Messages - lorem

#1
I found the solution here and it is the solution.

"Services/DHCPv4/[Interface] allows to specify the DNS server(s) passed to this interface only."

https://forum.opnsense.org/index.php?topic=28387.0
#2
I already have an encrypted DNS service for the non-VPN VLAN so using Mullvad DNS would not improve the situation. I still want all VPN network traffic to only go through the VPN gateway (which is the normal case).

If the VPN network goes down I want to be able to plug a laptop into the non-VPN port and have it work.

I want to know if I am forced to send all networks DNS through either the VPN gateway or not the VPN gateway.
#3
I have been using ChatGPT for two weeks to try to set up my firewall. I am checking if what ChatGPT says is correct.

I want a VLAN going to a WireGuard VPN gateway and a backup VLAN going to the WAN gateway. I want the VPN VLAN traffic to use the VPN tunnel DNS server and the non-VPN VLAN traffic to use Unbound through the WAN. After working with ChatGPT it has come to the conclusion that I have two choices.

1. Use Unbound through the WAN for all DNS requests.

2. Use the VPN DNS server for all DNS requests. Accept the non-VPN LAN would stop working if the VPN went down. This negates the purpose of the backup VLAN.

Is this true or is there a way to get what I want?

#4
General Discussion / Hunting a boot sector malware
November 24, 2025, 10:15:45 PM
I have a Windows host with a malware problem. The malware is installed in the boot sector. The malware "calls home" to enable external exfiltration. I know when the malware is installed because it blue screens the computer often, causing me to reboot often. I suspect that malware gets installed when an unknown file is read. I can remove it by reinstalling the MBR. It gets reinstalled when I browse a certain archive directory. Two malware scanners I tried did not find it.

I want to block outgoing IPs and watch Firewall Live View to see if an unknown IP is calling home, but without allowing it to connect. If that is confirmed I will enable the connection and record packets both ways with Wireshark.

For the first step I want normal network functions to work such as DNS, but block everything else.

My first rule is: Allow, DMZ net, *, DMZ address, 53(DNS)
My second rule is: Block, DMZ net, *, *, *

This seems to work. Any comments?
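The two rules in the post are evaluated first-match, so their order is what makes the DNS exception work. The following added example (not from the post or from OPNsense) models that evaluation in Python so the rule pair can be checked against sample flows before it is trusted on a live interface. The DMZ subnet, the firewall's DMZ address and the flow addresses are assumed documentation-range values, not taken from the post.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for the example: the DMZ subnet and the firewall's own DMZ address.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
DMZ_ADDRESS = ipaddress.ip_address("192.0.2.1")

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "block"
    src: object        # ip_network, or "*" for any source
    dst: object        # ip_address / ip_network, or "*" for any destination
    dport: object      # destination port as int, or "*"
    proto: str = "*"   # "tcp", "udp", or "*"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def _match_addr(pattern, addr):
    if pattern == "*":
        return True
    a = ipaddress.ip_address(addr)
    if isinstance(pattern, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return a in pattern
    return a == pattern

def matches(rule, flow):
    return (_match_addr(rule.src, flow.src)
            and _match_addr(rule.dst, flow.dst)
            and (rule.dport == "*" or rule.dport == flow.dport)
            and (rule.proto == "*" or rule.proto == flow.proto))

def evaluate(rules, flow, default="block"):
    """First matching rule wins (OPNsense rules are 'quick' by default);
    a flow that matches nothing falls through to the default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default

# The two rules from the post, in the order given there.
RULES = [
    Rule("allow", DMZ_NET, DMZ_ADDRESS, 53),   # Allow, DMZ net, *, DMZ address, 53(DNS)
    Rule("block", DMZ_NET, "*", "*"),          # Block, DMZ net, *, *, *
]

# Constructed sample flows from a host on the DMZ.
SAMPLE_FLOWS = [
    Flow("192.0.2.50", "192.0.2.1", 53, "udp"),       # DNS to the firewall's resolver
    Flow("192.0.2.50", "198.51.100.10", 53, "udp"),   # DNS to an outside resolver
    Flow("192.0.2.50", "198.51.100.10", 443, "tcp"),  # an outbound HTTPS attempt
]

def evaluate_all(rules, flows):
    return [evaluate(rules, f) for f in flows]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate_all(RULES, SAMPLE_FLOWS)):
        print(f"{flow.proto}/{flow.dport} {flow.src} -> {flow.dst}: {verdict}")
```

Swapping the two rules makes the block rule match first and the DNS exception is never reached, which the model shows as well. Two practical notes: the block rule only appears in Firewall: Log Files: Live View if logging is enabled on that rule, and the allow rule permits DNS to the firewall's own DMZ address only, so a host configured to use any other resolver will show up as blocked DNS rather than as the call-home you are looking for.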
#5
I checked Opnsense: Services: ISC DHCPv4: Leases. All the status symbols are green except for the router. I can log into the router UI, but what does the red status color mean?
#6
I solved it by doing "Reset Zenarmor to factory defaults," then stepping through and restoring the Policies settings and repeatedly testing. I block everything except what is needed for network functions and my VPN traffic. This time there was only HTTP and HTTPS that recorded as blocked. The phone OS was calling home so I unblocked HTTPS. None of the previous network blocking reoccurred. It is working OK now.

To answer your question I assume you mean the Live Session, Blocks tab, the "Block message" column. I've attached screenshots of the Blocks and Connections tabs during that time.
#7
Setting Deployment mode to Passive Mode changes nothing. How is this possible in passive mode? Is something else the real problem?
#8
This is for a new install with updates. The LAN and DMZ are configured. A PC connected to the LAN is never interrupted. An Android connected to the WiFi router connected to DMZ is getting blocked after a random delay. In Zenarmor->Live Sessions->Blocks tab, the application protocols such as DHCP, QUIP, NTP are showing rejected. But these are allowed in policies. Often the Android is still on the internet without apparent interruption for about 10 - 30 minutes, generating random rejected reports in the Blocks tab. Then it is suddenly totally blocked. If I set Bypass mode it is always suddenly back online with no interruptions.
#9
[SOLVED] Suricata is still up and reporting no problems. WiFi dongle was disabled in main section Interfaces and the fix was to disable it in Services -> Intrusion Detection -> Administration -> interfaces.
#10
Thank you, that is very likely the solution. In Intrusion Detection: Administration -> Interfaces I will uncheck the OPT1 (WiFi) option when I disable WiFi next time and verify that Suricata does not quit.

I will test this later because in the past I have had to reboot the system to get the USB WiFi to work again. I will post a result in a few days.
#11
This was solved by plugging the USB WiFi in and enabling it in Interfaces. It was previously disabled there and removed. I want to do that during long periods when it is not in use to decrease the firewall attack surface, and while keeping Suricata running.
#12
I originally installed Suricata and I often checked to see if there were any results and it was always running. Now I just noticed it had crashed a month ago. One thing I saw in the log was it ran out of memory.

To solve this I just upgraded from 2GB to 8GB. Then I did a complete upgrade to OPNsense v24.1.4 and Suricata 7.0.4.

It still crashes but without the memory issue. Under Interfaces -> WAN the MTU is 1500. I do not know what "HW rings count" is.

2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- Engine initialization failed, aborting...
2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- thread "W#01-run0_wlan1" failed to initialize: flags 0145
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1^
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1^ failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "tls", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "http", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)
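The log excerpt above has the answer buried in repetition: every "Device not configured" error names the same interface. The added example below (my code, not part of the post or of Suricata) parses OPNsense's Suricata log lines, counts capture failures per interface, records when each interface was first mentioned, and reports whether the engine aborted. The sample input is the excerpt copied from the post; the line format regex assumes the "timestamp level suricata [pid] <Level> -- message" layout shown there.

```python
import re
from collections import Counter

# Log lines copied from the post above.
SAMPLE_LOG = """\
2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- Engine initialization failed, aborting...
2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- thread "W#01-run0_wlan1" failed to initialize: flags 0145
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1^
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1^ failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "tls", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "http", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)
"""

# "<timestamp> <level> suricata [<pid>] <Level> -- <message>" (assumed from the excerpt).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+suricata\s+\[(?P<pid>\d+)\]\s+<\w+>\s+--\s+(?P<msg>.*)$"
)
# FreeBSD-style interface names: igb0, em1, run0_wlan1, ...
IFACE_RE = re.compile(r"\b[a-z]+\d+(?:_[a-z]+\d+)?\b")
# Messages meaning Suricata could not open a capture interface at all.
CAPTURE_FAILURE = ("Device not configured", "cannot access network interface")

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Per interface: number of capture-failure errors and first timestamp seen;
    plus whether the engine gave up. Timestamps are compared as strings, which
    works because they share one format and UTC offset."""
    errors = Counter()
    first_seen = {}
    aborted = False
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if "Engine initialization failed" in rec["msg"]:
            aborted = True
        ifaces = set(IFACE_RE.findall(rec["msg"]))
        for iface in ifaces:
            first_seen[iface] = min(first_seen.get(iface, rec["ts"]), rec["ts"])
        if rec["level"] == "Error" and any(s in rec["msg"] for s in CAPTURE_FAILURE):
            for iface in ifaces:
                errors[iface] += 1
    return {"aborted": aborted, "errors": dict(errors), "first_seen": first_seen}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On this excerpt the only failing interface is run0_wlan1, the USB WiFi adapter, and the MTU warnings a few minutes earlier are the first sign of the same problem. That matches the fix recorded in the later posts on this page: an interface that is disabled or unplugged must also be unticked under Intrusion Detection -> Administration -> Interfaces, otherwise Suricata aborts and IDS coverage on every other interface is lost with it.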
#13
bartjsmit,
My mistake, it is the same MAC, but with 2 IP addresses assigned. The 2 IP addresses on the one MAC are xxx.xxx.0.1 and xxx.xxx.0.3

I previously did packet capture on OPNsense to log 260,000 LAN packets. For the first IP there are 2 round trips between xxx.xxx.0.1 and the firewall. They are DHCP Request and DHCP ACK. They are separated by exactly 1 hour.

The other IP xxx.xxx.0.3 is 253,756 packets, which I assume is user client data.

I assume this is all normal?

Meyergru, thank you for that info.
#14
I'm a new user of Protectli with OPNsense. I've been a Linux "user" for 20 years, but now I am learning networking. My setup is simple.
[Linux -> VPN] box -> Switch -> Firewall -> Modem -> Internet

My question is about the ARP table in OPNsense. I am looking around making sure there is nothing extra that shouldn't be there. There are six entries in the ARP table. Do I understand this right:

2 MACs for Linux box
1 MAC for the switch
2 MACs for firewall: WAN and LAN
1 MAC for modem

Wait what? Why does the Linux box Ethernet card have two MACs? There is only one cable connection.
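For the ARP table question in post #14 and the same-MAC-two-IPs observation in post #13, the following added example (my code, not from the posts or from OPNsense) parses `arp -an` output in the FreeBSD/OPNsense format, groups entries by MAC so a single NIC holding several addresses stands out, and diffs two snapshots taken at different times so an IP that suddenly answers from a different MAC, or a host that was not there before, is reported. The two snapshots, their addresses, MACs and interface names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed `arp -an` output; addresses, MACs and interface names are made up.
SNAPSHOT_1 = """\
? (192.168.0.1) at 00:11:22:33:44:55 on igb1 expires in 1178 seconds [ethernet]
? (192.168.0.3) at 00:11:22:33:44:55 on igb1 expires in 1190 seconds [ethernet]
? (192.168.0.2) at 00:11:22:33:44:66 on igb1 expires in 600 seconds [ethernet]
? (192.168.0.254) at 00:11:22:33:44:77 on igb1 permanent [ethernet]
? (203.0.113.1) at 00:aa:bb:cc:dd:ee on igb0 expires in 900 seconds [ethernet]
"""
# A later constructed snapshot: one IP now answers from a different MAC and a new host appeared.
SNAPSHOT_2 = """\
? (192.168.0.1) at 00:11:22:33:44:55 on igb1 expires in 1100 seconds [ethernet]
? (192.168.0.3) at 00:11:22:33:44:55 on igb1 expires in 1150 seconds [ethernet]
? (192.168.0.2) at 00:de:ad:be:ef:01 on igb1 expires in 1199 seconds [ethernet]
? (192.168.0.254) at 00:11:22:33:44:77 on igb1 permanent [ethernet]
? (192.168.0.9) at 00:de:ad:be:ef:02 on igb1 expires in 1200 seconds [ethernet]
? (203.0.113.1) at 00:aa:bb:cc:dd:ee on igb0 expires in 850 seconds [ethernet]
"""

# "? (ip) at mac on iface permanent|expires in N seconds [ethernet]"
ARP_RE = re.compile(
    r"^\S+ \((?P<ip>[^)]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+) "
    r"(?P<state>permanent|expires in \d+ seconds)",
    re.IGNORECASE,
)

def parse_arp(text):
    """Parse `arp -an` output into {ip: {"mac", "iface", "state"}}.
    The kernel keeps one entry per IP, so a dict keyed by IP loses nothing."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m["ip"]] = {"mac": m["mac"].lower(), "iface": m["iface"], "state": m["state"]}
    return table

def macs_with_multiple_ips(table):
    """One MAC holding several IPs (post #13's case): normal for a host with an
    alias or a second address, but worth being able to see at a glance."""
    by_mac = defaultdict(list)
    for ip, e in table.items():
        by_mac[e["mac"]].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def diff_snapshots(old, new):
    """IPs whose MAC changed between snapshots deserve a look (a replaced device,
    or something answering ARP for an address it should not own), as do new hosts."""
    changed = {ip: (old[ip]["mac"], new[ip]["mac"])
               for ip in old.keys() & new.keys() if old[ip]["mac"] != new[ip]["mac"]}
    return {"mac_changed": changed,
            "new_ips": sorted(new.keys() - old.keys()),
            "gone_ips": sorted(old.keys() - new.keys())}

if __name__ == "__main__":
    t1, t2 = parse_arp(SNAPSHOT_1), parse_arp(SNAPSHOT_2)
    print("shared MACs:", macs_with_multiple_ips(t1))
    print("changes:", diff_snapshots(t1, t2))
```

Entries marked "permanent" are the firewall's own interface addresses on FreeBSD, which is why the firewall contributes entries on both its WAN and LAN sides; everything else expires and is re-learned, so a baseline snapshot taken when the network is known-good is the thing to diff against later.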