Messages - Melroy vd Berg

#1
24.7, 24.10 Legacy Series / Re: Opnsense Crash Logfiles
January 29, 2025, 12:56:37 AM
You're not alone. I also have kernel crashes: https://forum.opnsense.org/index.php?topic=45138.msg225446#msg225446
#2
24.7, 24.10 Legacy Series / Re: Opnsense Crash Logfiles
January 28, 2025, 09:07:40 PM
It's important the swap is on persistent storage like:

Device:       1024-blocks     Used:
/dev/gpt/swapfs   8620216         0

What is your output of the command I gave you earlier?

If there is really a kernel crash happening, and the crash gets logged to the swap partition, then after an automatic system restart the kernel crash report should be visible at: System -> Firmware -> Reporter.

If you see "No issues were detected.", there has been no kernel crash. Or the kernel crash was not stored on your swap partition.
#3
24.7, 24.10 Legacy Series / Re: Opnsense Crash Logfiles
January 28, 2025, 06:52:35 PM
You will need a swap partition in order to see kernel crashes getting logged.

Check if you have a swap by executing (only a swap on persistent storage will work):

swapctl -l

If you mean other kinds of software crashes, like services maybe crashing in the background (aka not a kernel crash), then you might take a look at the log files. For example System -> Log Files -> General.
#4
Wow uhmm ok.

  • Do NOT enable IDS/IPS on VLAN interfaces. And you also do not need to select WAN. Then also uncheck "Promiscuous mode". And also uncheck "Enable syslog alerts" (unless you have a good reason to have syslog alerts?).
  • Then also, which rulesets did you download? You didn't show that. I hope you didn't download them all.. That is also a bad idea.
  • Last but not least, you are setting all the rules to "Alert", meaning you do not even block any request with your current IPS setup. Why?
#5
I'm also not maxing out the CPU and definitely not the memory. I would have the same question, I was hoping to get more throughput. So we are in the same boat, but let's help each other.

First, what are the intrusion detection settings you have?

I share my configs so you know what kind of information I'm after.

Under: Services -> ID -> Administration:

  • Intrusion Detection -> Checked
  • IPS Mode -> Checked
  • Interfaces -> ONLY selected one interface. Which is my LAN interface.
  • Pattern matcher -> Hyperscan (if your hardware allows it?)
  • Under the "Download", I enabled / downloaded the following rules:

    abuse.ch/Feodo Tracker, abuse.ch/ThreatFox, abuse.ch/URLhaus, ET open/botcc, ET open/drop, ET open/dshield, ET open/emerging-dos, ET open/emerging-exploit, ET open/emerging-exploit_kit, ET open/emerging-phishing, ET open/emerging-scan, ET open/emerging-shellcode, ET open/emerging-sql, ET open/emerging-web_server, ET open/emerging-worm

Then I go to: Services -> ID -> Policy.

Create a new policy:

  • Enabled -> Checked
  • Rulesets -> Selecting all of the above (which I downloaded)
  • Action -> Alert
  • New action -> Drop

Please, share your setup.

Last but not least, what kind of tunables did you apply?
#6
I will answer my own question, also for others in the future. After playing around with it a bit, and a bit of trial and error.

So the idea of Services -> Intrusion Detection -> Policy is that you are able to manage multiple whole rulesets together under the "Policies" tab, as well as fine-tune specific rules under the "Rule adjustments" tab.

So let's start with the Policies tab. You can create a new policy rule, selecting the rulesets that you want to adjust. Then select for the "Action" the value "Alert". And as "New action" you could select "Drop".

That will automatically change all the rules under the rulesets from Alert to Drop, thus without the need to change all the rules manually under the Administration -> Rules tab.

While this all makes very much sense if you understand it, the different menu (sub-menu) items, different naming conventions and the lack of documentation can make this policy feature rather confusing. Especially if you are new to Intrusion Detection and these settings (I personally would, for example, not put rule adjustments under Policy).

Next, the Rule adjustments tab allows you to manually adjust a single rule. For example, let's say you just changed the whole ruleset from alert to drop using this policy. However, with rule adjustments you can enter a specific SID (rule number) and either disable this rule and/or move the action back to Alert instead of Drop again.
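To make the effect of the Policies tab (Action "Alert", New action "Drop", as in post #5) and the per-SID Rule adjustments concrete, here is an added Python illustration of what such a policy does to Suricata rule lines. It is not OPNsense's own code; the rule lines and SIDs below are constructed samples.

```python
import re

# Constructed sample rule lines in Suricata syntax (placeholder SIDs, not a real ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN sample"; sid:2001219; rev:20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT sample"; sid:2003001; rev:5;)
# a comment line is passed through untouched
drop udp any any -> $HOME_NET 53 (msg:"already drop"; sid:2100001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"noisy rule"; sid:2400001; rev:2;)
"""

# Leading action keyword, then the rest of the rule, which must carry a sid option.
RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*\bsid:\s*(?P<sid>\d+)\s*;.*)$")


def apply_policy(rules_text, action="alert", new_action="drop", adjustments=None):
    """Model of the Policies + Rule adjustments tabs:
    1. every rule whose current action equals `action` gets `new_action` (the policy),
    2. then per-SID adjustments override: "disable" comments the rule out,
       "alert"/"drop" force that action for that single rule."""
    adjustments = adjustments or {}
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:                      # comments and blank lines stay as they are
            out.append(line)
            continue
        sid = int(m.group("sid"))
        current = new_action if m.group("action") == action else m.group("action")
        adj = adjustments.get(sid)
        if adj == "disable":
            out.append("# " + line)    # Suricata ignores commented-out rules
            continue
        if adj in ("alert", "drop"):
            current = adj
        out.append(f"{current} {m.group('rest')}")
    return "\n".join(out)


def rule_actions(rules_text):
    """Return {sid: action} for every enabled rule, handy for checking the result."""
    actions = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            actions[int(m.group("sid"))] = m.group("action")
    return actions
```

Calling `apply_policy(SAMPLE_RULES, adjustments={2400001: "alert", 2003001: "disable"})` turns every alert rule into drop, then puts SID 2400001 back to alert and disables SID 2003001, which is exactly the two-step behaviour the post describes.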
#7
24.1, 24.4 Legacy Series / Re: Slow Download Speed
January 22, 2025, 09:50:02 PM
@meyergru Can I ask one final question?

I notice that IDS/IPS can optionally also include block lists like Spamhaus, right? However, I notice some people will use maybe a firewall alias for Spamhaus and block the traffic under firewall rules..

So my question would be: Would it be more performant (keep higher throughput) if some of these checks like Spamhaus were done under the firewall settings rather than under Intrusion Detection? Since for some reason, I have the feeling that Intrusion Detection is much more demanding than just a firewall block, while again a simple block list like Spamhaus doesn't necessarily need to be part of IDS/IPS; Spamhaus (and alike) can be part of a block list...?

I hope my story/question is clear.
#8
24.1, 24.4 Legacy Series / Re: Slow Download Speed
January 22, 2025, 09:44:32 PM
Quote from: meyergru on January 22, 2025, 10:01:28 AM
IDS mode can inspect packets after the fact and only generate an alarm. At this time, the packet was already processed. IPS mode has to actually check all the rules before it will decide on whether to actually allow the packet to pass.

Now that I think about this, this makes of course a lot of sense! So IDS mode is just written differently. And indeed IPS needs to be blocking the traffic if it does find something, so it can not do any post-processing after the fact. Thanks!
#9
24.1, 24.4 Legacy Series / Re: Slow Download Speed
January 21, 2025, 10:30:42 PM
I would still like to understand why there is such a big performance impact (I also see a massive reduction in speeds) when enabling IPS Mode.

The reason that I find it strange is that when I only enable Intrusion Detection (so just IDS), it's very fast. But the system is still checking all the packets, after all it will alert on found matches.

And IPS Mode is basically doing all of the same, but then it will also drop the connection on the rules instead of only an alert. So why is IPS mode so much worse performance wise? I still do not get it.
#10
I think action & new action fields are still very unclear to me, poorly documented also at: https://docs.opnsense.org/manual/ips.html#policies

Hopefully this documentation can be improved, and better explain what the difference is between "Action" vs "New action" for example. As well as better explain what the metadata rules per category are/do.

#11
It's an old question and still unanswered. But I had the same question.

After reading the docs.

Quote
One of the most commonly asked questions is which interface to choose. Considering the continued use of IPv4, usually combined with Network Address Translation, it is quite important to use the correct interface. If you are capturing traffic on a WAN interface you will see only traffic after address translation. This means all the traffic is originating from your firewall and not from the actual machine behind it that is likely triggering the alert.

Rules for an IDS/IPS system usually need to have a clear understanding about the internal network; this information is lost when capturing packets behind NAT.

[...]

Since the firewall is dropping inbound packets by default it usually does not improve security to use the WAN interface when in IPS mode because it would drop the packet that would have also been dropped by the firewall.


Meaning, I believe you want to enable IDS and IPS on your physical LAN interface (avoid setting it to a bridge interface, and also avoid setting it to a VLAN interface).


Some people enable it on the physical WAN interface. However, for that, check the "advanced mode" option at the top and enter your WAN IP in your "home networks" box. Do NOT enable both WAN & LAN, since that will most likely cause IDS/IPS to scan the traffic twice.

See also this blog post: https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/

If I'm wrong, please correct me.
#12
24.7, 24.10 Legacy Series / Re: Kernel crash
January 11, 2025, 03:50:11 PM
Thanks. Changing the NIC? I'm using official Deciso hardware: DEC3852...?
#13
24.7, 24.10 Legacy Series / Kernel crash
January 10, 2025, 01:51:16 PM
Dmesg kernel crash using OPNsense 24.10.1 Business (fully up to date). I use both IPv4 and IPv6 (dual stack), nothing special about my setup and no additional package installed. And using the official Deciso hardware:

<7>cannot forward src fe80:6::99bc:8c8c:d836:c182, dst 2620:2d:4000:1::2a, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::99bc:8c8c:d836:c182, dst 2620:2d:4000:1::2b, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::99bc:8c8c:d836:c182, dst 2620:2d:4000:1::23, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::99bc:8c8c:d836:c182, dst 2620:2d:4002:1::197, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::99bc:8c8c:d836:c182, dst 2620:2d:4002:1::198, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a01:111:f100:9001::1761:9097, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42::485, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42::485, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42::485, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42:200::485, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42:400::485, nxt 17, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2620:1ec:bdf::67, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42:400::485, nxt 17, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42:400::485, nxt 17, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42:400::485, nxt 17, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42:400::485, nxt 17, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42:400::485, nxt 17, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42:400::485, nxt 17, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2a04:4e42:400::485, nxt 17, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2606:50c0:8001::154, nxt 6, rcvif ax1, outif pppoe0
<7>cannot forward src fe80:6::e486:95ff:fe5b:1003, dst 2606:50c0:8003::154, nxt 6, rcvif ax1, outif pppoe0


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0xfffff809e2afe000
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff810baf61
stack pointer         = 0x28:0xfffffe001d772cd0
frame pointer         = 0x28:0xfffffe001d772d00
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (if_io_tqg_0)
rdi: 000000082c140000 rsi: 0000000000000001 rdx: 0000000000000011
rcx: 000000002b95d7ff  r8: 000000002b95e000  r9: fffffe001d773000
rax: fffff801b69be000 rbx: fffffe00d9baa000 rbp: fffffe001d772d00
r10: 0000000000000000 r11: 0000000000000000 r12: 0000000000000010
r13: fffff80004007800 r14: 0000000000000000 r15: 0000000000000000
trap number = 12
panic: page fault
cpuid = 0
time = 1736267408
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe001d7729c0
vpanic() at vpanic+0x131/frame 0xfffffe001d772af0
panic() at panic+0x43/frame 0xfffffe001d772b50
trap_fatal() at trap_fatal+0x40b/frame 0xfffffe001d772bb0
trap_pfault() at trap_pfault+0x46/frame 0xfffffe001d772c00
calltrap() at calltrap+0x8/frame 0xfffffe001d772c00
--- trap 0xc, rip = 0xffffffff810baf61, rsp = 0xfffffe001d772cd0, rbp = 0xfffffe001d772d00 ---
axgbe_isc_rxd_available() at axgbe_isc_rxd_available+0xc1/frame 0xfffffe001d772d00
iflib_rxeof() at iflib_rxeof+0xc5/frame 0xfffffe001d772e00
_task_fn_rx() at _task_fn_rx+0x72/frame 0xfffffe001d772e40
gtaskqueue_run_locked() at gtaskqueue_run_locked+0x14e/frame 0xfffffe001d772ec0
gtaskqueue_thread_loop() at gtaskqueue_thread_loop+0xc2/frame 0xfffffe001d772ef0
fork_exit() at fork_exit+0x7f/frame 0xfffffe001d772f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe001d772f30
--- trap 0xe9939ae2, rip = 0x61d4934a6d94934e, rsp = 0xc6e30806caa30802, rbp = 0x7adc2428769c242c ---
KDB: enter: panic

Reason unknown to me.
#14
Quote from: opnsenseuser1 on August 02, 2024, 05:43:12 PM
**** Interface statistics was better in the old version with all details rather than the current PIE chart.****

Can we have it configurable? With a choice of PIE chart or details like in the old version????

I'm using 24.10, but I also think a detailed "Interface Statistics" with a table lay-out widget would be a nice addition.

I think this detailed table view should just be another widget.
#15
This question has been asked before; at that time this import capability was not available, but it was not hard to get it done anyway: https://forum.opnsense.org/Archive/17_7_Legacy_Series/import__opnvpn

However, I see that "Servers" & "Clients" have meanwhile been marked as 'legacy'. Nowadays you are better off choosing "Client Specific Overrides": https://docs.opnsense.org/manual/vpnet.html#new-vpn-openvpn-instances