Messages

1

24.1 Legacy Series / Re: Update with crowdsec Plugin

« on: November 12, 2024, 01:44:15 pm »

Stuck again in update from 24.7.7 to 24.7.8, wish that wait_for_pids function had a timeout. TERM signal doesn't work.

2

24.1 Legacy Series / Re: Update with crowdsec Plugin

« on: November 01, 2024, 03:23:41 am »

yep, crowdsec implementation is the menace of the year and blocking the router for months. blocked upgrades, and even UPS events succesfully.
even in 24.7.7, can't stop it, it also keeps trying its own port which is already reserved by itself every 10sec:

Code: [Select]

local API server stopped with error: listening on 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use
and it does nonstop internet activity during that, fetching from api.crowdsec.net nonstop. hillariously, after killing it, and starting from scratch, it killed the OS:

Code: [Select]

ps aux|grep crowdsec
-
sockstat -sSUivl|grep 8080
-
configctl crowdsec start
OK
root@opnsense:/]$                                                                               
*** FINAL System shutdown message from root@opnsense ***               

System going down IMMEDIATELY

3

24.7 Production Series / Re: WARNING: failed to start ntopng

« on: October 02, 2024, 10:36:10 am »

i found it in their executable (/usr/local/bin/ntopng), should have mentioned their version:
GUI: ntopng Community v.6.2.240925 rev.0 (FreeBSD 14.1)
Plugin: os-ntopng (installed)   1.3
Package: ntopng   6.2.d20240813,1

so that is causing grep, md5, and UTC warnings, while the "Undefined symbol "gpgrt_add_post_log_func"" is related to the installed packages.

4

24.7 Production Series / Re: WARNING: failed to start ntopng

« on: October 02, 2024, 03:06:40 am »

my ntopng starts but it floods the log with the errors because it wants to run md5sum with -q parameter which is not working even on Linux:

Code: [Select]

xargs md5sum | grep `md5sum -q /etc/localtime`
OPNsense 24.7.5_3

5

24.7 Production Series / Re: New dashboard widgets

« on: August 20, 2024, 04:21:15 pm »

I think the old dashboard was more functional, the new one is half baked but slightly more readable. My impression in 24.7.1:
1) like before, very slow, browser will eventually offer to kill the window which i didn't do before
2) no CPU or disk in system information widget (CPU worked, disk shown tooo many rows so it's ok to be replaced with the separate gauge)
3) CPU widget 4 charts, all empty, alternating between nothing and a flat orange line -> i'd prefer the gauge with only "total" info
4) Cannot click on the headers to go to the actual window, it is the nr.1 issue
5) Cannot resize many widgets, there's no chance to make a nice layout with aligned windows
6) settings are gone from most of the windows
7) Services widget is too long, 2 lines per item, it could have just one button on the right
Gateways, Wireguard also too long, either can't resize or not looking good in 2 column mode..some less important information like WG last timestamp or RTT could be compressed (small font, combining into mini table) or removed
9) Interfaces widget too long, should put IP to the right even in column window, this 2-5 line approach sucks

6

Zenarmor (Sensei) / Re: Error about misconfigured interfaces

« on: July 31, 2024, 02:50:35 am »

Hi
actually the dropped packets just disappeared with the new BSD14 kernel. Wireguard is faster.👍
I've Pentium Gold 8505, 12GB RAM, NVME. Few dozen devices. Should be fine for WAN but I don't use it for anything other than firewall contacting DNS. So i need to accomodate both ZenArmor and Wireguard for 2Gb/s line. The VPN speed gets reduced from 2000Mb/s to 1250Mb/s in netmap mode, it's really hard to guess what CPU could handle the full speed, 100% Wireguard. I wish there was a calculator:)

7

Zenarmor (Sensei) / Re: Error about misconfigured interfaces

« on: July 27, 2024, 07:32:11 am »

For more accurate reporting results, it is recommended to use Zenarmor in Directed mode.

Is this theoretically possible to have a hybrid mode, not filtering connection which has high throughput? I have too many dropped packets during downloads (~1gbps), so i stick to passive mode. During that time every component misreports size, and the slow connections which are the most dangerous are skipped.

8

Zenarmor (Sensei) / Re: Error about misconfigured interfaces

« on: May 24, 2024, 11:09:51 pm »

so i investigated how to trigger the message in v1.17.3, here's how:
* configctl zenarmor notice-public-ip-devices
* in browser you do have to refresh the Dashboard view manually
then you get the popup instantly.
now with this procedure, i've checked interfaces, and the popup appears for ANY interface.
-> ignore the popup. just like "local", "remote" hosts, it doesnt' work.

9

General Discussion / Re: Upgrade to -> 22.7 Crowdsec not working.

« on: May 24, 2024, 10:03:54 pm »

thanks, let me reproduce it. initially i watched it for a few months, and then applied script, and now i turn it off to see if it's stil the case.

10

General Discussion / Re: Upgrade to -> 22.7 Crowdsec not working.

« on: May 24, 2024, 05:45:29 am »

If you don't want to reinstall you can remove the machine, remove login and password from /usr/local/etc/crowdsec/local_api_credentials.yaml and restart the services, that should fix it but I have not tried.

this way didn't work, but the removal of db and config folder worked thanks.

this plugin and ntopng are high maintenance, and sort of unreliable. crowdsec GUI also always lies everything is OK. the alias is getting empty, i have a scheduled task to restart crowdsec every few hours. i thought i was out of woods, and stopped the months long stressful watching, but today i noticed the blocklist is again empty. checked the logs, and it didn't load for 2months! i don't know why, but i've also got the same issue here.

11

Zenarmor (Sensei) / Re: Error about misconfigured interfaces

« on: May 24, 2024, 04:53:23 am »

the message pops  up when it accumulates 10000+ devices so need to wait. Running health check on CLI won't make it appear asap.
So it still pops up on the new version. In subscription page, number of devices: 2500. I have only few devices. I track WG marked as WAN (as there's no "VPN" predefined => won't be treated as WAN). One of them is forward for few VPN clients.

12

24.1 Legacy Series / Re: 24.1.2 Wireguard does not work after updating

« on: May 22, 2024, 02:05:22 am »

Yup, after the upgrade DOT DNS couldn't resolve in order to load Wireguard.
I've tried lowering DNSSEC standards and it helped, at least the BOGUS or NXDOMAIN responses lasted "only" 10sec, so the boot was fast, and WG successful.
I will not use IPs. IPs change.
I just hope Adguard will move to the early part of the boot sequence, so I don't need to use Unbound just to satisfy (unreliably) the boot process.

13

Zenarmor (Sensei) / Re: Error about misconfigured interfaces

« on: May 22, 2024, 02:01:42 am »

Can the message mention the interface? I don't know what to do with this message, no clue what could cause it. in ntopng, for example, they would tell me explicitely, and i would see it visually in the GUI, but this message is mysterious and there's no clue in the GUI.

14

General Discussion / Re: Wireguard and local DNS lookup

« on: May 02, 2024, 12:17:46 am »

Late to the party, but I've been working my way thru this issue the last few days.. and finally got it working

now my setup doesn't look ridiculous anymore. That's crazy effort there! You've got 3 machines for 1 task. Why do we have to create these unique patches is what I wonder.

15

Tutorials and FAQs / Re: Automatic config backups using os-api-backup

« on: March 20, 2024, 05:20:46 am »

I'd like config plaintext passwords to be encrypted in file. Configs always end up on more locations, backup sites, where permissions vary.