Topics

1

19.7 Production Series / [SOLVED] Traffic Shapper - Bug on entering or modify IP's

« on: October 17, 2019, 05:33:09 pm »

Hello,

I am having issues in editing my current TS config.
When i try to edit the IP on the rules section, or set it to any, the webgui deletes what i have added.
The behavior is the same if i create a new rule for TS.

This happens on chrome, firefox, and IE with or without incognito mode on.

What am i missing here?

PS: this server is part of a opncluster, i removed the config sync, and the issue remains on the other node as well, so i think we can rule out any issue with the config that might be causing this

Thanks,
Nuno

2

19.7 Production Series / haproxy transparent

« on: August 05, 2019, 05:29:31 pm »

Hello all,

Does anyone know when this will be implemented on the main tree of opnsense:

https://forum.opnsense.org/index.php?topic=4609.0

It is quite wanted by a lot of people.

Thanks for a kick ass product!

3

19.1 Legacy Series / IPSEC con selection fail.

« on: June 06, 2019, 10:19:30 am »

Hello,

I think i might be doing something wrong here.

I have two ipsec phase 1 selections:

conn con1
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  type = tunnel
  dpdaction = none
  left = %any
  right = %any
 
  leftid = con1@vpn
  ikelifetime = 1500000000s
  lifetime = 360000s
  rightsourceip = 172.16.8.0/24
  ike = aes128-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  leftsubnet = 0.0.0.0/0
  esp = aes128-sha1!
  auto = add

conn con2
  aggressive = yes
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
  type = tunnel
  dpdaction = none
  left = %any
  right = %any
 
  leftid = con2@vpn
  ikelifetime = 28800s
  lifetime = 3600s
  rightsourceip = 172.16.8.0/24
  ike = aes128-sha1-modp1024!
  leftauth = psk
  rightauth = psk
  rightauth2 = xauth-pam
  leftsubnet = 0.0.0.0/0
  esp = aes128-sha1!
  auto = add


Why does it then, select always CON1, with every possible option in the identifier section: Distinguished name, user distinguished name, ASN.1 dist. Name, KeyID tag

Error:

With shared secret for CON1:

charon: 11[CFG] <6> looking for XAuthInitPSK peer configs matching 10.0.1.1...X.X.XX.X[con1@vpn]
charon: 11[CFG] <6> selected peer config "con1"

With shared secret for CON2:

charon: 11[CFG] <6> looking for XAuthInitPSK peer configs matching 10.0.1.1...X.X.XX.X[con2@vpn]
charon: 11[CFG] <6> selected peer config "con1"

What am i doing wrong? Who does it defaults back to the con1 always?

Thanks for a ubber product!

4

19.1 Legacy Series / SQUID + LDAP error since upgrade.

« on: May 22, 2019, 10:13:46 am »

Hello,

Since my upgrade from 19.1.4 to 19.1.7 my ldap auth with squid stopped working.
I've looked inside my backup's and found that the auth part of squid.conf has changed:

From:
auth_param basic program /usr/local/etc/inc/plugins.inc.d/squid/auth-user.php

To:
auth_param basic program  /usr/local/libexec/squid/basic_pam_auth -o

What happened to the original basic program auth-user.php? Was it discontinued? How was it replaced?

It is still possible to authenticate against a ldap server with a few lines of configuration:

auth_param basic program  /usr/local/libexec/squid/basic_ldap_auth -b "dc=net,dc=xpto" -f "uid=%s" ipa.net.xpto:33389 -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxxxxx


external_acl_type memberof %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -P -R -b "dc=net,dc=xpto" -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxx  -h ipa.net.xpto:33389 -f
 "(&(objectclass=*)(memberof=cn=app_squid_users,cn=groups,cn=accounts,dc=net,dc=xpto)(uid=%uid))"


This works fine, but it's a deviation from using the webgui and I would like to avoid it.
How can it be made ldapauth to work with the configuration passed by the gui?
What am I missing?

Can you help me please?
Thanks

5

19.1 Legacy Series / SOLVED: Endless booting,crashing and looping on KVM, on a AMD

« on: March 09, 2019, 11:12:06 pm »

Hello All!

I've finally got around to upgrade to the latest version 19.1.3, on my homelab servers, and on a AMD Phenom i am getting an endless panic/reboot cycle.

The OPNsense runs on a Linux/KVM system, and the interaction is trowing an KVM: Guest triggered AMD Erratum 383.
I've done all i knew, on the kvm side (cpu passsthrough) and nothing. Sometimes it boots. Sometimes it reboots endlessy.

What am i missing? To the best of my knowlege this was not happening on 19.1.

EDIT: Tested upgrading it to the Dev version and the issue is not felt here. The only thing i can think of is that freebsd is having a tantrum.
In 19.1 the version is FreeBSD 11.2-RELEASE-p9-HBSD, on 19.7 the version is FreeBSD 11.2-RELEASE-p8-HBSD.
Form p9 to p8. Why the downgrade?

EDIT2: Nope... just crashed again with the same error  KVM: Guest triggered AMD Erratum 383. It appears that is felt also on 19.7.

Can you plesae help me?

Thanks!

6

18.7 Legacy Series / Nextcloud backup woops?

« on: August 02, 2018, 05:23:16 pm »

Hello all,

I'm having issues getting the nextcloud backup plugin to work. I am having this errors:

config[76475]: Error while fetching filelist from Nextcloud
config[93176]: {"url":"https:\/\/cloud.blablabla.com\/remote.php\/dav\/files\/config\/OPNsense-Backup\/config-pfsense01.net.xpto-2018-08-02_15:53:53.xml","content_type":"text\/html; charset=iso8859-1","http_code":403,"header_size":480,"request_size":326,"filetime":-1,"ssl_verify_result":0,"redirect_count":0,"total_time":1.293437,"namelookup_time":7.6e-5,"connect_time":0.003817,"pretransfer_time":0.029171,"size_upload":878690,"size_download":295,"speed_download":228,"speed_upload":679574,"download_content_length":-1,"upload_content_length":878690,"starttransfer_time":0.032878,"redirect_time":0,"redirect_url":"","primary_ip":"104.28.6.80","certinfo":[],"primary_port":443,"local_ip":"192.168.1.20","local_port":38604}

For what i am able to notice i am getting a 403 http error.
However i am able to upload to the nextcloud  instance with that user using either the browser or the native nextcloud client.
 
The nextcloud IS able to create the destination dir, so it appears not to be permission related. I just am not able to upload the xml file.

I can also see the opnsense logging in with success to the nextcloud instance:

{"reqId":"W2MlzKwQACkAAE3Xt7QAAAAC","level":1,"time":"2018-08-02T15:39:56+00:00","remoteAddr":"172.16.3.161","user":"config","app":"admin_audit","method":"PROPFIND","url":"\/remote.php\/dav\/files\/config\/","message":"Login successful: \"config\"","userAgent":"OPNsense Firewall","version":"13.0.5.2"}

Can you shed some light on this? What am i missing?

Nuno

7

18.7 Legacy Series / [SOLVED] Missing? Or i am looking in the wrong place?

« on: August 02, 2018, 03:40:36 pm »

Hello All,

After updating, I've lost the place where i used to configure access to the opnsense webgui.
It used to be in system--> Access --> Config

After the upgrade the config part disappeared. Where is it now?
I want to give access to an LDAP user to access the webgui.

Thanks for a wonderful product!
Nuno

8

18.1 Legacy Series / [SOLVED] Cannot upgrade to 18.1.6 - Bus error

« on: April 11, 2018, 03:59:39 pm »

Hello all,

I have been trying to upgrade my opnsense 18.1.5 to the latest version and i keep getting this error:

Checking integrity...Child process pid=13361 terminated abnormally: Bus error

On my system console the error is more detailed:

[HBSD SEGVGUARD] [/usr/local/sbin/pkg-static (12794)] Suspension expired.
 -> pid: 12794 ppid: 12349 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
pid 13361 (pkg-static), uid 0: exited on signal 10 (core dumped)

I have tried to execute pkg-static upgrade -y and i keep getting a coredump on the process.

I have rebooted the server but the problem remains

Can you please help me?

Thanks,
Nuno

9

17.7 Legacy Series / Netflow not working as expected

« on: November 07, 2017, 05:24:53 pm »

Hello all,

I've been trying to get my netflow working with my Argus accounting server with no luck.
My configuration is as showned on attach1.png

If i look inside the firewall, there is indeed a process that i suspect that is the flow analyser:

# 0:00.01 /usr/local/bin/samplicate -s 127.0.0.1 -p 2055 172.16.0.155/9666

I have checked and there is a very slow of data being put my the firewall on my argus accounting server.
I have other softflow devices that are recording data correctly with this configuration.
The same for radium/argus native client.

One issue that i've found is that usual netflow network packets (at least the kind that i am used to) are much smaller that thoose produced by the netflow engine of opnsense: opn packets - 1506 bytes versus usual packets 120 to 280 bytes.

What am i missing here?

Thanks for your product and your help!

10

17.7 Legacy Series / HAProxy Transparent Mode IPFW - Is it available?

« on: October 18, 2017, 12:51:55 pm »

Hello all!

I'm using the HAProxy plugin and I needed to run it inline, in transparent mode.
I have been digging around on the forum and found this past thread:

https://forum.opnsense.org/index.php?topic=4609

@Franco,

Have you had the time to see the solution presented by Rosu?

Thanks!

11

17.7 Legacy Series / [SOLVED] [Suricata] Suricata dropping traffic with IPS.

« on: October 17, 2017, 08:50:34 pm »

 Hello All.

I've installed the latest version of opnsense and tryed to run suricata.
My HW is a 3 vCore QEMU/KVM (tryed on qemu 2.7 and 2.9) with 2GB of ram and several VIRTIO NICs.

I've pulled the latest rules, and checked if there was updates to be installed.
Both suricata and opnsense are on the latest version.

When i boot suricata in IPS configuration, on the WAN interface, i loose conectivity.
Here's a ping form the firewall to the next hop to demonstrate what appends:

64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=1.135 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.991 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=0.595 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=64 time=0.749 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=64 time=0.828 ms
64 bytes from 192.168.1.254: icmp_seq=5 ttl=64 time=0.803 ms
64 bytes from 192.168.1.254: icmp_seq=6 ttl=64 time=0.766 ms
64 bytes from 192.168.1.254: icmp_seq=7 ttl=64 time=68606.310 ms < Suricata boot
64 bytes from 192.168.1.254: icmp_seq=8 ttl=64 time=68300.215 ms
64 bytes from 192.168.1.254: icmp_seq=10 ttl=64 time=67848.197 ms
64 bytes from 192.168.1.254: icmp_seq=14 ttl=64 time=68108.471 ms
64 bytes from 192.168.1.254: icmp_seq=17 ttl=64 time=67052.875 ms
64 bytes from 192.168.1.254: icmp_seq=18 ttl=64 time=67528.361 ms
64 bytes from 192.168.1.254: icmp_seq=19 ttl=64 time=68002.670 ms
64 bytes from 192.168.1.254: icmp_seq=22 ttl=64 time=67999.273 ms
64 bytes from 192.168.1.254: icmp_seq=23 ttl=64 time=67995.854 ms

There are NO rules loaded for this test, I just started the daemon.

If i stop the IPS mode (active defense) it goes back to normal:

64 bytes from 192.168.1.254: icmp_seq=10 ttl=64 time=38098.266 ms
64 bytes from 192.168.1.254: icmp_seq=15 ttl=64 time=36568.727 ms
64 bytes from 192.168.1.254: icmp_seq=16 ttl=64 time=36987.789 ms
64 bytes from 192.168.1.254: icmp_seq=20 ttl=64 time=37390.267 ms
64 bytes from 192.168.1.254: icmp_seq=21 ttl=64 time=36703.024 ms
64 bytes from 192.168.1.254: icmp_seq=24 ttl=64 time=36385.351 ms
64 bytes from 192.168.1.254: icmp_seq=26 ttl=64 time=51639.619 ms
64 bytes from 192.168.1.254: icmp_seq=27 ttl=64 time=52612.838 ms
64 bytes from 192.168.1.254: icmp_seq=29 ttl=64 time=51815.528 ms
64 bytes from 192.168.1.254: icmp_seq=30 ttl=64 time=51632.411 ms
64 bytes from 192.168.1.254: icmp_seq=32 ttl=64 time=50433.146 ms
64 bytes from 192.168.1.254: icmp_seq=85 ttl=64 time=0.504 ms
64 bytes from 192.168.1.254: icmp_seq=86 ttl=64 time=0.473 ms
64 bytes from 192.168.1.254: icmp_seq=87 ttl=64 time=0.462 ms
64 bytes from 192.168.1.254: icmp_seq=88 ttl=64 time=0.404 ms
64 bytes from 192.168.1.254: icmp_seq=89 ttl=64 time=0.502 ms
64 bytes from 192.168.1.254: icmp_seq=90 ttl=64 time=0.444 ms
64 bytes from 192.168.1.254: icmp_seq=91 ttl=64 time=0.474 ms

Am i missing something or is this a bug?
I need the IPS active to do active defense on my system?
Or can it be run with active defence on legacy configuration thru pcap thus being only and IDS and not a IPS?

Thanks,
Nuno