Topics - manuel

#1
I've been struggling with Suricata for quite a long time. I activated it again today for the first time in a long while, and I reckon it's not working properly. I'm sending all logs to pfelk and my Kibana log is empty. If I check the Alerts tab in Intrusion Detection --> Administration --> Alerts, the last log entries shown are from 2019.

My config looks like the following.

There are a lot of threads in this forum, and I also checked the OPNsense wiki. Could you please help me: where should I start?

Thank you for your help.

Regards Manuel

#2
21.1 Legacy Series / Zigzag CPU Load
May 19, 2021, 11:59:59 AM
Hello
I have collectd running on my OPNsense box, which is an apu2e4 with 4 cores (AMD Embedded G series GX-412TC) and 4GB RAM. As you can see in my Grafana graphs, there is a zigzag in the CPU usage. Normally the CPU load rises continuously over 2 or 3 days and then drops to 1%.

Does anybody know the reason for this or has made the same observation?

Thank you very much for a hint.

Greetings Manuel

#3
Hello
I managed to enable and disable a firewall alias through the API with Postman. Unfortunately, it seems that after this change a firewall reload is necessary. How can I do this through the API?

My goal is to enable/disable a firewall rule to block my kids' devices completely from accessing the internet. For this reason I created a firewall alias with all IPs of my kids' devices, and then I created a firewall rule using that alias as source.

I just want to enable/disable that rule or alias very quickly from my smartphone without accessing the web GUI. Any advice is very welcome.  ;)

Thank you for your help.

Greetings Manuel
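An added example for the question above (not code from the thread or from OPNsense): a short Python client that does the two steps in order, toggle the alias and then ask the firewall to apply the change. It assumes the OPNsense alias controller endpoints getAliasUUID, toggleItem and reconfigure (the last one is the "reload" step the toggle alone does not perform) and API key/secret sent as HTTP Basic auth; those paths and the alias name kids_devices are assumptions, not taken from the post. The HTTP transport is a replaceable function so the call sequence can be checked without a firewall.

```python
import base64
import json
import urllib.request

# Assumed OPNsense API paths (not from the post): the alias controller's
# getAliasUUID, toggleItem and reconfigure actions. reconfigure is the
# "apply/reload" step that makes a toggled alias take effect in pf.
LOOKUP_PATH = "/api/firewall/alias/getAliasUUID/{name}"
TOGGLE_PATH = "/api/firewall/alias/toggleItem/{uuid}/{enabled}"
APPLY_PATH = "/api/firewall/alias/reconfigure"


def basic_auth_header(key, secret):
    """OPNsense API credentials go in HTTP Basic auth: key as user, secret as password."""
    token = base64.b64encode(f"{key}:{secret}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def urllib_transport(method, url, headers):
    """Default transport: one HTTP request, JSON response. Swapped out in tests."""
    data = b"{}" if method == "POST" else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def set_alias_enabled(base_url, key, secret, alias_name, enabled, transport=urllib_transport):
    """Enable or disable one alias by name, then apply the change.

    Returns the responses plus the ordered list of (method, path) calls made,
    so a caller can confirm that reconfigure ran after the toggle.
    """
    headers = {
        "Authorization": basic_auth_header(key, secret),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    calls = []

    def call(method, path):
        response = transport(method, base_url.rstrip("/") + path, headers)
        calls.append((method, path))
        return response

    # 1. resolve the alias name to its UUID
    lookup = call("GET", LOOKUP_PATH.format(name=alias_name))
    uuid = lookup.get("uuid")
    if not uuid:
        raise LookupError(f"alias {alias_name!r} not found: {lookup}")

    # 2. flip the enabled flag, 3. apply so the firewall actually reloads the alias
    flag = "1" if enabled else "0"
    toggle = call("POST", TOGGLE_PATH.format(uuid=uuid, enabled=flag))
    applied = call("POST", APPLY_PATH)
    return {"uuid": uuid, "toggle": toggle, "reconfigure": applied, "calls": calls}


if __name__ == "__main__":
    import sys
    # usage: python toggle_alias.py https://firewall.example KEY SECRET kids_devices 0
    url, key, secret, name, flag = sys.argv[1:6]
    print(json.dumps(set_alias_enabled(url, key, secret, name, flag == "1"), indent=2))
```

Keep the API key in a file the phone-side script reads rather than in the command line, and give that key a dedicated OPNsense user with only the firewall alias privileges it needs, since anything holding it can reconfigure aliases.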

#4
Hello
I'm trying to set up a separate DMZ network (no DHCP). The goal is to have only internet access from this network. No access to the LAN from this new network at all. How can I achieve this? I tried to configure the FW according to the OPNsense how-to "Setup a guest network", but I can't resolve host names at all or browse the internet.

What is wrong with my fw rules?

Thank you very much for your help.

Manuel

#5
Hello
I'm still on 18.7.9 and Suricata 4.0.6. I followed the instructions on https://wiki.opnsense.org/manual/how-tos/ips-feodo.html and download all abuse.ch rules daily via cron. I also enabled them and changed the filter to drop. If I check my alerts, I can only find log entries with action allowed. I can't find a single blocked action. Strange.

Does my IPS really do its job? How can I test it and force a blocked action?

Thank you very much for your help.

Greetings,
Manuel

#6
Hello friends
I have two different OPNsense installations in two different locations, each on an apu2d4, which are both connected to a cable modem and the same provider. One box was updated to 18.7.10 automatically this Monday, 7th January. The second box still has 18.7.9 installed and is working fine.

After updating to 18.7.10 I no longer get an IP address on the WAN interface from my provider via DHCP. If I reboot the firewall and go to the dashboard, I can see an IP from my provider's range for a couple of seconds. After that, the IP is gone and I only have 0.0.0.0, and in the end there is no IP at all.

I rebooted opnsense several times and also my cable modem. No luck. I also tried to downgrade with

opnsense-revert -r 18.7.9 opnsense

but then I only get a

Fetching opnsense.txz: .. failed

I checked the release notes from 18.7.10. There are some changes in the code for the interfaces.

I attached my kernel message log and also some ifconfig commands. igb0 is my internal interface and igb1 for WAN.

Thank you very much for your help.

Regards Manuel

#7
18.7 Legacy Series / IDS and IPS
October 02, 2018, 09:29:42 AM
Hello
I enabled IPS/IDS according to the how-to "IPS SSLBlacklists & Feodo Tracker". I enabled all abuse.ch rulesets and set the filter to drop. If I check the alerts tab, I only see actions which were allowed. Do I have to edit each action manually and change the configured action from alert to drop?

2018-10-02T09:17:28.703243+0200   allowed   WAN   80.218.168.190   53516   23.205.182.44   443   SURICATA STREAM Last ACK with wrong seq   
2018-10-02T08:43:02.760728+0200   allowed   WAN   80.218.168.190   60441   203.119.201.255   443   SURICATA TLS error message encountered   
2018-10-02T08:43:02.252406+0200   allowed   WAN   203.119.201.255   443   80.218.168.190   60441   SURICATA Applayer Detect protocol only one direction   
2018-10-02T08:43:02.252406+0200   allowed   WAN   203.119.201.255   443   80.218.168.190   60441   SURICATA TLS error message encountered

I expected that if I change the filter action of the rulesets to drop, they will be dropped automatically.

Thank you very much for your help.

Regards Manuel
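Added example for this post and for #5, where the same "only allowed, never blocked" question comes up (this is not code from the thread or from OPNsense): a small parser for Alerts-tab lines in the layout quoted above. It counts actions per signature and separates Suricata's own event signatures (messages starting with "SURICATA ", which come from the engine's built-in stream/app-layer/decoder rules, not from a downloaded ruleset) from hits on downloaded rules, so one can see whether an abuse.ch rule has matched at all before judging whether drop works. Sample input is the four lines quoted above plus one constructed "blocked" line with placeholder addresses and a made-up signature; the "blocked" action string is an assumption.

```python
import re
from collections import Counter

# One Alerts-tab line, fields separated by runs of whitespace:
# timestamp  action  interface  src_ip  src_port  dst_ip  dst_port  signature message
FIELD_SPLIT = re.compile(r"\s{2,}")

# Sample input: the four lines quoted in the post plus one constructed line
# (placeholder addresses, made-up signature) so the "blocked" branch is exercised.
SAMPLE_ALERTS = """\
2018-10-02T09:17:28.703243+0200   allowed   WAN   80.218.168.190   53516   23.205.182.44   443   SURICATA STREAM Last ACK with wrong seq
2018-10-02T08:43:02.760728+0200   allowed   WAN   80.218.168.190   60441   203.119.201.255   443   SURICATA TLS error message encountered
2018-10-02T08:43:02.252406+0200   allowed   WAN   203.119.201.255   443   80.218.168.190   60441   SURICATA Applayer Detect protocol only one direction
2018-10-02T08:43:02.252406+0200   allowed   WAN   203.119.201.255   443   80.218.168.190   60441   SURICATA TLS error message encountered
2018-10-02T08:50:00.000000+0200   blocked   WAN   192.0.2.10   51000   198.51.100.20   443   EXAMPLE constructed ruleset hit
"""


def parse_alert_line(line):
    """Return a dict for one alert line, or None for blank or unparseable lines."""
    parts = FIELD_SPLIT.split(line.strip())
    if len(parts) < 8:
        return None
    ts, action, iface, src, sport, dst, dport = parts[:7]
    return {
        "ts": ts, "action": action, "iface": iface,
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        # the message itself may contain double spaces, so rejoin the remainder
        "msg": "  ".join(parts[7:]),
    }


def is_engine_event(msg):
    """Signatures prefixed 'SURICATA ' are the engine's built-in event rules
    (stream, TLS, app-layer anomalies), not rules from a downloaded ruleset."""
    return msg.startswith("SURICATA ")


def summarize(text):
    """Action counts, engine-event count and the ruleset signatures that fired."""
    records = [r for r in map(parse_alert_line, text.splitlines()) if r]
    return {
        "total": len(records),
        "actions": dict(Counter(r["action"] for r in records)),
        "engine_events": sum(is_engine_event(r["msg"]) for r in records),
        "ruleset_hits": [r["msg"] for r in records if not is_engine_event(r["msg"])],
        "signatures": dict(Counter(r["msg"] for r in records)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ALERTS), indent=2))
```

If the summary shows only engine events, as it does for the four quoted lines, the alerts tab has not yet recorded a match on the downloaded rules, so the absence of blocked entries says nothing about whether the drop setting works.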

#8
Hello
Today we had a problem at the ISP and had to reboot the modem which is connected to my OPNsense box. Unfortunately the WAN interface didn't come up again after rebooting the modem. Does OPNsense try to open the WAN port several times until it times out and then give up?

Because I like long uptimes very much ;) I hate to reboot my OPNsense FW. Is there a way, through the GUI, to bring the WAN interface up again without rebooting it?

Thank you very much for your hints.

Manuel

#9
Under VPN --> OpenVPN --> Connection Status there are really nice statistics about every user's bytes sent and bytes received. Is there a way to send this information via collectd to Grafana?

Thank you for your answer.

Manuel

#10
Hello
I made some manual changes in /usr/local/etc/collectd.conf to add the openvpn plugin. After a reboot of OPNsense my changes were gone. Are there any plans to add an "Advanced" field in collectd as well, to simply append to /usr/local/etc/collectd.conf?

There was already a thread https://forum.opnsense.org/index.php?topic=6072.0 about this matter.

Thank you for your answer.

Regards Manuel

#11
Hello
I have set up an OpenVPN server according to the "Setup SSL VPN Road Warrior" how-to, including TOTP. Login works fine, but after about 30 minutes the OpenVPN client login pops up and I have to log in again using the token from Google Authenticator and my password. Renegotiate time (reneg-sec 0) is set to 0 in the OpenVPN server config.

I would like to stay connected to the VPN server even if there is no activity/traffic. How can I achieve this?

Thank you very much for your help.

Regards Manuel

Tue Jul 24 10:02:16 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Jul 24 10:02:16 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 24 10:02:16 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Tue Jul 24 10:02:46 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:46 2018 UDP link local (bound): [AF_INET][undef]:0
Tue Jul 24 10:02:46 2018 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:47 2018 [myopenvpn Server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:02:48 2018 open_tun
Tue Jul 24 10:02:48 2018 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{AB71E12E-4CCE-42DE-84BA-E28854305B69}.tap
Tue Jul 24 10:02:48 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of xx.xx.xx.xx/255.255.255.xx on interface {xxxxxxxxx} [DHCP-serv: xx.xx.xx.xx, lease-time: 31536000]
Tue Jul 24 10:02:48 2018 Successful ARP Flush on interface [15] {xxxxxxxxx}
Tue Jul 24 10:02:48 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 24 10:02:53 2018 Initialization Sequence Completed
Tue Jul 24 10:31:57 2018 [myopenvpn Server] Inactivity timeout (--ping-restart), restarting
Tue Jul 24 10:31:57 2018 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jul 24 10:42:58 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:42:58 2018 UDP link local (bound): [AF_INET][undef]:0
Tue Jul 24 10:42:58 2018 UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:42:59 2018 [SSLVPN Server Certificate] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Tue Jul 24 10:43:00 2018 Preserving previous TUN/TAP instance: Ethernet 3
Tue Jul 24 10:43:00 2018 Initialization Sequence Completed

- Server Config File
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
client-disconnect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
local xx.xx.xx.xx
tls-server
server xx.xx.xx.xx 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'TOTP VPN Access Server' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'SSLVPN+Server+Certificate' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route xx.xx.xx.xx 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.4096.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
reneg-sec 0

- Client Config File
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
reneg-sec 0
resolv-retry infinite
remote myopenvpnserver.com 1194 udp
lport 0
verify-x509-name "myopenvpn Server" name
auth-user-pass
pkcs12 Home.p12
tls-auth Home.key 1
#ns-cert-type server
remote-cert-tls server
comp-lzo adaptive
auth-nocache

#12
General Discussion / Access Point on third interface
September 09, 2017, 02:17:31 PM
Hello
I would like to connect an AP to the third interface on my OPNsense FW. The plan is that some dedicated and authorised WLAN clients in the office can access everything on the LAN net (Windows servers and NAS) and also access the internet. But if a hacker from outside the office gains access to the net through the AP, he can do nothing, and all traffic to the WAN (Internet) and LAN will be blocked.

How would you do that? Create some MAC-based firewall rules? Is that possible? FW rules based on IP don't make sense, and MAC addresses could be spoofed as well. What would be the most secure approach?

Thank you very much for your answer.

Manuel