Messages

Can you please share link for testing on production network and to do some code review maybe :)
Seems interesting btw!

What about: https://github.com/antspopov/opnsense_amnezia_plugin (I am not afflifiated with this repo) ? Does it look complete?

Let's hope they implement it.
Wstunnel is fine but no UI is made for it.

Hey today i noticed that my LAN kea based dhcp is giving gateway 0.0.0.0
ipconfig looks like this

Ethernet adapter Ethernet:

  Connection-specific DNS Suffix  . : localdomain
  IPv4 Address. . . . . . . . . . . : 192.168.1.21
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 0.0.0.0
                                      192.168.1.1


*** quick edit after reboot of the laptop , all fixed. Mark for achive.
Sorry :)

Anyone know how to debug this not starting?

the error is

Code Select Expand

Notice root /usr/local/etc/rc.d/os-udpbroadcastrelay: WARNING: failed to start osudpbroadcastrelay
I've found a github thread saying wire guard was an issue but I don't use it. Other than that error I cant work out whats wrong.

Running     Opnsense 24.7.10_2 at present

I had the same problem, in my case I wanted to support mDNS on port 5353, but it was already occupied by Unbound because I run AdGuard on port 53.

I had to move Unbound to port 5354 and then I could start the relay

Same issue here but 5354 doesn't help either.

Code Select Expand

2024-12-31T19:43:13 Error configd.py [b8fe79e4-0d81-47ea-94b1-c43ffa3b6680] returned exit status 1
2024-12-31T19:43:13 Notice configd.py [b8fe79e4-0d81-47ea-94b1-c43ffa3b6680] starting udpbroadcastrelay instance

Nice work !

Maybe tutorial will be affected from https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html

First impresssions:
1. Clicking on firewall always use rule id in page and i need to remove it ()
2. Mobile version is pain for me the dashboard is moving like crazy and i can't scroll,
But in general its very cool to see some new things implemented ^^
ThanksTeam!

Just a quick update on this post , i manage to get it working and its okey, there a few errors that i must fix but so far its okey and blocks.

Just a head's up. In Public services picture, X-Forwarded-For Header is set but recent changes are removing it.

Code Select Expand


4.2

Added:
* add support for built-in OCSP update feature
* add support for forwarded header (RFC7239)
* add option "X-Forwarded-For Header" to backend settings
* add options for HTTP/2 performance tuning

Fixed:
* fix SSL sync cron job (bulk sync was never working properly)

Changed:
* upgrade to HAProxy 2.8 release series (#3459)
* change default for HTTP/2 to enabled (only new frontends/backends)
* add "no-alpn" option if HTTP/2 is not enabled (only TLS-enabled frontends)
* move OCSP settings from "Service" to "Global" section
* replace bundled haproxyctl library with haproxy-cli

Deprecated:
* frontend option "X-Forwarded-For Header" (the backend option should be used)


Hey gentlemens i found in old thread that someone asked about coraza, then i found guide for deb/ubn for integration with HaProxy here.
Can you help me to add it to haproxy for testing purposes , and later add it to HaProxy itself :)

Code Select Expand

root@wall:~/coraza # git clone https://github.com/corazawaf/coraza-spoa.git
Cloning into 'coraza-spoa'...
remote: Enumerating objects: 965, done.
remote: Counting objects: 100% (451/451), done.
remote: Compressing objects: 100% (178/178), done.
remote: Total 965 (delta 315), reused 311 (delta 265), pack-reused 514
Receiving objects: 100% (965/965), 288.82 KiB | 999.00 KiB/s, done.
Resolving deltas: 100% (497/497), done.
root@firewall:~/coraza # cd ./coraza-spoa
root@firewall:~/coraza/coraza-spoa # make
make: "/root/coraza/coraza-spoa/Makefile" line 22: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 24: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 28: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 29: warning: duplicate script for target "ifeq" ignored
make: "Makefile" line 23: warning: using previous script for "ifeq" defined here
make: "/root/coraza/coraza-spoa/Makefile" line 29: warning: duplicate script for target "(,)" ignored
make: "Makefile" line 23: warning: using previous script for "(,)" defined here
make: "/root/coraza/coraza-spoa/Makefile" line 30: Invalid line type
make: Fatal errors encountered -- cannot continue
make: stopped in /root/coraza/coraza-spoa

~ few hundred years later managed to build and run the coraza in opnsense, but i stumble few hickups that i don't understand yet,
- first how to create easy configctl service for it / or maybe just run at startup time of opnsense
- second as i search in forums or inside opnsense files i dont see haproxy.conf that i can edit (and it's not automatic generated) - i guess php handles the generation of it, and in my case is in /usr/local/etc/haproxy.conf and edit will not help, if i click apply from UI because maybe will delete my additions.

Is there a way to add in example bellow few options ?

Code Select Expand

defaults
    log global
    option httplog
    timeout client 1m
timeout server 1m
timeout connect 10s
timeout http-keep-alive 2m
timeout queue 15s
timeout tunnel 4h  # for websocket

frontend test
    mode http
    bind *:80
   
    unique-id-format %[uuid()]
    unique-id-header X-Unique-ID
    filter spoe engine coraza config /etc/haproxy/coraza.cfg
   
    # Currently haproxy cannot use variables to set the code or deny_status, so this needs to be manually configured here
    http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
    http-response redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }

    http-request deny deny_status 403 hdr waf-block "request"  if { var(txn.coraza.action) -m str deny }
    http-response deny deny_status 403 hdr waf-block "response" if { var(txn.coraza.action) -m str deny }

    http-request silent-drop if { var(txn.coraza.action) -m str drop }
    http-response silent-drop if { var(txn.coraza.action) -m str drop }

    # Deny in case of an error, when processing with the Coraza SPOA
    http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
    http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }

    use_backend test_backend

backend test_backend
    mode http
    http-request return status 200 content-type "text/plain" string "Welcome!\n"

backend coraza-spoa
    mode tcp
    balance roundrobin
    timeout connect 5s # greater than hello timeout
    timeout server 3m  # greater than idle timeout
    server s1 127.0.0.1:9000

That's what i'am searching right now.
Maybe as you point the place that logs are collected /var/log/suricata/eve.json some python script need to be run to extract the ips and convert them into a file that can be read from alias.

Another thing that may be good to add to the UI of suricata is ban time (maybe 30) mins and check time (5mins)
for the script to scrap the file to remove ips that are done with the ban. (this can be done with cron maybe.. :) )

Example chatgpt decoder of the file

Code Select Expand

import json

def extract_src_ips(file_path, output_path):
    ips = set()
   
    with open(file_path, 'r') as file:
        for line in file:
            try:
                data = json.loads(line)
                if 'src_ip' in data:
                    ips.add(data['src_ip'])
                if 'flow' in data and 'src_ip' in data['flow']:
                    ips.add(data['flow']['src_ip'])
            except json.JSONDecodeError:
                print(f"Error decoding JSON in line: {line}")
   
    with open(output_path, 'w') as output_file:
        for ip in ips:
            output_file.write(ip + '\n')

# Specify the input file path and the output file path
input_file_path = 'C:/Users/X/Desktop/input.json'
output_file_path = 'C:/Users/X/Desktop/ips.txt'

# Extract src_ips and save to file
extract_src_ips(input_file_path, output_file_path)


Upgrading here to OPNsense 24.1.9-amd64 just now and wg stops for me as well , restart via service fix the issue.

OPNsense 24.1.7-amd64

As description says i find it strange it is wrong time when firewall logs shows it right.
Is there a file that need to be edited to show it right, or this is expected behaviour?

Hellow gentlemen, I have a small network with 4 static WAN addresses, we are currently using one but I decided to add the others so that they can be used productively. The GATEWAY is statically set and working at x.x.x.233 and the WAN interface works with it without a problem, but when I tried to activate the second WAN_HA interface it does not show me the statically entered GATEWAY, what could be the problem?
Thank you for your time!

Kea migrate was easy , thanks for implement.
I just miss one thing to remove clients from leases, it's maybe expected but it`s unknown to me why one i have the server on 0.74 , and i have new reservation to point again to 0.74 but kea gives me 0.150 on image bellow.
How you remove the old lease ? :)
Keep the good work!

~PS. After some time of refreshing the NIC , correct ip is set !