Messages - Voodoo

1
23.1 Production Series / Installer serial keyboard input stops right after Please login...
« on: March 14, 2023, 09:10:53 pm »
I'm currently in the process of installing OPNsense under Kubernetes using KubeVirt (KVM).

I can boot the VM just fine and connect to it via serial.

The boot menu responds to input, the startup scripts e.g. configure interfaces all respond to input and works just fine.

The input works just until:
Code:
Welcome!  OPNsense is running in live mode from install media.  Please
login as 'root' to continue in live mode, or as 'installer' to start the
installation.  Use the default or previously-imported root password for
both accounts.  Remote login via SSH is also enabled.

Right after it's printed, input stops working; I cannot log in as root or installer, nothing happens if I type.

However, output still works as-is, so the serial console is just fine; doing an ACPI shutdown prints

Code:
>>> Invoking stop script 'beep'
..................
Syncing disks, vnodes remaining... 0 0 0 0 done
All buffers synced.
Uptime: 6m30s


I'm now going to install via VNC but I really want this VM to run headless if possible.

Any solution to this bug?

2
Documentation and Translation / WireGuard MullvadVPN Road Warrior Documentation Wrong
« on: December 04, 2022, 04:10:00 pm »
So I just followed https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html which broke my internet.

Wireguard will install a 0.0.0.0/1 route following the documentation which will override the default route.

It is important that under VPN -> Wireguard -> Local -> Configuration:  "Disable Routes" is checked.

Step 2 in the documentation is how to set up dynamic routing, so the Disable Routes setting is clearly missing from it; otherwise it makes no sense.



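The post above describes a route that is more specific than the default route taking over all traffic. The following added example (not the poster's code and not part of the OPNsense or Mullvad documentation) models that with a minimal longest-prefix-match lookup over a constructed routing table. It assumes the interface names `wan`, `lan` and `wg0`, and it assumes a companion `128.0.0.0/1` route alongside the `0.0.0.0/1` the post mentions, which is how an AllowedIPs of `0.0.0.0/0` is normally split; the post itself only names `0.0.0.0/1`.

```python
import ipaddress

# Constructed routing tables modelled on the situation in the post:
# a default route via WAN, a directly connected LAN, and the routes
# WireGuard installs when "Disable Routes" is left unchecked.
# Interface names and the 128.0.0.0/1 companion route are assumptions.
ROUTES_WITH_WG = [
    ("0.0.0.0/0", "wan"),        # default route from the WAN interface
    ("192.168.1.0/24", "lan"),   # connected LAN
    ("0.0.0.0/1", "wg0"),        # installed by WireGuard (from the post)
    ("128.0.0.0/1", "wg0"),      # assumed companion route
]

ROUTES_DISABLE_ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("192.168.1.0/24", "lan"),
]


def lookup(routes, destination):
    """Longest-prefix match: the most specific route containing the
    destination wins, which is why a /1 beats a /0 every time."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def default_route_shadowed(routes):
    """True when the more-specific routes, merged, cover the whole IPv4 space,
    so the 0.0.0.0/0 entry is never consulted: the failure mode from the post."""
    specifics = [ipaddress.ip_network(p) for p, _ in routes if p != "0.0.0.0/0"]
    collapsed = list(ipaddress.collapse_addresses(specifics))
    return collapsed == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    for table, label in ((ROUTES_WITH_WG, "routes enabled"),
                         (ROUTES_DISABLE_ROUTES, "Disable Routes checked")):
        print(f"{label}: 8.8.8.8 -> {lookup(table, '8.8.8.8')}, "
              f"default shadowed: {default_route_shadowed(table)}")
```

With the WireGuard routes present, every destination not on the LAN resolves to `wg0` and the default route is dead weight; with "Disable Routes" checked the table falls back to `wan`, which is the state the post says the documentation should have asked for.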
3
21.1 Legacy Series / Re: Unbound leaks all subnets
« on: June 12, 2021, 12:44:32 am »
Firewall -> Rules -> Floating: pass port 53 tcp/udp source any dest 192.168.1.1

Services -> Unbound -> General: Network Interfaces: only select lan (192.168.1.1)

Services -> Unbound -> Access Lists: Allow 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8

Services -> DHCPv4 -> Set each interface's DNS to 192.168.1.1

Repeat for IPv6


This way only 192.168.1.1 is returned for a DNS request to the firewall.

4
21.1 Legacy Series / Re: Unbound leaks all subnets
« on: June 11, 2021, 12:51:37 am »
Quote from: pmhausen on June 10, 2021, 09:23:08 am
Quote from: Voodoo on June 03, 2021, 09:58:22 pm
I noticed unbound leaks all subnets configured in opnsense.
And this is a problem, because ...?

Never said it's a problem, I just dislike it. There is simply no reason to leak all networks.

I set up a floating rule, changed Unbound to only listen on a single interface and changed the DNS via DHCP.


5
21.1 Legacy Series / Unbound leaks all subnets
« on: June 03, 2021, 09:58:22 pm »
I noticed unbound leaks all subnets configured in opnsense.

Just query the firewall host, which can be easily found out with a PTR lookup.

Is there some way to prevent Unbound from returning all the addresses?


Code:
# check dns server
user@docker1:~# nslookup docker1
Server:         192.168.1.1 <- used dns server
Address:        192.168.1.1#53

Name:   docker1.example.com
Address: 192.168.1.11

# ptr on dns server
user@docker1:~# nslookup 192.168.1.1
1.1.168.192.in-addr.arpa        name = firewall1.example.com.

# get all subnets
user@docker1:~# nslookup firewall1.example.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   firewall1.example.com
Address: 192.168.1.1
Name:   firewall1.example.com
Address: 192.168.2.1
Name:   firewall1.example.com
Address: 192.168.3.1
... (removed entries)
Name:   firewall1.example.com
Address: 10.10.1.0
Name:   firewall1.example.com
Address: 10.20.2.0
Name:   firewall1.example.com
Address: 10.20.0.2
... (removed entries)
Name:   firewall1.example.com
Address: 2a02:****
Name:   firewall1.example.com
Address: 2a02:****
Name:   firewall1.example.com
Address: 2a02:****
... (removed entries)



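The post above shows the symptom (a lookup of the firewall name returning every interface address) and the earlier reply in this thread describes the fix (Unbound bound to the LAN interface only, so only 192.168.1.1 comes back). The following added example, not the poster's code, parses nslookup output like the transcript above and reports which answered addresses fall outside the querying client's subnet, so the same check can be rerun after the Unbound change. The transcripts are constructed and shortened; the redacted `2a02:****` lines are kept to show how unparseable entries are treated.

```python
import ipaddress

# Constructed nslookup transcripts modelled on the one in the post.
BEFORE_FIX = """\
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   firewall1.example.com
Address: 192.168.1.1
Name:   firewall1.example.com
Address: 192.168.2.1
Name:   firewall1.example.com
Address: 10.10.1.0
Name:   firewall1.example.com
Address: 2a02:****
"""

AFTER_FIX = """\
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   firewall1.example.com
Address: 192.168.1.1
"""


def parse_answers(output):
    """Return (name, raw_value, parsed_ip_or_None) for each answer record.

    The leading 'Server:/Address:' header is skipped because no 'Name:' line
    precedes it; a value that is not a parseable IP (such as a redacted
    '2a02:****') is kept with parsed=None instead of being dropped silently.
    """
    answers = []
    name = None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            name = value
        elif key == "Address" and name is not None:
            try:
                answers.append((name, value, ipaddress.ip_address(value)))
            except ValueError:
                answers.append((name, value, None))
    return answers


def leaked_addresses(output, client_subnet):
    """Addresses answered for the firewall name that are not on the querying
    client's subnet. Each one reveals another network the firewall sits on.
    Unparseable (redacted) entries are reported as-is, since they cannot be
    confirmed to belong to the client's subnet."""
    net = ipaddress.ip_network(client_subnet)
    leaked = []
    for _, raw, parsed in parse_answers(output):
        if parsed is None or parsed not in net:
            leaked.append(raw)
    return leaked


if __name__ == "__main__":
    for label, transcript in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, "leaked:", leaked_addresses(transcript, "192.168.1.0/24"))
```

Run against real output by piping `nslookup firewall1.example.com` into the parser with the subnet the querying host sits on; an empty result after the change confirms that Unbound now answers with the LAN address only.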
6
21.1 Legacy Series / Re: 21.1.5 Suricata broken (NIC issue)
« on: May 05, 2021, 11:41:20 pm »
Suricata works fine for me on 21.1.5 with proxmox and virtio.

I'm not using jumbo frames however.

7
21.1 Legacy Series / Re: Kubernetes best load balancer setup ?
« on: March 27, 2021, 12:43:44 am »
@SFC OPNsense is the upstream gateway for the cluster, and HA requires load balancing.

@mimugmail the traefik plugin sounds nice, I will set it up for ingress; CLI is more than fine, no ETA yet though.


8
21.1 Legacy Series / Kubernetes best load balancer setup ?
« on: March 17, 2021, 08:42:29 pm »
Does anyone have a Kubernetes setup with OPNsense?

There is barely content about it so I did some research and testing myself.


Opnsense does not come with load balancing by default but offers 3 plugins: os-relayd, os-nginx and os-haproxy

os-relayd was deprecated in the past, solely for load balancing.

os-nginx and os-haproxy are mainly for http reverse proxying, os-haproxy has some more load balancing options but lacks udp load balancing if required.

os-nginx lacks load balancing algorithms, round robin is the only one but that's a limitation of the opnsense gui.

Best option for future support seems to be os-haproxy.

9
21.1 Legacy Series / Re: Native-kernel wireguard support for 21.1 feasible? FreeBSD 13 may have it
« on: March 16, 2021, 01:35:36 pm »
Wow netgate wireguard implementation reads great.

Quote
There were random sleeps added to “fix” race conditions, validation
functions that just returned true, catastrophic cryptographic
vulnerabilities, whole parts of the protocol unimplemented, kernel
panics, security bypasses, overflows, random printf statements deep in
crypto code, the most spectacular buffer overflows, and the whole litany
of awful things that go wrong when people aren’t careful when they write
C. Or, more simply, it seems typical of what happens when code ships
that wasn’t meant to. It was essentially an incomplete half-baked
implementation – nothing close to something anybody would want on a
production machine.

10
21.1 Legacy Series / Re: My OPNSense cant route IPv6
« on: March 13, 2021, 01:18:29 am »
64 prefix means you are limited to 1 subnet = wan, so you can not setup ipv6 for your lan/dmz.

"Interfaces -> Overview -> WAN -> IPv6 delegated prefix"

If you have a prefix <=63 you have to set up router advertisement for SLAAC.

11
21.1 Legacy Series / Re: wireguard performance is better on linux, expected?
« on: March 01, 2021, 06:09:21 pm »
Linux uses the kernel implementation, opnsense the go usermode implementation.

There is a huge performance impact. But the kernel implementation for BSD is on its way.

Edit: nevermind didn't read, but virtio support on bsd is lacking, I think that's the issue.

12
21.1 Legacy Series / Re: Blocking port scans
« on: February 23, 2021, 02:17:58 pm »
Suricata only blocks script enumerations if it sees an nmap/zmap user agent.

It won't block syn scans. Relying on security through obscurity doesn't help anyway.

13
21.1 Legacy Series / Re: High availability project
« on: February 23, 2021, 01:27:08 pm »
Virtual NICs are CPU bound; with most processors you only get ~5Gbit.

You need a proper Intel/Mellanox SFP+ NIC and use PCIe passthrough.


edit: read 10G, 1G should be no problem

Make sure to disable hardware offloading which can create issues.

# Interfaces -> Settings: Check "Disable CRC, TSO and LRO hardware offload" and "Disable VLAN Hardware Filtering"

14
21.1 Legacy Series / Re: Slow throughput
« on: February 17, 2021, 01:22:58 am »
BSD Virtio support is just bad.

If you need more than 1Gb, PCIe passthrough your NIC.

15
21.1 Legacy Series / Re: Suricata IDS/IPS ~56% slower than before update
« on: February 08, 2021, 01:54:39 am »
My monitoring shows increased CPU usage.

Before with 20.7.x it maxed out at 22%.

With 21.1.x it goes up to 80%.

With all tests I get my max bandwidth of 200mbit.

It does not happen with suricata disabled, the weird thing is that suricata is not set to listen on lan, only on dmz.
