Messages

All,
     My workstation that I use a VPN on is showing the following:

     An error has occured, Sorry Guest, you are banned from using this forum!
     The ban is not set to expire.

     I cleared the browser cache and it worked for a few minutes. Then the above appeared again.
 
     Am I doing anything wrong? How do I get questions answered regarding this?

Thanks
Zz00mm

Please see below requested information.

   pfctl -t __qfeeds_malware_ip -T show | head -10

......

Aah I see the issue the "tag qtag" is causing issues. I've forwarded it to our developers. Thank you very much we will get back with a solution soon.

EDIT: confirmed fix in the latest commit. Will be part of official release.



Update:
     Removing the tag didn't resolve the issue.
What I found:
     Since this is an HA configuration, I did the following.
     Removed inbound floating rule, created rule on WAN and inbound blocks started appearing
     Outbound floating rule, added WAN to the existing rule with the vLANs and outbound blocks started appearing

     I believe this is due to the way HA configurations work.
     I will install Q-Feeds on a standalone (non HA) firewall this week and see if it works with floating rules and without WAN in the outbound rule.

Zz00mm

Please see below requested information.

Check if Q-Feeds tables exist and contain entries:

   pfctl -t __qfeeds_malware_ip -T show | head -10

   1.0.0.4
   1.0.0.181
   1.0.0.187
   1.0.75.78
   1.0.138.92
   1.0.151.224
   1.0.152.138
   1.0.153.83
   1.0.153.159
   1.0.158.78

   pfctl -t __qfeeds_malware_ip -T show | wc -l

 491863

Check firewall rules for Q-Feeds table references:
  pfctl -sr | grep "<__qfeeds" | tail -5

block drop out log quick on em0_vlan108 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop in quick on em1 reply-to (em1 x.x.x.22) inet from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"
block drop in quick on em1 reply-to (em1 fe80::1e52) inet6 from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"

Qfeeds,
      the Q-Feeds widget on the dashboard show's IP's are being block, right now 1633
      Security-> Q-Feeds Connect -> Events: shows nothing.
      qfeedsctl.py logs via command line: output show nothing.
      cat /var/log/filter/latest.log | grep block: does show IPs being blocked on em1 (WAN)
      What information can I provide to troubleshoot this?
      Config:
      running os-q-feeds-connecter-1.1_2, GUI plugin shows version 1.1 not 1.1_2
      completely uninstalled and reinstalled version 1.1_2 just to doublecheck myself.
      2 Node HA cluster
      10 vLANs internal network

Zz00mm

qfeedsctl.py stats:
{"feeds":[{"name":"malware_ip","total_entries":491863,"packets_blocked":16765,"bytes_blocked":791023,"addresses_blocked":1645}],"totals":{"entries":491863,"addresses_blocked":1645,"packets_blocked":16765,"bytes_blocked":791023}}
qfeedsctl.py logs:
{"rows":[]}
qfeedsctl.py show_index:
{"company_info":{"id":106,"name":"xxxxxxx Company","token_expiration":null,"p                                                                                       remium_access":false},"security_settings":{"rate_limit_window":10,"allowed_ips":                                                                                       "*","allowed_user_agents":"*"},"licensing_summary":{"features":{"total":5,"licen                                                                                       sed":0,"unlicensed":5},"feeds":{"total":3,"licensed":3,"unlicensed":0}},"feature                                                                                       s":[{"id":1,"name":"attack_surface","description":"Access to the External Attack                                                                                       -Surface Management functionality.","licensed":false},{"id":6,"name":"manage_api                                                                                       _key_settings","description":"Allows users to edit advanced settings for API key                                                                                       s, such as IP restrictions, feed access, and rate limits.","licensed":false},{"i                                                                                       d":3,"name":"manage_users","description":"Ability to create, edit, and delete su                                                                                       b-users.","licensed":false},{"id":7,"name":"support","description":"Access to su                                                                                       pport ticketing system and false positive reporting","licensed":false},{"id":4,"                                                                                       name":"threat_lookup","description":"Access to the Threat-Intelligence lookup fu                                                                                       nctionality.","licensed":false}],"feeds":[{"id":9,"feed_type":"malware_ip","type                                                                                       ":"ip","description":"Malicious IP addresses","created_at":"2024-09-02T12:00:00Z                                                                                       ","updated_at":"2025-10-18T00:00:00Z","frequency":1200,"next_update":"2025-10-19                                                                                       T00:17:31Z","licensed":true,"local_filename":"\/var\/db\/qfeeds-tables\/malware_                                                                                       ip.txt","updated_at_dt":1760745600.0,"next_update_dt":1760833051.0},{"id":10,"fe                                                                                       ed_type":"malware_domains","type":"domains","description":"Malicious domain name                                                                                       s","created_at":"2024-09-02T12:00:00Z","updated_at":"2025-10-18T00:00:00Z","freq                                                                                       uency":1200,"next_update":"2025-10-19T00:17:31Z","licensed":true,"local_filename                                                                                       ":"\/var\/db\/qfeeds-tables\/malware_domains.txt","updated_at_dt":1760745600.0,"                                                                                       next_update_dt":1760833051.0},{"id":11,"feed_type":"phishing_urls","type":"urls"                                                                                       ,"description":"Phishing URLS","created_at":"2024-09-02T12:00:00Z","updated_at":                                                                                       "2025-10-18T00:00:00Z","frequency":1200,"next_update":"2025-10-19T00:17:31Z","li                                                                                       censed":true,"local_filename":"\/var\/db\/qfeeds-tables\/phishing_urls.txt","upd                                                                                       ated_at_dt":1760745600.0,"next_update_dt":1760833051.0}]}

All,
    I'm receiving the following error after updating to 1.1: Rate limit exceeded for company: xxxxx's Company on feed malware_ip
    I went to the tip.qfeeds.com site as I had disabled the rate limiting when I first installed for 5 minutes, looks like this option has been removed.
    Currently running on an HA pair, hopefully this isn't causing issues. I didn't use seperate API keys for each node, should I configure a 2nd API key for the 2nd node?

Zz00mm

Stefan,
     Would be interested in testing as well.

Thanks
zz00mm

I have an X550 in my firewall and I select the speed via the GUI. See attachment, connects at 2500 to cable modem. Provisioned for 1.2GbE, see speeds at high at 1.55Gb download speeds. I updated the NVM with the latest from Dec, 2024 and use the OPNsense ix driver without issue.

Z00m

Intel X550 supports 10/5/2.5/1, currently using X550-T2 in HA configuration connecting to Comcast 2.5GbE ports on modem for 1.2Gb internet

Have you read thru the docs? I used these myself when configuring my HA setup.
https://docs.opnsense.org/manual/hacarp.html

Would you provide more detail of your configuration? I would like to try this configuration myself, do not have dual ISPs just 5 public IP's within the same /29.

Thanks
Z00m

I haven't used this util in a couple of years and it does work with OPNsense..
https://github.com/KoenZomers/pfSenseBackup

https://www.routerperformance.net/opnsense-repo/

Search thru the forum on VMware and/or ESX and you'll find many other posts. If you are creating a none HA firewall. you need to modify your PortGroup and enable Promiscuous mode, MAC address changes and Forged transmits.

If you are attempting to create an HA pair, the only way I've been successful to get an HA pair to work is use the same options with a vDS (Distributed Switch). Even then I finally had to tag the WAN side to get it to work.

Hopefully this helps, attaching a screen shot of the "Security section" where the above options are disabled by default.

Rebuild an HA Cluster configuration. speedtest info within the GUI showed nothing. Checked the speedtest.csv file it didn't have a duplicate entry, nano did say it was converting from a DOS file. Nothing looked wrong, so I renamed speedtest.csv to speedtest.csv.org and ran "python3 opn_speedtest.py" which recreated the speedtest.csv file and populated it with speed output information. Information now shows in the widget in the GUI.

I have comcast business myself with 5 IP's. so the only item I can suggest is have you spoofed the WAN mac address of your current firewall into OPNsense. I know on the residential side they use to remember your WAN mac address and I use to leave the firewall/modem off for about 1 hr to get it to release. using  a /32 is like a VPN connection it's the GW.

https://docs.opnsense.org/manual/interfaces.html