Topics

1

21.1 Legacy Series / OPNsense does not response to ARP requests for static entries

« on: June 05, 2021, 03:41:44 pm »

Hi folks,

I've configured a DHCPv4 lease with static ARP entry containing the broadcast mac address ff:ff:ff:ff:ff:ff. I'm using this IP to send WoL packets from other subnets to reach all clients in this subnet.

Worked well for years. But now, I've no idea since when exactly, OPNsense doesn't reply to queries for this IP address.

I did a packet capture and the ARP queries are arriving on the right interface. But I can't see any response. Only when the clients request the gateway address, which is the OPNsense interface, I can see the responses.
Any idea ?

EDIT: The ARP table of OPNsense contains the static ARP entry.

2

21.1 Legacy Series / Local DNS resolving is not working after restart of Wireguard

« on: May 23, 2021, 12:31:20 pm »

Hey,

When I restart the Wireguard service, OPNsense is no longer able to resolve DNS names by itself. The LAN clients are all fine, only OPNsense can't resolve e.g. FQDN aliases.

2021-05-23T12:21:01    unable to resolve download.qnap.com for alias WAN_QNAP_Download

I've to restart the appliance to resolve the issue.

I'm using Unbound as DNS resolver. It's listening on a loopback adapter, which address I have configured in the DHCP DNS server options for the clients as well as in the general settings of OPNsense (System: Settings: General)

I can remember that there was a similiar issue with OpenVPN, but I can't find the thread/issue on Github.

Any recommendations?

EDIT: Found out that saving the genereal settings of OPNsense again also solves the issue.

3

Intrusion Detection and Prevention / Memory usage grow during a constant traffic flow

« on: November 22, 2020, 01:52:02 pm »

Hey,

I'm often watching TV shows that I've recorded in the past, and saved on my NAS as MPG-2 file.
The playing device is a Dreambox (Linux based) in a different VLAN. The Dreambox uses SMB2 to play the file. The connection uses about 5 Mbit/s.

After approxm. 30 minutes watching I get an warning from my OPNsense, that the memory usage has reached 80% of 8 GB. The activity page shows that Suricata uses the most of it. The memory usage continues to grow up to 97% as long as the episode plays. Then the SWAP usage starts to grow.
My OPNsense uses about 20% of the memory during normal operation.

I do not see any drops or alerts in the IDS/IPS logs regarding this connection. I can try to define an IP-to-IP exception in the user rules section to prevent it. But if it's a single rule which causes this behaviour, I would prefer to identify and disable this rule.
Is this a normal behaviour? If not, how should I go through to prevent this?

Current Suricata settings: Promiscus & IPS modes are active. The pattern matcher is Hyperscan, and Suricata is only listening on the physical LAN interface. The home network subnets are entered.

Jas

EDIT: I'm not able to reproduce this issue by using iPerf3 to create an TCP connection with an constant bandwidth usage.

4

Intrusion Detection and Prevention / Understanding of "user defined" rules

« on: June 07, 2020, 01:51:49 pm »

Hey,

I've different VLANs in my LAN and Suricata is enabled in IPS mode on the physical interface on which all VLANs mapped to.

When I copy some big files from a host in VLAN1 to a host in VLAN2 via SMB, Suricata reaches 100% of the CPU time because it inspects the traffic of course. Due to the high CPU utilization the bandwidth of the copy job is much lower than whitout IDS/IPS enabled.

So I added two user defined pass rules for the hosts (from host 1 to host 2 and vice versa). The rules are matching, but the Suricata process still uses 100% of the CPU time during the copy job.

My question is: should the traffic bypass IDS/IPS completly when there's a pass rule for it? Or is the traffic still inspected by IDS/IPS, and the pass rule overwrites only all alert/block rule that may match? The documentation of Suricata is not understandable for me in this point (https://suricata.readthedocs.io/en/suricata-4.1.2/performance/ignoring-traffic.html).
What would be the best way to perform my requirement?

Thanks.
Jas

5

19.7 Legacy Series / How to handle Multicasts with TTL=1?

« on: January 06, 2020, 02:07:40 pm »

Hey,

I've seperated all my IoT devices into a single VLAN.
The associated Android management app of one of the IoT devices uses Multicasts to discover the device. Unfortunately the Multicast packets from the app have an TTL of 1. My mobile phone is in another VLAN and therefore the packets are discarted before PIMD can forward them to the IoT VLAN.

What would be the Best-Practise to handle this? Should I use iptable to mangle the TTL of the packets?

Jas

6

19.7 Legacy Series / Firewall States Dump shows closed connections as established

« on: October 02, 2019, 07:28:29 am »

Hey,

I have noticed that the Firewall states dump overview under

Firewall:Diagnostics:States Dump

shows a lot of connections that should be closed long time ago.
Example: I've shut down my PC about 10 hours ago, and due to the state dump overview there are still over 140 HTTP and HTTPS established (only ESTABLISHED:ESTABLISHED, nothing else) connections to different destinations.

Did anybody else noticed that issue? How can I be prove that this is only an display issue?

Jas

7

19.7 Legacy Series / DNS mismatch firewall alias table and host query

« on: September 13, 2019, 06:09:37 pm »

Hey,
I've a question regarding firewall rules, DNS and host aliases.

I would like to allow an internal host to talk to an external host. Therefore I created an host alias with the FQDN of the external host, and added it to the firewall rule as destination.
The firewall did an DNS query for this external host alias and saved the resolved IP addresses to its pfTables.

Now the internal host tries to connect to the external host. He does an DNS query and got different IP addresses than the firewall has got for the host alias. Means the rule doesn't match, and the internal host is not able to connect to the external host.

I did some nslookups for the external host, and nearly every second query I got back different IP addresses.

What would be the best way to solve this? Should I create an alias with all the resolved IP addresses? I count over 20 different addresses.


Jas

8

19.7 Legacy Series / Backup to Nextcloud over IPsec fails

« on: August 31, 2019, 01:50:04 pm »

Hey,

I've an IPsec connection to the network of a friend of mine (192.168.0.0/24). He has an Raspi with Nextcloud (192.168.0.10) which I would like to use to backup my OPNsense config regularly.

But OPNsense can't reach this address. When I traceroute the destination raspi.fritz.box from the web interface, OPNsense sends this traffic to the WAN interface/Internet and not through the IPsec tunnel.

Code: [Select]

# /usr/sbin/traceroute -w 2 -n  -m '18'  'raspi.fritz.box'
traceroute to raspi.fritz.box (192.168.0.10), 18 hops max, 40 byte packets
 1  10.0.224.1  1.122 ms  0.631 ms  0.628 ms
 2  [WAN IP]  5.984 ms  5.896 ms  5.888 ms
 3  * * *
 4  * * *
 5  * * *
....
From my LAN behind the OPNsense  I can reach the Nextcloud client. So it's not a general routing issue.
Any ideas to solve this or for a workaround?

Thanks
Jas

9

Intrusion Detection and Prevention / IDS/IPS Logs source IP

« on: August 12, 2019, 01:42:03 pm »

Hey,

I've enabled the IDS and IPS mode for the WAN interface only on my OPNsense 19.7.2.

I noticed that the IDS/IPS log shows sometimes the client IP, and sometimes the OPNsense WAN interface IP as source IP of blocked connections (see attachment, red client IP, green WAN IF IP). NAT is not enabled.

Of course I would like to see always the client IP to identify the client which tries to initialize the connection.

Any idea how to do that or why I see sometimes the WAN IP?

Thank you.
Jas

10

19.7 Legacy Series / Firewall statistics show N/A for most of the rules

« on: July 19, 2019, 10:19:26 pm »

Hey,

When I switch to the "Inspect" view in the overview of any interfaces firewall rules, most of the statistic columns shows "N/A". Only the NAT and Floating rules shows values for states, packets and bytes.

Do I have to enable something to see the statistics for all rules?

Thanks.

Jas

11

19.1 Legacy Series / ACK packet of TCP Three-Way-Handshake get lost

« on: March 07, 2019, 12:57:58 pm »

Hey,
I've a stange issue with my clock radio, which is able to play Internet radio streams as wake-up sound.

Once or twice a week the radio is not able to start the stream when it should wake me up.
I did an capture on the LAN side of the OPNsense aplliance (see attachment). It looks like the clients ACK for the SYN-ACK never reached his destination. The server retransmit the SYN-ACK again and again, and the client retrasnmit his ACK again and again, too.
The firewall and IPS log showed no blocked packets. I will now capture the WAN side to be sure that the packet has left the OPNsense appliance.

Funny fact: this happens only when the stream is started by the wake-up timer. When I start the radio manually, the stream starts always without any problem.

Any idea what can cause this issue? Is there another log were I should have a look to be sure, that nothing was blocked?
Thanks.

Jas

12

General Discussion / [SOLVED] Firewall blocks TCP RST when TCP FIN was sent already

« on: January 02, 2019, 01:37:49 pm »

Hey,

I have an issue with an TCP connection (LAN client downloads data from WAN server). I did some troubleshooting and found out, that a packet with RST flag set is blocked by the firewall (I guess), when a packet with FIN flag set was send before in the TCP session.
An example:

RST packet blocked

• Session between Client and Server is up and running
• Client decides to close the session and sends an FIN/ACK packet to the server
• Server apparently ignores the FIN/ACK packet and still sends data packets to the client
• Client sends an RST packet to the server, which is blocked by the OPNsense aplliance. I can see the packet in the packet trace on the LAN site but not on the WAN site.
• Server still sends data packets, but the client don't acknowledge them. He stops when the clients receive window is "full".

RST packet is not blocked

• Session between Client and Server is up and running
• Client decides to close the session and sends an RST packet to the server
• Server sends ACK packet and stops sending data

Is this a normal behaviour?
I think my issue has to do with this behaviour, because when the RST packet is blocked the session state remains open on the server. When a certain limit has reached, I guess the server will not allow any more connections from/to my IP address.

Jas Man

13

General Discussion / Logging for all firewall rules

« on: December 31, 2018, 04:00:50 pm »

Hey,
I'm curios if OPNsense has a switch or option, where I can enable the logging for all firewall rules at once.

Why? When the ruleset becomes bigger and bigger, and you found out that an client has access to something that it shouldn't have, it's difficult to find the rule which allowes the traffic.
In this case it would be great to temporary enable the logging for all rules at once to check the log which rule allowes the specific traffic.

Thank you.
Jas Man

14

18.7 Legacy Series / [SOLVED] Circular logging seems to be not working

« on: September 22, 2018, 02:20:51 pm »

Hi,
I've noticed that some logs like those from NTP and Unbound showes only old entrys. I guess the circular logging is not working for those logs.

The log files under /var/log/ for this services have reached the configured maximum file size (System: Settings: Logging: Log File Size (Bytes), 20.000.000 Bytes on my OPNsense) and therefore, I guess, logging has stopped.

I haven't found any known issue about that. Maybe I've forgot only a setting or something like this.
The circular logging for the system log looks fine. The file has reached the maximum size too, but new logs are shown and the old ones dissapear.

Any idea?

Thank you.
Jas Man

15

Intrusion Detection and Prevention / IDS/IPS Surciata fails to start when abuse.ch/URLhaus is activated

« on: August 24, 2018, 02:32:06 pm »

Hi,
I switched back from a PPoE Connection and therefore I can use IDS/IPS again.
I noticed that Suricata fails to start when I activate the rule list "abuse.ch/URLhaus". The following error is shown in the logs:

Aug 24 14:03:22    suricata: [100180] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/url=http://wordpress.p364918.webspaceconfig.de/614tiscfz/com/us|26|data=02|01|rcorm1@jcp.com|ec2a6ed25318490bd27608d6077bf11e|9c0ac0b90217468aa4322649cd6ed297|0|0|636704626242706015|26|sdata=g3qlynktc59ma3fllqbbfs0uwnigsem1mwi/cdfotvu=|26|reserved=0"; http_uri; depth:250; isdataat:!1,relative; content:"na01.safelinks.protection.outlook.com"; http_host; depth:37; isdataat:!1,relative; metadata:created_at 2018_08_21; reference:url, urlhaus.abuse.ch/url/45633/; classtype:trojan-activity;sid:80908733; rev:1;)^M" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 1595

I thougt "Okay, maybe there's a problem with the list. Wait some days and check again." But the issue still exist.

I've found only one other topic in this forum with nearly the same issue, but this was still unsolved. So I'm wondering why nobody else have this problem.
Is this an issue of Spamhouse or maybe OPNsense?

Jas