1
Intrusion Detection and Prevention / IDS and VoIP Audio
« on: May 25, 2022, 03:48:57 pm »
Does anyone know of any particular IDS rules that will block VoIP call audio that I shouldn't enable?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1] 2
2
21.1 Legacy Series / RADIUS Error PHP 76
« on: March 30, 2021, 08:24:43 pm »I just started getting this error after updating today to .4
When using Microsoft Azure MFA through a local Windows RADIUS Server. Previously it would send an Approval popup to the Microsoft Authenticator app on my cell phone. Now it just logs me right in and then grabs this PHP error in the log.
PHP Errors:
[30-Mar-2021 14:16:59 America/New_York] PHP Fatal error: Uncaught Error: Call to undefined method OPNsense\Auth\Radius::getLastAuthErrors() in /usr/local/www/diag_authentication.php:76
Stack trace:
#0 {main}
thrown in /usr/local/www/diag_authentication.php on line 76
[30-Mar-2021 14:21:00 America/New_York] PHP Fatal error: Uncaught Error: Call to undefined method OPNsense\Auth\Radius::getLastAuthErrors() in /usr/local/www/diag_authentication.php:76
Stack trace:
#0 {main}
thrown in /usr/local/www/diag_authentication.php on line 76
3
20.7 Legacy Series / Resize OPNSense Partition
« on: September 22, 2020, 04:32:13 pm »Question about OPNSense Partition Expansion.
I have the paid Business Edition OPNSense and I deployed it to VMWware using the OVF Package.
However, the deployment has a small primary partition size.
If I resize the allocated partition size in vCenter. Is there a simple way to expand the partition size in the FreeBSD shell for OPNsense? Short of reinstalling everything including plug ins and reimporting config on a custom install.
4
20.7 Legacy Series / PHP Error phpDynDNS.inc
« on: September 17, 2020, 09:39:40 pm »
PHP Warning: Invalid argument supplied for foreach() in /usr/local/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc on line 838
I've been seeing this problem detected a lot lately.
I've been seeing this problem detected a lot lately.
5
20.7 Legacy Series / Crashing
« on: August 01, 2020, 05:15:17 am »I found I was getting kernel panics and reboots when either Sensei was running or Intrusion Detection was enabled on my VMWare ESXi 7 OPNSense VM with vmx drivers for ethernet.
I know the Sensei one seems to be known, but not sure on the known IDS one with vmx on vmware 7.
6
Tutorials and FAQs / High Availability (CARP) on vSphere 7
« on: June 19, 2020, 10:04:50 pm »I was just wondering if anyone has any good setup tutorials for an OPNSense HA Setup on vSphere 7?
If possible, can the CARP interface go over a local vSphere distributed switch without having to use a real physical interface?
7
19.1 Legacy Series / OpenVPN Client (As a Gateway) Connection Issues 18.7.10 -> 19.1.x
« on: April 02, 2019, 12:40:36 am »
Has anyone else noticed issues with utilizing an OpenVPN client in a multi-gateway setup (not redirecting all traffic) on any 19.1.x build of OPNSense? I have tried both a clean reinstall/rebuild and the usual upgrade with existing configuration with same result. There is a bug somewhere.
So here is my basic setup...
I have a VLAN 100 on my LAN... any device in this subnet goes out a Private Internet Access VPN Client GATEWAY that is running on OPNSense as a client. Others do this with a simple Alias for specific devices, regardless the principal setup is the same.
So from what I can tell on any build of 19.1.x (tried them all) and currently 19.1.4 this setup stops working.
Here is what I can see so far:
- OpenVPN client connects perfectly
- OpenVPN client obtains DHCP IP Address from VPN Server (Private Internet Access) and assigns an IP address to the OPNSense Firewall.
- There is an active interface on the firewall (OVPNC1) which then activates a DYNAMIC IPv4 Gateway for this connection... Monitor IP is set to Private Internet Access DNS Server: 209.222.18.218
- There are firewall rules for OpenVPN to allow Any Any
- There are firewall rules for the VLAN 100 interface to allow any traffic out Private Internet Access VPN Gateway.
- There are manual Outbound NAT Rules created
Somehow something is broken somewhere. If I go to ping interface diagnostics, chose the VLAN 100 or Private Internet Access Interfaces. Ping any address. It fails.
On the home screen dashboard, dpinger shows the gateway as down/offline. VPN connection is up perfectly.
- Makes no sense.
I feel this is an outbound NAT issue, but I am not sure where to dig deeper for troubleshooting other than modifying NAT rules, firewall rules, etc... which I have already played around with.
I attached some screenshots of it working perfectly on 18.7.10_4
Reference Topics:
https://forum.opnsense.org/index.php?topic=4979.msg52493#msg52493
https://forum.opnsense.org/index.php?topic=11843.msg53785#msg53785
https://blog.networkprofile.org/pia-vpn-on-pfsense-2-4-4/
So here is my basic setup...
I have a VLAN 100 on my LAN... any device in this subnet goes out a Private Internet Access VPN Client GATEWAY that is running on OPNSense as a client. Others do this with a simple Alias for specific devices, regardless the principal setup is the same.
So from what I can tell on any build of 19.1.x (tried them all) and currently 19.1.4 this setup stops working.
Here is what I can see so far:
- OpenVPN client connects perfectly
- OpenVPN client obtains DHCP IP Address from VPN Server (Private Internet Access) and assigns an IP address to the OPNSense Firewall.
- There is an active interface on the firewall (OVPNC1) which then activates a DYNAMIC IPv4 Gateway for this connection... Monitor IP is set to Private Internet Access DNS Server: 209.222.18.218
- There are firewall rules for OpenVPN to allow Any Any
- There are firewall rules for the VLAN 100 interface to allow any traffic out Private Internet Access VPN Gateway.
- There are manual Outbound NAT Rules created
Somehow something is broken somewhere. If I go to ping interface diagnostics, chose the VLAN 100 or Private Internet Access Interfaces. Ping any address. It fails.
On the home screen dashboard, dpinger shows the gateway as down/offline. VPN connection is up perfectly.
- Makes no sense.
I feel this is an outbound NAT issue, but I am not sure where to dig deeper for troubleshooting other than modifying NAT rules, firewall rules, etc... which I have already played around with.
I attached some screenshots of it working perfectly on 18.7.10_4
Reference Topics:
https://forum.opnsense.org/index.php?topic=4979.msg52493#msg52493
https://forum.opnsense.org/index.php?topic=11843.msg53785#msg53785
https://blog.networkprofile.org/pia-vpn-on-pfsense-2-4-4/
8
18.7 Legacy Series / Hyper-V NIC PCI Passthrough (Not VSwitch)
« on: November 06, 2018, 03:14:01 am »
Hello all,
I was just wondering if anyone has attempted setting up OPNSense using real PCI Express passthrough of the NIC, to bypass the software virtual switch in Hyper-V environments. Which should treat OPNSense as if it was running on a metal box vs dealing with the Host Windows OS and Virtual Switch. Great for things like VLANs, intrusion detection and other plug-ins of that nature better suited with real NIC access.
I tried to do it this evening, but not without an error which may be driver related. However, I am not entirely sure and maybe someone can chime in with ideas.
FreeBSD 11.1 fully supports this type of PCI Passthrough/DDA on a Windows Server 2016+ Host OS w/Hyper-V:
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-FreeBSD-virtual-machines-on-Hyper-V
"With Windows Server 2016 administrators can pass through PCI Express devices via the Discrete Device Assignment mechanism. Common devices are network cards, graphics cards, and special storage devices. The virtual machine will require the appropriate driver to use the exposed hardware. The hardware must be assigned to the virtual machine for it to be used."
I used this as a guide, so I don't take credit for the base script:
https://blogs.technet.microsoft.com/heyscriptingguy/2016/07/14/passing-through-devices-to-hyper-v-vms-by-using-discrete-device-assignment/
Using that guide as a base and making modifications...
The entered Windows Server 2016 PowerShell commands were the following:
$vmName = 'OPNSense Firewall'
$vm = Get-VM -Name $vmName
$dev = "PCI\VEN_8086&DEV_1521&SUBSYS_50018086&REV_01\A0369#############"
^^^ CAN BE FOUND IN DEVICE MANAGER - PROPERTIES - DETAILS - DEVICE INSTANCE PATH PROPERTY - # = omitted information for privacy (just in case)
Disable-PnpDevice -InstanceId $dev -Confirm:$false
$locationPath = (Get-PnpDeviceProperty -KeyName DEVPKEY_Device_LocationPaths -InstanceId $dev).Data[0]
Dismount-VmHostAssignableDevice -LocationPath $locationPath -Force -Verbose
Add-VMAssignableDevice -VM $vm -LocationPath $locationPath -Verbose
Once this was done, the NIC appeared in OPNSense Console immediately and on reboot. However, due to issues with either the NIC, FreeBSD, OPNSense, or Kernel Drivers. I was unable to utilize this Intel I350 NIC Port as a direct PCI Passthrough WAN port for my testing purposes.
I had the following console output errors on OPNSense:
igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> at device 0.0 on pci0
igb0: Unable to map MSIX table
igb0: Using an MSI interrupt
igb0: Setup of Shared code failed
device_attach: igb0 attach returned 6
Has anyone seen these igb0 errors or have any information to resolve for the Intel I350 (with latest firmware)?
Not sure if this is Hyper-V pass-through related or OPNSense/FreeBSD Compatibility/Driver Issue.
FYI: Firmware being used on Intel I350 (Dell OEM) Version 18.5.18: https://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=3XJH0
Thanks in advance for any assistance or ideas!
- Dan
I was just wondering if anyone has attempted setting up OPNSense using real PCI Express passthrough of the NIC, to bypass the software virtual switch in Hyper-V environments. Which should treat OPNSense as if it was running on a metal box vs dealing with the Host Windows OS and Virtual Switch. Great for things like VLANs, intrusion detection and other plug-ins of that nature better suited with real NIC access.
I tried to do it this evening, but not without an error which may be driver related. However, I am not entirely sure and maybe someone can chime in with ideas.
FreeBSD 11.1 fully supports this type of PCI Passthrough/DDA on a Windows Server 2016+ Host OS w/Hyper-V:
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-FreeBSD-virtual-machines-on-Hyper-V
"With Windows Server 2016 administrators can pass through PCI Express devices via the Discrete Device Assignment mechanism. Common devices are network cards, graphics cards, and special storage devices. The virtual machine will require the appropriate driver to use the exposed hardware. The hardware must be assigned to the virtual machine for it to be used."
I used this as a guide, so I don't take credit for the base script:
https://blogs.technet.microsoft.com/heyscriptingguy/2016/07/14/passing-through-devices-to-hyper-v-vms-by-using-discrete-device-assignment/
Using that guide as a base and making modifications...
The entered Windows Server 2016 PowerShell commands were the following:
$vmName = 'OPNSense Firewall'
$vm = Get-VM -Name $vmName
$dev = "PCI\VEN_8086&DEV_1521&SUBSYS_50018086&REV_01\A0369#############"
^^^ CAN BE FOUND IN DEVICE MANAGER - PROPERTIES - DETAILS - DEVICE INSTANCE PATH PROPERTY - # = omitted information for privacy (just in case)
Disable-PnpDevice -InstanceId $dev -Confirm:$false
$locationPath = (Get-PnpDeviceProperty -KeyName DEVPKEY_Device_LocationPaths -InstanceId $dev).Data[0]
Dismount-VmHostAssignableDevice -LocationPath $locationPath -Force -Verbose
Add-VMAssignableDevice -VM $vm -LocationPath $locationPath -Verbose
Once this was done, the NIC appeared in OPNSense Console immediately and on reboot. However, due to issues with either the NIC, FreeBSD, OPNSense, or Kernel Drivers. I was unable to utilize this Intel I350 NIC Port as a direct PCI Passthrough WAN port for my testing purposes.
I had the following console output errors on OPNSense:
igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> at device 0.0 on pci0
igb0: Unable to map MSIX table
igb0: Using an MSI interrupt
igb0: Setup of Shared code failed
device_attach: igb0 attach returned 6
Has anyone seen these igb0 errors or have any information to resolve for the Intel I350 (with latest firmware)?
Not sure if this is Hyper-V pass-through related or OPNSense/FreeBSD Compatibility/Driver Issue.
FYI: Firmware being used on Intel I350 (Dell OEM) Version 18.5.18: https://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=3XJH0
Thanks in advance for any assistance or ideas!
- Dan
9
18.7 Legacy Series / 1:1 NAT using a WAN w/DHCP (Not Static)
« on: August 08, 2018, 09:43:41 pm »I know OPNSense supports using 1:1 NAT from an external WAN IP to an internal LAN IP.
However, does it support doing this with a DHCP WAN IP Address?
This WAN IP Address will be updated using a DynamicDNS Service - this not worried about it being DHCP vs Static.
If this is possible, what configuration steps are needed to accomplish this?
Thanks!
10
18.7 Legacy Series / [SOLVED] OpenVPN Client Error: --client-connect requires --mode server
« on: July 12, 2018, 02:02:20 am »
I decided to give the 18.7 r1 a try...
My OpenVPN servers are working perfectly....
However, my OpenVPN Client for Private Internet Access is not.
It will not connect, no configuration has changed and was working in 18.1.11.
The OpenVPN log shows the following:
Options error: --client-connect requires --mode server
client2.conf
dev ovpnc2
verb 4
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-client
cipher AES-256-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php client2"
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote us-newyorkcity.privateinternetaccess.com 501
auth-user-pass /var/etc/openvpn/client2.up
ca /var/etc/openvpn/client2.ca
comp-lzo no
passtos
route-nopull
resolv-retry infinite
reneg-sec 0
disable-occ
pull-filter ignore "auth-token"
topology net30
Any suggestions on how to resolve this?
- Dan
My OpenVPN servers are working perfectly....
However, my OpenVPN Client for Private Internet Access is not.
It will not connect, no configuration has changed and was working in 18.1.11.
The OpenVPN log shows the following:
Options error: --client-connect requires --mode server
client2.conf
dev ovpnc2
verb 4
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-client
cipher AES-256-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php client2"
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote us-newyorkcity.privateinternetaccess.com 501
auth-user-pass /var/etc/openvpn/client2.up
ca /var/etc/openvpn/client2.ca
comp-lzo no
passtos
route-nopull
resolv-retry infinite
reneg-sec 0
disable-occ
pull-filter ignore "auth-token"
topology net30
Any suggestions on how to resolve this?
- Dan
11
18.1 Legacy Series / Question on Random Errors I am seeing
« on: June 28, 2018, 10:47:35 pm »
Has anyone seen these errors and have any ideas on what causes/how to fix?
OPNsense 18.1.10-amd64
FreeBSD 11.1-RELEASE-p10
LibreSSL 2.6.5
Running on Hyper-V Gen 2 with 3 NICs (Intel I350)
PHP Warning: A non-numeric value encountered in /usr/local/etc/inc/filter.inc on line 467
opnsense: unable to dlopen /usr/local/lib/sasl2/libotp.so.3: /usr/local/lib/sasl2/libotp.so.3: Undefined symbol "EVP_MD_CTX_free"
opnsense: unable to dlopen /usr/local/lib/sasl2/libotp.so.3: /usr/local/lib/sasl2/libotp.so.3: Undefined symbol "EVP_MD_CTX_free"
opnsense: unable to dlopen /usr/local/lib/sasl2/libntlm.so.3: /usr/local/lib/sasl2/libntlm.so.3: Undefined symbol "HMAC_CTX_new"
opnsense: unable to dlopen /usr/local/lib/sasl2/libntlm.so.3: /usr/local/lib/sasl2/libntlm.so.3: Undefined symbol "HMAC_CTX_new"
Also I run into an issue where my WAN connection will randomly go down (Comcast) and I have to manually Go into interfaces, uncheck the box to disable, recheck the box to enable, then hit apply changes (basically forcing an interface reload) when the internet goes down. I notice it does this more often when I am using PrivateInternetAccess VPN frequently on its own separate Interface... Is there a Cron or script of sorts that can do this automatically if the Gateway checker apinger or now dpinger detects a failed gateway? I have already tried: supersede dhcp-server-identifier 255.255.255.255 but now I don't think it is a DHCP lease issue, although when I fix it, I generally have a different IP - especially if it was down for a couple hours without noticing.
Would calling /usr/local/etc/rc.newwanip do this for me?
OPNsense 18.1.10-amd64
FreeBSD 11.1-RELEASE-p10
LibreSSL 2.6.5
Running on Hyper-V Gen 2 with 3 NICs (Intel I350)
PHP Warning: A non-numeric value encountered in /usr/local/etc/inc/filter.inc on line 467
opnsense: unable to dlopen /usr/local/lib/sasl2/libotp.so.3: /usr/local/lib/sasl2/libotp.so.3: Undefined symbol "EVP_MD_CTX_free"
opnsense: unable to dlopen /usr/local/lib/sasl2/libotp.so.3: /usr/local/lib/sasl2/libotp.so.3: Undefined symbol "EVP_MD_CTX_free"
opnsense: unable to dlopen /usr/local/lib/sasl2/libntlm.so.3: /usr/local/lib/sasl2/libntlm.so.3: Undefined symbol "HMAC_CTX_new"
opnsense: unable to dlopen /usr/local/lib/sasl2/libntlm.so.3: /usr/local/lib/sasl2/libntlm.so.3: Undefined symbol "HMAC_CTX_new"
Also I run into an issue where my WAN connection will randomly go down (Comcast) and I have to manually Go into interfaces, uncheck the box to disable, recheck the box to enable, then hit apply changes (basically forcing an interface reload) when the internet goes down. I notice it does this more often when I am using PrivateInternetAccess VPN frequently on its own separate Interface... Is there a Cron or script of sorts that can do this automatically if the Gateway checker apinger or now dpinger detects a failed gateway? I have already tried: supersede dhcp-server-identifier 255.255.255.255 but now I don't think it is a DHCP lease issue, although when I fix it, I generally have a different IP - especially if it was down for a couple hours without noticing.
Would calling /usr/local/etc/rc.newwanip do this for me?
12
18.1 Legacy Series / WAN DHCP Lease Status
« on: February 22, 2018, 07:04:08 pm »
Is there a spot that shows the date and time a WAN DHCP release is up and will renew? I looked in the interfaces -> Overview section of the dashboard but didn't see anything.
Thanks
Thanks
13
18.1 Legacy Series / ACME - Let's Encrypt Client Certs
« on: February 05, 2018, 01:38:40 pm »Has anyone else on 18.1 had issues with issuing Let's Encrypt certs using the ACME plugin?
HTTP Challenge Type
First I had to change my OPNSense firewall HTTPS port from a custom one back to 443.
Then I originally had a multi domain (SAN) filled out with a few subdomains.
Whenever I issued the cert it would have validation failed.
However, when I edited the cert just to be the main domain with no SAN's, it completed successfully.
I never had this issue before and always had a full multi-domain cert on prior releases.
Notes: All the subdomains are just CNAME entries pointing to the main domain IP to resolve through DNS.
14
18.1 Legacy Series / Hyper-V Gen 2 VM Issues/Workarounds (Supported in Build 18.1/FreeBSD 11.1)
« on: February 02, 2018, 12:02:52 am »
Figured it would be good to have a thread for those specifically running build 18.1 in a Hyper-V Virtual Machine. In this case using the new Gen 2 support which is included in build 18.1 due to the upgrade to FreeBSD 11.1 as the core.
The first issue I noticed is on a clean install.
The installer launches, allows for selecting Keyboard and Display Type/Font
Hit Enter
Freezes on screen where the Guided Install selection is.
However, it is not actually frozen... CTRL+ALT+Delete will still command a shutdown/reboot.
I noticed a weird workaround... change the font/display selection to a really large font (first or section option if I remember correctly)... then go back and change it to the smaller Thin font option. It will mess up the wallpaper shown on the screen, but the menu options actually work and will install successfully.
- Feel Free to add to this or other issues, fixes, or workarounds for Hyper-V Gen 2 related discoveries. -
The first issue I noticed is on a clean install.
The installer launches, allows for selecting Keyboard and Display Type/Font
Hit Enter
Freezes on screen where the Guided Install selection is.
However, it is not actually frozen... CTRL+ALT+Delete will still command a shutdown/reboot.
I noticed a weird workaround... change the font/display selection to a really large font (first or section option if I remember correctly)... then go back and change it to the smaller Thin font option. It will mess up the wallpaper shown on the screen, but the menu options actually work and will install successfully.
- Feel Free to add to this or other issues, fixes, or workarounds for Hyper-V Gen 2 related discoveries. -
15
17.1 Legacy Series / IPv6 / DNS
« on: February 02, 2017, 05:03:30 am »
I updated to 17.1 this evening....
I am having 2 new issues, maybe someone could shine some light.
1. If I leave the DNS servers blank on System-> Settings -> General. Even with "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked... there are no DNS servers passed over to DHCP clients on the LAN using the DNS severs on the WAN interface.
2. IPv6 on Comcast... WAN has IPv6 address. I can ping from OPNSense web interface to ipv6 address. However no client on the LAN network can. It is set to "Track Interface" for IPv6 on LAN. Then WAN / 0 down below under Track Interface settings. I also noticed no IPv6 DNS servers are being passed over DHCP from the WAN address.
Just curious if anyone has any suggestions on what to try to fix these issues.
I am having 2 new issues, maybe someone could shine some light.
1. If I leave the DNS servers blank on System-> Settings -> General. Even with "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked... there are no DNS servers passed over to DHCP clients on the LAN using the DNS severs on the WAN interface.
2. IPv6 on Comcast... WAN has IPv6 address. I can ping from OPNSense web interface to ipv6 address. However no client on the LAN network can. It is set to "Track Interface" for IPv6 on LAN. Then WAN / 0 down below under Track Interface settings. I also noticed no IPv6 DNS servers are being passed over DHCP from the WAN address.
Just curious if anyone has any suggestions on what to try to fix these issues.
Pages: [1] 2