Messages - r0ckky

#1
oh, and the DHCP and interface subnet is /24

i had it set as a test to /16 thinking that it might need to open the scope a bit to allow traffic to go through, but all this allowed for was instead of getting a DHCP lease from 172.16.1 range, i was getting it from 172.16.3 or 172.16.2 ranges... but as i was still physically connected to the igb1 interface, traffic wasn't passing still.

So all interfaces are /24 with DHCP running from range .10 to .50 only ( basically mirroring each other and directing DNS to unboundDNS on port 53 locally ).
#2
traceroute:

# /usr/sbin/traceroute -w 2 -I  -m '5' -s '172.16.1.1'   '172.16.3.10'
traceroute to 172.16.3.10 (172.16.3.10) from 172.16.1.1, 5 hops max, 48 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *

# /usr/sbin/traceroute -w 2 -I  -m '5' -s '172.16.3.1'   '172.16.3.10'
traceroute to 172.16.3.10 (172.16.3.10) from 172.16.3.1, 5 hops max, 48 byte packets
1  NAS-RAID.172-16-3 (172.16.3.10)  0.375 ms  0.199 ms  0.234 ms

#3
I tried port probing 172.16.3.10 from the 172.16.3.1 network

# /usr/bin/nc -v -w 10 -4 -s '172.16.3.1'  '172.16.3.10' '8080'
Connection to 172.16.3.10 8080 port [tcp/http-alt] succeeded!

i try the same but use the 172.16.1.1 network

# /usr/bin/nc -v -w 10 -4 -s '172.16.1.1'  '172.16.3.10' '8080'
nc: connect to 172.16.3.10 port 8080 (tcp) failed: Operation timed out
#4
yes.. both private and bogon are unticked for both interfaces

i just configured unboundDNS and it's running internally... so i queried it and got this

C:\>ping -a 172.16.3.10
Pinging NAS-RAID.172-16-3 [172.16.3.10] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.3.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

So the firewall knows of this device, matched the IP to the DNS record and resolved the IP to the right host name, even got the right domain for the right interface too !
#5
as an additional;

I can ping from 172.16.1.10 ( PC ) to 172.16.3.1 ( gateway for igb3 lan ) but when i ping 172.16.3.10 the packets do not go anywhere yet live view of the logs shows they are being passed.
#6
Hello all,

I have a problem with a newly setup OPNsense 22.1.8_1-amd64 firewall running on a picopc box.

I have 4 interfaces , igb0 thru igb3.

igb0 is my ISP WAN DHCP address from ISP
igb1 is 172.16.1.0/24 ( internal )
igb2 is 172.16.2.0/24 ( Secondary LAN )
igb3 is 172.16.3.0/24 ( NAS network )

my PC is connected directly to igb1 and DHCP service gives it an IP of 172.16.1.10
my NAS is connected to igb3 and DHCP gives it an IP of 172.16.3.10

I have a group assignment called ALL_LANS and have set a rule to allow all traffic from all LANS to talk to each other
I have further rules set directly as part of testing to allow traffic from my PC via an alias of my PC MAC address to the NAS box MAC address.


****I cannot connect to the NAS box on port 8080 from my PC ****

To test, I connect the NAS box to the same LAN as the PC ( it gets a DHCP address of 172.16.1.11 ) I can access it.
So I know it's listening and allowing connections

Now, connecting the NAS back to igb3 so it gets its original 172.16.3.10 I then try diagnostics and ping 172.16.3.10 from the 172.16.3_net interface and I get a response

I ping from diagnostics and ping 172.16.1.10 from the 172.16.1_net interface and I get a response.


But when I try ping from 172.16.1.10 to 172.16.3.10 nothing... I see the ping traffic in the live view of the logs, but I get no response to packets. The logs are telling me traffic is passing, but there's no response.

I'm confused as to why this doesn't work and hoping someone can point me in the right direction. I'm not a network person but I know enough to make this work and I previously had it running on ver 20.1 and upgraded today.

Thanks

Rokky
#7
i really hoped it would be, but it has problems finding the correct gem on the rubygems site..

i'll pull the ruby stuff from your GitHub and try pushing it in manually

i've been creating my own conf for the OPNsense but i'd like to give yours a go as it looks much cleaner...

do you know if your filter is going to be ok with OPNsense 20.7?
#8
you sir are a fricken legend!!!!!!!!! ;D
#9
hello all,

Friday question here :)

i am exporting the logs into logstash and i need some help deciphering the log structure

for example:

<134>Nov 20 15:35:55 OPNsense.localdomain filterlog: 14,,,0,igb0,match,block,in,4,0x0,,119,17591,0,DF,6,tcp,52,<redacted IP >,<redacted IP >,63652,7680,0,S,3174183196,,64240,,mss;nop;wscale;nop;nop;sackOK

i'm ok right up to this point

,0,S,3174183196,,64240,,mss;nop;wscale;nop;nop;sackOK

is there some sort of guide or technical OPNsense doc that details what each of these fields represents?
what the numbers represent and what mss, nop etc. mean in regards to the firewall log output?


i tried the logstash-filter-opnsensefilter (https://github.com/fabianfrz/opnsense-logstash-config) but it doesn't install cleanly on the latest logstash version, and whilst i don't have any errors on the logstash conf files, it refuses to utilise the logstash plugin which might be that it's now out of date.

i built a logstash grok for a specific log event
%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:syslog_program} %{NUMBER:rulenr},,,%{WORD:rid},%{WORD:interface},%{WORD:reason},%{WORD:action},%{WORD:dir},%{WORD:version},%{WORD:tos},,%{NUMBER:ttl},%{NUMBER:id},%{NUMBER:offset},%{WORD:ipflags},%{NUMBER:protonumber},%{WORD:protocol},%{NUMBER:length},%{IP:src_ip},%{IP:dst_ip},%{WORD}=%{NUMBER:datalen}

this works against :  <134>Nov 20 18:11:24 OPNsense.localdomain filterlog: 82,,,0,igb2,match,pass,out,4,0x0,,63,6038,0,DF,1,icmp,36,<redacted IP >,<redacted IP >,datalength=16

which is a simple icmp event.. separates into nice separate fields, no parse failures... wonderful... but i have all sorts of data types flowing through the firewall so i'm wondering if anyone else is having or had similar issues and how you got around it.

Many thanks

R
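As an added example (not code from the post, nor from the linked logstash project), a small Python parser for the IPv4 filterlog layout that names the trailing TCP fields the post was unsure about. The common header and the per-protocol tail follow the filterlog CSV field order; the sample lines are constructed from the post's two examples, with the redacted addresses replaced by made-up documentation addresses.

```python
import re

# Constructed samples: the post's lines with the redacted IPs replaced by
# hypothetical RFC 5737 / private addresses.
SAMPLE_TCP = ("<134>Nov 20 15:35:55 OPNsense.localdomain filterlog: "
              "14,,,0,igb0,match,block,in,4,0x0,,119,17591,0,DF,6,tcp,52,"
              "203.0.113.7,198.51.100.2,63652,7680,0,S,3174183196,,64240,,"
              "mss;nop;wscale;nop;nop;sackOK")
SAMPLE_ICMP = ("<134>Nov 20 18:11:24 OPNsense.localdomain filterlog: "
               "82,,,0,igb2,match,pass,out,4,0x0,,63,6038,0,DF,1,icmp,36,"
               "172.16.2.1,172.16.2.10,datalength=16")

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) filterlog: (?P<body>.*)$")

# IPv4 header: 20 comma-separated fields before the protocol-specific tail.
IPV4_HEADER = ["rulenr", "subrulenr", "anchor", "rid", "interface", "reason",
               "action", "dir", "ipversion", "tos", "ecn", "ttl", "id",
               "offset", "ipflags", "protonum", "protocol", "length",
               "src_ip", "dst_ip"]
# TCP tail: ports, payload length, pf flag letters, sequence/ack numbers,
# advertised window, urgent pointer, and the TCP options seen in the segment
# (mss = max segment size, nop = padding, wscale = window scale,
# sackOK = selective ACK permitted).
TCP_TAIL = ["src_port", "dst_port", "datalen", "tcp_flags", "seq", "ack",
            "window", "urg", "tcp_options"]
UDP_TAIL = ["src_port", "dst_port", "datalen"]
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
              "P": "PSH", "U": "URG", "E": "ECE", "W": "CWR"}


def parse_filterlog(line):
    """Return a dict of named fields for one IPv4 filterlog syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a filterlog syslog line")
    entry = {"syslog_pri": int(m["pri"]), "timestamp": m["timestamp"],
             "host": m["host"]}
    parts = m["body"].split(",")
    if len(parts) < len(IPV4_HEADER) or parts[8] != "4":
        raise ValueError("only the IPv4 layout is handled here")
    entry.update(zip(IPV4_HEADER, parts[:len(IPV4_HEADER)]))
    tail = parts[len(IPV4_HEADER):]
    proto = entry["protocol"]
    if proto == "tcp":
        if len(tail) < len(TCP_TAIL):
            raise ValueError("truncated TCP tail")
        entry.update(zip(TCP_TAIL, tail))
        entry["tcp_flag_names"] = [FLAG_NAMES.get(c, c) for c in entry["tcp_flags"]]
        entry["tcp_options"] = [o for o in entry["tcp_options"].split(";") if o]
    elif proto == "udp":
        entry.update(zip(UDP_TAIL, tail))
    else:
        # ICMP and others: filterlog prints key=value items (e.g. datalength=16);
        # anything without '=' is kept verbatim under "extra".
        for item in tail:
            key, sep, value = item.partition("=")
            if sep:
                entry[key] = value
            else:
                entry.setdefault("extra", []).append(item)
    return entry
```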
#10
I have a nano pc box with 4 interfaces. I have installed OPNsense ( OPNsense 20.1.4-amd64 FreeBSD 11.2-RELEASE-p18-HBSD OpenSSL 1.1.1f 31 Mar 2020 ), allowed it to set up the auto rules and chosen the interfaces to be used for specific purposes, but i have configured the interfaces currently as below to illustrate my confusion in this.

My tests have confirmed that when i connect WAN to my internet router, it gets a DHCP lease ok, and i can access internet from any of the three interfaces. so that part works.

My issues that i've been wrestling with for the past few days are:

1. i can't control if a device connects to interface 172_16_1_x it gets a 172.16.3.x address.. i can't figure out how to stop this
2. i cannot ping or access a device when i connect laptop to interface 172.16.1.x and ping 172.16.3.11 from 172.16.1.10 ( although testing on the firewall diags allows me to ping the ip from the 172.16.1.x interface. i've tried other combinations of interfaces and all exhibit the same condition ) i've tried setting the relevant interfaces to /24 /16 /8 and adjusting the dhcp scopes to match to allow for subnet access between the interfaces, but it doesn't work.
3. i cannot find a description of the difference between _net and _address as a suffix in my interface fw rules dropdowns. Address is singular addresses.. like 172.16.3.11 and net is 172.16.3.0/24 ?
4. by default, wan does not allow incoming traffic which is good, are there or is there a list of current accepted best practice rules that i can insert into a backup i can then use to restore to cut out a lot of clicking and selecting and applying ? seems a bit of a long route around to create a rule for each and every port and service type if it's out there already and can be spliced in somehow.
5. my current wifi router is an asus ea6500 and its current dhcp scope is 10.1.1.0/24 and when i change this to 172.16.4.0/25 i get massive problems in terms of access and the router resets itself to a random 10.x.x.x range upon reboot... this i find odd behaviour as when i disconnect the opnsense from the router, it allows the 172.16.4.0/24 range to persist.... which leads me to think my config in the opnsense is somehow interfering with the setup/boot process of the wifi router. i'll see about getting Wireshark onto one of the wifi router interfaces and seeing what is actually going on here. any experiences with similar here ?


4 interfaces

172_16_1_x
172_16_2_x
172_16_3_x
WAN


172_16_1_x
DHCP enabled
GW 172.16.1.1
DHCP range 172.16.1.10 - 172.16.1.245
DHCP subnet mask 255.255.255.0


172_16_2_x
DHCP enabled
GW 172.16.2.1
DHCP range 172.16.2.10 - 172.16.2.245
DHCP subnet mask 255.255.255.0

172_16_3_x
DHCP enabled
GW 172.16.3.1
DHCP range 172.16.3.10 - 172.16.3.245
DHCP subnet mask 255.255.255.0


PFtop


pfTop: Up Rule 1-87/87, View: rules
RULE  ACTION   DIR LOG Q IF     PR        K     PKTS    BYTES   STATES   MAX INFO                                       
   0  Block    In  Log   !igb1                     0        0        *       drop inet from 172.16.0.0/16 to any       
   1  Block    In  Log   !igb2                     0        0        *       drop inet from 172.16.0.0/16 to any       
   2  Block    In  Log   !igb3                     0        0        *       drop inet from 172.16.0.0/16 to any       
   3  Block    In  Log                             0        0        *       drop inet from 172.16.1.1/32 to any       
   4  Block    In  Log                             0        0        *       drop inet from 172.16.2.1/32 to any       
   5  Block    In  Log                             0        0        *       drop inet from 172.16.3.1/32 to any       
   6  Block    In  Log   igb1                      0        0        *       drop inet6 from fe80::290:27ff:fee4:7621/128 to any                               
   7  Block    In  Log   igb2                      0        0        *       drop inet6 from fe80::290:27ff:fee4:7622/128 to any                               
   8  Block    In  Log   igb3                      0        0        *       drop inet6 from fe80::290:27ff:fee4:7623/128 to any                               
   9  Block    In  Log   igb0                      0        0        *       drop inet6 from fe80::c256:27ff:febe:cd5d/128 to any                               
  10  Pass     In  Log Q lo0              K        0        0        *       inet6 all  flags S/SA                     
  11  Block    In  Log Q                           0        0        *       drop inet6 all                             
  12  Block    In  Log                             0        0        *       drop inet all                             
  13  Block    In  Log                             0        0        *       drop inet6 all                             
  14  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 all                                 
  15  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 all                                 
  16  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 all                                 
  17  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 all                                 
  18  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to fe80::/10             
  19  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to ff02::/16             
  20  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to fe80::/10             
  21  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to ff02::/16             
  22  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to fe80::/10             
  23  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to ff02::/16             
  24  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to fe80::/10             
  25  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to ff02::/16             
  26  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to fe80::/10             
  27  Pass     Out Log Q        ipv6-icmp K        0        0        *       inet6 from (self) to ff02::/16             
  28  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to fe80::/10         
  29  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to ff02::/16         
  30  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to fe80::/10         
  31  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to ff02::/16         
  32  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to fe80::/10         
  33  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to ff02::/16         
  34  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to fe80::/10         
  35  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to ff02::/16         
  36  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to fe80::/10         
  37  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from fe80::/10 to ff02::/16         
  38  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from ff02::/16 to fe80::/10         
  39  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from ff02::/16 to fe80::/10         
  40  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from ff02::/16 to fe80::/10         
  41  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from ff02::/16 to fe80::/10         
  42  Pass     In  Log Q        ipv6-icmp K        0        0        *       inet6 from ff02::/16 to fe80::/10         
  43  Block    In  Log Q        tcp                0        0        *       drop inet from any port = 0 to any         
  44  Block    In  Log Q        udp                0        0        *       drop inet from any port = 0 to any         
  45  Block    In  Log Q        tcp                0        0        *       drop inet6 from any port = 0 to any       
  46  Block    In  Log Q        udp                0        0        *       drop inet6 from any port = 0 to any       
  47  Block    In  Log Q        tcp                0        0        *       drop inet from any to any port = 0         
  48  Block    In  Log Q        udp                0        0        *       drop inet from any to any port = 0         
  49  Block    In  Log Q        tcp                0        0        *       drop inet6 from any to any port = 0       
  50  Block    In  Log Q        udp                0        0        *       drop inet6 from any to any port = 0       
  51  Block    In  Log Q        carp               0        0        *       drop from (self) to any                   
  52  Pass     Any Log Q        carp      K        0        0        *       all
  53  Block    In  Log Q        tcp                0        0        *       drop from  to (self) port = ssh
  54  Block    In  Log Q        tcp                0        0        *       drop from  to (self) port = https                         
  55  Block    In  Log Q                           0        0        *       drop from  to any               
  56  Block    In  Log Q igb0                      0        0        *       drop inet from  to any             
  57  Block    In  Log Q igb0                      0        0        *       drop inet from 10.0.0.0/8 to any           
  58  Block    In  Log Q igb0                      0        0        *       drop inet from 127.0.0.0/8 to any         
  59  Block    In  Log Q igb0                      0        0        *       drop inet from 100.64.0.0/10 to any       
  60  Block    In  Log Q igb0                      0        0        *       drop inet from 172.16.0.0/12 to any       
  61  Block    In  Log Q igb0                      0        0        *       drop inet from 192.168.0.0/16 to any       
  62  Block    In  Log Q igb0                      0        0        *       drop inet6 from fc00::/7 to any           
  63  Pass     In  Log Q igb1   udp       K        0        0        *       inet from any port = bootpc to 255.255.255.255/32 port = bootps                   
  64  Pass     In  Log Q igb1   udp       K        0        0        *       from any port = bootpc to (self) port = bootps                                     
  65  Pass     Out Log Q igb1   udp       K        0        0        *       from (self) port = bootps to any port = bootpc                                     
  66  Pass     In  Log Q igb2   udp       K        0        0        *       inet from any port = bootpc to 255.255.255.255/32 port = bootps                   
  67  Pass     In  Log Q igb2   udp       K        0        0        *       from any port = bootpc to (self) port = bootps                                     
  68  Pass     Out Log Q igb2   udp       K        0        0        *       from (self) port = bootps to any port = bootpc                                     
  69  Pass     In  Log Q igb3   udp       K        0        0        *       inet from any port = bootpc to 255.255.255.255/32 port = bootps                   
  70  Pass     In  Log Q igb3   udp       K        0        0        *       from any port = bootpc to (self) port = bootps                                     
  71  Pass     Out Log Q igb3   udp       K        0        0        *       from (self) port = bootps to any port = bootpc                                     
  72  Pass     In  Log   igb0   udp       K        0        0        *       from any port = bootps to any port = bootpc
  73  Pass     Out Log   igb0   udp       K        0        0        *       from any port = bootpc to any port = bootps
  74  Pass     In  Log Q lo0              K      648    59368        *       all  flags S/SA                           
  75  Pass     Out Log                    K      648    59368        *       all  flags S/SA allow-opts                 
  76  Pass     In  Log Q igb1   tcp       K        0        0        *       from any to (self) port = http  flags S/SA
  77  Pass     In  Log Q igb1   tcp       K     1638  1578982        *       from any to (self) port = https  flags S/SA
  78  Pass     Any Log Q igb1             K        6      468        *       inet from (igb1) to (igb1)  flags S/SA     
  79  Pass     Any Log Q igb2             K        0        0        *       inet from (igb2) to (igb2)  flags S/SA     
  80  Pass     Any Log Q igb3             K      107     8351        *       inet from (igb3) to (igb3)  flags S/SA     
  81  Block    In      Q igb0                      0        0        *       drop inet all                             
  82  Block    In      Q igb0                      0        0        *       drop inet6 all                             
  83  Pass     In      Q igb1             K        0        0        *       inet from (igb1) to any  flags S/SA       
  84  Pass     In      Q igb1             K        0        0        *       inet6 from (igb1) to any  flags S/SA       
  85  Pass     Out     Q igb3             K        0        0        *       inet from (igb1) to (igb3)  flags S/SA     
  86  Pass     In      Q igb3             K        0        0        *       inet from (igb1) to (igb3)  flags S/SA