Messages - hharry

#1
25.1, 25.4 Series / Re: How do I turn off nat
July 14, 2025, 08:26:51 AM
Quote from: saki22 on July 14, 2025, 06:10:47 AMI got a new ISP provider the modem I cannot turn off the nat. I was wondering if there was a way turn off the nat protocol on Opnsense without affecting the firewall rules

To turn off NAT, you disable NAT in Firewall: NAT: Outbound.
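A check to go with the answer above, added here as an example and not code from the post or from OPNsense: after disabling outbound NAT, confirm from pf itself (`pfctl -sn`, run as root on the firewall) that no `nat on <wan>` rule is left, and remember that port forwards (`rdr` rules, Firewall: NAT: Port Forward) are configured separately and are not removed by that setting, nor are the filter rules under `pfctl -sr`. The interface name `vtnet0` and the two `pfctl -sn` samples are constructed assumptions, not captured output.

```python
"""Verify from pf itself that outbound NAT is really off on the WAN.

Added example; it is not code from the forum post or from OPNsense. It
assumes the rule wording FreeBSD's `pfctl -sn` prints on an OPNsense box
(translation rules only; filter rules live under `pfctl -sr` and are not
touched by disabling outbound NAT). The two samples below are constructed
for illustration, not captured output.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# pf translation rule keywords: `nat` is outbound NAT (Firewall: NAT: Outbound),
# `rdr` is a port forward (Firewall: NAT: Port Forward), `binat` is 1:1 NAT.
# "no nat ..." lines are exemptions, "*-anchor" lines are anchor attachments.
_RULE_RE = re.compile(
    r"^(?P<neg>no\s+)?(?P<kind>nat|rdr|binat)(?P<anchor>-anchor)?\b"
    r"(?:\s+on\s+(?P<iface>\S+))?"
)

# Constructed: what `pfctl -sn` might show with automatic outbound NAT enabled.
SAMPLE_NAT_ON = """\
no nat proto carp all
nat-anchor "miniupnpd" all
rdr-anchor "miniupnpd" all
nat on vtnet0 inet from 192.168.1.0/24 to any port = isakmp -> (vtnet0:0) static-port
nat on vtnet0 inet from 192.168.1.0/24 to any -> (vtnet0:0) port 1024:65535
rdr on vtnet0 inet proto tcp from any to (vtnet0) port = https -> 192.168.1.10
"""

# Constructed: the same box after outbound NAT is disabled. The port forward
# (rdr) survives because it is configured separately from outbound NAT.
SAMPLE_NAT_OFF = """\
no nat proto carp all
rdr on vtnet0 inet proto tcp from any to (vtnet0) port = https -> 192.168.1.10
"""


@dataclass(frozen=True)
class XlateRule:
    kind: str       # "nat", "rdr" or "binat"
    negated: bool   # True for "no nat ..." exemption rules
    iface: str      # interface the rule is bound to, "" if unspecified
    text: str       # the raw rule line


def parse_pfctl_nat(output: str) -> list[XlateRule]:
    """Classify each translation rule in `pfctl -sn` output; anchors are skipped."""
    rules: list[XlateRule] = []
    for line in output.splitlines():
        line = line.strip()
        m = _RULE_RE.match(line)
        if not m or m.group("anchor"):
            continue
        rules.append(XlateRule(
            kind=m.group("kind"),
            negated=m.group("neg") is not None,
            iface=m.group("iface") or "",
            text=line,
        ))
    return rules


def outbound_nat_rules(output: str, wan_iface: str) -> list[XlateRule]:
    """Active (non-exemption) `nat` rules bound to the given WAN interface."""
    return [r for r in parse_pfctl_nat(output)
            if r.kind == "nat" and not r.negated and r.iface == wan_iface]


def outbound_nat_disabled(output: str, wan_iface: str) -> bool:
    """True when no outbound NAT rule remains on the WAN interface."""
    return not outbound_nat_rules(output, wan_iface)


def live_check(wan_iface: str) -> bool:
    """Run `pfctl -sn` on the firewall itself (needs root) and evaluate it."""
    out = subprocess.run(["pfctl", "-sn"], capture_output=True, text=True, check=True)
    return outbound_nat_disabled(out.stdout, wan_iface)


if __name__ == "__main__":
    for label, sample in (("NAT on", SAMPLE_NAT_ON), ("NAT off", SAMPLE_NAT_OFF)):
        left = outbound_nat_rules(sample, "vtnet0")
        print(f"{label}: outbound NAT disabled = {not left}; remaining nat rules = {len(left)}")
```

On the firewall, `live_check("<your WAN interface>")` answers the question directly; the parser is the same one the samples exercise, so a box with a surviving `nat on` rule (for example a manual outbound rule left in place) shows up as `False`.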

#2
It's working for me: add a new or edit an existing F/W rule, save, and the Apply Changes button is always present. FWIW, I'm using the latest Brave 1.80.120 (Chromium 138.0.7204.101) browser.
#3
25.1, 25.4 Series / Re: 25.1.10 and CPU Usage
July 04, 2025, 03:56:26 AM
Quote from: spetrillo on July 02, 2025, 05:16:10 PMHello all,

I upgraded to 25.1.10 last night and afterwards my CPUs are being pegged at 100%. My OPNsense firewall is virtualized under Proxmox, but was running just fine prior to 25.1.10. Anyone else seeing this?

Thanks,
Steve

I'm not running OPNsense in a Proxmox VM, but am running several OPNsense 25.1.10 deployments in ESXi 6.7 update3 U2 VMs, and all instances are behaving themselves when it comes to CPU utilization.

Perhaps you should navigate to System: Diagnostics: Activity to get an idea which process(es) may be hogging the CPU...

#4
I've recently added IDS (not IPS) to my OPNsense 25.1.7_4-amd64 deployment, and am observing that the Suricata ET (Emerging Threats) definitions are not downloading according to the scheduled cronjob.

I have for now added the Suricata rules to the cron schedule, to be downloaded every 24 hours, and can see that all enabled rules, other than ET (Emerging Threats), are downloaded according to the cronjob schedule. The date+time stamp for all ET (Emerging Threats) rules is stuck on the date+time I did the initial download of the rules...

Anybody know why the ET (Emerging Threats) rules are not being downloaded according to the cron schedule?
#5
Quote from: Cipher on May 12, 2025, 11:49:52 AMHas anyone used PAP authentication on OPNsense? Any known issues or limitations?

Thanks in advance!

Yes, OPNsense supports PPPoE PAP authentication, when the remote PPPoE server requests it.

OPNsense configures PPPoE by default to accept the PAP, CHAP, or EAP authentication protocols.

root@OPNsense:~ # egrep -ai 'link accept' /var/etc/mpd_wan.conf
  set link accept chap pap eap
root@OPNsense:~ #


I run several OPNsense instances with PPPoE; all run with PAP authentication. Sample logs below:


/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="70"] PPPoE: rec'd ACNAME "VYOS03"
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="71"] [wan_link0] PPPoE: connection successful
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="72"] [wan_link0] Link: UP event
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="73"] [wan_link0] LCP: Up event
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="74"] [wan_link0] LCP: state change Starting --> Req-Sent
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="75"] [wan_link0] LCP: SendConfigReq #5
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="76"] [wan_link0]   MRU 1492
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="77"] [wan_link0]   MAGICNUM 0x3456ef14
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="78"] [wan_link0] LCP: rec'd Configure Request #101 (Req-Sent)
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="79"] [wan_link0]   AUTHPROTO PAP
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="80"] [wan_link0]   MRU 1492
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="81"] [wan_link0]   MAGICNUM 0x7bdf7d46
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="82"] [wan_link0] LCP: SendConfigAck #101
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="83"] [wan_link0]   AUTHPROTO PAP
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="84"] [wan_link0]   MRU 1492
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="85"] [wan_link0]   MAGICNUM 0x7bdf7d46
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="86"] [wan_link0] LCP: state change Req-Sent --> Ack-Sent
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="87"] [wan_link0] LCP: rec'd Configure Ack #5 (Ack-Sent)
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="88"] [wan_link0]   MRU 1492
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="89"] [wan_link0]   MAGICNUM 0x3456ef14
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="90"] [wan_link0] LCP: state change Ack-Sent --> Opened
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="91"] [wan_link0] LCP: auth: peer wants PAP, I want nothing
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="92"] [wan_link0] PAP: using authname "username@example.com"
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="93"] [wan_link0] PAP: sending REQUEST #1 len: 43
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="94"] [wan_link0] LCP: LayerUp
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="95"] [wan_link0] PAP: rec'd ACK #1 len: 29
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="96"] [wan_link0]   MESG: Authentication succeeded
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="97"] [wan_link0] LCP: authorization successful
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="98"] [wan_link0] Link: Matched action 'bundle "wan" ""'
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="99"] [wan_link0] Link: Join bundle "wan"
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="100"] [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="101"] [wan] IPCP: Open event
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="102"] [wan] IPCP: state change Initial --> Starting
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="103"] [wan] IPCP: LayerStart
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="104"] [wan] IPCP: Up event
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="105"] [wan] IPCP: state change Starting --> Req-Sent
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="106"] [wan] IPCP: SendConfigReq #7
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="107"] [wan]   IPADDR 0.0.0.0
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="108"] [wan] IPCP: rec'd Configure Request #239 (Req-Sent)
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="109"] [wan]   IPADDR 192.168.40.254
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="110"] [wan]     192.168.40.254 is OK
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="111"] [wan] IPCP: SendConfigAck #239
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="112"] [wan]   IPADDR 192.168.40.254
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="113"] [wan] IPCP: state change Req-Sent --> Ack-Sent
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="114"] [wan] IPCP: rec'd Configure Nak #7 (Ack-Sent)
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="115"] [wan]   IPADDR 192.168.40.1
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="116"] [wan]     192.168.40.1 is OK
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="117"] [wan] IPCP: SendConfigReq #8
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="118"] [wan]   IPADDR 192.168.40.1
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="119"] [wan] IPCP: rec'd Configure Ack #8 (Ack-Sent)
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="120"] [wan]   IPADDR 192.168.40.1
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="121"] [wan] IPCP: state change Ack-Sent --> Opened
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="122"] [wan] IPCP: LayerUp
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="123"] [wan]   192.168.40.1 -> 192.168.40.254
/var/log/system/system_20250511.log:<13>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 25853 - [meta sequenceId="124"] ppp-linkup: executing on pppoe1 for inet
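As an added example (not code from the post or from the OPNsense project), a small parser that turns mpd5 log lines like the ones above into a summary of what was negotiated: which authentication protocol the ISP asked for in its LCP request, whether OPNsense asked the ISP for anything (`I want nothing` means one-way authentication), the authname used, the PAP ACK/NAK result and the IPCP addresses. The RFC 5424 line shape and the message wording are taken from the post; `SAMPLE` is a constructed excerpt modelled on those lines. Because PAP sends the password as plaintext inside the PPP frame (a property of the protocol, not a finding about this setup), the summary flags that too.

```python
"""Summarise PPPoE link authentication from OPNsense system log lines.

Added example, not code from the forum post or from the OPNsense project. It
assumes the RFC 5424 line shape OPNsense writes to /var/log/system/*.log and
the mpd5 message wording visible in the post above; SAMPLE is a constructed
excerpt modelled on those lines (same placeholder authname).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Optional "file[:lineno]:" grep prefix, the RFC 5424 header, then the message.
_LINE_RE = re.compile(r"^(?:\S+?\.log:(?:\d+:)?)?<\d+>1 \S+ \S+ (?P<app>\S+) \S+ - "
                      r"\[meta sequenceId=\"\d+\"\] (?P<msg>.*)$")
_LINK_RE = re.compile(r"^\[(?P<link>[^\]]+)\] (?P<body>.*)$")
_AUTH_NEG_RE = re.compile(r"^LCP: auth: peer wants (?P<peer>\S+), I want (?P<me>\S+)$")
_AUTHNAME_RE = re.compile(r'^(?P<proto>PAP|CHAP|EAP): using authname "(?P<name>[^"]*)"$')
_AUTH_RESULT_RE = re.compile(r"^(?P<proto>PAP|CHAP|EAP): rec'd (?P<result>ACK|NAK)\b")
_ADDR_RE = re.compile(r"^(?P<local>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<peer>\d{1,3}(?:\.\d{1,3}){3})$")
_LINKUP_RE = re.compile(r"^ppp-linkup: executing on (?P<iface>\S+) for \S+$")

SAMPLE = """\
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="78"] [wan_link0] LCP: rec'd Configure Request #101 (Req-Sent)
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="79"] [wan_link0]   AUTHPROTO PAP
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="80"] [wan_link0]   MRU 1492
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="82"] [wan_link0] LCP: SendConfigAck #101
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="83"] [wan_link0]   AUTHPROTO PAP
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="91"] [wan_link0] LCP: auth: peer wants PAP, I want nothing
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="92"] [wan_link0] PAP: using authname "username@example.com"
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="95"] [wan_link0] PAP: rec'd ACK #1 len: 29
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="96"] [wan_link0]   MESG: Authentication succeeded
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="122"] [wan] IPCP: LayerUp
/var/log/system/system_20250511.log:<29>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 91391 - [meta sequenceId="123"] [wan]   192.168.40.1 -> 192.168.40.254
/var/log/system/system_20250511.log:<13>1 2025-05-11T16:19:43+10:00 OPNsense.localdomain ppp 25853 - [meta sequenceId="124"] ppp-linkup: executing on pppoe1 for inet
"""

@dataclass
class PppoeAuth:
    link: str = ""
    peer_requested: list[str] = field(default_factory=list)  # AUTHPROTO options in the ISP's LCP requests
    peer_wants: Optional[str] = None    # protocol the ISP demands from us
    we_want: Optional[str] = None       # protocol we demand from the ISP ("nothing" = one-way auth)
    auth_proto: Optional[str] = None
    authname: Optional[str] = None
    auth_result: Optional[str] = None   # "ACK" or "NAK"
    auth_message: Optional[str] = None
    local_ip: Optional[str] = None
    peer_ip: Optional[str] = None
    iface: Optional[str] = None

    @property
    def authenticated(self) -> bool:
        return self.auth_result == "ACK"

    @property
    def password_sent_in_clear(self) -> bool:
        # A protocol property, not a finding about this box: PAP puts the
        # password in the PPP frame as plaintext; CHAP and EAP do not.
        return self.auth_proto == "PAP"

def summarise(lines: Iterable[str]) -> PppoeAuth:
    s = PppoeAuth()
    in_peer_lcp_request = False  # indented option lines belong to the previous message
    for raw in lines:
        m = _LINE_RE.match(raw.rstrip("\n"))
        if not m or m.group("app") != "ppp":
            continue
        lm = _LINK_RE.match(m.group("msg"))
        link, body = (lm.group("link"), lm.group("body")) if lm else ("", m.group("msg"))
        if link and not s.link:
            s.link = link
        if body.startswith(" "):  # option line such as "  AUTHPROTO PAP" or "  MESG: ..."
            opt = body.strip()
            if in_peer_lcp_request and opt.startswith("AUTHPROTO "):
                s.peer_requested.append(opt.split(" ", 1)[1])
            elif opt.startswith("MESG: "):
                s.auth_message = opt[len("MESG: "):]
            elif (am := _ADDR_RE.match(opt)):
                s.local_ip, s.peer_ip = am.group("local"), am.group("peer")
            continue
        in_peer_lcp_request = body.startswith("LCP: rec'd Configure Request")
        if (nm := _AUTH_NEG_RE.match(body)):
            s.peer_wants, s.we_want = nm.group("peer"), nm.group("me")
        elif (an := _AUTHNAME_RE.match(body)):
            s.auth_proto, s.authname = an.group("proto"), an.group("name")
        elif (ar := _AUTH_RESULT_RE.match(body)):
            s.auth_proto, s.auth_result = ar.group("proto"), ar.group("result")
        elif (lu := _LINKUP_RE.match(body)):
            s.iface = lu.group("iface")
    return s

if __name__ == "__main__":
    print(summarise(SAMPLE.splitlines()))
```

Feed it the output of `grep ppp /var/log/system/*.log` for one session; a session the ISP rejected ends in `PAP: rec'd NAK` and comes back with `auth_result == "NAK"` and `authenticated == False`, which is quicker to spot than reading the LCP state changes by hand.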
#6
It's more likely the PPPoE interface is displaying the correct IP address as negotiated via IPCP, and that your ISP has another layer of SNAT translating your PPPoE address to another address.
#7
I assume your OPNsense deployment has only 1 x WAN G/W, the PPPoE interface.

This would explain the "package has no upstream equivalent" messages, as OPNsense needs INET connectivity to perform the complete health check.

What did you find in the system logs in System: Log Files: General, with the filter=ppp and severity=notice added?
#8
Quote from: verfluchten on May 08, 2025, 12:28:42 PM
Quote from: hharry on May 08, 2025, 03:18:48 AMNavigate to System: Firmware, and click on the Audit button -> Health
Firmware drops down another menu. Could you share a screenshot with the path to the Audit button?

#9
Quote from: verfluchten on May 08, 2025, 01:22:05 AM
Quote from: hharry on May 07, 2025, 04:27:47 AMan audit check
What is that?

Navigate to System: Firmware, and click on the Audit button -> Health

Did you also check the system logs?
#10
I'm running several OPNsense 25.1.5_5-amd64 instances with PPPoE and zero issues whatsoever; I also perform PPPoE functionality and performance LAB testing before upgrading production.

I'd suggest you run an audit check on your deployment...

Also, you should investigate the system logs in System: Log Files: General, and add the filter=ppp with severity=notice....
#11
Quote from: newsense on May 02, 2025, 07:24:09 AMAre things working fine on 25.1.4 ?

opnsense-revert -r 25.1.4 opnsense && /usr/local/etc/rc.filter_configure
No reboot required, but I would reset the states to be on the safe side.

No, 25.1.4 also suffers from the same bug.

Below is my upgrade path on 25.1 on my production OPNsense deployment; all versions below have the issue:

root@OPNsense:~ # egrep -ai 'OPNsense.localdomain: OPNsense ' /var/log/system/*
/var/log/system/system_20250411.log:<13>1 2025-04-11T09:11:49+10:00 OPNsense.localdomain kernel - - [meta sequenceId="17"] <118>*** OPNsense.localdomain: OPNsense 25.1.3 (amd64) ***
/var/log/system/system_20250414.log:<13>1 2025-04-14T00:05:31+10:00 OPNsense.localdomain kernel - - [meta sequenceId="17"] <118>*** OPNsense.localdomain: OPNsense 25.1.5_4 (amd64) ***
/var/log/system/system_20250423.log:<13>1 2025-04-23T08:44:29+10:00 OPNsense.localdomain kernel - - [meta sequenceId="15"] <118>*** OPNsense.localdomain: OPNsense 25.1.5_5 (amd64) ***


Below is the upgrade path on my staging LAB OPNsense deployment; all versions below also had the issue:

root@OPNsense:~ # egrep -ai 'OPNsense.localdomain: OPNsense ' /var/log/system/*
/var/log/system/system_20250412.log:<13>1 2025-04-12T10:00:32+10:00 OPNsense.localdomain kernel - - [meta sequenceId="16"] <118>*** OPNsense.localdomain: OPNsense 25.1.4_1 (amd64) ***
/var/log/system/system_20250412.log:<13>1 2025-04-12T10:06:26+10:00 OPNsense.localdomain kernel - - [meta sequenceId="18"] <118>*** OPNsense.localdomain: OPNsense 25.1.5_4 (amd64) ***
/var/log/system/system_20250422.log:<13>1 2025-04-22T13:09:30+10:00 OPNsense.localdomain kernel - - [meta sequenceId="16"] <118>*** OPNsense.localdomain: OPNsense 25.1.5_5 (amd64) ***
root@OPNsense:~ #

Even 24.7 releases also have this issue... I posted about it over here -> https://forum.opnsense.org/index.php?topic=45338.0
#12
Quote from: EricPerl on May 02, 2025, 03:26:41 AMWeird. Isn't the link something like: https://opnsense.fqdn/firewall_rule_lookup.php?rid=d83b28858f6858c902e03b3c214cd444 ?

Looks like an additional bug to me...

#13
Quote from: EricPerl on May 01, 2025, 10:22:45 PMHmm, when you hover above the session rule name, the underlying link shows a rule ID (and can be followed).
Is it the wrong rule? The other possibility is that the lookup by the GUI is messed up.

When clicking on the session rule name, it instead always takes you to the Firewall: Settings: Advanced page, and not to the rule itself.

Running OPNsense 25.1.5_5-amd64.
#14
25.1, 25.4 Series / Re: Where did bogons go?
May 01, 2025, 09:11:34 AM
Quote from: OPNenthu on May 01, 2025, 08:37:07 AMroot@firewall:~ # grep -nri bogons /var/log/system
root@firewall:~ #


Looks like the update is not triggering. Check your configuration in OPNsense Firewall: Settings: Advanced for the Bogon update frequency; I have mine set to daily, and it's been updating as expected.

You should also see a cronjob installed, like the snippet below:

root@OPNsense:~ # crontab -l
# or /usr/local/etc/cron.d and follow the same format as
# /etc/crontab, see the crontab(5) manual page.
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
#minute hour    mday    month   wday    command
1       3       *       *       *       (/usr/local/sbin/configctl -d filter schedule bogons) > /dev/null

Sample log file snippet below:
root@OPNsense:~ # grep -nri bogons /var/log/system
/var/log/system/latest.log:2:<13>1 2025-05-01T03:04:16+10:00 OPNsense.localdomain root 57509 - [meta sequenceId="1"] bogons update starting
/var/log/system/latest.log:3:<13>1 2025-05-01T03:04:19+10:00 OPNsense.localdomain root 64108 - [meta sequenceId="2"] Bogons V4 file updated: no changes.
/var/log/system/latest.log:4:<13>1 2025-05-01T03:04:19+10:00 OPNsense.localdomain root 74492 - [meta sequenceId="3"] Bogons V6 file updated: no changes.
/var/log/system/latest.log:5:<13>1 2025-05-01T03:04:19+10:00 OPNsense.localdomain root 76702 - [meta sequenceId="4"] update bogons is ending the update cycle
/var/log/system/system_20250430.log:25:<13>1 2025-04-30T03:05:05+10:00 OPNsense.localdomain root 49980 - [meta sequenceId="1"] bogons update starting
/var/log/system/system_20250430.log:26:<13>1 2025-04-30T03:05:08+10:00 OPNsense.localdomain root 60853 - [meta sequenceId="2"] Bogons V4 file updated: no changes.
/var/log/system/system_20250430.log:27:<13>1 2025-04-30T03:05:08+10:00 OPNsense.localdomain root 70377 - [meta sequenceId="3"] Bogons V6 file updated: no changes.
/var/log/system/system_20250430.log:28:<13>1 2025-04-30T03:05:08+10:00 OPNsense.localdomain root 72136 - [meta sequenceId="4"] update bogons is ending the update cycle
/var/log/system/system_20250501.log:2:<13>1 2025-05-01T03:04:16+10:00 OPNsense.localdomain root 57509 - [meta sequenceId="1"] bogons update starting
/var/log/system/system_20250501.log:3:<13>1 2025-05-01T03:04:19+10:00 OPNsense.localdomain root 64108 - [meta sequenceId="2"] Bogons V4 file updated: no changes.
/var/log/system/system_20250501.log:4:<13>1 2025-05-01T03:04:19+10:00 OPNsense.localdomain root 74492 - [meta sequenceId="3"] Bogons V6 file updated: no changes.
/var/log/system/system_20250501.log:5:<13>1 2025-05-01T03:04:19+10:00 OPNsense.localdomain root 76702 - [meta sequenceId="4"] update bogons is ending the update cycle
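Added example, not code from the posts or from OPNsense, covering both this bogons post and the earlier Suricata ET question (rule files whose timestamp never moves): given the crontab entry and the `bogons update starting` log lines, it lists the scheduled runs that have no matching log line, and it flags any rule file or feed whose last update is older than the schedule interval. The crontab and log lines are constructed from the post; the rule-file names, their mtimes and the clock value `NOW` are hypothetical. The cron parser only handles fields that are a plain number or `*`, which is what the generated daily/weekly/monthly entries look like.

```python
"""Check that a cron-scheduled OPNsense update really fired on schedule.

Added example; not code from the posts or from OPNsense. It serves both the
bogons question above and the earlier one about Suricata ET rules that keep
an old timestamp. It assumes the crontab line shape and log wording shown in
the post and only understands cron fields that are a number or "*". The
crontab, log lines, rule-file mtimes and "now" below are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

_CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(?P<cmd>.+)$")
# RFC 5424 header as OPNsense writes it; a leading "file:lineno:" grep prefix is tolerated.
_LOG_RE = re.compile(r"<\d+>1 (?P<ts>\S+) \S+ \S+ \S+ - \[meta sequenceId=\"\d+\"\] (?P<msg>.*)$")

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
#minute hour    mday    month   wday    command
1       3       *       *       *       (/usr/local/sbin/configctl -d filter schedule bogons) > /dev/null
"""
SAMPLE_LOG = """\
/var/log/system/system_20250430.log:25:<13>1 2025-04-30T03:05:05+10:00 OPNsense.localdomain root 49980 - [meta sequenceId="1"] bogons update starting
/var/log/system/system_20250430.log:26:<13>1 2025-04-30T03:05:08+10:00 OPNsense.localdomain root 60853 - [meta sequenceId="2"] Bogons V4 file updated: no changes.
/var/log/system/system_20250501.log:2:<13>1 2025-05-01T03:04:16+10:00 OPNsense.localdomain root 57509 - [meta sequenceId="1"] bogons update starting
"""
# Hypothetical rule-file mtimes, the kind of thing `ls -l /usr/local/etc/suricata/rules` shows.
SAMPLE_RULE_MTIMES = {
    "emerging-all.rules": datetime.fromisoformat("2025-04-20T03:00:00+10:00"),
    "other-feed.rules": datetime.fromisoformat("2025-05-02T03:00:00+10:00"),
}
NOW = datetime.fromisoformat("2025-05-02T04:00:00+10:00")           # constructed clock
WINDOW_START = datetime.fromisoformat("2025-04-29T12:00:00+10:00")  # how far back to audit
DAILY = timedelta(hours=24)

@dataclass(frozen=True)
class CronJob:
    minute: int
    hour: int
    mday: Optional[int]  # None means "*"
    wday: Optional[int]  # cron numbering, 0 or 7 = Sunday; None means "*"
    command: str

    def fires_on(self, day: datetime) -> bool:
        return ((self.mday is None or day.day == self.mday)
                and (self.wday is None or day.isoweekday() % 7 == self.wday % 7))

def _field(value: str) -> Optional[int]:
    if value == "*":
        return None
    if not value.isdigit():
        raise ValueError(f"unsupported cron field {value!r}: only a number or '*' is handled")
    return int(value)

def parse_cron_line(crontab: str, needle: str) -> Optional[CronJob]:
    """First job whose command contains `needle`; comments and VAR=value lines are skipped."""
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = _CRON_RE.match(line)
        if not m or needle not in m.group("cmd"):
            continue
        minute, hour, mday, month, wday = (_field(v) for v in m.groups()[:5])
        if minute is None or hour is None or month is not None:
            raise ValueError("only jobs with a fixed minute and hour and month '*' are handled")
        return CronJob(minute, hour, mday, wday, m.group("cmd"))
    return None

def update_starts(log_text: str, marker: str) -> list[datetime]:
    """Timestamps of log lines whose message contains `marker`."""
    return [datetime.fromisoformat(m.group("ts"))
            for m in map(_LOG_RE.search, log_text.splitlines()) if m and marker in m.group("msg")]

def expected_runs(job: CronJob, start: datetime, end: datetime) -> list[datetime]:
    """Every time the job should have fired in (start, end], walking day by day."""
    day = start.replace(hour=job.hour, minute=job.minute, second=0, microsecond=0)
    runs = []
    while day <= end:
        if day > start and job.fires_on(day):
            runs.append(day)
        day += timedelta(days=1)
    return runs

def missed_runs(job: CronJob, starts: list[datetime], start: datetime, now: datetime,
                grace: timedelta = timedelta(minutes=30)) -> list[datetime]:
    """Expected fire times with no "update starting" line within `grace` after them."""
    return [run for run in expected_runs(job, start, now)
            if not any(run <= t <= run + grace for t in starts)]

def stale(last_seen: dict[str, datetime], now: datetime, interval: timedelta,
          grace: timedelta = timedelta(hours=1)) -> list[str]:
    """Names whose last update is older than one interval plus grace (rule files, feeds, ...)."""
    return sorted(name for name, t in last_seen.items() if now - t > interval + grace)
```

On a live box, feed `parse_cron_line` the real `crontab -l` output and `update_starts` the output of `grep -nri bogons /var/log/system`; for the Suricata case build the dict for `stale` from the mtimes of the files in the rules directory and use the download interval from the cron schedule. A timestamp in the `missed_runs` result is the point in the system log at which to look for why the job did not run.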


#15
Yes, I have this exact same issue; it's a real PITA having to reset erroneous F/W states after an F/W reboot to have it handle outbound traffic in the correct F/W policy... OPNsense has been doing this for quite some time now...

The issue is very easy to replicate: with active LAN<>WAN traffic being handled by OPNsense, just reboot or upgrade OPNsense (which includes the reboot), and once OPNsense is up after the reboot, you will always see outbound traffic showing up in the incorrect F/W rule set... Seems like a very obvious OPNsense F/W bug to me, given how easy it is to replicate...