OPNsense
Topics - bobbythomas

1
21.1 Production Series / How to move SWAP to a different drive?
« on: February 24, 2021, 09:46:36 pm »
Hi there,

This may not be much related to OPNsense, but I would like to get some guidance on moving SWAP to a new partition/disk. Currently I am running an OPNsense VM on Proxmox with an SSD; I would just like to move the SWAP partition to another HDD. Is it possible?

Thanks in Advance,

Regards,
Bobby Thomas

2
20.7 Legacy Series / Having issues getting public IP on WAN interface
« on: December 24, 2020, 04:05:06 pm »
Hi Team,

Hope everyone is enjoying the holidays.

Well, it seems like my holidays are going from bad to worse. Coming to the point: I have an OPNsense firewall set up in a VM in Proxmox and it has been working great. A couple of weeks back my ISP replaced my Docsis 3 ethernet cable modem with a wifi one, and since then I have been facing issues. I have disabled the wifi on the new wifi Docsis modem and configured bridge mode (as I need the public IP terminating on my OPNsense firewall). I got a public IP on the modem for some time, then it started causing issues: I started getting an IP address from the 192.168.5.0/24 range even though I have disabled the DHCP service on the wifi modem. Whatever I do, I only receive an IP address from the range 192.168.5.0/24 on my OPNsense firewall, while if I connect a PC to the modem I am getting a public IP issued by the ISP DHCP server. I am scratching my head to understand why it's happening like this.

I also tried a different approach by assigning the MAC address of the PC to the OPNsense WAN interface, and then it gets the public IP but it cannot communicate with anything in the WAN (cannot ping the gateway, and it seems no traffic is passing through). Any idea how I can get this issue fixed? I think there is some issue with the OPNsense DHCP client service.

Thanks in advance,
Regards,
Bobby Thomas

3
20.7 Legacy Series / Letsencrypt certificate export or HA proxy config? Need opinion
« on: October 29, 2020, 09:34:59 am »
Hi OPNSensers,

I am a bit confused here, trying to think of a method to implement a solution. Here are some details about the issue I am currently facing. I have an Openhab server for automation on the inside and I have access to it over http/https only from inside. There are some Android apps which require https and a public CA-signed certificate for API access (as from Android 10 they have those restrictions). I have the Letsencrypt service running for a CA cert which signs my ddns domain. I previously had pi-hole, where I had created a static DNS A record for my ddns domain pointing to Openhab, and then I imported the Letsencrypt certificate to Openhab from OPNsense; after this the Android app worked well. Now I have moved away from pi-hole as I am now using Unbound and Bind for DNS filtering. Also it's very hectic to manually import the certificate to Openhab every three months, so I want to know if I can use HA proxy for this purpose. I only need to access this server from inside and VPN networks and not from outside, but I need it to use the Letsencrypt cert for SSL.

It may be a little confusing to follow, but let me know if you require any additional details.

Thanks in advance
Regards,
Bobby Thomas

4
20.7 Legacy Series / [SOLVED] Wireguard not working after upgrade.
« on: August 02, 2020, 06:04:01 pm »
Hi All,

I just upgraded my firewall from 20.1.9 to 20.7, and the upgrade went smoothly. The only issue I am seeing is with the WireGuard VPN. After the upgrade the WireGuard VPN service was showing down, and when I tried to start the service it would not start. So I went through the logs and found the below.

Code:
root@firewall:~ # cat /var/log/system.log | grep wg
Aug  2 20:52:13 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:52:13 firewall kernel: wg0: deletion failed: 3
Aug  2 20:52:13 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:56:30 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:56:30 firewall kernel: wg0: deletion failed: 3
Aug  2 20:56:30 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:58:07 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:58:08 firewall kernel: wg0: deletion failed: 3
Aug  2 20:58:08 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:12:08 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:12:09 firewall kernel: wg0: deletion failed: 3
Aug  2 21:12:09 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:13:46 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:13:46 firewall kernel: wg0: deletion failed: 3
Aug  2 21:13:46 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:01:26 firewall kernel: ifa_maintain_loopback_route: deletion failed for interface wg0: 3
Aug  2 20:01:26 firewall kernel: wg0: link state changed to DOWN

Is this some kind of bug? It seems to me like the system is unable to rename the tunnel interface.

Any help is appreciated.

Thank you,
Regards,
Bobby Thomas

5
19.7 Legacy Series / Wireguard Unstable
« on: October 31, 2019, 11:31:13 pm »
Hi All,

I have been using Wireguard dev for a while and recently moved to the stable build, but after moving to the stable build Wireguard has become unstable. Most of the time it won't establish the connection with the server; only on one occasion was it able to establish the connection. There were no changes in the config and I have even tried uninstalling and doing a fresh install, but that still didn't work. How can I view the Wireguard logs? It seems really hard to troubleshoot Wireguard connectivity issues.

Thanks in advance.

Regards,
Bobby Thomas

6
19.1 Legacy Series / LAN down, cannot access firewall through LAN but works through WAN over vpn
« on: April 18, 2019, 10:38:12 am »
Hi All,

The issue started yesterday evening and there were no recent config changes. It started all of a sudden and I lost connectivity to the network while I was working from home. I have a MultiWAN setup; both of the WAN links work fine and I can access the firewall through VPN. But the issue is with the LAN interface and it seems like it's totally down even though the interface status shows up in the firewall. I tried rebooting the firewall and the interface comes up and stays active for a couple of minutes, then it goes down. After that I cannot ping the firewall from the LAN or the other way around. All I get is host down (if I ping from the firewall). All the WAN links are working fine and dpinger shows up.

The issue, I am guessing, seems to be something with firewall rules or NAT or routing, but it's really hard to identify. I have ZeroTier and Wireguard running on the box, and when I lose LAN connectivity the routing shows the LAN network gateway as a ZeroTier interface or the lo0 interface. Since I am running it as a VM, I tried rolling it back to an old 19.1 snapshot and it worked, but when I tried restoring the config backups the issue started happening once again.

Any help is highly appreciated.

Thank you,
Regards,
Bobby Thomas

7
19.1 Legacy Series / Monit default mail format cannot be changed
« on: April 12, 2019, 11:41:41 pm »
Hi,

I was trying to edit the default mail-format in the monitrc file, but it seems like it reverts to the default after re-initializing. Is there any way to edit and keep the mail-format?

Thank you,
Bobby Thomas

8
19.1 Legacy Series / Issues with Monit notification
« on: March 29, 2019, 08:09:30 pm »
Hi All,

I have a MultiWAN setup and I have configured monit to monitor my primary link status. Monit is working fine but the email notification is not as I expected. I am receiving ICMP success notifications but not failure notifications. There is no problem with standby internet connectivity, and it was working previously with the "CHANGED STATUS" condition, but now after the upgrade when I put that in I get a syntax error. Any suggestions?

Here is the alert settings config from the monitrc:

set alert abc@gmail.com  { icmp,instance } mail-format { Subject:$SERVICE on $HOST $EVENT (ISP LINK STATE CHANGE) } reminder on 10 cycles

And here is the service and service test settings config:

check host ISP-Link-status address xxx.xxx.xxx.xxx
   if failed ping then alert

Thanks in advance,
Regards,
Bobby Thomas

9
19.1 Legacy Series / Issues with Multi WAN
« on: March 14, 2019, 11:24:49 pm »
I am facing issues with Multiwan routing. My primary ISP link is not stable and it goes offline quite often, so I planned on using my 3G data plan as a backup link. I bought a Huawei LTE modem and it works perfectly; it has an ethernet interface which connects to my OPNsense as the WAN2 gateway. I have assigned a weight of 1 while I kept the weight of the primary gateway at 5. I have set the gateway priority of the primary WAN link to 1 and the other WAN gateway priority to tier 5. I have created a LAN rule to use the gateway group as the new gateway.

Our WAN link has been down since this evening and since then it's working on the LTE link. But it seems like there is some issue with routing. In the gateway groups both are showing as active and the LTE gateway is being used for all the traffic regardless of where the traffic originates. I have created a policy-based routing config, and based on that all ICMP traffic to 8.8.8.8 should go through WAN gateway 1 and ICMP traffic to 8.8.4.4 should go through WAN gateway 2; even with that configured the traffic is sent to WAN gateway 2. Can someone help me identify the issue with the Multiwan setup?

Thank you,
Regards,
Bobby Thomas



10
18.7 Legacy Series / DNS doesn't work after upgrade to 18.7.9
« on: December 22, 2018, 07:14:14 am »
Hi Everyone,

I have tried upgrading my OPNsense firewall to 18.7.9 twice from 18.7.8, and both times DNS doesn't work after the upgrade. So the only way to get this fixed is by rolling back to 18.7.8; as I am running it as a VM I can roll back to 18.7.8 and everything works after that. Any changes in the DNS structure from 18.7.9? Any help is highly appreciated.

Thank you,
Regards,
Bobby Thomas

11
18.7 Legacy Series / Openconnect VPN dns is overriding configured DNS servers
« on: September 19, 2018, 12:48:15 am »
Hi,

I am connecting to my office network using openconnect and it's really a nice plugin to have. But my only concern is that the AnyConnect VPN to my office is configured with the Tunnel-all DNS option in the ASA AnyConnect settings, which inserts my corporate DNS server as the default DNS server for the OPNsense. Is there any way to override the tunnel-all DNS option, so that the firewall performs name server lookups based on the locally configured DNS servers?

Thanks in advance.

Regards,
Bobby Thomas

12
18.7 Legacy Series / PPPoE not reconnecting
« on: August 06, 2018, 08:14:24 am »
Hi Team,

It was a smooth transition from 18.1 to 18.7 and everything went well, but after the upgrade I started noticing issues with my PPPoE connection: if the connection goes down it doesn't come back automatically, and I have to log in to the firewall and issue the connect option or reload the interface to bring the connection back. I have a multiwan setup and I don't see any specific logs. Has anyone else experienced this?

Thank you,
Regards,
Bobby Thomas

13
17.7 Legacy Series / Lots of parsing errors in Suricata logs for snort_vrt rules
« on: January 25, 2018, 03:39:44 pm »
Hi,

I am seeing a large number of parsing errors in the Suricata logs, and most of these are related to the snort_vrt rules. It looks like Suricata is not able to parse the snort rules; how can we fix this?

Code:
19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop  tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-samba.rules at line 53
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:8;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 278
19/1/2018 -- 03:55:55 - <Notice> - rule reload complete

Thank you,
Regards,
Bobby Thomas
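A small triage script for logs like the ones quoted in the post above, added here as an example and not code from the post or the OPNsense project. Suricata logs the reason for a rejected rule on one `<Error>` line and the offending signature (with its file and line number) on the next, so the script pairs the two and reports which sids in which rule files failed to load; the sample log is constructed in that format with the signatures abbreviated.

```python
"""Pair Suricata 'error parsing signature' lines with the preceding
<Error> line that carries the reason, and extract sid, rule file and
line number. Added example; sample log constructed from the post's format."""
import re
from collections import defaultdict

# Constructed sample in the log format shown in the post (signatures abbreviated).
SAMPLE_LOG = """\
19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER example"; content:"-2013.zip"; fast_pattern:only; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA example"; byte_test:1,=,0x05,6,relative,bitmask 0x14; sid:45074; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-samba.rules at line 53
19/1/2018 -- 03:55:55 - <Notice> - rule reload complete
"""

ERROR_RE = re.compile(r"^\S+ -- \S+ - <Error> - \[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<msg>.*)$")
PARSE_RE = re.compile(r'^error parsing signature "(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rule_errors(log_text):
    """Return one record per signature Suricata refused to load."""
    failures, reason = [], None
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if not m:          # any non-error line breaks the reason/signature pairing
            reason = None
            continue
        p = PARSE_RE.match(m.group("msg"))
        if not p:          # Suricata logs the reason first, then the signature line
            reason = m.group("msg")
            continue
        sid = SID_RE.search(p.group("sig"))
        failures.append({"sid": int(sid.group(1)) if sid else None,
                         "file": p.group("file"), "line": int(p.group("line")),
                         "reason": reason or m.group("code")})
        reason = None
    return failures


def sids_by_file(failures):
    """Map rule file -> sorted failing sids, for reviewing which vendor rules never loaded."""
    out = defaultdict(list)
    for f in failures:
        if f["sid"] is not None:
            out[f["file"]].append(f["sid"])
    return {k: sorted(v) for k, v in out.items()}
```

Run it against the real `suricata.log` by reading the file into `parse_rule_errors`; rules listed by `sids_by_file` are silently absent from the loaded ruleset until the parse error is resolved.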

14
17.7 Legacy Series / IPSec Road warrior VPN only supports one LAN interface?
« on: January 20, 2018, 10:41:06 am »
It looks like we can only add one LAN segment to the encryption domain; even if I add a new phase 2 entry for the second LAN interface, it's not showing up in the IPsec status. I cannot access the 2nd LAN network. Is it possible to add subnets instead of the interface network in the IPsec VPN?

Thank you,
Regards,
Bobby Thomas

15
17.7 Legacy Series / Web GUI not loading.
« on: January 19, 2018, 08:57:55 pm »
Hi All,

This is the second time I am posting this in the forum. I am facing issues accessing the OPNsense web GUI from the LAN interface. If I use the dynamic DNS name it's working. If I disable HTTPS I can access the web console. I created a new internal certificate and used it for HTTPS without any success. I changed from LibreSSL to OpenSSL, with no success; it doesn't work. I tried different web browsers, but nothing worked. The same access is working over the ZeroTier VPN: I can access the web console using the same browser but using the ZeroTier interface IP. If I use the LAN IP the browser doesn't respond.

When I run a Wireshark capture, I can see that my PC is trying to start a TLS session (TLS hello message) and the 3-way handshake completes, and then my PC sends a TCP RST. I was wondering whether this could be some issue related to SSL parameters, but I tried this on different devices and the results are the same. Just wondering how I can fix this.

Thanks in advance.

Regards,
Bobby Thomas

OPNsense is an OSS project © Deciso B.V. 2015 - 2021 All rights reserved