Messages - manuel

1
Intrusion Detection and Prevention / Re: IPS only shows allowed actions in alerts
« on: January 30, 2019, 08:35:29 am »
Hello xmichielx
Thank you very much for your answer. So only LAN instead of WAN should be selected in Settings --> Interfaces? I currently only have the WAN interface selected, according to the opnsense wiki.

I'll try this asap.

Greetings Manuel

2
Intrusion Detection and Prevention / IPS only shows allowed actions in alerts
« on: January 23, 2019, 09:25:36 am »
Hello
I'm still on 18.7.9 and Suricata 4.0.6. I followed the instructions on https://wiki.opnsense.org/manual/how-tos/ips-feodo.html and download all abuse.ch rules daily via cron. I also enabled them and changed the Filter to drop. If I check my alerts I can only find log entries with action allowed. I can't find a single blocked action. Strange.

Does my IPS really do its job? How can I test it and force a blocked action?

Thank you very much for your help.

Greetings,
Manuel

3
18.7 Legacy Series / Re: Update to 18.7.10 broke my WAN Interface on apu2
« on: January 12, 2019, 01:00:01 pm »
Hello Franco
Yes, on my box IDS and IPS are enabled on the WAN interface only.

Managed to update from 18.7 to 18.7.9 and the WAN problems are gone. My internet connection to the ISP has been stable for some days.

Sorry that I can't assist you anymore, but I couldn't find any error entries in dmesg or system.log when losing the IP address on WAN interface igb1.

Regards Manuel

4
18.7 Legacy Series / Re: Update to 18.7.10 broke my WAN Interface on apu2
« on: January 10, 2019, 12:26:50 pm »
Hello Franco
Thank you for your detailed answer. I'll try this this evening.

Really appreciate your help and work.

Greetings Manuel

5
18.7 Legacy Series / Re: Update to 18.7.10 broke my WAN Interface on apu2
« on: January 10, 2019, 10:35:04 am »
Hello Franco
Thank you very much for your explanation.

# opnsense-revert -r 18.7.9 opnsense

Didn't work for me and produced a

# Fetching opnsense.txz: .. failed

Maybe because of missing internet connection?

I still don't get the point how to upgrade from 18.7 to 18.7.9 now. Sorry about that.

Yes you're right, WAN DHCP does not keep its designated IP. That's the problem.

I also checked system.log after upgrading to 18.7.10 but couldn't see any hint why WAN is losing its IP address. Unfortunately I had to go back to 18.7 because I can't live without internet and I don't have another apu2 to play with.

Maybe someone else could provide more info out of log files to investigate this issue.

Thank you very much for your help. I'm really a big, big fan of opnsense! Very good work.

Greetings Manuel

6
18.7 Legacy Series / Re: Update to 18.7.10 broke my WAN Interface
« on: January 09, 2019, 09:42:08 pm »
Hello
Made a fresh new 18.7 installation this evening, restored the backup, and the WAN IP seems to be stable. How can I now update from 18.7 to 18.7.9? The GUI wants to upgrade directly to 18.7.10. I can't select 18.7.9.

I even tried on the shell with opnsense-upgrade -r 18.7.9 but even then it seems that it will go directly to 18.7.10.

Code:
root@OPNsense:~ # opnsense-update -r 18.7.9
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (101 candidates): 100%
Processing candidates (101 candidates): 100%
The following 85 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        py27-yaml: 3.13
        squid3: 3.5.28_1
        radvd1: 1.15

Installed packages to be UPGRADED:
        ...
        pcre: 8.42 -> 8.42_1
        os-dyndns: 1.8 -> 1.11
        opnsense-update: 18.7 -> 18.7.10
        opnsense-lang: 18.1.7 -> 18.7.8
        opnsense: 18.7 -> 18.7.10
        openvpn: 2.4.6_1 -> 2.4.6_3
        openssl: 1.0.2o_4,1 -> 1.0.2q,1
        openssh-portable: 7.7.p1_6,1 -> 7.9.p1_1,1
        openldap-sasl-client: 2.4.46 -> 2.4.47
        ntp: 4.2.8p11_2 -> 4.2.8p12_3
        ...

Thank you for your help.

Greetings Manuel

7
18.7 Legacy Series / Update to 18.7.10 broke my WAN Interface on apu2
« on: January 09, 2019, 07:12:07 am »
Hello friends
I have two different opnsense installations in two different locations, each on an apu2d4, which are both connected to a cable modem and the same provider. One box was updated to 18.7.10 automatically this Monday, 7th January. The second box still has 18.7.9 installed and is working fine.

After updating to 18.7.10 I no longer get an IP address on the WAN interface from my provider via DHCP. If I reboot the firewall and go to the dashboard I can see an IP from the range of my provider for a couple of seconds. After that, the IP is gone and I only have 0.0.0.0, and in the end there is no IP at all.

I rebooted opnsense several times and also my cable modem. No luck. I also tried to downgrade with

opnsense-revert -r 18.7.9 opnsense

but then I only get a

Fetching opnsense.txz: .. failed

I checked the release notes from 18.7.10. There are some changes in the code for the interfaces.

I attached my kernel message log and also some ifconfig commands. igb0 is my internal interface and igb1 for WAN.

Thank you very much for your help.

Regards Manuel

8
General Discussion / Re: OpenVPN Connection Status to Grafana
« on: October 18, 2018, 08:32:55 pm »
Hello mimugmail
Thank you very much, that would be great.

Greetings Manuel

9
18.7 Legacy Series / Re: idea filebeat / metricbeat
« on: October 02, 2018, 09:39:53 am »
Hello JetA
That would be perfect! Very good idea!

Regards Manuel

10
18.7 Legacy Series / IDS and IPS
« on: October 02, 2018, 09:29:42 am »
Hello
I enabled IPS/IDS according to the howto "IPS SSLBlacklists & Feodo Tracker". Enabled all abuse.ch rulesets and set the filter to drop. If I check the alerts tab I only see actions which were allowed. Do I have to edit each action manually and change the configured action from alert to drop?

2018-10-02T09:17:28.703243+0200   allowed   WAN   80.218.168.190   53516   23.205.182.44   443   SURICATA STREAM Last ACK with wrong seq   
2018-10-02T08:43:02.760728+0200   allowed   WAN   80.218.168.190   60441   203.119.201.255   443   SURICATA TLS error message encountered   
2018-10-02T08:43:02.252406+0200   allowed   WAN   203.119.201.255   443   80.218.168.190   60441   SURICATA Applayer Detect protocol only one direction   
2018-10-02T08:43:02.252406+0200   allowed   WAN   203.119.201.255   443   80.218.168.190   60441   SURICATA TLS error message encountered

I expected that if I change the Filter Action of the rulesets to drop, they will be dropped automatically.

Thank you very much for your help.

Regards Manuel
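
Added example (not from the post or the OPNsense project): a small parser for alert rows in the format shown above, which summarises them by action and separates Suricata's own engine-event signatures (names beginning with "SURICATA ", coming from files such as stream-events.rules, tls-events.rules and app-layer-events.rules, which ship with the alert action) from hits of a downloaded ruleset. It embeds the four rows from the post plus one constructed "blocked" row with documentation addresses so both branches are exercised.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The four alert lines from the post above (tab-separated in the OPNsense UI,
# shown here with runs of spaces), plus one constructed "blocked" line using
# documentation addresses so that the summary exercises both branches.
SAMPLE_ALERTS = """\
2018-10-02T09:17:28.703243+0200   allowed   WAN   80.218.168.190   53516   23.205.182.44   443   SURICATA STREAM Last ACK with wrong seq
2018-10-02T08:43:02.760728+0200   allowed   WAN   80.218.168.190   60441   203.119.201.255   443   SURICATA TLS error message encountered
2018-10-02T08:43:02.252406+0200   allowed   WAN   203.119.201.255   443   80.218.168.190   60441   SURICATA Applayer Detect protocol only one direction
2018-10-02T08:43:02.252406+0200   allowed   WAN   203.119.201.255   443   80.218.168.190   60441   SURICATA TLS error message encountered
2018-10-02T08:50:11.000000+0200   blocked   WAN   192.0.2.10   51000   198.51.100.7   443   CONSTRUCTED example of a dropped connection
"""


@dataclass
class Alert:
    timestamp: str
    action: str      # "allowed" or "blocked" as displayed in the alerts tab
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    signature: str

    @property
    def is_engine_event(self) -> bool:
        # Signatures named "SURICATA ..." are Suricata's built-in decoder,
        # stream, TLS and app-layer event rules (stream-events.rules,
        # tls-events.rules, app-layer-events.rules), which ship with the
        # "alert" action; they are not part of a downloaded threat-intel feed.
        return self.signature.startswith("SURICATA ")


# Columns are separated by a tab or by two or more spaces; the signature text
# itself contains single spaces, so split at most seven times.
_SEP = re.compile(r"\t|\s{2,}")


def parse_alert(line: str) -> Alert:
    parts = _SEP.split(line.strip(), maxsplit=7)
    if len(parts) != 8:
        raise ValueError(f"expected 8 columns, got {len(parts)}: {line!r}")
    ts, action, iface, sip, sport, dip, dport, sig = parts
    return Alert(ts, action, iface, sip, int(sport), dip, int(dport), sig)


def parse_alerts(text: str) -> list[Alert]:
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def summarize(alerts: list[Alert]) -> dict:
    """Counts per action, how many hits come from engine-event rules, and
    which signatures actually produced a drop."""
    return {
        "by_action": dict(Counter(a.action for a in alerts)),
        "engine_events": sum(1 for a in alerts if a.is_engine_event),
        "blocked_signatures": sorted({a.signature for a in alerts if a.action == "blocked"}),
    }


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for key, value in summarize(alerts).items():
        print(f"{key}: {value}")
```

Run over the rows from the post alone, `engine_events` equals the total row count and `blocked_signatures` is empty, which is a quick way to tell whether the alerts you are looking at were produced by the downloaded rulesets at all or only by Suricata's internal event rules.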

11
18.1 Legacy Series / Re: WAN Interface down after reboot of modem
« on: September 24, 2018, 03:06:43 pm »
Hello Bart
Thank you very much for your answer. I'll try this next time.

Does anybody know how opnsense behaves if the WAN port goes down? Does opnsense try to reopen the WAN port for some time until it times out? After this timeout, is the only way to disable/enable the WAN interface or reboot the whole box?

Regards Manuel

12
18.1 Legacy Series / WAN Interface down after reboot of modem
« on: September 24, 2018, 09:53:12 am »
Hello
Today we had a problem at the ISP and had to reboot the modem which is connected to my opnsense box. Unfortunately the WAN interface didn't come up again after rebooting the modem. Does opnsense try to open the WAN port several times until it times out and then gives up?

Because I like long uptimes very much ;) I hate to reboot my opnsense FW. Is there a way, through the GUI, to bring up the WAN interface again without rebooting the box?

Thank you very much for your hints.

Manuel


13
General Discussion / OpenVPN Connection Status to Grafana
« on: August 17, 2018, 06:14:20 pm »
Under VPN --> OpenVPN --> Connection Status there are really nice statistics about every user's bytes sent and bytes received. Is there a way to send this information via collectd to Grafana?

Thank you for your answer.

Manuel

14
General Discussion / Manual changes in /usr/local/etc/collectd.conf
« on: August 17, 2018, 06:51:47 am »
Hello
Did some manual changes in /usr/local/etc/collectd.conf to add the openvpn plugin. After a reboot of opnsense my changes were gone. Are there any plans to add an "Advanced" field also in collectd, to be simply appended to /usr/local/etc/collectd.conf?

There was already a thread https://forum.opnsense.org/index.php?topic=6072.0 about this matter.

Thank you for your answer.

Regards Manuel

15
General Discussion / openVPN Server --> Inactivity timeout (--ping-restart), restarting
« on: July 24, 2018, 11:19:48 am »
Hello
I have set up an openvpn server according to the "Setup SSL VPN Road Warrior" howto, including TOTP. Login works fine, but after about 30 minutes the openvpn client login pops up and I have to log in again using the token from Google Authenticator and my password. Renegotiate time (reneg-sec 0) is set to 0 in the openvpn server config.

I would like to stay connected to the vpn server even if there is no activity/traffic. How can I achieve this?

Thank you very much for your help.

Regards Manuel

Tue Jul 24 10:02:16 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Jul 24 10:02:16 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 24 10:02:16 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Tue Jul 24 10:02:46 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:46 2018 UDP link local (bound): [AF_INET][undef]:0
Tue Jul 24 10:02:46 2018 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:47 2018 [myopenvpn Server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:48 2018 open_tun
Tue Jul 24 10:02:48 2018 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{AB71E12E-4CCE-42DE-84BA-E28854305B69}.tap
Tue Jul 24 10:02:48 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of xx.xx.xx.xx/255.255.255.xx on interface {xxxxxxxxx} [DHCP-serv: xx.xx.xx.xx, lease-time: 31536000]
Tue Jul 24 10:02:48 2018 Successful ARP Flush on interface [15] {xxxxxxxxx}
Tue Jul 24 10:02:48 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 24 10:02:53 2018 Initialization Sequence Completed
Tue Jul 24 10:31:57 2018 [myopenvpn Server] Inactivity timeout (--ping-restart), restarting
Tue Jul 24 10:31:57 2018 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jul 24 10:42:58 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:42:58 2018 UDP link local (bound): [AF_INET][undef]:0
Tue Jul 24 10:42:58 2018 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:42:59 2018 [SSLVPN Server Certificate] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:43:00 2018 Preserving previous TUN/TAP instance: Ethernet 3
Tue Jul 24 10:43:00 2018 Initialization Sequence Completed

- Server Config File
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
client-disconnect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
local xx.xx.xx.xx
tls-server
server xx.xx.xx.xx 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'TOTP VPN Access Server' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'SSLVPN+Server+Certificate' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route xx.xx.xx.xx 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.4096.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
reneg-sec 0

- Client Config File
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
reneg-sec 0
resolv-retry infinite
remote myopenvpnserver.com 1194 udp
lport 0
verify-x509-name "myopenvpn Server" name
auth-user-pass
pkcs12 Home.p12
tls-auth Home.key 1
#ns-cert-type server
remote-cert-tls server
comp-lzo adaptive
auth-nocache
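
Added example, not part of the post or of OPNsense: the server config above uses `keepalive 10 60`, which OpenVPN expands to `ping 10` / `ping-restart 120` on the server and pushes `ping 10` / `ping-restart 60` to the client. The script below implements that expansion and pairs the client log's "Initialization Sequence Completed" lines with the following ping-restart to measure how long each tunnel instance stayed up. It assumes only the log excerpt embedded in it (copied from the post) and a server keepalive of 10 60; for the excerpt it reports 1744 s of uptime before the restart, so the client had been receiving packets for most of that time and only then went a full ping-restart window without one.

```python
import re
from datetime import datetime


def expand_keepalive(interval: int, timeout: int) -> dict:
    """Expand OpenVPN's --keepalive helper into the --ping / --ping-restart
    values it stands for. The server side doubles the timeout so that a
    client always detects a dead link before the server drops it; the
    client-side values are what the server pushes to connecting clients."""
    return {
        "server": {"ping": interval, "ping-restart": 2 * timeout},
        "client": {"ping": interval, "ping-restart": timeout},
    }


# Excerpt of the Windows client log from the post above (unchanged lines).
CLIENT_LOG = """\
Tue Jul 24 10:02:47 2018 [myopenvpn Server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:53 2018 Initialization Sequence Completed
Tue Jul 24 10:31:57 2018 [myopenvpn Server] Inactivity timeout (--ping-restart), restarting
Tue Jul 24 10:31:57 2018 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jul 24 10:42:59 2018 [SSLVPN Server Certificate] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:43:00 2018 Initialization Sequence Completed
"""

# "Tue Jul 24 10:02:47 2018 <message>"; OpenVPN pads single-digit days with a
# second space, which the "+" after the month name tolerates.
_LINE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")


def parse_log(text: str) -> list[tuple[datetime, str]]:
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())
            events.append((datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return events


def tunnel_sessions(events: list[tuple[datetime, str]]) -> list[dict]:
    """Pair each 'Initialization Sequence Completed' with the next ping-restart
    and report how long the tunnel was up; a session that has not restarted
    yet is reported with restarted_at=None."""
    sessions, up_at = [], None
    for ts, msg in events:
        if msg.endswith("Initialization Sequence Completed"):
            up_at = ts
        elif "Inactivity timeout (--ping-restart)" in msg and up_at is not None:
            sessions.append({"up_at": up_at, "restarted_at": ts,
                             "seconds_up": int((ts - up_at).total_seconds())})
            up_at = None
    if up_at is not None:
        sessions.append({"up_at": up_at, "restarted_at": None, "seconds_up": None})
    return sessions


def last_packet_offsets(sessions: list[dict], server_keepalive=(10, 60)) -> list[int]:
    """For each restarted session, seconds after initialisation at which the
    client last received a packet: the restart fires exactly ping-restart
    seconds after the last received packet."""
    restart = expand_keepalive(*server_keepalive)["client"]["ping-restart"]
    return [s["seconds_up"] - restart for s in sessions if s["restarted_at"] is not None]


if __name__ == "__main__":
    sessions = tunnel_sessions(parse_log(CLIENT_LOG))
    for s in sessions:
        print(s)
    print("last packet received at +%s s" % last_packet_offsets(sessions))
```

`last_packet_offsets` turns the restart timestamp into the moment the link actually went quiet, which is the value to line up against the server's own log or the ISP/NAT side when tracking down why pings stopped arriving.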
