Messages

As soon as I add the blocked IP to the exclusion it works. Restarting isn't necessary. The problem happens when Google changes the IP or port.

I already did the "Have Feedback" last time and I had several messages back and forth with the support person. The last one he wanted me to make and send Wireshark CAP files. I feel if they really want to debug what is a problem in their software they would do it themselves. This is not a configuration issue on my end, so I stopped at that point.

I am not on the business level subscription with official support, so I hope perhaps I can get more eyes on this issue by posting here. I think that Google Voice is a very popular app should be listed in Policy -> App controls. At the least I want to point out the inconsistency of how categories are processed as I did in my original post above.

Google Voice is occasionally blocked. When I look at Live sessions I see two blocks:

The first Blocked Domain is stun.l.google.com. Block message is Conferencing category
If I allow all of Conferencing category, stun.l.google.com is still blocked

The second Blocked Domain 74.125.39.xxx (xxx = it changes). App protocol is STUN Protocol. Block message is Network Management category
There is no STUN Protocol in Network Management category. In App Controls -> VOIP -> VoIP STUN was already enabled.

I can individually enable these in Live Sessions -> Blocks. But Google occasionally changes a port or address setting and then I silently lose incoming calls until I discover I can't make a call. Besides allowing everything which would defeat the purpose of Zenarmor, I don't see any way to fix this.

I am a novice at setting up a firewall and networking in general, so I am struggling with vocabulary and concepts to communicate about this subject.

I found the solution here and it is the solution.

"Services/DHCPv4/[Interface] allows to specify the DNS server(s) passed to this interface only."

https://forum.opnsense.org/index.php?topic=28387.0

I already have an encrypted DNS service for the non-VPN VLAN so using Mullvad DNS would not improve the situation. I still want all VPN network traffic to only go through the VPN gateway (which is the normal case).

If the VPN network goes down I want to be able to plug a laptop into the non-VPN port and have it work.

I want to know if I am forced to send all networks DNS through either the VPN gateway or not the VPN gateway.

I have been using ChatGPT for two weeks to try to set up my firewall. I am checking if what ChatGPT says is correct.

I want a VLAN going to a wireguard VPN gateway and a backup VLAN going to the WAN gateway. I want the VPN VLAN traffic to use the VPN tunnel DNS server and the non VPN VLAN traffic to use Unbound through the WAN. After working with ChatGPT it has has come to the conclusion that I have two choices.

1. Use Unbound through the WAN for all DNS requests.

2. Use the VPN DNS server for all DNS requests. Accept the non VPN LAN would stop working if the VPN went down. This negates the purpose of the backup VLAN.

Is this true or is there a way to get what I want?

I have a Windows host with a malware problem. The malware is installed in the boot sector. The malware "calls home" to enable external exfiltration. I know when the malware is installed because it blue screens the computer often, causing me to reboot often. I suspect that malware gets installed when an unknown file is read. I can remove it by reinstalling the MBR. It gets reinstalled when I browse a certain archive directory. Two malware scanners I tried did not found it.

I want to block outgoing IPs and watch Firewall Live View to see if an unknown IP is calling home, but without allowing it to connect. If that is confirmed I will enable the connection and record packets both ways with Wireshark.

For the first step I want normal network functions to work such as DNS, but block everything else.

My first rule is: Allow, DMZ net, *, DMZ address, 53(DNS)
My second rules is: Block, DMZ net, *, *, *

This seems to work. Any comments?

I checked Opnsense: Services: ISC DHCPv4: Leases. All the status symbols are green except for the router. I can log into the router UI, But what does the red status color mean?

I solved it by doing "Reset Zenarmor to factory defaults," then stepping through and restoring the Policies settings and repeatedly testing. I block everything except what is needed for network functions and my VPN traffic. This time there was only HTTP and HTTPS that recorded as blocked. The phone OS was calling home so I unblocked HTTPS. None of the previous network blocking reoccurred. It is working OK now.

To answer your question I assume you mean the Live Session, Blocks tab, the "Block message" column. I've attached screenshots of the Blocks and Connections tabs during that time.

Setting Deployment mode to Passive Mode changes nothing. How is this possible in passive mode? Is something else the real problem?

This is for a new install with updates. The LAN and DMZ are configured. A PC connected to the LAN is never interrupted. An Android connected to the WiFi router connected to DMZ is getting blocked after a random delay. In Zenamor->Live Sessions->Blocks tab, the application protocols such as DHCP, QUIP, NTP are showing rejected. But these are allowed in policies. Often the Android is still on the internet without apparent interruption for about 10 - 30 minutes, generating random rejected reports in the Blocks tab. then it is suddenly totally blocked. If I set Bypass mode it is always suddenly is back online with no interruptions.

[SOLVED] Suricata is still up and reporting no problems. WiFi  dongle was disabled in main section Interfaces and the fix was to disable it in Services -> Intrusion Detection -> Administration -> interfaces.

Thank you, that is very likely the solution. In Intrusion Detection: Administration -> Interfaces I will uncheck the OPT1 (WiFi) option when I disable WiFi next time and verify that Suricata does not quit.

I will test this later because in the past I have had to reboot the system to get the USB WiFi to work again. I will post a result in a few days.

This was solved by plugging the USB WiFi in and enabling it in Interfaces. It was previously disabled in and removed. I want to do that during long periods when it is not in use to decrease the firewall attack surface, and while keeping Suricata running.

I originally installed Suricata and I often checked to see if there were any results and it was always running. Now I just noticed it had crashed a month ago. One thing I saw in the log was it ran out of memory.

To solve this I just upgraded from 2GB to 8GB. Then I did a complete upgrade to OPNsense v24.1.4 and Suricata 7.0.4.

It still crashes but without the memory issue. Under Interfaces -> WAN the MTU is 1500. I do not know what "HW rings count" is.

Code Select Expand

2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- Engine initialization failed, aborting...
2024-03-24T18:59:36-07:00 Error suricata [100993] <Error> -- thread "W#01-run0_wlan1" failed to initialize: flags 0145
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1^
2024-03-24T18:59:35-07:00 Error suricata [101441] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1^ failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: cannot access network interface: run0_wlan1
2024-03-24T18:59:35-07:00 Error suricata [101439] <Error> -- run0_wlan1: failed to get device flags: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- run0_wlan1: unable to get device caps: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:59:35-07:00 Error suricata [100993] <Error> -- Query of netmap HW rings count on run0_wlan1 failed; error: Device not configured
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "tls", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100993] <Warning> -- Found deprecated eve-log.alert flag "http", this flag has no effect
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)
2024-03-24T18:55:45-07:00 Warning suricata [100176] <Warning> -- Failure when trying to get MTU via ioctl for 'run0_wlan1': Device not configured (6)