Messages

Similar problem, my Zenarmor appears to be crashing constantly - high CPU utilization.

Code Select Expand

pid 14461 (eastpect), jid 0, uid 0: exited on signal 3 (core dumped)
'eastpect' appears to be Zen Armor - I've turned Zen off and it seemed to reset my network stack, but also appears to have significantly lowered my CPU utilization.

Edit:

Check out this thread - Zenarmor Forum about OPNSense 26.1.3 and Zenarmor CPU utilization

Summary - After doing maintainance on the DB, I switched from Passive Mode to Blocking Routed L3 with Native Netmap and it appears to be working w/out coredump now.

Saw a different error specifically saying pkg-static wouldn't let go of the db, ran the kill command, it said it didn't find anything to kill, re-ran the update, it worked.

Rebooted the router, everything is coming up nicely, thank you OPNSense and Franco!!

In short, no.

Use the OPNSense Alert view to view them or send the logs to a data-lake or something like Elasticsearch/Opensearch/Greylog.

My OPNSense complained about an "unknown error" but I cannot find the log of it yet. Any pointers to reviewing logs for upgrades welcomed!!

My upgrade did work however, and I have modded my OPNSense a little out-of-band.

Can the OPNSense affected also if hacker got access to LAN?

Internal Firewall rules with separate zones/interfaces for Wifi/Client/DMZ/Core/etc. Would advise using VLANs if you can, otherwise subneting with /24s is a good idea.

From what I've read, you might also want to turn on MAC-Address filters on your WAPs and/or OPNSense's DHCP, good luck!

I have MAC filtering enabled. NO SSH and open ports. How to create VLAN or subnetting?

VLANs:
https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html
https://www.youtube.com/watch?v=9hJyWaQ2x28

Subnetting, well, that is its own thing. Behind your WAN, is your LAN, and you can have multiple interfaces that feed various parts of your network. Generally your router is the point where the different legs interconnect, and you can subnet within a /16 several /24 cidrs.

192.168.0.0/16 = "usable": 192.168.0.1 - 192.168.255.254

192.168.34.0/24 = "usable": 192.168.34.1 - 192.168.34.254

Depending on how familiar you are with this, yes, you will have to assign a gateway IP to the interface you are creating for a subnet - still considered a "usable" IP.

There are subnet calculators out there, or you can make your own in Excel - it all breaks down to binary math and for the "length" of the CIDR is how much of the binary IP value the IP has as neighbors.

/24 = 255.255.255.0 and for the 192.168.34.56 it means that any other IP with a 192.168.34.XXX is a neighbor, and this works like a mask or filter.
In binary:
11111111.11111111.11111111.00000000 masked onto 11000000.10101000.00100010.00111000 and then 11000000.10101000.00100010.00000001 through 11000000.10101000.00100010.11111110 is your neighbor

It is strongly advised to not try to network at smaller than a /24, but if you are filtering/making a group for a process, you can segment much smaller, just know that at a VLAN/Interface actual network group you will want to use /24 for IPv4 and likely /64 for IPv6. If you are lucky you can get a /56 IPv6 from your ISP and you can use /64s out of it for the various interfaces.

Since a VLAN is a "device" you can make a VLAN and have it have its own subnet, you do not need N ethernet/fiber cards to have N subnets (N = Integer number).

Read the docs, make sure you setup your firewall rules to allow devices within an Interface "In", and what the get to "In" to (any == local and WAN).

Would also advise, unless you have found "the hack", it can be often best to interpret an anomaly/issue as a mis-configuration.

Looking at an "easy learning moment". Developers / OPNSense devs, please advise!

To setup a development environment, one would VM the OPNSense, and using forks of the OPNSense Github repos, run a command on the OPNSense VM after we make the feature branch and change to apply it into the live environment?

It seems the directive to engage modifications that touch the Web GUI is explained here: https://docs.opnsense.org/development/workflow.html#packages

This would be growth on my previous PR experience, and would be great to add a menu option within conditions to allow for a file to exist with at least one line of syntax in it.

This would allow IDS configured Suricata PCAP bpf-filter to do its thing and lighten the load where it matters most, the inspection/workers. Further, if you configure layer 3/6/7 (pf+reverse-proxy-waf), then you have and 'echo' of IPS possibly without any IPS limitation. Further, CTI, cyber threat intelligence. Each attack matters in the global internet landscape.

Please share any lessons learned, will be using Proxmox instead of VirtualBox, and URLs/Youtubes as far as examples or guides that cover this Web GUI <-> OPNSense State abstraction - down to the services and how the args and environment vars work.

Sometimes a helper is that you just gotta turn and start on page XY, instead of starting on the first page, to get jump-started. Cannonball development lol, and if it requires reading from the beginning then it does.

[How can we enable natural use of the -F <filename> for a BPF filter to use when in PCAP mode?]

More or less forced a BPF filter for Suricata in PCAP mode as I realized that is configured on the command line options...

So I edited "/usr/local/etc/rc.d/suricata" and changed the now commented out line with the next line:

Code Select Expand

# [ -z "$suricata_flags" ]    && suricata_flags="-D"
suricata_flags="-D -F /usr/local/etc/suricata/capture-filter.bpf"
Now I have already tested the earlier BPF, it starts with it, and it filters (I was able to comment-out my pass rules I was using to ignore traffic).

How can we enable natural use of the -F <filename> for a BPF filter to use when in PCAP mode?

To all doing IPS and wondering if you can BPF for Suricata, in short, no, it does not appear so.

If you were to BPF your IPS, you would now have as a first level filter on your network the BPF filter itself for all interfaces Suricata would be IPS for... which generally if you are only trying to get Suricata to focus on important stuff... isn't going to work here as it filters the traffic before Suricata sees it and thus it can not pass it along.

Wanted to start with a thank you, the /usr/local/etc/suricata/conf.d/custom.yaml appears persistent and this allows us to further customize Suricata, thank you OPNSense!! We have had difficulty customizing and having it persist until now.

The issue found appears to be that BPF Filtering via netmap in the Suricata config does not appear to work, hosts/networks filtered still show up in the Suricata alerts. The netmap area of suricata.yaml from OPNSense 25.x to OPNSense 26.x appears to have gone through a lot of changes.

The new divert feature being one of the new elements I have not had a chance to explore, I'm using PCAP IPD mode for Suricata.

The documentation for BPF-Filtering within Suricata shows this as an example:

Code Select Expand

not (host IP1 or IP2 or IP3 or net NET/24)
A most desired filter is between a subnet and one or more other subnets, and I've tried this in several methods, here's the most basic I have tried:

Code Select Expand

not ((net NET1/24 and NET2/24) or (net NET2/24 and NET3/24) or (net NET3/24 and NET1/24))
So far none of the BPF filters work with Suricata - does anyone use this and/or have experience?

Edit:
For a while I was only looking at the suricata.yaml file and didn't realize the level of control that went into the command line execution of arguments sent to suricata on service start. For a while I was trying to put netmap in IDS mode thinking that's how the traffic was going and wondering why the BPF filter for netmap wasn't working.

Did the upgrade to 26.1.3, everything so far was working, except a home grown automation to sync stuff gathered from the OPNSense API, Portainer, and kept in a Redis Cache to my BIND setup. This is done by a Python script.

In a most strangest interaction, use case testing Python using requests, http, or httpx and was not able to reach and more correctly connect to OPNSense's API, but Postman/CURL both could - and got valid responses back. Tested the HTTP/1.1 or HTTP/2 nature, always worked for Postman and CURL, never worked for Python.

So I went back to the OPNSense, maybe I could re-reset some stuff, started simple - restarted the System Configuration Daemon and then Web GUI services from the Web GUI, suddenly Python is working again.

Also did a another restart of the OPNSense (it restart initially after the upgrade), and the issue did not present itself again. So this is just a heads up to any that might hit whatever edge case I did, restart services and/or host, should work again.

Not terribly often talked about, but, all FQDNs (even domains) have a period at the end. So, "google.com" is actually "google.com." and we just get to skip the last period because we never had to use it, they have let us skip it since for about forever (in nearly every service, save, Raw/back-end DNS).

At times like this you see the standard show up where you get to see the last period at the end of a name on the network.

You could pursue using Suricata's own rule update/sync mechanism if you wish:

https://www.nova-labs.net/using-suricata-update-on-opnsense/

^ there is only one major deviation, and that is that the custom.yaml file is in a new location and the contents have updated a little... I will update the blog post or make a new one eventually.

The firewall migration worked well for me, and I was able to manually move over ISC to KEA ahead of time and then remove the plug-in that wasn't needed anymore.

To any wanting to 'sync' their KEA IPv4 and IPv6 Reservations by just creating a IPv4 Reservation... here's some Python ^_^
https://github.com/j0nny55555/homelabdnsupdater/blob/main/ipv6reservationupdates.py

Great update, thank you!!

Just wanted to extend OPNSense, the community, FreeBSD, associated projects, and the Open Source community a thank you!!

I wrote a Linux ran multi-threaded Python detail to update several Aliases (two of which have 10k+ IPs) with IP lists via OPNSense API, and on average it is completing now in about 30% less time (that means I block an attacker (CrowdSec enabled Reverse Proxy + Suricata) at Layer 3 faster).

No change to my code, I've already tweaked it for speed in about every way (nice in Linux, pre-compiling Python...) and this speed up is purely because OPNSense continues to become a more lean/mean beast.

Can the OPNSense affected also if hacker got access to LAN?

Internal Firewall rules with separate zones/interfaces for Wifi/Client/DMZ/Core/etc. Would advise using VLANs if you can, otherwise subneting with /24s is a good idea.

From what I've read, you might also want to turn on MAC-Address filters on your WAPs and/or OPNSense's DHCP, good luck!

Ok - so it was the option in Unbound "Register DHCP Static Mappings" which more or less cancelled the forwarding for the local domain, with that disabled, it follows forwarding rules...

So the Overrides work as intended, which is great, and now Aliases asks Unbound (localhost:53) for hosts and my Aliases now update as expected.