Messages

1

General Discussion / Re: 22.1 port forwarding will not open port 25

« on: April 19, 2022, 12:52:40 pm »

Are you on 22.1.6? I upgraded to this a few days ago and I've been unable to get any port-forwards to work since.

It's consistently failing in the firewall being caught by the default deny rule even though there is a matching rule in the firewall for the port-forward.

2

22.1 Legacy Series / Re: NAT port forward rules being caught by default deny

« on: April 18, 2022, 07:58:57 pm »

I tried any previously. I just tried "this firewall" and unfortunately I get the same response.

I think this is some sort of recent regression or change in behaviour. Possibly with 22.1.6 which I only upgraded to the other day. I set up port forward rule two weeks ago and it was fine.

3

22.1 Legacy Series / NAT port forward rules being caught by default deny

« on: April 18, 2022, 02:19:45 pm »

(Version 22.1.6)

Having spent several hours I'm unable to get a simple NAT port forward rule working. It's always caught by the default deny rule.

It's a really simple NAT rule from WAN:5051 -> MY_INTERNAL_IP:5051 TCP. See attached.

I have the associated rule created and if I look at the firewall rules then I can see that the rule is there.

When I attempt to connect then looking at the live view I can see that it's being consistently caught by the default deny rule as shown below:

__timestamp__   2022-04-18T12:59:52
ack   
action    [block]
anchorname   
datalen   0
dir    [in]
dst   x.x.x.x
dstport   5051
ecn   
id   30452
interface   pppoe1
interface_name   WAN
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   52
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   9
seq   2845703226
src   y.y.y.y
srcport   51702
subrulenr   
tcpflags   S
tcpopts   
tos   0x0
ttl   121
urp   64240

I've had port forwards working previously without any issues. I've tried all the usual things such as rebooting; deleting the NAT rule and recreating; using different ports; changing NAT reflection, but the problem persists. Does anybody have any idea what might be wrong and how to fix this?

Many thanks

4

22.1 Legacy Series / opnsense persistently nails a CPU core at 100%

« on: February 26, 2022, 12:34:35 pm »

I can restart and it and the CPU hog seems to go away for a while but it soon comes back and runs like this 24/7. Let's take a look with top:

Code: [Select]

root@bosk:~ # top

last pid:  1685;  load averages:  1.74,  1.54,  1.34                                                                     up 5+21:38:23  11:13:46
60 processes:  3 running, 57 sleeping
CPU: 29.7% user,  0.0% nice,  1.7% system,  0.3% interrupt, 68.3% idle
Mem: 388M Active, 5572M Inact, 202M Laundry, 1416M Wired, 735M Buf, 312M Free
Swap: 8192M Total, 8192M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
51222 root          1 103    0    37M    26M CPU3     3 141.5H  99.72% python3.8
86842 root          7  20    0  3076M  1166M nanslp   2 662:06   6.80% suricata
49827 root          1  20    0    61M    36M select   1   0:01   1.21% php-cgi
  426 root          2  52    0   105M    59M accept   3   0:27   0.53% python3.8
61091 root          1  20    0    61M    37M accept   2   0:03   0.12% php-cgi
35054 root          1  20    0    14M  4052K CPU0     0   0:00   0.07% top
88400 root          4  20    0    43M    12M kqread   1  30:55   0.06% syslog-ng
// SNIP
So that's PID 51222:

Code: [Select]

root@bosk:~ # ps 51222
  PID TT  STAT       TIME COMMAND
51222  -  Rs   8487:33.77 /usr/local/bin/python3 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py (python3.8)
root@bosk:~ #
So searching around I'm not the first to report such a thing so this looks like a longstanding problem. I'm not seeing any plausible solutions to the problem though.

If I had strace available I'd take a look to see what the process was doing.

Any thoughts? I'm sure if I disable netflow the problem will go away but that does remove rather an important feature of opnsense.

5

General Discussion / Re: Problems with DNS resolution of certain domains

« on: February 01, 2021, 02:43:19 pm »

In the ubound->blacklist disable the blacklisting of "windowspyblocker (extra)"

6

General Discussion / Problems with DNS resolution of certain domains

« on: September 11, 2020, 06:17:08 pm »

I recently switched to opnsense (fantastic decision). I'm using unbound DNS as a local DNS server. In general it all works perfectly but I noticed that certain domains failed to resolve. In particular login.microsoftonline.com (which I need for my work) wouldn't resolve from an Android client - although it would resolve fine from a Linux machine on the same network - curious.

The android client was fine if I switched it to use 1.1.1.1 as the DNS server.

I didn't make much progress with the problem until I saw this eloquent article that describes the exact problem I'm seeing:

https://techcommunity.microsoft.com/t5/office-365/dns-resolution-issues-when-attempting-to-connect-to-login/m-p/146379

I couldn't find any control over TCP DNS requests in opnsense except for the number of incoming/outgoing TCP packets (I had the defaults of 10). On a whim I increased to 20 of each. Making this change seems to have fixed the issue. This seems very surprising. I wondered if perhaps there was a bug in the GUI such that 10 was in fact setting 0 which I believe would disable TCP DNS requests.

Thoughts?

Rob