OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of bob@afrinet.eu »
  • Show Posts »
  • Topics
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Topics - bob@afrinet.eu

Pages: [1]
1
Development and Code Review / EMMC support on 19.1 ß
« on: October 23, 2018, 03:31:20 pm »
We were testing the 19.1ß since It should now be able to boot on Denverton MB.
But we think that there is a problem with the EMMC support.

Do you know if the following modules are compiled with the actual ß kernel in 19.1 ?

  • sdhci_pci/mmc
  • sdhci_acpi/mmc
  • mmc/mmcsd


Thanks for your reply.

2
Development and Code Review / PKCS-11 compile option for OpenVPN
« on: October 05, 2018, 05:10:22 pm »
I wanted to know why compile options used in OPNsense (and pfSense®) didn't include pkcs11 ?

What is the reason ?

And what would you recommend for stronger authentication method / physical (like smart card ok USB dongle) ?

The optic is a large scale VPN where we would need to push dynamic routes && get strong authentication (firewall to firewall).



Actual OpenVPN compile options are as follow :


root@FW1:~ # openvpn --version
OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 17 2018
library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

3
Hardware and Performance / Yandex patch in OPNSense ?
« on: September 18, 2018, 12:20:06 pm »
Just a simple question, I wanted to know if the "yandex patches" have been ported in OPNSense.
I am talking about two sets of patch which are used to enhance performance of arpresolve & ip_findroute :

https://people.freebsd.org/~olivier/fbsd11.1.ae.afdata-radix.patch
https://reviews.freebsd.org/D12040


4
Intrusion Detection and Prevention / Suricata as flow loggin engine
« on: July 11, 2018, 11:20:18 am »
I think It would be nice to be able to use the suricata flow logging feature as described here :
https://blog.inliniac.net/2014/07/28/suricata-flow-logging/

For the time being there does not seem to have any option in the GUI to send flow to an external loger (beside local log files).

Is there any way to override the configuration of Suricata ?
What are the compile time options used ?

Main idea would be to be able to use Suricata as a Netflow / Flow collector.
I know this is handled using Netflow in OPNSense, but wouldn't the Suricata log collecting be more efficient ?

Furthermore Suricata has the ability to handle bi-directional flows, where Netflow handles them only unidirectional.

Thanks for your answer.

5
18.7 Legacy Series / 18.7 based on FBSD 11.1 or 11.2 ?
« on: June 20, 2018, 01:25:07 pm »
I wanted to know if the upcoming release will be based on FBSD 11.1 or 11.2 ?

6
Hardware and Performance / Impossible to boot from USB Key : "CAM status: Command timeout"
« on: June 20, 2018, 01:01:42 pm »
I was trying to install OPNSense on a box and bumped into this problem :

Quote
Booting...                                                                     
KDB: debugger backends: ddb                                                     
KDB: current backend: ddb                                                       
Copyright (c) 1992-2017 The FreeBSD Project.                                   
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994       
        The Regents of the University of California. All rights reserved.       
FreeBSD is a registered trademark of The FreeBSD Foundation.                   
FreeBSD 11.1-RELEASE-p9  e86703e30(stable/18.1) amd64                           
FreeBSD clang version 4.0.0 (tags/RELEASE_400/final 297347) (based on LLVM 4.0.)
VT(vga): resolution 640x480                                                     
[HBSD LOG] logging to system: enabled                                           
[HBSD LOG] logging to user: disabled                                           
[HBSD HARDENING] procfs hardening: enabled                                     
[HBSD ASLR] status: opt-out                                                     
[HBSD ASLR] mmap: 30 bit                                                       
[HBSD ASLR] exec base: 30 bit                                                   
[HBSD ASLR] stack: 42 bit                                                       
[HBSD ASLR] vdso: 28 bit                                                       
[HBSD ASLR] map32bit: 18 bit                                                   
[HBSD ASLR] disallow MAP_32BIT mode mmap: opt-in                               
[HBSD ASLR (compat)] status: opt-out                                           
[HBSD ASLR (compat)] mmap: 14 bit                                               
[HBSD ASLR (compat)] exec base: 14 bit                                         
[HBSD ASLR (compat)] stack: 14 bit                                             
[HBSD ASLR (compat)] vdso: 8 bit                                               
[HBSD SEGVGUARD] status: opt-out                                               
[HBSD SEGVGUARD] expiry: 120 sec                                               
[HBSD SEGVGUARD] suspension: 600 sec                                           
[HBSD SEGVGUARD] maxcrashes: 5                                                 
CPU: Intel(R) Atom(TM) CPU C3558 @ 2.20GHz (2200.07-MHz K8-class CPU)           
  Origin="GenuineIntel"  Id=0x506f1  Family=0x6  Model=0x5f  Stepping=1         
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,>
  Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,>
  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>                         
  AMD Features2=0x101<LAHF,Prefetch>                                           
  Structured Extended Features=0x2294e283<FSGSBASE,TSCADJ,SMEP,ERMS,NFPUSG,MPX,>
  Structured Extended Features3=0x2c000000<IBPB,STIBP,ARCH_CAP>                 
  XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES>                             
  IA32_ARCH_CAPS=0x1<RDCL_NO>                                                   
  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID,VID,PostIntr                             
  TSC: P-state invariant, performance statistics                               
real memory  = 8589934592 (8192 MB)                                             
avail memory = 8187076608 (7807 MB)                                             
Event timer "LAPIC" quality 600                                                 
ACPI APIC Table: <INTEL  TIANO   >                                             
WARNING: L1 data cache covers less APIC IDs than a core                         
0 < 1                                                                           
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs                             
FreeBSD/SMP: 1 package(s) x 4 core(s)                                           
random: unblocking device.                                                     
ioapic0 <Version 2.0> irqs 0-23 on motherboard                                 
SMP: AP CPU #1 Launched!                                                       
SMP: AP CPU #2 Launched!                                                       
SMP: AP CPU #3 Launched!                                                       
Timecounter "TSC-low" frequency 1100035729 Hz quality 1000                     
random: entropy device external interface                                       
wlan: mac acl policy registered                                                 
netmap: loaded module                                                           
module_register_init: MOD_LOAD (vesa, 0xffffffff810ab110, 0) error 19           
random: registering fast source Intel Secure Key RNG                           
random: fast provider: "Intel Secure Key RNG"                                   
kbd1 at kbdmux0                                                                 
nexus0                                                                         
vtvga0: <VT VGA driver> on motherboard                                         
cryptosoft0: <software crypto> on motherboard                                   
acpi0: <ALASKA A M I > on motherboard                                           
acpi0: Power Button (fixed)                                                     
cpu0: <ACPI CPU> on acpi0                                                       
cpu1: <ACPI CPU> on acpi0                                                       
cpu2: <ACPI CPU> on acpi0                                                       
cpu3: <ACPI CPU> on acpi0                                                       
hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0       
Timecounter "HPET" frequency 24000000 Hz quality 950                           
Event timer "HPET" frequency 24000000 Hz quality 550                           
Event timer "HPET1" frequency 24000000 Hz quality 440                           
Event timer "HPET2" frequency 24000000 Hz quality 440                           
Event timer "HPET3" frequency 24000000 Hz quality 440                           
Event timer "HPET4" frequency 24000000 Hz quality 440                           
atrtc0: <AT realtime clock> port 0x70-0x77 irq 8 on acpi0                       
atrtc0: Warning: Couldn't map I/O.                                             
Event timer "RTC" frequency 32768 Hz quality 0                                 
attimer0: <AT timer> port 0x40-0x43,0x50-0x53 irq 0 on acpi0                   
Timecounter "i8254" frequency 1193182 Hz quality 0                             
Event timer "i8254" frequency 1193182 Hz quality 100                           
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900                       
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1808-0x180b on acpi0         
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0                         
pcib0: _OSC returned error 0x10                                                 
pci0: <ACPI PCI bus> on pcib0                                                   
pcib1: <ACPI PCI-PCI bridge> at device 6.0 on pci0                             
pci1: <ACPI PCI bus> on pcib1                                                   
pci1: <processor> at device 0.0 (no driver attached)                           
pcib2: <ACPI PCI-PCI bridge> mem 0xdff60000-0xdff7ffff irq 20 at device 14.0 on0
pci2: <ACPI PCI bus> on pcib2                                                   
pcib3: <ACPI PCI-PCI bridge> mem 0xdff40000-0xdff5ffff irq 21 at device 15.0 on0
pci3: <ACPI PCI bus> on pcib3                                                   
igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0xd000-0xd3
igb0: Using MSIX interrupts with 5 vectors                                     
igb0: Ethernet address: 00:90:00:00:00:01                                       
igb0: Bound queue 0 to cpu 0                                                   
igb0: Bound queue 1 to cpu 1                                                   
igb0: Bound queue 2 to cpu 2                                                   
igb0: Bound queue 3 to cpu 3                                                   
igb0: netmap queues/slots: TX 4/1024, RX 4/1024                                 
pcib4: <ACPI PCI-PCI bridge> mem 0xdff20000-0xdff3ffff irq 22 at device 16.0 on0
pci4: <ACPI PCI bus> on pcib4                                                   
igb1: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0xc000-0xc4
igb1: Using MSIX interrupts with 5 vectors                                     
igb1: Ethernet address: 00:90:00:00:00:02                                       
igb1: Bound queue 0 to cpu 0                                                   
igb1: Bound queue 1 to cpu 1                                                   
igb1: Bound queue 2 to cpu 2                                                   
igb1: Bound queue 3 to cpu 3                                                   
igb1: netmap queues/slots: TX 4/1024, RX 4/1024                                 
pcib5: <ACPI PCI-PCI bridge> mem 0xdff00000-0xdff1ffff irq 23 at device 17.0 on0
pci5: <ACPI PCI bus> on pcib5                                                   
ahci0: <AHCI SATA controller> port 0xe0c0-0xe0c7,0xe0b0-0xe0b3,0xe040-0xe05f me0
ahci0: AHCI v1.31 with 1 6Gbps ports, Port Multiplier supported                 
ahcich0: <AHCI channel> at channel 0 on ahci0                                   
ahciem0: <AHCI enclosure management bridge> on ahci0                           
ahci1: <AHCI SATA controller> port 0xe0a0-0xe0a7,0xe090-0xe093,0xe020-0xe03f me0
ahci1: AHCI v1.31 with 1 6Gbps ports, Port Multiplier supported                 
ahcich8: <AHCI channel> at channel 7 on ahci1                                   
ahciem1: <AHCI enclosure management bridge> on ahci1                           
xhci0: <XHCI (generic) USB 3.0 controller> mem 0xdff80000-0xdff8ffff irq 19 at 0
xhci0: 32 bytes context size, 64-bit DMA                                       
usbus0 on xhci0                                                                 
usbus0: 5.0Gbps Super Speed USB v3.0                                           
pcib6: <ACPI PCI-PCI bridge> irq 16 at device 22.0 on pci0                     
pci6: <ACPI PCI bus> on pcib6                                                   
pci6: <network, ethernet> at device 0.0 (no driver attached)                   
pci6: <network, ethernet> at device 0.1 (no driver attached)                   
pcib7: <ACPI PCI-PCI bridge> at device 23.0 on pci0                             
pci7: <ACPI PCI bus> on pcib7                                                   
pci7: <network, ethernet> at device 0.0 (no driver attached)                   
pci7: <network, ethernet> at device 0.1 (no driver attached)                   
pci0: <simple comms> at device 24.0 (no driver attached)                       
pci0: <simple comms, UART> at device 26.0 (no driver attached)                 
pci0: <simple comms, UART> at device 26.1 (no driver attached)                 
pci0: <simple comms, UART> at device 26.2 (no driver attached)                 
isab0: <PCI-ISA bridge> at device 31.0 on pci0                                 
isa0: <ISA bus> on isab0                                                       
pci0: <memory> at device 31.2 (no driver attached)                             
pci0: <serial bus> at device 31.5 (no driver attached)                         
acpi_tz0: <Thermal Zone> on acpi0                                               
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 7 flags 0x10 on acpi0         
uart0: console (115200,n,8,1)                                                   
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 10 on acpi0                   
ppc0: cannot reserve I/O port range                                             
est0: <Enhanced SpeedStep Frequency Control> on cpu0                           
est: CPU supports Enhanced Speedstep, but is not recognized.                   
est: cpu_vendor GenuineIntel, msr 21eb00001600                                 
device_attach: est0 attach returned 6                                           
est1: <Enhanced SpeedStep Frequency Control> on cpu1                           
est: CPU supports Enhanced Speedstep, but is not recognized.                   
est: cpu_vendor GenuineIntel, msr 21eb00001600                                 
device_attach: est1 attach returned 6                                           
est2: <Enhanced SpeedStep Frequency Control> on cpu2                           
est: CPU supports Enhanced Speedstep, but is not recognized.                   
est: cpu_vendor GenuineIntel, msr 21eb00001600                                 
device_attach: est2 attach returned 6                                           
est3: <Enhanced SpeedStep Frequency Control> on cpu3                           
est: CPU supports Enhanced Speedstep, but is not recognized.                   
est: cpu_vendor GenuineIntel, msr 21eb00001600                                 
device_attach: est3 attach returned 6                                           
Timecounters tick every 1.000 msec                                             
nvme cam probe device init                                                     
ugen0.1: <0x8086 XHCI root HUB> at usbus0                                       
uhub0: <0x8086 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0       
uhub0: 8 ports with 8 removable, self powered                                   
ugen0.2: <UFD 3.0 Silicon-Power16G> at usbus0                                   
umass0 on uhub0                                                                 
umass0: <UFD 3.0 Silicon-Power16G, class 0/0, rev 3.00/11.00, addr 1> on usbus0
umass0:  SCSI over Bulk-Only; quirks = 0x4000                                   
umass0:4:0: Attached to scbus4                                                 
ahcich8: Timeout on slot 5 port 0                                               
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00000020 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Retrying command                                       
run_interrupt_driven_hooks: still waiting after 60 seconds for xpt_config       
ahcich8: Timeout on slot 6 port 0                                               
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00000040 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Error 5, Retries exhausted                             
ahcich8: Timeout on slot 11 port 0                                             
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00000800 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Retrying command                                       
run_interrupt_driven_hooks: still waiting after 120 seconds for xpt_config     
ahcich8: Timeout on slot 12 port 0                                             
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00001000 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Error 5, Retries exhausted                             
ses0 at ahciem0 bus 0 scbus1 target 0 lun 0                                     
ses0: <AHCI SGPIO Enclosure 1.00 0001> SEMB S-E-S 2.00 device                   
ses0: SEMB SES Device                                                           
ses1 at ahciem1 bus 0 scbus3 target 0 lun 0                                     
ses1: <AHCI SGPIO Enclosure 1.00 0001> SEMB S-E-S 2.00 device                   
ses1: SEMB SES Device                                                           
da0 at umass-sim0 bus 0 scbus4 target 0 lun 0                                   
da0: <UFD 3.0 Silicon-Power16G 1100> Removable Direct Access SPC-4 SCSI device 
da0: Serial Number P1503809737151200347                                         
da0: 400.000MB/s transfers                                                     
da0: 15376MB (31490048 512 byte sectors)                                       
da0: quirks=0x2<NO_6_BYTE>                                                     
Trying to mount root from ufs:/dev/ufs/OPNsense_Install [ro,noatime]...         
Mounting filesysahcich8: Timeout on slot 16 port 0                             
ahcich8: is 00000002 cs 00000000 ss 00000000 rs 00010000 tfd 50 serr 00000000 c7
(aprobe0:ahcich8:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich8:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich8:0:0:0): Error 5, Retries exhausted 


Then system endlessly loops into :

Quote
Trying to mount root from ufs:/dev/ufs/OPNsense_Install [ro,noatime]...         
Mounting filesysahcich0: Timeout on slot 16 port 0                             
ahcich0: is 00000002 cs 00000000 ss 00000000 rs 00010000 tfd 50 serr 00000000 c7
(aprobe0:ahcich0:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich0:0:0:0): CAM status: Command timeout                           
(aprobe0:ahcich0:0:0:0): Error 5, Retries exhausted
 

I am not really sure what to try from there on… ??


Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved
  • SMF 2.0.15 | SMF © 2017, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2