Topics - Taomyn

1
24.7 Production Series / [SOLVED] CPU temp increase since 24.7.8
« on: November 07, 2024, 11:32:35 am »
After upgrading from 24.7.7 to 24.7.8, the CPU temp of the Proxmox host that OPNsense runs on has increased a fair bit. Has anyone else seen this?


It's still within an acceptable range but it's never been like this for all the time I've been running it as a VM. There are a couple of other very small containers on the same host, but even when I shut them down the temperature doesn't change. It's also a passively cooled unit so I'd rather it was back to previous temperatures.

2
24.1 Legacy Series / Delete old OpenVPN interface under Firewall Rules
« on: April 24, 2024, 09:49:41 am »
I was tidying up a few things on the firewall rules and noticed it still listed OpenVPN as an interface with a single disabled rule. I stopped using OpenVPN back when WireGuard was introduced and there are no OpenVPN instances or any settings in the VPN section for it. Yet this interface and rule remain.


I think I can delete the rule, but how can I delete the interface? It doesn't show up anywhere under "Interfaces" either, only under "Firewall, Rules".

3
24.1 Legacy Series / NUT will not start
« on: February 08, 2024, 09:53:02 am »
I did try this with v23 but waited for the v24 upgrade to see if anything in that would fix the problem, but I cannot get the NUT service to start after configuring the usbhid driver. When it starts all I see is:


Code:
root@bart:/usr/local/etc/rc.d # ./nut start
Network UPS Tools - UPS driver controller 2.8.1
Network UPS Tools - Generic HID driver 0.52 (2.8.1)
USB communication driver (libusb 1.0) 0.46
interrupt pipe disabled (add 'pollonly' flag to 'ups.conf' to get rid of this message)
Can't claim USB device [051d:0003]@0/0: Other error
upsnotify: failed to notify about state 4: no notification tech defined, will not spam more about it
Driver failed to start (exit status=1)
./nut: WARNING: failed precmd routine for nut


The USB device is definitely showing when it gets connected, and the device above is correct for the UPS (an APC Smart-UPS). I have also tested the UPS on both a Windows PC and another Linux machine and they both worked, but I need this UPS to be connected to the firewall under the control of OPNsense.






4
23.7 Legacy Series / [Solved] Permission error with os-lldpd
« on: December 18, 2023, 02:53:27 pm »
I was checking the logs when I noticed the following:

Code:
2023-12-18T14:46:06
[Warning]
lldpd   unable to create /var/empty/etc directory: Operation not permitted


I tried uninstalling and reinstalling the plugin but it's still the same - wondering if this is why it cannot detect any neighbours. Would manually creating this folder help?



OPNsense 23.7.10_1-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

5
General Discussion / Backup to Nextcloud no longer working
« on: November 29, 2023, 05:52:12 pm »
After rebuilding my firewall and importing my old config, I have noticed for many months that the backup to my Nextcloud server is no longer working. My fault for not keeping an eye on it and fortunate I had exported settings manually beforehand, but I looked at the firewall logs and I'm seeing this:



Code:
2023-11-29T17:40:58 Error php-cgi Check Nextcloud configuration parameters
2023-11-29T17:40:58 Error php-cgi {"url":"https:\/\/nextcloud.mydomain.com\/remote.php\/dav\/files\/ferd\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":20,"redirect_count":0,"total_time":0.014606,"namelookup_time":0.001385,"connect_time":0.002656,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.1.70","certinfo":[],"primary_port":443,"local_ip":"192.168.1.1","local_port":36218,"http_version":0,"protocol":2,"ssl_verifyresult":0,"scheme":"HTTPS","appconnect_time_us":0,"connect_time_us":2656,"namelookup_time_us":1385,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":14606,"effective_method":"PROPFIND"}
2023-11-29T17:40:58 Error php-cgi Error while fetching filelist from Nextcloud '/.' path
2023-11-29T17:40:58 Error php-cgi {"url":"https:\/\/nextcloud.mydomain.com\/remote.php\/dav\/files\/ferd\/","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":20,"redirect_count":0,"total_time":0.014942,"namelookup_time":0.001351,"connect_time":0.002172,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.1.70","certinfo":[],"primary_port":443,"local_ip":"192.168.1.1","local_port":30182,"http_version":0,"protocol":2,"ssl_verifyresult":0,"scheme":"HTTPS","appconnect_time_us":0,"connect_time_us":2172,"namelookup_time_us":1351,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":14942,"effective_method":"PROPFIND"}
2023-11-29T17:40:58 Error php-cgi Error while fetching filelist from Nextcloud '/.' path
2023-11-29T17:40:58 Error php-cgi {"url":"https:\/\/nextcloud.mydomain.com\/ocs\/v1.php\/cloud\/user","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":20,"redirect_count":0,"total_time":0.015546,"namelookup_time":0.001167,"connect_time":0.002836,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.1.70","certinfo":[],"primary_port":443,"local_ip":"192.168.1.1","local_port":9636,"http_version":0,"protocol":2,"ssl_verifyresult":0,"scheme":"HTTPS","appconnect_time_us":0,"connect_time_us":2836,"namelookup_time_us":1167,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":15546,"effective_method":"GET"}
2023-11-29T17:40:58 Error php-cgi Cannot get real username


The Nextcloud server is on my local LAN but can be reached externally as well via HAProxy. Running a ping from terminal on the firewall it returns the internal IP of the server so it should be connecting directly and not being proxied. On the Nextcloud server itself nothing seems to be logged, which is strange as well.


Any ideas? I did see another similar thread back in August with the same issue reported, but I'm not connecting via a reverse-proxy in my case as mentioned.



OPNsense 23.7.9-amd64
FreeBSD 13.2-RELEASE-p5
OpenSSL 1.1.1w
Nextcloud 27.1.4

6
Intrusion Detection and Prevention / Factory reset Intrusion Detection
« on: September 20, 2023, 11:45:17 am »
Over time I've messed with the Intrusion Detection system in OPNsense, but I don't think I've ever got the hang of it and it's become a mess. It's disabled for now but I really want to start over with a fresh config and get it right.


How can I factory reset Intrusion Detection to what it would have been for a fresh installation of OPNsense?

7
Intrusion Detection and Prevention / How do I exclude a VLAN from IDS/IPS?
« on: March 22, 2023, 09:03:31 am »
I have IDS/IPS set to scan two physical networks, LAN and Guest, and this seems to be fine, however on LAN I have a VLAN that I need to be excluded from IPS.


How can I tell it to ignore just the VLAN traffic?

8
23.1 Legacy Series / Upgrade vs Clean Install
« on: January 30, 2023, 10:07:12 am »
I'm debating doing a fresh install of OPNsense of v23.1 rather than upgrading from v22.7 but I'm wondering if it's worth it.


I don't recall what version my install started at but it's been pretty reliable, though one thing that's been on my mind is that it's still running on UFS with the new default being ZFS. Is it worth a clean upgrade just to get on ZFS or should I wait until I am forced e.g. new hardware or total loss?


The thing that holds me back is recreating all the "custom" stuff that isn't backed up normally e.g. I have scripts that execute speed tests against 5 servers, some custom commands for Unbound and who knows how many other tweaks I have probably forgotten about. I'd be installing to a new drive so getting anything back shouldn't be too difficult, just a pain, also fully reverting will be simple.


Also, is it just a case of backing up the current installation, copying that to a USB drive then pointing the installer to that file?

9
22.7 Legacy Series / [Solved] How to choose EU or Europe for GeoIP?
« on: September 27, 2022, 07:22:14 pm »
Hi,


I've been trying to figure out why some external connections, in this case from Google, are being blocked when their IP is, or so I thought according to my usual whois look-ups, in the US, but the USA is in my list of allowed countries.


I then looked up the same IP at Maxmind, where I get my GeoIP data and they don't have it as a US IP but as one from Europe and US, but not a specific country in Europe.


This is the address block of the IP:


Code:
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
66.249.81.0/25,6255148,6252001,,0,0


According to the country lookup in the file from Maxmind that's:
Code:
6255148,en,EU,Europe,,,0
6252001,en,NA,"North America",US,"United States",0

See the attached for what their website returns


So how do I set this in the firewall alias, as there's no EU or Europe as a single choice other than all the separate countries? Is there any way to debug/test the GeoIP check from the GUI or the console? I'd like to see how the firewall is interpreting the location it looks up.

10
22.1 Legacy Series / VLAN fails if I set Hardware Filtering to "Leave default"
« on: August 18, 2022, 09:34:09 pm »
Still running 22.1.10_4-amd64 as I'm having issues preparing my VLANs for the upgrade - I've made sure to create the parent entry for one which is missing, after which I rebooted and all was well. Then I set "VLAN Hardware Filtering" to "Leave default" as I have seen recommended in the 22.7 forum, but after a reboot the VLAN stops accepting traffic in any direction. At this point the only way to get it back is to set the parent interface's override to "Disable VLAN Hardware Filtering" and all starts working again. So to recap, I have it set to "Leave default" for global, and "Disable VLAN hardware Filtering" just on the parent interface. I have also tried deleting and recreating the VLAN but that made no difference.



The interfaces in question are the main LAN and my DMZ running over it - the WAN was the interface I needed to add a parent entry to as it's a PPPoE connection to my ISP i.e. another VLAN and somehow got missed a while back.


I'm concerned even if I temporarily revert the "Disable VLAN Hardware Filtering" to "Leave default" that after the upgrade to 22.7 it won't come back to life even if I set it back again. I don't relish having to rebuild the whole firewall which is a physical box to revert back to 22.1.

11
General Discussion / Create alias based on MX records
« on: August 03, 2022, 10:35:48 am »
Is it possible to create a firewall alias that is based on the IPs from the MX records of the domain I set?


I want to block just the mail servers of a few annoying providers that seem to constantly try to test my mail server.

12
General Discussion / Enable version display for HAProxy stats page
« on: June 30, 2022, 02:30:12 pm »

Is there a way to override the default setting for HAProxy that hides the version number? I'd like my Zabbix server to be able to get the information:


Code:
listen  remote_statistics
    bind            192.168.1.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats hide-version
    acl auth_ok http_auth(stats_auth)
    stats http-request allow if auth_ok
    stats http-request auth realm HAProxy\ statistics


There's no "stats show-version" that I can place in the custom options box, and the only one that may work is "stats enable" but that sets everything to default which I think could break things.

13
21.7 Legacy Series / Unable to use MAC alias in another MAC alias that is a group of MACs
« on: January 05, 2022, 09:37:51 am »
Is this a bug or a feature that I need to request?


I have a MAC address alias made up of 3 MAC addresses and I wanted to make it easier to know which was which device. I created a separate MAC address alias for a device and then attempted to add that alias to the grouped alias - it throws an error "Entry .... is not a valid (partial) MAC address", see the attached screen shot.


Perhaps there's a better way to do this.

14
21.7 Legacy Series / Recommendation for using extra disk space
« on: October 13, 2021, 05:49:58 pm »
I've just had to replace the SSD in my firewall as I wanted the smaller drive for another machine where the larger spare I had would have been total overkill (it's for a Raspberry Pi). It's probably more than I need for the firewall but it's better than what my RPI will be i.e. just for Pi-Hole.


Now that it's replaced I have a lot of extra space and was wondering what best to do with it. Do I simply expand the main partition or can I use it for something else? E.g. expand the boot partition or maybe somehow convert to ZFS.

15
21.7 Legacy Series / How to test Google Drive configuration backups
« on: October 11, 2021, 04:03:00 pm »
What's the best way to test that the Google Backup config backups I have been creating for several years are actually fine? It's such a long time since I set it up and also not sure if I have the original key file to decode them after a complete loss of the firewall.
