Messages - curto

#1
21.1 Legacy Series / Fail2ban rules creation ?
March 10, 2021, 12:38:09 AM
Hey Guys,

We have a number of OpnSense boxes out on the Internet now and behind those - mail servers and web servers/services.

We see a lot of activity with ANY exposed services on these systems with hackers trying to brute force their way in.

We have implemented fail2ban etc on some of these systems, but it would seem to me to be a more logical/powerful solution if OpnSense was able to be integrated to these systems in some fashion

e.g. when the threshold limit was reached on a machine with an exposed service, fail2ban would notify OpnSense and OpnSense would automatically create a rule blocking that source IP from ALL systems behind OpnSense.

Has anyone looked at this ?

Craig
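One way to do what the post asks for, as an added example (not code from the post, from fail2ban, or from the OPNsense project): a small fail2ban action helper that pushes each banned source IP into an OPNsense firewall alias over the OPNsense API and removes it again on unban, so a single WAN block rule that references the alias drops that source for every host behind the firewall. Everything here is an assumption rather than something the post states: the alias name "f2b_block", the environment variable names, the API key/secret pair (created under System > Access > Users) used as HTTP Basic credentials, and the alias_util endpoints `/api/firewall/alias_util/add/<alias>` and `/api/firewall/alias_util/delete/<alias>` taking a JSON body `{"address": "<ip>"}`. Check those endpoints against the API docs for your OPNsense version before relying on them.

```python
"""
fail2ban -> OPNsense alias push. Added example, not from the forum post.

Assumed setup (none of it is in the post):
  * a host-type alias "f2b_block" exists on OPNsense and is the source of a
    WAN block rule placed above the allow / port-forward rules;
  * an API key/secret pair from System > Access > Users;
  * endpoints /api/firewall/alias_util/add/<alias> and
    /api/firewall/alias_util/delete/<alias>, JSON body {"address": "<ip>"},
    HTTP Basic auth with key:secret (verify against your version's API docs).

fail2ban side, e.g. /etc/fail2ban/action.d/opnsense.conf (assumed path):

    [Definition]
    actionban   = /usr/local/bin/opnsense_ban.py ban <ip>
    actionunban = /usr/local/bin/opnsense_ban.py unban <ip>

and `action = opnsense` in the jail.
"""
import base64
import ipaddress
import json
import os
import sys
import urllib.request

# Ranges that are never pushed to the firewall: a mis-tuned jail on an internal
# box would otherwise lock the whole LAN (or the admin) out of everything.
_NEVER_BAN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def build_request(base_url, alias, action, ip):
    """Return (url, json_body) for a ban or unban; raise ValueError otherwise."""
    if action not in ("ban", "unban"):
        raise ValueError(f"unknown action {action!r}")
    addr = ipaddress.ip_address(ip)          # rejects anything that is not an IP
    if any(addr in net for net in _NEVER_BAN):
        raise ValueError(f"refusing to ban non-routable address {ip}")
    endpoint = "add" if action == "ban" else "delete"
    url = f"{base_url.rstrip('/')}/api/firewall/alias_util/{endpoint}/{alias}"
    return url, {"address": str(addr)}


def auth_headers(key, secret):
    """OPNsense API auth: HTTP Basic with the API key as user and the secret as password."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def push(base_url, key, secret, alias, action, ip, opener=urllib.request.urlopen):
    """Build and send the API call; `opener` is injectable so it can be exercised offline."""
    url, body = build_request(base_url, alias, action, ip)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=auth_headers(key, secret), method="POST"
    )
    with opener(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Credentials come from the fail2ban service's environment (assumed variable
    # names), not argv, so the secret does not appear in `ps` when the action runs.
    if len(sys.argv) != 3:
        sys.exit("usage: opnsense_ban.py ban|unban <ip>")
    try:
        result = push(
            os.environ["OPNSENSE_URL"],      # e.g. https://fw.example.com
            os.environ["OPNSENSE_KEY"],
            os.environ["OPNSENSE_SECRET"],
            os.environ.get("OPNSENSE_ALIAS", "f2b_block"),
            sys.argv[1], sys.argv[2],
        )
    except ValueError as exc:
        sys.exit(f"skipped: {exc}")
    print(result)
```

Two things to check before deploying: the WAN block rule must sit above the rules that expose the mail and web services (otherwise a "quick" allow rule matches first), and, as far as I know, alias_util edits the live pf table rather than the saved alias, so entries added this way may not survive a reboot of the firewall; if that matters, confirm the behaviour on your version or reissue bans from fail2ban's state after a restart.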
#2
Have just gone through the full firewall logs and there is nothing in there. Here is a screenshot from the box itself; the remote syslog host sees the same thing, i.e. no entries logged prior to the kernel restarting.

I am thinking this might be something to do with a failing UPS (or a UPS that goes into test mode each week), as I noticed the interface on the Linux syslog host lost connectivity at almost the same time (it is in a different cabinet and on a different UPS, but the main network switch is in that cabinet).

Craig

#3
General Discussion / Timezone issue - Sydney - 20.7
November 23, 2020, 02:45:46 AM
Guys,

I have a 20.7 install on QOTOM i5 hardware.

System is configured for the Sydney/Australia timezone, but the hour is one hour different from our real DST time that we have at the moment; it is showing 1 hour slower.

Any ideas on what to do about this ?

Craig
#4
I am getting something similar happening.

Full Story

Purchased 3 x Identical QOTOM mini PC - Intel i5 - added brand new identical Crucial RAM to each machine and identical Samsung 840 Pro 128 GB SSDs.

One machine was installed and configured for home use running untangle - this machine has been absolutely rock solid and stable - not a single issue. This is my home system.

The 2nd machine was due to go to a friend's house with a gigabit internet connection running OpnSense 20.7. We initially experienced what appeared to be random hangs/sleep issues where the box, on a fairly predictable weekly cycle, would power itself down (or at the very least not respond to anything and not allow any access, in/out or admin). Only a complete power off would resolve it.

I thought it might be a BIOS sleep issue so changed many settings (based on our friend Google) for this hardware and then swapped our 3rd hot spare box in with all the BIOS changes.

Took the apparently failing box and left it on a test bench - powered on - but not connected to anything and it ran for two weeks - so did not appear to be a BIOS sleep issue for low load etc.

Ran the replacement box with a brand new install of OpnSense, restored settings, and BIOS settings updated to remove all sleep options, at my friend's place, and then the same thing happened: this box once again shut down after approximately 2 weeks.

Made a few more BIOS changes and also enabled remote syslogging, and have just had a restart over the weekend after 14 days. I am about to go through the logs to try and see what the syslog box saw at the time of the reboot.

Will report back

Craig
#5
20.7 Legacy Series / Re: Opnsense 20.7 on QOTOM i5
November 12, 2020, 08:21:24 AM
Thanks for the reply Jonny

I have 3 of the

NO RAM NO SSD, Q555G6 7200U NO WiFi

I have one running as my home Untangle firewall; it has worked without missing a beat for about 4 months. I have another that I have installed with OpnSense for a friend, and this is the one giving me problems. The 3rd one is a hot spare, which I use to make changes on and then drop in for the OpnSense unit to try and identify/resolve issues.

I added Corsair 8GB RAM to each of them and Samsung 850 Pro SSDs - all bought at the same time from the same vendor.

Initially I thought it was a hardware issue, so I took the first unit that appeared to "fail" and swapped in the hot spare, then put the apparently failed unit on my test bench and had two PCs hammer data through it for a week: no issues.

I then started thinking it was some form of hardware sleep setting, so I did some searching and found a few comments across the web about disabling C-states and other hardware sleep control. I turned all of these off and then tested for another week (meanwhile the 2nd unit with OpnSense on my friend's site was shutting down once a week or so: does not respond to pings, does not pass any traffic, cannot log into the web interface).

Set it up to log to a syslog box but nothing of interest.

So I took the box with the BIOS options set to disabled and swapped it in, and the same thing happened again, so I have now started thinking it is something to do with OpnSense.

Again thinking it may be some form of sleep issue, I set up a cron job on OpnSense to restart the captive portal every 10 minutes (we do not use the captive portal), thinking this would stop it going into a sleep state if this was what was happening, but no difference.

Any ideas ?

Craig
#6
20.7 Legacy Series / Opnsense 20.7 on QOTOM i5
November 11, 2020, 02:41:32 AM
Guys, NOOB here. Rolled out a QOTOM i5 with 20.7, very basic config, only a single port forward and UPnP whilst we are testing.

At least once a week the system appears to shutdown/sleep and the only reliable method we have found to wake it up is to remove power and then power it back on.

This has now happened 3 weeks in a row and appears to happen only on the weekends.

I have found a number of online guides that talk about various BIOS settings to stop the hardware sleeping. I enabled these on one unit (we have 3 units in total, but only one live at this stage whilst we test).

We have set the various BIOS settings, swapped in one of the other units and then put the device that was having the problems onto our test bench and let it sit there, no traffic going through it, and it was fine for a week (with a monitor connected): no shutdowns etc.

Is there a log setting we can set on OpnSense to have it write activity logs etc. to disk prior to a shutdown (if that is what is happening) so we can try and troubleshoot this? Or can we redirect the logs out to a remote syslog server etc.?

Craig
#7
Thanks for the help. It was the UPnP that did it.

Even though it was installed (must be part of the base install) it was not showing up in the services. I had to uninstall the plugin, then reinstall, and it showed up. Once configured, ZT went down to 11ms pings, so all good.

Craig
#8
Thanks Cerberus.

Nope, I have not installed ZT on OpnSense (that's probably the next step). We have clients (virtual desktops) behind OpnSense that have ZT installed.

Remote users are made members of the ZT network so they can RDP into the Virtual Desktops.

When you say enable a rule on the external interface for UDP port 9993, would that look something like:

Enable incoming on WAN, from any IP address, source UDP 9993, destination internal LAN network?

Thanks for taking the time to answer

Craig
#9
Guys,

Migrating a client away from Cyberoam to OpnSense. First foray into using it - so far very impressed.

One issue I have:

Gigabit link to Internet
Stock install - no IPS, IDS or any apps added.
Whilst in testing mode we have allowed all outbound ports.

Outbound clients to internet (Speedtest.net) are achieving 900+Mb/s both upload and download - so very happy with that.

We have a number of machines behind the firewall with the ZeroTier client installed. We RDP across the ZT network onto those machines, and this is where the problem is.

I will concentrate on a single machine (but it is happening across all of the ZT machines that are accessed through RDP).

The machine I access for management purposes is a W2K8 server. I have created a management ZT network that I am able to access for this site, and there is a machine on another site on the same ZT network (no other VPN between sites).

So we have 3 machines on 3 different sites on the same ZT subnet.

On the problem site we are in the process of migrating away from Cyberoam SG series firewalls. Previously we were using ZT fine with these in place and speed was excellent.

Now that we have changed FWs we are finding the interactive speed is terrible: when pinging one of the machines on the 3rd site that is still behind a Cyberoam firewall I am getting 12ms response times; on the one with OpnSense I am getting 450ms.

If I swap back to the Cyberoam from OpnSense (even though it is not fast enough to handle the gigabit speeds) the response times to pings to the problem machine drop back to 12 to 13 ms.

Both remote machines are located relatively close to me in Sydney, and both are connected to the same ISP network, a dedicated business grade fibre network, so the performance issues are not coming from there.

Has any one else experienced problems with ZT clients behind OpnSense ?

It feels to me like MTU fragmentation, but I have left that at the default settings.

The firewall is an Intel i5 with 6 gigabit network interfaces (one of the QOTOM units); it has a Samsung SATA SSD and 8GB RAM.

Any ideas?

Craig