Messages

The request has been closed with the response pasted below.

DENY UNKNOWN option in ISC is still needed for the more security conscious.

Even if a DHCP pool is left empty, if an endpoint has a static configuration it will still be able to connect.

DENY UNKNOWN will remove the ability for a rogue endpoint to be connected that's got static IP?

=====================
Opnlearn
last week
Author
As suggested in this thread, leaving a subnet with an empty list of pools has the effect desired, the server do not assign an IP to clients without a reservation.

Proceeding to close the issue for that reason.

=====================

I would not be too concerned about it. The domain quickdrivingtestcancellations.net is not registered currently. There is only a reverse DNS entry still pointing to it from the IP.

Maybe the IP was transferred with a rack-mounted server to the new owner. The company owning the IP ("Single Mode Networks Ltd") is a hoster with somewhat bad reputation, whereas the domain leontp.com belongs to a company Uputronics making NTP clocks.

Ahhh. insightful and educational response. Thank you. My biggest concern at the time was the volume of requests which were going to that NTP server. Almost every minute or multiple per minute.

What device is requesting that server? I would certainly regard that as suspicious if I hadn't set a device to use that server.

It's the NTP service on the firewall itself making these connections. It was set to use "0.opnsense.pool.ntp.org
 and the "dubious" domain/address is part of that pool.

The domain is unusual "quickdrivingtestcancellations. Why would a driving test cancellation service volunteer as an NTP server? Maybe they've errantly become an NTP server and got added into the pool?

I had NTP set to prefer 0.opnsense.pool.ntp.org

Noticed in firewall live log repeated hits to 85.199.214.99:123 - server1.quickdrivingtestcancellations.net:123 (NTP)

I have low confidence in this domain/IP.

Have set to not prefer any *.opnsense.pool.ntp.org and instead added cloudflares NTP server.

Not sure of exact nature of the suspicions but on various threat intel the IP and domain is arousing suspicion.

Are you using hyperscan in intrusion detection?

Also are these packets bypassing intrusion detection when buffer is full? what is the actual reason they are happening? Slow hardware? Bad Settings?

I started to experience this one the latest update or at least it's noticeably worse causing my LAN interface to hang.

My hardware:
CPU: (4 cores, 1.50GHz)
RAM: 16GB (16947675136 bytes)
Cores: 4 (no Hyper-Threading)
NICs: Realtek Gigabit (re0 for WAN, re1 for LAN)
Current CPU Frequency: 1500MHz
Available Free Memory Pages: 2,356,511

I've tried these tweaks incrementally increasing them and rebooting to test. Any high load with IPS/IDS enabled with hyperscan/aho and aho ken steele, results in the LAN interface hanging.


THEN!!! I realised because I'm a dumb***.... when I re-imaged my FW, I forgot to reinstall the Realtek driver plugin :D

Not sure if OP might be having same/similar issue with missing NIC plugin?

 /var/log/system/*
 /var/log/system/latest.log

Having same issue.

I tried these, seems less frequent but not resolved.

Original values
dev.netmap.buf_num: 163840
dev.netmap.ring_num: 200
dev.netmap.buf_size=2048

New Values
sysctl dev.netmap.buf_num=200000
sysctl dev.netmap.ring_num=256
sysctl dev.netmap.buf_size=4096