Messages - paul_a2

#1
Quote from: doktornotor on August 05, 2024, 09:14:39 PM
Dunno, but monit does it by default when CPU usage is >75%. Perhaps adjust that.

Thx - like you said, not exactly, but I could see load averages again from the UI (monit->status) when I enabled CPU monitoring. Guessing my CPU runs out of power from time to time, zenarmor :/
#2
Running zenarmor etc., and in the previous UI I could see the CPU spiking quite high (100%) in the UI, but that might have been due to loading the OPNsense UI.

Any tips on how to capture if the CPU spikes at 100% / any of the cores spikes at 100%? Do I need to build some script and capture averages, or could I install the Telegraf plugin and export CPU data that way?
#3
Quote from: allebone on November 24, 2023, 09:58:27 PM
I would like to use zenarmor with a wireguard interface but I believe this can only be done with the GO implementation. However GO has not been updated since 1.3 and kernel wireguard is now on 2.5. Is the only method to get this working to use this old version of the package that is no longer maintained?

I just checked: I have Zenarmor active (on the LAN interface, not WAN) and use kernel WireGuard. Zenarmor is working and blocking some ads etc.
#4
Hi,

Thank you for the answer. I need to consider then whether I want to keep data for a longer time and perhaps fix Elastic.
#5
Zenarmor (Sensei) / Re: Host Names in Reports
November 04, 2022, 05:29:26 PM
For me the hostname in reports works so that if I move the mouse over the hostname, those that have a hostname in OPNsense will switch to the hostname.

Aka if I open a report with 10 rows I need to go to the source IP column and move the mouse pointer over all rows, and they will "switch" to the hostname if it exists in OPNsense.
#6
Hi,

I actually have 2 questions.

1. I have a "regular" home network with home devices and an IoT VLAN with a few more - in total maybe 50 devices. Any reason why the SQLite db would not be sufficient and I should go for Mongo or Elastic? There is not much info about SQLite, just the press release saying it is good for 100 devices. Maybe the correct wording for the question is: for a home network, is there any reason to use anything except SQLite if you have a decently powerful OPNsense box?

2. I tried Sensei like a year ago, but uninstalled it at that time. Decided to try it again, and I have added the community repo (mimugmail) for AdGuard and Unifi some time ago. At install Zenarmor detects the community repo, and suggests SQLite or "remote elastic". I logged on to OPNsense and found Elasticsearch installed. Afaik neither AdGuard nor Unifi uses Elastic, could it be that it is left over from the old installation? Unifi uses Mongo though.
#7
Hi,

I have a really strange issue that took me a long time to figure out - but I don't know how to troubleshoot it well enough for a bug report. I run the latest OPNsense version (21.7.3_1) and tunnel my traffic out through a WireGuard tunnel. Sometimes, to get Netflix etc. working, I add an IP to an exclusion alias (ips_exclude_vpn) that has its own rule.

This works fine, but I added a Chromecast Ultra with a fixed IP yesterday. The Chromecast did not get proper internet access, and I spent 4-6h troubleshooting it. In the end I added the Chromecast IP to the exclusion alias list, and it started working.

The strange thing is that I did not activate the exclusion rule on the firewall - I only added the CCU IP (192.168.1.161) to the exclusion alias list and forced a FW rule reload, and it started to work. I can repeat this: if I remove the IP from the exclusion alias the CCU loses internet access, but if it is on the list it has internet access. So far what I have not tried is to have the CCU on the exclusion list and activate the exclusion rule (aka I don't know if it actually would avoid the WG tunnel).

But as such I find it very strange that the CCU needs to be on an alias list to be able to get internet access to work with a rule that is not active; that should not be the case?

Edit: added attachments. If I remove the 2nd IP from the alias, as said, my Chromecast loses internet connectivity fully although I do not touch bypass_rule.
#8
Quote from: randomwalk on March 06, 2021, 10:25:31 PM

Ok, I think I solved it by adding this custom option in unbound settings:

edns-buffer-size: 4096

Notice that the EDNS UDP size is 4096, whereas in my previous posts, this size was 1232.

Thank you for this: I started seeing the same behaviour after the upgrade to 21.1.2 (or whatever the latest version is) - and the weird thing is it was only a few selected subdomains that failed to resolve. But I added this as an optional command in the unbound settings, restarted unbound and now all works.

Weird issue: I could also run nslookup in the terminal and the domains that failed to resolve did resolve - however the browser (and apps on the phone) did not resolve them. Rebooted everything etc. before trying this fix.
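To make the `edns-buffer-size` knob from the quoted fix concrete: unbound advertises that value in the OPT pseudo-record of the queries it sends upstream, and a server whose answer does not fit the advertised size replies with the TC bit set, which a client must follow up over TCP. The following Python is an added example, not code from this thread or from unbound; it builds such a query, parses a constructed (not captured) truncated reply, and reports the advertised size and the TC flag. Names like `build_query` and `needs_tcp_retry` are this example's own.

```python
import struct

# Constructed example (not from the forum thread): what an "edns-buffer-size"
# setting changes on the wire, and how a client recognises a truncated UDP
# answer that it has to retry over TCP.

OPT_TYPE = 41          # EDNS(0) pseudo-RR type (RFC 6891)
FLAG_QR = 0x8000       # message is a response
FLAG_TC = 0x0200       # answer was truncated to fit the UDP size
FLAG_RD = 0x0100       # recursion desired
FLAG_RA = 0x0080       # recursion available


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name: str, qtype: int = 1, edns_udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Build a recursive query carrying an OPT record that advertises edns_udp_size."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, the CLASS field carries the UDP payload size,
    # the TTL field carries extended RCODE/version/flags (all zero), no RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt


def build_truncated_response(query: bytes, server_udp_size: int = 1232) -> bytes:
    """Constructed server reply: same ID and question, TC set, no answers, server's own OPT size."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = _skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, server_udp_size, 0, 0)
    return header + query[12:qend] + opt


def parse_message(data: bytes) -> dict:
    """Extract header flags and the advertised EDNS UDP size from a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4           # skip QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            edns_size = rclass                    # CLASS of OPT = sender's UDP payload size
        off += rdlen
    return {
        "id": txid,
        "response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "edns_udp_size": edns_size,
    }


def needs_tcp_retry(response: bytes) -> bool:
    """A client must retry over TCP when the UDP answer arrived with TC set."""
    return parse_message(response)["truncated"]


if __name__ == "__main__":
    q = build_query("example.com.", edns_udp_size=4096)
    print("query advertises", parse_message(q)["edns_udp_size"], "byte UDP answers")
    r = build_truncated_response(q, server_udp_size=1232)
    print("server answer truncated:", needs_tcp_retry(r))
```

The caveat when raising the value: 1232 is the size chosen to keep answers below the path MTU so they never need IP fragmentation, and a larger advertised size can make large answers disappear silently on paths that drop fragments, which looks exactly like "only some names fail to resolve". Checking a failing name with a capture for TC-flagged replies or fragmented UDP, and confirming TCP port 53 is reachable upstream, tells you which side of that trade-off you are on.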
#9
20.7 Legacy Series / Re: Opnsense 20.7.3 and PIA VPN
October 10, 2020, 08:00:00 PM
Not sure what the one rule to port 500 does, but yes, it looks correct (I have set it the other way around; specific IPs go to WAN, others to VPN). I would maybe set specific LAN to go to WAN_DHCP, not to * - but I just like to keep things tidy.

Try checking "Skip rules when gateway is down" under Firewall->Settings->Advanced and "Gateway monitoring". If you read it, it behaves like an anti-kill switch, and I noticed many times that devices established routes over the WAN GW before the VPN GW came up -> they stayed on that until I did a manual firewall reset.

After that, try putting your laptop into the PIA_VPN_Traffic list; do you get an IP from DHCP, and if you do, can you do a DNS lookup? If you can, then doesn't ipleak.net show the correct, aka PIA, IP?
#10
20.7 Legacy Series / Re: Multi-WAN Gateway Group help
October 08, 2020, 07:49:06 PM
https://docs.opnsense.org/manual/how-tos/multiwan.html

You need to manually create the second gateway and allow monitoring for both (by configuring them correctly). Then group them and remember to create a FW rule for DNS (step 5) after setting the priority for the group.
#11
Firewall -> Advanced - scroll to the end to find "Dynamic state reset". Maybe checking that will help?
#12
20.7 Legacy Series / Re: Opnsense 20.7.3 and PIA VPN
October 08, 2020, 07:40:57 PM
So if I understood correctly, PIA_VPN_Traffic is the IP addresses that should go to the VPN, and the rest should go over WAN. On a high level it should be like this:

WAN outbound:
Interface: PIA_OPVN_VPNV4, Source PIA_VPN_Traffic - allow everything from IPs to go over VPN
Interface: WAN, Source: Any (or LAN) - Allow everything else to go to WAN

LAN rules:
Protocol IPv4 (both tcp/udp), Source: PIA_VPN_Traffic, Gateway: PIA_OPNVPN_VPNV4
Protocol IPv4 (both tcp/udp), Source: LAN, Gateway: WAN_DHCP

The first rule routes traffic from the PIA_VPN_Traffic IPs over the PIA VPN GW. The second rule routes the rest from LAN to the WAN_DHCP GW. Note that here the rule order matters; it takes the first rule first and matches, then the next, etc.
#13
Hi,

I have set up a separate VLAN for a workstation that runs over the same physical port as my regular LAN (LAN untagged, VLAN 10) and everything works fine except that VoIP services cut out randomly for random periods: usually it is once or twice per 30 minutes, around a 5-10 second break. In Firewall settings -> Advanced I enabled "Reset all states when a dynamic IP address changes.", which made the breaks shorter. To me it looks like some buffer/rule space or similar would run out and be reset, but I have not been able to find anything in any logs.

I have an OpenVPN client enabled on the FW, but I don't think that affects it - since after moving workstations to the LAN (no VLAN tagging) it works fine. I also moved my mobile to the network with VLAN tagging, and started experiencing cutouts on VoIP there as well. IPS etc. is disabled, Intel I210 NICs, but all default accelerations are enabled.

Any tips on what to examine / set up to capture the issue? I downgraded to the 20.1 version and had the same issues on that too, so it's not related to the new version of HardenedBSD.