Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - xupetas

Pages: [1]

21.7 Legacy Series / [SOLVED]: Issue with Geoblock - Not working after system lost power.

« on: October 25, 2021, 12:57:01 pm »

Hello all,

I had a crash on a opnsense 21.7 (powerloss), and when it came back up the geoip alias was not working.

I've tried to see if the download/key for my geoip list was working, and it is:

root@XXXXX:/usr/local/opnsense/scripts/filter/lib # python3
Python 3.8.12 (default, Sep 20 2021, 23:00:57)
[Clang 8.0.1 (tags/RELEASE_801/final 366581)] on freebsd12
Type "help", "copyright", "credits" or "license" for more information.
>>> from geoip import download_geolite
>>> download_geolite()
{'address_count': 775784, 'file_count': 500, 'timestamp': '2021-10-19T09:47:50', 'locations_filename': 'GeoLite2-Country-Locations-en.csv', 'address_sources': {'IPv4': 'GeoLite2-Country-Blocks-IPv4.csv', 'IPv6': 'GeoLite2-Country-Blocks-IPv6.csv'}}
>>>

The list is active, but it does not work - tested with multiple IP's from a IP range that *is* included.
Also, i have enough table entries to acomodate the list:

# pfctl -sm | grep table-entries
table-entries hard limit 4000000000

Is there a way to see using pfctl that the alias is being loaded? The main simptom of this issue is that the list appears that is not being loaded and thus the rule is doing nothing.

21.7 Legacy Series / HA-Proxy - Not validating ACL correctly

« on: September 23, 2021, 10:30:11 am »

Hello all,

I have been experimenting on HA WSS and WS with HAproxy.
Since the webgui does not support the HA, i selected the pass-trought option and wrote this ACL:

acl is_upgrade hdr(connection) -i upgrade
acl is_websocket hdr(upgrade) -i websocket

However i cannot load it pass that page because it gives an error: text validation error

The ACL is correct. What am i missing?

Thanks for your help!

21.7 Legacy Series / Issues with API using example from docs.opnsense.org

« on: July 29, 2021, 12:08:12 pm »

Hello All,

Thanks for spending your time reading this.

I've been following the how to regarding the API interface for creating/modifying an Alias, that is located in https://docs.opnsense.org/manual/aliases.html.

Inside is stated that one can add an Alias like this:

curl \
--header "Content-Type: application/json" \
--basic \
--user "key:secret" \
--request POST \
--insecure \
--verbose \
--data '{"address":"10.0.0.2"}' \
https://opnsense.firewall/api/firewall/alias_util/add/MyAlias

So, i've built my script like this:
curl \
--header "Content-Type: application/json" \
--basic \
--user "XXXXX:YYYYYYY" \
--request POST \
--insecure \
--verbose \
--data '{"Ports":"512"}' \
https://172.16.0.20/api/firewall/alias_util/add/APP_FORWARD_PORTS

And i keep getting this error {"status":"failed"}.

I've tried to validate the script and credentials by using --data '{"address":"10.0.0.2"}' for the address and it works perfectly.
So it appears that my issue is related do "Ports".
I tried the script with Ports, Port, port, ports and nothing works.

Also, if i try to list ports from the API Alias it will not display any ports even those that exist:

curl -k -u "XXXXXXX":"YYYYYY" https://172.16.0.20/api/firewall/alias_util/list/EXISTING_PORT

i get:

{
"total": 0,
"rowCount": -1,
"current": 1,
"rows": []
}

If i try to export, i see the ports via API.

What is the syntax i should use? I don't see the ports directive being used in the manual. Is it not supported?

Thanks for your help.

19.7 Legacy Series / [SOLVED] Traffic Shapper - Bug on entering or modify IP's

« on: October 17, 2019, 05:33:09 pm »

Hello,

I am having issues in editing my current TS config.
When i try to edit the IP on the rules section, or set it to any, the webgui deletes what i have added.
The behavior is the same if i create a new rule for TS.

This happens on chrome, firefox, and IE with or without incognito mode on.

What am i missing here?

PS: this server is part of a opncluster, i removed the config sync, and the issue remains on the other node as well, so i think we can rule out any issue with the config that might be causing this

Thanks,
Nuno

19.7 Legacy Series / haproxy transparent

« on: August 05, 2019, 05:29:31 pm »

Hello all,

Does anyone know when this will be implemented on the main tree of opnsense:

https://forum.opnsense.org/index.php?topic=4609.0

It is quite wanted by a lot of people.

Thanks for a kick ass product!

19.1 Legacy Series / IPSEC con selection fail.

« on: June 06, 2019, 10:19:30 am »

Hello,

I think i might be doing something wrong here.

I have two ipsec phase 1 selections:

conn con1
aggressive = yes
fragmentation = yes
keyexchange = ikev1
mobike = yes
reauth = yes
rekey = yes
forceencaps = yes
installpolicy = yes
type = tunnel
dpdaction = none
left = %any
right = %any

leftid = con1@vpn
ikelifetime = 1500000000s
lifetime = 360000s
rightsourceip = 172.16.8.0/24
ike = aes128-sha1-modp1024!
leftauth = psk
rightauth = psk
rightauth2 = xauth-pam
leftsubnet = 0.0.0.0/0
esp = aes128-sha1!
auto = add

conn con2
aggressive = yes
fragmentation = yes
keyexchange = ikev1
mobike = yes
reauth = yes
rekey = yes
forceencaps = no
installpolicy = no
type = tunnel
dpdaction = none
left = %any
right = %any

leftid = con2@vpn
ikelifetime = 28800s
lifetime = 3600s
rightsourceip = 172.16.8.0/24
ike = aes128-sha1-modp1024!
leftauth = psk
rightauth = psk
rightauth2 = xauth-pam
leftsubnet = 0.0.0.0/0
esp = aes128-sha1!
auto = add

Why does it then, select always CON1, with every possible option in the identifier section: Distinguished name, user distinguished name, ASN.1 dist. Name, KeyID tag

Error:

With shared secret for CON1:

charon: 11[CFG] <6> looking for XAuthInitPSK peer configs matching 10.0.1.1...X.X.XX.X[con1@vpn]
charon: 11[CFG] <6> selected peer config "con1"

With shared secret for CON2:

charon: 11[CFG] <6> looking for XAuthInitPSK peer configs matching 10.0.1.1...X.X.XX.X[con2@vpn]
charon: 11[CFG] <6> selected peer config "con1"

What am i doing wrong? Who does it defaults back to the con1 always?

Thanks for a ubber product!

19.1 Legacy Series / SQUID + LDAP error since upgrade.

« on: May 22, 2019, 10:13:46 am »

Hello,

Since my upgrade from 19.1.4 to 19.1.7 my ldap auth with squid stopped working.
I've looked inside my backup's and found that the auth part of squid.conf has changed:

From:
auth_param basic program /usr/local/etc/inc/plugins.inc.d/squid/auth-user.php

To:
auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o

What happened to the original basic program auth-user.php? Was it discontinued? How was it replaced?

It is still possible to authenticate against a ldap server with a few lines of configuration:

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -b "dc=net,dc=xpto" -f "uid=%s" ipa.net.xpto:33389 -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxxxxx

external_acl_type memberof %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -P -R -b "dc=net,dc=xpto" -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxx -h ipa.net.xpto:33389 -f
"(&(objectclass=*)(memberof=cn=app_squid_users,cn=groups,cn=accounts,dc=net,dc=xpto)(uid=%uid))"

This works fine, but it's a deviation from using the webgui and I would like to avoid it.
How can it be made ldapauth to work with the configuration passed by the gui?
What am I missing?

Can you help me please?
Thanks

19.1 Legacy Series / SOLVED: Endless booting,crashing and looping on KVM, on a AMD

« on: March 09, 2019, 11:12:06 pm »

Hello All!

I've finally got around to upgrade to the latest version 19.1.3, on my homelab servers, and on a AMD Phenom i am getting an endless panic/reboot cycle.

The OPNsense runs on a Linux/KVM system, and the interaction is trowing an KVM: Guest triggered AMD Erratum 383.
I've done all i knew, on the kvm side (cpu passsthrough) and nothing. Sometimes it boots. Sometimes it reboots endlessy.

What am i missing? To the best of my knowlege this was not happening on 19.1.

EDIT: Tested upgrading it to the Dev version and the issue is not felt here. The only thing i can think of is that freebsd is having a tantrum.
In 19.1 the version is FreeBSD 11.2-RELEASE-p9-HBSD, on 19.7 the version is FreeBSD 11.2-RELEASE-p8-HBSD.
Form p9 to p8. Why the downgrade?

EDIT2: Nope... just crashed again with the same error KVM: Guest triggered AMD Erratum 383. It appears that is felt also on 19.7.

Can you plesae help me?

Thanks!

18.7 Legacy Series / Nextcloud backup woops?

« on: August 02, 2018, 05:23:16 pm »

Hello all,

I'm having issues getting the nextcloud backup plugin to work. I am having this errors:

config[76475]: Error while fetching filelist from Nextcloud
config[93176]: {"url":"https:\/\/cloud.blablabla.com\/remote.php\/dav\/files\/config\/OPNsense-Backup\/config-pfsense01.net.xpto-2018-08-02_15:53:53.xml","content_type":"text\/html; charset=iso8859-1","http_code":403,"header_size":480,"request_size":326,"filetime":-1,"ssl_verify_result":0,"redirect_count":0,"total_time":1.293437,"namelookup_time":7.6e-5,"connect_time":0.003817,"pretransfer_time":0.029171,"size_upload":878690,"size_download":295,"speed_download":228,"speed_upload":679574,"download_content_length":-1,"upload_content_length":878690,"starttransfer_time":0.032878,"redirect_time":0,"redirect_url":"","primary_ip":"104.28.6.80","certinfo":[],"primary_port":443,"local_ip":"192.168.1.20","local_port":38604}

For what i am able to notice i am getting a 403 http error.
However i am able to upload to the nextcloud instance with that user using either the browser or the native nextcloud client.

The nextcloud IS able to create the destination dir, so it appears not to be permission related. I just am not able to upload the xml file.

I can also see the opnsense logging in with success to the nextcloud instance:

{"reqId":"W2MlzKwQACkAAE3Xt7QAAAAC","level":1,"time":"2018-08-02T15:39:56+00:00","remoteAddr":"172.16.3.161","user":"config","app":"admin_audit","method":"PROPFIND","url":"\/remote.php\/dav\/files\/config\/","message":"Login successful: \"config\"","userAgent":"OPNsense Firewall","version":"13.0.5.2"}

Can you shed some light on this? What am i missing?

Nuno

18.7 Legacy Series / [SOLVED] Missing? Or i am looking in the wrong place?

« on: August 02, 2018, 03:40:36 pm »

Hello All,

After updating, I've lost the place where i used to configure access to the opnsense webgui.
It used to be in system--> Access --> Config

After the upgrade the config part disappeared. Where is it now?
I want to give access to an LDAP user to access the webgui.

Thanks for a wonderful product!
Nuno

18.1 Legacy Series / [SOLVED] Cannot upgrade to 18.1.6 - Bus error

« on: April 11, 2018, 03:59:39 pm »

Hello all,

I have been trying to upgrade my opnsense 18.1.5 to the latest version and i keep getting this error:

Checking integrity...Child process pid=13361 terminated abnormally: Bus error

On my system console the error is more detailed:

[HBSD SEGVGUARD] [/usr/local/sbin/pkg-static (12794)] Suspension expired.
-> pid: 12794 ppid: 12349 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
pid 13361 (pkg-static), uid 0: exited on signal 10 (core dumped)

I have tried to execute pkg-static upgrade -y and i keep getting a coredump on the process.

I have rebooted the server but the problem remains

Can you please help me?

Thanks,
Nuno

17.7 Legacy Series / Netflow not working as expected

« on: November 07, 2017, 05:24:53 pm »

Hello all,

I've been trying to get my netflow working with my Argus accounting server with no luck.
My configuration is as showned on attach1.png

If i look inside the firewall, there is indeed a process that i suspect that is the flow analyser:

# 0:00.01 /usr/local/bin/samplicate -s 127.0.0.1 -p 2055 172.16.0.155/9666

I have checked and there is a very slow of data being put my the firewall on my argus accounting server.
I have other softflow devices that are recording data correctly with this configuration.
The same for radium/argus native client.

One issue that i've found is that usual netflow network packets (at least the kind that i am used to) are much smaller that thoose produced by the netflow engine of opnsense: opn packets - 1506 bytes versus usual packets 120 to 280 bytes.

What am i missing here?

Thanks for your product and your help!

17.7 Legacy Series / HAProxy Transparent Mode IPFW - Is it available?

« on: October 18, 2017, 12:51:55 pm »

Hello all!

I'm using the HAProxy plugin and I needed to run it inline, in transparent mode.
I have been digging around on the forum and found this past thread:

https://forum.opnsense.org/index.php?topic=4609

@Franco,

Have you had the time to see the solution presented by Rosu?

Thanks!

17.7 Legacy Series / [SOLVED] [Suricata] Suricata dropping traffic with IPS.

« on: October 17, 2017, 08:50:34 pm »

Hello All.

I've installed the latest version of opnsense and tryed to run suricata.
My HW is a 3 vCore QEMU/KVM (tryed on qemu 2.7 and 2.9) with 2GB of ram and several VIRTIO NICs.

I've pulled the latest rules, and checked if there was updates to be installed.
Both suricata and opnsense are on the latest version.

When i boot suricata in IPS configuration, on the WAN interface, i loose conectivity.
Here's a ping form the firewall to the next hop to demonstrate what appends:

64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=1.135 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.991 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=0.595 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=64 time=0.749 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=64 time=0.828 ms
64 bytes from 192.168.1.254: icmp_seq=5 ttl=64 time=0.803 ms
64 bytes from 192.168.1.254: icmp_seq=6 ttl=64 time=0.766 ms
64 bytes from 192.168.1.254: icmp_seq=7 ttl=64 time=68606.310 ms < Suricata boot
64 bytes from 192.168.1.254: icmp_seq=8 ttl=64 time=68300.215 ms
64 bytes from 192.168.1.254: icmp_seq=10 ttl=64 time=67848.197 ms
64 bytes from 192.168.1.254: icmp_seq=14 ttl=64 time=68108.471 ms
64 bytes from 192.168.1.254: icmp_seq=17 ttl=64 time=67052.875 ms
64 bytes from 192.168.1.254: icmp_seq=18 ttl=64 time=67528.361 ms
64 bytes from 192.168.1.254: icmp_seq=19 ttl=64 time=68002.670 ms
64 bytes from 192.168.1.254: icmp_seq=22 ttl=64 time=67999.273 ms
64 bytes from 192.168.1.254: icmp_seq=23 ttl=64 time=67995.854 ms

There are NO rules loaded for this test, I just started the daemon.

If i stop the IPS mode (active defense) it goes back to normal:

64 bytes from 192.168.1.254: icmp_seq=10 ttl=64 time=38098.266 ms
64 bytes from 192.168.1.254: icmp_seq=15 ttl=64 time=36568.727 ms
64 bytes from 192.168.1.254: icmp_seq=16 ttl=64 time=36987.789 ms
64 bytes from 192.168.1.254: icmp_seq=20 ttl=64 time=37390.267 ms
64 bytes from 192.168.1.254: icmp_seq=21 ttl=64 time=36703.024 ms
64 bytes from 192.168.1.254: icmp_seq=24 ttl=64 time=36385.351 ms
64 bytes from 192.168.1.254: icmp_seq=26 ttl=64 time=51639.619 ms
64 bytes from 192.168.1.254: icmp_seq=27 ttl=64 time=52612.838 ms
64 bytes from 192.168.1.254: icmp_seq=29 ttl=64 time=51815.528 ms
64 bytes from 192.168.1.254: icmp_seq=30 ttl=64 time=51632.411 ms
64 bytes from 192.168.1.254: icmp_seq=32 ttl=64 time=50433.146 ms
64 bytes from 192.168.1.254: icmp_seq=85 ttl=64 time=0.504 ms
64 bytes from 192.168.1.254: icmp_seq=86 ttl=64 time=0.473 ms
64 bytes from 192.168.1.254: icmp_seq=87 ttl=64 time=0.462 ms
64 bytes from 192.168.1.254: icmp_seq=88 ttl=64 time=0.404 ms
64 bytes from 192.168.1.254: icmp_seq=89 ttl=64 time=0.502 ms
64 bytes from 192.168.1.254: icmp_seq=90 ttl=64 time=0.444 ms
64 bytes from 192.168.1.254: icmp_seq=91 ttl=64 time=0.474 ms

Am i missing something or is this a bug?
I need the IPS active to do active defense on my system?
Or can it be run with active defence on legacy configuration thru pcap thus being only and IDS and not a IPS?

Thanks,
Nuno

Pages: [1]