Messages - ddt3

#1
Quote from: cookiemonster on September 11, 2023, 05:17:04 PM
Does Suricata work on VLANs now?

Your reply made me recheck what the documentation says about VLAN, so I had another look and the documentation does state:
"Interfaces to protect.  | When in IPS mode, this need to be real interfaces supporting netmap. (when using VLAN's, enable IPS on the parent)"

So I removed vlan from interfaces and added icg3, and now it keeps running even with IPS switched on. Not sure why it did not work the previous time I tried this, but I am sure I just messed up.
#2
Bump..
#3
That's a pity.
Because I can of course read the original HAProxy documentation, but that documentation describes how to use HAProxy config files and does not explain where to look in the OPNsense UI.

I would be more than willing to create a pull request for updated documentation but that means that first I need to understand it myself :-)
#4
In this page: https://docs.opnsense.org/manual/reverse_proxy.html, the documentation references Haproxy How-Tos: https://docs.opnsense.org/manual/how-tos/haproxy.html
But those How-Tos no longer exist.

This is also true for the web interface of the haproxy plugin: it refers to the same non-existent howtos.

This basically means that at the moment there is no OPNsense haproxy documentation at all.
#5
I have posted a similar problem:
Intrusion Detection stops after 1 minute

Assumed my issue was related to "changing to VLAN" but maybe it is related to what you are reporting?
#6
I now discover that I have not been running Intrusion Detection for quite some time.
When I start the service this is in the log:
2023-09-01T09:12:07 Error suricata [120679] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:vlan0.300/R failed: Invalid argument
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Warning suricata [100503] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-01T09:10:32 Notice suricata [100503] <Notice> -- This is Suricata version 6.0.13 RELEASE running in SYSTEM mode


I am running OPNsense 23.7.3-amd64 on actual hardware, 4 network ports based on Intel I-225V.
This is my interface assignment:


I think the problem started when I switched from VDSL (OPNsense connected to internet via VDSL modem) to fiber (OPNsense connected directly to Huawei Media Converter, using vlan0.300), so my OPNsense hardware did not change but the environment did.

I have all hardware offloading switched off, including VLAN (and did not change that when switching to fiber).

Hope that with some help I can get IPS working again!
#7
Although I cannot type in German, I have the same issue on my OPNsense. I have used this functionality in the past and then it did work.
#8
22.7 Legacy Series / Re: CPU temperature alert
August 14, 2022, 04:53:20 PM
Thanks!
Feel a bit silly for not finding that, but monit is running a temperature check now :-)
#9
22.7 Legacy Series / CPU temperature alert
August 14, 2022, 02:31:22 PM
I have just bought new hardware to run OPNsense on. Because of what I have read on the internet, I would like to keep a close eye on the CPU temperature of this mini-pc.

I can of course have a look at the cpu temp in my OPNSense dashboard or at the graphs in Reporting. But I would rather have some kind of alert when the temperature rises above a certain value.
So therefore I would like to know:

  • Can the CPU temperature(s) be retrieved using snmp?
    I did an SNMP walk but found nothing, the OIDs I found using google also did nothing.
  • I could also use an alert in monit for CPU temperature
    I did find some description in the monit documentation, so I created a script that returns the CPU temperature and then found an example of how to use that in monit.
    # set the trigger temperature
    check program CPU-Temp with path "/usr/local/etc/scripts/cputemp.sh"
        if status > 62 then alert

    But I can't figure out how to add that to monit using the OPNsense UI.

#10
General Discussion / Re: CpuTemp not found
August 14, 2022, 01:32:15 PM
In System: Settings: Miscellaneous make sure to set Thermal Sensors: Hardware to reflect your hardware.
#11
I wanted to show you this output:
> dig www.familie-dokter.net +short
82.197.218.159


Which triggered me to try a dns record that points www.familie-dokter.net to the WAN address of opnsense:
>dig www.familie-dokter.net +short
192.168.1.5


And now it does work. But somehow leaving me more confused: I had tried this already...but hey: it does work :-D

Thanks for your reply!
#12
I am quite new to OPNsense, moved from ClearOS to OPNsense, so on a crash course "how to configure OPNsense".
I have configured ha_proxy to forward www.familie-dokter.net to a server on my lan. That works just fine. Now I also would like to use that same "external address" on my lan clients. That appeared to work, but then I changed the lan ip-address of the webserver (and probably other settings too) and now I can't get it to properly function again.

My network setup is quite simple:



Connecting to my webserver from the internet works (the blue line, so ha_proxy works, even after lan ip change).
Connecting to my server from the lan does not work (the red line).
I have enabled:



What am I doing wrong?
#13
22.1 Legacy Series / Re: DHCP static lease
February 14, 2022, 10:53:21 PM
Quote from: jp0469 on February 14, 2022, 08:09:41 PM
That seems like normal behavior to me. It's up to the client to request a new lease. Just do a release and renew at the client and the updated static IP should be obtained.
That indeed is normal behavior for DHCP, but it is OPNsense not allowing (or at least advising against) to make static a previously "dynamic ip address". Some of these devices are inside a wall (home automation); releasing the lease is done by cutting the power.
Quote from: jp0469 on February 14, 2022, 08:09:41 PM
On the same screen where you assign the static IP after pressing the plus button, there is a hostname field. Fun fact: you can assign a hostname there based on the MAC address and leave the IP field blank. In that way, the hostname will resolve to the IP, although the IP will still be dynamic.
I know that you can provide a host name (I actually mentioned "copying ip-address and hostname"); my question was about adding aliases (more than one host name referring to the same ip-address). It can be done by adding a record to dns, but clicking through these webpages, scrolling from top to bottom (because save is at the bottom) and back up if you mistyped a field... not enjoying that part.
#14
22.1 Legacy Series / DHCP static lease
February 14, 2022, 06:55:46 PM
Hello,

I am moving from clearos to pfsense and I have a few questions regarding DHCP static lease and DNS:
On my lan, the opnsense dhcp server uses a range from 100 to 200.
Some of the dhcp leases I would like to make static: in openhab that meant: "use this ip-address every time one is requested by this mac address". In opnsense when I click plus, I get a form pre-filled with the mac-address and am asked to provide an ip-address. The advice says: use an ip-address outside the pool.

But that causes some issues: because the lease in the "pool list" was just obtained, it means the static address will not be used until the lease is refreshed. I find that a bit confusing, is it meant to be like that?

Next to when I have the checkmark that says a static lease needs to be added to DNS too. Which is fine, but is there a way to add hostname aliases to the static lease? I can get this done of course, but that involves "copying" the ip-address and host name from the static lease and creating a dns record out of that.