Messages - meschmesch

1
Intrusion Detection and Prevention / Re: Suricata not working (any more)
« on: January 21, 2023, 08:00:04 pm »
I used something like 95.14.0.0/16 in the past, which did somehow work. But now even setting the exact WAN address does not provide any hit. LAN and DMZ are attached to a VLAN, but using Promiscuous mode and the VLAN interface does not do anything either. It's like the whole thing is not working. The log only has the usual
Code:
ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.

2
Intrusion Detection and Prevention / Suricata not working (any more)
« on: January 21, 2023, 05:49:16 pm »
Hello,
for a long time I had Suricata with IPS mode running successfully on WAN. Recently I did a check on my system and found out that no alerts were present any more. I removed all rules, installed opnsense.test.rules and did a check with eicar.com.txt (on http!, not https). Eicar was neither reported in IDS nor in IPS mode. I'm on OPNsense 22.7.11, everything up and running.

I have tried all kinds of combinations of settings in Suricata, including changing interfaces, Promiscuous mode, disabling and re-enabling Suricata, deleting and reinstalling the opnsense.test.rules, reboot, but no success.

I would appreciate some guidance on how to track down the problem. It seems that from the web interface of OPNsense alone I won't be successful. If one of you professionals would take me by the hand and support me, that would be great. Many thanks.

3
Virtual private networks / Re: how to Request openVPN Client to prompt for (TOTP) in a second popup
« on: November 18, 2022, 09:48:19 am »
Is there a solution to this problem?
Quote
I would like the openVPN client to prompt the user / password in first step, as it is now, but then, for the second challenge, it should show up with a new popup windows, with a single field : "please enter OTP".
How can I achieve that?

4
Intrusion Detection and Prevention / [solved] Suricata stopped working after updating to OPNsense 22.7.6
« on: November 02, 2022, 07:06:00 pm »
After updating to OPNsense 22.7.6 Suricata stopped working. Starting suricata provides 100% CPU and errors:

Code:
2022-11-02T18:49:11 Error suricata [109401] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igb0^ failed: Cannot allocate memory
igb0 is WAN. Suricata is running on WAN, Zenarmor is running on LAN and other interfaces (for Zenarmor WAN is not even available for selection).

I have a second machine running with more or less identical configuration (CARP, HA), no problems there.

Thank you!


PS: The problem was Sensei. Previously it was configured to listen on various VLANs and not on physical interfaces. It worked fine for 2 years without any complaints. Supposedly an update made Sensei more picky. After selecting only physical interfaces everything worked fine.


5
High availability / Re: Ipv6 and Carp
« on: October 04, 2022, 04:29:01 pm »
...no problem, all fine  :)

Quote
Both nodes need to be in the same /64, but you get perfectly well working failover etc.
Is this to be realized via a virtual ULA (fd00:...) or via a real GUA (2a02:...) for each node?

6
High availability / Re: Ipv6 and Carp
« on: October 04, 2022, 01:05:25 pm »
Quote
HA with dynamic addresses and/or prefixes? Who would ever come up with an idea like that?

Good question. I have a spare firewall which sits around doing nothing. By using this spare firewall as a backup in an HA setup it's easy to play around with OPNsense on the backup without messing up the normal provision of services on the main firewall. Another advantage is that I always have a backup system available without doing virtually anything. No manual backups (which I nevertheless do from time to time), nothing. As I said, the firewall just sits around here anyhow, so why not give it a purpose?

7
High availability / Re: am I using CARP incorrectly?
« on: October 01, 2022, 10:50:54 pm »
Does it harm to use only carp addresses instead of virtual IPs for the other VLANs? That's what I use currently and it works...

8
High availability / Re: No internet-uplink in backup-node with static WAN IP
« on: October 01, 2022, 10:04:13 pm »
How does the backup node obtain its WAN IP? This must be specified at Interfaces -> WAN.

9
High availability / Ipv6 and Carp
« on: October 01, 2022, 07:21:05 pm »
Hello,
I have a problem understanding Ipv6 and CARP and hope for a brief explanation or clarification.

For each interface (LAN etc.) there is a Carp fe80::2:1/64 virtual IP.
  • Question 1) for the WAN, is it also possible to have such an fe80 virtual IP, or is it inevitable to have a global IPv6 address for CARP (e.g. 1a02:800b:d12f:fe20::100/64)?
  • Question 2) I know that the local IPv6 of the interface itself (Interfaces->LAN) can be a global IPv6 address. However, is it also possible that it can be an IP "self-assigned" by the interface via IPv6 Configuration Type "Track Interface" WAN?
  • Question 3) in case the answer to 2) is positive, i.e. track interface is possible, shall the IPv6 Prefix ID be different for the same interface on the master node and backup node?

Thanks for the feedback!

PS: some time ago we had a discussion about forwarding IPv6 traffic in the case of HA systems. Forwarding to an fe80 address or an fd00 ULA address did not work for me. Instead I had to use the global address of the device (1a02:abcd:...). With the newly introduced Alias feature "Dynamic IPv6 Host" that makes life so easy. No need for a ULA or any other dynamic host address any more. Thanks for the great job on that!!

10
German - Deutsch / [solved] DHCP no longer works
« on: September 19, 2022, 09:49:17 am »
Hello,
I run a (private) HA system here which ran stably for months. A week ago someone complained that their phone no longer got an IP address via DHCP. I then switched the MAC on the phone from "random" to "phone MAC" and the IP address came. In the meantime, various devices no longer obtain any IP address via DHCP at all, regardless of whether they use DHCP static mapping or not.

I have no idea where to start. Restarted devices, restarted the DHCP daemon, deleted static assignments, rebooted OPNsense. The DHCP log shows e.g.

Code:
2022-09-19T09:45:33 Informational dhcpd DHCPOFFER on 192.168.2.136 to bc:dd:c2:b2:b1:4a via igb1
2022-09-19T09:45:33 Informational dhcpd DHCPDISCOVER from bc:dd:c2:b2:b1:4a via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPACK on 192.168.2.133 to dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPREQUEST for 192.168.2.133 (192.168.2.8) from dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPOFFER on 192.168.2.133 to dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPDISCOVER from dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPACK on 192.168.2.133 to dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPREQUEST for 192.168.2.133 from dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:29 Informational dhcpd DHCPOFFER on 192.168.10.58 to 5c:f3:70:4f:f4:15 via igb2_vlan10
2022-09-19T09:45:29 Informational dhcpd DHCPDISCOVER from 5c:f3:70:4f:f4:15 via igb2_vlan10
2022-09-19T09:45:13 Informational dhcpd DHCPOFFER on 192.168.2.132 to 2c:f4:32:3c:6b:99 via igb1
2022-09-19T09:45:13 Informational dhcpd DHCPDISCOVER from 2c:f4:32:3c:6b:99 via igb1
2022-09-19T09:44:34 Informational dhcpd DHCPOFFER on 192.168.10.58 to 5c:f3:70:4f:f4:15 via igb2_vlan10
2022-09-19T09:44:34 Informational dhcpd DHCPDISCOVER from 5c:f3:70:4f:f4:15 via igb2_vlan10
2022-09-19T09:44:33 Informational dhcpd DHCPOFFER on 192.168.2.136 to bc:dd:c2:b2:b1:4a via igb1
2022-09-19T09:44:33 Informational dhcpd DHCPDISCOVER from bc:dd:c2:b2:b1:4a via igb1
2022-09-19T09:44:13 Informational dhcpd DHCPOFFER on 192.168.2.132 to 2c:f4:32:3c:6b:99 via igb1
2022-09-19T09:44:13 Informational dhcpd DHCPDISCOVER from 2c:f4:32:3c:6b:99 via igb1
2022-09-19T09:44:13 Informational dhcpd DHCPOFFER on 192.168.10.58 to 5c:f3:70:4f:f4:15 via igb2_vlan10
2022-09-19T09:44:13 Informational dhcpd DHCPDISCOVER from 5c:f3:70:4f:f4:15 via igb2_vlan10

E.g. 5c:f3:70:4f:f4:15 is a scanner which until now worked without problems via DHCP. Now it no longer pulls an IP? The DHCPDISCOVER, DHCPOFFER game repeats itself 1-2 times a minute.

Does anyone have an idea how to solve the problem? As I said, I don't know where to start. Thanks!!!!

PS: I have meanwhile swapped all the hardware between OPNsense and the end device (wired!), DHCP requests remain unanswered.

Solution: the central switch was to blame. It had somehow hung and let through fewer and fewer packets.  >:( Thanks TP-Link.
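As an added example (not from the post and not OPNsense code), the following Python applies the reasoning behind this post to dhcpd log lines: a client that keeps receiving DHCPOFFERs but never gets to DHCPACK is not seeing the offers, which points at the path between server and client (here the switch) rather than at dhcpd itself. The sample lines are those quoted in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (OPNsense dhcpd log format).
SAMPLE_LOG = """\
2022-09-19T09:45:33 Informational dhcpd DHCPOFFER on 192.168.2.136 to bc:dd:c2:b2:b1:4a via igb1
2022-09-19T09:45:33 Informational dhcpd DHCPDISCOVER from bc:dd:c2:b2:b1:4a via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPACK on 192.168.2.133 to dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPREQUEST for 192.168.2.133 (192.168.2.8) from dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPOFFER on 192.168.2.133 to dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:31 Informational dhcpd DHCPDISCOVER from dc:4f:22:7e:19:6b via igb1
2022-09-19T09:45:29 Informational dhcpd DHCPOFFER on 192.168.10.58 to 5c:f3:70:4f:f4:15 via igb2_vlan10
2022-09-19T09:45:29 Informational dhcpd DHCPDISCOVER from 5c:f3:70:4f:f4:15 via igb2_vlan10
2022-09-19T09:44:34 Informational dhcpd DHCPOFFER on 192.168.10.58 to 5c:f3:70:4f:f4:15 via igb2_vlan10
2022-09-19T09:44:34 Informational dhcpd DHCPDISCOVER from 5c:f3:70:4f:f4:15 via igb2_vlan10
2022-09-19T09:44:33 Informational dhcpd DHCPOFFER on 192.168.2.136 to bc:dd:c2:b2:b1:4a via igb1
2022-09-19T09:44:33 Informational dhcpd DHCPDISCOVER from bc:dd:c2:b2:b1:4a via igb1
"""

# "<timestamp> <level> dhcpd <DHCPxxx> ... <client mac> via <interface>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+dhcpd\s+(?P<msg>DHCP[A-Z]+)\b.*?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+via\s+(?P<iface>\S+)"
)

def parse_dhcp_log(lines):
    """Yield (timestamp, message type, client MAC, interface) for each parsable line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("msg"), m.group("mac"), m.group("iface")

def find_stuck_clients(lines, min_offers=2):
    """Return {mac: {"iface", "offers", "acks"}} for clients that received at
    least `min_offers` DHCPOFFERs but never completed a lease (no DHCPACK).
    The server is answering, so a missing REQUEST means the OFFER never
    reached the client: look at the switch/VLAN/cabling, not at dhcpd."""
    stats = defaultdict(lambda: {"iface": None, "offers": 0, "acks": 0})
    for _ts, msg, mac, iface in parse_dhcp_log(lines):
        entry = stats[mac]
        entry["iface"] = iface
        if msg == "DHCPOFFER":
            entry["offers"] += 1
        elif msg == "DHCPACK":
            entry["acks"] += 1
    return {mac: e for mac, e in stats.items()
            if e["offers"] >= min_offers and e["acks"] == 0}

if __name__ == "__main__":
    for mac, e in find_stuck_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{mac} on {e['iface']}: {e['offers']} offers, no ACK")
```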

11
German - Deutsch / Re: no IP address on WAN via DHCP
« on: April 29, 2022, 04:22:34 pm »
Does the Realtek driver have to be installed when Realtek NICs are used? I have such NICs, am on 22.1, but have no problems at all without the driver?

12
German - Deutsch / Re: DHCPv6 always assigns IPv6 with prefix 128 instead of 64
« on: April 29, 2022, 09:04:12 am »
Why are you using DHCPv6? Turn it off.

##use IPv4 connectivity: On (? I always had that off).

13
22.1 Legacy Series / Re: Does IPv6 port forwarding do anything without NPTv6?
« on: April 12, 2022, 01:40:11 pm »
Yes sure. The only "challenge" is that you need to assign the local DNS resolver some static IPv6.

14
22.1 Legacy Series / Re: Does IPv6 port forwarding do anything without NPTv6?
« on: April 12, 2022, 11:57:51 am »
Using a port forward?

Code:
TCP/IP Version IPv6
Destination Port DNS
Redirect Target IP --> the IPv6 address of the local DNS resolver
Redirect Target Port DNS

15
High availability / Re: Which Interfaces need a VirtualIP
« on: April 12, 2022, 09:32:54 am »
No, in my setup, for reasons of simplification, only LAN, WAN and Guest have a virtual IP. OpenVPN doesn't. Of course there will be no HA for OpenVPN, but I don't care.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved