Messages - colotroy

#1
Ok, I figured it out. There was a "firewallservices/pf-scan-multi_ports" Reason in CrowdSec that made a decision to ban my phone. I think this was from a UniFi tool I use to scan the network to identify devices on the network. I figured out that I can remove that decision, and all is right with the world with my phone, with the CrowdSec setting Enable Remediation Component (IPS) on.

Learned a lot...
#2
Ok, I figured out how to turn on the verbose logging and see it in the firewall logs, but I'm still not sure what's triggering CrowdSec to block my phone all of a sudden. How do I track this down? The problem is once CrowdSec blocks it, it blocks EVERYTHING from my phone. I can't tell what the trigger for this is.
#3
This afternoon when my phone would connect to my Wi-Fi it would get the "connected without internet" message. After some debugging, it couldn't get to the gateway. I could ping the phone from any server and ping any server on my local network, but not the gateway. Other devices on the same Wi-Fi access point could ping the gateway and get to the internet just fine.

I finally rebooted the OPNsense router and the pings started working from the phone seconds after the reboot started, then would stop during the actual reboot, and pings would work after the reboot for about a minute then stop again. Ok, something on the router was blocking, so I got in on the console, and when I enter reboot one of the first services to stop is CrowdSec, and when it stopped the pings started to work. Same on boot up: one of the last services to start is CrowdSec, and a couple of seconds later the pings on my phone stopped working.

Ok, I got into CrowdSec and clicked off the Enable Remediation Component (IPS) setting and my phone works now. If I check it, my phone is blocked in a few seconds.

My question is, why would that block my phone, and is there a log I can see to find what's up? I can't find one.

Thanks!

Current CrowdSec settings in attachment.
#4
Aha! The mystery 1.1.1.1 traffic is coming from a UniFi Dream Router I've been playing with. I don't like the darn thing; the software hides too much and doesn't let you customize it like I want. This is a good example of hiding things... It seems like it's using a ping to 1.1.1.1 to see if it has internet connectivity. If I make a rule to block LAN 1.1.1.1 ICMP then it thinks it's lost its internet connection. I had a pass rule that I thought would have shown me that, but it didn't... I'm still getting used to the OPNsense rules, so I must have messed up the pass rule... anyway, mystery solved.

I've been chasing down the WAN DNS because I'm trying to push everything through my Pi-hole and Unbound DNS. I'm trying to block, unsuccessfully, ads with my Google TVs and Chromecast. I read that Chromecast hard codes DNS to the Google DNS servers, so I'm trying to route that to Pi-hole, but the mystery WAN traffic to 8.8.8.8 and 1.1.1.1 was driving me crazy. By the way, this hasn't helped. If anyone knows how to get rid of YouTube ads with FW rules or Pi-hole regex rules, let me know! Ads suck!
#5
Thanks for the input. I'm trying to port forward to my Pi-hole too... I may have messed up something here...
Interface - LAN
TCP/IP - IPv4
Protocol - UDP/TCP
Destination - GoogleDNS (alias for 8.8.8.8, 8.8.4.4, 1.1.1.1) I added the Cloudflare addr for a test.
Destination Port - DNS
Redirect target IP - PiHole (alias for pihole 10.0.0.48)
Redirect port - DNS
Description - Redirect GoogleDNS to Pihole
All the rest are defaults...

Also, the interesting thing is I'm not seeing any 1.1.1.1 traffic on the LAN, but I'm also over my head with Wireshark....
#6
Ok, I'm new to OPNsense, but this is driving me crazy... yup, short drive...

In the firewall logs I see some things I don't understand. I see 1.1.1.1:53 out of the WAN when I'm using Unbound DNS and am not using 1.1.1.1; I'm using 1.1.1.2:853.

   WAN      2023-04-26T15:53:15-06:00   192.168.1.97:46081   1.1.1.1:53   udp   let out anything from firewall host itself (force gw)

I don't have anything in the General DNS settings under System>Settings>General under DNS servers; all DNS Server entries are blank.

I'm using Pi-hole, and it's 10.0.0.48 on a 10.0.0.0/24 pointed at the OPNsense router for DNS.

I don't seem to be able to set a rule to stop WAN outbound :53 traffic because I can't set a rule above the auto-generated rules, and the auto-generated "let out anything from firewall host itself" rule lets everything out.

I've tried setting a rule on the LAN interface (to see if this is coming from LAN and being forwarded through the router; I'm only using WAN and LAN now) to PASS or BLOCK 1.1.1.1, but it doesn't seem to catch anything, so I think this must be coming from the router??

I'm also seeing 8.8.8.8 ICMP, and I don't understand where that's coming from. I checked System>Gateways and all have Disable Gateway Monitoring checked.
   WAN      2023-04-26T16:02:02-06:00   192.168.1.97   8.8.8.8   icmp   let out anything from firewall host itself (force gw)

I'll add that I have Zenarmor (LAN), Intrusion Detection (WAN), and CrowdSec enabled.

Where the heck is the WAN 1.1.1.1:53 and 8.8.8.8 ICMP traffic coming from? How do I figure that out?

Also, is there a way to move a rule before the automatically generated rules that I'm too dim to figure out?

Thanks!
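As an added example (not from the thread, and not OPNsense code), here is a small Python script that triages firewall log lines of the shape quoted in the post above and splits them into traffic the firewall host sent itself versus traffic forwarded for LAN clients, which is the question the post is asking. The first two sample lines mirror the quoted ones; the extra LAN lines, their rule labels, and the LAN range 10.0.0.0/24 are constructed for illustration, and the classification keys on the automatic "let out anything from firewall host itself" rule label rather than on the source address.

```python
"""Triage OPNsense-style firewall log lines: who is talking to 1.1.1.1:53 and 8.8.8.8?

Added example, not code from the forum thread or from OPNsense. It reads the
six-column shape quoted in the post (interface, timestamp, source,
destination, protocol, rule label) and separates flows the firewall host
generated itself from flows forwarded for LAN clients.
"""
import ipaddress
from collections import Counter

# Label OPNsense puts on its automatic outbound rule (quoted in the post).
FIREWALL_SELF_LABEL = "let out anything from firewall host itself"

# Constructed sample log. The first two lines mirror the post's quoted entries;
# the LAN lines and their rule labels are assumptions for illustration.
SAMPLE_LOG = """\
WAN  2023-04-26T15:53:15-06:00  192.168.1.97:46081  1.1.1.1:53  udp  let out anything from firewall host itself (force gw)
WAN  2023-04-26T16:02:02-06:00  192.168.1.97  8.8.8.8  icmp  let out anything from firewall host itself (force gw)
LAN  2023-04-26T16:02:05-06:00  10.0.0.23:51234  8.8.8.8:53  udp  Redirect GoogleDNS to Pihole
WAN  2023-04-26T16:02:06-06:00  192.168.1.97:40001  1.1.1.2:853  tcp  let out anything from firewall host itself (force gw)
LAN  2023-04-26T16:02:07-06:00  10.0.0.40  1.1.1.1  icmp  Default allow LAN to any rule
"""


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); ICMP entries carry no port.

    Assumes IPv4 (a single colon). IPv6 endpoints would need bracket handling.
    """
    if endpoint.count(":") == 1:
        addr, port = endpoint.split(":")
        return addr, int(port)
    return endpoint, None


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected shape."""
    parts = line.split(None, 5)  # the rule label may contain spaces, so cap at 6 fields
    if len(parts) != 6:
        return None
    iface, ts, src, dst, proto, label = parts
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return {"iface": iface, "ts": ts, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto.lower(),
            "label": label}


def origin(entry, lan_net):
    """Classify who generated the packet: the firewall itself, a LAN client, or other.

    The rule label is used rather than the source address: the automatic
    "firewall host itself" rule only matches traffic the router originates,
    whereas (assumption) forwarded LAN traffic can also show the WAN address
    once outbound NAT has been applied.
    """
    if FIREWALL_SELF_LABEL in entry["label"]:
        return "firewall-self"
    if ipaddress.ip_address(entry["src_ip"]) in lan_net:
        return "lan-forwarded"
    return "other"


def summarize(log_text, lan_net="10.0.0.0/24"):
    """Count flows keyed by (origin, dst_ip, dst_port, proto)."""
    net = ipaddress.ip_network(lan_net)
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        counts[(origin(entry, net), entry["dst_ip"],
                entry["dst_port"], entry["proto"])] += 1
    return counts


def firewall_self_dns_and_icmp(log_text, lan_net="10.0.0.0/24"):
    """The 'mystery' flows: port-53 or ICMP traffic the firewall host sent itself.

    Anything listed here was tagged by the router's own outbound rule, so the
    place to look is a service on the router (DNS forwarder, gateway monitor,
    a plugin), not a LAN client.
    """
    rows = [(dst, port, proto, n)
            for (who, dst, port, proto), n in summarize(log_text, lan_net).items()
            if who == "firewall-self" and (port == 53 or proto == "icmp")]
    return sorted(rows, key=lambda r: (r[0], r[2], r[1] if r[1] is not None else -1))


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(n, *key)
    print("firewall-self DNS/ICMP:", firewall_self_dns_and_icmp(SAMPLE_LOG))
```

Run against an exported firewall log instead of SAMPLE_LOG, the "lan-forwarded" bucket is where a LAN device pinging 1.1.1.1 (as the UniFi router turned out to be doing) shows up, while the "firewall-self" bucket isolates what the router itself is sending and is the list to check against Unbound's and any plugin's upstream settings.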