Topics - JasMan

#1
Hi folks,

I noticed an increase of the CPU load during the last month, and during my investigations I also noticed a big jump of the CPU utilization between the 21st and 22nd of August 2024. I would suspect that the two have something to do with each other. (see attachment)

Unfortunately I didn't document what I changed during those days.
If it was an OPNsense update, it must be version 24.7.1 according to the timeline.

My CPU is an Intel Core i5-6200U Skylake-U Dual Core (4 Threads) 2.3 GHz with 16GB RAM.

Any ideas what could be the reason? The "top" output shows no processes with a high load.

Thank you.

Jas
#2
General Discussion / Unbound and new WAN IPv6 suffix
February 07, 2025, 05:18:52 PM
Hi,

I've configured static DHCPv6 leases for some of my IoT devices to be able to resolve the DNS name to their IPv6 address in my LAN.

When my provider gives me a new IPv6 suffix DHCPv6 distributes the new suffix to all clients correctly.
But Unbound does not update the DNS AAAA records with the new suffix. Unbound resolves the names to the previous IPv6 addresses until I restart Unbound.

I'm sure that this behaviour was already discussed in the past. But I can't find the discussion in the forum.

Have I missed a setting to force Unbound to reload when the WAN IP changes? Or what would be the best way to solve my little issue?

Jas
#3
I've issues with the new dashboard cards in 24.7.

The traffic graph is not continuous. It shows empty parts for 2-3 seconds at the end.
The CPU graph is completely empty.

I tried different browsers and users. Same issues.

I run a test version of OPNsense in Hyper-V, and the graphs are fine there.

Any ideas?
#4
Hey,

I rebooted my OPNsense 24.1.10_3 after I've moved it to another location.
Now I can't login anymore via SSH and WebGUI (Wrong username or password). I tried it with three different users with and without TOTP and also with different clients. The times on the clients and on OPNsense are correct.

Next strange thing: the internal network and services are working fine (NTP, DHCP, DNS). But I've no Internet access. Traceroute dies after the default gateway (OPNsense). All DNS queries for external names run into a SERVER_FAIL.
The WAN interface is up and reachable via ICMP.

Any ideas? I guess I need to reinstall OPNsense because I can't login. Or is there another way to import the latest backup?
#5
Hi,

For some months I've noticed that my OPNsense needs a long time until all services are fully up after a complete reboot (up to 10 minutes).
The other day I noticed the same behaviour when I restart the Zenarmor engine.

Today I found some time to dig into this.

When I restart the Zenarmor engine, several services like Unbound and NTP stop and start several times immediately after Zenarmor is up again.
The log shows a lot of the following errors for this range of time:

/usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on INTERFACE_NAME

When all calmed down, everything works fine.

I played around and found out that this issue is solved as soon as I choose the emulated netmap driver for Zenarmor.
The interfaces of my system are all Intel I211.

Is this an expected behaviour when the hardware/driver doesn't support the native netmap driver? Or did I configure something wrong?


Jas Man
#6
Hi,

I'm curious if there's a syntax for the log filters in OPNsense, or if I can filter for a single character / word / phrase only?

Currently I want to filter for today's warning messages in the dashboard system log widget to save space. Is it possible? I can't find any documentation about the filter syntax.

Jas Man
#7
Hi all,

I had an issue after my ISP changed the IPv6 prefix of my Internet line. None of my clients was able to establish an IPv6 connection.

I did a packet capture and noticed that my clients always received four DHCPv6 advertisements in response to their solicit. Three of them contained the previous IPv6 address with the old prefix. Only one contained the new address/prefix.

The clients requested the address of the first advertisement, which was always the old address. The request was (of course) denied by OPNsense, because of the wrong prefix (status code 13, NotOnLink). Result: no IPv6 connection.

I was wondering why the clients always got four advertisements. Then I noticed that the process list showed four DHCPv6 instances. That's the same number of enabled IPv6 interfaces on my OPNsense (one static, three with DHCP enabled).
I decided to disable IPv6 on one of the interfaces, and after that the clients received "only" three advertisements.

I'm pretty sure that this is a bug, because I see only one DHCPv4 instance for my five IPv4 interfaces. I guess that only one DHCPv6 instance was notified about the new prefix, and the other ones used the old one. After I rebooted OPNsense, all advertisements contained the new prefix/address.

If I'm right and this is a bug, I'm wondering why nobody else has noticed this before, because many users would then have the same issue after a prefix change.

I would like to be sure that this isn't a configuration issue. Therefore, could somebody please check if her/his OPNsense also has more than one DHCPv6 instance running if more than one interface uses IPv6? Would be great :-)

Thank you.
Jas

#8
Zenarmor (Sensei) / Issues since Update to 1.12
November 05, 2022, 12:48:21 PM
Hi there,

Since the update of Zenarmor to 1.12 I've had some strange issues after rebooting my OPNsense appliance:

- Wireguard tunnels don't come up
My WG tunnels are not coming up. When I do a packet capture, I see incoming and outgoing packets on the WG tunnels. But the outgoing packets all have 0.0.0.0 as source IP.

- Name queries for Zenarmor's rDNS are routed through the wrong interface
Zenarmor's PTR requests (for client names in the report), which should be sent to my internal DNS resolver 10.0.1.6, are routed through the WAN interface with destination 10.0.1.6. Therefore reverse lookup is not working anymore. But only for Zenarmor. For all other clients and servers in my network DNS is running fine.

I have to disable the "Start on boot" switch for packet inspection to solve both issues. When I start packet inspection manually after reboot, everything works fine.

Any ideas?
Thanks.

Jas Man
#9
Hey,
Since I've configured IPv6 on my OPNsense 22.7.4, the web GUI is sometimes not available.
According to the logs this happens after rc.newwanipv6 has run due to a connection change, and lighttpd is restarted (can't bind to socket: 127.0.0.1:443: Address already in use).

System.log
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="45"] plugins_configure vpn (,wan)
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="46"] plugins_configure vpn (execute task : ipsec_configure_do(,wan))
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="47"] plugins_configure vpn (execute task : openvpn_configure_do(,wan))
<11>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="48"] /usr/local/etc/rc.newwanipv6: Resyncing OpenVPN instances for interface WAN.
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="49"] plugins_configure newwanip (,wan)
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="50"] plugins_configure newwanip (execute task : dnsmasq_configure_do())
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="51"] plugins_configure newwanip (execute task : ntpd_configure_do())
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 35924 - [meta sequenceId="52"] plugins_configure newwanip (execute task : opendns_configure_do())
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 35924 - [meta sequenceId="53"] plugins_configure newwanip (execute task : openssh_configure_do(,wan))
<11>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="54"] /usr/local/etc/rc.newwanipv6: The command '/usr/local/sbin/ntpd -g -c '/var/etc/ntpd.conf'' returned exit code '1', the output was ''
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="55"] plugins_configure newwanip (execute task : opendns_configure_do())
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="56"] plugins_configure newwanip (execute task : openssh_configure_do(,wan))
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="57"] plugins_configure newwanip (execute task : unbound_configure_do(,wan))
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 35924 - [meta sequenceId="58"] plugins_configure newwanip (execute task : unbound_configure_do(,wan))
<13>1 2022-09-17T09:05:35+02:00 FIREWALLNAME php 68729 - [meta sequenceId="59"] plugins_configure newwanip (execute task : vxlan_configure_do())
<13>1 2022-09-17T09:05:35+02:00 FIREWALLNAME php 35924 - [meta sequenceId="60"] plugins_configure newwanip (execute task : vxlan_configure_do())
<13>1 2022-09-17T09:05:35+02:00 FIREWALLNAME php 68729 - [meta sequenceId="61"] plugins_configure newwanip (execute task : webgui_configure_do(,wan))
<13>1 2022-09-17T09:05:35+02:00 FIREWALLNAME php 35924 - [meta sequenceId="62"] plugins_configure newwanip (execute task : webgui_configure_do(,wan))
<11>1 2022-09-17T09:05:36+02:00 FIREWALLNAME php 35924 - [meta sequenceId="63"] /usr/local/etc/rc.newwanipv6: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2022-09-17 09:05:36: (network.c.540) can't bind to socket: 127.0.0.1:443: Address already in use'


WebGUI log
<27>1 2022-09-17T09:05:35+02:00 FIREWALLNAME lighttpd 67897 - [meta sequenceId="1"] (server.c.2097) server stopped by UID = 0 PID = 14049
<27>1 2022-09-17T09:05:36+02:00 FIREWALLNAME lighttpd 16538 - [meta sequenceId="2"] (server.c.1588) server started (lighttpd/1.4.66)
<27>1 2022-09-17T09:05:36+02:00 FIREWALLNAME lighttpd 16538 - [meta sequenceId="3"] (gw_backend.c.378) child signalled: 1
<27>1 2022-09-17T09:05:36+02:00 FIREWALLNAME lighttpd 16538 - [meta sequenceId="4"] (gw_backend.c.378) child signalled: 1
<27>1 2022-09-17T10:52:08+02:00 FIREWALLNAME lighttpd 16538 - [meta sequenceId="1"] (gw_backend.c.283) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-1: Connection refused
<27>1 2022-09-17T10:52:08+02:00 FIREWALLNAME lighttpd 16538 - [meta sequenceId="2"] (gw_backend.c.283) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: Connection refused
<27>1 2022-09-17T10:52:08+02:00 FIREWALLNAME lighttpd 16538 - [meta sequenceId="3"] (gw_backend.c.993) all handlers for /index.php? on .php are down.


A restart of the web GUI (/usr/local/etc/rc.restart_webgui) fails too. I have to kill and start the lighttpd process to restore it.
The web GUI is configured to listen on two interfaces only. Any thoughts what could be the issue here?

Jas
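An added example (my own code, not from the post or from OPNsense) that scans system-log lines of the form quoted above for a plugins_configure task executed by two different php PIDs within a few seconds; in the excerpt, PIDs 68729 and 35924 both run webgui_configure_do, and the second lighttpd start then fails to bind port 443. The sample lines are shortened from the post, and the regex assumes the RFC 5424 layout shown there.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, shortened from the post's excerpt; FIREWALLNAME is the
# poster's own placeholder for the hostname.
SAMPLE_LOG = """\
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="50"] plugins_configure newwanip (execute task : dnsmasq_configure_do())
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="51"] plugins_configure newwanip (execute task : ntpd_configure_do())
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 35924 - [meta sequenceId="52"] plugins_configure newwanip (execute task : opendns_configure_do())
<13>1 2022-09-17T09:05:34+02:00 FIREWALLNAME php 68729 - [meta sequenceId="55"] plugins_configure newwanip (execute task : opendns_configure_do())
<13>1 2022-09-17T09:05:35+02:00 FIREWALLNAME php 68729 - [meta sequenceId="61"] plugins_configure newwanip (execute task : webgui_configure_do(,wan))
<13>1 2022-09-17T09:05:35+02:00 FIREWALLNAME php 35924 - [meta sequenceId="62"] plugins_configure newwanip (execute task : webgui_configure_do(,wan))
<11>1 2022-09-17T09:05:36+02:00 FIREWALLNAME php 35924 - [meta sequenceId="63"] /usr/local/etc/rc.newwanipv6: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255'
"""

# One line: <pri>1 <timestamp> <host> php <pid> - [sd] plugins_configure <hook> (execute task : <task>(...))
LINE_RE = re.compile(
    r"^<\d+>1 (?P<ts>\S+) \S+ php (?P<pid>\d+) - \[[^\]]*\] "
    r"plugins_configure (?P<hook>\S+) \(execute task : (?P<task>[^(]+)\("
)


def parse_tasks(text):
    """Return (timestamp, pid, hook, task) for every plugins_configure task line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), int(m["pid"]),
                        m["hook"], m["task"].strip()))
    return out


def find_concurrent_tasks(text, window_seconds=5):
    """Map (hook, task) -> sorted PIDs for tasks that more than one PID ran
    within window_seconds of each other; an empty dict means no overlap."""
    runs = defaultdict(list)
    for ts, pid, hook, task in parse_tasks(text):
        runs[(hook, task)].append((ts, pid))
    overlaps = {}
    for key, entries in runs.items():
        entries.sort()
        for i, (ts_i, pid_i) in enumerate(entries):
            for ts_j, pid_j in entries[i + 1:]:
                if (ts_j - ts_i).total_seconds() > window_seconds:
                    break  # entries are time-ordered, later ones are farther away
                if pid_i != pid_j:
                    overlaps.setdefault(key, set()).update({pid_i, pid_j})
    return {k: sorted(v) for k, v in overlaps.items()}


if __name__ == "__main__":
    for (hook, task), pids in sorted(find_concurrent_tasks(SAMPLE_LOG).items()):
        print(f"{hook}: {task} was run by PIDs {pids} within a few seconds")
```

Feeding the full system log through this (instead of the sample) shows which hook fired twice; a second newwanip run for the same interface is the thing to look for before blaming lighttpd itself.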
#10
Hey,

I'm often looking onto the "Inspect" page of my firewall rules to check if a rule has been hit.
Now I noticed that the statistics get reset after a short time (1 or 2 hours). As far as I can remember the counters have never been reset in the past, only if I reloaded the rules.

Is this a new behaviour in 22.1?

Jas Man
#11
Hey,
I've connected two sites over a Wireguard VPN connection. There's an OPNsense at site A and an OpenWRT router at site B.
Everything works fine. Each site can reach the internal addresses of the other site over the WG tunnel.

Now I want to route a huge amount of external addresses from site A over the Internet connection of site B.

I've already tested it successfully with a single IP address. I've added the single IP address to the WG peer configuration on the OPNsense as allowed IP, created a FW rule for the traffic to this address and chose the WG gateway of site B as gateway.

But it's not very convenient for more than a few addresses, because I have to add them all to the WG peer configuration as allowed addresses.
So I added 0.0.0.0/0 instead, but then I've two default routes on the OPNsense and the WG route is preferred. All external traffic is routed to site B then.

Next try: I disabled the routes in the local WG configuration of the OPNsense to prevent routing entries for the WG tunnel allowed IP addresses. That works perfectly at site A. But in this case, site B is not able to reach the clients at site A anymore. The packet arrives at the host at site A, but the answer packets are routed back over the default route of site A, meaning to the Internet.

Did I miss something? Or what would be the preferred solution for my needs?

Thanks.
Jas Man
#12
Hi,
I noticed a recurring issue with the two processes "eastpect: Eastpect Instance 1 (eastpect){Eastpect Main Event}" and "eastpect: Eastpect Instance 2 (eastpect){Eastpect Main Event}". After some time both processes are producing 100% CPU load on two of four processors on my OPNsense appliance. I can only solve this by restarting Zensei or the whole appliance.

I've already found out that this occurs when Suricata has downloaded and installed the ET ruleset (https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz), which is updated daily.
But the issue does not occur every day. Sometimes it works for four or five days, and sometimes it happens on two or three consecutive days.

Has anybody noticed the same issue?
I've already opened a ticket at Sensei, but they don't know this issue.

Jas

EDIT: Changed the subject due to new findings
#13
Hi folks,

I've configured a DHCPv4 lease with static ARP entry containing the broadcast mac address ff:ff:ff:ff:ff:ff. I'm using this IP to send WoL packets from other subnets to reach all clients in this subnet.

Worked well for years. But now, I've no idea since when exactly, OPNsense doesn't reply to queries for this IP address.

I did a packet capture and the ARP queries are arriving on the right interface. But I can't see any response. Only when the clients request the gateway address, which is the OPNsense interface, can I see the responses.
Any idea?

EDIT: The ARP table of OPNsense contains the static ARP entry.
#14
Hey,

When I restart the Wireguard service, OPNsense is no longer able to resolve DNS names by itself. The LAN clients are all fine, only OPNsense can't resolve e.g. FQDN aliases.

Quote:
2021-05-23T12:21:01    unable to resolve download.qnap.com for alias WAN_QNAP_Download

I have to restart the appliance to resolve the issue.

I'm using Unbound as DNS resolver. It's listening on a loopback adapter, whose address I have configured in the DHCP DNS server options for the clients as well as in the general settings of OPNsense (System: Settings: General).

I can remember that there was a similar issue with OpenVPN, but I can't find the thread/issue on GitHub.

Any recommendations?

EDIT: Found out that saving the general settings of OPNsense again also solves the issue.
#15
Hey,

I'm often watching TV shows that I've recorded in the past and saved on my NAS as MPEG-2 files.
The playing device is a Dreambox (Linux based) in a different VLAN. The Dreambox uses SMB2 to play the file. The connection uses about 5 Mbit/s.

After approx. 30 minutes watching I get a warning from my OPNsense that the memory usage has reached 80% of 8 GB. The activity page shows that Suricata uses most of it. The memory usage continues to grow up to 97% as long as the episode plays. Then the SWAP usage starts to grow.
My OPNsense uses about 20% of the memory during normal operation.

I do not see any drops or alerts in the IDS/IPS logs regarding this connection. I can try to define an IP-to-IP exception in the user rules section to prevent it. But if it's a single rule which causes this behaviour, I would prefer to identify and disable this rule.
Is this normal behaviour? If not, how should I go about preventing this?

Current Suricata settings: Promiscuous & IPS modes are active. The pattern matcher is Hyperscan, and Suricata is only listening on the physical LAN interface. The home network subnets are entered.

Jas

EDIT: I'm not able to reproduce this issue by using iPerf3 to create a TCP connection with a constant bandwidth usage.
#16
Hey,

I've different VLANs in my LAN and Suricata is enabled in IPS mode on the physical interface to which all VLANs are mapped.

When I copy some big files from a host in VLAN1 to a host in VLAN2 via SMB, Suricata reaches 100% of the CPU time because it inspects the traffic of course. Due to the high CPU utilization the bandwidth of the copy job is much lower than without IDS/IPS enabled.

So I added two user defined pass rules for the hosts (from host 1 to host 2 and vice versa). The rules are matching, but the Suricata process still uses 100% of the CPU time during the copy job.

My question is: should the traffic bypass IDS/IPS completely when there's a pass rule for it? Or is the traffic still inspected by IDS/IPS, and the pass rule only overrides all alert/block rules that may match? The documentation of Suricata is not understandable for me on this point (https://suricata.readthedocs.io/en/suricata-4.1.2/performance/ignoring-traffic.html).
What would be the best way to fulfil my requirement?

Thanks.
Jas
#17
Hey,

I've separated all my IoT devices into a single VLAN.
The associated Android management app of one of the IoT devices uses multicasts to discover the device. Unfortunately the multicast packets from the app have a TTL of 1. My mobile phone is in another VLAN and therefore the packets are discarded before PIMD can forward them to the IoT VLAN.

What would be the best practice to handle this? Should I use iptables to mangle the TTL of the packets?

Jas
#18
Hey,

I have noticed that the Firewall states dump overview under

Firewall:Diagnostics:States Dump

shows a lot of connections that should have been closed a long time ago.
Example: I shut down my PC about 10 hours ago, and according to the state dump overview there are still over 140 established HTTP and HTTPS connections (only ESTABLISHED:ESTABLISHED, nothing else) to different destinations.

Did anybody else notice that issue? How can I prove that this is only a display issue?

Jas
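An added example (my own code, not from the post or from OPNsense) that summarises a state table in the text form of `pfctl -ss` per client host, so that established states held for a host you know is switched off stand out; the column layout is my assumption about FreeBSD's pfctl output (IPv4 only, no NAT translation column), and the sample lines are constructed.

```python
from collections import Counter

# Constructed sample in the layout 'pfctl -ss' prints on FreeBSD (assumed):
# <iface> <proto> <src:port> -> <dst:port> <state>. 10.0.1.20 stands for a
# PC that was switched off hours ago, 10.0.1.30 for a host that is still on.
SAMPLE_STATES = """\
all tcp 10.0.1.20:51234 -> 93.184.216.34:443   ESTABLISHED:ESTABLISHED
all tcp 10.0.1.20:51235 -> 93.184.216.34:80    ESTABLISHED:ESTABLISHED
all tcp 10.0.1.20:51236 -> 203.0.113.9:443     ESTABLISHED:ESTABLISHED
all tcp 10.0.1.20:51237 -> 203.0.113.9:443     FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.1.30:40001 -> 198.51.100.7:443    ESTABLISHED:ESTABLISHED
all udp 10.0.1.30:53000 -> 10.0.1.6:53         MULTIPLE:SINGLE
"""

ESTABLISHED = "ESTABLISHED:ESTABLISHED"


def parse_states(text):
    """Parse state lines into dicts; lines without a direction arrow are skipped.
    On '<-' lines the first address is the state's own side, not the client."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        arrow = next((i for i, tok in enumerate(t) if tok in ("->", "<-")), None)
        if arrow is None or len(t) < arrow + 3:
            continue
        src, _, sport = t[2].rpartition(":")
        dst, _, dport = t[arrow + 1].rpartition(":")
        rows.append({"iface": t[0], "proto": t[1], "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "state": t[-1]})
    return rows


def established_by_host(text, ports=(80, 443)):
    """Count fully established TCP states to the given ports per source host."""
    counts = Counter()
    for r in parse_states(text):
        if (r["proto"] == "tcp" and r["state"] == ESTABLISHED
                and r["dport"].isdigit() and int(r["dport"]) in ports):
            counts[r["src"]] += 1
    return dict(counts)


def stale_hosts(text, offline_hosts, ports=(80, 443)):
    """Hosts you know are powered off that still hold established web states."""
    counts = established_by_host(text, ports)
    return {h: counts[h] for h in offline_hosts if counts.get(h)}


if __name__ == "__main__":
    print(established_by_host(SAMPLE_STATES))
    print(stale_hosts(SAMPLE_STATES, ["10.0.1.20"]))
```

Running the same summary on real `pfctl -ss` output before and after the host goes offline shows whether the ESTABLISHED entries actually age out or only the GUI lags.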
#19
Hey,
I've a question regarding firewall rules, DNS and host aliases.

I would like to allow an internal host to talk to an external host. Therefore I created a host alias with the FQDN of the external host and added it to the firewall rule as destination.
The firewall did a DNS query for this external host alias and saved the resolved IP addresses to its pfTables.

Now the internal host tries to connect to the external host. It does a DNS query and gets different IP addresses than the firewall got for the host alias. This means the rule doesn't match, and the internal host is not able to connect to the external host.

I did some nslookups for the external host, and nearly every second query I got back different IP addresses.

What would be the best way to solve this? Should I create an alias with all the resolved IP addresses? I count over 20 different addresses.


Jas
#20
Hey,

I've an IPsec connection to the network of a friend of mine (192.168.0.0/24). He has a Raspi with Nextcloud (192.168.0.10) which I would like to use to back up my OPNsense config regularly.

But OPNsense can't reach this address. When I traceroute the destination raspi.fritz.box from the web interface, OPNsense sends this traffic to the WAN interface/Internet and not through the IPsec tunnel.

# /usr/sbin/traceroute -w 2 -n  -m '18'  'raspi.fritz.box'
traceroute to raspi.fritz.box (192.168.0.10), 18 hops max, 40 byte packets
1  10.0.224.1  1.122 ms  0.631 ms  0.628 ms
2  [WAN IP]  5.984 ms  5.896 ms  5.888 ms
3  * * *
4  * * *
5  * * *
....


From my LAN behind the OPNsense I can reach the Nextcloud client. So it's not a general routing issue.
Any ideas to solve this or for a workaround?

Thanks
Jas