Topics - jds

1
24.7 Production Series / Should I be concerned about this repeated error in my logs regarding xmlrpc?
« on: August 10, 2024, 04:22:44 pm »
Code: [Select]
Error opnsense /xmlrpc.php: Unable to retrieve authenticator for PW/4...
I don't (yet) have anything set up for high availability.

2
24.7 Production Series / opnsense-code ports fails with "index file smaller than expected" [SOLVED]
« on: August 05, 2024, 10:19:45 pm »
Am running the latest firmware on OPNsense on bare metal, but this problem might have existed earlier, unnoticed. I am updating my tailscale installation with
Code: [Select]
root@OPNsense:/home # opnsense-code src
fatal: .git/index: index file smaller than expected

This typically indicates a corrupt index file, which can be removed and rebuilt. However, the index does not exist in the usual place
Code: [Select]
root@OPNsense:/home # git status
fatal: not a git repository (or any of the parent directories): .git
though I am not sufficiently familiar with FreeBSD to know. The OPNsense documentation (https://docs.opnsense.org/manual/software_included.html#the-ports-tree) does suggest that this should be the usual place.

Am hoping that anyone more knowledgeable than I knows how to find the index and fix this. Thanks.
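Added example, not from this post or from the OPNsense project: a shell check that repeats the sanity tests git applies when it opens an index file, so the "index file smaller than expected" condition can be confirmed on a specific path before the index is deleted and rebuilt. It assumes the repository path is known (the OPNsense docs describe opnsense-code checkouts under /usr/src, /usr/ports and similar; treating that as the place to look is an assumption here, not something this post established) and that openssl is available for SHA-1. The fixture it builds is a zero-entry version-2 index, constructed locally, not a real repository's index.

```sh
# Added example (not from the post or the OPNsense project): re-implement the
# checks git makes when it opens .git/index, so a "smaller than expected"
# or checksum failure can be confirmed on a given path before rebuilding.
# Layout of every index version: 12-byte header ("DIRC", version, entry
# count), entries and extensions, then a 20-byte SHA-1 of everything before.

# SHA-1 of stdin as 40 hex characters (openssl for portability: FreeBSD and
# Linux name their sha1 command-line tools differently).
sha1_hex() {
    openssl dgst -sha1 | awk '{print $NF}'
}

# check_git_index PATH
#   prints: ok | missing | smaller-than-expected | bad-signature | bad-checksum
#   returns 0 only for ok
check_git_index() {
    idx=$1
    [ -f "$idx" ] || { echo missing; return 1; }
    size=$(wc -c < "$idx" | tr -d ' ')
    # git's minimum: header (12) + trailing hash (20); below that it dies with
    # "index file smaller than expected".
    [ "$size" -ge 32 ] || { echo smaller-than-expected; return 1; }
    [ "$(dd if="$idx" bs=1 count=4 2>/dev/null)" = "DIRC" ] \
        || { echo bad-signature; return 1; }
    body=$((size - 20))
    want=$(dd if="$idx" bs=1 count="$body" 2>/dev/null | sha1_hex)
    have=$(tail -c 20 "$idx" | od -An -tx1 | tr -d ' \n')
    # A mismatch here is what git reports as "bad index file sha1 signature".
    [ "$want" = "$have" ] || { echo bad-checksum; return 1; }
    echo ok
}

# make_empty_index PATH: write a valid version-2 index with zero entries
# (header plus its SHA-1). Constructed fixture, not a real repository's index.
make_empty_index() {
    out=$1
    printf 'DIRC\000\000\000\002\000\000\000\000' > "$out.hdr"
    { cat "$out.hdr"; openssl dgst -sha1 -binary < "$out.hdr"; } > "$out"
    rm -f "$out.hdr"
}

# Demonstration on scratch files: an intact index, then the same file
# truncated to 20 bytes, which is the condition the error message names.
scratch=$(mktemp -d)
make_empty_index "$scratch/index"
dd if="$scratch/index" of="$scratch/short" bs=1 count=20 2>/dev/null
echo "intact:    $(check_git_index "$scratch/index")"    # ok
echo "truncated: $(check_git_index "$scratch/short")"    # smaller-than-expected
rm -rf "$scratch"
```

Any result other than ok on the real index is the cue to rebuild: from the repository root, `rm .git/index && git reset` regenerates the index from HEAD (git reset defaults to --mixed, so the working tree is left alone). The check is deliberately the same as git's own: minimum size first, then the DIRC magic, then the trailing SHA-1 over the rest of the file.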

3
Zenarmor (Sensei) / Zenarmor blocks Magic Earth map downloads
« on: May 14, 2023, 10:47:58 pm »
Because it believes that it is a parked domain. However, the solution is fairly easy.
Go to Zenarmor -> Policies -> Default -> Exclusion.  Whitelist the domain services.generalmagic.com
Just in case anyone else runs into this problem.

4
21.7 Legacy Series / How to find logs from system crashes?
« on: July 07, 2022, 05:09:33 pm »
My OPNsense box has started crashing (seemingly) randomly every couple of days. It is difficult to debug without logs from the time of the crash.  When it crashes there is no responsiveness from pings or ssh or webUI, so I have to reboot.  However, after I reboot, all the logs I can find (e.g., /var/log/system) are from times after the reboot.

How can I get info from the crash to debug?  Any help appreciated.

5
21.7 Legacy Series / [Solved] Netdata Web UI unavailable
« on: October 13, 2021, 05:25:33 pm »
I am running 21.7.3_3-amd64 on a Protectli box. I don't think I have anything too strange in my setup. But for some time, the netdata web ui has been unavailable, and I finally tried today to see what might be going wrong. I uninstalled the os-netdata plugin and reinstalled it. Made sure that it was enabled, and checked that the daemon is running according to the OPNsense dashboard. But still not available. I checked the General System logfiles, but did not find anything. I use the IP address of the box to make sure that there is not a DNS issue. Double-checked the correct port and checked CLI:

Code: [Select]
root@OPNsense:~ # sockstat | grep 19999
netdata  netdata    92292 5  tcp4   192.168.yy.yy:19999    *:*

But trying to load the UI just times out. Tried different browsers.

I would appreciate any pointers for where else to investigate. If there is anything else in the forum, I haven't been able to find it.

6
21.1 Legacy Series / [Solved] Unable to ping gateway from LAN
« on: July 15, 2021, 10:33:06 pm »
I read problems in the forum involving dual WAN setups, but mine is not dual and pretty simple. The 'block private network' switch on WAN is not checked. Yet, I cannot ping the gateway from inside the LAN.  I must be missing something stupid, so any suggestions are likely to be useful, and certainly appreciated.

7
20.7 Legacy Series / MQTT broker mosquitto possible?
« on: November 13, 2020, 05:25:07 pm »
Mosquitto was available for installing a few versions ago, but was ended, apparently, because of problems with LibreSSL.  In a previous version @poupin claimed that it could be installed directly from the FreeBSD repos, and claimed that it worked (https://forum.opnsense.org/index.php?topic=14388.0).

Is this advisable, or is it likely to break sometimes? 

8
20.1 Legacy Series / [Solved] Cannot reach maltrail server
« on: June 15, 2020, 09:45:03 pm »
I was trying again to setup maltrail. The GUI says that both the sensor and the server are running fine.  In fact, /var/log/maltrail/2020-06-15.log logs very recent suspicious activity.  There is nothing in the general or backend system logs that looks problematic.
Apparently, it takes some time for the server to show up, but after waiting several hours, I still cannot reach the server. The sensor is on the default 8337 port, and the server on the default 8338 port. The URL to listen on is the opnsense static LAN IP. Any attempt to reach that IP:8338 just times out.

Here is the config file (which still shows the default login credentials):

Code: [Select]
# [Server]
HTTP_ADDRESS 192.168.1.50
HTTP_PORT 8338
USE_SSL false


DISABLE_LOCAL_LOG_STORAGE false

SENSOR_NAME $HOSTNAME
CUSTOM_TRAILS_DIR /usr/local/maltrail/trails/custom/
PROCESS_COUNT $CPU_CORES
DISABLE_CPU_AFFINITY false
USE_FEED_UPDATES true
DISABLED_FEEDS turris, ciarmy, policeman, myip, alienvault
UPDATE_PERIOD 86400
USE_SERVER_UPDATE_TRAILS false
USE_HEURISTICS true
CHECK_MISSING_HOST false
CHECK_HOST_DOMAINS false
SHOW_DEBUG false
LOG_DIR /var/log/maltrail
MONITOR_INTERFACE em0,ovpnc2,em3
CAPTURE_BUFFER 10%
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
USERS
    admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:2000:0.0.0.0/0                        # changeme!

Can anyone suggest where else to dig?

9
20.1 Legacy Series / Update to 20.1.7 killed zerotier interface
« on: May 20, 2020, 10:00:34 pm »
UPDATE:  In case anyone else has this issue.  I uninstalled ZT, rebooted, deleted the old data and went through the process of enabling, and connecting to the ZT virtual network.  That did it.  Don't know why the update broke it.

Had zerotier running nicely on OPNsense, without any issues.  However, once I updated to 20.1.7 it stopped working.  The daemon was apparently running, the network was enabled, and OPNsense had connection to the intertubes.  Eventually I found that the ZeroTier interface was assigned to em0 instead of ztxxxxxxx.  In fact, there was no zt interface even available.  I restarted the daemon, rebooted the router, uninstalled and reinstalled the zerotier plugin.  However, the interface just won't return.

On the zerotier web portal, I have set the OPNsense router "Do Not Auto-Assign IPs" checked, and in OPNsense ZeroTier interface, I have Static IPv4 for the configuration type.  Below that I have set the IPv4 address.

Did the update break something?

10
20.1 Legacy Series / High CPU from maltrail
« on: May 10, 2020, 05:57:06 pm »
Is anybody else seeing this? I had to disable and uninstall it, or there was a huge performance hit. I was seeing something between 40 and 80% CPU usage from it in System->Diagnostics->Activity. Then my download rate was only about 55Mbps, whereas if I disabled maltrail and rebooted, it went back up to about 320Mbps.

I did find this forum message for OPNsense 19.7: https://forum.opnsense.org/index.php?topic=14021.msg64454#msg64454

It is likely that my installation was not correct, since I didn't really know what I was doing. The sensor and the server are on the same machine, so most of the settings seemed to be the default ones.

11
20.1 Legacy Series / Install files verification fails
« on: April 11, 2020, 11:11:38 pm »
Am I the only one with this problem? It seems straightforward enough. Using the instructions from here:
https://docs.opnsense.org/manual/install.html#download-and-verification.  Have tried two different mirrors, two times each.
The latest one that I used is https://mirror.wdc1.us.leaseweb.net/opnsense/releases/20.1/.  I downloaded the four files to my harddrive:

OPNsense-20.1-OpenSSL-checksums-amd64.sha256 
OPNsense-20.1-OpenSSL-vga-amd64.img.bz2 
OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig 
OPNsense-20.1.pub

Then ran
Code: [Select]
openssl base64 -d -in OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig -out image.sig
openssl dgst -sha256 -verify OPNsense-20.1.pub -signature image.sig OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig

But receive:
Verification Failure

The public key file is the same on both mirrors.

I assume that I am just missing something stupid, and that the files have not been hacked.   ;D
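Added example, not from this post or from the OPNsense documentation: the two documented release checks, the detached signature over the image and the SHA256 checksums file, exercised end to end against a throwaway RSA key and a constructed stand-in image so it runs offline. One thing worth noticing about the commands in the post: the last argument to openssl dgst -verify is the data that was signed, and there it is the .sig file rather than the .img.bz2; the demonstration below runs both forms so the difference is visible. The BSD-style "SHA256 (name) = hex" line format for the checksums file and the OPNsense-test.pub file name are assumptions of the fixture, not taken from the post.

```sh
# Added example (not from the post or the OPNsense docs): the documented
# release checks, detached signature and SHA256 checksums, run against a
# throwaway key and a constructed stand-in image so it works offline.

# verify_image PUBKEY IMAGE SIG_B64 -> prints verified | failed
verify_image() {
    pub=$1; img=$2; sig_b64=$3
    raw=$(mktemp)
    # The published .sig is base64; openssl wants the raw signature bytes.
    openssl base64 -d -in "$sig_b64" -out "$raw"
    # The final argument is the signed data: the image itself, not the .sig.
    if openssl dgst -sha256 -verify "$pub" -signature "$raw" "$img" >/dev/null 2>&1; then
        echo verified
    else
        echo failed
    fi
    rm -f "$raw"
}

# verify_checksum SUMSFILE IMAGE -> prints match | mismatch | not-listed
# Assumes BSD-style lines:  SHA256 (file-name) = <hex>
verify_checksum() {
    sums=$1; img=$2
    name=$(basename "$img")
    listed=$(awk -v n="$name" '$1 == "SHA256" && $2 == ("(" n ")") { print $4 }' "$sums")
    [ -n "$listed" ] || { echo not-listed; return 1; }
    actual=$(openssl dgst -sha256 "$img" | awk '{print $NF}')
    [ "$listed" = "$actual" ] || { echo mismatch; return 1; }
    echo match
}

# build_fixture DIR: throwaway RSA key, constructed image, its base64
# detached signature and a checksums file. Fixture only; names are made up.
build_fixture() {
    d=$1
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
    openssl rsa -in "$d/key.pem" -pubout -out "$d/OPNsense-test.pub" 2>/dev/null
    printf 'constructed stand-in for an OPNsense image\n' > "$d/image.img.bz2"
    openssl dgst -sha256 -sign "$d/key.pem" -out "$d/image.raw" "$d/image.img.bz2"
    openssl base64 -in "$d/image.raw" -out "$d/image.img.bz2.sig"
    printf 'SHA256 (image.img.bz2) = %s\n' \
        "$(openssl dgst -sha256 "$d/image.img.bz2" | awk '{print $NF}')" \
        > "$d/checksums.sha256"
}

# Demonstration: the correct invocation, then the form from the post (the
# .sig file passed as the data to verify), then the checksum file.
fx=$(mktemp -d)
build_fixture "$fx"
verify_image "$fx/OPNsense-test.pub" "$fx/image.img.bz2"     "$fx/image.img.bz2.sig"   # verified
verify_image "$fx/OPNsense-test.pub" "$fx/image.img.bz2.sig" "$fx/image.img.bz2.sig"   # failed
verify_checksum "$fx/checksums.sha256" "$fx/image.img.bz2"                               # match
rm -rf "$fx"
```

For a real download the calls are the same with OPNsense-<version>.pub, the .img.bz2 and its .sig; the checksums file guards against a corrupt transfer, the signature against a substituted image, and both should pass before the image is written to media. Fetching the .pub from a mirror and verifying with it only proves the mirror is self-consistent, so compare that key with the one published on the project's own site as well.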

12
20.1 Legacy Series / Praise for intrusion detection plus ETPro implementation
« on: March 07, 2020, 03:46:56 pm »
I implemented intrusion detection a couple of weeks ago using the free rules from abuse.ch, from OPNsense and the open ones available from ETpro, if you let them gather some anonymized data from your machine. OPNsense scrubs your personally identifying information from the data that they receive, apparently. This seems a total win-win to me. My machine benefits from the protection against emerging threats, and contributes back to help identifying growing ones. It was straightforward to set up from the tutorial, and gives you lots of information, once running. I recommend it. The only ambiguous part is how many rules to implement. They can become resource heavy, if you use too many.

Of course, there could be a few improvements here. First, you do not get information about attacks from outside your network on your WAN until you add your WAN IP address to the home network. Once this number is changed by your ISP, it needs to be updated by hand again. Is that really necessary? Could that not be automated?

Is there a more rational way to choose the rules? It seems that part of the decision should be based on what is most useful to ET to know. Or really, that would be mutually beneficial.

The log files fill with lots of information. But you either scroll through and read, or download and process yourself. Graphs that are integrated with OPNsense seem ideal. It would be useful to have pie graphs that show which ports are being most attacked, or which geolocations are the most frequent, or if there are a few IP addresses that are persistent, or which categories of attacks are common. This would also help in deciding which rules to use.

Finally, there are logs of harmless events like

suricata[3877]: [100255] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs

which would be nice to remove.

Yeah, I know, it is always easy to request these endless streams of new features, but thought that the feedback might be useful anyway. Thanks for this great feature!
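Added example, not from this post or from OPNsense or Suricata: the per-port, per-source and per-classification tallies the post asks for as graphs, produced with awk over Suricata's fast.log line format. The five log lines are constructed sample input (addresses from the documentation ranges, not real traffic); on a firewall the input would be the IDS fast.log, assumed here to live at /var/log/suricata/fast.log when that output is enabled.

```sh
# Added example (not from the post, OPNsense or Suricata): tally Suricata
# fast.log alerts by destination port, source address or classification.
# Line layout assumed:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {<proto>} <src>:<sport> -> <dst>:<dport>

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_FASTLOG='03/07/2020-10:01:02.000001  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:51234 -> 203.0.113.10:3306
03/07/2020-10:01:05.000002  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51235 -> 203.0.113.10:22
03/07/2020-10:02:10.000003  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:40000 -> 203.0.113.10:22
03/07/2020-10:03:33.000004  [**] [1:2402000:5689] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.44:6000 -> 203.0.113.10:445
03/07/2020-10:04:01.000005  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51240 -> 203.0.113.10:22'

# fastlog_top FIELD LOGTEXT
#   FIELD is one of: dport | src | class
#   Prints "<count> <value>" lines, most frequent first.
fastlog_top() {
    field=$1
    printf '%s\n' "$2" | awk -v field="$field" '
        /\[\*\*\]/ {
            src = $(NF-2); dst = $NF          # "src:sport -> dst:dport" are the last three fields
            sub(/:[0-9]+$/, "", src)          # strip the port; works for IPv6 addresses too
            port = dst; sub(/.*:/, "", port)  # keep only what follows the last colon
            cls = $0
            sub(/.*\[Classification: /, "", cls); sub(/\].*/, "", cls)
            if (field == "dport") k = port
            else if (field == "src") k = src
            else if (field == "class") k = cls
            else next
            n[k]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Demonstration on the sample. On a firewall (assumed path):
#   fastlog_top src "$(cat /var/log/suricata/fast.log)"
fastlog_top dport "$SAMPLE_FASTLOG"    # first line: 3 22
fastlog_top src   "$SAMPLE_FASTLOG"    # first line: 3 198.51.100.7
```

Three short tables are usually enough to answer the post's questions without a graph: the port table shows what is being probed, the source table shows whether a handful of addresses account for most of the noise (candidates for a block alias), and the classification table shows which rule categories actually fire, which is a better basis for trimming the rule set than guessing.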

13
19.1 Legacy Series / Can anyone reach their cable modem through OpnSense?
« on: March 18, 2019, 05:18:55 pm »
I recently replaced my DOCSIS 3.0 cable modem with a DOCSIS 3.1 (Arris) modem, and the performance actually got worse. I wanted to look at the GUI for the modem and search for errors. The only way to do this was by plugging an ethernet cable from my laptop into the second port on the modem, and then I could reach the modem at 192.168.100.1. However, it would be better if I could just reach the cable modem from my LAN. I found a couple of posts on this for pfsense:

https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html
https://superuser.com/questions/1243134/how-do-i-reach-the-modem-settings-page-from-inside-firewall

but nothing on the forum, or online for OPNsense.

There are just a few steps, but I get hung up on the earliest one, assuming that something analogous would work for OPNsense. Namely, how to "create a new OPT interface, and assign it to the physical network card that is on WAN"? If I go to Interface -> Assignments, I could add a new interface, but it has to be attached to a NIC different from the WAN. I can do that, and go edit to try to assign it to the same NIC, but OPNsense complains. I am guessing that it needs a bridge? But I am lost.

Can anyone point me in the right direction? Thanks.
 


14
18.7 Legacy Series / WAN to LAN fast, inside LAN slow
« on: December 30, 2018, 02:53:42 am »
It is hard to be sure that this is really an OPNsense issue, but was hoping someone here could help. My setup is cable modem to mini PC running 18.7.9 OPNsense. Plugged into this firewall is a gigabit TP-Link switch, which further connects to a linux box as a server (ethernet), a ubiquiti AC LR AP, a powerline adapter, and an Obihai VOIP box. OPNSense has almost everything running out through openvpn.

When I run speedtest-cli on the server, I get a respectable ~120mbps. When I run anything connected WiFi (via the AP, android tablet, phone, laptop), I get at least 70mbps from outside. However, when I run iperf3 in server mode on the server, and check the speed to my laptop, I get only ~10mbps. I have rebooted everything (OPNsense, laptop, server, AP) but repeatedly get only ~10mbps. It has persisted for several days. The reverse is true with running iperf3 as server on the laptop and checking speed to the server.

Is it possible that OPNsense is somehow limiting the bandwidth for purely LAN connections? Is it the switch? The AP? What other tests could I run to try and pinpoint the source of the problem? Any help is appreciated.

15
18.7 Legacy Series / [SOLVED] I am losing my mind with transparent proxy
« on: November 04, 2018, 03:28:31 pm »
This very well might be some Google problem, but getting help from them is impossible, so am hoping someone here has fixed this before, or has some clues.

I set up cache proxy, then transparent http proxy, both according to the opnsense howtos, and everything was working. I then set up SSL inspection, again according to the howto. I set up to bump certain sites, including the Google, googleapis and similar domains. I imported the certificate to my browser, and to the apps and vpn on my android tablet and phone. Everything worked fine, except the Google play store. It claimed that there was no internet connection. I double checked, triple checked everything. No joy. Rebooted everything, but no change. I gave up and restored my opnsense configuration to before even the cache proxy. No good. Rebooted the firewall. The router, the phone. Still no good. Removed the certificate, rebooted. No connection to Google. Even did a factory reset on the tablet after backing up everything to the micro sd. Seemed to work for a little while, but then started sending the same error again. The whole time, everything else on the interwebs was reachable.

It is the strange time lags that get me. Sometimes a setting takes time to propagate, including on this issue. Rebooting isn't sufficient. But most urgently, how do I fix this? I haven't found any clues in any logs, but I may not be looking in the right place.

UPDATE: Well, I solved the play store problem, but have not yet reimplemented the transparent proxy.  The key was finding out that it was NOT a firewall block, so OPNsense was not the issue, but rather a DNS filter.  One of the lists on pihole added the android.clients.google.com domain which blocked access. This happened at the same time that I set up transparent blocking, so that confused me.  Now I can reach the play store.  During this adventure, I discovered that (1) it is nearly impossible to reach anyone at Google, and (2) if that person you eventually reach does not have the information, they cannot ask someone else, or put you in contact with anyone else. This person could tell me what port the app uses, but could not find out the URL. I will try later to set up the transparent blocking again, but it will probably be necessary to add this domain to the bump list, too.  I found the list from here: https://community.arubanetworks.com/t5/Security/2017-Google-Play-Store-URL-whitelist/td-p/284663

Two asides: I occasionally find (usually small) errors in the manuals or how-to lists. Is there a place to send those corrections, so that I can help keep them up to date?
Second aside, the web proxy mentions the yoyo ad blocking list, and references the squidblacklist, but says that it is only pay. However, they do provide a free list to block malicious domains.  This would seem to be a great minimum web filter to suggest in the how-to:
https://blog.squidblacklist.org/?p=1658

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved