Topics

1

19.7 Legacy Series / Wireguard Unstable

« on: October 31, 2019, 11:31:13 pm »

Hi All,

I have been using Wireguard dev for a while and recently mived to the stable build but after moving to the stable build wireguard has become unstable. Most of the times it won't establish the connection with the server only in one occasion it was able to establish the connection there were no changes in the config and I have even tried uninstalling and doing a fresh install, still thar didn't work. How can view the Wireguard logs? It's seems really hard to troubleshoot Wireguard connectivity issues.

Thanks in advance.

Regards,
Bobby Thomas

2

19.1 Legacy Series / LAN down, cannot access firewall through LAN but works through WAN over vpn

« on: April 18, 2019, 10:38:12 am »

Hi All,

The issue started yesterday evening and there were no recent config changes. It started all of a sudden and I lost connectivity to the network while I was working from home. I have a MultiWAN setup and both of the WAN links works fine and I can access the firewall through VPN. But the issue is with LAN interface and it seems like it's totally down even though the interface status shows up in Firewall. I tried rebooting the firewall and the interface comes up and stay active for couple of minutes then it goes down. After that I cannot ping the firewall from LAN or the other way. All I get is host down (if I ping from forewall). All the WAN links are working fine and the dpinger shows up.

The issue I am guessing seems to be something with firewall rules or NAT or routing, but it's really hard to identify that, I have Zero tier and Wireguard running on the box and when I lose LAN connectivity the routing shows the LAN network gateway as a Zerotier interface or lo0 interface. Since I am running it as a VM, I tried rolling back it to an old 19.1 snapshot and it worked, but when I tried restoring the config backups the issue started happening once again.

 Any help is highly appreciated.

Thank you,
Regards,
Bobby Thomas

3

19.1 Legacy Series / Monit default mail format cannot be changed

« on: April 12, 2019, 11:41:41 pm »

Hi,

I was trying to edit the default mail-format on the monitrc file but it seems like it reverts to the default after re-initializing. Is there anyway to edit and keep the mail-format?

Thank you,
Bobby Thomas

4

19.1 Legacy Series / Issues with Monit notification

« on: March 29, 2019, 08:09:30 pm »

Hi All,

I have a MultiWAN setup and I have configured monit to monitor my primary link status. Monit working fine but the email notification is not as I expected. I am receiving receiving ICMP success notifications but not failure notifications. There is no problem with standby internet connectivity and it was working previously with "CHANGED STATUS" condition, but now after the upgrade when I put that I get syntax error. Any suggestions?

Here is the alert settings config from the monitrc:

set alert abc@gmail.com  { icmp,instance } mail-format { Subject:$SERVICE on $HOST $EVENT (ISP LINK STATE CHANGE) } reminder on 10 cycles

And here is the service and service test settings config:

check host ISP-Link-status address xxx.xxx.xxx.xxx
   if failed ping then alert

Thanks in advance,
Regards,
Bobby Thomas

5

19.1 Legacy Series / Issues with Multi WAN

« on: March 14, 2019, 11:24:49 pm »

I am facing issues with Multiwan routing. My primary ISP link is not stable and it goes offline quite often, so I planned using my 3G data plan as a backup link. I bought a Huawei LTE modem and it works perfectly, it has an ethernet interface which connects to my OPNsense as a WAN2 Gateway. I have assigned a weight of 1 while I kept the the weight of the primary gateway at 5. I have set Gateway priority of Primary WAN link to 1 and other WAN gateway priority to tier 5. I have created a LAN rule to use Gateway group as the new gateway.

Our Wan link has been down since today evening and since then it's working on the LTE link. But it seems like there is some issue with routing. In the Gateway groups both are showing as active and LTE gateway is being used for all the traffic regardless where the traffic originates. I have created a policy based routing config and based on that all ICMP traffic to 8.8.8.8 should go through WAN gateway 1 and ICMP traffic to 8.8.4.4 should go through WAN gateway 2, even if I have that configured the traffic is sent to WAN gateway 2. Can someone help me identify the issue with Multiwan setup?

Thank you,
Regards,
Bobby Thomas

Sent from my ONEPLUS A5000 using Tapatalk

6

18.7 Legacy Series / DNS doesn't work after upgrade to 18.7.9

« on: December 22, 2018, 07:14:14 am »

Hi Everyone,

I have tried upgrading my OPNsense firewall to 18.7.9 twice from 18.7.8, both of the time after the upgrade DNS doesn't work. So the only way to get this fixed is by rolling back to 18.7.8, as I am running it as a VM I can roll back to 18.7.8 and everything works  after that. Any changes in DNS structure from 18.7.9? Any help highly appreciated.

Thank you,
Regards,
Bobby Thomas

7

18.7 Legacy Series / Openconnect VPN dns is overriding configured DNS servers

« on: September 19, 2018, 12:48:15 am »

Hi,

I am connecting to my office network using openconnect and it's really a nice plugin to have. But my only concern is that the anyconnect vpn to my office is configured with Tunnel-all dns in ASA anyconnect option which inserts my corporate DNS server as the default DNS server for the OPNsense. Is it anyway possible to override the tunnel all dns option, so that Firewall perform the name server lookup based on locally configured dns servers?

Thanks in advance.

Regards,
Bobby Thomas

8

18.7 Legacy Series / PPPoE not reconnecting

« on: August 06, 2018, 08:14:24 am »

 Hi Team,

It was a smooth transition from 18.1 to 18.7 everything went well but after the upgrade I started noticing issues with my PPPoE connection, if the connection goes down it doesn't come back automatically, I have to login to firewall and issue connect option or reload the interface to bring back the connection. I have a multiwan setup and I don't see any specific logs. Anyone else experienced this?

Thank you,
Regards,
Bobby Thomas

9

17.7 Legacy Series / Lots of Parsing errors in Surricata logs for snort_vrt rules

« on: January 25, 2018, 03:39:44 pm »

Hi,

I am seeing a large number of parsing errors in the Surricata logs and most of these are related to the snort_vrt rules. It looks like Surricata is not able to parse snort rules, how can we fix this?

Code: [Select]

19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop  tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-samba.rules at line 53
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:8;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 278
19/1/2018 -- 03:55:55 - <Notice> - rule reload complete

Thank you,
Regards,
Bobby Thomas

10

17.7 Legacy Series / IPSec Road warrior VPN only supports one LAN interface?

« on: January 20, 2018, 10:41:06 am »

It looks like we can only add one LAN segment to the encryption domain, even if I add a new phase 2 entry for second LAN interface it's not showing up in IPSec status. I cannot access the 2nd LAN network. Is it possible to add subnets instead of Interface network in IPSec VPN.

Thank you,
Regards,
Bobby Thomas

11

17.7 Legacy Series / Web GUI not loading.

« on: January 19, 2018, 08:57:55 pm »

Hi All,

This is the second time I am posting this in the forum. I am facing issues accessing Opnsense Web GUI from the LAN interface. If I use the dynamic dns it's working. If I disable HTTPS I can access the web console. I created a new internal certificate and used it for https without any success. Changed from LibreSSL to openSSL, no success and it doesn't work. Tried different web browsers, but nothing worked. The same access is working over ZeroTier VPN. I can access web console using the same browser but using the ZeroTier interface IP. If I use LAN IP browser doesn't respond.

When I run wireshark capture, I can see that my PC is trying to start a TLS session (TLS hello message) and 3 way handshaking completes, and then my PC sends a TCP RST, I was wondering that this could be some issue related to SSL parameters. But I tried this on different devices and the results are same. Just wondering how I can fix this.

Thanks in advance.

Regards,
Bobby Thomas

12

17.7 Legacy Series / [Solved] Multi WAN not working in new DMZ interface.

« on: January 02, 2018, 09:18:51 am »

Hi,

I have recently configured a new DMZ interface to host my BitTorrent client. Previously this was on my inside network and Multi WAN loadbalancing was working without any issues, but since I moved it to DMZ multi WAN load balancing is not working. When my primary link goes down it loses internet connectivity, while I have internet access on the LAN interface through secondary link. I am able to ping the gateway and monitoring IP from the DMZ host when the primary link is down and it's able to resolve DNS, but whenever I try to ping any other host I am getting destination host unreachable from the firewall DMZ interface.

Any solution?

Thank you,
Regards,
Bobby Thomas

13

17.7 Legacy Series / MultiWAN link utilization based load balancing

« on: November 30, 2017, 10:48:28 am »

Is it possible to load balance the gateways based on the link utilization?

Thank you,
Regards,
Bobby Thomas

14

17.7 Legacy Series / After upgrade to 17.7.8 web gui is inaccessible over local lan.

« on: November 26, 2017, 09:55:16 am »

Hi All,

I recently upgraded from 17.7.7 to 17.7.8, since then I am facing issues accessing web gui(both http and https). I can access it using the dynamic dns, but not using the LAN ip(default login method). It's even accessible over the zerotier tunnel interface IP but not over lan. It gives me website not responding message.

Any help is highly appreciated.

Thanks in advance,
Regards,
Bobby Thomas

15

17.7 Legacy Series / ZeroTier Routing

« on: November 03, 2017, 12:33:20 am »

Hi All,

I have completed the Zerotier setup and I am able to reach the hosts over the Zerotier VPN network. I have created a new interface and allowed all communication through it, still LAN network is unable to access the Zerotier network. I cannot even ping the Zerotier IP of the firewall from my LAN.  While I can ping and access the Zerotier devices from the firewall. Any help?

Note: I tried disabling NAT for the traffic still it didn't help. When I do a packet capture (on LAN interface), I can see ICMP echo requests to Zerotier IP from LAN range but when I do the capture on Zerotier interface I don't see any traffic from LAN range.

Thank you,
Regards,
Bobby Thomas