Messages

Hi, many thanks @Patrick for the very quick reply and, yes, this worked fine : I clicked on the "reset" item in the "resolve the plugin conflicts" menu and now the status is "installed", looks good :)

Have a good day everyone,

Alex

Many thanks for your messages, much appreciated.

Indeed, the checkbox appeared in 27.5, thanks for pointing this out.
https://wiki.opnsense.org/releases/CE_25.7.html#july-23-2025

And any thoughts/inputs about the "misconfigured" status please ?

Hi,

Sharing an issue about the os-realtek-re plugin uninstall/reinstall and a question about its configuration please.

Some stability issues with Realtek NICs have reoccurred ar. end of June, but seemed improved or gone after 25.7. These issues have become frequent again recently so I thought to rebaseline the driver, ie. uninstall the os-realtek plugin, and then reinstall it.

Interestingly, this action didn't seem to harm connectivity of the Realtek NICs directly but the only Intel on the LAN couldn't see the (Realtek) interface on the other end, which wasn't visible in the ARP table and impossible to ping from OPNsense.

However, once uninstalled, the Realtek plugin couldn't be seen on the plugin list in the GUI (please see screenshot), where it wasn't possible to reinstall it. Having tried a different repo, same thing : the plugin still wasn't visible in the GUI.

From CLI, the package can been seen on the repo and could be then installed (from the CLI): a message at the end of the install points at two parameters to be added in /boot/loader.conf - the latter config file pointing at /boot/loader.conf.local or the Tunables tab in the GUI System section, where the two parameters have been added.

Once reinstalled from CLI, the Realtek package could be seen again in the GUI, within the list of plugins, but it appeared as "misconfigured", although OPNsense had been rebooted, as stated in the info on the package in the CLI (and in addition of the two parameters already set). Tried to reboot again and power off/on, but the status of the package in the GUI remains "misconfigured".

Could you please advise what should be done then to resolve this misconfig status, knowing that the bootloader conf file now includes the two parameters due to be changed ?

Many thanks,

Alex

Hi the OPNsense community,

In Services > Intrusion Detection > Administration, the GUI enables the user to make a number of configuration changes and there are additional settings too that can be configured in the file suricata.yaml.

The OPNsense document speaks about suricata.yaml and to add additional changes, there is another configuration file, custom.yaml.
https://docs.opnsense.org/manual/ips.html

The question is: what are the possible practices - or advice - to make these additional settings changes in Suricata ?

I have tried the following:
- In addition to the parameters that can be managed directly from the GUI, I edited the suricata.yaml file directly but at boot, changes are erased to keep the ones input from the GUI only ;
- to test the custom.yaml configuration file, I copied in there the full suricata.yaml including the wished changes. Although that suricata.yaml worked when used as main configuration file, it didn't work as custom.yaml ;

For instance, I am wondering please about possibilities to:
- keep an updated suricata.yaml even after reboot ?
- additional info about how to use the custom.yaml ?
- any other thoughts / ideas about this topic ?

Many thanks !

["df -h"]

Update:
a bit unexpectedly, but the DHCP and therefore possibly the LAN connectivity issue was linked to IPS which blocked the responses from OPNsense port 67 to LAN port 68 as potentially malicious. The LAN connectivity was restored after disabling IDS/IPS, and a closer look at IPS blocks pinpointed the above. Personally, I didn't see this kind of blocks happening in OPNsense earlier.

If IPS is also enabled on you LAN, maybe you can try to disable it temporarily - if that's permissible on your network - to check that assumption? The stability or connectivity issues on LAN seem to be gone for now.


Sharing also a bit of insights about how that specific issue interacted with other topics, in case it may help others too, as I think that the IPS has been doing its jobs well but this occurred in a given sequence of events:

• sometimes after upgrading OPNsense to 25.1, some LAN connectivity issues began to happen in an unpredictable fashion, not knowing what could have caused it ;
• in the same time frame and on some days, it occurred that the IPS recorded a very high and unusual number of alerts (for a home lab) - eg 90 million events or 210 million events - with a majority of error messages, which made genuine alerts impossible to notice. This may have also prevented the IPS to work normally ;
• point b°) was not visible from the routine check done with "df -h" as the command df appeared not to work as it should - on my new OPNsense re-install, things look back to normal as the command works now as expected. 
• on the LAN interface, some connection attempts were repeatedly initiated from OPNsense, probing port 22 on the LAN subnet (and port 80 as well); it appeared that a similar of kind of probes were being initiated from OPNsense on the WAN interface, also on ports 22 and 80. Unaware of a legitimate service that may have been doing this kind of asynchronous probes

Hoping that may be useful - cheers.

Hi @nicholaswkc,

Thanks for the swift response! As in both cases DHCP ia activated that may help to pinpoint the cause.

Personally I have made network traffic captures and on the LAN endpoint, the DHCP messages are being sent but get no response from OPNsense.

Another element / item to check please:

On LAN, I have also enabled IDS/IPS (Suricata) and I found online an older issue published on another forum mentioning that the DHCP problem could be linked to this service - although the thread didn't get a final or formal response.
https://www.reddit.com/r/OPNsenseFirewall/comments/rcwtdz/dhcp_seems_to_keep_failing/

On that other website, there is also a mention of messages such as

Code Select Expand

generic_netmap_attach Emulated adapter for [Interface name] created (prev was NULL)
These kind of messages are being now (in 25.1) displayed all the time on the console screen while earlier, I can't remember having seen those or maybe that happened but rarely.

Do you also use IDS/IPS on the LAN interface?

I am going to disable IDS/IPS to make a test and observe whether the issue occurs again and the connection is stable.

Hi @nicholaswkc,

The same happens on OPNsense 25.1 in my home lab : there are 2 interfaces in addition to WAN, ie. LAN and let's say OPT1. The issue also occurs without any change in configuration on OPNsense, and I could identify something : DHCP works fine if I plug the LAN endpoint on the OPT1 interface, but the connection fails when it is connected to the LAN interface itself. It appears therefore that the connectivity loss on LAN could be linked to DHCP specifically on LAN.

Is DHCP activated on your LAN interface too? 

Just a quick update : in addition to what's in this thread, I noticed that the IPS was most probably not functional on some days, which was unnoticed for some days as the "df" command doesn't seem to work fine (or maybe very differently than on Linux?)

https://forum.opnsense.org/index.php?topic=46382.0

So any thoughts please to dig into the root cause or potential sources of this thread would be really welcome :-/

Many thanks

Thanks for your reply!

You cant have IDS and IPS at the same time, one or the other

Yes, indeed :-) but I mentioned IDS/IPS together as my question applies similarly to both IDS and IPS.

What do you have enabled as far as rules. Just the defaults?

At the moment, the enabled rules are the default ones, changing some from "block" to "allow" and vice versa, and that was fine.

The issue is that it takes to go into /var/log/suricata to be in a position to realize that the amount of alerts went through the roof:
- a first day, 46 million of "No buffer space available"
- then a second day, 210 million of the same error message.

For a home lab, such figures mean that the IPS (as it was the mode I enabled) was not functional.

That situation was also uneasy to spot as it looks that, moreover,the "df" command doesn't seem to work as it should, which delayed the moment I could identify this situation. That happens in the context when I am trying to identify an odd behavior in the OPNsense box which is asynchronously probing my LAN on ports 22=>80=>22, and then doing the same towards the ISP.

This incident is addressed in this other post: 
https://forum.opnsense.org/index.php?topic=46311.15

In OPNsense, I find the dashboard very useful to notice, at a glance, whether a gateway is up or down or whether any of the services are running. Wondering please if there is any possibility in OPNsense - widget, plugin or other - to get instantly such information about the IDS/IPS, eg. simple high-level stats or an overview to get a heads-up signal ?

Many thanks.

Hi to the OPNsense community,


disclaimer: this is a redirect/repost from a post I made about IPS in the general production series, while there is in fact a specific forum for IPS, hence putting it in the the proper place :)


OPNsense runs in my home lab with IDS/IPS enabled, and I regularly check alerts in Services > Intrusion Detection > Administration - Alerts tab.

The question is : Is there a way to monitor IDS/IPS stats in the GUI, ie. to get an overview ?

For instance, checking log files (/var/log/suricata), I could recently notice, on some specific days, a very unusual number of entries logged, repeating "error reading netmap data via polling: No buffer space available". However, I don't know if there is a way to monitor such stats from the GUI.

In the present case, the high number of buffer error messages (for a home lab) has also probably disabled the protection provided by IPS, as the number of other sorts of messages is much below the normal order of magnitude for daily logs.

By the way, there is another issue: having previously looked at the overall free space on disk with the df command, the output doesn't reflect the actual (and abnormal) size of the Suricata logs; it seems that the correct information is provided with ls when querying the log folder such as for Suricata.

Many thanks,

Hi there,

Well, I haven't configured port forwarding between LAN and WAN but managed to see something : I previously mentioned that the unexpected TCP packets from OPNsense hit port 22 and also 80. In a few cases, it happened in the following sequence : port 22, port 80 and port 22 again.

I could see a similar connection going to WAN but now I managed to see that the same sequence happens on the WAN side : connections from OPNsense to the ISP box on port 22, then 80 and port 22 again. Also got traces of that in /var/log/filter.

A "block all" rule has been added, so these packets are not left out anymore, but still I would like to learn what it may be. Any thoughts please to dig into the root cause or source of this ?

Many thanks again for your follow up, much appreciated !

Have you identified the originating traffic?

Not yet but I don't see something on WAN that could match. That's why I was asking if OPNsense can "probe", that might not be the right word but what I mean is to find out if there are some services/processes running in OPNsense or in one of its services (eg IPS or Ntop) that may be, for valid reasons, making this kind of attempts. But, it keeps happening and I can't find what it could be :-/

By default SSH traffic from WAN to LAN will be blocked. So if it is coming in, someone has created a rule on the firewall to allow it. So if it is allowed, you probably don't want to be alerted every time. But if you are, then that's a conversation to have.

As far as I get it, these specific connection attempts are allowed by automatic rules which, if I am correct, a user can not modify. Attaching the subset of automatic rules that cover among other DHCP, SSH and HTTPS. Could it help to check if these automated rules are ok ?

I would also wonder if that is really a SSH packet or a TCP packet sent to port 22, and will get a look at the IDS alerts that were flooded by an abnormal high number of events a few days ago.

Hi to the OPNsense community,

OPNsense runs in my home lab with IDS/IPS enabled, and I regularly check alerts in Services > Intrusion Detection > Administration - Alerts tab.

Is there a way to monitor IDS/IPS high level stats in the GUI?

For instance, checking log files (/var/log/suricata), I could recently notice a very high unusual number of entries logged, repeating "error reading netmap data via polling: No buffer space available". However, I don't know if there is a way to monitor such stats from the GUI.

Many thanks.

Well, in the present case, that automation would be trigger an alert when OPNsense probes LAN on port 22. Is there a way to do so please ?

This type of events continue to happen, and I wonder if some services on OPNsense could automatically start TCP port probes, as in addition to port 22, the OPNsense box contacts port 80.

I also noticed an enormous amount of IDS alerts on WAN, which I am going to mention in another post.

Back to the forum and thanks for contributions - there were some persistent stability issues on WAN today, hence a bit of delay to respond.

It can be a git server in your own network, it doesn't have to be a public one like GitHub.

That's cool: if it's possible not to go on a public git, then I'll explore this further - thanks for bringing this forward.

Firewall > Settings > Advanced > Logging: Tick to log default block, default pass and outbound NAT <=don't forget to change it all back.
Go back to Firewall > Log Files > Live View: Change the drop down for the number of entries from the default 25 to say 100.

Done, many thanks for the hint :) And now, in practice, as this happens at unexpected moments (as always...), is there a way to automate an alert when this kind of condition is met? I had a look at the OPNsense manual and plugin list but not sure what could help.

Many thanks