Topics - firewall

1
22.7 Legacy Series / WAN Flapping Addressed with 22.7?
« on: August 02, 2022, 11:29:34 pm »
The upgrade to 22.x earlier this year was accompanied by rather severe WAN connectivity issues experienced by many forum users and often echoed by others. These are unique posts from 22.x.

Though admittedly a few of the links above are only possibly related to the underlying issue, I'm sure I didn't track down 100% of the threads that were.

Given the extent of my digging I trust it's evident that this has been a major thorn. Regardless, I've stuck with OPNsense with the hopes that a fix would arrive eventually.

Question: noting the handful of interface and dhcpd items in the changelog for 22.7, were any of them intended to address this issue? If not, did the 22.7 release unwind any related changes that may have been introduced with 22.1?

2
21.7 Legacy Series / Cannot define table bogonsv6: Cannot allocate memory
« on: July 29, 2021, 05:15:08 pm »
Hello,

After upgrading to 21.1.9_1, the error previously discussed here seems to have returned: https://forum.opnsense.org/index.php?topic=7879.0

My "Firewall Maximum Table Entries" is (and has long been) 2,500,000 so this appears an unlikely root cause.  Below is the specific error shown:

Code:
There were error(s) loading the rules: /tmp/rules.debug:132: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [132]: table  persist file /usr/local/etc/bogonsv6

3
Zenarmor (Sensei) / Trusting Zenarmor (fka Sensei) / Sunny Valley Networks
« on: May 25, 2021, 11:18:39 pm »
Hi,
I poked around with Sensei when it was originally released for OPNsense. Cool product but I ended up uninstalling due to the closed source aspect of certain components.

In the time since, has anyone monitored WAN ingress/egress traffic of their Sensei installation to gauge frequency or (better yet) type of data being shared?

Thanks!


Edit: Subject revision to reflect change of product name. Concerns still not addressed 1 year after initial post.

4
20.7 Legacy Series / NGINX error after upgrade to 20.7.8
« on: January 19, 2021, 11:13:08 pm »
Hi all,

NGINX fails with the following message after I upgraded to 20.7.8:

SSL_CTX_load_verify_locations("/usr/local/etc/nginx/key/trust_upstream_***GUID***.pem") failed (SSL: error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found)

Any suggestions for how I might rectify?

5
General Discussion / Trusting Sensei
« on: September 04, 2020, 05:21:16 am »
Hi,
I poked around with Sensei when it was originally released for OPNsense. Cool product but I ended up uninstalling due to the closed source aspect of certain components.

In the time since, has anyone monitored WAN ingress/egress traffic of their Sensei installation to gauge frequency or (better yet) type of data being shared?

Thanks!

6
20.1 Legacy Series / phantom interfaces (wireguard)
« on: February 01, 2020, 03:51:20 am »
in trying to troubleshoot wireguard connectivity (it's damn near rocket science to get those stars to align btw) i tried to run the client from command line.  from the attached screenshot i'm sure you can tell what i tried to do.  ::)

question is: how do i get rid of them??

7
19.7 Legacy Series / Plugin: Maltrail: Feature Request
« on: October 17, 2019, 09:23:51 pm »
I stumbled across Maltrail among the plugin options yesterday.  Good stuff; thanks.

The OPNsense management front-end for Maltrail rewrites the maltrail.conf file with every save.  Would it be possible to either develop an alternative (e.g. scripted editing of conf changes with sed/awk) or enable configuration of the SSL option (this is what I'm chasing after)?

8
General Discussion / OVPN + PIHOLE - client ip mystery
« on: August 19, 2019, 11:09:52 pm »
Hi All,
At some point I had everything set up properly such that DNS for clients connected to OpenVPN Server on the OPN machine was forwarded to an internal PIHOLE machine, and the OpenVPN client IP/host resolved properly.  Now, and although DNS is working properly, all queries show up in PIHOLE logs as having originated from the OPN IP.

So I understand this is specific to a 3rd-party technology (PIHOLE), however there must have been something I changed on the OPN side to cause the masking of IP.  The problem no doubt has to do with the fact the OVPN clients reside on a different subnet (by design...I'm not even sure you can configure it to be on the same as LAN) but it worked once so I'm trying to get there again.

Any insight into which settings I need to align to expose the OVPN client IP(s)?

Thanks!

9
General Discussion / aliases for opnsense-shell
« on: August 11, 2019, 08:23:35 pm »
can someone help me determine which ENV files are sourced during a login to opnsense-shell (e.g. .shellrc, .profile, .login, etc.)?  i'd like to set some aliases--specifically replacing the default bsd "watch" command--but i've been unable to figure out where to set this. 

i understand i can change the user(s) to another shell but i'm also not familiar with the pros/cons of remaining with opnsense-shell.

i did try searching for an answer here but all results pertain to firewall aliases...and understandably so.  ;D

10
19.7 Legacy Series / Saving FW/NAT Rules: GUI Hangs
« on: August 09, 2019, 12:17:34 am »
After my upgrade to OPNsense 19.7.2 any attempt to apply FW or NAT rules will cause the web-based administration page to "hang", wait for connection, and eventually timeout.  A subsequent refresh of the page shows the "Apply changes" button has disappeared as though the changes were accepted, and in testing thus far it seems the rules do indeed stick. 

Any suggestions as to where I might start troubleshooting?


11
19.1 Legacy Series / Unbound + DHCP
« on: June 19, 2019, 03:35:17 am »
From foot of Unbound "General" settings page:

"
If Unbound is enabled, the DHCP service (if enabled) will automatically serve the LAN IP address as a DNS server to DHCP clients so they will use Unbound resolver. If forwarding is enabled, Unbound will use the DNS servers entered in System: General setup or those obtained via DHCP or PPP on WAN if the "Allow DNS server list to be overridden by DHCP/PPP on WAN" is checked.
"

I'm sure there's a good explanation for why this is but I can't for the life of me figure it out.  Does this mean that DNS servers specified via DHCP server settings are ignored in favor of distributing LAN IP?  Why?


12
19.1 Legacy Series / Unknown (& Errant) Outbound SSH?
« on: May 11, 2019, 12:46:45 am »
Running OPNsense 19.1.7 on a 6-port QOTOM I7 miniPC.  Numerous services to list, so I'll spare you unless you think there's one that may be causing this "problem".

In viewing firewall live log this afternoon I noticed numerous outbound connections with src WAN IP to many different (routed; e.g. 32.242.109.124) IPs at dst port 22.  On the surface it looked like an internal machine was scanning on behalf of C&C but then non-routed IPs (e.g. 0.195.6.134) started showing up with same config.

So, I don't think I've been pwned but I'd still like to figure out the source....particularly if this traffic is making it to the (routable) destinations. 

See attached screenshot from States Dump.  Masked block is my WAN address & there are hundreds of destinations not shown.

Any tips on how I might troubleshoot this?

EDIT: Thanks for moving this post over from 19.7 Dev Series!  :)
