Messages - fxsaddict

#1
@MikeH
Internet-box 3 (Port 2.5G) -> FW Protectli
Seems to me I did not have this problem with OPNsense 23!
@CJ
Internet-box 3 (Port 2.5G) -> FW Protectli
Sometimes I turn off the firewall.
When I turned it back on, I lost the internet connection.
By now I see the wan_gw is gone.
I do the maneuvers indicated above with system>wizard and I recover the internet connection. Same thing with some reboots.
Could be a variant of https://forum.opnsense.org/index.php?topic=38453.0
#2
I have a protectli i7, ram 16g, 480ssd, 6 ports, coreboot.
Due to some difficulties, I did a fresh installation with OPNsense 24.1.1-amd64, FreeBSD 13.2-RELEASE-p9, OpenSSL 3.0.13.
Sometimes I turn off the device. After a restart, the firewall loses internet. I have to do a wizard by setting the correct static address for wan, then a second wizard pass with dhcp. The wan takes the correct ip address from the swisscom router. And then everything is ok. The maneuver is reproducible after a shutdown.
#3
hi,

Logged in as administrator and root (I checked that).
But I receive the message "permission denied".
Are there some specificities related to FreeBSD?
I googled but didn't find any solution.
Thanks for your help.
#4
Update:
I received an answer from the helpdesk:
Thanks for reaching out and letting us know about the problem.
"
Is the FW reachable? Can you try to stop Zenarmor packet Engine by running the command "service eastpect stop" on the console as root? Then please change the deployment mode to emulated driver in Configuration - General - Deployment Mode - L3 Routed mode with netmap emulated driver on GUI.
"
I start a new post because I was unable to reinstall Zenarmor.
#5
Zenarmor (Sensei) / unable to reinstall zenarmor
May 29, 2023, 09:52:35 AM
When I upgraded previously from 23.1.7, the firewall went down.
I had to reinitialise everything.
Everything works but Zenarmor.
I upgraded to 23.1.8.
I had to reinstall Zenarmor.
I checked "agree terms of service".
I see:
cpu model: intel(R) core(TM)i7-8550 cpu @ 1.80ghz
cpu score 676572
physical memory size: 16gb
congratulations! your hadware looks great.
but the bar didn't progress and nothing happens (1h).
I reinstalled Zenarmor but no change.
protectli f6w dd 500g
active subscription from almost 3 y
What should I do?
#7
I have a similar issue. Don't upgrade. This is Bullshit.
Everything down.
I don't use Suricata.
I have a protection i7
#9
[ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102), [ERRCODE: SC_ERR_INVALID_SIGNATURE(39),  [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]

I want to have Suricata inspect the WAN interface and Zenarmor inspect LAN, DMZ and Wi-Fi. CrowdSec also runs.
Is snortrules-snapshot-29151.tar.gz compatible with the version of Suricata provided by OPNsense 22.7.6? (I have a paid Snort subscription and snort_vrt.oinkcode is ok.)
The firewall is behind a router provided by the ISP. Should I use advanced mode (settings page)? If yes, what should I put in home networks? Leave blank? IP of the WAN interface? IP of LAN, DMZ, Wi-Fi?
Thanks for help.
Regards



2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:9;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 3546
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 1122
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt"; flow:to_server,established; content:"user_name="; fast_pattern:only; http_uri; urilen:4; content:"/cgi"; nocase; http_uri; pcre:"/[?&]user_name=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2020-5722; classtype:web-application-attack; sid:53858; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 202
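
Added example (not part of the original post and not OPNsense or Suricata code): a small Python triage of rule-load errors in the format pasted above, pairing each rejected signature with the reason line that follows it so the incompatible rules can be listed by sid. The sample lines are constructed in that format with rule bodies shortened; `triage` and `sids_by_code` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample: same layout as the log pasted above, rule bodies shortened.
SAMPLE_LOG = r'''
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"A"; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; sid:20159; rev:9;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 3546
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"B"; content:"uid="; http_raw_cookie; sid:46825; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 1122
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
2022-10-24T12:42:58 Error suricata [103231] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"C"; content:"/cgi"; http_uri; sid:53858; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 202
'''

SIG_RE = re.compile(r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
ERR_RE = re.compile(r'\[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<reason>.+)')

def triage(log_text):
    """Return one record per rejected rule: sid, file, line, code, reason."""
    records, pending = [], None
    for raw in log_text.splitlines():
        err = ERR_RE.search(raw)
        if not err:
            continue
        sig = SIG_RE.search(raw)
        if sig:
            sid = SID_RE.search(sig['rule'])
            pending = {'sid': int(sid.group(1)) if sid else None,
                       'file': sig['file'], 'line': int(sig['line']),
                       'code': err['code'], 'reason': None}
            records.append(pending)
        elif pending is not None:
            # Assumption: the reason line follows its signature line, as in the paste.
            pending['code'], pending['reason'] = err['code'], err['reason'].strip()
            pending = None
    return records

def sids_by_code(records):
    """Group rejected sids by error code, e.g. to decide which rules to disable."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec['code']].append(rec['sid'])
    return {code: sorted(sids) for code, sids in groups.items()}

if __name__ == '__main__':
    for rec in triage(SAMPLE_LOG):
        print(rec['sid'], rec['code'], rec['reason'] or '(no reason line in log)')
```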

#10
I don't understand the discussion : did you solve the problem?
My firewall's backup 22.1.10 was in nextcloud. By now, I can't have this file: Murphy's law!
What can I do?
thanks
#11
small lan (pcs linuxmint or win, mac, microservers ubuntu/linuxmint - ufw no ipv6, managed switch - no ipv6, wifi) -> firewall (no ipv6 in initial setup) -> box internet provider (no ipv6).

The initial setup was made without ipv6.

No change was made recently (without exception regular update)

If somebody tells me where I can double check the config, I will...

Other facts:

system logfiles backend
2022-08-10T08:16:46   Error   configd.py   [d5095e33-7fea-4571-bb7e-c463be8a315e] Script action failed with Command 'pkg update -q && pkg rquery -U "%n|||%v|||%c|||%sh|||0|||0|||%L|||%R|||%o" ' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 482, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command 'pkg update -q && pkg rquery -U "%n|||%v|||%c|||%sh|||0|||0|||%L|||%R|||%o" ' returned non-zero exit status 1.   
2022-08-10T07:56:30   Error   configd.py   Timeout (120) executing : firmware remote   
2022-08-10T01:50:22   Error   configd.py   [677b51f3-0277-4d8d-a4ce-d568a1b36010] Script action stderr returned "b'pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: No address record\npkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: No address record\npkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz'"

system logfiles general
2022-08-11T00:22:32   Error   opnsense   /usr/local/etc/rc.newwanip: On (IP address: 192.168.2.131) (interface: WAN[wan]) (real interface: igb1).   
2022-08-11T00:22:32   Error   opnsense   /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'   
2022-08-11T00:22:32   Error   dhclient   unknown dhcp option value 0x7d   
2022-08-11T00:19:42   Error   send_heartbeat.py   connection error sending heartbeat to https://opnsense.emergingthreats.net/api/v1/telemetry
#12
Is it normal that I see 22.7.1, 22.7 (installed) in the changelog instead of 22.7_4?
Is it a discrepancy?

Lobby.dashboard
Versions   OPNsense 22.7_4-amd64
FreeBSD 13.1-RELEASE
OpenSSL 1.1.1q 5 Jul 2022
Updates   Click to view pending updates.
CPU type   Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (4 cores, 8 threads)
Memory usage  18 % ( 2953/16244 MB )
Disk usage 1% / [ufs] (4.2G/424G)

System:Firmware:status
Type   opnsense   
Version   22.7_4   
Architecture   amd64   
Flavour   OpenSSL   
Commit   909dcabd5   
Mirror   https://pkg.opnsense.org/FreeBSD:13:amd64/22.7   
Repositories   OPNsense, SunnyValley   
Updated on   Wed Aug 10 00:21:08 CEST 2022   
Checked on   Wed Aug 10 10:48:45 CEST 2022

System:Firmware: changelog
Version   Date   
22.7.1   2022-08-09   
22.7 (installed)   2022-07-28   
22.1.10   2022-07-07
#13
other hints:

# /sbin/ping -4 -c '3' 'google.com'
ping: cannot resolve google.com: Host name lookup failure

# /sbin/ping -4 -c '3' 'pkg.opnsense.org'
ping: cannot resolve pkg.opnsense.org: Host name lookup failure

# /sbin/ping -4 -c '3' '89.149.211.205'
PING 89.149.211.205 (89.149.211.205): 56 data bytes

--- 89.149.211.205 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

behind the firewall, ping seems ok

# /sbin/ping -4 -c '3' '192.168.x0.y0y'
PING 192.168.x0.y0y (192.168.x0.y0y): 56 data bytes
64 bytes from 192.168.x0.y0y: icmp_seq=0 ttl=255 time=0.321 ms
64 bytes from 192.168.x0.y0y: icmp_seq=1 ttl=255 time=0.436 ms
64 bytes from 192.168.x0.y0y: icmp_seq=2 ttl=255 time=0.448 ms

--- 192.168.x0.y0y ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.321/0.402/0.448/0.057 ms

inside lan, dmz, ... we can reach everything

#14
same situation as above.
before upgrading everything was ok
please help Mr Franco
thanks a lot for opnsense
best regards


upgraded from 22.1.10 to 22.7
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7_4 (amd64/OpenSSL) at Wed Aug 10 07:54:30 CEST 2022
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: No address record
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: No address record
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.pkg: No address record
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.txz: No address record
Unable to update repository SunnyValley
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.7_4 (amd64/OpenSSL) at Wed Aug 10 08:22:32 CEST 2022
No IPv4 address could be found for host: pkg.opnsense.org
No IPv6 address could be found for host: pkg.opnsense.org
***DONE***

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7_4 (amd64/OpenSSL) at Wed Aug 10 08:23:16 CEST 2022
>>> Check installed kernel version
Version 22.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
SunnyValley
OPNsense
>>> Check installed plugins
os-dnscrypt-proxy 1.12
os-dyndns 1.27_3
os-etpro-telemetry 1.6_1
os-intrusion-detection-content-snort-vrt 1.1_1
os-nextcloud-backup 1.0_1
os-sensei 1.11.4
os-sensei-updater 1.11
os-sunnyvalley 1.2_2
os-wireguard 1.11
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.80 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20200512_1 has no upstream equivalent
Checking packages: .
dnsmasq-2.86_4,1 has no upstream equivalent
Checking packages: .
dpinger-3.2 has no upstream equivalent
Checking packages: .
expiretable-0.6_2 has no upstream equivalent
Checking packages: .
filterlog-0.6 has no upstream equivalent
Checking packages: .
flock-2.37.2 has no upstream equivalent
Checking packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking packages: .
hostapd-2.10_5 has no upstream equivalent
Checking packages: .
ifinfo-13.0 has no upstream equivalent
Checking packages: .
iftop-1.0.p4 has no upstream equivalent
Checking packages: .
isc-dhcp44-relay-4.4.2P1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.2P1_1 has no upstream equivalent
Checking packages: .
lighttpd-1.4.65 has no upstream equivalent
Checking packages: .
monit-5.32.0 has no upstream equivalent
Checking packages: .
mpd5-5.9_9 has no upstream equivalent
Checking packages: .
ntp-4.2.8p15_5 has no upstream equivalent
Checking packages: .
openssh-portable-8.9.p1_4,1 has no upstream equivalent
Checking packages: .
openssl-1.1.1q,1 has no upstream equivalent
Checking packages: .
openvpn-2.5.7 has no upstream equivalent
Checking packages: .
opnsense-22.7_4 has no upstream equivalent
Checking packages: .
opnsense-installer-22.1 has no upstream equivalent
Checking packages: .
opnsense-lang-22.7 has no upstream equivalent
Checking packages: .
opnsense-update-22.7 has no upstream equivalent
Checking packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking packages: .
pftop-0.8 has no upstream equivalent
Checking packages: .
php80-ctype-8.0.20 has no upstream equivalent
Checking packages: .
php80-curl-8.0.20 has no upstream equivalent
Checking packages: .
php80-dom-8.0.20 has no upstream equivalent
Checking packages: .
php80-filter-8.0.20 has no upstream equivalent
Checking packages: .
php80-gettext-8.0.20 has no upstream equivalent
Checking packages: .
php80-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php80-ldap-8.0.20 has no upstream equivalent
Checking packages: .
php80-pdo-8.0.20 has no upstream equivalent
Checking packages: .
php80-pecl-radius-1.4.0b1_2 has no upstream equivalent
Checking packages: .
php80-phalcon-5.0.0.r2 has no upstream equivalent
Checking packages: .
php80-phpseclib-2.0.37 has no upstream equivalent
Checking packages: .
php80-session-8.0.20 has no upstream equivalent
Checking packages: .
php80-simplexml-8.0.20 has no upstream equivalent
Checking packages: .
php80-sockets-8.0.20 has no upstream equivalent
Checking packages: .
php80-sqlite3-8.0.20 has no upstream equivalent
Checking packages: .
php80-xml-8.0.20 has no upstream equivalent
Checking packages: .
php80-zlib-8.0.20 has no upstream equivalent
Checking packages: .
pkg-1.17.5_1 has no upstream equivalent
Checking packages: .
py39-Jinja2-3.0.1 has no upstream equivalent
Checking packages: .
py39-dnspython-2.2.1_1,1 has no upstream equivalent
Checking packages: .
py39-netaddr-0.8.0 has no upstream equivalent
Checking packages: .
py39-requests-2.28.1 has no upstream equivalent
Checking packages: .
py39-sqlite3-3.9.13_7 has no upstream equivalent
Checking packages: .
py39-ujson-5.0.0 has no upstream equivalent
Checking packages: .
py39-vici-5.9.3 has no upstream equivalent
Checking packages: .
radvd-2.19_1 has no upstream equivalent
Checking packages: .
rrdtool-1.7.2_6 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
squid-4.15 has no upstream equivalent
Checking packages: .
strongswan-5.9.6_2 has no upstream equivalent
Checking packages: .
sudo-1.9.11p3 has no upstream equivalent
Checking packages: .
suricata-6.0.6 has no upstream equivalent
Checking packages: .
syslog-ng-3.37.1 has no upstream equivalent
Checking packages: .
unbound-1.16.1 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.10_6 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***