Topics - TheLatestWire

#1
I've installed a fresh copy of OPNsense 21.1 and restored from backup config file.  I'd like to update to just OPNsense 21.1.9 and hold off on 21.7 for a bit and stay at 21.1.9 but when I check for updates it wants to install 21.7 and I just can't seem to find a config setting to stay on 21.1.x Marvelous Meerkat series.  Any assistance would be greatly appreciated.
#2
Just wanted to say thanks to franco and the entire team for all their hard work and efforts on the incredible project.

The traffic graphs really look amazing.

#3
General Discussion / How to enable log forwarding?
December 19, 2020, 04:31:42 AM
I'd like to forward logs to Alien Vault OSSIM but I can't seem to find the setting to do this anywhere in OPNsense.  Is this log forwarding possible?
#4
Hi,

I'm wondering if this is expected behavior or perhaps a bug.  I want to remove the domain line listed in my DHCPv4 clients' /etc/resolv.conf and have no domain line listed.  They were getting this value from my OPNsense DHCPv4 server.

I cleared/deleted the value in the domain field on my OPNsense DHCPv4 server, but it was never removed from the clients.  I tried releasing/renewing at the clients and also waited a day.  I ended up replacing the blank field with a different value and then that new value was sent to the clients.

Is it not possible to entirely remove the domain value from DHCPv4 clients' /etc/resolv.conf?

Thanks.
#5
Hi,

I receive the popup error "Cannot allocate memory" after I hit apply in the Firewall/Aliases section.  I've discovered that I don't have to add/edit or change any of the aliases but if I even simply go to the Aliases section and hit "Apply" after making no changes, I still get the error.



I do have quite a few aliases that contain a large number of CIDRs but this error is something relatively new, maybe only started after the last two updates.

I'm using the current, up to date v19.1 production series:
OPNsense 19.1.4-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2r 26 Feb 2019

Is there a tunable that I could adjust or should I start examining my large aliases perhaps?

Any assistance would be greatly appreciated.

Thanks,
ObecalpEffect.
#6
Hi,

All my aliases in Firewall/Aliases are missing.  I know that I have a number of aliases.  I can still see that they are applied by looking at the Firewall/Rules.  I see them in there, but if I click to Edit one of the aliases in Firewall/Rules, it just takes me back to a blank aliases page.

Any thoughts?  I'm running 18.7.6-amd64.

Here's what I'm seeing:
https://imgur.com/a/kuLFrP7

I'd be grateful for any thoughts, insight or assistance as I need to edit one of the Aliases.

Thanks,
ObecalpEffect


#7
Hi,

I've noticed for quite a long time that my user defined IDS GeoIP drop rules just aren't working.  I just verified it this evening when SPAM from 45.65.227.2 was delivered to my email server which is behind my OPNsense firewall.

45.65.227.2 is identified by geoiplookup on the OPNsense server as Argentina which is in my source block rule.

I just don't understand why if geoiplookup from the shell of the OPNsense server itself successfully identifies the country of origin, why isn't it being blocked?

Nearly everything that makes it through my firewall should be blocked by the countries I'm blocking with the IDS geoipblock rule but they aren't.   Is there any way this feature could be improved on please?

Thanks,
ObecalpEffect.
#8
Hi - There's an angry red error on the console at startup on my OPNsense server.  I can't seem to find it in any of the log files or dmesg but I might not be looking in the right places.

The message is:
SC_ERR_MISSING_CONFIG_PARAM 118 No logging compatible with daemon mode selected

I'm not sure it's affecting anything but it's got my attention since it's in red at the console.

Anyone have any insight please?

Thanks.
#9
Hi,

I thought I just disabled the two NAT rules to my internal www server, but with that rule disabled I just noticed the admin web GUI for my OPNsense server is then publicly accessible.  I must be misunderstanding something somewhere.  I certainly don't want my OPNsense server accessible from the internet.

I've attached a screenshot of the NAT rules.  I re-enabled them to block access to the admin webgui, but now my web server is publicly accessible again which was what I was hoping to disable for a while.  Maybe I should just delete the NAT rules instead of disabling them?

Thanks,
ObecalpEffect.
#10
17.1 Legacy Series / SSL Weirdness [SOLVED]
March 19, 2017, 02:55:24 AM
Hi,

Just a short time after logging into my OPNsense system and adjusting a firewall alias and then logging out, I tried to log back in and was presented with a SEC_ERROR_UNKNOWN_ISSUER insecure connection warning that I had not seen just 20 minutes earlier.  I hadn't installed any updates in those twenty minutes.

Maybe I'm just misunderstanding or forgetting the webconfigurator website behavior but it just seemed odd. Is the correct cert for the web/gui front end to OPNsense the /var/etc/cert.pem file?  Maybe I'm just being paranoid, it's just that all my browsers on all my systems, suddenly told me it was an untrusted cert, when just 20 minutes earlier it was trusted.

Any insight or suggestions would be greatly appreciated.

Many thanks,
ObecalpEffect.
#11
Hello,

I've successfully installed and configured nut to monitor a UPS connected to another computer on my network but I can't figure out how to set the nut_upsmon service to start automatically when OPNsense boots.  I tried creating /etc/rc.conf and added the following:
nut_enable="YES"
nut_upslog_enable="YES"
nut_upsmon_enable="YES"

This allows me to check the nut service status with "service nut_upsmon status", which would fail with a complaint without those lines in that file, but the service still doesn't start when OPNsense boots.

I'm guessing it has something to do with the fact that the nut config files really exist in /usr/local/etc/nut but I can't figure out what I need to do in order to enable the service to start automatically.

Could someone give me a hint or suggestion please?

Thanks,
ObecalpEffect.
#12
Is it just me, or is anyone else seeing an empty Lobby/Dashboard after the most recent updates?  I updated one system and the lobby is empty but glancing at another system without the most recent updates installed shows the normal lobby stuff like System Information, Gateways, Interface List, Service Status, etc...
#13
Hi - I previously encountered an issue that prevented me from adding new networks to an alias that was a very long list of CIDR networks (~2500).  Franco created a patch that fixed the issue, but now it seems to have returned.

To reproduce the issue, I click on "Firewall/Aliases/View" and then click to edit one of my aliases which is a long list of CIDR networks.  I scroll all the way to the bottom of the list and add the new CIDR network, then click "Save".  When it was working, it would then return me to the list of Aliases with a "Click to Apply" button, but now it just returns me to the same Alias that I added a new entry to with the "Save/Cancel" button at the bottom of the page.

Is it possible to edit/add to aliases from the shell?  Maybe I could do this as a temporary work around?

Any assistance would be greatly appreciated.
Thanks.

#14
Hi - For the last few days I've been unable to fetch updates.  I get "Connection Error".  I'm wondering if I've inadvertently blocked the update mirror or if it's perhaps down.

I noticed this in the log file but I'm not sure what to make of it.

Mar 23 08:43:47 OPNsense configd.py: [43fa4099-7ea5-4ebf-992c-a7000f60502c] retrieve package status
Mar 23 08:46:55 OPNsense lighttpd[49412]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

Any assistance would be greatly appreciated.
Thank you.
#15
Hi - I'm wondering if I don't have the IDS/GeoIP blocking setup quite right, or if maybe it's not completely 100% successful at blocking all traffic?

I blocked a lot of countries, including Iran, but later that day I received a SPAM email on a server behind OPNsense that came from Iran.  A geoiplookup utility identifies it as Iran, as does its whois info.  The IP address was 2.180.53.127

(7) -->  geoiplookup 2.180.53.127
GeoIP Country Edition: IR, Iran, Islamic Republic of
GeoIP City Edition, Rev 1: IR, 16, Kordestan, N/A, N/A, 35.713100, 47.265598, 0, 0
GeoIP ASNum Edition: AS48159 Telecommunication Infrastructure Company

(5) -->  whois 157.55.234.250
inetnum:        2.180.16.0 - 2.180.63.255
netname:        tckhr-DSL
descr:          Telecommunication Company of Khorasan Razavi for ADSL users
country:        IR
person:         Jamil Sabaghi
address:        Khomeini ST Mashhad Iran

Here's a snippet from my mail server:
Mar 22 10:15:53 myhostname postfix/smtpd[2629]: connect from unknown[2.180.53.127]
Mar 22 10:15:56 myhostname postfix/smtpd[2629]: CEAD023BA027: client=unknown[2.180.53.127]
Mar 22 10:15:57 myhostname postfix/cleanup[2639]: CEAD023BA027: message-id=<9059532066.SIM_0099577ADC51@myhostname.com>
Mar 22 10:15:57 myhostname postfix/qmgr[3927]: CEAD023BA027: from=<tarrantNikki09@biurex.pl>, size=5807, nrcpt=1 (queue active)
Mar 22 10:15:57 myhostname postfix/smtpd[2629]: disconnect from unknown[2.180.53.127] ehlo=1 mail=1 rcpt=1 data=1 quit=1 command$
Mar 22 10:16:02 myhostname postfix/local[2640]: CEAD023BA027: to=<user@myhostname.com>, relay=local, delay=9, delays=3.7/0.01/0/$

Here's how I have IDS/GeoIP setup on OPNsense:
http://imgur.com/a/iVRJx

Is there a log that would show me drops due to IDS/GeoIP matches?  Any insight would be greatly appreciated.

Thanks.

#16
Is there a limit to the number of networks that can be in a single ALIAS?  I have a very long list of CIDR networks in a single ALIAS that I'm trying to add to but after clicking + and entering a new one, followed by "save", they don't appear on the page when it reloads.
#17
Hello,

Is it possible to setup DHCP reservations with the DHCP server in OPNsense?  I can't seem to find an area where I can do it in the web GUI.

I'm transitioning from m0n0wall's DHCP service, which has a number of reservations, to OPNsense. I was hoping to setup the reservations before I  move to OPNsense's DHCP service.

Thanks.
#18
General Discussion / How to Import M0n0wall Rules?
December 30, 2015, 11:59:07 PM
Sorry if I'm missing something obvious. I looked through the documentation, did some google searches and searched through the GUI, but I can't seem to find a way to import my m0n0wall rules. Is this possible? Or can I edit a single file on the console and insert them? Most of the rules are specific CIDR network denies.