Topics - tekgeek

1
24.7 Production Series / IPS/IDS filling my log file
« on: September 10, 2024, 07:01:21 pm »
I enabled IPS/IDS last night using "ETPRO Telemetry edition". I assume this is causing the log to fill with:

Notice   send_telemetry.py   telemetry data collected 16 records in 0.01 seconds

every 60 seconds. Is there a way to keep this from getting logged? It makes the "Live Log" widget absolutely useless.

2
24.7 Production Series / Kea and Unbound
« on: September 10, 2024, 12:05:46 am »
Does the Unbound option to "Register DHCP Static Mappings" work yet? I remember when it was first added it didn't. I found a script to import my ISC mappings into Kea:
https://github.com/EasyG0ing1/Migration/

It seemed to work fine, but I haven't enabled Kea yet. That's a midnight task or I'll piss people off. The "Register DHCP Static Mappings" option has been the only thing keeping me with ISC.

3
24.7 Production Series / NUT / TrippLite / Permission problems?
« on: September 09, 2024, 11:55:20 pm »
I have a TrippLite su1000rtxl2ua UPS set up with NUT.

General Settings
  Service Mode = standalone
  Name = TrippLiteTest
  Listen Address 127.0.0.1
UPS Type
  Driver: USBHID-Driver
    port=auto vendorid=09ae productid=40004 (values found on the console)

I don't ever get any output on the diagnostics page, so I check the logs and see:

Notice   usbhid-ups   writepid: fopen /var/db/nut/usbhid-ups-TrippliteTest.pid: Permission denied


So I stop the services and jump on the console and google. I manage to start the services as root no problem. So I stop them and try to start them as the "nut" user. Everything starts, I hop on the UI and boom UPS stats! So I reboot. 95% sure it's going to break, and I was right. So I try modifying the service to do this for me by changing the nut_prestart to start it with root, kill it, and start it the second time as nut.

nut_prestart() {
        #
        # As of PR/268960 UID/GID uucp is no longer used by nut.
        # Instead UID/GID nut is used. Make sure preexisting nut files
        # and directories are owned by nut instead of uucp.
        #
        # (POSIX sh string comparison is a single "=")
        if [ "${nut_file_fixup}" = "YES" ]; then
                find ${nut_prefix}/etc/nut -user uucp -exec chown nut {} \;
                find ${nut_prefix}/etc/nut -group uucp -exec chgrp nut {} \;
                find /var/db/nut -user uucp -exec chown nut {} \;
                find /var/db/nut -group uucp -exec chgrp nut {} \;
        fi

        # Start the driver as root first
        /usr/local/libexec/nut/usbhid-ups -a TrippliteTest -u root
        # Give it a moment to initialize
        sleep 2
        # Kill the root instance (match on the full command line started above)
        pkill -f "/usr/local/libexec/nut/usbhid-ups -a TrippliteTest -u root"

        # Now start the driver normally (as the nut user, via upsdrvctl)
        ${nut_prefix}/sbin/upsdrvctl start
}

This works but of course gets nuked with reboots, updates, and sometimes seemingly at random. I assume there is a proper way of editing services and this isn't it. So instead of learning the right way I save a copy in my home folder and create a script to copy the file and restart the service.

#!/bin/sh
# Stop at the first failing command so a failed copy does not restart the service
set -e

# Define the source and destination paths
SOURCE="/home/tekgeek/nut"
DESTINATION="/usr/local/etc/rc.d/nut"

# Copy the saved rc script over the installed one (-p keeps mode and ownership)
cp -p "$SOURCE" "$DESTINATION"

# Restart the NUT service to apply changes
service nut restart


I also put the script here /usr/local/opnsense/scripts/fixNUT/fixNUT.sh, and an action for the script to gain UI access to setup a cron job.

[run]
command:/usr/local/opnsense/scripts/fixNUT/fixNUT.sh
parameters:
type:script
message:Fixing NUT
description: Fix NUT


This still breaks so I need to occasionally run the script in my home folder manually?

This seems like a permissions bug in one of the startup scripts, but I don't know where or how to fix it. I would really like to not have this kludgy, fragile config. ChatGPT was used to modify the service and create the scripts.
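The log line in the post names the file the driver could not create, and the root-then-nut workaround only papers over whoever owns that state directory. The following is an added diagnostic (example code, not part of the post and not OPNsense's or NUT's own tooling) that pulls the pid-file path out of a writepid failure and then lists which entries in that directory are not owned by the service user. The sample log line is constructed from the post; the service user name `nut` and the `/var/db/nut` location are taken from the post's rc script, and the `check_state_dir` and `diagnose` helpers are this example's own names.

```python
import os
import pwd
import re

# Constructed sample of the message quoted in the post (not a captured log file).
SAMPLE_LOG = (
    "Notice   usbhid-ups   writepid: fopen "
    "/var/db/nut/usbhid-ups-TrippliteTest.pid: Permission denied"
)

# The driver's writepid failure; the path group is the file it tried to create.
WRITEPID_RE = re.compile(r"writepid: fopen (?P<path>\S+): Permission denied")


def pidfile_from_log(line):
    """Return the pid-file path named in a writepid failure, or None."""
    m = WRITEPID_RE.search(line)
    return m.group("path") if m else None


def owner_of(path):
    """Owner user name of a filesystem entry (falls back to the numeric uid)."""
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_state_dir(state_dir, user="nut"):
    """List ownership problems for a NUT state directory and the files in it.

    Returns an empty list when the directory and every entry directly inside
    it are owned by `user` and the directory is writable by its owner.
    """
    problems = []
    if not os.path.isdir(state_dir):
        return [f"missing directory: {state_dir}"]
    entries = [state_dir] + [
        os.path.join(state_dir, n) for n in sorted(os.listdir(state_dir))
    ]
    for p in entries:
        o = owner_of(p)
        if o != user:
            problems.append(f"wrong owner on {p}: {o} (want {user})")
    if not os.stat(state_dir).st_mode & 0o200:
        problems.append(f"{state_dir} is not writable by its owner")
    return problems


def diagnose(log_line, user="nut"):
    """Tie the log message to the directory check: returns (pidfile, problems)."""
    pidfile = pidfile_from_log(log_line)
    if pidfile is None:
        return None, ["no writepid failure in that line"]
    return pidfile, check_state_dir(os.path.dirname(pidfile), user)


if __name__ == "__main__":
    pidfile, problems = diagnose(SAMPLE_LOG)
    print("pid file from log:", pidfile)
    for p in problems or ["ownership looks consistent"]:
        print(" -", p)
```

Run it as root on the firewall after a reboot and again after the driver has started once as root: if the second run reports a root-owned pid file, the root start is what leaves the directory unusable for the nut user, which is exactly the state the rc script's `nut_file_fixup` block is meant to repair for the old uucp owner.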

4
24.1 Legacy Series / Error in logs I can't google away.
« on: February 21, 2024, 08:34:52 pm »
[Error]
opnsense

/xmlrpc.php: Unable to retrieve authenticator for ec+/VzE7xRr3xhGzFyZJk0n1PgAg+ZriD2Ty3SFq/4PtAhLpdOj0RZxeDorEKMKE2l47/1L4OAKZy+Po

I can't find this key anywhere. It's not related to any VPN, the self-signed https cert, or my Let's Encrypt https cert. I don't have "High Availability" so CARP (where google pointed me) shouldn't be running. The error repeats about every 80 seconds.

5
23.7 Legacy Series / Typo: Services - Unbound DNS - Advanced - Cache Settings - Message Cache Size
« on: January 20, 2024, 11:53:05 pm »
"DNS rcords" should probably be "DNS records".


Checked for an update, seems it's the current build. OPNsense 23.7.12-amd64

Check the picture

6
23.7 Legacy Series / VPN Guide is wrong or my install is broken.
« on: January 16, 2024, 05:13:20 pm »
Tried to follow
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

During step 2 there seem to be contradictions in the guide and the help notes when "full help" is selected. The attached image shows the section of the guide, and the wireguard instance error and help contradiction. 

7
23.1 Legacy Series / Disable logging of DHCP server in firewall possible?
« on: April 09, 2023, 03:28:45 pm »
I'm trying to clean up my FW logs and I can't seem to hide the logs for the automatic DHCP access rule. I tried to override it with a pass rule with logging disabled but realized it's a quick rule. Is there a check box, FW rule, or some other secret sauce that can hide this log?


The attached SS is my attempt at overriding the rule with another. I have the log enabled to see it catch the traffic, which it does, just after it's already been let through by the quick rule. The idea was that if it supplanted the automatic rule, I would just turn off the logging for the manual rule.

To be clear. I don't want to block traffic, just drop the logs.

8
18.7 Legacy Series / 4 interfaces, 1 wan, 3 lans, 1 vpn
« on: September 28, 2018, 03:18:58 am »
FIXED:
See 2nd post


So I'm trying to set up OPNsense with 3 LANs, a gateway, a VPN, and 4 physical interfaces.

bce0 - WAN : DHCP from cable modem : will soon be upgrading to gigabit internet, currently just 300/75
bce1 - LAN : 10.10.1.1/24 : TVs, Rokus, "Smart" devices, gaming devices, WIFI 1
bce2 - PIA : 10.10.2.1/24 : Servers, Desktops, Laptops, Cell Phones, WIFI 2
bce3 - MAN : 10.10.0.1/24 : Switches, IPMI (ILO, DRAC, BMC), UPSs, Tape Library

I want every device accessible to each other but.....
-The devices on the PIA lan should only be able to access the internet via the PIA VPN
-LAN - WAN
-MAN - no internet access,

I can get the interfaces configured and DHCP working on all the networks, but when it comes to the firewall I'm completely useless. I've been using pfSense guides and just general poking around to get this far. OPNsense's firewall is a lot different than pfSense's, and I've always just let the firewall do its own thing in the past with a simple 2 interfaces, 1 WAN, 1 LAN config, with NAT.

So starting with a factory reset then the guided setup. Here is what I've done:
-add the 2 other interfaces and configured DHCP for them
-Copied/modified the default allow all rules to all the LAN's
-when that failed to allow a ping from one lan to another I tried adding allow rules in both directions on all lans, still no ping

I haven't touched anything else. What should I do next? I can get internet on all LANs and can ping the other LAN interfaces, but I can't ping any clients in the LANs.

LAN : CAN reach the internet and ping opnsense MAN and PIA interfaces. CANNOT ping any computer on MAN or PIA

MAN : CAN reach the internet and ping  opnsense LAN and PIA Interfaces. CANNOT ping any computer on LAN or PIA

PIA : CAN reach the internet and ping opnsense LAN and MAN interfaces. CANNOT ping any computer on LAN or MAN

I feel like all my firewall rules are redundant except the copied default rule? What am I missing? I haven't had a more complicated setup than a Netgear or Linksys WIFI router, so I'm a bit out of my depth.

Current firewall rules:

LAN
Code:
Firewall: Rules: LAN
  Proto    Source    Port  Destination  Port     Gateway  Schedule  Description
  *        *         *     LAN Address  443, 80  *                  Anti-Lockout Rule
  IPv4 *   LAN net   *     *            *        *                  Default allow LAN to any rule
  IPv4 *   LAN net   *     PIA net      *        *
  IPv4 *   PIA net   *     LAN net      *        *
  IPv4 *   LAN net   *     MAN net      *        *
  IPv4 *   MAN net   *     LAN net      *        *

PIA
Code:
Firewall: Rules: PIA
  Proto    Source    Port  Destination  Port     Gateway  Schedule  Description
  IPv4 *   PIA net   *     *            *        *                  Default allow PIA to any rule
  IPv4 *   PIA net   *     LAN net      *        Null4
  IPv4 *   LAN net   *     PIA net      *        Null4
  IPv4 *   PIA net   *     MAN net      *        *
  IPv4 *   MAN net   *     PIA net      *        *

MAN
Code:
Firewall: Rules: MAN
  Proto    Source    Port  Destination  Port     Gateway  Schedule  Description
  IPv4 *   MAN net   *     *            *        *                  Default allow WAN to any rule
  IPv4 *   MAN net   *     LAN net      *        *
  IPv4 *   LAN net   *     MAN net      *        *
  IPv4 *   MAN net   *     PIA net      *        *
  IPv4 *   PIA net   *     MAN net      *        *

WAN
Code:
Firewall: Rules: WAN
  Proto    Source                          Port  Destination  Port  Gateway  Schedule  Description
  *        RFC 1918 networks               *     *            *     *                  Block private networks
  *        Reserved/not assigned by IANA   *     *            *     *                  Block bogon networks
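The poster suspects most of the rules above are redundant. That can be checked mechanically: OPNsense interface rules are evaluated for traffic entering that interface and, with the default "quick" setting, the first match wins. The following added example (not from the post, not OPNsense's own tooling) encodes the three LAN-side rule sets and the subnets from the post and walks each list in order, flagging a rule as "shadowed" when an earlier rule on the same interface already matches everything it matches, and as "unreachable" when its source subnet cannot arrive on that interface at all. Ports, the anti-lockout rule and the WAN rules are deliberately left out; `covers`, `analyse` and `report` are this example's own names. It says nothing about why hosts do not answer ping; it only shows which rules are never consulted, and in particular that a rule carrying a gateway (the `Null4` ones) placed after a broader allow-any rule never policy-routes anything.

```python
import ipaddress

# Subnets taken from the interface list in the post.
NETS = {
    "LAN net": ipaddress.ip_network("10.10.1.0/24"),
    "PIA net": ipaddress.ip_network("10.10.2.0/24"),
    "MAN net": ipaddress.ip_network("10.10.0.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
IFACE_NET = {"LAN": "LAN net", "PIA": "PIA net", "MAN": "MAN net"}

# (proto, source, destination, gateway, description) in the listed order,
# transcribed from the post's tables; "any" stands for "*" and ports are
# not modelled.
RULES = {
    "LAN": [
        ("IPv4", "LAN net", "any", "*", "Default allow LAN to any rule"),
        ("IPv4", "LAN net", "PIA net", "*", ""),
        ("IPv4", "PIA net", "LAN net", "*", ""),
        ("IPv4", "LAN net", "MAN net", "*", ""),
        ("IPv4", "MAN net", "LAN net", "*", ""),
    ],
    "PIA": [
        ("IPv4", "PIA net", "any", "*", "Default allow PIA to any rule"),
        ("IPv4", "PIA net", "LAN net", "Null4", ""),
        ("IPv4", "LAN net", "PIA net", "Null4", ""),
        ("IPv4", "PIA net", "MAN net", "*", ""),
        ("IPv4", "MAN net", "PIA net", "*", ""),
    ],
    "MAN": [
        ("IPv4", "MAN net", "any", "*", "Default allow WAN to any rule"),
        ("IPv4", "MAN net", "LAN net", "*", ""),
        ("IPv4", "LAN net", "MAN net", "*", ""),
        ("IPv4", "MAN net", "PIA net", "*", ""),
        ("IPv4", "PIA net", "MAN net", "*", ""),
    ],
}


def covers(outer, inner):
    """True when every address of `inner` is inside `outer`."""
    return NETS[inner].subnet_of(NETS[outer])


def analyse(iface, rules):
    """First-match walk over one interface's rule list.

    Assumes the OPNsense defaults: rules apply to traffic entering `iface`
    (direction "in") and are "quick", so the first matching rule decides.
    Returns (rule_no, kind, detail) tuples for rules that never take effect.
    """
    own = IFACE_NET[iface]
    findings = []
    for i, (proto, src, dst, gw, _) in enumerate(rules, 1):
        # Packets entering via this interface carry a source in its own
        # subnet (absent spoofing), so a foreign-source rule is never consulted.
        if not NETS[src].overlaps(NETS[own]):
            findings.append((i, "unreachable",
                             f"source {src} does not enter via {iface}"))
            continue
        for j, (p2, s2, d2, g2, _) in enumerate(rules[:i - 1], 1):
            if p2 == proto and covers(s2, src) and covers(d2, dst):
                detail = f"already matched by rule {j}"
                if gw != g2:
                    detail += f"; gateway {gw} is therefore never applied"
                findings.append((i, "shadowed", detail))
                break
    return findings


def report():
    """Findings for every interface in RULES, keyed by interface name."""
    return {iface: analyse(iface, rules) for iface, rules in RULES.items()}


if __name__ == "__main__":
    for iface, findings in report().items():
        print(iface)
        for no, kind, detail in findings:
            print(f"  rule {no}: {kind}: {detail}")
```

The general lesson the walk makes visible is ordering: narrow rules (inter-LAN traffic, a management subnet that must stay off the internet) have to sit above the broad allow-to-any rule, and the rule that is supposed to push a subnet's internet traffic through a VPN gateway only does its job when nothing broader matches first.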

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved