Topics - JohnnyBeee

#1
OPNsense 24.7.4_1-amd64
FreeBSD 14.1-RELEASE-p4
OpenSSL 3.0.15
os-dnscrypt-proxy (misconfigured)   1.15_1

Problem:
Since some time after one of the upgrades from 24.1 to 24.7 (not sure at what point exactly), the DNSCrypt-Proxy logs no longer show. The GUI just shows "Loading..."

- Logs are created and properly updated in /var/log/dnscrypt-proxy, but no longer show in the OPNsense GUI (Services, dnscrypt-proxy, Log/General, Log/Queries or Log/NX).
- System, Firmware, Log File also no longer shows any log entries!!!!
- System, Log Files, xxx shows logs as expected.

I'd be grateful for any suggestion helping me to solve this and see the logs again.
#2
23.7 Legacy Series / netmap buf size >= 4096 required?
September 02, 2023, 04:06:35 AM
In the system log I see the following message:
Notice   kernel   518.293049 [2226] netmap_buf_size_validate error: using NS_MOREFRAG on igb0 requires netmap buf size >= 4096

Could anybody enlighten me as to what that means?
How, if required, would I set the netmap buf size to >= 4096?

Thanks for any help.
#3
OPNsense 23.7.3-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023
Hi guys.

I don't know since when, possibly since a recent firmware upgrade, but Suricata stops all the time, after displaying quite a few warnings, with this error:
[100549] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:igb0-0/R@conf:host-rings=2 failed: Invalid argument

Note: I tried attaching Suricata to igb1 and the problem is the same.
There is no interface igb0-0. The WAN interface is igb0 and I have not changed anything since it worked last (possibly just a firmware upgrade).

Suricata worked perfectly before! - Until Aug 6 at least
Health Audit is fine.

Any ideas what could be wrong and how to fix this?

Thanks for any help.
#4
Two disabled servers appeared mysteriously in the DNSCRYPT-PROXY configuration (Disabled Servers List):
"replaceAll" and "resolve"
They appeared in that field without me adding them.
"replaceAll" seemed to have appeared after I configured servers in the Relay List.

Does anybody know what these servers are and why they appear?
#5
Hi folks.
I use reverse DNS, aka "Lookup hostnames", extensively to find out quickly if a potential attacker connected to my email server. - No FQDN = likely an attacker.

But yesterday I looked at the list and found that only the IPs at the top of the list were resolved. It looked like the backwards resolution only worked from the moment I checked "Lookup hostnames".
I tried a few times to uncheck/check that. At some point only a few IPs were resolved, it seemed random. And now NO IPs AT ALL are resolved!  :o

I use DNSCrypt-Proxy and only DNSCrypt-Proxy, for all the name resolutions and so far, for months/years, everything worked as expected:
Click "Lookup hostnames" and all the IPs in the Live View list were immediately resolved to hostnames.

I rebooted the firewall - no luck.
The DNSCrypt-Proxy or firewall logs don't seem to show anything unusual, normal domain name resolution works fine.

Any ideas?
-----------------------------------
OPNsense 22.7.6-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022
#6
As I got unexplained problems after an upgrade to the latest 21.1.6 I wish to reinstall with an older image from a USB stick.

Where can I download older versions?

Thanks.
#7
Hi.
I upgraded from 21.1.3 or so to the latest 21.1.6, and suddenly I can no longer access the Internet from the LAN.
Everything worked fine before  >:(
Has anybody experienced the same?
All the rules etc. seem OK, and like I said, there were no problems before the upgrade.
So now I no longer have Internet access from my home network.  :'(

Any ideas as to how to solve this quickly would be most appreciated!
#8
20.7 Legacy Series / Unable to edit NAT rules
August 28, 2020, 08:11:53 AM
OPNsense 20.7.1-amd64
FreeBSD 12.1-RELEASE-p8-HBSD
OpenSSL 1.1.1g 21 Apr 2020

When I click the arrow icon next to a NAT-port forward rule, the message
"The NAT configuration has been changed. You must apply the changes in order for them to take effect."
pops up at the top of the page.
I click "Apply changes" but this does not solve it.

In short I cannot edit any NAT rules any more.

Help?
#9
OPNsense 20.7.1-amd64
FreeBSD 12.1-RELEASE-p8-HBSD
OpenSSL 1.1.1g 21 Apr 2020

Hi.
I have NAT forwarding for port 25 to my email server on the DMZ.
On the WAN interface I have a few rules that forbid connections from certain countries and after that a rule that allows connections from everywhere to my email server.

Now this strange thing happens:
When I activate logging for the blocking rules then they show as expected in the firewall as blocking access.
But when I deactivate logging they show with a label "rdr rule" in the firewall log.
   Interface   Time               Source                    Destination        Proto   Label
   wan         Aug 27 14:22:25    193.169.254.107:56236     192.168.0.10:25    tcp     rdr rule

The blocking works but these rules show up in the firewall log although I do not want to see them there.

Any ideas why those rules might show up as "rdr rules" in the FW log and how to not see those rules in the log?

Thanks.
#10
OPNsense 20.1.4-amd64
FreeBSD 11.2-RELEASE-p18-HBSD
OpenSSL 1.1.1f 31 Mar 2020

Hi guys.

I am facing some strange issue with Firewall rules and I wish someone could help me understand.

1) On my WAN interface I have rules (at the top of the list) that forbid incoming connections from unsafe countries, incoming to unsafe countries and out to unsafe countries (unsafe countries being a GeoIP alias).
2) On the WAN interface I also have a rule that allows incoming connections to my email server (further down on the rules list).

3) Now occasionally I get RDR entries in the firewall log like this:
__timestamp__   May 8 16:17:10
ack   
action   [rdr]
anchorname   
datalen   0
dir   [in]
dst   192.168.1.43
dstport   25
ecn   
id   24082
interface   igb0
ipflags   none
length   40
offset   0
proto   6
protoname   tcp
reason   match
ridentifier   0
rulenr   15
seq   1031579698
src   195.54.166.3
srcport   43265
subrulenr   
tcpflags   S
tcpopts   
tos   0x0
ttl   245
urp   1024
version   4

4) Now there are 2 issues:
a) The incoming IP is from an unsafe country (Russia) and shouldn't be let through in the first place.
b) Even if for some reason the IP's location were not identified as an unsafe country, why do I get an [rdr] action instead of a [pass] action?

5) I am not as tech-savvy as it may seem, so I would appreciate it if someone could explain:
a) What does this [rdr] action mean in this case? Was the connection allowed? (And if yes, why?)
b) How can I identify this rule (ridentifier 0, rulenr 15, right?) in the GUI, where no rule identifier or number can be seen?

Any help with this would be greatly appreciated.
#11
18.1 Legacy Series / Firewall rule ignored
September 17, 2018, 12:37:52 AM
Hi guys.

I wish to block all connections to a device on my LAN.

So I set up a simple rule. It is the second in the list, right after the default "Anti-Lockout Rule".
These are the first two firewall rules for the LAN interface:

   Proto   Source   Port   Destination    Port    Gateway   Schedule   Description
   *       *        *      LAN Address    80 22   *                    Anti-Lockout Rule
   IPv4*   *        *      192.168.1.54   *       *                    no connections to device

Nevertheless I can still connect to 192.168.1.54 from any device on my LAN.

What am I missing to get this to work?

Thanks for any help.
#12
I checked my firewall log and noticed the occasional entry for blocked connections from devices on my LAN to the internet or even to my DMZ due to the "Default deny rule".
Examples:
   lan   Aug 9 07:34:55   192.168.1.oo:23916   104.95.229.140:443   tcp   Default deny rule
   lan   Aug 9 07:17:23   192.168.1.nn:57579   52.85.221.90:80   tcp   Default deny rule
   lan   Aug 9 05:53:22   192.168.1.nn:52329   192.168.3.xx:80   tcp   Default deny rule

I checked the connection from the LAN device 192.168.1.nn to the DMZ (192.168.3.xx:80) and it worked.
How can this default rule apply to those connections and not to all my connections?
Where can we check these default rules and possibly change them?

#13
18.1 Legacy Series / custom.yaml
July 27, 2018, 08:25:45 AM
Hi..

On this page (https://forum.opnsense.org/index.php?topic=7853.msg36325#msg36325) a new feature was announced: "intrusion detection: provide custom.yaml for user edits"

Has anybody used this feature? How does it work? What's the syntax?

Thanks for any help.
#14
German - Deutsch / custom.yaml
July 27, 2018, 06:41:39 AM
Hello.

On this page (https://forum.opnsense.org/index.php?topic=7853.msg36325#msg36325) a new feature was announced: "o intrusion detection: provide custom.yaml for user edits"

Has anybody used this feature yet? How does it work? What is the syntax?

Thanks for any help.
#15
Hello.

I have a pretty basic OPNsense configuration (see attached pic).

My problem is that one type of outgoing connection from a PC on the LAN (mainly to a SOCKS proxy, only used on that PC) appears in the log as coming from the firewall itself (with source IP 192.168.3.101). The label for these log entries is "let out anything from firewall host itself".
I cannot find a firewall rule with that description.

So I have 2 questions:
1) Why would these connections wrongly appear to come from the firewall?
2) Where is that rule "let out anything from firewall host itself" (and how can I avoid it clogging up my log)?

Thanks for any help.
#16
Hi guys.

Today I have a Zyxel USG100 and tomorrow I will use an OPNsense firewall.

On my Zyxel firewall I could define Address/PTR records, and I found that handy instead of setting addresses in the hosts file on Windows workstations. Can I define PTR records with OPNsense?

The Zyxel also lets me set the DNS server to use, based on the destination domain (Domain Zone Forwarder).
Can I do this with OPNsense too?

Thanks for helping this OPNsense beginner  :)