Topics - binaryanomaly

#1
Hi,

I have run into this problem quite a lot already, particularly when running OPNsense as a VM and when changing the underlying virtualized interfaces, which is, well, why you run it virtualized ;)

For explanation, let's assume I have 4 interfaces: 1 passthrough physical one and 3 virtual ones (vtnet0-2).
Now we remove vtnet1.

How OPNsense behaves today:
- OPNsense forgets all interface assignments and starts randomly assigning interfaces, similar to the initial setup
--> In many cases you end up with a totally unusable OPNsense installation unless you boot into the console and start the manual interface assignment again

How OPNsense should imho behave:
- vtnet1 is removed, its assigned settings are deactivated (or removed; best if it's asked somewhere), and the remaining interfaces remain assigned as they were
--> Like this one can deal with the specific changes only, but OPNsense remains usable unless the core LAN interface was removed

Thanks for considering. Thought I'd write it down before I forget it again ;)
#2
I have an OPNsense installation that is now a bit older, ~2 years. I did some hardware changes and reconfigurations along the way.

Now I have the feeling that my config file has probably accumulated quite some stuff that may not be ideal anymore.
On the other hand I'd want to avoid a time-consuming setup from scratch. OPNsense is a critical piece of my infrastructure and longer internet downtimes are socially not acceptable ;)

Also, sometimes OPNsense config pages load slowly. In general they're fast, but sometimes they just keep loading, which leads me to believe some clean-up would be beneficial.

Manually cleaning out the config file seems to be a bit dangerous as well.

Any recommendations regarding low-risk OPNsense housekeeping? How does everybody do this?
Thx
#3
Hi,

I'm playing around with IPv6 and started asking myself how I can work at all with firewall rules that are specific to a single host while privacy extensions are active.

Privacy extensions are probably wise to use to not expose too much information.

But it seems that I am losing the ability to e.g. open up specific ports for single hosts when the IPv6 address is constantly changing.

Any thoughts / advice on this?

Thx
#4
Hi,

I run OPNsense on Proxmox. With Suricata enabled I max out at around 3 Gbps when testing; effectively it seems to be around 1.3 Gbps.

Looking for bottlenecks, I discovered that:
1. OPNsense reports a CPU usage of about 40%
2. Proxmox reports a CPU usage of >80%

This is a bit odd, since one of them must be wrong. Proxmox would indicate that the CPU is maxed out, whereas according to OPNsense there's plenty of CPU left.

I assume Proxmox reports the real figure. Why does OPNsense say something completely different?
#5
Hi,

Wouldn't it be nice if one could provide a list of domains, such as DoH or ad server domains, as an alias to be blocked?

It seems to me that, functionally speaking, almost everything is there:
1. loading remote lists like "URL Tables (IPs)"
2. FQDNs can be added as "hosts" for blocking

But just not the combination of the above two, and maintaining FQDNs manually as aliases is cumbersome.
Wouldn't it be possible to combine both capabilities and allow fetching remote FQDN lists for blocking, or am I missing something?

I am aware that something similar could be achieved with Suricata, the proxy or DNS blocking, but none of them would be as practical and effective as being able to use FQDN lists in firewall rules.

Thoughts?

#6
Hi,

For quite a while I have been experiencing occasional connection interruptions and can observe packet loss on OPNsense (not just since 22.1). I do suspect my ISP, but I don't have enough evidence to approach them yet.

I have already activated gateway monitoring. Interestingly, packet loss is displayed as 0.0% in System -> Gateways -> Single,
although Reporting -> Health -> Quality displays packet loss for the gateway.
Which one is correct?

How can I investigate this further in OPNsense?

Thanks
#7
I'm seeing these in dmesg on 21.7:


055.723348 [ 853] iflib_netmap_config       txr 2 rxr 2 txd 2048 rxd 2048 rbufsz 2048


(did not appear on 21.1, only UP/DOWN)
which might be related to my SR-IOV NIC issues.
Would anyone know what it is and what it may be caused by?


ixv1: link state changed to DOWN
ixv1: link state changed to UP
ixv1: link state changed to DOWN
ixv1: link state changed to UP
ixv1: link state changed to DOWN
ixv1: link state changed to UP
055.451495 [ 853] iflib_netmap_config       txr 2 rxr 2 txd 2048 rxd 2048 rbufsz 2048
055.452924 [ 853] iflib_netmap_config       txr 2 rxr 2 txd 2048 rxd 2048 rbufsz 2048
ixv0: link state changed to DOWN
ixv0: link state changed to UP
055.723348 [ 853] iflib_netmap_config       txr 2 rxr 2 txd 2048 rxd 2048 rbufsz 2048
ixv0: link state changed to DOWN
ixv0: link state changed to UP


Edit:
What is the Intel driver version used in 21.7?
3.3.24 seems to be the most recent.
#8
Cross-posting this here for better discoverability:

Blocking malicious IPs with OPNsense using the Spamhaus DROP lists and dshield_30_days is actually quite easy.

How it's done:
➡️ https://www.allthingstech.ch/blocking-malicious-ips-with-opnsense/
#9
Hi,

I'm having inconsistent to erratic behavior with OPNsense as a VM guest in combination with SR-IOV.
I have SR-IOV enabled on the Proxmox host and also for a Debian guest, the latter as a verification.
The throughput increase on OPNsense with Suricata enabled is an impressive factor of 3-4, which makes SR-IOV worthwhile.

But the OPNsense guest sometimes doesn't want to run at all with the VF interface; sometimes it runs fine for hours and then the VF interface suddenly stops working for OPNsense, sometimes after a reboot or just out of the blue, for no obvious reason.

I have no clue what the cause of this inconsistent behavior is, and I do not see anything meaningful in the dmesg output, in /var/log/system.log or on the host, besides sudden link state changes of the VF interface in the guest VM only.

On the Debian guest, though, everything keeps running smoothly all the time, so the problem seems to be related only to the OPNsense guest.

Is this a known upstream FreeBSD issue, or should this work in general with OPNsense?
Where could I look for helpful log data? dmesg and system.log have not proven to be very helpful so far.

Thanks

Edit: Wrong forum, this is on 21.1
#10
A minor thing I observed and thought I'd report:

Current behavior:
If you change an alias that is in use by a firewall rule, nothing happens and the change is not applied to the firewall rule set.

Desired behavior:
A change to an alias that is in use by a firewall rule should trigger the firewall rule reload notification, so that users are aware that the change is not applied immediately and requires a reload of the ruleset.

#11
Hi,

In the live log I see that a connection gets blocked:

proto 0
protoname ip


Now I want to create a rule that allows this.
But I have no "ip"-only protocol I could select, nor a number "0", in the rule creation UI.

How can one translate the protocol mentioned in the log to the ones available for the rules?

Edit: As it does not appear in the logs at the moment, it seems that my guess of IPv6-ICMP may have been right. But how could I determine this without guessing?
#12
Zenarmor (Sensei) / 10.0.0.1 Top remote host
June 01, 2021, 10:35:54 PM
Why does Sensei think 10.0.0.1 is the top remote host?

It's the OPNsense LAN interface IP, gateway, local DNS resolver and very obviously not a remote host?
#13
As I'm just in the process of setting up everything from scratch again, I am thinking about how to best name the aliases and firewall rules in order to have an efficient and self-explanatory standard.

What is the alias and firewall rule naming scheme you guys use and why?

For aliases I'm thinking of something like


[Domain]_[Asset type]_[Name]

Domain = net, web, com, p2p, media, ...
Asset type = ip, network, port, ...
Name = Service or App name


and use nesting wherever it makes sense.

For rules I'm thinking of


[Origin] to [Target] [Service or App] [allow/deny]


Does this make sense?
Would you recommend something else, why?

Bonus question: Would you recommend using interface groups even if there's only one interface?
#14
Hi,

Just wanted to share my speedtest results to see if folks here observe similar behaviour.
VM-to-VM, Suricata using the Hyperscan pattern matcher with ET Pro Telemetry rules, speedtest-cli (Ookla).


  • Suricata only ~8 Gbps
  • Sensei only ~4.7 Gbps
  • Suricata plus Sensei ~3 Gbps

The speed decrease when using Suricata and Sensei together is quite significant.
Anything one can do about this?




Detailed test results:

Suricata❌, Sensei❌

    Latency:     1.90 ms   (0.49 ms jitter)
   Download:  8047.50 Mbps (data used: 4.0 GB)
     Upload:  7408.12 Mbps (data used: 8.7 GB)


Suricata✅, Sensei❌

    Latency:     1.49 ms   (0.19 ms jitter)
   Download:  8036.28 Mbps (data used: 5.6 GB)
     Upload:  7309.16 Mbps (data used: 8.9 GB)


Suricata❌, Sensei✅

    Latency:     2.84 ms   (0.19 ms jitter)
   Download:  4705.11 Mbps (data used: 7.4 GB)
     Upload:  5264.34 Mbps (data used: 6.4 GB)


Suricata✅, Sensei✅

    Latency:     2.92 ms   (0.28 ms jitter)
   Download:  2819.69 Mbps (data used: 3.0 GB)
     Upload:  1090.61 Mbps (data used: 670.7 MB)

#15
Hi,

Are there any known issues with Suricata since 21.1.5?


2021-05-04T17:37:14 suricata[80991] [100697] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:vtnet1/R failed: Invalid argument
2021-05-04T17:36:42 suricata[38241] [100229] <Notice> -- This is Suricata version 5.0.6 RELEASE running in SYSTEM mode


It doesn't want to run here?
Also Hyperscan is broken, but that seems to be a known issue?

#16
Hi,

I'm somewhat lost with getting "Call of Duty - Modern Warfare Multiplayer" to work.

Has someone managed to get it working and would be so kind as to share the details?

I'm stuck with "NAT Type: Strict" and the game even fails to connect to the server.

Thanks
-b

#17
Hi,

I'm experiencing interesting behaviour on same-sized VMs with similar setups:
- Suricata enabled on WAN
- Sensei enabled on LAN

20.1
   Download:  2024.22 Mbps (data used: 3.0 GB)
     Upload:  1468.70 Mbps (data used: 1.3 GB)


20.7
   Download:   567.38 Mbps (data used: 683.8 MB)
     Upload:   603.91 Mbps (data used: 391.8 MB)


20.7 seems 4 times slower?
Any ideas why that could be the case?
#18
Hi,

How are interfaces configured the right way from the CLI?
I recently changed the NICs on my VM, which caused the interface auto-assignment to kick in and configure my interfaces wrongly.

How can I properly configure them again from the CLI?
Is there a way to invoke the original script from the installer to do that?

I only managed to set the IP manually via ifconfig and could then luckily connect to the web UI again.
I guess there must be a better way, but I haven't found one.
#19
What causes this?

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0xa
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80a790d2
stack pointer         = 0x0:0xfffffe0228dbf8e0
frame pointer         = 0x0:0xfffffe0228dbf9a0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (irq260: virtio_pci1)


OPNsense failed hard. I had to reboot it twice.

This is on a VM. Everything else on the host was fine.
#20
Hi,

Is anyone using KVM and can share experiences regarding configuration and performance?

I wasn't able to get it running on Q35/UEFI, which would probably result in another performance boost.

Current KVM VM setup:
- i440FX UEFI
- VirtIO Disk
- VirtIO NICs

VM sizing:
- 4 vCPUs
- 8 GB RAM

With this I'm able to get around 2 Gbps throughput with Suricata and Sensei enabled.

Any recommendations / experiences regarding KVM to share?
Does someone know which NICs perform best with OPNsense: VirtIO, e1000 or rtl8139?
Has anyone managed to get Q35/UEFI running with OPNsense?

Thx