Messages - Deathmage85

#1
Pinpointed the widgets crashing the firewall:

1. Interfaces
2. Interface statistics
3. Traffic Graph
4. Gateways

If I add these widgets one-by-one or all together with the other default widgets, it pegs the PHP at 100% on all 6 of my CPU cores on a 12th Gen Intel(R) Core(TM) i3-1215U (6 cores, 8 threads) chip. As soon as they are removed and the save finally goes through and I then do a 'configctl webgui restart', the firewall stabilizes and is responsive in the GUI.

Should be noted, this has only occurred since upgrading to 25.1.11, previous version did not have this problem.

My plugins are presently very light, for testing, I have Zenarmor removed to help pinpoint the problem child, below are my current plugins:

os-frr (installed)   1.44_1   322KiB   2   OPNsense   The FRRouting Protocol Suite   
os-intrusion-detection-content-et-open (installed)   1.0.2_2   6.92KiB   3   OPNsense   IDS Proofpoint full ET open ruleset complementary subset for ET Pro Telemetry edition   
os-intrusion-detection-content-ptopen (installed)   1.0   1.13KiB   3   OPNsense   IDS Positive Technologies ESC ruleset   
os-intrusion-detection-content-snort-vrt (installed)   1.2   12.8KiB   3   OPNsense   IDS Snort VRT ruleset (needs registration or subscription)   
os-theme-cicada (installed)   1.39_1   5.28MiB   3   OPNsense   The cicada theme - dark grey onyx

 
#2
What logs, and in which location on the firewall, would help the developers troubleshoot why the plugins are causing this PHP loop?
#3
Hello,

root@firewall1:~ # opnsense-version
OPNsense 25.1.11 (amd64)


I can't seem to get past this issue with the main dashboard; it seems the widgets are causing a PHP loop that is pegging my CPU at 100%:

Here is the top -SH dump:

last pid:  2502;  load averages: 18.75,  6.95,  2.82                                                                                                                    03151:23:06:58  36 running, 250 sleeping, 29 waiting
CPU: 98.0% user,  0.0% nice,  2.0% system,  0.0% interrupt,  0.0% idle
Mem: 5858M Active, 4870M Inact, 3206M Wired, 637M Buf, 17G Free
Swap: 10G Total, 10G Free

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
46478 root        101    0   117M    85M CPU6     6   0:07  64.58% php
47835 root         68    0   121M    88M piperd   4   0:10  60.97% php
92555 root         99    0   113M    80M RUN      7   0:04  47.68% php
33251 root        102    0   165M   129M RUN      4   0:10  43.04% php
97776 root         97    0   119M    77M RUN      5   0:02  42.44% php
82542 root        103    0   117M    85M RUN      5   0:06  39.67% php
94243 root         99    0   113M    79M CPU7     7   0:04  36.66% php
57773 root         68    0   217M   169M select   4   0:10  26.23% php
48910 root         97    0   117M    84M RUN      0   0:07  25.51% php
47339 root         97    0   117M    84M RUN      2   0:07  24.04% php
79294 root         97    0   115M    81M RUN      0   0:05  23.93% php
78748 root         97    0   113M    81M CPU0     0   0:05  23.63% php
84494 root         96    0   111M    79M RUN      1   0:03  22.56% php
81368 root         96    0   113M    80M RUN      3   0:04  22.54% php
42735 root         98    0   117M    85M RUN      3   0:08  22.26% php
47253 root         97    0   117M    85M RUN      1   0:07  21.72% php
50218 root         97    0   115M    83M RUN      1   0:06  21.72% php
91636 root         94    0   109M    77M RUN      2   0:02  21.72% php
83427 root         96    0   111M    79M RUN      3   0:03  21.58% php
93904 root         96    0   119M    78M RUN      1   0:03  20.80% php
37465 root         97    0   119M    87M RUN      0   0:09  20.25% php
82481 root         97    0   113M    80M RUN      3   0:04  20.11% php
58274 root        103    0   165M   130M RUN      5   0:10  19.64% php
95345 root         92    0   107M    74M RUN      0   0:01  19.46% php
91112 root         95    0   111M    79M RUN      2   0:03  18.21% php
79491 root         96    0   113M    81M CPU2     2   0:04  16.47% php
85055 root         21    0   223M   182M kqread   2   0:01   2.29% python3.11
 1977 root         20    0    99M    67M select   4   0:01   1.93% php-cgi
11076 root         20    0    10G  6631M uwait    4   0:00   0.31% suricata{FM#01}
  364 root         68    0   258M   120M accept   4   0:00   0.15% python3.11{python3.11}
48606 root         20    0    17M  4720K CPU1     1   0:00   0.14% top
11076 root         20    0    10G  6631M nanslp   7   1:43   0.12% suricata{suricata}
    0 root        -60    -     0B  1296K -        4   0:00   0.11% kernel{if_config_tqg_0}
    0 root        -60    -     0B  1296K -        2   0:00   0.09% kernel{if_io_tqg_2}
    0 root        -60    -     0B  1296K -        0   0:00   0.08% kernel{if_io_tqg_0}
11076 root         20    0    10G  6631M select   4   0:01   0.07% suricata{W#01-igc0}
18091 root         20    0    45M    16M kqread   1   0:00   0.07% syslog-ng{syslog-ng}
    0 root        -60    -     0B  1296K -        6   0:00   0.06% kernel{if_io_tqg_6}
97990 root         20    0    23M    11M kqread   3   0:00   0.06% lighttpd
11076 root         20    0    10G  6631M select   4   0:00   0.05% suricata{W#04-igc0}
70739 root         20    0    28M    14M select   4   0:00   0.04% python3.11
11076 root         20    0    10G  6631M select   4   0:00   0.03% suricata{W#03-igc0}
11076 root         20    0    10G  6631M select   4   0:00   0.03% suricata{W#02-igc0}
    8 root        -16    -     0B    48K psleep   4   0:00   0.03% pagedaemon{dom0}
    2 root        -60    -     0B   128K WAIT     0   0:00   0.03% clock{clock (0)}
23582 root         20    0    20M  8860K select   2   0:00   0.02% sshd-session
18091 root         20    0    45M    16M kqread   7   0:01   0.02% syslog-ng{syslog-ng}
11076 root         20    0    10G  6631M select   2   0:00   0.02% suricata{W#04-igc0^}
54398 root         20    0    14M  2616K bpf      4   0:00   0.02% filterlog
11076 root         20    0    10G  6631M select   4   0:00   0.02% suricata{W#01-igc0^}
11076 root         20    0    10G  6631M select   0   0:00   0.02% suricata{W#03-igc0^}
    6 root        -16    -     0B    16K pftm     4   0:00   0.02% pf purge
11076 root         20    0    10G  6631M select   4   0:00   0.02% suricata{W#02-igc0^}
    0 root        -60    -     0B  1296K -        7   0:00   0.02% kernel{if_io_tqg_7}
   17 root         20    -     0B   144K sdflus   4   0:00   0.01% bufdaemon{/ worker}
    0 root        -60    -     0B  1296K -        5   0:00   0.01% kernel{if_io_tqg_5}
18091 root         20    0    45M    16M kqread   6   0:01   0.01% syslog-ng{syslog-ng}
    7 root        -16    -     0B    16K -        6   0:00   0.01% rand_harvestq
69544 root         20    0    27M    14M select   2   0:00   0.01% python3.11
30866              20    0    13M  2180K select   4                powerd

I thought it was maybe the Zenarmor and Suricata, but this has only started happening once I upgraded to the latest firmware.

Anyone else running into this problem?

Do the devs know of how to correct this issue?
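When a `top -SH` snapshot like the one above is pasted into a thread, the first thing a responder wants is the per-command total rather than a wall of threads. The following parser is an added example (not part of the original post or of OPNsense) that reads the FreeBSD `top -SH` layout, strips the `{thread}` suffix so all `suricata{...}` and `kernel{...}` threads roll up under one name, treats the blank WCPU that `top` prints for idle processes (the `powerd` row) as 0, and flags any command whose combined WCPU exceeds a full core. The embedded sample is a constructed excerpt modelled on the dump in the post; the threshold and function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the top -SH output posted above (not the full dump).
SAMPLE_TOP = """\
last pid:  2502;  load averages: 18.75,  6.95,  2.82
CPU: 98.0% user,  0.0% nice,  2.0% system,  0.0% interrupt,  0.0% idle
Mem: 5858M Active, 4870M Inact, 3206M Wired, 637M Buf, 17G Free
Swap: 10G Total, 10G Free

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
46478 root        101    0   117M    85M CPU6     6   0:07  64.58% php
47835 root         68    0   121M    88M piperd   4   0:10  60.97% php
92555 root         99    0   113M    80M RUN      7   0:04  47.68% php
85055 root         21    0   223M   182M kqread   2   0:01   2.29% python3.11
11076 root         20    0    10G  6631M uwait    4   0:00   0.31% suricata{FM#01}
11076 root         20    0    10G  6631M select   4   0:00   0.07% suricata{W#01-igc0}
    0 root        -60    -     0B  1296K -        4   0:00   0.11% kernel{if_config_tqg_0}
30866              20    0    13M  2180K select   4                powerd
"""

# top -SH appends the thread name in braces; drop it to group by process image.
THREAD_SUFFIX = re.compile(r"\{.*\}$")


def parse_top_sh(text):
    """Return a list of (pid, wcpu_percent, base_command) for each process row."""
    rows = []
    in_table = False
    for line in text.splitlines():
        # The column header marks where the summary block ends and rows begin.
        if line.lstrip().startswith("PID "):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        command = THREAD_SUFFIX.sub("", fields[-1])
        wcpu_token = fields[-2]
        # top leaves WCPU blank for idle processes (the powerd row above); count them as 0.
        wcpu = float(wcpu_token.rstrip("%")) if wcpu_token.endswith("%") else 0.0
        rows.append((int(fields[0]), wcpu, command))
    return rows


def cpu_by_command(text):
    """Sum WCPU across all processes/threads sharing a command name, highest first.

    Returns a list of (command, total_wcpu, row_count) tuples.
    """
    totals = defaultdict(float)
    counts = defaultdict(int)
    for _pid, wcpu, command in parse_top_sh(text):
        totals[command] += wcpu
        counts[command] += 1
    return sorted(
        ((cmd, round(totals[cmd], 2), counts[cmd]) for cmd in totals),
        key=lambda item: item[1],
        reverse=True,
    )


def runaway_commands(text, threshold=100.0):
    """Commands whose combined WCPU exceeds one full core (threshold is a chosen value)."""
    return [cmd for cmd, total, _n in cpu_by_command(text) if total >= threshold]


if __name__ == "__main__":
    for cmd, total, n in cpu_by_command(SAMPLE_TOP):
        print(f"{cmd:<12} {n:>3} rows  {total:>7.2f}% WCPU")
    print("over one core:", runaway_commands(SAMPLE_TOP))
```

Run it against a full capture (`top -SH -n 100 > /tmp/top.txt` on the firewall, then feed the file contents to `cpu_by_command`) and the aggregate makes the "many php processes, each a fraction of a core, together far more than one core" pattern obvious at a glance, which is the shape of the dashboard widget problem rather than a single stuck process.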
#4
25.1, 25.4 Series / Re: MFA for OPNsense GUI
June 01, 2025, 06:00:30 PM
Thank you kindly.

After all these months, figured out the OPNsense without reading the documentation once. So, I'll bookmark this moving forward.

Thank you for your time. :)
#5
25.1, 25.4 Series / MFA for OPNsense GUI
June 01, 2025, 05:29:03 PM
Hello,

Is there a way right now to enable MFA for the OPNsense GUI, or are there plans for MFA for the GUI in future firmware releases?

Like I'm looking for a way to enable Microsoft Authenticator, Google Authenticator, Duo MFA, or if all else fails Yubikey (but would require physical access to firewall - hard for remote firewalls so hopefully the 1st 3 options).
#6
Eventually it loaded after about 20 minutes and then I could set it back to 1000.
#7
So these are the rulesets and alerts I've typically been blocking. Curious if others have found some unique ones that should be changed from alert to drop and can share.

ET INFO Observed DNS over HTTPS Domain
ETPRO MALWARE
ETPRO PHISHING
ETPRO INFO Dynamic DNS Domain
ETPRO INFO Observed DNS Query for DDNS domain
ETPRO INFO DYNAMIC_DNS Query
ETPRO INFO DYNAMIC_DNS
ET CINS Active Threat Intelligence Poor Reputation IP group
ET SCAN Sipvicious User-Agent Detected
ET Scan
NMAP
MITRE Recon
MITRE Discovery
MITRE Lateral Movement
MITRE Initial Access
MITRE Persistence
MITRE Collection
MITRE Command and Control
MITRE Defense Evasion
MITRE Exfiltration
MITRE Impact
MITRE Resource Development
Exploit Kit
Windows
Kerberos
Powershell
Remote Code Execution
Security Feature Bypass
Windows Firewall
Print Spooler
DLL Hijack Command
Metasploit
Ransomware
Active Directory
Netgear
Cisco
Nexus
QNAP
VMware
OSSIM
Proofpoint
Defender
ET Policy
ET EXPLOIT
ET INFO
ET MALWARE
ET USER_AGENTS
ET WEB_SPECIFIC_APPS
INDICATOR-COMPROMISE
OS-WINDOWS
NETBIOS
SERVER-WEBAPP
SERVER-OTHER
SERVER-IIS
BROWSER-CHROME
BROWSER-IE
BROWSER-EDGE
BROWSER-TOR
EXPLOIT-KIT
ET ATTACK_RESPONSE
ET WEB_CLIENT
ET HUNTING
OS-Windows
OS-Linux
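In OPNsense the alert-to-drop change is made under Services > Intrusion Detection > Policy, which works on the installed rule metadata. The block below is an added example, not OPNsense code or anything from the original post, that shows what such a policy amounts to at the rule-file level: it takes Suricata rule text, matches the `msg:` field against a handful of the category prefixes listed above, and rewrites the action token of matching enabled `alert` rules to `drop`, leaving commented-out (disabled) rules and non-matching rules untouched. The rules, their sids and the `DROP_PREFIXES` subset are constructed for the example.

```python
import re

# Constructed sample rules in Suricata syntax; the sids are placeholders, not real ET sids.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Sipvicious User-Agent Detected"; content:"friendly-scanner"; http_user_agent; sid:9000001; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS over HTTPS Domain (example .invalid)"; dns.query; content:"doh.example.invalid"; sid:9000002; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO TLS Handshake Failure"; sid:9000003; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Possible SMB Probe"; sid:9000004; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"ET MALWARE Generic Beacon"; sid:9000005; rev:1;)
"""

# A subset of the categories from the post, expressed as msg prefixes (constructed list).
DROP_PREFIXES = [
    "ET SCAN ",
    "ET MALWARE ",
    "ET INFO Observed DNS over HTTPS Domain",
    "MITRE ",
    "ET EXPLOIT ",
]

# An enabled rule starts with its action; a leading '#' (disabled rule) will not match.
RULE_LINE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*msg:"(?P<msg>[^"]*)".*)$'
)
SID = re.compile(r"sid:(\d+);")


def to_drop(rule_text, prefixes=DROP_PREFIXES):
    """Rewrite matching enabled 'alert' rules to 'drop'.

    Returns (rewritten_text, changed_sids). Rules whose msg does not start with one
    of the prefixes, rules already using another action, comments and blank lines
    are passed through unchanged.
    """
    out, changed = [], []
    for line in rule_text.splitlines():
        m = RULE_LINE.match(line)
        if (
            m
            and m.group("action") == "alert"
            and any(m.group("msg").startswith(p) for p in prefixes)
        ):
            out.append("drop " + m.group("rest"))
            sid = SID.search(line)
            changed.append(int(sid.group(1)) if sid else None)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def action_counts(rule_text):
    """Count enabled rules per action token, e.g. {'alert': 4} before, {'drop': 3, 'alert': 1} after."""
    counts = {}
    for line in rule_text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts


if __name__ == "__main__":
    rewritten, changed = to_drop(SAMPLE_RULES)
    print("before:", action_counts(SAMPLE_RULES))
    print("after: ", action_counts(rewritten))
    print("changed sids:", changed)
    print(rewritten)
```

Two details matter in practice: the disabled `# alert ...` line stays disabled rather than being silently re-enabled as a drop, and a prefix such as `ET INFO Observed DNS over HTTPS Domain` is deliberately narrower than `ET INFO ` so that the broad informational category is not flipped wholesale. Direct edits to the downloaded rule files are overwritten by the next ruleset update, which is why the Policy tab, not a file edit, is where this belongs on a live firewall.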
#8
Hello,

Does anyone know how to reset the Suricata alerts page if I curiously changed the view to 5000 but now it's been hung on "processing request"? I can't seem to do it in the interface by setting it back to the default 7 results or even 1000 (it seems stable at 1000), and I'm not finding a setting on Google on how to reset it via the command line.

Have others run into this issue in the past and gotten around it?
#9
As a word of caution, please make sure you have a backup of your firewall and a management interface defined before messing around with Suricata in CLI.

A few weeks ago, my own Suricata stopped pulling down rulesets. Thankfully, I was paranoid and took backups daily. When I went to fix it via CLI, it nuked the Suricata IPS config file, and then the firewall locked me out. Ultimately, I had to reinstall and recover. It only took me about 25 minutes, but still.

Err on the side of caution if you mess around in the CLI with Suricata's rulesets.
#10
I sent back the Protectli V1210 and got a V1410, and with pfSense it seems to work a lot better than the V1210. I think because I was trying to force (and it worked-ish) the USB NIC for management, it caused problems with routing and filtering.
#11
I strongly advise if your firewall has the memory to enable all MITRE rulesets at the bare minimum.
#12
ET Pro Telemetry is a paid license, do you have a valid token issued?

You can install the plugin, download the rulesets, but if you don't have a valid subscription token you won't get very far.
#13
So I've setup the transparent bridge identical to this youtube video and it doesn't appear to work.

https://www.youtube.com/watch?v=Rb4vlN_Hf-U

Ironically, I saved the OPNsense config and deployed pfSense to the Protectli V1211 vault, and it is working as a transparent bridge-based inline IPS, so I'm left pondering what is broken in OPNsense in version 25.1.1.

The YouTube video had it working in 24.7.

Going to let this sit for a little bit, and then I'm going to mock this up in my VMware cluster and see if I can't tinker away at why 25.1.1 is broken compared to 24.7 for a transparent bridge-based IPS.
#14
Hello,

I've deployed OPNsense 25.1.1 to a Protectli 2-port vault (I'm using a persistently configured USB 3.0 NIC for management), and I placed the LAN and WAN in a bridge. I've enabled promiscuous mode and set IPv4 & IPv6 to none.

I've set the firewall to have an 'inbound any any any any' rule and also placed an 'inbound udp any to 255.255.255.255 over port 67' rule for DHCP leases from the Arris modem. I've placed the DHCP rule above the any any any any rule.

Right now, even with enabling a lot of the advanced firewall settings (static route filtering, disable reply-to, and firewall optimization set to conservative), minus disabling the firewall itself, I still can't get the OPNsense to simply be in 'inline' mode and simply 'monitor' the traffic that flows through the bridge, as the default deny rule blocks everything.

Does anyone know how to effectively stop the firewall from using the default deny firewall rule and only let the Suricata IPS block based on detection(s) defined in the rulesets while allowing DHCP traffic to issue an IP to an upstream OPNsense firewall and for non-nefarious traffic to otherwise flow from the ISP modem to the 1st tier firewall without restrictions?

One key setting I found in past deployments of OPNsense that I can't seem to find in 25.1.1 is: "Disable stateful filtering for bridge interfaces"; does anyone know where this moved or morphed into?

I did find two tunables, "net.link.bridge.pfil_bridge set to 0 && net.link.bridge.pfil_member set to 0", but it seems the default deny, as mentioned, is still blocking, so what gives? O.o

Goal: get Suricata on this 2 port vault in transparent IPS mode, and then on the upstream firewall enable Zenarmor on the WAN port. Effectively offloading the IPS to a dedicated box.
#15
Got mine to work again.

I did a backup on Zenarmor a couple of days ago, uninstalled Zenarmor, rebooted the firewall, and then reinstalled Zenarmor and restored the backup, and now the reports are working. The plugin did show up as orphaned in the plugin after doing 25.1.1.

Shall see if these reports still work over the coming days.