below command?
#7
any idea?
can someone using it confirm it works, or can someone just launch it to tell me if the same error appears?

you can try: gcloud info --run-diagnostics
#8
Hi all,

the gcloud command does not work anymore. I only noticed now because my certificates have expired, so it could be an issue from 2 or 3 months ago. I use acme with DNS validation.

Nothing relevant in the logs. I also tried to truss it, but still no useful info


[root@myfw ~]# /usr/local/bin/gcloud dns record-sets list --name="www.signorini.ch." --type="A" -z "external-ch"
ERROR: gcloud crashed (AttributeError): 'NoneType' object has no attribute 'clean_version'

If you would like to report this issue, please run the following command:
  gcloud feedback

To check gcloud for common problems, please run the following command:
  gcloud info --run-diagnostics


[root@myfw ~]# gcloud info --run-diagnostics
Network diagnostic detects and fixes local network connection issues.
Checking network connection...failed.
ERROR: gcloud crashed (AttributeError): 'NoneType' object has no attribute 'clean_version'

If you would like to report this issue, please run the following command:
  gcloud feedback

To check gcloud for common problems, please run the following command:
  gcloud info --run-diagnostics


[root@myfw ~]# pkg which /usr/local/bin/gcloud
/usr/local/bin/gcloud was installed by package google-cloud-sdk-431.0.0


[root@myfw ~]# pkg info google-cloud-sdk-431.0.0
google-cloud-sdk-431.0.0
Name           : google-cloud-sdk
Version        : 431.0.0
Installed on   : Fri May 26 11:26:15 2023 CEST
Origin         : net/google-cloud-sdk
Architecture   : FreeBSD:13:*
Prefix         : /usr/local
Categories     : net
Licenses       : APACHE20
Maintainer     : bofh@FreeBSD.org
WWW            : https://developers.google.com/cloud/sdk/
Comment        : Google Cloud SDK for Google Cloud Platform
Options        :
        BASH           : on
        ZSH            : on
Annotations    :
        repo_type      : binary
        repository     : OPNsense
Flat size      : 326MiB
Description    :
Google Cloud SDK contains tools and libraries that enable you to easily create
and manage resources on Google Cloud Platform, including App Engine, Compute
Engine, Cloud Storage, BigQuery, Cloud SQL, and Cloud DNS.

WWW: https://developers.google.com/cloud/sdk/


[root@myfw ~]# opnsense-version
OPNsense 23.1.9


[root@myfw ~]# find /usr/ /opt/ -type f | xargs grep -l clean_version 2>/dev/null
/usr/local/lib/perl5/5.32/CPAN/Meta/Converter.pm
/usr/local/google-cloud-sdk/lib/googlecloudsdk/core/util/platforms.py
/usr/local/google-cloud-sdk/lib/googlecloudsdk/core/util/__pycache__/platforms.cpython-39.pyc
/usr/local/google-cloud-sdk/lib/googlecloudsdk/core/__pycache__/transport.cpython-39.pyc
/usr/local/google-cloud-sdk/lib/googlecloudsdk/core/transport.py
^C

[root@myfw ~]# grep -10 clean_version /usr/local/google-cloud-sdk/lib/googlecloudsdk/core/util/platforms.py
      return not self.__lt__(other)

    @property
    def version(self):
      """Returns the operating system version."""
      if self == OperatingSystem.WINDOWS:
        return platform.version()
      return platform.release()

    @property
    def clean_version(self):
      """Returns a cleaned version of the operating system version."""
      version = self.version
      if self == OperatingSystem.WINDOWS:
        capitalized = version.upper()
        if capitalized in ('XP', 'VISTA'):
          return version
        if capitalized.startswith('SERVER'):
          # Allow Server + 4 digits for year.
          return version[:11].replace(' ', '_')


[root@myfw ~]# find /usr/local/google-cloud-sdk/  -type f | xargs grep -l NoneType  2>/dev/null
/usr/local/google-cloud-sdk/.install/.backup/lib/third_party/oauth2client/crypt.py
/usr/local/google-cloud-sdk/.install/.backup/lib/third_party/oauth2client/__pycache__/crypt.cpython-37.pyc
/usr/local/google-cloud-sdk/.install/.backup/lib/third_party/websocket/_core.py
/usr/local/google-cloud-sdk/.install/.backup/lib/third_party/apitools/base/py/encoding_helper.py
/usr/local/google-cloud-sdk/.install/.backup/lib/third_party/apitools/base/py/__pycache__/encoding_helper.cpython-37.pyc
/usr/local/google-cloud-sdk/.install/.backup/platform/bq/third_party/oauth2client_4_0/crypt.py
/usr/local/google-cloud-sdk/.install/.backup/platform/bq/third_party/oauth2client_4_0/__pycache__/crypt.cpython-37.pyc
/usr/local/google-cloud-sdk/.install/.backup/platform/gsutil/gslib/vendored/oauth2client/oauth2client/crypt.py
/usr/local/google-cloud-sdk/.install/.backup/platform/gsutil/gslib/vendored/oauth2client/oauth2client/__pycache__/crypt.cpython-37.pyc
/usr/local/google-cloud-sdk/.install/.backup/platform/gsutil/third_party/apitools/apitools/base/py/encoding_helper.py
/usr/local/google-cloud-sdk/.install/.backup/platform/gsutil/third_party/apitools/apitools/base/py/__pycache__/encoding_helper.cpython-37.pyc
/usr/local/google-cloud-sdk/lib/googlecloudsdk/api_lib/compute/iap_tunnel_lightweight_websocket.py
/usr/local/google-cloud-sdk/lib/third_party/oauth2client/crypt.py
/usr/local/google-cloud-sdk/lib/third_party/oauth2client/__pycache__/crypt.cpython-37.pyc
/usr/local/google-cloud-sdk/lib/third_party/oauth2client/__pycache__/crypt.cpython-38.pyc
/usr/local/google-cloud-sdk/lib/third_party/oauth2client/__pycache__/crypt.cpython-39.pyc
/usr/local/google-cloud-sdk/lib/third_party/apitools/base/py/encoding_helper.py
/usr/local/google-cloud-sdk/lib/third_party/apitools/base/py/__pycache__/encoding_helper.cpython-37.pyc
/usr/local/google-cloud-sdk/lib/third_party/apitools/base/py/__pycache__/encoding_helper.cpython-39.pyc
/usr/local/google-cloud-sdk/lib/third_party/apitools/base/py/__pycache__/encoding_helper.cpython-38.pyc
/usr/local/google-cloud-sdk/lib/third_party/websocket/_core.py
/usr/local/google-cloud-sdk/lib/third_party/jmespath/functions.py
/usr/local/google-cloud-sdk/platform/bq/third_party/oauth2client_4_0/crypt.py
/usr/local/google-cloud-sdk/platform/bq/third_party/oauth2client_4_0/__pycache__/crypt.cpython-37.pyc
/usr/local/google-cloud-sdk/platform/gsutil/gslib/vendored/oauth2client/oauth2client/crypt.py
/usr/local/google-cloud-sdk/platform/gsutil/gslib/vendored/oauth2client/oauth2client/__pycache__/crypt.cpython-37.pyc
/usr/local/google-cloud-sdk/platform/gsutil/third_party/apitools/apitools/base/py/encoding_helper.py
/usr/local/google-cloud-sdk/platform/gsutil/third_party/apitools/apitools/base/py/__pycache__/encoding_helper.cpython-37.pyc
/usr/local/google-cloud-sdk/platform/gsutil_py2/gslib/vendored/oauth2client/oauth2client/crypt.py
/usr/local/google-cloud-sdk/platform/gsutil_py2/third_party/apitools/apitools/base/py/encoding_helper.py


#9
try a tcpdump on the opnsense wan interface to actually see if the scan is incoming, don't you have a modem/router in between which only NATs specific ports?
#10
Quote from: mic on January 12, 2021, 12:44:31 PM
Hi,

we have many Web Servers with e-commerce (Magento, Prestashop, etc...) and some Windows Servers that must be reachable via RDP on a non-standard port (port forward vs 3389) and we want to test OPNsense to use it as our new firewall. The Web Servers have to be reachable via FTP and SSH from well known IPs (for ssh we will use a non-standard port). Of course the most important feature for us is Suricata as IPS/IDS. Naturally we will use ET Pro Telemetry, now the questions are:

  • which are the rules to enable to protect our Servers?
  • And what about false positive?
  • Is it enough to enable Suricata only on the WAN Interface?
We will use OPNsense as VM under Proxmox (KVM), could you give me some advice on how to optimize the OPNSense configuration?
Does Sensei help me?

Thank you to all

A web server should only expose web service (better with a reverse proxy to protect it), really bad idea to allow ssh. And FTP, really?

If you need SSH access you should evaluate using a jump server reachable via VPN
#11
wanted to change some pt.research rule from drop to alert, it's not possible anymore, both from the alert tab and the rules tab itself, the change is not taken
#12
Quote from: badchipmunk on November 14, 2020, 01:56:07 AM
Hi there. I'm seeing a ton of blocked LAN traffic on my FW, where one thing on my LAN is attempting to talk to another thing on my LAN. I cannot for the life of me understand why this is happening.

__timestamp__   Nov 13 17:54:07
ack   386885594
action    [block]
anchorname   
datalen   0
dir    [in]
dst   192.168.1.52
dstport   55240
ecn   
id   31958
interface   em0
interface_name   lan
ipflags   DF
label   Default deny rule
length   40
offset   0
proto   6
protoname   tcp
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
ridentifier   0
rulenr   8
seq   
src   192.168.1.5
srcport   443
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   64
urp   128
version   4

it's maybe an ACK packet for a connection not active anymore in the firewall
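
Added example, not part of the forum posts: one way to check the hypothesis in the reply above is to sort blocked TCP entries by their `tcpflags` field, since a bare SYN is a refused new connection while any other flag set means the firewall had no state for an existing flow. It assumes the "key value" layout of the quoted live-log entry; the category names and the SYN entry are constructed for this example.

```python
# Added example (not from the forum thread): triage pf "block" log entries.
# Field names follow the live-log entry quoted above; category names are
# hypothetical labels chosen for this example.

# Subset of the quoted entry, plus one constructed SYN entry for contrast.
QUOTED_ENTRY = """\
action    [block]
dir    [in]
interface_name   lan
label   Default deny rule
protoname   tcp
src   192.168.1.5
srcport   443
dst   192.168.1.52
dstport   55240
tcpflags   A
"""
CONSTRUCTED_SYN_ENTRY = QUOTED_ENTRY.replace("tcpflags   A", "tcpflags   S")


def parse_entry(text):
    """Turn 'key   value' lines into a dict; empty values become ''."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            fields[parts[0]] = value.strip("[]")
    return fields


def classify(fields):
    """Separate refused new connections from segments with no matching state."""
    if fields.get("action") != "block":
        return "not-blocked"
    if fields.get("protoname") != "tcp":
        return "blocked-non-tcp"
    flags = fields.get("tcpflags", "")
    # A bare SYN opens a connection; anything else (A, FA, PA, R, ...) belongs
    # to an existing flow, so a block means the firewall holds no state for it.
    if "S" in flags and "A" not in flags:
        return "blocked-new-connection"
    return "blocked-out-of-state"


if __name__ == "__main__":
    for entry in (QUOTED_ENTRY, CONSTRUCTED_SYN_ENTRY):
        f = parse_entry(entry)
        print(f["src"], f["srcport"], "->", f["dst"], f["dstport"], classify(f))
```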
#13
I don't know a way to discover new VLANs, but I am far from being an expert in zabbix

To discover new devices I opened the ping from zabbix server to any and configured zabbix like this (see attachment)

#14
20.7 Legacy Series / Re: User created cron job issues
November 02, 2020, 08:28:05 AM
do you see something strange in the last log in /var/log/configd?

what's the content of /home/mts/cron_scripts/getWho.sh?

it could be just an environment issue, maybe in the PATH variable
#15
Quote from: spetrillo on October 27, 2020, 06:03:56 PM
Quote from: siga75 on October 27, 2020, 05:49:07 PM
Quote from: spetrillo on October 27, 2020, 05:41:50 PM
Which network do you have your PI on?
on a network I call "management network" in a dedicated interface of the OPNsense

Ahh so you are using the default LAN interface, and then everything else is vlan on other interfaces? Are you using a switch to connect the LAN interface and the PI or are you directly connecting the PI to the physical interface of your OPNsense device?

Actually my configuration is a bit more complex, I have 2 interfaces in link aggregation and connected to a switch, this link is a trunk of several vlans. Then I have the management LAN untagged and connected to another switch. On this management network I have several things, my NTP servers, monitoring, openvas security scanner, and all management related stuff. But this is not significant, you can call it "default LAN" if you like