Topics - sol

#1
Hi there,

Since yesterday opnsense reboots daily. I do not fully understand the log files and what is causing it.
I have attached all log files and changed the SSH keys and some IP addresses for privacy.
Looking forward to any help.
For some reason Zenarmor also shows reports for the same IP but with two different names, or rather, it uses the same IP for different hostnames that are on different VLANs and have the right settings in their DHCP server on their corresponding subnet.

Thank you.

System Information
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
FreeBSD 13.0-STABLE stable/22.1-n248071-cafeb6ce414 SMP amd64
OPNsense 22.1.6 42de9d6d9
Plugins os-acme-client-3.9 os-boot-delay-1.0_1 os-etpro-telemetry-1.6_1 os-intrusion-detection-content-et-open-1.0.1 os-iperf-1.0_1 os-mdns-repeater-1.1 os-netdata-1.1 os-nextcloud-backup-1.0_1 os-sensei-1.11.1 os-sensei-updater-1.11 os-smart-2.2 os-sunnyvalley-1.2_1 os-vnstat-1.3 os-wireguard-1.10
Time Tue, 03 May 2022 17:41:48 +0200
OpenSSL 1.1.1n  15 Mar 2022
PHP 7.4.28


dmesg.boot:
Copyright (c) 1992-2021 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 13.0-STABLE stable/22.1-n248071-cafeb6ce414 SMP amd64
FreeBSD clang version 13.0.0 (git@github.com:llvm/llvm-project.git llvmorg-13.0.0-0-gd7b669b3a303)
VT(efifb): resolution 800x600
CPU: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz (1900.00-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x806ea  Family=0x6  Model=0x8e  Stepping=10
  Features=0xbfebfbff
  Features2=0x7ffafbff
  AMD Features=0x2c100800
  AMD Features2=0x121
  Structured Extended Features=0x29c6fbf
  Structured Extended Features3=0xc000000
  XSAVE Features=0xf
  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
  TSC: P-state invariant, performance statistics
real memory  = 17179869184 (16384 MB)
avail memory = 16503267328 (15738 MB)
Event timer "LAPIC" quality 600
ACPI APIC Table:
FreeBSD/SMP: Multiprocessor System Detected: 8 CPUs
FreeBSD/SMP: 1 package(s) x 4 core(s) x 2 hardware threads
random: registering fast source Intel Secure Key RNG
random: fast provider: "Intel Secure Key RNG"
random: unblocking device.
ioapic0  irqs 0-119
Launching APs: 1 2 6 4 5 7 3
random: entropy device external interface
wlan: mac acl policy registered
kbd0 at kbdmux0
WARNING: Device "spkr" is Giant locked and may be deleted before FreeBSD 14.0.
efirtc0:
efirtc0: registered as a time-of-day clock, resolution 1.000000s
aesni0:
acpi0:
acpi0: Power Button (fixed)
cpu0:  on acpi0
hpet0:  iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 24000000 Hz quality 950
Event timer "HPET" frequency 24000000 Hz quality 550
atrtc0:  port 0x70-0x77 irq 8 on acpi0
atrtc0: Warning: Couldn't map I/O.
atrtc0: registered as a time-of-day clock, resolution 1.000000s
Event timer "RTC" frequency 32768 Hz quality 0
attimer0:  port 0x40-0x43,0x50-0x53 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1808-0x180b on acpi0
pcib0:  port 0xcf8-0xcff on acpi0
pci0:  on pcib0
vgapci0:  port 0xf000-0xf03f mem 0xde000000-0xdeffffff,0xc0000000-0xcfffffff irq 16 at device 2.0 on pci0
vgapci0: Boot video device
xhci0:  mem 0xdf200000-0xdf20ffff irq 16 at device 20.0 on pci0
xhci0: 32 bytes context size, 64-bit DMA
usbus0 on xhci0
usbus0: 5.0Gbps Super Speed USB v3.0
pci0:  at device 22.0 (no driver attached)
ahci0:  port 0xf090-0xf097,0xf080-0xf083,0xf060-0xf07f mem 0xdf214000-0xdf215fff,0xdf218000-0xdf2180ff,0xdf217000-0xdf2177ff irq 16 at device 23.0 on pci0
ahci0: AHCI v1.31 with 3 6Gbps ports, Port Multiplier not supported
ahcich0:  at channel 0 on ahci0
ahcich1:  at channel 1 on ahci0
ahcich2:  at channel 2 on ahci0
pcib1:  irq 16 at device 28.0 on pci0
pci1:  on pcib1
igb0:  port 0xe000-0xe01f mem 0xdf100000-0xdf11ffff,0xdf120000-0xdf123fff irq 16 at device 0.0 on pci1
igb0: NVM V0.6 imgtype1
igb0: Using 1024 TX descriptors and 1024 RX descriptors
igb0: Using 2 RX queues 2 TX queues
igb0: Using MSI-X interrupts with 3 vectors
igb0: Ethernet address: 00:a5:27:e0:0b:9e
igb0: netmap queues/slots: TX 2/1024, RX 2/1024
pcib2:  irq 17 at device 28.1 on pci0
pci2:  on pcib2
igb1:  port 0xd000-0xd01f mem 0xdf000000-0xdf01ffff,0xdf020000-0xdf023fff irq 17 at device 0.0 on pci2
igb1: NVM V0.6 imgtype1
igb1: Using 1024 TX descriptors and 1024 RX descriptors
igb1: Using 2 RX queues 2 TX queues
igb1: Using MSI-X interrupts with 3 vectors
igb1: Ethernet address: 00:a5:27:e0:0b:9f
igb1: netmap queues/slots: TX 2/1024, RX 2/1024
isab0:  at device 31.0 on pci0
isa0:  on isab0
pci0:  at device 31.2 (no driver attached)
acpi_button0:  on acpi0
acpi_button1:  on acpi0
acpi_tz0:  on acpi0
acpi_tz1:  on acpi0
uart0: <16950 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart1: <16950 or compatible> port 0x2f8-0x2ff irq 3 on acpi0
uart2: <16950 or compatible> port 0x3e8-0x3ef irq 6 on acpi0
uart3: <16950 or compatible> port 0x2e8-0x2ef irq 7 on acpi0
uart4: <16950 or compatible> port 0x2f0-0x2f7 irq 10 on acpi0
uart5: <16950 or compatible> port 0x2e0-0x2e7 irq 11 on acpi0
orm0:  at iomem 0xc0000-0xcffff pnpid ORM0000 on isa0
hwpstate_intel0:  on cpu0
hwpstate_intel1:  on cpu1
hwpstate_intel2:  on cpu2
hwpstate_intel3:  on cpu3
hwpstate_intel4:  on cpu4
hwpstate_intel5:  on cpu5
hwpstate_intel6:  on cpu6
hwpstate_intel7:  on cpu7
Timecounter "TSC" frequency 1896000501 Hz quality 1000
Timecounters tick every 1.000 msec
ZFS filesystem version: 5
ZFS storage pool version: features support (5000)
Trying to mount root from zfs:zroot/ROOT/default []...
Root mount waiting for: usbus0 CAM
ugen0.1: <0x8086 XHCI root HUB> at usbus0
uhub0 on usbus0
uhub0: <0x8086 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0
uhub0: 18 ports with 18 removable, self powered
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
ada0:  ACS-3 ATA SATA 3.x device
ada0: Serial Number 50026B77847DA92E
ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)
ada0: Command Queueing enabled
ada0: 244198MB (500118192 512 byte sectors)
ada1 at ahcich1 bus 0 scbus1 target 0 lun 0
ada1:  ACS-4 ATA SATA 3.x device
ada1: Serial Number S4BFNJ0MC13526Y
ada1: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)
ada1: Command Queueing enabled
ada1: 238475MB (488397168 512 byte sectors)


/var/crash/info.0:
Dump header from device: /dev/ada0p3
  Architecture: amd64
  Architecture Version: 4
  Dump Length: 77312
  Blocksize: 512
  Compression: none
  Dumptime: 2022-05-03 17:39:30 +0200
  Hostname: OPNsense.home
  Magic: FreeBSD Text Dump
  Version String: FreeBSD 13.0-STABLE stable/22.1-n248071-cafeb6ce414 SMP
  Panic String: Unrecoverable machine check exception
  Dump Parity: 3559993632
  Bounds: 0
  Dump Status: good


#2
Hi there,

How can I list the total number of active drop and alert rules?
Is it possible in the GUI, or are there any commands for the shell?

Thx.
#3
Hi there,

Some IPs in my network are blocked from the internet after a schedule kicks in.
There is also a cron job to kill all states to make sure that these clients cannot connect to the internet anymore.

Instead of killing all connections with pfctl -f state
I know that with pfctl -k 192.168.1.100 this IP's states will be kicked.
How can I kill states for several IPs with one rule?
Or do I have to use my own rule for each IP I want to kick the states of?
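An added shell example, not from the original post, of a script that drops pf states for a whole list of hosts in one cron job. It assumes FreeBSD/OPNsense pfctl(8) and the semantics documented in the pfctl man page (`-k HOST -k 0.0.0.0/0` kills states originating from HOST, `-k 0.0.0.0/0 -k HOST` kills states going to HOST); the host list is a constructed sample, and `pfctl -k` accepts CIDR networks as well as single addresses, so a contiguous range needs only one entry.

```shell
#!/bin/sh
# Added example (not from the original post): drop pf states for several hosts
# from one script, e.g. run from an OPNsense cron job when the schedule blocks them.
# Assumes FreeBSD pfctl(8). States are keyed by source and destination, so each
# host needs two calls (per the pfctl man page):
#   pfctl -k HOST -k 0.0.0.0/0   -> states originating from HOST
#   pfctl -k 0.0.0.0/0 -k HOST   -> states going to HOST
PFCTL="${PFCTL:-/sbin/pfctl}"        # override (e.g. PFCTL=echo) for a dry run

# Constructed sample list; single IPs and CIDR networks are both accepted by pfctl -k.
BLOCKED_HOSTS="192.168.1.100 192.168.1.101 192.168.2.0/28"

# Print the pfctl commands that would run, one per line, without executing them.
pf_kill_commands() {
    for h in "$@"; do
        printf 'pfctl -q -k %s -k 0.0.0.0/0\n' "$h"
        printf 'pfctl -q -k 0.0.0.0/0 -k %s\n' "$h"
    done
}

# Execute the kills; returns non-zero on the first pfctl failure so cron reports it.
pf_kill_states() {
    for h in "$@"; do
        "$PFCTL" -q -k "$h" -k 0.0.0.0/0 || return 1
        "$PFCTL" -q -k 0.0.0.0/0 -k "$h" || return 1
    done
}

# Only touch the live state table when explicitly asked:
#   sh kill_states.sh --apply
if [ "${1:-}" = "--apply" ]; then
    pf_kill_states $BLOCKED_HOSTS
fi
```

Run `pf_kill_commands $BLOCKED_HOSTS` first to see exactly which states would be removed; hooking the script up as an OPNsense cron job keeps the schedule rule and the state flush in one place, so a blocked client cannot keep an already-established connection alive past the schedule boundary.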
#4
19.7 Legacy Series / wireguard and 2fa
August 30, 2019, 08:05:06 PM
Hi there,

openvpn supports 2fa and also client certificates.
Is there or will there be an option for wireguard as well?
#5
Hi there,

since the update to 19.1.1 I have a weird issue.
Openvpn works. I can connect to my lan and browse the web from an external wlan.
But the status under vpn / openvpn / connection status shows this:

OpenVPN Status
OpenVPN Privat UDP:1194 Client connections
Common Name Real Address Virtual Address Connected Since Bytes Sent Bytes Received
[error] Unable to contact daemon Service not running? 0 0 bytes 0 bytes

System: Diagnostics: Services also shows that OpenVPN isn't running, although it works. Restarting the firewall or just the service doesn't solve the issue.

This is the OpenVPN log:
Date Message
Feb 19 17:51:49 openvpn[3190]: Exiting due to fatal error
Feb 19 17:51:49 openvpn[3190]: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)
Feb 19 17:51:49 openvpn[3190]: TUN/TAP device ovpns1 exists previously, keep at program end
Feb 19 17:51:49 openvpn[3190]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 17:51:49 openvpn[22887]: library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.10
Feb 19 17:51:49 openvpn[22887]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 4 2019
Feb 19 17:13:06 openvpn[52155]: MULTI_sva: pool returned IPv4=10.10.0.6, IPv6=(Not enabled)
Feb 19 17:13:06 openvpn[52155]: 46.xxx.xx.49:56646 [stefan] Peer Connection Initiated with [AF_INET]46.xxx.28.49:56646
Feb 19 17:13:06 openvpn: user 'stefan' authenticated using 'TOTP VPN Access Server'
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5180_3.7.8__build_5180)"
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_TCPNL=1
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_COMP_STUBv2=1
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_COMP_STUB=1
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_LZO=1
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_LZ4v2=1
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_LZ4=1
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_NCP=2
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_PROTO=2
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_PLAT=mac
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_VER=2.4.6
Feb 19 16:13:07 openvpn[52155]: stefan/46.xxx.xx.xx:53468 MULTI_sva: pool returned IPv4=10.10.0.6, IPv6=(Not enabled)
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 [stefan] Peer Connection Initiated with [AF_INET]46.xxx.xx.xx:53468
Feb 19 16:13:07 openvpn: user 'stefan' authenticated using 'TOTP VPN Access Server'
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5180_3.7.8__build_5180)"
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_TCPNL=1
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_COMP_STUBv2=1
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_COMP_STUB=1
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_LZO=1
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_LZ4v2=1
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_LZ4=1
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_NCP=2
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_PROTO=2
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_PLAT=mac
Feb 19 16:13:07 openvpn[52155]: 46.xxx.xx.xx:53468 peer info: IV_VER=2.4.6
Feb 19 13:57:15 openvpn[97551]: Exiting due to fatal error
Feb 19 13:57:15 openvpn[97551]: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)
Feb 19 13:57:15 openvpn[97551]: TUN/TAP device ovpns1 exists previously, keep at program end
Feb 19 13:57:15 openvpn[97551]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 13:57:15 openvpn[92632]: library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.10
Feb 19 13:57:15 openvpn[92632]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 4 2019
Feb 19 13:57:13 openvpn[93621]: Exiting due to fatal error
Feb 19 13:57:13 openvpn[93621]: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)
Feb 19 13:57:13 openvpn[93621]: TUN/TAP device ovpns1 exists previously, keep at program end
Feb 19 13:57:13 openvpn[93621]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 13:57:13 openvpn[28853]: library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.10
Feb 19 13:57:13 openvpn[28853]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 4 2019
Feb 18 22:21:32 openvpn[52155]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.66:53610
Feb 18 13:27:13 openvpn[15599]: Exiting due to fatal error
Feb 18 13:27:13 openvpn[15599]: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)
Feb 18 13:27:13 openvpn[15599]: TUN/TAP device ovpns1 exists previously, keep at program end


Looking forward to your replies.
Thx.

PS
What does this mean?
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.66:53610

I get this from time to time from IPs in the 185.200.118.xx range.
Is someone trying to connect to my OpenVPN using a port scan?
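An added shell example, not from the original post, that summarises the "cannot locate HMAC" rejections in the log above per source address. With tls-auth or tls-crypt enabled, that message means OpenVPN dropped a packet that did not carry a valid HMAC before any TLS handshake started, which is exactly the footprint of a scanner or a stray client; counting them per source turns the noise into something a cron check can alert on. The log lines inside the block are constructed from the format shown in the post, and the OPNsense log path in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): count "cannot locate HMAC" drops
# per source address from OpenVPN syslog lines. Each such line is a packet that
# tls-auth/tls-crypt rejected before the TLS handshake, so the server never
# spent any crypto or state on it.
# Constructed sample log lines in the format shown in the post; only the
# "from [AF_INET]ip:port" tail and the message text matter.
SAMPLE_LOG='Feb 18 22:21:32 openvpn[52155]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.66:53610
Feb 18 22:21:40 openvpn[52155]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.66:53611
Feb 18 22:22:01 openvpn[52155]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:4444
Feb 19 17:13:06 openvpn[52155]: 46.189.28.49:56646 peer info: IV_VER=2.4.6'

# Read log lines on stdin; print "count source" per source, most frequent first.
hmac_rejects_by_source() {
    awk '/TLS Error: cannot locate HMAC/ {
             src = $NF                       # e.g. [AF_INET]185.200.118.66:53610
             sub(/^\[AF_INET6?\]/, "", src)  # strip the address-family tag
             sub(/:[0-9]+$/, "", src)        # strip the source port
             n[src]++
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Print only sources with at least $1 rejections; prints nothing when none qualify.
hmac_rejects_over() {
    threshold="$1"
    hmac_rejects_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | hmac_rejects_by_source
```

Against a live box the same functions read the real log, for example `hmac_rejects_by_source < /var/log/openvpn/latest.log` (path assumed for a current OPNsense install). A source that keeps appearing here is being rejected by the HMAC check every time, so the right response is to keep tls-auth/tls-crypt on and, if the volume bothers you, feed `hmac_rejects_over` into a block alias rather than to change anything about the VPN itself.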
#6
Hi there,

With the recent update ntopng wants a data migration.

https://www.ntop.org/support/faq/migrate-the-data-directory-in-ntopng/

How can this guide from ntop be used to change the settings on OPNsense via console / SSH?

Thank you.
#7
Hi,

The connection is from Netcologne with a Fritzbox 7590 with the internal IP 192.168.178.1.
OPNsense is set up as an exposed host behind the Fritzbox with 192.168.178.42.
DynDNS is successfully set up in the Fritzbox with duckdns, and duckdns knows the IPv4 address.
Ports 80, 443 and 1194 (UDP for OpenVPN) are additionally forwarded in the Fritzbox.

Internet and everything in the LAN work fine too. The LAN has subnet 192.168.1.1 on the OPNsense.
OpenVPN was set up on the OPNsense as in the guide, including 2FA and cert.

How do I now pass the DynDNS address to the clients in VPN / CLIENT EXPORT so that I can reach my OpenVPN server on the OPNsense from outside?

I had previously run OpenVPN successfully with a fixed IP and only the OPNsense as router.
With the new connection I can't get this working yet.

Many thanks.
#8
Hey there,

Has anyone else experienced this too?
My LAN rule with FireHOL level 1 blocks internet for Windows 10.
The rule does not block it on Linux, Android or iOS when active and set before the default allow LAN to any rule.
If set after the default allow LAN rule, Windows 10 will connect to the internet of course, but this won't help me in blocking those IPs in the list, as the allow rule overrides the FireHOL rule.

Alias is set like this:
firehol    URL Table (IPs)    firehol    https://iplists.firehol.org/files/firehol_level1.netset  expiration 0 days + 12hours

See attachment for the rule setting.

Thank you!

Using FireHOL level 2 works with Windows.