Messages - alex_62450

#1
Update:
a bit unexpectedly, but the DHCP and therefore possibly the LAN connectivity issue was linked to IPS which blocked the responses from OPNsense port 67 to LAN port 68 as potentially malicious. The LAN connectivity was restored after disabling IDS/IPS, and a closer look at IPS blocks pinpointed the above. Personally, I didn't see this kind of block happening in OPNsense earlier.

If IPS is also enabled on your LAN, maybe you can try to disable it temporarily - if that's permissible on your network - to check that assumption? The stability or connectivity issues on LAN seem to be gone for now.


Sharing also a bit of insight about how that specific issue interacted with other topics, in case it may help others too, as I think that the IPS has been doing its job well but this occurred in a given sequence of events:

  • some time after upgrading OPNsense to 25.1, some LAN connectivity issues began to happen in an unpredictable fashion, not knowing what could have caused it;
  • in the same time frame and on some days, it occurred that the IPS recorded a very high and unusual number of alerts (for a home lab) - eg 90 million events or 210 million events - with a majority of error messages, which made genuine alerts impossible to notice. This may have also prevented the IPS from working normally;
  • point b°) was not visible from the routine check done with "df -h" as the command df appeared not to work as it should - on my new OPNsense re-install, things look back to normal as the command works now as expected;
  • on the LAN interface, some connection attempts were repeatedly initiated from OPNsense, probing port 22 on the LAN subnet (and port 80 as well); it appeared that a similar kind of probe was being initiated from OPNsense on the WAN interface, also on ports 22 and 80. I am unaware of a legitimate service that may have been doing this kind of asynchronous probing.

Hoping that may be useful - cheers.
#2
Hi @nicholaswkc,

Thanks for the swift response! As in both cases DHCP is activated, that may help to pinpoint the cause.

Personally I have made network traffic captures and on the LAN endpoint, the DHCP messages are being sent but get no response from OPNsense.

Another element / item to check please:

On LAN, I have also enabled IDS/IPS (Suricata) and I found online an older issue published on another forum mentioning that the DHCP problem could be linked to this service - although the thread didn't get a final or formal response.
https://www.reddit.com/r/OPNsenseFirewall/comments/rcwtdz/dhcp_seems_to_keep_failing/

On that other website, there is also a mention of messages such as
generic_netmap_attach Emulated adapter for [Interface name] created (prev was NULL)
These kinds of messages are now (in 25.1) displayed all the time on the console screen while earlier, I can't remember having seen those, or maybe that happened but rarely.

Do you also use IDS/IPS on the LAN interface?

I am going to disable IDS/IPS to make a test and observe whether the issue occurs again and the connection is stable.
#3
Hi @nicholaswkc,

The same happens on OPNsense 25.1 in my home lab: there are 2 interfaces in addition to WAN, i.e. LAN and let's say OPT1. The issue also occurs without any change in configuration on OPNsense, and I could identify something: DHCP works fine if I plug the LAN endpoint on the OPT1 interface, but the connection fails when it is connected to the LAN interface itself. It appears therefore that the connectivity loss on LAN could be linked to DHCP specifically on LAN.

Is DHCP activated on your LAN interface too?
#4
Just a quick update: in addition to what's in this thread, I noticed that the IPS was most probably not functional on some days, which went unnoticed for some days as the "df" command doesn't seem to work fine (or maybe very differently than on Linux?)

https://forum.opnsense.org/index.php?topic=46382.0

So any thoughts please to dig into the root cause or potential sources of this thread would be really welcome :-/

Many thanks
#5
Thanks for your reply!

Quote: You can't have IDS and IPS at the same time, one or the other

Yes, indeed :-) but I mentioned IDS/IPS together as my question applies similarly to both IDS and IPS.

Quote: What do you have enabled as far as rules. Just the defaults?

At the moment, the enabled rules are the default ones, changing some from "block" to "allow" and vice versa, and that was fine.

The issue is that one has to go into /var/log/suricata to be in a position to realize that the amount of alerts went through the roof:
- on a first day, 46 million "No buffer space available" messages
- then on a second day, 210 million of the same error message.

For a home lab, such figures mean that the IPS (as it was the mode I enabled) was not functional.

That situation was also uneasy to spot as it looks that, moreover, the "df" command doesn't seem to work as it should, which delayed the moment I could identify this situation. That happens in the context where I am trying to identify an odd behavior in the OPNsense box which is asynchronously probing my LAN on ports 22=>80=>22, and then doing the same towards the ISP.

This incident is addressed in this other post:
https://forum.opnsense.org/index.php?topic=46311.15

In OPNsense, I find the dashboard very useful to notice, at a glance, whether a gateway is up or down or whether any of the services are running. Wondering please if there is any possibility in OPNsense - widget, plugin or other - to get such information instantly about the IDS/IPS, eg. simple high-level stats or an overview to get a heads-up signal?

Many thanks.
#6
Hi to the OPNsense community,


disclaimer: this is a redirect/repost from a post I made about IPS in the general production series, while there is in fact a specific forum for IPS, hence putting it in the proper place :)


OPNsense runs in my home lab with IDS/IPS enabled, and I regularly check alerts in Services > Intrusion Detection > Administration - Alerts tab.

The question is: is there a way to monitor IDS/IPS stats in the GUI, i.e. to get an overview?

For instance, checking log files (/var/log/suricata), I could recently notice, on some specific days, a very unusual number of entries logged, repeating "error reading netmap data via polling: No buffer space available". However, I don't know if there is a way to monitor such stats from the GUI.

In the present case, the high number of buffer error messages (for a home lab) has also probably disabled the protection provided by IPS, as the number of other sorts of messages is much below the normal order of magnitude for daily logs.

By the way, there is another issue: having previously looked at the overall free space on disk with the df command, the output doesn't reflect the actual (and abnormal) size of the Suricata logs; it seems that the correct information is provided with ls when querying the log folder such as for Suricata.

Many thanks,
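Since the question in this post and in #5 is how to notice, without reading /var/log/suricata by hand, that one error message has flooded the Suricata log and is drowning genuine alerts, here is a small added example (not from the original posts and not an OPNsense or Suricata feature) that tallies log messages per day and flags any message repeated above a threshold. The log lines are constructed for the example and only approximate the layout of suricata.log ("d/m/Y -- H:M:S - <Level> - message"); the threshold value is an assumption to be tuned to one's own network.

```python
"""Tally repeated Suricata log messages per day and flag message floods."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (layout approximates suricata.log; counts are made up).
NORMAL_LINE = "{day} -- 08:00:01 - <Notice> - all 4 packet processing threads, 2 management threads initialized, engine started."
ERROR_LINE = "{day} -- 08:00:05 - <Error> - error reading netmap data via polling: No buffer space available"
SAMPLE_LINES = (
    [NORMAL_LINE.format(day="1/3/2025")]
    + [ERROR_LINE.format(day="1/3/2025")] * 5      # day 1: the same error repeated 5 times
    + [NORMAL_LINE.format(day="2/3/2025")]
    + [ERROR_LINE.format(day="2/3/2025")] * 2      # day 2: only 2 repeats
    + ["this line does not match the expected layout and is ignored"]
)

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> - (?P<msg>.*)$"
)


def tally(lines):
    """Return {date: Counter({(level, message): count})} for every parseable line."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                        # unknown layout: skip rather than guess
        per_day[m["date"]][(m["level"], m["msg"])] += 1
    return per_day


def find_floods(per_day, threshold):
    """List (date, level, message, count) for messages repeated at least `threshold` times in a day."""
    floods = []
    for date, counter in per_day.items():
        for (level, msg), count in counter.most_common():
            if count >= threshold:
                floods.append((date, level, msg, count))
    return floods


def error_share(per_day, date):
    """Fraction of that day's lines that are <Error>; a sudden jump is the heads-up signal."""
    counter = per_day.get(date, Counter())
    total = sum(counter.values())
    errors = sum(c for (level, _), c in counter.items() if level == "Error")
    return errors / total if total else 0.0


if __name__ == "__main__":
    FLOOD_THRESHOLD = 4   # assumed; on a real box this would be far higher
    days = tally(SAMPLE_LINES)
    for date, level, msg, count in find_floods(days, FLOOD_THRESHOLD):
        print(f"{date}: <{level}> repeated {count}x: {msg}")
    for date in sorted(days):
        print(f"{date}: error share {error_share(days, date):.0%}")
```

On a real box the script would be fed the file under /var/log/suricata instead of SAMPLE_LINES and run from cron, printing or mailing the flood lines; the error share per day is the cheap summary statistic that the dashboard does not show but that would have exposed the 46 million / 210 million days at a glance.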
#7
Hi there,

Well, I haven't configured port forwarding between LAN and WAN but managed to see something: I previously mentioned that the unexpected TCP packets from OPNsense hit port 22 and also 80. In a few cases, it happened in the following sequence: port 22, port 80 and port 22 again.

I could see a similar connection going to WAN but now I managed to see that the same sequence happens on the WAN side : connections from OPNsense to the ISP box on port 22, then 80 and port 22 again. Also got traces of that in /var/log/filter.

A "block all" rule has been added, so these packets are not let out anymore, but still I would like to learn what it may be. Any thoughts please to dig into the root cause or source of this?
#8
Many thanks again for your follow up, much appreciated !

Quote: Have you identified the originating traffic?

Not yet, but I don't see anything on WAN that could match. That's why I was asking if OPNsense can "probe"; that might not be the right word, but what I mean is to find out if there are some services/processes running in OPNsense or in one of its services (eg IPS or Ntop) that may be, for valid reasons, making this kind of attempt. But it keeps happening and I can't find what it could be :-/

Quote: By default SSH traffic from WAN to LAN will be blocked. So if it is coming in, someone has created a rule on the firewall to allow it. So if it is allowed, you probably don't want to be alerted every time. But if you are, then that's a conversation to have.

As far as I get it, these specific connection attempts are allowed by automatic rules which, if I am correct, a user cannot modify. Attaching the subset of automatic rules that cover, among others, DHCP, SSH and HTTPS. Could it help to check if these automated rules are ok?

I would also wonder if that is really an SSH packet or a TCP packet sent to port 22, and will have a look at the IDS alerts that were flooded by an abnormally high number of events a few days ago.
#9
Hi to the OPNsense community,

OPNsense runs in my home lab with IDS/IPS enabled, and I regularly check alerts in Services > Intrusion Detection > Administration - Alerts tab.

Is there a way to monitor IDS/IPS high level stats in the GUI?

For instance, checking log files (/var/log/suricata), I could recently notice a very high unusual number of entries logged, repeating "error reading netmap data via polling: No buffer space available". However, I don't know if there is a way to monitor such stats from the GUI.

Many thanks.
#10
Well, in the present case, that automation would be to trigger an alert when OPNsense probes LAN on port 22. Is there a way to do so, please?

This type of event continues to happen, and I wonder if some services on OPNsense could automatically start TCP port probes, as in addition to port 22, the OPNsense box contacts port 80.

I also noticed an enormous amount of IDS alerts on WAN, which I am going to mention in another post.
#11
Back to the forum and thanks for contributions - there were some persistent stability issues on WAN today, hence a bit of delay to respond.

Quote: It can be a git server in your own network, it doesn't have to be a public one like GitHub.

That's cool: if it's possible not to go on a public git, then I'll explore this further - thanks for bringing this forward.


Quote: Firewall > Settings > Advanced > Logging: Tick to log default block, default pass and outbound NAT <= don't forget to change it all back.
Go back to Firewall > Log Files > Live View: Change the drop down for the number of entries from the default 25 to say 100.

Done, many thanks for the hint :) And now, in practice, as this happens at unexpected moments (as always...), is there a way to automate an alert when this kind of condition is met? I had a look at the OPNsense manual and plugin list but not sure what could help.

Many thanks
#12
Thank you very much again for your messages.

Quote: Do you have backup to git enabled?

Well, I am not using that feature for the moment. It looks great and can be very helpful, but at the same time, it is not making your configuration public, is it? Until now, I have been doing backups and restores using config files, and use #diff to spot any changes. Can you share a bit about your experience with git please? I'd like to know more about it for sure.

Quote: Well, there's "Firewall: Log Files: Plain View", but searching it can be a bit cumbersome.

Indeed :-/ I have tried some basic steps, using simple #grep filters and #less, but I am not sure what the best log filters are to look at to identify this kind of event in traffic - i.e. the entry point on WAN - and in the system.

By the way, OPNsense was updated today to 25.1.3, which I welcomed as a chance to re-baseline the system, but the same attempt was spotted again on LAN, so any thoughts and advice to track this kind of event would please be really, really welcome.

Many thanks.
#13
Many thanks for your message.

Logging is indeed enabled on some of the rules, but not on the automatic ones :/... I'll implement that step, thanks again for mentioning this.

In such a case, is there something else that I can dig into to learn about this event, eg in /var/log or elsewhere?

I would also like to know if there is a way to assess whether that happened through traffic only or does it imply the OPNsense system is compromised (not sure if both conditions can apply).

#14
Many thanks for the swift reply.

Well, unfortunately no, I wasn't SSH'ing from the console :-/ ...so what can be done please to find that other part corresponding to this traffic?
#15
Hi to the OPNsense community,

I am using OPNsense as a home lab, in the following basic setting:

      Internet access ===> OPNsense 25.1 ==> LAN

After upgrading to OPNsense 25.1, there were some connectivity issues on the LAN interface (instability), which some other users experienced and this made me have a closer look at the LAN interface.

This is how I noticed connections going from the firewall to port 22 on the LAN. These connections - or rather attempts, allowed by automatic rules ('let anything out from firewall host itself') - suggest use of SSH, as the protocol was TCP.

Please see attached screenshot from the live view in firewall logs: the connections are leaving the LAN interface, from OPNsense to the computer on the LAN.

I tried to find out if there is any legitimate service on OPNsense 25.1 that could be making this kind of activity; could anyone share any thoughts or advice, please?

Many thanks.
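The recurring ask across this post and #10/#11 is an automated alert whenever the firewall host itself opens TCP connections to port 22 (or 80) on the LAN, something the live view only shows if one happens to be watching. Below is an added example, not code from the original posts nor an OPNsense feature, that scans exported firewall log records for exactly that condition and reconstructs the per-host port sequence (the 22 => 80 => 22 pattern described in #7). The record layout, the firewall's LAN address, the interface name and the sample records are all constructed for this example; OPNsense's real filterlog lines carry more fields in a different order, so the parser would need to be adapted to that layout before use.

```python
"""Flag firewall-originated TCP connection attempts to admin ports on the LAN."""
import csv
from collections import defaultdict

# Constructed, simplified record layout for this example (NOT OPNsense's filterlog layout):
# timestamp,interface,action,direction,proto,src,sport,dst,dport,tcpflags
SAMPLE_LOG = """\
2025-03-01T10:00:00,igb1,pass,out,tcp,192.168.1.1,51000,192.168.1.50,22,S
2025-03-01T10:00:01,igb1,pass,out,tcp,192.168.1.1,51001,192.168.1.50,80,S
2025-03-01T10:00:02,igb1,pass,out,tcp,192.168.1.1,51002,192.168.1.50,22,S
2025-03-01T10:05:00,igb1,pass,in,tcp,192.168.1.50,40000,192.168.1.1,443,S
2025-03-01T10:06:00,igb1,pass,out,tcp,192.168.1.1,443,192.168.1.50,40000,SA
2025-03-01T10:07:00,igb0,pass,out,tcp,203.0.113.10,52000,198.51.100.7,443,S
"""

FIREWALL_LAN_IP = "192.168.1.1"   # assumed address of the firewall on the LAN
LAN_IF = "igb1"                   # assumed LAN interface name
WATCHED_PORTS = {22, 80}          # ports the posts report being probed

FIELDS = ["ts", "iface", "action", "direction", "proto", "src", "sport", "dst", "dport", "flags"]


def parse(text):
    """Parse the constructed CSV layout into dicts; malformed records are skipped."""
    rows = []
    for rec in csv.reader(text.strip().splitlines()):
        if len(rec) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, rec))
        try:
            row["sport"], row["dport"] = int(row["sport"]), int(row["dport"])
        except ValueError:
            continue
        rows.append(row)
    return rows


def firewall_origin_probes(rows):
    """Records where the firewall itself starts a TCP connection (bare SYN) to a watched port on LAN.

    Replies the firewall sends to inbound sessions (SYN/ACK, source port 443 etc.) are
    excluded because they are not new outbound connections.
    """
    return [
        r for r in rows
        if r["iface"] == LAN_IF
        and r["direction"] == "out"
        and r["proto"] == "tcp"
        and r["src"] == FIREWALL_LAN_IP
        and r["dport"] in WATCHED_PORTS
        and r["flags"] == "S"
    ]


def port_sequences(probes):
    """Per destination host, the destination ports in time order (reveals 22 -> 80 -> 22)."""
    seq = defaultdict(list)
    for r in sorted(probes, key=lambda r: r["ts"]):
        seq[r["dst"]].append(r["dport"])
    return dict(seq)


def alerts(text):
    """One alert line per LAN host the firewall probed; empty when nothing matched."""
    sequences = port_sequences(firewall_origin_probes(parse(text)))
    return [f"ALERT {dst}: firewall-originated TCP to ports {ports}" for dst, ports in sequences.items()]


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

The check only sees what is logged: as the quoted advice in #11 notes, the automatic "let anything out from firewall host itself" rules are not logged unless default-pass logging is switched on under Firewall > Settings > Advanced > Logging, so that setting is a precondition for feeding real records to a scan like this.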