OPNsense
Topics - opnsense-user123

1
24.1 Legacy Series / Firewall 1:1 Nat rule auto upgrade seems wrong
« on: July 03, 2024, 04:15:14 pm »
Hello:

I'm not sure why I noticed this between the 2nd and 3rd of July, as I thought I did the updates earlier. But there was a recent update that changed the syntax of my 1:1 NAT rules. There seems to be a mistake in the destination: it was previously set to ANY, but the auto-update changed it to be the same as the source IP. Here's the before and after for one of them:

Code: [Select]
-    <onetoone>
-      <external>81.xxx.xxx.xxx</external>
-      <category/>
-      <descr>1:1 Nat for 3cx machine on lan</descr>
-      <interface>wan</interface>
-      <type>binat</type>
-      <source>
-        <address>192.168.1.10</address>
-      </source>
-      <destination>
-        <any>1</any>
-      </destination>
-    </onetoone>

Code: [Select]
+        <onetoone>
+          <rule uuid="362ae75b-xxxx-xxxx-a050-0a98fb27c888">
+            <enabled>1</enabled>
+            <log>0</log>
+            <sequence>1</sequence>
+            <interface>wan</interface>
+            <type>binat</type>
+            <source_net>192.168.1.10/32</source_net>
+            <source_not>0</source_not>
+            <destination_net>192.168.1.10/32</destination_net>
+            <destination_not>0</destination_not>
+            <external>81.xxx.xxx.xxx</external>
+            <natreflection/>
+            <categories/>
+            <description>1:1 Nat for 3cx machine on lan</description>
+          </rule>
+        </onetoone>
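Review bot: the migrated `<destination_net>` on the `+` side is `192.168.1.10/32`, identical to `<source_net>`, whereas the removed entry had `<destination><any>1</any></destination>`; a legacy `<any>` destination should map to an unrestricted ("any") destination rather than reusing the source address. The remaining legacy fields (`external`, `interface`, `type`, `descr`) are carried over consistently.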

I had to manually modify the rule to change the destination back to ANY. I may have had to change the nat reflection setting also, but not sure as my debugging was not the most rigorous. Just letting you know that it seems like your script to update my rules needs a tweak. Thanks.
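As an added illustration (not OPNsense's own upgrade script), a small Python model of the legacy-to-new 1:1 NAT conversion that maps a legacy `<any>` destination correctly, plus a check that flags migrated rules whose destination equals the source host. The sample XML is constructed from the blocks in the post, and the use of `any` as a `*_net` value is an assumption.

```python
# Illustrative migration of a legacy OPNsense 1:1 NAT (binat) entry to the
# <rule> layout shown in the post. Assumption: this is NOT the project's own
# upgrade script, and "any" as a *_net value is assumed to be accepted.
import uuid
import xml.etree.ElementTree as ET
# Constructed samples modelled on the post's "before" and "after" blocks.
LEGACY_XML = """<onetoone>
  <external>81.xxx.xxx.xxx</external>
  <category/>
  <descr>1:1 Nat for 3cx machine on lan</descr>
  <interface>wan</interface>
  <type>binat</type>
  <source><address>192.168.1.10</address></source>
  <destination><any>1</any></destination>
</onetoone>"""

UPGRADED_XML = """<onetoone>
  <rule uuid="362ae75b-xxxx-xxxx-a050-0a98fb27c888">
    <source_net>192.168.1.10/32</source_net>
    <destination_net>192.168.1.10/32</destination_net>
  </rule>
</onetoone>"""

def _net(node):
    """Map a legacy <source>/<destination> element to a *_net value."""
    if node is None or node.find("any") is not None:
        return "any"          # the case the reported upgrade mishandled
    addr = node.findtext("address", "").strip()
    # A bare host address becomes /32; an explicit CIDR is kept as given.
    return addr if "/" in addr else f"{addr}/32"

def migrate_onetoone(legacy_xml, seq=1):
    """Return the new-style rule as a dict of field name -> value."""
    old = ET.fromstring(legacy_xml)
    return {
        "uuid": str(uuid.uuid4()),
        "enabled": "1", "log": "0", "sequence": str(seq),
        "interface": old.findtext("interface", ""),
        "type": old.findtext("type", "binat"),
        "source_net": _net(old.find("source")), "source_not": "0",
        "destination_net": _net(old.find("destination")), "destination_not": "0",
        "external": old.findtext("external", ""),
        "natreflection": "", "categories": "",
        "description": old.findtext("descr", ""),
    }

def suspicious_rules(config_xml):
    """Return uuids of rules whose destination collapsed onto the source host."""
    root = ET.fromstring(config_xml)
    return [r.get("uuid") for r in root.iter("rule")
            if r.findtext("destination_net") == r.findtext("source_net")]
```

Running `suspicious_rules` over an upgraded config.xml is a quick way to find every 1:1 rule that needs its destination set back to any.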

2
23.1 Legacy Series / IPv6 can't ping from WAN and other problems
« on: March 16, 2023, 09:37:47 pm »
Hello:

I think someone is just going to know the answer once I state the problem. I have a PPPoE connection which requires (not sure why) static config for IPv6. The ISP (Andrews and Arnold in UK) gave me an IPv6 WAN IP to use, through which they will route my actual v6 IP block (a /48 and a /64 within that). The WAN IP is not in my /48 or /64. I may well have an incorrect network prefix set somewhere. Everywhere I have defined an address I used /64, except the WAN IP; since it was not in my /64 or /48, I came up with /96, which was at least accepted by OPNsense.

On IPv4, the WAN IP and gateway come up fine automatically on the PPPoE interface. I have then put the IPv6 WAN IP they gave me (/96) on the PPPoE Interface (v6 Static address) and a gateway comes up automatically.

With this setting, when I try to ping6 to a host, I cannot do it from the default interface (WAN). But if I ping with source address of one of my LAN IPv6 addresses (I have three LANs, and statically assigned an IP within my /64 block to each) I can ping.

I wouldn't care about that, but I seem to be having other issues also. Like, only from one of my LANs am I able to communicate on IPv6 (a mac and a linux desktop on wifi through that LAN work fine) but on another LAN I cannot communicate even though the computer has a real IPv6 address (2001:etc) and can do IPv6 dns lookups.

Any suggestions?

What additional info should I show you?

The failed ping does attempt to work, does not show an error, but gets no replies.

Code: [Select]
# ping6 -v google.com
PING6(56=40+8+8 bytes) 2001:xxx:ffff:4d8:xxx --> 2a00:1450:4009:820::200e
(where that masked source address is the WAN IP the ISP gave me to use.)

Actually, now I see if I keep pinging longer in verbose I see some messages about Neighbor Solicitation and Neighbor Advertisement and Router Advertisement from other interfaces on my system.

Thanks!

3
23.1 Legacy Series / [SOLVED] PPPoE gets wrong IP
« on: March 13, 2023, 06:33:34 pm »
Hello:

I'm on an Andrews & Arnold (UK) fibre connection (uses BT backhaul). I have a connection with a certain static WAN IP but also have a routed /29. When OPNsense brings up the PPPoE connection it uses the first routable IP of the /29 as its WAN IP address. This, and the other usable IPs, are mapped as virtual IPs over the PPPoE/WAN interface. This results in nothing working, unsurprisingly. I do have a dummy WAN interface (not PPPoE); I could perhaps try mapping the virtual IPs over that interface.

When I connect my Mac computer directly to the fibre ONT and bring up the PPPoE connection, it gets the correct WAN IP every time.

I recall there used to be a function to REJECT certain IPs as the PPPoE 'leased' IP which might work, but I can't find that option anymore. Also, if I could assign a static IP to the PPPoE connection that would be fine, as it won't change. But when I type that into the advanced PPPoE options in OPNsense, it will start working, but the setting does not stick, just disappears, and the problem will recur.

If I manually bring down and up the PPPoE connection one to two times, it will sort itself out and get the right WAN IP like the Mac did.

What can I do? Thanks.

4
Virtual private networks / wireguard road warrior setup docs problem
« on: April 18, 2021, 06:43:30 pm »
I could not get opnsense to act as my wireguard vpn host/server by following the official docs.

At some point I was just trying anything I could think of, and it's possible that I had not restarted the service after changing something else. But, the last thing I changed that made it work was to specifically add the port for the endpoint.

https://docs.opnsense.org/manual/how-tos/wireguard-client.html says, about configuring the endpoint(s):

Endpoint Port  (empty)  Not required for inbound connections - dynamic

I put the default port (51820) I was using in there and it started working. Before that I could get the connection to come up from a remote endpoint but no traffic would pass.

Again, perhaps I'm wrong and it was something else I initially set wrong then fixed and had not restarted the service yet.

5
17.7 Legacy Series / Netflow CPU usage question
« on: January 05, 2018, 02:48:46 pm »
Hello ... I noticed that if I have netflow set to capture to localhost, on my machine that means about every 15 seconds a Python2.7 process uses 100% cpu (of one core that is) for about 3 seconds. If I turn off 'Capture local' this stops.

My question is, if I set up a VM on another computer on my LAN and have that machine be the 'Destination' for the netflow capture, will that reduce significantly or eliminate that CPU usage? I guess this high CPU use is during the process of writing the cached data for the past 15 seconds to disk and thus the answer will be Yes.

Secondly, can you recommend a software package that is libre and free ($) I could set up on a VM to store the netflow data and also draw pretty graphs like OPNsense does?

Thanks.

6
17.7 Legacy Series / how to further tweak Suricata
« on: January 03, 2018, 11:33:18 pm »
Hello:

My hardware is quad core AMD GX-412TC (https://www.pcengines.ch/apu2.htm) and Suricata is killing it. My WAN is about 20 up 200 down, I run a wired LAN and Wifi LAN on separate private IP subnets. I also run traffic shaper and local netflow.

I have removed all rules from Suricata except country blocking and still it cannot handle 200 megabits of traffic, especially if it is multiple streams. Suricata process goes over 300%. I have already changed to hyperscan.

I wanted to try a few things to improve it, but there are no switches to do it in the GUI, and if I hand-modify /usr/local/etc/suricata/suricata.yaml I'm not sure it is being applied, but even if so, it is gone after a reboot.

I wanted to try:

Code: [Select]
detect-engine:
  - profile: high  # it is set to medium; high would use more RAM to save some CPU, I have 4GB of RAM

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      no-reassemble: yes  # remove the comment marker here so it IS set to no-reassemble: yes

This second one is supposed to make it ignore the contents of an encrypted stream after the handshake, which seems like a good idea to me, especially if CPU challenged. From the docs:

Quote
If no-reassemble is set to true, all processing of this session is stopped. No further parsing and inspection happens. If bypass is enabled this will lead to the flow being bypassed, either inside Suricata or by the capture method if it supports it.

If no-reassemble is set to false, which is the default, Suricata will continue to track the SSL/TLS session. Inspection will be limited, as content inspection will still be disabled. There is no point in doing pattern matching on traffic known to be encrypted. Inspection for (encrypted) Heartbleed and other protocol anomalies still happens.

Finally I wanted to try to add a PASS rule so that Suricata will not inspect traffic to/from my own personal server so at least there I can get my full bandwidth for file transfers. When I created that rule in the config files it did not seem to work and was gone after a reboot. The GUI is limited in the creation of user rules -- it seems to only let me create the country-blocker rule there. Would be great if I could create any type of rule, including this PASS rule I want to try.

Thanks for any help.

7
General Discussion / help with getting rules to block not just Alert
« on: December 30, 2017, 06:04:41 pm »
Hello:

I tried to enable some intrusion prevention by following this guide: https://wiki.opnsense.org/manual/how-tos/ips-feodo.html

I believe I followed the steps correctly, including changing the default behavior 'change all alerts to drop actions' which I saved and updated. But when I look at the rules they still show the Action is Alert and under 'Alerts' I saw this which seems to indicate (though I'm not sure) a matched rule caused an alert not a block:

Code: [Select]
2017-12-30T16:22:00.512712+0000 allowed wan [redacted]  65264 69.192.76.62 443 SURICATA STREAM excessive retransmissions
It would be kind of tedious to switch all 3000 rules to block manually. Thanks for any help.

8
General Discussion / Suggestion - use rule label not just number
« on: December 30, 2017, 05:40:05 pm »
Hello:

When perusing the firewall logs I like to know (in certain cases) what rule caused a pass or a block action, so I found the setting where I could choose to have that displayed as a second line (the other option was in a column). Now when I go to the firewall log, normal view, I see the pass or block line as usual and a new line just below that which says something like:

Code: [Select]
@9
and that's it. A whole line dedicated to that rule number. But how do I know what that rule number refers to? I googled up a way, login to opnsense on the command line, switch to root, and enter the command:

Code: [Select]
pfctl -vvsr
then scroll through and find the number, or grep for it I suppose. You might find a line like:

Code: [Select]
@79 pass in quick on igb1 inet from (igb1:network:1) to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
In my opinion, this is not the best way for a system which does provide a GUI like opnsense!

I suggest you use the large amount of space available on that line after the @(rule-number) to parse the LABEL and show it to the user there in GUI.

Is this an appropriate place to suggest / request this improvement, or should I also post elsewhere? Thanks.
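As an added illustration (not OPNsense's own code), a small Python script that does the lookup the post describes by hand: it parses `pfctl -vvsr` output into a rule-number to label map and annotates a bare `@N` log reference with the rule's action and label. The sample pfctl output is constructed from the line in the post; the label for `@9` is invented for the sample.

```python
# Added example: map pf rule numbers from `pfctl -vvsr` to their labels and
# annotate the bare "@N" line the firewall log shows. Not OPNsense's code.
import re

# Constructed sample of `pfctl -vvsr` output (the "[ Evaluations ... ]" lines
# are the per-rule statistics pf prints at -vv). The @9 label is invented.
PFCTL_OUTPUT = """@9 block drop in log quick on igb0 inet from any to any label "USER_RULE: block bogons"
  [ Evaluations: 12        Packets: 4         Bytes: 320         States: 0     ]
@79 pass in quick on igb1 inet from (igb1:network:1) to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
  [ Evaluations: 5         Packets: 2         Bytes: 160         States: 1     ]
"""

# "@<n> <rule body>" optionally ending in: label "<text>"
RULE_RE = re.compile(r'^@(\d+)\s+(.*?)(?:\s+label\s+"([^"]*)")?\s*$')

def parse_pfctl_rules(text):
    """Return {rule_number: (action, label)}; label is None when absent."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue          # statistics lines and anything else are skipped
        number, body, label = m.groups()
        rules[int(number)] = (body.split()[0], label)   # first word is pass/block/match
    return rules

def annotate(log_ref, rules):
    """Expand a log line such as '@9' to '@9 block "USER_RULE: ..."'."""
    ref = log_ref.strip()
    m = re.fullmatch(r"@(\d+)", ref)
    if not m or int(m.group(1)) not in rules:
        return f"{ref} (rule not found)"
    action, label = rules[int(m.group(1))]
    return f'{ref} {action} "{label}"' if label else f"{ref} {action} (no label)"

if __name__ == "__main__":
    table = parse_pfctl_rules(PFCTL_OUTPUT)
    for ref in ("@9", "@79", "@123"):
        print(annotate(ref, table))
```

Rule numbers shift whenever the ruleset is reloaded, so the map has to be rebuilt from the current `pfctl -vvsr` output each time it is used.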

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved