Messages - Manxmann

1
17.7 Legacy Series / Re: Traffic Graph : IN speed not showing
« on: September 10, 2017, 11:51:39 pm »
Sorry I cannot help; I wanted to comment that I've just upgraded to 17.7.1 from 17.7 and now my Out traffic graph is showing as zero.


2
17.1 Legacy Series / Re: IPSec reported tunnels
« on: May 30, 2017, 10:33:01 pm »
Thanks Franco,

Patch applied, I'll report back on my progress.

root@XEN-FW:~ # opnsense-patch a039ad4d
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From a039ad4db4d5819fa427c694c94d09846a377e3e Mon Sep 17 00:00:00 2001
|From: Franco Fichtner <franco@opnsense.org>
|Date: Fri, 19 May 2017 16:19:24 +0200
|Subject: [PATCH] ipsec: fix widget count after 5.5.2 update
|
|---
| src/www/widgets/widgets/ipsec.widget.php | 12 +++++++++---
| 1 file changed, 9 insertions(+), 3 deletions(-)
|
|diff --git a/src/www/widgets/widgets/ipsec.widget.php b/src/www/widgets/widgets/ipsec.widget.php
|index 4a98e13a5..58eb9e258 100644
|--- a/src/www/widgets/widgets/ipsec.widget.php
|+++ b/src/www/widgets/widgets/ipsec.widget.php
--------------------------
Patching file www/widgets/widgets/ipsec.widget.php using Plan A...
Hunk #1 succeeded at 34.
Hunk #2 succeeded at 66.
Hunk #3 succeeded at 109.
done
All patches have been applied successfully.  Have a nice day.
root@XEN-FW:~ #

3
17.1 Legacy Series / IPSec reported tunnels
« on: May 30, 2017, 02:57:26 pm »
Hi Folks,

Sorry me again :)

More of an observation than a bug. I have a number of 'site to site' IPsec VPNs in place between 5 different sites. All sites run OPNsense, mostly 17.1.7, but one is 17.1.4.

Everything works and for the most part is trouble free, but on each host I see odd numbers reported for the number of connected tunnels. For example, I have one FW configured with one phase 1 link and two phase 2 using IKEv1. The Dashboard shows 4 Active tunnels and -2 In-Active.

I have also noted at times that all the tunnels on a host can be 'Active' and working and the Dashboard shows 0 Active and 0 in-active. When this occurs checking VPN/IPSec/Status Overview shows nothing. Restarting the StrongSWAN daemon corrects this.

Whilst this odd behaviour doesn't seem to affect the IPSec function it does make diagnosing problems somewhat tricky.

Cheers

4
17.1 Legacy Series / Re: Intrusion Detection w/ IPS enabled = nothing works
« on: May 30, 2017, 02:49:22 pm »
I've had a similar issue with ProxMox 4.4; eventually I put the issue down to buggy VirtIO NIC drivers in FreeBSD.

Moving my exact same config (backup/restore) to physical hardware with Intel e1000 style NICs and everything works.

Have you tried changing the NIC type to e1000?

5
17.1 Legacy Series / Re: FTP-Proxy FTP server behind OPNSense FW with NAT
« on: March 08, 2017, 12:22:02 am »
Sorted, thanks for the replies

6
17.1 Legacy Series / Re: FTP-Proxy FTP server behind OPNSense FW with NAT
« on: March 03, 2017, 06:26:09 pm »
Quick update: if I force passive mode on the client (ftp -p) I can connect.

Trouble is I don't have control over which clients connect so cannot rely on this as a solution.

7
17.1 Legacy Series / [SOLVED] FTP-Proxy FTP server behind OPNSense FW with NAT
« on: March 03, 2017, 06:18:19 pm »
Hi Folks,

I'm having an issue with FTP Proxy so need some guidance again.

Ok first off the network plan is as follows:

[Internet] > [OPNSense] > [FTP Server vsftpd]

So far I've:

/ Installed the FTP-Proxy plugin
/ Configured a single proxy instance listening on 127.0.0.1:8021, reverse address set to the internal IP of the FTP server, port 21
/ Added a WAN rule allowing ftp/21 to the WAN IP address
/ Added a port forward rule forwarding WAN ftp/21 to 127.0.0.1:8021

Ok, if I ftp to the WAN IP address I can connect to the FTP proxy and log on to the target FTP server (either anonymous or a local user account). However, if I then try to perform any action I get the following (the command hangs, hence the Ctrl+C to cancel):

yyyyy@GC-JUMPBOX:~$ ftp -v 159.8.x.x
Connected to 159.8.x.x.
220 Welcome to the Txxx Sxxxx Patching FTP service.
Name (159.8.x.x:yyyyy): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
^C
421 Service not available, remote server has closed connection

receive aborted
waiting for remote to finish abort
ftp>

The clients tested are Debian's default FTP client and MS Windows; both can connect to ftp.debian.org, for example, eliminating the local firewall.

It looks like when the FTP client issues the N+1 request the proxy doesn't work.

If I connect directly to the FTP server using a client on the same LAN everything works.

Any help very much appreciated.

Simon

8
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: December 14, 2016, 08:16:59 pm »
Silly me, the Opteron Istanbul core does support SSE3 and it is shown in the dmesg of OPNsense booting; however, it doesn't support SSSE3 (extra S). Could this be what Hyperscan is using, not SSE3?

CPU: Six-Core AMD Opteron(tm) Processor 2431 (2400.14-MHz K8-class CPU)
  Origin="AuthenticAMD"  Id=0x100f80  Family=0x10  Model=0x8  Stepping=0
  Features=0x1783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x80a02001<SSE3,CX16,x2APIC,POPCNT,HV>
  AMD Features=0xee500800<SYSCALL,NX,MMX+,FFXSR,Page1GB,RDTSCP,LM,3DNow!+,3DNow!>
  AMD Features2=0x5f3<LAHF,CMP,CR8,ABM,SSE4A,MAS,Prefetch,IBS>
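As an added example (not from the thread or the OPNsense project): a small C program that decodes CPUID leaf 1 ECX the same way FreeBSD's dmesg prints it as Features2, using the Opteron 2431 value quoted above (0x80a02001) to show that SSE3 is set but SSSE3 (bit 9) is not, and, on an x86 build, reading the same register from the running host so an operator can check a box before relying on an SSSE3-dependent Suricata/Hyperscan build. Bit positions are the standard CPUID leaf 1 ECX assignments; the x86-only guard is an assumption so the program also compiles on other architectures.

```c
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Bit positions in CPUID leaf 1 ECX (FreeBSD prints this register as
 * "Features2" in dmesg). Standard Intel/AMD assignments. */
enum { BIT_SSE3 = 0, BIT_SSSE3 = 9, BIT_SSE41 = 19, BIT_SSE42 = 20,
       BIT_POPCNT = 23, BIT_HV = 31 };

/* Features2 value from the Opteron 2431 dmesg quoted in the thread. */
#define OPTERON_2431_FEATURES2 0x80a02001u

/* Return 1 if `bit` is set in the given ECX word, else 0. */
int ecx_has_bit(unsigned int ecx, int bit) {
    return (ecx >> bit) & 1u;
}

/* A CPU is usable for an SSSE3 build only when both SSE3 and SSSE3
 * are advertised. Returns 1 when capable, 0 otherwise. */
int ssse3_capable(unsigned int ecx) {
    return ecx_has_bit(ecx, BIT_SSE3) && ecx_has_bit(ecx, BIT_SSSE3);
}

/* Read leaf 1 ECX from the running CPU. Returns 0 on success, -1 when
 * CPUID is unavailable (non-x86 build or leaf not supported). */
int read_live_features2(unsigned int *ecx_out) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
        *ecx_out = ecx;
        return 0;
    }
#endif
    (void)ecx_out;
    return -1;
}

static void report(const char *label, unsigned int ecx) {
    printf("%s: Features2=0x%08x SSE3=%d SSSE3=%d -> %s\n", label, ecx,
           ecx_has_bit(ecx, BIT_SSE3), ecx_has_bit(ecx, BIT_SSSE3),
           ssse3_capable(ecx) ? "ok for SSSE3 builds" : "SSSE3 missing");
}

int main(void) {
    unsigned int live;
    report("Opteron 2431 (from thread)", OPTERON_2431_FEATURES2);
    if (read_live_features2(&live) == 0)
        report("this host", live);
    else
        puts("this host: CPUID leaf 1 not available");
    return 0;
}
```

Inside a VM the hypervisor's CPUID mask is what the guest sees, so the live result reflects the virtual CPU, not necessarily the physical one.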

9
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: December 14, 2016, 04:06:19 pm »
Thanks franco,

That sounds like an interesting situation. As per your recommendation I will lock the Suricata package now from updates and call on your generosity should a major update occur that I need to deploy.

With regard to your latter statement, yes, according to everything I can find it should support SSE3. However, looking at a Linux VM running on the same host I get the following; as you can see, SSE3 is missing for some reason. I've checked on a couple of DL385 G6 servers and the results are the same. I'll start looking to see if I can find any microcode issues/updates on Google:

/proc# cat cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 16
model           : 8
model name      : Six-Core AMD Opteron(tm) Processor 2431
stepping        : 0
microcode       : 0x10000da
cpu MHz         : 2400.160
cache size      : 512 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow rep_good nopl extd_apicid pni cx16 x2apic popcnt hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefetch ibs vmmcall
bogomips        : 4800.32
TLB size        : 1024 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 48 bits physical, 48 bits virtual
power management:

10
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: December 14, 2016, 12:45:08 am »
Thanks franco!

Suricata has now been up and running for over 1 hour!

Now the big question: is this something that can be addressed going forward, or would the removal of SSE3 support cause too many performance issues? I guess I'm asking, is my ability to run Suricata on this host on borrowed time?


11
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: December 13, 2016, 05:11:03 pm »
Sorry for the delay.

Aha! Progress, excellent!

Yes it's an Opteron 2431 (Six Core) DL385 G6 server.

Crypto is currently OpenSSL

12
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: November 22, 2016, 09:14:51 pm »
Just updated to 16.7.9 on 2 boxes. Same result, Suricata will not run:

root@XEN-FW:/usr/local/etc/suricata # suricata -c /usr/local/etc/suricata/suricata.yaml -i xn0 -v
22/11/2016 -- 20:06:05 - <Warning> - [ERRCODE: SC_WARN_FASTER_CAPTURE_AVAILABLE(275)] - faster capture option is available: NETMAP (--netmap=xn0). Use --pcap=xn0 to suppress this warning
22/11/2016 -- 20:06:05 - <Info> - Including configuration file installed_rules.yaml.
Illegal instruction (core dumped)
root@XEN-FW:/usr/local/etc/suricata #

Log:

22/11/2016 -- 20:12:31 - <Notice> - This is Suricata version 3.1.3 RELEASE
22/11/2016 -- 20:12:31 - <Info> - CPUs/cores online: 2
22/11/2016 -- 20:12:31 - <Info> - Found an MTU of 1500 for 'xn0'
22/11/2016 -- 20:12:31 - <Info> - Found an MTU of 1500 for 'xn0'
22/11/2016 -- 20:12:31 - <Info> - No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
22/11/2016 -- 20:12:37 - <Info> - 22 rule files processed. 10282 rules successfully loaded, 0 rules failed
22/11/2016 -- 20:12:37 - <Info> - 10282 signatures processed. 46 are IP-only rules, 3312 are inspecting packet payload, 7864 inspect application layer, 102 are decoder event only
22/11/2016 -- 20:12:39 - <Info> - Threshold config parsed: 0 rule(s) found
22/11/2016 -- 20:12:39 - <Info> - eve-log output device (regular) initialized: eve.json
22/11/2016 -- 20:12:39 - <Info> - stats output device (regular) initialized: stats.log
22/11/2016 -- 20:12:39 - <Info> - Going to use 1 thread(s)
22/11/2016 -- 20:12:39 - <Info> - using interface xn0
22/11/2016 -- 20:12:39 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
22/11/2016 -- 20:12:39 - <Info> - Found an MTU of 1500 for 'xn0'
22/11/2016 -- 20:12:39 - <Info> - Set snaplen to 1524 for 'xn0'
22/11/2016 -- 20:12:39 - <Info> - Going to use 1 thread(s)
22/11/2016 -- 20:12:39 - <Info> - using interface xn0
22/11/2016 -- 20:12:39 - <Info> - Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
22/11/2016 -- 20:12:39 - <Info> - Found an MTU of 1500 for 'xn0'
22/11/2016 -- 20:12:39 - <Info> - Set snaplen to 1524 for 'xn0'
22/11/2016 -- 20:12:39 - <Info> - RunModeIdsPcapWorkers initialised
22/11/2016 -- 20:12:39 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.

13
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: August 27, 2016, 09:28:07 am »
Thanks Franco,

Unfortunately this doesn't solve 'this' problem. Xen has, it would seem, a rather annoying bug with TX offload and FreeBSD which results in a huge performance drop when a FreeBSD VM forwards packets between VIFs. Having encountered this problem previously, I already have VIF/Bridge/Physical and VM offload engines disabled.

As before, prior to 16.7 Suricata worked without issue :(

14
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: August 25, 2016, 03:32:22 pm »
Hey Folks,

I've tracked through all the IPS broken discussions and still have no solution to my problem.

This morning I upgraded to 16.7.2 / 10.3.p7 and, just as before, Suricata borks in either IPS or IDS mode.

Just to confirm, the firewall is running in a VM on a Citrix XenServer 7.0 server.

FreeBSD _IS_ Xen aware and as such uses the correct XN driver, and XenServer provides no mechanism to override this; see dmesg below:

root@XEN-FW:~ # dmesg | grep -i Xen
XEN: Hypervisor version 4.6 detected.
ACPI APIC Table: <Xen HVM>
xen_et0: <Xen PV Clock> on motherboard
Event timer "XENTIMER" frequency 1000000000 Hz quality 950
Timecounter "XENTIMER" frequency 1000000000 Hz quality 950
acpi0: <Xen> on motherboard
xenpci0: <Xen Platform Device> port 0xc000-0xc0ff mem 0xf2000000-0xf2ffffff irq 30 at device 3.0 on pci0
xenstore0: <XenStore> on xenpci0
xenbusb_front0: <Xen Frontend Devices> on xenstore0
xn0: <Virtual Network Interface> at device/vif/0 on xenbusb_front0
xn1: <Virtual Network Interface> at device/vif/1 on xenbusb_front0
xn2: <Virtual Network Interface> at device/vif/2 on xenbusb_front0
xbd0: 102400MB <Virtual Block Device> at device/vbd/768 on xenbusb_front0
xn3: <Virtual Network Interface> at device/vif/3 on xenbusb_front0
xn4: <Virtual Network Interface> at device/vif/4 on xenbusb_front0
xn5: <Virtual Network Interface> at device/vif/5 on xenbusb_front0
xn3: backend features:xn6: <Virtual Network Interface> at device/vif/6 on xenbusb_front0
xenbusb_back0: <Xen Backend Devices> on xenstore0
xctrl0: <Xen Control Device> on xenstore0
root@XEN-FW:~ #

Any updates?

15
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: August 06, 2016, 01:16:11 pm »
Upgraded to 16.7.1 today, IDS/IPS still broken.

Platform - XenServer, i.e. XN NICs, not Intel.
