Topics - StP

#1
I still have two Deciso A10 Appliances running in production with 24.7.12.
I have a third, spare unit also running 24.7.12 which I tried to upgrade to 25.1.
The upgrade fails no matter how I try to get 25.1 installed.

I used Clonezilla to create an image of the 24.7.12 installation. Each of my attempts to upgrade starts from this exact same image.

I tried:
- in-place upgrade via GUI
- in-place upgrade via console
- download 25.1 image, copy to empty SSD using Rufus and install that SSD in the appliance, then boot from it
- boot a live system from USB-Stick using a second USB-Stick having config.xml in a /conf directory (like documentation suggests)

In all cases the system starts to boot but hangs after a few seconds.
In most cases the last lines visible in the serial console show that the connected network interfaces switch state to UP.
I think I saw a line regarding PIO being the last visible. Not sure...

So:
Is 25.1 supposed to run on this hardware and I'm doing it wrong?
Or is this AMD chipset too old to be supported?

Any help appreciated.
#2
While preparing to update from 24.1.10_8 to 24.7.x I'm reading through this forum and find I should adhere to

https://docs.opnsense.org/manual/settingsmenu.html#listen-interfaces

and set "System->Settings->Administration->Web GUI->Listen Interfaces" to All (Recommended).
I had it set to LAN since the beginning (2016 I think).

Problem:
No matter which setting I try to change on that page I get
"Certificate webConfigurator default is not intended for server use"
I do not use a certificate in that configuration. Or am I?
I see a "webConfigurator default" certificate under "System->Trust->Certificates" but that has expired more than eight years ago.

Not sure what to do!?

See attached screenshots.
#3
23.1 Legacy Series / Missing dependencies
March 24, 2023, 09:15:19 AM
I just updated a system from 23.1.2 to 23.1.4_1 and found the following in the update protocol:

Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.

pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:

python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed

>>> There are still missing dependencies.
>>> Try fixing them manually.


Anything I need to worry about?
Is there something I need to do?
#4
I just read that FreeBSD 12.1 has some issues with its TCP/IP stack that make it vulnerable to Remote Code Execution attacks that go by the name of NAME:WRECK.

I'm alarmed as we use OPNsense 21.1.4 to secure our company network.
Do I need to worry?
#5
I have two Deciso A10 appliances. One with a GX416RA SOC, the other has a GX415GA SOC.
The first one is currently active, the second one should provide some redundancy (cold stand-by).
So I want to export the config of the GX416 and load it into the GX415.
As I already found out I have to rename the network interfaces from igb0 to em0 etc.

Now when testing I can connect to the stand-by machine and I see that its WAN interface is connected to the internet.
But not a single data packet is moving from LAN to WAN and vice versa.

What else do I need to change in the config?
#6
After the update to 20.1.4 I am seeing some NAT problems.
This is on a Deciso DEC2630 or DEC2640 device.
I have two internal - physically separated - networks. LAN on igb0 (172.16.30.1/16) and a new one called BBB on igb2 (172.31.30.1).
WAN is on igb1 with a fixed IP.
I have some NAT rules to 172.16.x.x which are all LAN clients. These still work.
And I have some rules to 172.31.0.2 which is a server in the BBB network. These do not work anymore after the update. The server itself is listening to all ports, I checked that from behind the firewall. Coming in over WAN I only get connection timeouts (10060).
I double ( and triple) checked my rules. They look good and unchanged.

Any changes in the last update that could cause this trouble?

Is there an easy way back to 20.1.3 to do some cross checks?

Regards, stay safe
Stefan
#7
18.1 Legacy Series / [SOLVED] Mysterious IP address
April 11, 2018, 04:57:55 PM
I just found an unknown IP (192.168.0.45) in our network. It replies to a ping and looking at the reply with Wireshark the answer originates from the LAN interface of our OPNsense firewall. We never used 192.168.x.x here at the company, so I'm quite sure I did not configure it somewhere. And looking through the firewall's config I don't find any place where this is set.

Clueless here, anyone with an idea?

Stefan

Edit (fabian): Mark as solved
#8
17.7 Legacy Series / Blocking WEBDAV?
August 07, 2017, 02:20:35 PM
According to this

http://borncity.com/win/2017/08/07/us-cert-warns-microsoft-windows-lnk-vulnerability/

we should block outgoing SMB and WEBDAV traffic to close some attack vectors which can be used by the vulnerability.

How to block WEBDAV in OPNsense?

Stefan
#9
16.7 Legacy Series / Time to upgrade?
February 27, 2017, 11:26:42 AM
With 17.1.2 now out what is the common sense about upgrading from 16.7.14?
Production systems on Deciso hardware (OPN20077R-EUPC3-S2YN).
Any known risks still lurking?

Is 16.7.14 still safe? Or are there known security issues?

Best regards
  Stefan
#10
- Create voucher
- Use voucher to connect a device over WIFI -> works
- Disconnect device
- Drop voucher
- Reconnect device over WIFI -> still works

Is this WAD?
I'd expect a dropped voucher to be invalid even if its validity period is not yet expired.

Best regards
  StP
#11
It seems the general discussion forum is not (regularly) visited by OPNsense developers. So I'm reposting here...
------

We did set up a guest WIFI access point following

https://docs.opnsense.org/manual/how-tos/guestnet.html?highlight=captive%20portal

It works fine for Windows PCs and iOS devices.
But Android devices do not show the login screen.
Neither automatically (as my iPhone does) nor after opening a browser and entering an arbitrary URL.

Any ideas?

Stefan
#12
We did set up a guest WIFI access point following

https://docs.opnsense.org/manual/how-tos/guestnet.html?highlight=captive%20portal

It works fine for Windows PCs and iOS devices.
But Android devices do not show the login screen.
Neither automatically (as my iPhone does) nor after opening a browser and entering an arbitrary URL.

Any ideas?

Stefan
#13
16.7 Legacy Series / Hanging script
August 16, 2016, 03:43:41 PM
If I log into OPNsense, navigate to the dashboard and just leave it alone for some hours I get an error message about a hanging script. This is the link mentioned in the error box:

https://172.16.30.1/ui/js/d3.min.js:2

My dashboard shows:
- Traffic graph
- Interface statistics
- System information
- Interface list

OPNsense 16.7.1
Browser: Firefox 48.0

Regards
  Stefan

#14
Hi,

as the topic says: I want to create a user that is allowed nothing but to create vouchers for the Captive Portal.
So I create user "VoucherAdmin" and set only one privilege "WebCfg-Services: Captive Portal".

Now I can login as "VoucherAdmin" and I see a heavily reduced UI.
But I have two problems:
1. The UI is not reduced enough - all the Captive Portal functionality is available. Not only "Vouchers" but "Administration", "Sessions" and "Log File", too. That is more than our office ladies can (and should) handle.
Anything I (or you) can do to further reduce the privilege?

2. In the reduced UI there is no "Logout" button. I see no way to login again as "admin" except waiting for a timeout.
This is not by intention, is it?

Regards
  Stefan
#15
Hi!

I have two similar Deciso firewall boxes (OPNsense A10 Quad Core SSD rack OPN20077R) with this installed:

  OPNsense 16.1.5-amd64
  FreeBSD 10.2-RELEASE-p12
  OpenSSL 1.0.2g 1 Mar 2016

When I "Click to check for Updates" on the dashboard I get this on one of the boxes:

  Warning:
  stream_socket_client(): unable to connect to unix:///var/run/configd.socket (Connection refused) in
  /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php on line 93 Connection Error
  Click to retry

Don't know what to do. Retry doesn't help.
The other box is working fine and shows one available update.

Any help welcome...

Best regards
  Stefan
#16
15.7 Legacy Series / Status graph UI issue
November 13, 2015, 01:23:39 PM
Hi,
see attached picture.

As you can see the graph itself shows high incoming traffic and very low outgoing traffic.
In reality it is the other way around.
The list on the right has it right.
One upload from 172.16.1.23 is generating the outgoing traffic.
Incoming traffic is negligible.

Looks a bit mixed up.

Stefan
#17
Hi,

I have several machines that are not allowed to access the WAN. I have created a firewall rule for that.
Problem: All machines run Secunia's CSI agent (www.secunia.com).
The firewall requirement for this agent is: "Allow https to *.secunia.com"
How do I create such a rule? It seems wildcards are not supported.

Regards
  StP
#18
15.1 Legacy Series / Blocking by MAC
May 06, 2015, 11:45:49 AM
Hi,

our old Cisco security appliances allowed LAN devices to be blocked by MAC address.
It seems this is not possible with OPNsense. Correct?

StP
#19
Hi,

on Status->Traffic graph I can only see a textual representation of the current data, but no diagram.
OPNsense 15.1.9.2, Firefox 37.0.2
Any setting I have to activate?

Regards
  StP