Messages

1

19.1 Production Series / Re: Aliasing completely broken for me recently

« on: April 16, 2019, 08:57:28 am »

Someone may want to open an issue on github and link this thread if they have not already.

https://github.com/opnsense/core/issues/3399
https://github.com/opnsense/core/commit/00b46e05752ed5e8e98b0256ce34070ea71dfb17

patch locally, using (on >= 19.1.4):

Code: [Select]

opnsense-patch ea2f217cf


2

Intrusion Detection and Prevention / Re: Suricata blocking crashes OPNsense 1.19.4 and some earlier versions

« on: March 31, 2019, 07:07:59 pm »

Have you tried https://forum.opnsense.org/index.php?topic=11477 ?

We only support real inline mode, which requires netmap driver support, which is known to be broken in some (virtual) setups. The call for testing contains the patches which will eventually be included in OPNsense.

Snort is something we most definitely don't consider adding to OPNsense, better investigate the options available in Suricata.

Also keep in mind that pfSense likely doesn't have inline mode enabled and uses some kind of ip block list for "compromised" ip's, which isn't very fine grained when blocking possible threats, but obviously doesn't have the same hardware support constraints as well.

3

19.1 Production Series / Re: Latest download

« on: March 29, 2019, 02:37:44 pm »

should be good now

4

19.1 Production Series / Re: Security Policiy Database empty / ipsec no traffic going out

« on: March 28, 2019, 01:55:00 pm »

Hi,

Can you check if "Install policy" in your phase 1 is checked? The default should be checked but wasn't in this version, this will be fixed in the next one.

Best regards,

Ad

reference commit https://github.com/opnsense/core/commit/8b8bbc3bc73c78b536a7bd3e83dcf22e490c1678

5

19.1 Production Series / Re: "Cannot allocate memory" error after applying alias edit

« on: March 24, 2019, 02:27:33 pm »

Hi,

Yes, you can easily expand the table size in : Firewall -> Settings -> Advanced : " Firewall Maximum Table Entries"

Best regards,

Ad

6

19.1 Production Series / Re: NAT rules edit not possible after update to 19.1.3

« on: March 10, 2019, 02:02:58 pm »

Hi Adrian,

Yes, this was reported and fixed yesterday, more details here https://github.com/opnsense/core/issues/3303

Best regards,

Ad

7

18.7 Legacy Series / Re: Reload FQDN aliasses after a table flush

« on: March 08, 2019, 02:06:15 pm »

re-applying the aliases should normally do the trick just fine, a reboot as well for that matter.

If it stays empty, I assume there's another issue. Can you run this from a console?

Code: [Select]

/usr/local/opnsense/scripts/filter/update_tables.py


8

19.1 Production Series / Re: OpenVPN Export Options

« on: March 08, 2019, 12:03:46 pm »

have you tried the "File Only" option? that's what most devices expect for openvpn (the normal, standard .ovpn file format)

9

19.1 Production Series / Re: Kernel panic after upgrade

« on: March 07, 2019, 06:34:02 pm »

Hi,

I've spend more than a day trying to replicate the issue and tracking it's origin, since it doesn't occur on all EUFI boot systems.
Virtualbox for example boots without issues in UEFI mode, on Parallels (osx) I was able to find the crash as well .

Code: [Select]

fpuinit_bsp1 () at /usr/src/sys/amd64/amd64/fpu.c:241
fpuinit () at /usr/src/sys/amd64/amd64/fpu.c:277
0xffffffff810adb3b in hammer_time (modulep=<optimized out>, physfree=<optimized out>) at /usr/src/sys/amd64/amd64/machdep.c:1801
0xffffffff80316024 in btext () at /usr/src/sys/amd64/amd64/locore.S:79

Let me make one thing very clear, none of our systems suffer from this issue, a lot of people where actively involved during the beta stages up to 19.1 using all kinds of hardware.

I've seen a couple of people complaining, nagging, not being to **any** help to anyone.
I understand you have an issue, we all do, but... there are always alternatives, using other types of setups, being involved earlier and actively helping improving the system.
Don't forget, if your setup fails and you have done nothing to prevent that from happening, it's still your issue.... nobody got paid to solve it for you.

The patch [1] available might not be the final fix, nor will it fix all issues in the world, but it looks promising.

I would like to thank Franco, Shawn and anybody involved in actually pinning this issue down.

A kernel with debug options enabled is available on our website [2], but if Franco has some time available he can probably move it to a better spot, maybe build some iso with kernel.


Best regards,

Ad

• https://github.com/HardenedBSD/hardenedBSD-stable/commit/77a10c68ac3bf9cd0da50bd537dab858462c07f7
• https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/sets/kernel-19.7.a_25-amd64.txz

10

Intrusion Detection and Prevention / Re: Telemetry Status Widget / http error 403

« on: March 01, 2019, 03:11:34 pm »

Hi,

It's likely a faulty token code preventing access to Proofpoint, if you send us an email (project at our domain) with the code you are using, we can check it's validity for you.

Best regards,

Ad Schellevis

11

Hardware and Performance / Re: Realy slow performance Deciso OPN-20071-R

« on: February 22, 2019, 09:00:06 am »

That's quite an old (i386) machine, not an OPN20071R (note the missing dashes), probably based on https://www.openvox.cn/pub/misc/IPC110%20Hardware%20Installation%20Guide%20v1.0.03.pdf or could even be a IPC100

The last one we sold was likely almost 5 years ago, which is when we switched to our own mainboard design, I don't expect a very high performance, it's faster than a Alix 2D13,  which was commonly used back than.

Our guess is that this machine is around 6 years old.

12

18.7 Legacy Series / Re: Miising alias description

« on: February 20, 2019, 12:31:14 pm »

We've rebuild the feature from the ground up, which has many advantages (api support, less fragile loading, ..).

It's not a matter of removing something as it is to fit the most important use-cases when building new software. (addresses + descriptions don't fit the ui model and would complicate our data model, since in the end, it would always be separate entities).

There are always manners to improve input, we likely will add some kind of import export feature at some point in time. How it works under the hood won't change (for reasons explained)

Scripting to push aliases is pretty easy, as mentioned before, our new components always are api enabled.

13

18.7 Legacy Series / Re: Miising alias description

« on: February 19, 2019, 11:05:32 am »

plain and simple, if it's an entity worth describing, treat it like that. create an alias, and bundle sets of aliases for the firewall rule you want to create.
This is pretty standard in a lot (most?) firewall systems.

In detail:

Code: [Select]

client_1_machine_a  [192.168.1.100]
client_1_machine_b  [192.168.1.101]

client_1_all_machines [client_1_machine_a, client_1_machine_b]


14

19.1 Production Series / Re: New OpenVPN Export does not work with Windows because of UDP instead of udp

« on: February 01, 2019, 05:30:24 pm »

can you try https://github.com/opnsense/core/commit/e9d1aa457903b335c980b10ef7f37b23b5518ce7 ?

From the console, install using:

Code: [Select]

opnsense-patch e9d1aa4


15

18.7 Legacy Series / Re: Added new floating rule - in live view wrong rules are given

« on: January 05, 2019, 05:49:06 pm »

not related, but netflow is enabled in that case (

• Capture local)

You could try to see if the gui presentation matches reality by searching for the rule number manually (using the command in my first response). Maybe you have an overlapping rule matching your traffic. I haven't seen issues myself on an active and unchanged ruleset (on new records)