Messages

1

21.1 Legacy Series / Re: 20.1.8 php error

« on: July 07, 2021, 08:54:57 pm »

Yep, I can confirm this.

After the update Sensei said that it needs to start "Elasticsearch DB" to show the reports. When I clicked "Yes" to confirm, the process "eastpect" consumed permanently 100% CPU, and the "There was an error" message on the dashboard appeared, which showed me the "PHP deprecated" message.

2

21.1 Legacy Series / Re: 20.1.8 php error

« on: July 07, 2021, 08:17:42 pm »

Same here!
Thank you 

3

21.1 Legacy Series / Re: Cannot delete firewall alias used by "phantom" rule

« on: June 06, 2021, 12:31:03 pm »

Thanks for the suggestion. Is it possible to edit /conf/config.xml in situ and reload it?

I did it several times to change the IP subnet for all components (interface, aliases, DHCP reservations....) to get a configuration file, which I can import into my OPNsense VM test environment whitout having any IP conflicts in my network. Not sure if it's really supported, but I think as long as you just edit some values and keep the structure of the file, it should be fine.

4

21.1 Legacy Series / Re: Cannot delete firewall alias used by "phantom" rule

« on: June 06, 2021, 11:54:29 am »

I would try to export the configuration in clear text, remove the alias from the XML and import the modified file again.
I would also recommend to search for the alias in the rule section of the exported configuration. Maybe the rule is still there.

5

21.1 Legacy Series / OPNsense does not response to ARP requests for static entries

« on: June 05, 2021, 03:41:44 pm »

Hi folks,

I've configured a DHCPv4 lease with static ARP entry containing the broadcast mac address ff:ff:ff:ff:ff:ff. I'm using this IP to send WoL packets from other subnets to reach all clients in this subnet.

Worked well for years. But now, I've no idea since when exactly, OPNsense doesn't reply to queries for this IP address.

I did a packet capture and the ARP queries are arriving on the right interface. But I can't see any response. Only when the clients request the gateway address, which is the OPNsense interface, I can see the responses.
Any idea ?

EDIT: The ARP table of OPNsense contains the static ARP entry.

6

21.1 Legacy Series / Re: Local DNS resolving is not working after restart of Wireguard

« on: May 23, 2021, 12:54:25 pm »

@Greelan: Yep, the WG config contained a wrong DNS server (typo). Solved. Thank you

7

21.1 Legacy Series / Local DNS resolving is not working after restart of Wireguard

« on: May 23, 2021, 12:31:20 pm »

Hey,

When I restart the Wireguard service, OPNsense is no longer able to resolve DNS names by itself. The LAN clients are all fine, only OPNsense can't resolve e.g. FQDN aliases.

2021-05-23T12:21:01    unable to resolve download.qnap.com for alias WAN_QNAP_Download

I've to restart the appliance to resolve the issue.

I'm using Unbound as DNS resolver. It's listening on a loopback adapter, which address I have configured in the DHCP DNS server options for the clients as well as in the general settings of OPNsense (System: Settings: General)

I can remember that there was a similiar issue with OpenVPN, but I can't find the thread/issue on Github.

Any recommendations?

EDIT: Found out that saving the genereal settings of OPNsense again also solves the issue.

8

Intrusion Detection and Prevention / Re: Memory usage grow during a constant traffic flow

« on: November 29, 2020, 02:55:44 pm »

Thank you for the How-To.

All values were already configured in the standard files as mentioned in your How-To.
I have only added the IP addresses of my hosts to the host-os-policy section, but that didn't helped. 

9

Intrusion Detection and Prevention / Re: Memory usage grow during a constant traffic flow

« on: November 28, 2020, 02:48:37 pm »

I've about 58.000 rules enabled. That's a lot, I know. But it seems that they're not harming any other services like Netflix, Deezer or other connections which are using a constant bandwidth over a longer time.

I've enabled IDS/IPS on the LAN interface because I'm having several VLANs and interfaces. Therefore I want to scan the the traffic between them too.

My iPerf test run about two hours and there was no rising memory usage. So I guess it's a single rule which causes the issue during the SMB stream.

10

Intrusion Detection and Prevention / Memory usage grow during a constant traffic flow

« on: November 22, 2020, 01:52:02 pm »

Hey,

I'm often watching TV shows that I've recorded in the past, and saved on my NAS as MPG-2 file.
The playing device is a Dreambox (Linux based) in a different VLAN. The Dreambox uses SMB2 to play the file. The connection uses about 5 Mbit/s.

After approxm. 30 minutes watching I get an warning from my OPNsense, that the memory usage has reached 80% of 8 GB. The activity page shows that Suricata uses the most of it. The memory usage continues to grow up to 97% as long as the episode plays. Then the SWAP usage starts to grow.
My OPNsense uses about 20% of the memory during normal operation.

I do not see any drops or alerts in the IDS/IPS logs regarding this connection. I can try to define an IP-to-IP exception in the user rules section to prevent it. But if it's a single rule which causes this behaviour, I would prefer to identify and disable this rule.
Is this a normal behaviour? If not, how should I go through to prevent this?

Current Suricata settings: Promiscus & IPS modes are active. The pattern matcher is Hyperscan, and Suricata is only listening on the physical LAN interface. The home network subnets are entered.

Jas

EDIT: I'm not able to reproduce this issue by using iPerf3 to create an TCP connection with an constant bandwidth usage.

11

20.7 Legacy Series / Re: Current list of bugs/issues I've encountered in 20.7

« on: August 17, 2020, 11:09:35 pm »

@FullyBorked: I'm having the issues #3 and #4 (both) too.

I've reported issue #3 some minutes ago (https://github.com/opnsense/core/issues/4272)
Regarding syslog-ng there are several reports of users which having the same or other issues (https://github.com/opnsense/core/issues/4263)

12

General Discussion / Re: Sonos across multiple subnets

« on: July 31, 2020, 10:41:31 pm »

I'm having the same network setup as you. You need to allow the UDP responses from the Sonos devices for ports 40000-60000.

This is my "UDP Broadcast Relay" configuration
udp_vars="--id 1 --port 1900 --dev [INTERFACE_LAN] --dev [INTERFACE_IOT] --multicast 239.255.255.250"

This is my firewall ruleset to allow the communication between the Sonos app and the devices

From Sonos app to Sonos devices
TCP/1400, 1443

From Sonos devices to Sonos app
TCP/3400, 3401, 3500
TCP/4444
UDP/40000-60000

13

Intrusion Detection and Prevention / Re: Samba (smb) with slow speeds because of Suricata

« on: June 07, 2020, 02:14:00 pm »

Hey,
Same issue here.

I've opened a new thread: https://forum.opnsense.org/index.php?topic=17572.0
Not exactly what you are searching for, but maybe it's helpful for you too.

Jas

14

Intrusion Detection and Prevention / Understanding of "user defined" rules

« on: June 07, 2020, 01:51:49 pm »

Hey,

I've different VLANs in my LAN and Suricata is enabled in IPS mode on the physical interface on which all VLANs mapped to.

When I copy some big files from a host in VLAN1 to a host in VLAN2 via SMB, Suricata reaches 100% of the CPU time because it inspects the traffic of course. Due to the high CPU utilization the bandwidth of the copy job is much lower than whitout IDS/IPS enabled.

So I added two user defined pass rules for the hosts (from host 1 to host 2 and vice versa). The rules are matching, but the Suricata process still uses 100% of the CPU time during the copy job.

My question is: should the traffic bypass IDS/IPS completly when there's a pass rule for it? Or is the traffic still inspected by IDS/IPS, and the pass rule overwrites only all alert/block rule that may match? The documentation of Suricata is not understandable for me in this point (https://suricata.readthedocs.io/en/suricata-4.1.2/performance/ignoring-traffic.html).
What would be the best way to perform my requirement?

Thanks.
Jas

15

Hardware and Performance / Re: Connection reset during iperf test

« on: March 13, 2020, 10:56:21 pm »

Hey tjanker,

Your OPNsense ends the connection to the client by sending the FIN flag in packet 18. The the RST flag in packet 19 is only to shutdown the connection immediatly without any timeouts.

Have you used any iPerf options? Is IPS enabled?

I guess you've captured the traffic on the client, because the frames from the clients are bigger than 1518 bytes (offloading is active).
Can you do another capture "on the wire" or on a mirror port on the switch?

Jas