Messages

1

24.1 Legacy Series / Lease status - red, green meaning?

« on: August 05, 2024, 02:24:44 am »

I checked Opnsense: Services: ISC DHCPv4: Leases. All the status symbols are green except for the router. I can log into the router UI, But what does the red status color mean?

2

Zenarmor (Sensei) / Re: Zenarmor blocking VLAN randomly

« on: May 21, 2024, 01:47:43 pm »

I solved it by doing "Reset Zenarmor to factory defaults," then stepping through and restoring the Policies settings and repeatedly testing. I block everything except what is needed for network functions and my VPN traffic. This time there was only HTTP and HTTPS that recorded as blocked. The phone OS was calling home so I unblocked HTTPS. None of the previous network blocking reoccurred. It is working OK now.

To answer your question I assume you mean the Live Session, Blocks tab, the "Block message" column. I've attached screenshots of the Blocks and Connections tabs during that time.

3

Zenarmor (Sensei) / Re: Zenarmor blocking VLAN randomly

« on: May 21, 2024, 04:57:40 am »

Setting Deployment mode to Passive Mode changes nothing. How is this possible in passive mode? Is something else the real problem?

4

Zenarmor (Sensei) / Zenarmor blocking VLAN randomly

« on: May 21, 2024, 02:56:35 am »

This is for a new install with updates. The LAN and DMZ are configured. A PC connected to the LAN is never interrupted. An Android connected to the WiFi router connected to DMZ is getting blocked after a random delay. In Zenamor->Live Sessions->Blocks tab, the application protocols such as DHCP, QUIP, NTP are showing rejected. But these are allowed in policies. Often the Android is still on the internet without apparent interruption for about 10 - 30 minutes, generating random rejected reports in the Blocks tab. then it is suddenly totally blocked. If I set Bypass mode it is always suddenly is back online with no interruptions.

5

Intrusion Detection and Prevention / Re: Suricata worked for months but now crashes 4 minutes after startup

« on: March 29, 2024, 04:05:55 am »

[SOLVED] Suricata is still up and reporting no problems. WiFi  dongle was disabled in main section Interfaces and the fix was to disable it in Services -> Intrusion Detection -> Administration -> interfaces.

6

Intrusion Detection and Prevention / Re: Suricata worked for months but now crashes 4 minutes after startup

« on: March 26, 2024, 03:15:31 am »

Thank you, that is very likely the solution. In Intrusion Detection: Administration -> Interfaces I will uncheck the OPT1 (WiFi) option when I disable WiFi next time and verify that Suricata does not quit.

I will test this later because in the past I have had to reboot the system to get the USB WiFi to work again. I will post a result in a few days.

7

Intrusion Detection and Prevention / Re: Suricata worked for months but now crashes 4 minutes after startup

« on: March 25, 2024, 03:54:15 am »

This was solved by plugging the USB WiFi in and enabling it in Interfaces. It was previously disabled in and removed. I want to do that during long periods when it is not in use to decrease the firewall attack surface, and while keeping Suricata running.

8

Intrusion Detection and Prevention / Suricata worked for months but now crashes 4 minutes after startup [SOLVED]

« on: March 25, 2024, 03:29:21 am »

I originally installed Suricata and I often checked to see if there were any results and it was always running. Now I just noticed it had crashed a month ago. One thing I saw in the log was it ran out of memory.

To solve this I just upgraded from 2GB to 8GB. Then I did a complete upgrade to OPNsense v24.1.4 and Suricata 7.0.4.

It still crashes but without the memory issue. Under Interfaces -> WAN the MTU is 1500. I do not know what "HW rings count" is.

Code: [Select]

2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- Engine initialization failed, aborting...
2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- thread "W#01-run0_wlan1" failed to initialize: flags 0145
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1^
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1^ failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "tls", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "http", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)

9

General Discussion / Re: Why does my Ethernet card have 2 MACs?

« on: August 07, 2023, 08:05:00 am »

bartjsmit,
My mistake, it is the same MAC, but with 2 IP addresses assigned. The 2 IP addresses on the one MAC are xxx.xxx.0.1 and xxx.xxx.0.3

I previously did packet capture on OPNsense to log 260,000 LAN packets. For the first IP there are 2 round trips between xxx.xxx.0.1 and the firewall. They are DHCP Request and DHCP ACK. They are separated by exactly 1 hour.

The other IP xxx.xxx.0.3 is 253,756 packets, which I assume is user client data.

I assume this is all normal?

Meyergru, thank you for that info.

10

General Discussion / Why does my Ethernet card have 2 MACs?

« on: August 07, 2023, 07:27:31 am »

I'm a new user of Protecti with OPNsense. I've been a Linux "user" for 20 years, but now I am learning networking. My setup is simple.
[Linux -> VPN] box -> Switch -> Firewall -> Modem -> Internet

My question is about the ARP table in OPNsense. I am looking around making sure there is nothing extra that shouldn't be there. There six entries in the ARP table. Do I understand this right:

2 MACs for Linux box
1 MAC for the switch
2 MACs for fire wall: WAN and LAN
1 MAC for modem

Wait what? Why does the Linux box Ethernet card have two MACs? There is only one cable connection.