Messages - vk2him

#1
Q-Feeds (Threat intelligence) / Re: Bigcommerce problem
November 15, 2025, 03:24:31 AM
I just tested with Wireguard and it does block if you add the Wireguard interface into the two Qfeeds floating rules:

It blocked a known malicious IP on my LAN and Wireguard interfaces:

#2
Q-Feeds (Threat intelligence) / Re: Bigcommerce problem
November 15, 2025, 02:42:42 AM
Quote from: passeri on November 14, 2025, 12:57:25 AM
If I install a VPN on her machine she will probably wind up leaving it on, bypassing Qfeeds

I thought Qfeeds would filter the VPN (if you added within the floating rule) the interface list that currently has WAN?

#3
I've noticed that viewing the Events page is starting to take a while before the page is filled as my log file must be getting larger every day. I understand that the log file is cleared after a reboot which then allows the Events to display quickly, until it again gets larger.

Which logfile is Qfeeds using to populate the Events page?
#4
Quote from: Q-Feeds on November 08, 2025, 02:21:03 PM
Sorry didn't check that thoroughly. Seems that somehow your filter_*.log got corrupted. Did you have any system crashes, disk full, or power loss events lately? I think it's best to log a bug report on the GitHub plugin repository: https://github.com/opnsense/plugins/issues

No crashes, disk full or power loss - all running fine. I restarted the host that OPNsense is running on and it's now working. Strange that it was working during the day, then overnight the log somehow was corrupted. I'll keep an eye on it.

How frequently is the widget "Blocked" number updated?
#5

Quote from: Q-Feeds on November 08, 2025, 09:41:38 AM
That's very interesting, but we're glad that issue is solved now. Now regarding the events tab, that's an interesting find as well. Just to be sure, you haven't disabled logging on the rules? And you do see blocks in the dashboard widget?

Does this command dump logs? "/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs"

The rules have the logging enabled - I shared a screenshot in my previous reply of the live logs showing my test was blocked. Yes the dashboard widget shows a large blocked number.

The command gives an error:

root@OPNsense:~ # /usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py", line 50, in <module>
    for msg in getattr(actions, action)():
  File "/usr/local/opnsense/scripts/qfeeds/lib/__init__.py", line 187, in logs
    yield ujson.dumps({'rows': PFLogCrawler(feeds).find()})
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opnsense/scripts/qfeeds/lib/log.py", line 75, in find
    result.append(self._parse_log_line(line))
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opnsense/scripts/qfeeds/lib/log.py", line 64, in _parse_log_line
    return [parts[1], fw_line[4], fw_line[7]] + [x for x in fw_line if is_ip_address(x)]
                      ~~~~~~~^^^
IndexError: list index out of range

Thanks
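The IndexError in that traceback is what happens when a parser indexes fixed positions in a filter log line that is shorter than expected (a truncated or corrupted line). As an added illustration, not the plugin's own code, here is a parser in the same indexing style next to a hardened version that skips malformed lines and counts them; the log layout, the field positions and the sample lines are assumed/constructed from OPNsense's filterlog format.

```python
import ipaddress

# Constructed sample in an OPNsense filterlog-like layout (an assumption, not the real
# qfeeds format): "<timestamp> filterlog[<pid>]: <csv>", CSV fields being
# rulenr,subrulenr,anchor,label,interface,reason,action,dir,ipversion,... then src/dst.
SAMPLE_LOG = """\
2025-11-08T09:40:01 filterlog[12345]: 80,,,abc123,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.168.1.10,51234,443
2025-11-08T09:40:02 filterlog[12345]: 80,,,abc123,wg0,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,198.51.100.7,10.10.0.2,5353,5353
2025-11-08T09:40:03 filterlog[12345]: 80,,,abc
2025-11-08T09:40:04 filterlog[12345]:
"""

MIN_FIELDS = 9  # everything up to and including ipversion must be present


def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_log_line_fragile(line):
    """Same indexing pattern as the traceback: assumes every line is complete."""
    parts = line.split(" ", 2)
    fw_line = parts[2].split(",")
    return [parts[0], fw_line[4], fw_line[7]] + [x for x in fw_line if is_ip_address(x)]


def parse_log_line(line):
    """Hardened: returns None for a malformed line instead of raising IndexError."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    fw_line = parts[2].split(",")
    if len(fw_line) < MIN_FIELDS:
        return None
    addrs = [x for x in fw_line if is_ip_address(x)]
    if len(addrs) < 2:  # need at least src and dst to build an event row
        return None
    return {"time": parts[0], "interface": fw_line[4], "direction": fw_line[7],
            "src": addrs[0], "dst": addrs[1]}


def find(text):
    """Parse every line; one bad line no longer empties the whole Events page."""
    rows, skipped = [], 0
    for line in text.splitlines():
        row = parse_log_line(line)
        if row is None:
            skipped += 1  # worth logging in a real implementation
        else:
            rows.append(row)
    return rows, skipped
```

A non-zero skipped count after a crash, full disk or power loss is the signal to inspect the filter log rather than a reason to show an empty Events page.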
#6
Quote from: Q-Feeds on November 08, 2025, 12:51:21 AM
Dear vk2him,

Thank you for your great feedback and suggestions!

• Thanks, fixed it right away!
• I had a look at the reports but unfortunately couldn't reproduce this either. In our backend, which contains over 80 million IOCs, this domain doesn't exist; I also couldn't find it in the OSINT or Premium feeds. If you download the list directly in your browser, do you see the domain then? And/or is there anyone else on this forum who experiences connection issues with pvoutput.org? Obviously I'm using all of our blocklists but I can connect without any issues.
• Thanks for pointing out the encoding issue, it's been fixed.
• Good idea, you can now reopen cases and also edit your initial submissions.
• The IPv6 issue is solved now. We'll reconsider the scan limits later, but for now, while we're monitoring infrastructure load, you can scan multiple IPs once per week. The allowed IPs are based on where you've connected from (via TIP login or API calls), to help prevent abuse.
• We've added direct links to the Logs and API Keys sections, great suggestion! For the Available Feeds section, we'll add a link once some new planned pages are ready.

Unfortunately, I can't assist directly with Monit configuration, but maybe someone else in the community can share some insights.

Kind regards,

David

Thanks for the reply and fixing the items I pointed out.

Regarding pvoutput.org - today I am able to connect to it, and I wasn't able to find it on the list after I downloaded it, so that's strange.

Anyway, I'm seeing something strange at the moment - my Events tab isn't showing anything and it was yesterday.

I tried browsing to a site that is in the IP filter table and the live logs show Qfeeds blocked it, however the Events tab is blank? I tried this yesterday and it appeared in live logs and the Events tab?


#7
I've tested this today in my home and it seems to be working ok - here's some feedback

• The main website https://qfeeds.com/ has a typo in this section .. "We offers detection and response services against phishing .." the word "offers" should be "offer"
• I added the Blocklist "https://api.qfeeds.com/api?feed_type=malware_domains&api" into Adguard Home and it was working fine, however it blocked the solar monitoring website https://pvoutput.org
  I made a false positive report advising that I was using the malware domains list in AdGuard Home, and Support closed it saying it's not on the list. I double checked I set it correctly, which I had, and submitted another false positive report. Support closed it again and wrote back saying it must be an issue on my end as pvoutput.org isn't on your IP list and not in your Domains lists and to try force reloading the list. I logged another false positive after I disabled all the other AGH blocklists and force reloaded the qfeeds malware list. I also pointed out that the issue is with the blocklist in Adguard Home which is using MALWARE Domains and that if I create a whitelist in AGH for pvoutput.org, I can access it, and I was able to access it until I loaded the Qfeeds blocklist - I'm still awaiting a reply
• When logging the false positive reports, I noticed that if I entered a single quote ' in my report, for example won't, after I saved the report it displayed the HTML number &#039; instead: won&#039;t
• It would be good if a false positive report could be added to/reopened rather than needing to keep adding a new report, as I had to keep repeating all the information from the previous ones that were (incorrectly) closed
• I was considering a Plus subscription, however Patrick reported that the scanner isn't working properly, so we need to wait a week to try again as we can only test one IP per week - can this be relaxed until you fix the issue with the scanner?
• In the TIP dashboard, it would be great if clicking on the panels My API Keys, Available Feeds and My API Calls were hyperlinks to those sections

Edited to add

• How can I enable Monit to monitor Qfeeds?

Many thanks
#8
Quote from: turipriv on July 25, 2025, 03:36:28 PM
Quote from: vk2him on July 24, 2025, 11:20:27 AM
My Protectli NUC upgraded with no issues - I have os-cpu-microcode-intel installed

What model do you have? I have a VP2420 and plan to upgrade during the weekend.

Sorry for the delay in replying - I have a VP2410, so the older version of the one you have
#9
My Protectli NUC upgraded with no issues - I have os-cpu-microcode-intel installed
#10
I'm running the latest OPNsense 25.1.7_2-amd64 and the issues below occurred on the previous 25.1.6

I had NUT running fine for quite a while in Netclient mode connected to a Cyberpower UPS that is connected to a Synology NAS.

I got a second CyberPower UPS this week with the OPNsense NUC now being powered by it (previously it wasn't UPS protected as it's on a different floor to the Synology). So now I wanted OPNsense to work in Standalone mode connected to the USB UPS that's right next to it.

In the NUT UPS Type tab I unticked Netclient, saved and restarted the service, then Enabled Standalone and the USB-HID Driver option, plugged the USB into the OPNsense NUC and restarted the service.

The Diagnostics shows it's still connected to the Netclient mode UPS in the garage and it won't recognise the standalone UPS plugged into the USB port. I tried all sorts of combinations and it always showed it was still connected via netclient.

So I uninstalled NUT, reinstalled it and rebooted OPNsense. Immediately when OPNsense starts up, it shuts down. It took me a few restarts to quickly go into the GUI and disable NUT to prevent the loop.

Here's the log when it starts then shuts down - 192.168.1.252 is the Synology NAS

2025-05-21T14:47:52 Notice kernel ---<<BOOT>>---
2025-05-21T14:47:52 Notice syslog-ng syslog-ng starting up; version='4.8.2'
2025-05-21T14:46:19 Notice kernel <6>ovpns1: link state changed to DOWN
2025-05-21T14:46:18 Notice syslog-ng syslog-ng shutting down; version='4.8.2'
2025-05-21T14:45:56 Notice upsmon Auto logout and shutdown proceeding
2025-05-21T14:45:56 Critical upsmon Executing automatic power-fail shutdown
2025-05-21T14:45:56 Notice upsmon UPS ups@192.168.1.252:3493: forced shutdown in progress
2025-05-21T14:45:51 Notice configctl event @ 1747802750.95 exec: system event config_changed response: OK
2025-05-21T14:45:51 Error upsmon Login on UPS [ups@192.168.1.252:3493] failed - got [ERR ACCESS-DENIED]

So even though I have disabled Netclient mode, it's still trying to connect, it fails, then 5 seconds later it decides to shut down.

Looking at the logs, at one stage it did recognise the UPS via USB, but disconnected/attempted again, which I discovered by googling that some Cyberpower UPS do this until they connect to the driver?

2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0 (disconnected)
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0 (disconnected)
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0 (disconnected)
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0

Any suggestions would be appreciated - I'm not too keen to re-enable NUT as I think it will shut down as soon as I enable it?
#11
For further testing, have you tried renaming to wan rather than WAN?
#12
Quote from: nodakbarnes on September 16, 2024, 12:09:18 AM
Yes, working fine on Protectli FW2B with Intel Celeron J3060.

I have a Protectli VP2410 with an Intel Celeron J4125 - which os-cpu-microcode should I select as the OPNsense version architecture is AMD64 while it has an Intel CPU? Thanks