Messages - zz00mm

#1
Quote from: Q-Feeds on October 18, 2025, 05:12:32 PM
Quote from: zz00mm on October 18, 2025, 03:31:35 PM
Please see below requested information.

   pfctl -t __qfeeds_malware_ip -T show | head -10

......


Aah, I see the issue: the "tag qtag" is causing issues. I've forwarded it to our developers. Thank you very much, we will get back with a solution soon.

EDIT: confirmed fix in the latest commit. Will be part of the official release.



Update:
     Removing the tag didn't resolve the issue.
What I found:
     Since this is an HA configuration, I did the following.
     Removed the inbound floating rule, created a rule on WAN, and inbound blocks started appearing.
     Outbound floating rule: added WAN to the existing rule with the VLANs, and outbound blocks started appearing.

     I believe this is due to the way HA configurations work.
     I will install Q-Feeds on a standalone (non-HA) firewall this week and see if it works with floating rules and without WAN in the outbound rule.

Zz00mm
#2
Please see below requested information.

Quote from: Q-Feeds on October 18, 2025, 10:28:20 AM
Check if Q-Feeds tables exist and contain entries:

   pfctl -t __qfeeds_malware_ip -T show | head -10

   1.0.0.4
   1.0.0.181
   1.0.0.187
   1.0.75.78
   1.0.138.92
   1.0.151.224
   1.0.152.138
   1.0.153.83
   1.0.153.159
   1.0.158.78

   pfctl -t __qfeeds_malware_ip -T show | wc -l

   491863

Check firewall rules for Q-Feeds table references:

   pfctl -sr | grep "<__qfeeds" | tail -5

block drop out log quick on em0_vlan108 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop in quick on em1 reply-to (em1 x.x.x.22) inet from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"
block drop in quick on em1 reply-to (em1 fe80::1e52) inet6 from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"
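
As an added example (not code from this thread, from Q-Feeds or from OPNsense), the following sh script turns the `pfctl -sr | grep "<__qfeeds"` check above into a per-interface coverage report: for a given pf table it lists every interface, direction and address family that has a block rule referencing the table, treats rules with no "on <iface>" clause as floating, and reports which directions a named interface is missing. That is the question behind the thread (blocks only showed up once rules existed on WAN itself). SAMPLE_RULES is constructed to resemble the pfctl output quoted above; the interface names, the 192.0.2.22 address and the label strings are illustrative.

```sh
#!/bin/sh
# Added example; not part of the forum thread, Q-Feeds or OPNsense.
# Reads `pfctl -sr` text and reports which interface/direction/address-family
# combinations carry a block rule that references a pf table.

# Constructed rule set resembling the pfctl -sr output quoted in the thread.
# Interface names, the address and the labels are illustrative only.
SAMPLE_RULES='block drop in log quick inet from <__qfeeds_malware_ip> to any label "floating0"
block drop out log quick on em0_vlan108 inet from any to <__qfeeds_malware_ip> label "lan0"
block drop out log quick on em0_vlan108 inet6 from any to <__qfeeds_malware_ip> label "lan0"
block drop out log quick on em0_vlan109 inet from any to <__qfeeds_malware_ip> label "lan0"
block drop in quick on em1 reply-to (em1 192.0.2.22) inet from <__qfeeds_malware_ip> to any label "wan0"
pass in quick on em1 inet from any to any flags S/SA keep state label "default"'

# coverage TABLE RULES_TEXT
# Prints one "iface dir af" line per block rule that references <TABLE>.
# A rule without an "on <iface>" clause is a floating rule and is reported
# as "(floating)"; af is inet unless the rule says inet6.
coverage() {
    table="$1"
    printf '%s\n' "$2" | awk -v t="<$table>" '
        $1 == "block" && index($0, t) {
            iface = "(floating)"; dir = "?"; af = "inet"
            for (i = 1; i <= NF; i++) {
                if ($i == "in" || $i == "out") dir = $i
                if ($i == "on") iface = $(i + 1)
                if ($i == "inet6") af = "inet6"
            }
            print iface, dir, af
        }' | sort -u
}

# missing TABLE IFACE RULES_TEXT
# Prints each direction (in, out) for which IFACE has no IPv4 block rule
# on TABLE; prints nothing when both directions are covered.
missing() {
    table="$1"; iface="$2"; rules="$3"
    for d in in out; do
        coverage "$table" "$rules" | grep -q "^$iface $d inet\$" \
            || printf '%s\n' "$d"
    done
}

# Example run against the constructed rule set. On a live box replace
# "$SAMPLE_RULES" with "$(pfctl -sr)".
echo "coverage for __qfeeds_malware_ip:"
coverage __qfeeds_malware_ip "$SAMPLE_RULES"
echo "em1 is missing: $(missing __qfeeds_malware_ip em1 "$SAMPLE_RULES" | tr '\n' ' ')"
```

Run it on the firewall with `"$(pfctl -sr)"` in place of the sample text; a WAN interface that only shows up with `in` and not `out` is exactly the gap the thread closed by adding WAN to the outbound rule.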

#3
Qfeeds,
      the Q-Feeds widget on the dashboard shows IPs are being blocked, right now 1633.
      Security -> Q-Feeds Connect -> Events: shows nothing.
      qfeedsctl.py logs via command line: output shows nothing.
      cat /var/log/filter/latest.log | grep block: does show IPs being blocked on em1 (WAN).
      What information can I provide to troubleshoot this?
      Config:
      running os-q-feeds-connecter-1.1_2, GUI plugin shows version 1.1 not 1.1_2
      completely uninstalled and reinstalled version 1.1_2 just to double-check myself.
      2-node HA cluster
      10 VLANs internal network

Zz00mm

qfeedsctl.py stats:
{"feeds":[{"name":"malware_ip","total_entries":491863,"packets_blocked":16765,"bytes_blocked":791023,"addresses_blocked":1645}],"totals":{"entries":491863,"addresses_blocked":1645,"packets_blocked":16765,"bytes_blocked":791023}}
qfeedsctl.py logs:
{"rows":[]}
qfeedsctl.py show_index:
{
  "company_info": {"id": 106, "name": "xxxxxxx Company", "token_expiration": null, "premium_access": false},
  "security_settings": {"rate_limit_window": 10, "allowed_ips": "*", "allowed_user_agents": "*"},
  "licensing_summary": {
    "features": {"total": 5, "licensed": 0, "unlicensed": 5},
    "feeds": {"total": 3, "licensed": 3, "unlicensed": 0}
  },
  "features": [
    {"id": 1, "name": "attack_surface", "description": "Access to the External Attack-Surface Management functionality.", "licensed": false},
    {"id": 6, "name": "manage_api_key_settings", "description": "Allows users to edit advanced settings for API keys, such as IP restrictions, feed access, and rate limits.", "licensed": false},
    {"id": 3, "name": "manage_users", "description": "Ability to create, edit, and delete sub-users.", "licensed": false},
    {"id": 7, "name": "support", "description": "Access to support ticketing system and false positive reporting", "licensed": false},
    {"id": 4, "name": "threat_lookup", "description": "Access to the Threat-Intelligence lookup functionality.", "licensed": false}
  ],
  "feeds": [
    {"id": 9, "feed_type": "malware_ip", "type": "ip", "description": "Malicious IP addresses", "created_at": "2024-09-02T12:00:00Z", "updated_at": "2025-10-18T00:00:00Z", "frequency": 1200, "next_update": "2025-10-19T00:17:31Z", "licensed": true, "local_filename": "\/var\/db\/qfeeds-tables\/malware_ip.txt", "updated_at_dt": 1760745600.0, "next_update_dt": 1760833051.0},
    {"id": 10, "feed_type": "malware_domains", "type": "domains", "description": "Malicious domain names", "created_at": "2024-09-02T12:00:00Z", "updated_at": "2025-10-18T00:00:00Z", "frequency": 1200, "next_update": "2025-10-19T00:17:31Z", "licensed": true, "local_filename": "\/var\/db\/qfeeds-tables\/malware_domains.txt", "updated_at_dt": 1760745600.0, "next_update_dt": 1760833051.0},
    {"id": 11, "feed_type": "phishing_urls", "type": "urls", "description": "Phishing URLS", "created_at": "2024-09-02T12:00:00Z", "updated_at": "2025-10-18T00:00:00Z", "frequency": 1200, "next_update": "2025-10-19T00:17:31Z", "licensed": true, "local_filename": "\/var\/db\/qfeeds-tables\/phishing_urls.txt", "updated_at_dt": 1760745600.0, "next_update_dt": 1760833051.0}
  ]
}


#4
All,
    I'm receiving the following error after updating to 1.1: "Rate limit exceeded for company: xxxxx's Company on feed malware_ip".
    I went to the tip.qfeeds.com site, as I had disabled the rate limiting when I first installed for 5 minutes; it looks like this option has been removed.
    Currently running on an HA pair, hopefully this isn't causing issues. I didn't use separate API keys for each node; should I configure a 2nd API key for the 2nd node?

Zz00mm
#5
Stefan,
     Would be interested in testing as well.

Thanks
zz00mm
#6
I have an X550 in my firewall and I select the speed via the GUI. See attachment: it connects at 2500 to the cable modem. Provisioned for 1.2GbE, I see speeds as high as 1.55Gb download. I updated the NVM with the latest from Dec 2024 and use the OPNsense ix driver without issue.

Z00m
#7
Intel X550 supports 10/5/2.5/1, currently using X550-T2 in HA configuration connecting to Comcast 2.5GbE ports on modem for 1.2Gb internet
#8
High availability / Re: HA Questions
January 13, 2025, 08:22:47 PM
Have you read through the docs? I used these myself when configuring my HA setup.
https://docs.opnsense.org/manual/hacarp.html

#9
High availability / Re: BGP with CARP LAN
October 23, 2024, 03:38:12 AM
Would you provide more detail of your configuration? I would like to try this configuration myself; I do not have dual ISPs, just 5 public IPs within the same /29.

Thanks
Z00m
#10
I haven't used this util in a couple of years, and it does work with OPNsense.
https://github.com/KoenZomers/pfSenseBackup
#12
Search through the forum on VMware and/or ESX and you'll find many other posts. If you are creating a non-HA firewall, you need to modify your PortGroup and enable Promiscuous mode, MAC address changes and Forged transmits.

If you are attempting to create an HA pair, the only way I've been successful in getting an HA pair to work is to use the same options with a vDS (Distributed Switch). Even then I finally had to tag the WAN side to get it to work.

Hopefully this helps, attaching a screen shot of the "Security section" where the above options are disabled by default.
#13
24.1, 24.4 Legacy Series / Re: Periodic Speedtest
July 09, 2024, 03:26:56 PM
Rebuilt an HA cluster configuration. Speedtest info within the GUI showed nothing. Checked the speedtest.csv file; it didn't have a duplicate entry, and nano did say it was converting from a DOS file. Nothing looked wrong, so I renamed speedtest.csv to speedtest.csv.org and ran "python3 opn_speedtest.py", which recreated the speedtest.csv file and populated it with speed output information. Information now shows in the widget in the GUI.
#14
I have Comcast Business myself with 5 IPs, so the only item I can suggest is: have you spoofed the WAN MAC address of your current firewall into OPNsense? I know on the residential side they used to remember your WAN MAC address, and I used to leave the firewall/modem off for about 1 hr to get it to release. Using a /32 is like a VPN connection; it's the GW.

https://docs.opnsense.org/manual/interfaces.html
#15
Has this been attempted on HA?