Topics - myksto

#1
Hi,
I'm on Opnsense 25.1.4_1-amd64 and trying to implement squid web proxy for a network.
Everything looks ok and works fine but the inline base64 image/logo doesn't appear in error pages, when using the squid pages and opnsense pages.
I've tried to implement custom error pages with a personal logo encoded with base64: the custom page shows perfectly but not the logo.
I read again and again the opnsense guide pages but I can't make it work.
Do I have to activate anything in configuration? Do I have to add some line of code?
The strange fact is that the logo doesn't appear even with the standard error pages configuration.

Thanks a lot,
Michele.
#2
Hi.
Just upgraded to latest version 23.7.2.
I read in this topic https://forum.opnsense.org/index.php?topic=35149.0 that to push static IP to clients in the tunnel we just have to use the "IPv4 Tunnel Network" field.
Well, I just copied the command "ifconfig-push 10.160.71.2 255.255.255.255" and receive the error "please specify a valid network segment or address (IPv4/IPv6)" (see screenshot).

What am I doing wrong?

Thanks a lot,
Michele.
#3
Hi.
I noticed several warnings on Intrusion Detection logs after update to version 22.1.8_1.
Warnings are like these (some examples):

  • [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default.
  • [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default.
  • [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default.
  • [...]

I know those are "just" warnings but do I have to worry about them?

Thanks a lot,
Michele
#4
Hi guys.
I have lots of OpenVPN clients who leave connections open even if they don't use them for hours and some of them also go home leaving VPN connections open!
Is there a way on server or client side or both to set up a timeout so that after e.g. 60 minutes without utilization clients automatically disconnect from the server?

Thanks a lot.

Michele.
#5
21.1 Legacy Series / Problems after 21.7.1_1 update
June 22, 2021, 10:07:34 AM
I read some other threads and saw that this update caused some problems.
I did the update, something went wrong, or better, the update log in the GUI stopped but the firewall did the reboot.
When the firewall rebooted the update check got stuck (see image attached).
I tried re-installing the 21.1.7_1 package with no luck and it seems to not work properly.
I also launched "/usr/local/opnsense/scripts/firmware/health.sh" but everything is ok. I tried to launch it from the GUI but it doesn't work.

What else can I do to restore normal behaviour?

Thanks a lot,
Michele.
#6
20.7 Legacy Series / Upgrade no more available
September 07, 2020, 09:20:22 AM
Hi to everybody.
I'm on 20.1.9_1 version and want to upgrade to 20.7.x.
I tried to upgrade but received the error "no signature found".
I followed the advice of this post https://forum.opnsense.org/index.php?topic=11199.0 where Franco says to delete two files: /usr/local/opnsense/firmware-upgrade and /usr/local/opnsense/firmware-message.
I did that but now when I check for a new version, 20.7 is no longer proposed, the message simply says that there's no update available on the selected mirror.

How can I solve this and upgrade to version 20.7.x?

Thanks a lot,

Michele.
#7
Hi.
As I just wrote in the subject: I noted that on the right side of the GUI the tools to manage rules are not visible in Google Chrome while they are in Mozilla Firefox and in IE.
I attached two shots of both browsers just to see the differences (see the red circles).

Is there anyone who knows the reason for this strange behaviour in Google Chrome and eventually how to solve this little problem?

Thanks and cheers,
Michele.
#8
19.7 Legacy Series / Error on Suricata 4.1.4_4 Logs
September 12, 2019, 04:37:13 PM
I recently noted this error on Suricata logs:
"suricata: [100148] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml."

I also can't see any packet blocked by Suricata so I guess it's not working.

I tried to restart the service but the error comes again.

I searched for 2225 ticket and found this for version 4.1.3: "Bug #2225: when stats info dumping in redis,the decoder.ipv4.trunc_pkt can't output.In the same time, in the stats.log this can output" but to tell the truth I did not understand whether I can solve the issue or not.

Is there a way to solve it?

Thanks and cheers.

Michele.
#9
I have two OpenVPN servers in the same firewall: OPN1 and OPN2.
Sometimes after a firewall reboot both daemons don't come up and in the dashboard they're red. If I try to restart them they don't and the logs say this:
"openvpn[76450]: Exiting due to fatal error;
openvpn[76450]: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)
openvpn[76450]: TUN/TAP device ovpns1 exists previously, keep at program end"

I found an old post https://forum.opnsense.org/index.php?topic=6376.0 and there I found the solution to find and kill processes. In that post a bug was opened at Github but I was not able to understand whether the bug had been corrected or not.

Is it known why this happens?
Is there a simpler way to make the OpenVPN daemons come up after a simple firewall reboot (for example for a system update)?

Thanks a lot.

Best regards,
Michele
#10
I have a Dell server with 19.1.4 x64 release.
I saw lots of messages in "System -> Log Files -> Backend" showing "Request filter log output".
Some time ago the same thing happened, I shut down and restarted the server and the logs went away (so it's not version related).
Today I have the same "problem".
It seems like a sort of container gets full and needs to be emptied.
Can someone tell me why this is happening and eventually how to stop it?

Thanks a lot.

Cheers,
Michele.
#11
In one of my scenarios I have two Dell PE 1950, they are identical in hardware: so they have WAN, DMZ and LAN interfaces.
The first firewall is in production and is LAN, DMZ and WAN (to a router with public IP) connected.
The second is a backup, same configuration as the first but connected only to the LAN interface with another private IP (of course). In this backup machine I set the first firewall's LAN address as the default gateway. In this way it's connected to the internet and can check for updates.
This morning I tried to update this backup firewall from 18.7.10_4 to 19.1_1 through the GUI. I unlocked the upgrade and pressed the UPGRADE button. I waited for half an hour but apart from the dots on the screen no upgrade was done. I rebooted the firewall and started the upgrade over but the result was the same. Then I tried to upgrade from the console but apart from the dots increasing on the screen nothing happened.
In this forum I found a thread that suggested another way to upgrade and tried it. Through the console I launched this command:
# opnsense-update -fp -n "19.1\/latest"
Lots of packages were installed and all processes completed (apparently) with success but at the end the firewall was not pingable and the GUI not accessible. I then tried to check for updates from the console, the process installed some packages making a "kernel update" and then rebooted the firewall. At that point everything was ok, the firewall pingable again and the GUI accessible.

This is not the first time I have problems to update this backup firewall and I really can't understand why.
Could it be the fact it's not WAN connected? Any other idea, suggestions?

Thanks and cheers,
Michele.
#12
I have several machines around the world and one by one I updated them to the latest release 18.7.10_3.
Well, I have a Dell server machine, identical to 3 others that I manage, that can't complete the update process.
All packages and plugins have been updated apart from the "base" and "kernel" packages.
I tried to reboot the server after an incomplete update process but with no luck. The dashboard says it's version 18.7.10_3 but if I check for updates I find that "base" and "kernel" need to be updated. I click on the update button again but it starts to try to update with no result.
I attached screenshots of the dashboard, the update process page, and the list of packages to be updated.
How can I overcome this strange situation?

Thanks and cheers,
Michele.
#13
I have to open a thread not to complain about something but to highlight the fact that surfing between pages has been sped up after the update to the latest version. In firewall rules I have dozens of rows and before it took 5-6 seconds to surf from one page to another. Now it's almost immediate and it's a very very good thing!
Maybe it's because of the cleanup you've made to the code, I don't know, but a very good job has been done.

Best regards,
Michele.
#14
Hi.
I've OPNSense 18.7.8 installed on an old (but still good) Dell server with 2 SATA disks configured in RAID1.
Well, this morning while I was making my usual tour check I saw one of the disks blinking orange meaning it was in an error state. I usually give a second chance to faulty disks by extracting and inserting them again after a few seconds, forcing the RAID controller to rebuild the array. In Windows, Dell gives a utility to monitor the rebuild status and the RAID status as well.
Is there a way to monitor the RAID rebuild process through OPNSense? I tried to search through the logs in System -> Log Files but I saw nothing useful. I also searched Google but with no luck.

Thank you very much.

Cheers,

Michele.
#15
I have two OpnSense machines: one is a production one, the second is for backup and test.
I usually make tests and then export configuration and import it to the production machine.
Today I need to import new Aliases and noticed that the item "Aliases" is missing in the "Restore Area".
I searched several times but I really can't find that key.

Has "Aliases" been removed? Can I ask you why and how can I import Aliases then?

Thanks a lot and cheers,

Michele.
#16
I mean I would like to check whether lists such as FireHOL, Spamhaus DROP, etc. are updated or not and would like to know where they are saved as files in the OpnSense filesystem.
I searched in different directories but with no luck.

Can anyone help me find them?

Thanks,
Michele.
#17
Hello everybody.
I would like to create and maintain a local list (or more than one) of IP addresses to use within an alias and then in traffic rules.
I created a txt file and put it in a local folder in Opnsense (/mkst/lists/ip.txt).
I would like to load it and use an alias to do that.
So I created an alias using the URL IP type but I receive an error and the IPs don't load.
I tried in different ways and these are some of the errors:
update_tables.py: error fetching alias url \\127.0.0.1\mkst\lists\ips.txt
update_tables.py: error fetching alias url https://127.0.0.1/mkst/lists/ips.txt
update_tables.py: error fetching alias url https:\\127.0.0.1\mkst\lists\ips.txt

What is the right way to load a local list?

Thank you.

Cheers,
Michele.
#18
Hi guys.
I set up the Insight reporting feature so that I can monitor traffic from inside my networks.
In the Netflow configuration I added my LAN, DMZ and OpenVPN interfaces.
When I go to the Insight function I can see all traffic and graphs for all interfaces except OpenVPN.
I attached screenshots of the Netflow configuration and Insight for the OpenVPN interfaces where, as you can see, no data is available, and I have several OpenVPN connections active (mine too right now).

Am I doing anything wrong or missing something?

Thanks and cheers,

Michele.
#19
Hello.
I've been using OPNSense for some months.
I'm on version 18.1.7, just updated.
I noticed a strange behaviour on the fantastic reporting section named "Insight".
I go to the "Totals" tab then I go down to "Top usage ports/sources".
By default WAN is selected.
On the right of the graph I see several IP addresses (public ones) and if I go to the pie chart and select one of them, the system takes me to the "Details" tab and puts the IP address I selected inside the "(src) Address" field as expected.
If I go back to the "Totals" tab, select "LAN" as the interface, choose and click on an IP address (a private one this time) on the pie chart, the system takes me to the "Details" tab but in the "src Address" field puts another IP address (a public one) and NOT the one I chose before.

Besides, if "WAN" is selected a small pop-up showing the IP address comes up when I go over the pie chart with the mouse, but if I select LAN or another interface more often than not no IP is shown.

I tried with Google Chrome and Mozilla Firefox and the behaviour is the same.

Is there a way to fix this "issue"?

Thanks a lot and cheers.

Michele.
#20
Hi.
Here's my OPNSense 18.1.5 configuration (IPs are not real of course):

  • WAN: public ip 88.40.191.10/29
  • LAN: 192.168.59.0/24
  • DMZ: 192.168.10.0/24
The GW is a Huawei router whose address is the first available public address of my public pool: 88.40.191.9/29.
I inserted the GW IP address as the default GW in OPNSense gateways.
The WAN cable of OPNSense is plugged into a port of the Huawei router.
The OPNSense WAN IP and the Huawei router IP are in the same public subnet (/29) of course.

Well, I found these strange behaviours (or better, I think they're strange but maybe they're not):
if I ADD the "upstream gateway" (Huawei router IP) in the WAN interface, OPNSense can't reach that gateway so no internet connection can be established, nothing at all.
if I DON'T ADD the "upstream gateway" in the WAN interface, OPNSense can reach the gateway but no one in the private networks can surf because the automatic OUTBOUND NAT rules are empty. If I manually add my private networks in OUTBOUND NAT everything is fine.

My questions are:

  • why is my GW unreachable if I add it as the upstream gateway of the WAN interface? I mean, is it not correct to insert it there?
  • Why are no outbound NAT rules automatically created if no upstream GW is set on WAN?
  • What is the default/correct practice in these cases?

Thanks a lot, Michele.