Topics - utahbmxer

#1
22.7 Legacy Series / NetFlow nf_input_snmp index ?
January 06, 2023, 11:36:02 PM
Hi

Trying to work with netflow data that I am sending to Graylog.  I want to separate it into streams so I can work with it easier, etc.  Is there a way in the firewall (gui or CLI) that I can see what index number for nf_input_snmp matches the actual interfaces?  I have a lot of VLANs, so I want to make sure I am getting it right.  Thanks in advance!
#2
22.7 Legacy Series / NAXSI FMT to Syslog?
November 28, 2022, 10:26:02 PM
Curious if anyone knows if it's possible to send Naxsi logs to syslog?  I'm not seeing options specific to Naxsi.  While I see NGINX access and error logs, I'm not seeing NAXSI_FMT events.  Thanks!
#3
22.1 Legacy Series / 1:1 NAT over routed IPsec
July 20, 2022, 11:31:57 PM
Trying to convert an existing VPN from policy to route-based.  The tunnel works fine, but when I enable my 1:1 NAT rule, the traffic never actually leaves the firewall.  It's funny, if I do a tcpdump on the VTI, it appears that traffic is leaving.  However, it's not as I don't see the ESP frames leave my WAN interface, nor are they seen at the remote site.  Disable the NAT and traffic flows.

To use the 1:1 NAT on the policy-based tunnel, I had to add the "real" local host into the Manual SPD entries field of the phase2 entry, however that is not present on routed tunnels.  I'm at a loss.
#4
Hi

I have a /28 IP block with my ISP and am required to use PPPoE for these static addresses.  Firewall is being assigned the first IP when viewing packet capture and checking PPP IPCP frames (all other IPs are created as IP Aliases).  It seems that after upgrading to 22.1, the "WAN Address" is showing as the second usable IP now (first Alias), and this is also being used in the Automatic Outbound NAT rules.

I may have to switch to Manual outbound to fix this, but curious if anyone else has seen this?  What can I check?

Thanks!
#5
General Discussion / Strange hiccup in flows
August 19, 2021, 02:32:00 AM
Hi

Seeing some hiccups/blips in connections every 20-30 seconds, more noticeable with UDP traffic such as video conference calls, and some games running on my server in another VLAN.  All games from LAN to server in DMZ experience the blip at the same time.

Used iperf as client on OPNsense via SSH in a few different scenarios and the firewall is the only common piece.  Tests out LAN interface, and WAN (over ipsec to Azure) show same exact behavior.  They are sharing a dual port GbE Intel card, gonna try and swap it when I can find time.

PktCaps from the firewall only show one packet out of order, so it's like things hum along fine, then queue up and burst out (see attachment).  No re-transmissions or ZeroWindows that I can see.

Any diagnostics that would show a hardware or software issue?  I checked Interfaces > Overview and don't see any errors on the interfaces in question, however enc0 for the ipsec stuff doesn't show?

Thanks!
#6
I've been using OPNsense for a little over a year as my home firewall (after switching from Sophos).  Been amazing.  I have my LAN interface setup with several VLANs, one of those VLANs is part of my lab.  I have a Cisco ASA plugged into that VLAN that's been working fine with a few VMs behind it.  I've been wanting to play around (troubleshoot for work) with some IPsec stuff on the ASA and so I put a OPNsense VM in the same lab VLAN, with a VM behind it just like the ASA.

ASA outside and OPNsense WAN are in the same /24 subnet.

ASA 192.168.10.11/24
OPNsense 192.168.10.22/24

Here's the bug, traffic leaves the Cisco ASA (or any other VM in the lab subnet), hits the WAN of OPNsense VM, but the response traffic is borked.  The dest IP is the Cisco ASA (great), but the MAC address of the Ethernet header has the gateway of my home OPNsense (physical one).

Route table on the OPNsense VM shows:

ipv4   default   192.168.10.11   UGS   56135   1500   hn1   wan       
ipv4   127.0.0.1   link#2   UH   74   16384   lo0   Loopback       
ipv4   192.168.10.0/24   link#6   U   172   1500   hn1   wan       
ipv4   192.168.10.1   00:15:5d:01:02:bd   UHS   6414   1500   hn1   wan       
ipv4   192.168.10.11/32   192.168.10.11   UGS   54731   1500   hn1   wan       
ipv4   192.168.10.22   link#6   UHS   0   16384   lo0   Loopback       
ipv4   192.168.100.0/24   link#5   U   79009   1500   hn0   lan       
ipv4   192.168.100.1   link#5   UHS   0   16384   lo0   Loopback

Why with the direct /24 route (as well as a /32 with a gateway IP of the Cisco) does the traffic use the wrong MAC address?  This makes OPNsense hard to use in a lab.  Sure I could put each in their own VLAN and route between them on my main OPNsense box, but I shouldn't have to.  Sophos (UTM and XG), pfsense, Cisco, Juniper and all my Linux and Windows VM work just fine in this scenario with no special config.  Is this a bug, or am I missing something?
#7
Hi

Using the WAF/NGINX for a few different apps and it's been awesome!  One thing I am looking to figure out is how can we add specific headers for a single Location via the GUI?  I am working on getting the notifications working for Bitwarden_rs which uses websockets for a specific location/path to route to another port on the backend server.

I need to add the following for /notifications/hub:

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;

I was able to create the location as needed and then edit /usr/local/etc/nginx/nginx.conf manually and reload the service, but I would rather not have to do this each time I make a change.  I noticed the notifications are working without, but would be nice to include them.

TIA!
#8
21.1 Legacy Series / Previous Session/State Info?
February 03, 2021, 02:20:40 AM
Hi
Just moved one of my VMs into my DMZ vlan, which is on the same physical interfaces as the LAN vlan.  This is a minecraft server which has worked flawlessly before attaching to the other vlan.  Having an issue where after 15-20 minutes the clients will just drop, and the server reports as 'xxxxxx left the game'.

This got me interested in knowing the life of the connection and why the connection/state was closed by the server.  I started poking around in logs, and stuff.  At one point I had netflow data going to my Graylog instance, but I must have turned that off as all I have now is filterlog and nginx/waf logs.

So my question is, obviously we have the filterlog which shows the src, dst, interface, action, and so on.  Is there any log like conntrack or similar which will report the states end reason (age-out, FIN, RST, etc), bytes sent/recv, and other metrics?  Would be nice to know for instances where something happened and I can't run a tcpdump while reproducing.

Thanks in advance!
#9
Hi

20.7.7_1 and running postfix to relay external email to my internal Zimbra server (in case it's unavailable, etc.).  I have my only domain configured with the internal IP address (192.168.1.X).  I can see email getting deferred in the log:

status=deferred (connect to 192.168.1.X[192.168.1.X]:25: Operation timed out)

I am able to Port-Probe and ping the host just fine from both the GUI and SSH.  So I start a packet capture and the traffic is heading out the pppoe0 interface, when it should be going out the igb0 interface which is the LAN!

# route get 192.168.1.X
   route to: mail
destination: 192.168.1.0
       mask: 255.255.255.0
        fib: 0
  interface: igb0
      flags: <UP,DONE,PINNED>


I'm scratching my head.
#10
20.7 Legacy Series / syslog (filterlog) format change
October 15, 2020, 02:36:22 AM
Hi

Noticed today that my Graylog instance wasn't parsing the filterlog events, after looking at my regex I noticed that there appears to be a number in square brackets after filterlog.

used to be like this:
<134>Oct 14 18:28:48 gw.domain.com filterlog: 80,,,0,igb0,match,pass,out....

now it's:
<134>Oct 14 18:28:48 gw.domain.com filterlog[55753]: 80,,,0,igb0,match,pass,out....

This must have changed after 20.1?  Any indication what the number is?  My guess is the PID of the pf daemon/service.

Thanks
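An added example, not from the post or from OPNsense, showing how a parser can accept both line shapes quoted above by making the bracketed PID optional. The leading CSV column names are assumed from the standard pf filterlog layout; the sample lines are constructed, with the truncated "...." tail replaced by a short made-up remainder.

```python
import re
from typing import Optional

# Syslog envelope regex: the "[pid]" group is optional, so the pattern
# matches both the pre-change and post-change filterlog line shapes.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"filterlog(?:\[(?P<pid>\d+)\])?: "
    r"(?P<csv>.*)$"
)

# Leading filterlog CSV columns (assumed from the standard pf filterlog
# layout; the columns after "direction" vary by IP version and protocol).
HEAD_FIELDS = ("rulenr", "subrulenr", "anchor", "tracker",
               "interface", "reason", "action", "direction")

def parse_filterlog(line: str) -> Optional[dict]:
    """Return a dict of parsed fields, or None if the line is not filterlog."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    cols = m.group("csv").split(",")
    if len(cols) < len(HEAD_FIELDS):
        return None
    rec = {
        "facility": pri >> 3,   # <134> -> 16 (local0)
        "severity": pri & 7,    # <134> -> 6 (info)
        "host": m.group("host"),
        "pid": m.group("pid"),  # None when the bracketed number is absent
    }
    rec.update(zip(HEAD_FIELDS, cols))
    rec["rest"] = cols[len(HEAD_FIELDS):]   # remaining columns, left untouched
    return rec

# Constructed samples: the two line shapes quoted in the post, with the
# truncated "...." tail replaced by a short constructed remainder.
OLD_LINE = "<134>Oct 14 18:28:48 gw.domain.com filterlog: 80,,,0,igb0,match,pass,out,4,0x0"
NEW_LINE = "<134>Oct 14 18:28:48 gw.domain.com filterlog[55753]: 80,,,0,igb0,match,pass,out,4,0x0"

if __name__ == "__main__":
    for sample in (OLD_LINE, NEW_LINE):
        print(parse_filterlog(sample))
```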
#11
20.1 Legacy Series / NGINX Reverse Proxy Ciphers
May 08, 2020, 06:33:33 PM
How can we change the ssl-ciphers that get generated in the nginx.conf file?  I've poked around and don't see any obvious place.  Are these hard coded, or do they use the system ones from System: Settings: Administration?

TIA
#12
20.1 Legacy Series / NAXSI Whitelist Generation
May 06, 2020, 02:02:56 AM
Hi
Been playing with OPNsense for several months and just replaced my home firewall (SophosXG) with OPNsense.  I used the NGINX (with NAXSI default rules) plugin to configure all my sites.  I set up the first server with the hostname "_" so that it gets any traffic that does not match my valid site names; this "HTTP server" also has a Deny ACL of 0.0.0.0/0.  If you hit my WAF with the IP or any other SNI hostnames that don't match, you get a 403 response, which is what the WAF on my XG did, and while it's security through obscurity it seems to work great.

I tried to use NXAPI on another workstation, but it seems like it's designed to run on the actual web servers, as it seems to be trying to pull rules from an already configured list.  I don't want to dig through the error log manually and try to create whitelists, but I guess if that's all that will work here, then so be it.

What are some suggestions, what are others doing here for whitelist creation?

Thanks!
#13
19.1 Legacy Series / Possible Routing Bug?
May 10, 2019, 06:32:02 AM
I have 19.1 deployed in Hyper-V for testing; its WAN interface is on VLAN10 (access) within Hyper-V, with no tagging done in OPNsense (have tried no VLAN as well).  I am observing some strange behavior while trying to build an IPsec tunnel to another network appliance in the same WAN subnet.  After scratching my head for 2 days wondering why that other network appliance was not getting any response from the OPNsense appliance, I found the issue but have been unable to figure out the why.

Traffic from any host in the same /24 WAN network going to OPNsense WAN address, the response/return goes to the default gateway of the WAN interface (my actual home firewall).  The IP in the TCP/IP header is correct, but the MAC address is that of my home firewall.  ARP table looks correct, no static routes, no custom NAT, I am stumped.

root@OPNsense:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.10.1       UGS         hn1
127.0.0.1          link#2             UH          lo0
172.16.16.0/24     link#5             U           hn0
172.16.16.1        link#5             UHS         lo0
192.168.10.0/24    link#6             U           hn1
192.168.10.9       link#6             UHS         lo0


root@OPNsense:~ # arp -a -n
? (192.168.10.1) at a0:36:9f:28:75:24 on hn1 expires in 1132 seconds [ethernet]
? (192.168.10.9) at 00:15:5d:01:02:32 on hn1 permanent [ethernet]
? (192.168.10.13) at 00:15:5d:01:02:38 on hn1 expires in 1087 seconds [ethernet]
? (172.16.16.100) at 00:15:5d:01:02:33 on hn0 expires in 1041 seconds [ethernet]
? (172.16.16.1) at 00:15:5d:01:02:31 on hn0 permanent [ethernet]


Here is where it gets interesting.  A ping from the OPNsense appliance uses the correct MAC, but immediately after I ping from the other side, the last packet has the wrong MAC (that of the default gateway).

18:54:53.342957 00:15:5d:01:02:32 > 00:15:5d:01:02:38, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 27241, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.9 > 192.168.10.13: ICMP echo request, id 16234, seq 15, length 40
18:54:53.343594 00:15:5d:01:02:38 > 00:15:5d:01:02:32, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 55050, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.13 > 192.168.10.9: ICMP echo reply, id 16234, seq 15, length 40

18:55:03.320031 00:15:5d:01:02:38 > 00:15:5d:01:02:32, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 15972, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.13 > 192.168.10.9: ICMP echo request, id 1, seq 260, length 40
18:55:03.320259 00:15:5d:01:02:32 > a0:36:9f:28:75:24, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 5355, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.10.9 > 192.168.10.13: ICMP echo reply, id 1, seq 260, length 40
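An added diagnostic example, not from the post or from OPNsense, that turns the comparison made above into a check: it parses `arp -a -n` output and tcpdump Ethernet/IPv4 lines, then flags any frame whose destination MAC differs from the ARP entry for its destination IP. The embedded samples are the ARP entries and frames quoted in the post; the regexes are assumptions about the tcpdump line shapes shown there.

```python
import re

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<ifn>\S+)")
FRAME_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]{17}) > "
                      r"(?P<dmac>[0-9a-f:]{17}), ethertype IPv4")
IP_RE = re.compile(r"^\s+(?P<sip>[\d.]+) > (?P<dip>[\d.]+):")

def parse_arp(text):
    """Map IP -> (mac, interface) from `arp -a -n` output."""
    return {m["ip"]: (m["mac"], m["ifn"]) for m in ARP_RE.finditer(text)}

def parse_frames(text):
    """Pair each tcpdump Ethernet header line with its indented IPv4 detail line."""
    frames, pending = [], None
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            pending = fm.groupdict()
            continue
        im = IP_RE.match(line)
        if im and pending:
            pending.update(im.groupdict())
            frames.append(pending)
            pending = None
    return frames

def find_mac_mismatches(arp_text, pcap_text):
    """Return (ts, dst_ip, arp_mac, frame_mac) for frames sent to the wrong MAC."""
    arp = parse_arp(arp_text)
    findings = []
    for f in parse_frames(pcap_text):
        entry = arp.get(f["dip"])
        if entry and entry[0] != f["dmac"]:
            findings.append((f["ts"], f["dip"], entry[0], f["dmac"]))
    return findings

# Samples taken from the post above (ARP table and the four captured frames).
ARP_TEXT = """? (192.168.10.1) at a0:36:9f:28:75:24 on hn1 expires in 1132 seconds [ethernet]
? (192.168.10.9) at 00:15:5d:01:02:32 on hn1 permanent [ethernet]
? (192.168.10.13) at 00:15:5d:01:02:38 on hn1 expires in 1087 seconds [ethernet]"""
PCAP_TEXT = """18:54:53.342957 00:15:5d:01:02:32 > 00:15:5d:01:02:38, ethertype IPv4 (0x0800), length 74:
    192.168.10.9 > 192.168.10.13: ICMP echo request, id 16234, seq 15, length 40
18:54:53.343594 00:15:5d:01:02:38 > 00:15:5d:01:02:32, ethertype IPv4 (0x0800), length 74:
    192.168.10.13 > 192.168.10.9: ICMP echo reply, id 16234, seq 15, length 40
18:55:03.320031 00:15:5d:01:02:38 > 00:15:5d:01:02:32, ethertype IPv4 (0x0800), length 74:
    192.168.10.13 > 192.168.10.9: ICMP echo request, id 1, seq 260, length 40
18:55:03.320259 00:15:5d:01:02:32 > a0:36:9f:28:75:24, ethertype IPv4 (0x0800), length 74:
    192.168.10.9 > 192.168.10.13: ICMP echo reply, id 1, seq 260, length 40"""

if __name__ == "__main__":
    for ts, dip, want, got in find_mac_mismatches(ARP_TEXT, PCAP_TEXT):
        print(f"{ts} frame to {dip}: ARP says {want}, frame used {got}")
```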