
Topics - Manxmann

#1
Hi Folks,

I just upgraded a couple of my firewalls to test the new 25.x release stream before committing to move our entire estate.

So far everything looks good and we've only encountered one niggle: specifically, the API responses seem to have changed, e.g.

On a 24.x series or earlier instance, calling core/system/status would return:

{
  "CrashReporter": {
    "statusCode": 2,
    "message": "No problems were detected.",
    "logLocation": "/crash_reporter.php",
    "timestamp": "0",
    "status": "OK"
  },
  "Firewall": {
    "statusCode": 2,
    "message": "No problems were detected.",
    "logLocation": "/ui/diagnostics/log/core/firewall",
    "timestamp": "0",
    "status": "OK"
  },
  "System": {
    "status": "OK"
  }
}

Since the 25.x upgrade this same call now returns:

{
  "metadata": {
    "system": {
      "status": 2,
      "message": "No pending messages",
      "title": "System"
    },
    "translations": {
      "dialogTitle": "System Status",
      "dialogCloseButton": "Close"
    },
    "subsystems": []
  }
}


It appears that the 3 previous sections, crash reporter / firewall / system, have been combined into a single 'No pending messages' response.

No problem, and this kind of makes sense; the issue is I can't find documentation on what the various responses will be in the event of, say, a PHP crash or a firmware update failure, so we cannot code around that change.

Can anyone provide me with info or a link to the 'Status/Message' responses that may be returned?

Cheers :)
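As an added example (not part of the post above and not OPNsense project code), here is one way monitoring code can consume both response shapes without guessing at undocumented codes. The two embedded documents are the responses quoted in the post; the value 2 being the only healthy `metadata.system.status` is an assumption drawn from that sample, and everything else is treated as a problem so that a new code or a populated `subsystems` list raises an alert instead of reading as "OK". The `fetch_status` helper assumes the usual OPNsense key/secret basic-auth scheme and is not exercised offline.

```python
import json
import ssl
import urllib.request
from base64 import b64encode
from typing import Any, Dict

# The two responses quoted in the post, embedded so the example runs offline.
SAMPLE_24X: Dict[str, Any] = json.loads("""
{
  "CrashReporter": {"statusCode": 2, "message": "No problems were detected.",
                    "logLocation": "/crash_reporter.php", "timestamp": "0", "status": "OK"},
  "Firewall": {"statusCode": 2, "message": "No problems were detected.",
               "logLocation": "/ui/diagnostics/log/core/firewall", "timestamp": "0", "status": "OK"},
  "System": {"status": "OK"}
}
""")

SAMPLE_25X: Dict[str, Any] = json.loads("""
{
  "metadata": {
    "system": {"status": 2, "message": "No pending messages", "title": "System"},
    "translations": {"dialogTitle": "System Status", "dialogCloseButton": "Close"},
    "subsystems": []
  }
}
""")

# Assumption: 2 is the only metadata.system.status value observed on a healthy
# 25.x box. No other codes are documented, so anything else is treated as a problem.
KNOWN_GOOD_25X_STATUS = 2


def normalise_status(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce either response shape to one record the monitoring code can act on.

    Returns {"shape", "healthy", "code", "message", "details"}. Undocumented codes
    or any listed subsystem mark the box unhealthy (fail closed), so a schema
    change is noticed rather than silently reported as OK.
    """
    if "metadata" in doc:  # 25.x shape
        meta = doc["metadata"]
        system = meta.get("system", {})
        subsystems = meta.get("subsystems", [])
        healthy = system.get("status") == KNOWN_GOOD_25X_STATUS and not subsystems
        return {
            "shape": "25.x",
            "healthy": healthy,
            "code": system.get("status"),
            "message": system.get("message", ""),
            "details": {"subsystems": subsystems},
        }

    # 24.x shape: one object per subsystem, each carrying its own "status".
    sections = {name: v for name, v in doc.items() if isinstance(v, dict)}
    if not sections:
        raise ValueError("unrecognised core/system/status document")
    problems = {name: s for name, s in sections.items() if s.get("status") != "OK"}
    return {
        "shape": "24.x",
        "healthy": not problems,
        "code": None,
        "message": "; ".join(
            f"{name}: {s.get('message', s.get('status'))}" for name, s in problems.items()
        ),
        "details": {"problems": problems},
    }


def fetch_status(host: str, api_key: str, api_secret: str) -> Dict[str, Any]:
    """Fetch /api/core/system/status over HTTPS with key/secret basic auth.

    Assumption: this is the usual OPNsense API authentication scheme. The
    certificate is verified against the system trust store on purpose; install
    the firewall's CA rather than disabling verification.
    """
    token = b64encode(f"{api_key}:{api_secret}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/api/core/system/status",
        headers={"Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for label, doc in (("24.x", SAMPLE_24X), ("25.x", SAMPLE_25X)):
        print(label, normalise_status(doc))
```

The point of the fail-closed branch is the same as the question in the post: until the 25.x codes are documented, a monitor that maps "2 and an empty list" to healthy and everything else to an alert will at least not miss a crash report because the shape changed under it.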

#2
Hi Folks,

I have a question regarding updates, or more accurately the availability check for updates.

I have a few OPNsense firewalls in use and, to conserve inbound bandwidth, I rsync the contents of a remote 'official' repo to a local web server on my site. Each firewall is then configured with a custom repo URL pointing at this local web server.

This solution works well and allows me to conserve bandwidth as designed. It does, however, leave me with one question: if I DON'T update my local repo, my firewalls still 'detect' firmware updates/releases. Attempting to update from the local 'out of date' repo correctly gives a 'No updates available on repo' error.

So if the configured repo does not have an update, where is the firewall looking to 'find' update availability? What other unconfigured 'dial home' activities does the firewall do?

Simon
#3
17.1 Legacy Series / IPSec reported tunnels
May 30, 2017, 02:57:26 PM
Hi Folks,

Sorry me again :)

More of an observation than a bug. I have a number of 'site to site' IPsec VPNs in place between 5 different sites. All sites run OPNsense, mostly 17.1.7 but one is 17.1.4.

Everything works and for the most part is trouble-free, but on each host I see odd numbers reported for the number of connected tunnels. For example, I have one FW configured with one phase 1 link and two phase 2 links using IKEv1. The Dashboard shows 4 Active tunnels and -2 Inactive.

I have also noted at times that all the tunnels on a host can be 'Active' and working and the Dashboard shows 0 Active and 0 Inactive. When this occurs, checking VPN/IPsec/Status Overview shows nothing. Restarting the strongSwan daemon corrects this.

Whilst this odd behaviour doesn't seem to affect the IPsec function, it does make diagnosing problems somewhat tricky.

Cheers
#4
Hi Folks,

I'm having an issue with FTP Proxy so need some guidance again.

OK, first off, the network plan is as follows:

[Internet] > [OPNSense] > [FTP Server vsftpd]

So far I've:

/ Installed the FTP-Proxy plugin
/ Configured a single proxy instance listening on 127.0.0.1:8021, with the reverse address set to the internal IP of the FTP server, port 21
/ Added a WAN rule allowing ftp/21 to the WAN IP address
/ Added a port forward rule forwarding WAN ftp/21 to 127.0.0.1:8021

OK, if I ftp to the WAN IP address I can connect to the FTP proxy and log on to the target FTP server (either anonymous or a local user account). However, if I then try to perform any action I get the following (the command hangs, hence the Ctrl+C to cancel):

yyyyy@GC-JUMPBOX:~$ ftp -v 159.8.x.x
Connected to 159.8.x.x.
220 Welcome to the Txxx Sxxxx Patching FTP service.
Name (159.8.x.x:yyyyy): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
^C
421 Service not available, remote server has closed connection

receive aborted
waiting for remote to finish abort
ftp>

The clients tested are Debian's default FTP client and MS Windows; both can connect to ftp.debian.org, for example, which eliminates the local firewall.

It looks like when the FTP client issues the N+1 request, the proxy doesn't work.

If I connect directly to the FTP server using a client on the same lan everything works.

Any help very much appreciated.

Simon
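The transcript above stalls right after the client's PORT command is accepted, i.e. at the point where the server has to open the data connection back to whatever address the client announced. As an added example (not from the post and not part of the ftp-proxy plugin), here is a small decoder for the endpoints carried in PORT, 227 and 229 lines that flags the two things a NAT or proxy has to get right: the embedded address must match the address the peer is actually seen at, and it must be routable from the remote side. The transcript is constructed; 10.0.0.5, 159.8.2.2, 159.8.1.1 and 192.168.1.10 are placeholder addresses, and the rule that refuses privileged ports is an ordinary FTP-bounce precaution, not something the post describes.

```python
import ipaddress
import re

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def decode_endpoint(line, control_peer):
    """Return (mode, host, port) announced by a PORT command or a 227/229 reply.

    'active'  -> the server must connect out to host:port (client's PORT).
    'passive' -> the client must connect to host:port (server's 227/229).
    A 229 reply carries only a port, so its host is the control-connection peer.
    Returns None for lines that do not set up a data channel.
    """
    m = _PORT_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        return "active", host, int(m.group(5)) * 256 + int(m.group(6))
    m = _PASV_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        return "passive", host, int(m.group(5)) * 256 + int(m.group(6))
    m = _EPSV_RE.match(line)
    if m:
        return "passive", control_peer, int(m.group(1))
    return None


def assess(line, control_peer):
    """Judge whether the announced data endpoint is usable from the other side.

    control_peer is the address the announcing party is seen at on the control
    connection, after any NAT. A mismatch means something forwarded the control
    channel but did not rewrite the embedded address, which is the situation
    in which a listing hangs after '200 PORT command successful'.
    """
    ep = decode_endpoint(line, control_peer)
    if ep is None:
        return {"mode": None, "host": None, "port": None, "ok": True, "problems": []}
    mode, host, port = ep
    announced = ipaddress.ip_address(host)
    peer = ipaddress.ip_address(control_peer)
    problems = []
    if host != control_peer:
        problems.append(f"announced {host} but control peer is {control_peer} (address not rewritten)")
    if peer.is_global and not announced.is_global:
        problems.append(f"{host} is not reachable from a remote peer")
    if port < 1024:
        problems.append(f"port {port} is privileged; refuse it (classic FTP bounce)")
    return {"mode": mode, "host": host, "port": port, "ok": not problems, "problems": problems}


# Constructed transcript: a client at 10.0.0.5 behind NAT (seen by the server as
# 159.8.2.2) issues PORT; then the passive replies a server at 159.8.1.1 might send.
SAMPLE_EXCHANGE = [
    ("client", "PORT 10,0,0,5,228,89", "159.8.2.2"),
    ("server", "227 Entering Passive Mode (159,8,1,1,195,80).", "159.8.1.1"),
    ("server", "229 Entering Extended Passive Mode (|||50000|)", "159.8.1.1"),
    ("server", "227 Entering Passive Mode (192,168,1,10,195,80).", "159.8.1.1"),  # unrewritten internal IP
]

if __name__ == "__main__":
    for who, line, peer in SAMPLE_EXCHANGE:
        print(f"{who:6} {line:50} -> {assess(line, peer)}")
```

The first sample line is the case from the transcript: the server is told to connect back to a private address it cannot reach, so the data channel never opens and the control channel eventually times out with 421. The fourth shows the mirror-image failure for a server behind NAT whose 227 reply still carries its internal address.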
#5
Hey Folks,

I'm just setting up a small VM server for a gaming convention, nothing I haven't already done, but for the life of me I can't seem to get this simple thing working.

So the system is as follows.

XenServer 7.0 on an HP DL380 G5 (Xeon L5420)
2 NICs (1 dedicated to management, 1 VM trunk) + 1 'Internal' network hosted within the XenServer

2 VMs:
1/ Debian Jessie running an SSH server, 1 NIC connected to the 'internal' network.
2/ OPNsense 16.1 (also tried 16.7), 2 NICs (1 x trunk, 1 x 'internal')

TOE disabled on ALL virtual and physical NICs on the XenServer and also within the OPNsense VM itself.

network plan:
<Client> ----- <trunk net 172.16.10.0/24> ----- < Nic1 Firewall VM Nic2> ------- <Internal Net 192.168.111.0/24> ----- <Debian server>

Default install of OPNsense, no mods to rules / NAT etc.

So all I want to do is set up a simple port forward from the external NIC 1 of the FW, port 22, to the same port on the internal Debian server, but it simply doesn't work.

The WAN (NIC 1) on the FW has block private networks turned OFF.
1 Port Forward rule, auto FW rule.
I've tried adding a 2nd Virtual IP to the WAN

Looking at the FW logs the traffic is 'passed' by the FW; running tcpdump on the Debian server I can see the incoming request and the reply.

The state table of the firewall shows two entries:

ALL TCP 192.168.111.100 (172.16.10.90) <- 172.16.10.112:58457 SYN_SENT:ESTABLISHED
ALL TCP 172.16.10.112:58457 -> 192.168.111.100:22 ESTABLISHED:SYN_SENT

The state entries stay like this until purged from the table, i.e. the 3-way handshake never completes.

I already have pretty much exactly this configuration (the WAN is a public IP subnet, but other than that it's the same) up and running on my main home VM platform with no issues, so I know it can work.

So, thinking there must be a VM host platform issue or a switch issue (this is a new server for just this job, after all), I checked everything a dozen times over and couldn't find a problem. Out of desperation I built a new VM, this time installing a Linux-based UTM/firewall platform (Sophos/Astaro UTM). Using this software with the exact same VM guest configuration for NICs/disks/IPs etc., everything works first time and I can access the server's SSH instance from the client.

I've tried 16.7 with no luck; totally flummoxed. Suggestions?

About to try an alternate VM platform, but as I say it works perfectly on my home server.
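The two state entries quoted above say more than "stuck": in pf's TCP tracker the initiator's side is marked ESTABLISHED once the responder's SYN-ACK has been seen, and the responder's side only once the initiator's final ACK has been seen, so an ESTABLISHED:SYN_SENT pair (initiator first) means the SYN and the SYN-ACK both crossed the firewall and the third packet never did. As an added example (not from the post and not OPNsense code), here is a parser for lines in that format that normalises the `->` / `<-` display into initiator/responder and names the handshake stage each state is stuck at. The reading of pf's state transitions is mine; check it against the pf version you run. The sample text is the two lines from the post, and the ports on the left of the first line were not shown there, so they are optional.

```python
import re

# One pfctl -ss style line: iface proto left [(nat-side)] -> or <- right lstate:rstate
_STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<nat>[^)]+)\))?\s+"
    r"(?P<dir><-|->)\s+(?P<right>\S+)\s+"
    r"(?P<ls>[A-Z_0-9]+):(?P<rs>[A-Z_0-9]+)\s*$"
)

# The two entries quoted in the post.
SAMPLE_STATES = """\
ALL TCP 192.168.111.100 (172.16.10.90) <- 172.16.10.112:58457 SYN_SENT:ESTABLISHED
ALL TCP 172.16.10.112:58457 -> 192.168.111.100:22 ESTABLISHED:SYN_SENT
"""


def parse_state(line):
    """Parse one state line into a dict with initiator/responder made explicit.

    pf prints the initiator on the left for '->' and on the right for '<-', and
    prints the state pair in the same left:right order, so both are swapped
    together. The parenthesised address is the other side of the NAT mapping.
    """
    m = _STATE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["dir"] == "->":
        init, resp, init_state, resp_state = d["left"], d["right"], d["ls"], d["rs"]
    else:
        init, resp, init_state, resp_state = d["right"], d["left"], d["rs"], d["ls"]
    return {
        "iface": d["iface"],
        "proto": d["proto"].lower(),
        "initiator": init,
        "responder": resp,
        "nat": d["nat"],
        "initiator_state": init_state,
        "responder_state": resp_state,
    }


def handshake_stage(init_state, resp_state):
    """Name the point a TCP state pair (initiator first) has reached in pf's tracker.

    Assumption (my reading of pf): the initiator becomes ESTABLISHED when the
    SYN-ACK is seen, the responder when the final ACK is seen.
    """
    pair = (init_state, resp_state)
    if pair == ("ESTABLISHED", "ESTABLISHED"):
        return "complete"
    if pair == ("SYN_SENT", "CLOSED"):
        return "syn-only"        # SYN passed, no SYN-ACK ever came back through pf
    if pair == ("ESTABLISHED", "SYN_SENT"):
        return "no-final-ack"    # SYN and SYN-ACK passed, the third packet was never seen
    if any(s in pair for s in ("CLOSING", "FIN_WAIT_2", "TIME_WAIT", "CLOSED")):
        return "closing"
    return "other"


def analyse(text):
    """Classify every TCP state line in `text`; non-TCP and unparsable lines are skipped."""
    results = []
    for line in text.splitlines():
        st = parse_state(line)
        if st is None or st["proto"] != "tcp":
            continue
        st["stage"] = handshake_stage(st["initiator_state"], st["responder_state"])
        results.append(st)
    return results


if __name__ == "__main__":
    for st in analyse(SAMPLE_STATES):
        print(f"{st['initiator']} -> {st['responder']} nat={st['nat']}: {st['stage']}")
```

Both quoted entries classify as "no-final-ack", which is consistent with the tcpdump observation that the Debian side saw the SYN and sent its reply: the thing to chase is why the client's ACK (or anything after the SYN-ACK) is not making it back through the firewall, rather than the forward rule itself.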
#6
Hi Folks,

My first post :)

Firstly many thanks to the devs for a fantastic firewall platform!

OK, my problem: I've been running 16.1.x for some time now under XenServer 6.5 and latterly 7.0, and it's been working like a charm.

This morning I upgraded from 16.1.20 to 16.7, everything appeared to go well and the dashboard now reports:

OPNsense 16.7-amd64
FreeBSD 10.3-RELEASE-p5
OpenSSL 1.0.2h 3 May 2016

However, I have a problem in that Suricata no longer runs; it crashes shortly after starting.

My config is as follows:

IDS is 'enabled' and IPS mode turned on.

I have one monitor interface defined, 'WAN', which is a standard Ethernet port with a static IP address.

Pattern matcher is AHO

As far as rules go, I have the following rules enabled.

%YAML 1.1
---
rule-files:
- compromised.rules
- emerging-exploit.rules
- modbus-events.rules
- smtp-events.rules
- dns-events.rules
- emerging-malware.rules
- app-layer-events.rules
- OPNsense.rules
- emerging-pop3.rules
- emerging-scan.rules
- emerging-trojan.rules
- emerging-web_client.rules
- emerging-web_server.rules
- abuse.ch.sslblacklist.rules
- abuse.ch.sslipblacklist.rules
- abuse.ch.dyre_sslipblacklist.rules
- abuse.ch.feodotracker.rules

If I manually start Suricata from the command line I get the following:

root@XEN-FW: # /usr/local/bin/suricata --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
28/7/2016 -- 11:37:09 - <Info> - Including configuration file installed_rules.yaml.
Illegal instruction (core dumped)

I have tried disabling all the user-selectable rules with no success.

root@XEN-FW:/var/log # cat suricata.log
28/7/2016 -- 11:37:09 - <Notice> - This is Suricata version 3.1.1 RELEASE
28/7/2016 -- 11:37:16 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.

dmesg:

pid 80601 (suricata), uid 0: exited on signal 4 (core dumped)
125.869766 [ 798] generic_netmap_dtor       Restored native NA 0
236.646486 [ 266] generic_find_num_desc     called, in tx 1024 rx 1024
236.659997 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
236.673112 [ 798] generic_netmap_dtor       Restored native NA 0
236.688968 [ 266] generic_find_num_desc     called, in tx 1024 rx 1024
236.702597 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
236.716042 [ 798] generic_netmap_dtor       Restored native NA 0
236.729174 [ 266] generic_find_num_desc     called, in tx 1024 rx 1024
236.742635 [ 274] generic_find_num_queues   called, in txq 0 rxq 0

Any help greatly appreciated :)