
Topics - moware

1
24.1 Legacy Series / IDS Ignore Policy Checkbox
« on: March 08, 2024, 10:20:59 am »
I just upgraded to 24.1.3_1, but I still cannot see this new checkbox, which would allow me to get rid of my current /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml customization:

https://github.com/opnsense/core/pull/7271/commits/70dfce8d5f95a5e71da48f145e01d1ce9d22503f

Did that change not make it into 24.1.3?

2
23.1 Legacy Series / Upgrade from 22.10 (business) to 23.1 (community)
« on: April 17, 2023, 04:15:57 pm »
I already have a running opnsense firewall, and I want to use a second device as cold standby. I bought one of the Deciso devices, and they arrive pre-installed with opnsense business (22.10). For compatibility reasons (I want both devices to have exactly the same configuration), I also want this device to run the community edition (just like the main device).

So far, I did the following:
  • Connect on the serial console.
  • Import the configuration from the main device via a USB stick with "8 Shell" and "opnsense-installer".
  • Now, when I try to upgrade the device with "12) Update from console", I get the following error message:

Code:
Fetching change log information, please wait... fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.10/sets/changelog.txz: Not Found

This will automatically fetch all available updates and apply them.

Usage: pkg version [-IPR] [-hoqvU] [-l limchar] [-L limchar] [-Cegix pattern]
                    [-r reponame] [-O origin|-n pkgname] [index]
        pkg version -t <version1> <version2>
        pkg version -T <pkgname> <pattern>

For more information see 'pkg help version'.
This update requires a reboot.

Proceed with this action? [y/N]:

Indeed, https://pkg.opnsense.org/FreeBSD:13:amd64/22.10/sets/changelog.txz does not exist.

How do I tell my device (from the CLI) to upgrade to the latest community edition?

3
Hardware and Performance / Upgrading RAM on a Deciso "OPNsense Ghz small" box
« on: August 01, 2021, 11:23:49 am »
I have a Deciso OPNsense Ghz small box, which has served me well over the last few years.

However, we seem to be hitting the 2GB RAM limit recently: Every now and then, suricata will crash after downloading new rule sets:

Code:
...
2021-07-31T20:10:07 /rule-updater.py[9914] download completed for https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
2021-07-31T20:10:29 kernel pid 4369 (suricata), jid 0, uid 0, was killed: out of swap space
...

There is no swap partition enabled (which makes sense, since the system only contains an SD card (16 GB) as permanent storage), so my first thought was to upgrade RAM. I imagine that going from 2 to 4 GB would be the easiest (= least work for me) and probably also the cheapest way to fix this. (Please do tell me if you disagree and recommend something else instead.)

So, my plan would be to (a) open up the device, (b) find out the brand and type of the mainboard, (c) check the mainboard docs for compatible RAM, (d) buy it and (e) replace the RAM.

My question to you, dear community:
  • Anything wrong with this plan? Has anybody already done this successfully/unsuccessfully?
  • Is the mainboard and/or supported RAM for this device documented anywhere (I did not find it in the spec section of the Deciso/applianceshop link mentioned above), so that I can skip steps a-c?

Thanks, best regards

4
20.1 Legacy Series / What's the point of linking users to certificates for OpenVPN?
« on: March 27, 2020, 10:26:48 am »
At the bottom of VPN: OpenVPN: Client Export, I can see which certificates are linked to which users.

I thought that the purpose of this was to ensure that only these combinations of certificate+user are valid, i.e. that a user can only log in with a certificate linked to them.

But it appears that I was mistaken: I just tried connecting with my personal login data and a certificate which is not linked to any user yet and... to my surprise, it just worked.

If that is not the purpose of linking certificates with users, what is the purpose?

Thanks for enlightening me
Heinzi

(Note: I know that I can configure OpenVPN to match user names and certificate CNs. That's not what my question is about. My question is about the linking between users and certificates that can be configured in System: Access: Users: (Choose user): User certificates, and which is shown in VPN: OpenVPN: Client Export.)

5
20.1 Legacy Series / Web UI gone after upgrade from 19.7.10 to 20.1(.1?)
« on: February 14, 2020, 04:14:20 pm »
I just upgraded my Deciso appliance (OPNsense GHz small) from 19.7.10 to 20.1 via the Web UI. This is what happened:

1. After downloading everything, the web UI told me to wait for a reboot.
2. After half an hour, the appliance was still unavailable. This had already happened during the 19.1 -> 19.7 upgrade (see https://forum.opnsense.org/index.php?topic=13749.msg63309), so I didn't worry and power cycled the device.
3. The device was quickly back online, with some services working (NAT, WAN failover), and others not working (OpenVPN, Web UI). Yes, this means that I cannot access the web UI any more!

nmap shows that no ports are open on the LAN interface of the device. I tried another power cycle, but it didn't help.

I just ordered a null-modem cable and a USB-serial adapter to see if I can debug this issue via the serial console; both should arrive next week.

Any other hints on what I can try in the meantime?

6
Intrusion Detection and Prevention / Send IPS alerts by e-mail
« on: October 17, 2019, 03:19:58 pm »
I successfully set up and configured IPS in opnsense. If I try to open a TCP connection from inside my network to a host listed, e.g., in the ET botnet list, the connection is blocked and I get an alert. So far, so good.

The problem is: The alert shows up in the opnsense web UI. I don't want to regularly check the web UI for alerts. If an alert happens, I'd like to be notified (by e-mail), so that I can investigate whether this is a security incident or a false positive.

Is there some built-in functionality in opnsense to activate this kind of e-mail notification? I activated Monit, but none of the built-in service alerts seems to relate to the IPS.

Thanks and best regards

7
19.7 Legacy Series / Unavailable after upgrade to 19.7, works after reboot. Anything I should check?
« on: August 07, 2019, 05:40:25 pm »
I just upgraded my 19.1.10 appliance (an OPNsense Ghz small from Deciso) to 19.7. This is what happened:

  • I unlock and start the upgrade to 19.7 using the web interface.
  • The update log in the web interface shows that a few things (the kernel, maybe 2-3 more items) have been downloaded. A popup overlay informs me that the system will be rebooted and tells me to wait.
  • The device sounds its reboot jingle.
  • Nothing happens for a long time. I start to get nervous.
  • Half an hour has passed, and the device is still unavailable (can't even ping it).
  • I power-cycle the device, afraid that I might have just bricked it.
  • Fortunately, the device comes back online. According to the web interface, the system is at version 19.7.
  • I upgrade the device to 19.7.2 (worked without issue).

So, apparently, something didn't work during the upgrade process to 19.7. Is there anything I should check? Or did the upgrade to 19.7.2 ensure that the system is in a "stable" state again?

Thanks, best regards
