Topics - binaryanomaly

1
23.7 Legacy Series / Feature suggestion: Persistence of interface assignments - after change
« on: January 15, 2024, 11:11:32 am »
Hi,

I ran into this problem quite a lot already, particularly when running opnsense as a VM and changing the underlying virtualized interfaces, which is, well, why you run it virtualized ;)

For explanation let's assume I have 4 interfaces, 1 passthrough physical, 3 virtual ones (vtnet0-2).
Now we remove vtnet1:

How opnsense behaves today:
- opnsense forgets all interface assignments and starts randomly assigning interfaces, similar to the initial setup
--> In many cases you end up with a totally unusable opnsense installation unless you boot into the console and start manual interface assignment again

How opnsense should imho behave:
- vtnet1 is removed, its assigned settings are deactivated (or removed, best if it's asked somewhere); the remaining interfaces remain assigned as they were
--> Like this one can deal with the specific changes only, but opnsense remains usable unless the core LAN interface was removed

Thanks for considering. Thought I'd write it down before I forget it again ;)

2
23.1 Legacy Series / OPNsense config file maintenance recommendation
« on: April 21, 2023, 12:54:10 pm »
I have an OPNsense installation that is now a bit older, ~2 years. I did some hardware changes and reconfigurations along the way.

Now I have the feeling that my config file probably accumulated quite some stuff that may not be ideal anymore.
On the other hand I'd want to avoid a time-consuming setup from scratch. OPNsense is a critical piece of my infrastructure and longer internet downtimes are socially not acceptable ;)

On the other hand, sometimes OPNsense config pages load slowly. In general they're fast, but sometimes they just keep loading, which leads me to believe some clean-up would be beneficial.

Manually cleaning out the config file seems to be a bit dangerous as well.

Any recommendations regarding low-risk OPNsense house-keeping? How does everybody do this?
Thx

3
General Discussion / Single host firewall rules in the age of IPv6 privacy extensions
« on: January 15, 2023, 11:36:14 am »
Hi,

I'm playing around with IPv6 and am starting to ask myself how I can work at all with firewall rules that are specific to a single host while privacy extensions are active.

Privacy extensions are probably wise to use so as not to expose too much information.

But it seems that I am losing the ability to, e.g., open up specific ports for single hosts when the IPv6 address is constantly changing.

Any thoughts / advice on this?

Thx

4
22.7 Legacy Series / Why does OPNsense report different CPU load than Proxmox
« on: September 17, 2022, 07:37:03 pm »
Hi,

I run OPNsense on Proxmox. With suricata enabled I max out at around 3 Gbps when testing; effectively it seems to be around 1.3 Gbps.

Looking for bottlenecks I discovered that
1. OPNsense reports a CPU usage of about 40%
2. Proxmox reports a CPU usage of >80%

This is a bit odd, since one must be wrong. Proxmox would indicate that the CPU is maxed out, whereas according to OPNsense there's plenty of CPU left.

I assume Proxmox reports the real figure. Why does OPNsense say something completely different?

5
General Discussion / [Solved] Add domain name lists as aliases for use in firewall rules
« on: June 27, 2022, 08:59:03 pm »
Hi,

Wouldn't it be nice if one could provide a list of domains to be blocked, such as DoH or adserver domains, as an alias to be blocked?

It seems to me that, functionally speaking, almost everything is there:
1. loading remote lists like "URL Tables (IPs)"
2. FQDNs can be added as "hosts" for blocking

But just not the combination of the above two, and maintaining FQDNs manually as aliases is cumbersome.
Wouldn't it be possible to combine both capabilities and allow fetching remote FQDN lists for blocking, or am I missing something?

I am aware that something similar could be achieved with suricata, proxy or DNS blocking, but none of them would be as practical and effective as being able to use FQDN lists in firewall rules.

Thoughts?


6
22.1 Legacy Series / Monitoring and analysing packet loss on OPNsense
« on: January 31, 2022, 11:50:27 am »
Hi,

For quite a while I have been experiencing occasional connection interruptions and can observe packet loss on OPNsense (not just since 22.1). I do suspect my ISP, but I don't have enough evidence to approach them yet.

I have already activated gateway monitoring. Interestingly, packet loss is displayed as 0.0% in System -> Gateways -> Single,
although Reporting -> Health -> Quality displays packet loss for the gateway.
Which one is correct?

How can I investigate this further in OPNsense?

Thanks

7
21.7 Legacy Series / iflib_netmap_config entries in dmesg
« on: July 24, 2021, 08:19:27 pm »
I'm seeing these in dmesg on 21.7:

Code:
055.723348 [ 853] iflib_netmap_config       txr 2 rxr 2 txd 2048 rxd 2048 rbufsz 2048

(did not appear on 21.1, only UP/DOWN)
which might be related to my SR-IOV NIC issues.
Would anyone know what it is and what it may be caused by?

Code:
ixv1: link state changed to DOWN
ixv1: link state changed to UP
ixv1: link state changed to DOWN
ixv1: link state changed to UP
ixv1: link state changed to DOWN
ixv1: link state changed to UP
055.451495 [ 853] iflib_netmap_config       txr 2 rxr 2 txd 2048 rxd 2048 rbufsz 2048
055.452924 [ 853] iflib_netmap_config       txr 2 rxr 2 txd 2048 rxd 2048 rbufsz 2048
ixv0: link state changed to DOWN
ixv0: link state changed to UP
055.723348 [ 853] iflib_netmap_config       txr 2 rxr 2 txd 2048 rxd 2048 rbufsz 2048
ixv0: link state changed to DOWN
ixv0: link state changed to UP

Edit:
What is the Intel driver version used in 21.7?
3.3.24 seems to be the most recent.

8
Tutorials and FAQs / Blocking malicious IPs with OPNsense and blacklists
« on: July 22, 2021, 08:20:31 pm »
Cross posting this here for better discoverability:

Blocking malicious IPs with OPNsense using spamhaus droplists and dshield_30_days is actually quite easy.

How it's done:
➡️ https://www.allthingstech.ch/blocking-malicious-ips-with-opnsense/

9
21.1 Legacy Series / SR-IOV with intel X550-T2 and OPNsense on Proxmox [solved]
« on: July 20, 2021, 07:42:41 pm »
Hi,

I'm having inconsistent to erratic behavior with OPNsense as a VM guest in combination with SR-IOV.
I have SR-IOV enabled on the Proxmox host and also for a Debian guest, the latter as a verification.
The throughput increase on OPNsense with suricata enabled is an impressive factor of 3-4, which makes SR-IOV worthwhile.

But the OPNsense guest sometimes doesn't want to run at all with the VF interface; sometimes it runs fine for hours and then the VF interface suddenly stops working for OPNsense, sometimes after a reboot or just out of the blue, for no obvious reason.

I have no clue what the cause of this inconsistent behavior is, and I do not see anything meaningful in the dmesg output, in /var/log/system.log or on the host, besides sudden link state changes of the VF interface in the guest VM only.

On the Debian guest, though, everything keeps running smoothly all the time, so the problem seems to be related only to the OPNsense guest.

Is this a known upstream FreeBSD issue, or should this work in general with OPNsense?
Where could I look for helpful log data? dmesg and system.log have not proven to be very helpful so far.

Thanks

Edit: Wrong forum, this is on 21.1

10
21.7 Legacy Series / Bug / feature request: Change of alias in use should trigger fw rule reload
« on: July 13, 2021, 06:28:49 pm »
A minor thing I observed and thought I'd report:

Current behavior
If you change an alias that is in use by a firewall rule, nothing happens and the change is not applied to the fw rule set.

Desired behavior
A change of an alias that is in use by a fw rule should trigger the fw rule reload notification so the users are aware that the change is not applied immediately and requires a reload of the ruleset.


11
21.1 Legacy Series / Firewall log proto/protoname to rule protocol mapping [solved]
« on: June 30, 2021, 09:40:22 am »
Hi,

In the live log I see that a connection gets blocked:
Code:
proto 0
protoname ip

Now I want to create a rule that allows this.
But there is no "ip"-only protocol I could select, nor a number "0", in the rule creation UI.

How can one translate the protocol mentioned in the log to the ones available for the rules?

Edit: As it does not appear in the logs at the moment, it seems that my guess of IPV6-ICMP may have been right, but how could I determine this without guessing?

12
Zenarmor (Sensei) / 10.0.0.1 Top remote host
« on: June 01, 2021, 10:35:54 pm »
Why does sensei think 10.0.0.1 is the top remote host?

It's the OPNsense LAN interface IP, gateway and local DNS resolver, and very obviously not a remote host?

13
General Discussion / What's your firewall rule / alias naming scheme
« on: May 26, 2021, 12:13:09 am »
As I'm just in the process of setting up everything from scratch again, I am thinking about how best to name the aliases and firewall rules in order to have an efficient and self-explanatory standard.

What is the alias and firewall rule naming scheme you guys use and why?

For aliases I'm thinking of something like

Code:
[Domain]_[Asset type]_[Name]

Domain = net, web, com, p2p, media, ...
Asset type = ip, network, port, ...
Name = Service or App name

and use nesting wherever it makes sense.

For rules I'm thinking of

Code:
[Origin] to [Target] [Service or App] [allow/deny]

Does this make sense?
Would you recommend something else, why?

Bonus question: Would you recommend using interface groups even if there's only 1 interface?

14
Zenarmor (Sensei) / Speedtests Sensei and Suricata
« on: May 13, 2021, 07:59:34 am »
Hi,

Just wanted to share my speed test results to see if folks here observe similar behaviour.
VM-to-VM, Suricata using the Hyperscan pattern matcher with ET Pro Telemetry rules, speedtest-cli (Ookla).

  • Suricata only ~8 Gbps
  • Sensei only ~4.7 Gbps
  • Suricata plus Sensei ~3 Gbps

The speed decrease when using Suricata and Sensei together is quite significant.
Anything one can do about this?

Detailed test results:

Suricata❌, Sensei❌
Code:
    Latency:     1.90 ms   (0.49 ms jitter)
   Download:  8047.50 Mbps (data used: 4.0 GB)
     Upload:  7408.12 Mbps (data used: 8.7 GB)

Suricata✅, Sensei❌
Code:
    Latency:     1.49 ms   (0.19 ms jitter)
   Download:  8036.28 Mbps (data used: 5.6 GB)
     Upload:  7309.16 Mbps (data used: 8.9 GB)

Suricata❌, Sensei✅
Code:
    Latency:     2.84 ms   (0.19 ms jitter)
   Download:  4705.11 Mbps (data used: 7.4 GB)
     Upload:  5264.34 Mbps (data used: 6.4 GB)

Suricata✅, Sensei✅
Code:
    Latency:     2.92 ms   (0.28 ms jitter)
   Download:  2819.69 Mbps (data used: 3.0 GB)
     Upload:  1090.61 Mbps (data used: 670.7 MB)

15
21.1 Legacy Series / 21.1.5 Suricata broken (partially solved)
« on: May 04, 2021, 07:12:47 pm »
Hi,

Are there any known issues with suricata since 21.1.5?

Code:
2021-05-04T17:37:14 suricata[80991] [100697] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:vtnet1/R failed: Invalid argument
2021-05-04T17:36:42 suricata[38241] [100229] <Notice> -- This is Suricata version 5.0.6 RELEASE running in SYSTEM mode

It doesn't want to run here?
Also hyperscan is broken, but that seems to be a known issue?


OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved