Topics - ejprice

#1
22.1 Legacy Series / How to switch HBA driver?
July 08, 2022, 06:34:25 PM
Greetings everyone!

We're running OPNsense on a Dell T340 with a PERC H730 controller. OPNsense is giving some hardware errors with the mfi driver.

mfi0: I/O error, cmd=0xfffffe00d9307540, status=0x3c, scsi_status=0
mfi0: sense error 0, sense_key 0, asc 0, ascq 0


On 21.7, fixing it was as simple as adding mrsas_load="YES" to the /boot/loader.conf.local file, which resolved the issue.

The file still exists on the system after a command line upgrade to 22.1 - HOWEVER, FreeBSD/OPNsense is back to loading the mfi driver, causing the above error.

mfisyspd1 on mfi0
mfisyspd1: 457862MB (937703088 sectors) SYSPD volume (deviceid: 1)
mfisyspd1:  SYSPD volume attached
mfi0: 9143726 (boot + 28s/0x0002/info) - Inserted: PD 20(c None/p1) Info: enclPd=20, scsiType=d, portMap=00, sasAddr=53cea0f09900f200,0000000000000000
mfi0: 9143727 (boot + 28s/0x0002/info) - Inserted: PD 00(e0x20/s0)
mfi0: 9143728 (boot + 28s/0x0002/info) - Inserted: PD 00(e0x20/s0) Info: enclPd=20, scsiType=0, portMap=00, sasAddr=4433221106000000,0000000000000000
mfi0: 9143729 (boot + 28s/0x0002/info) - Inserted: PD 01(e0x20/s1)
mfi0: 9143730 (boot + 28s/0x0002/info) - Inserted: PD 01(e0x20/s1) Info: enclPd=20, scsiType=0, portMap=01, sasAddr=4433221107000000,0000000000000000
mfi0: 9143731 (boot + 28s/0x0020/info) - Controller operating temperature within normal range, full operation restored
mfi0: 9143732 (710612434s/0x0020/info) - Time established as 07/08/22 16:20:34; (28 seconds since power on)
mfi0: 9143733 (710612471s/0x0020/info) - Host driver is loaded and operational
Trying to mount root from zfs:zroot/ROOT/default []...



Does anyone know how to force the loading of the mrsas driver over the mfi driver?

Thanks in advance!
#2
18.7 Legacy Series / Empty /var/log/flowd.log
October 31, 2018, 02:50:17 PM
Greetings!

I have just completed a fresh install on new hardware, updated to 18.7.6, then restored my config using the web UI. For some reason flowd does not appear to be writing data to /var/log/flowd.log.

I have started flowd from the shell in the foreground:

root@hades:/var/netflow # flowd -d
read_config: entering
child_get_config: entering
drop_privs: dropping privs without chroot
send_config: entering fd = 4
send_config: done
child_get_config: child config done
recv_config: entering fd = 3
recv_config: ready to receive config
Listener for [127.0.0.1]:2056 fd = 3
Adjusted socket receive buffer from 42080 to 524288
Setting socket send buf to 1024
privsep_init: entering
drop_privs: dropping privs with chroot
init_pfd: entering (num_fds = 0)
init_pfd: done (num_fds = 2)
client_open_log: entering
answer_open_log: entering
^Cprivsep_master: child exited
flowd_mainloop: monitor closed
Exiting on signal 2


I've removed the file and allowed flowd to recreate it, but still nothing.

Any pointers would be appreciated.

Thanks in advance!
#3
17.1 Legacy Series / Suricata using only one core
March 03, 2017, 04:55:36 AM
Forgive my newbieness, but it appears to me that Suricata, while being multithreaded, is only using one core on my OPNsense box. I noticed this while doing multiple downloads of large files simultaneously.

I initially noticed it because I wanted to check the load on my new OPNsense firewall. After running 'top' from the shell I noticed one CPU running Suricata was pinned at 100% while the other was relatively idle. I then did some checking about Suricata to see if it was multithreaded or multiprocess. It claims to be multithreaded. I tried the downloads again, same behavior, so I put 'top' into threads mode. Sure enough, multiple threads, but the ones under load were running on the same core.

I don't believe this is the correct or expected behavior for a multithreaded application.

System in question is OPNsense 17.1.2 running on an x86_64 Core 2 Duo with 2 GB RAM and an SSD drive.

Steps to reproduce:

1) Download multiple streams of "stuff" at a sufficiently high download speed

2) Run top or something else to watch the load on the system. Press "H" to view all the threads under load running on one core (there were other Suricata threads but with little to no CPU time).

Can anyone else confirm this behavior?
#4
Hi folks,

I've been trying to set up a site-to-site tunnel with OpenVPN on both 16.7 and 17.1 to no avail. I have the actual tunnel connecting just fine. I have an additional OpenVPN server service running on the same OPNsense system for remote clients, and that is working also. The site-to-site tunnel is pingable from the OPNsense firewalls. The firewalls themselves can ping remote hosts on the respective networks.

Here is the setup:

Home (client) network: 192.168.64.0/24
Work (server) networks: 192.168.29.0/24;172.16.29.0/24
OpenVPN network: 10.0.100.0/24

It seems like a routing problem; however, when I check the routes on both OPNsense boxes, they look right.

Home (client)
ejprice@hades:~ % netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            148.74.168.1       UGS        bge1
10.0.10.0/24       10.0.100.1         UGS      ovpnc1
10.0.100.0/24      10.0.100.1         UGS      ovpnc1
10.0.100.1         link#10            UH       ovpnc1
10.0.100.2         link#10            UHS         lo0
127.0.0.1          link#7             UH          lo0
148.74.168.0/21    link#2             U          bge1
148.74.175.197     link#2             UHS         lo0
167.206.13.180     00:0a:f7:13:24:25  UHS        bge1
167.206.13.181     00:0a:f7:13:24:25  UHS        bge1
172.16.29.0/24     10.0.100.1         UGS      ovpnc1
192.168.29.0/24    10.0.100.1         UGS      ovpnc1
192.168.64.0/24    link#1             U          bge0
192.168.64.1       link#1             UHS         lo0

Work (server)
ejprice@ppt-fw:~ % netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            24.187.203.129     UGS        igb0
10.0.10.0/24       10.0.10.2          UGS      ovpns1
10.0.10.1          link#9             UHS         lo0
10.0.10.2          link#9             UH       ovpns1
10.0.100.0/24      10.0.100.2         UGS      ovpns2
10.0.100.1         link#10            UHS         lo0
10.0.100.2         link#10            UH       ovpns2
24.187.203.128/29  link#1             U          igb0
24.187.203.130     link#1             UHS         lo0
24.187.203.131     link#1             UHS         lo0
24.187.203.133     link#1             UHS         lo0
127.0.0.1          link#6             UH          lo0
172.16.29.0/24     link#12            U      igb1_vla
172.16.29.254      link#12            UHS         lo0
192.168.29.0/24    link#2             U          igb1
192.168.29.251     link#2             UHS         lo0
192.168.64.0/24    10.0.100.2         UGS      ovpns2
192.168.100.0/24   link#4             U          igb3
192.168.100.1      link#4             UHS         lo0

I have tried both network topology settings. Currently, the server is set to topology subnet, but I tried net30. I have no preference here; I just want it to work :)

Any help would be appreciated. I've been beating my head against this for a week now.

Cheers!
Ean
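As an added example (not part of the original post), the following Python script parses the two `netstat -rn` tables shown above, copied inline and trimmed to the tunnel-relevant rows, and performs the same check the post does by eye: a longest-prefix lookup of a host in each remote network on each side, confirming that the kernel would send it out the OpenVPN interface (ovpnc1 at home, ovpns2 at work) rather than the default route. Interface names and networks are the ones from the post.

```python
import ipaddress

# Routing tables copied from the post above, trimmed to the lines that matter here.
HOME_ROUTES = """\
default            148.74.168.1       UGS        bge1
10.0.100.0/24      10.0.100.1         UGS      ovpnc1
172.16.29.0/24     10.0.100.1         UGS      ovpnc1
192.168.29.0/24    10.0.100.1         UGS      ovpnc1
192.168.64.0/24    link#1             U          bge0
"""
WORK_ROUTES = """\
default            24.187.203.129     UGS        igb0
10.0.100.0/24      10.0.100.2         UGS      ovpns2
172.16.29.0/24     link#12            U      igb1_vla
192.168.29.0/24    link#2             U          igb1
192.168.64.0/24    10.0.100.2         UGS      ovpns2
"""

def parse_routes(text):
    """Parse FreeBSD `netstat -rn` rows into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Destination", "Routing", "Internet:"):
            continue  # header lines, when a full netstat dump is pasted in
        dest, gw, flags, netif = parts[:4]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append((net, gw, flags, netif))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, the same rule the kernel applies; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def check_site_to_site(home_routes, work_routes, home_nets, work_nets, home_if, work_if):
    """List every remote network that a side would NOT send through its tunnel interface."""
    problems = []
    for side, routes, remote_nets, tun_if in (("home", home_routes, work_nets, home_if),
                                              ("work", work_routes, home_nets, work_if)):
        for net in remote_nets:
            probe = str(next(ipaddress.ip_network(net).hosts()))  # first host of the net
            r = lookup(routes, probe)
            via = r[3] if r else "no route"
            if via != tun_if:
                problems.append(f"{side}: {net} goes via {via}, expected {tun_if}")
    return problems
```

For the tables in the post, `check_site_to_site` returns an empty list in both directions, which means the kernel routing tables are not where the problem lies.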
#5
Hi folks,

I'm setting up a brand new 17.1 server. I have configured LDAP and the users are testable in /diag_authentication.php

However, the import user icon is not showing up on the /system_usermanager.php.

So I went directly to the /system_usermanager_import_ldap.php which tells me "Could not connect to the LDAP server. Please check your LDAP configuration."

The OPNsense server is bound to the LDAP server and I see the queries returning data when I use /diag_authentication.php, so it seems unlikely to me that there is a connection issue. I used the same setup in 16.7 with no issues.

Lastly, I have added the patch for the CSRF errors because I couldn't add the LDAP server without the patch. I don't know if this is somehow related but I figured I should mention it.

Thanks in advance!
Ean
#6
Hi folks,

I've just completed an upgrade from 16.7 to 17.1 and it seems pkg is broken. Here is the output I'm getting:

Shared object "libssl.so.7" not found, required by "pkg"

So I tried to force it to reinstall with pkg-static:
pkg-static install -f pkg

pkg-static: Warning: Major OS version upgrade detected.  Running "pkg-static install -f pkg" recommended
Updating OPNsense repository catalogue...
pkg-static: http://mirrors.nycbug.org/pub/opnsense/FreeBSD:11:amd64/17.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg-static: http://mirrors.nycbug.org/pub/opnsense/FreeBSD:11:amd64/17.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
All repositories are up-to-date.
pkg-static: Repository OPNsense cannot be opened. 'pkg update' required

pkg-1.9.3_2 is locked and may not be modified

pkg-1.9.3_2 is locked and may not be modified

So far I've tried changing mirrors and doing an update with pkg-static, but I'm still stuck. Any ideas?

Thanks in advance!