Topics

1

21.7 Production Series / Update to OPNsense 21.7.1-amd64 /bin/bash missing

« on: August 10, 2021, 12:41:25 am »

I had an SSD block go bad which took my system down hard. I downloaded the 21.7 image and restored assuming that the bad block would be found and marked bad. When I attempted to use the  backup/restore option all hell broke loose. Lots of strange things, like unable to log in and interfaces not coming up.

Suspecting version incompatibility, I located the 21.1 image and restored. I was able to recover to it, just fine. So it does appear to be some sort of issue with the older backups. ?

Now though I have an odd issue that I need to resolve. I can ssh in, with no trouble, but if I try to su, or sudo su, it says: /usr/local/bin/bash: No such file or directory. how can I get a copy of this file back with no admin privileges? How does it not get installed from a scratch install? (21.1) If I save my backup from this 21.7 image, then install the newer image, I wonder if that works.

2

21.1 Legacy Series / Freeraduis - Multiple uses fails

« on: June 26, 2021, 05:11:18 pm »

This may or may not be possible, but it seems it should be.

I have had a multifactor Freeradius system set up for well over a year now where I use it to grab the google Authenticator.

Now I am wanting to also use it to provide 802.11x authentication, but in testing it shows a garbled password and fails. On a system only uses the 802.11x, it works fine. If I remove the Google authenticator it works. Is there a way to pass this to the proper client, or is it one and done? I think I may have confused client for server and I can only have one opnsense FreeRadius "server" in place and it is one or the other, but hoping there is a work around.

Thanks in advance.

3

20.7 Legacy Series / Wan Multicast traffic not wanted

« on: December 01, 2020, 06:28:04 pm »

I am using the latest firmware updates and while looking at NTOPNG data, I have discovered that my security cameras that use multicast are blasting the traffic out the WAN port as well as LAN. I thought you had to specifically open multicast to WAN. ?? I am not seeing where I have activated it and do not know what the ramifications would be by attempting to block this traffic. I'm sure it is something simple, but my searches have come up blank. Anybody?

4

20.7 Legacy Series / Uncaught Google_Service_Exception:

« on: November 18, 2020, 09:51:34 pm »

I've been getting this error now for a year. I have sent in dozens and dozens of "A problem was detected. Click here for more information." I guess these are not responded to or followed? I don't see any open subjects on this matter. I hope this is a simple fix, but I'm not sure where to start. I tried by removed Google SDK and that did not seem to resolve it. It is apparently a default install, but I can't see what I would need it for. It appears that it is trying to connect to a Google service that I have no account for.

[18-Nov-2020 01:00:08 America/Phoenix] PHP Fatal error:  Uncaught Google_Service_Exception: {"error":"invalid_grant","error_description":"Invalid grant: account not found"} in /usr/local/share/google-api-php-client/src/Google/Http/REST.php:118
Stack trace:
#0 /usr/local/share/google-api-php-client/src/Google/Http/REST.php(94): Google_Http_REST::decodeHttpResponse(Object(GuzzleHttp\Psr7\Response), Object(GuzzleHttp\Psr7\Request), 'Google_Service_...')
#1 /usr/local/share/google-api-php-client/src/Google/Task/Runner.php(176): Google_Http_REST::doExecute(Object(GuzzleHttp\Client), Object(GuzzleHttp\Psr7\Request), 'Google_Service_...')
#2 /usr/local/share/google-api-php-client/src/Google/Http/REST.php(58): Google_Task_Runner->run()
#3 /usr/local/share/google-api-php-client/src/Google/Client.php(842): Google_Http_REST::execute(Object(GuzzleHttp\Client), Object(GuzzleHttp\Psr7\Request), 'Google_Service_...', Array, NULL)
#4 /usr/local/share/google-api-php-client/src/Google/Service/Resource.php(232): Google_Client->execute(Object(GuzzleHttp\Psr7\Request), 'Google_Service_ in /usr/local/share/google-api-php-client/src/Google/Http/REST.php on line 118

So the only plugin I have is Google Cloud SDK, but I didn't ask for it. How do I disable this? Or does that cause a problem?

5

20.7 Legacy Series / updatedb locate proper usage

« on: August 21, 2020, 08:58:57 pm »

I LOVE the locate utility, but I'm not sure how to do a database update in Opnsense. If I run updatedb as root, it kicks me out saying it is unsafe. If I try to use just a system username it says permissions denied. What is the proper way to rung updatedb to update the database?

6

20.7 Legacy Series / NTOPNG will not start

« on: August 21, 2020, 08:15:31 am »

I have been using NTOPNG for awhile now and I'm not sure if the update to 20.7 borked it, or something else. The Redis service has started, but the ntopng service will not start. I've removed both redis and ntopng and started over, but something is corrupt. Even though I delete the redis program, when I re-install it, my old settings are still there, so it looks like I'll have to delete something from bash. Anybody know how?

7

20.7 Legacy Series / Possible error checking while backing up, or restoring

« on: July 28, 2020, 09:49:24 pm »

I have been (wrongly) cursing Opnsense for about 6 months now, threatening to go another direction. My son has the same setup, same hardware and never has a problem. Well, the issue finally raised it's ugly head for good last night.

I had just successfully got my multi factor auth openvpn working like a champ. So the very first thing I did was to backup! So I would have a proper copy. I then proceeded to attempt to connect to my NAS to save it in another location. I could not connect. Long story short, it is a firewall problem. So I reboot to see if something is borked. DONE!! Never comes up!! I go connect a monitor to it and it is attempting to load /root.

So now I have some sort of corruption going on and I can't seem to fix it. I did an fsck on it, and it didn't show any errors. Well I was desperate to get this up before sunrise. I had a new box sitting here, so I loaded the OS, restored the data, but alas, I'm missing things.

Let me go back to 6 months ago. I would routinely save so as to not lose data. Then a week or so later, things that were working were no longer working. Rules were just gone!! Not all, just some. Aliases, gone! Not all. I have had this mysterious stuff missing for months now. My son swore I was borking stuff. I was not.

So it appears to be an SSD HD sector failure. Why it did not mark it out and keep going, I am not sure yet. But.. would be possible to do some sort of error trapping during backup and restores? I'm not a programmer, and maybe this isn't even possible, but it seems some sort of checksum or something to catch an early problem. At least the bald patch on my head can now start growing out, once I redo all the lost data and save once more.

IDeas?

8

20.7 Legacy Series / Firewall Live View filtering

« on: July 28, 2020, 03:37:50 am »

Something has either broken or changed.

The live view is an incredibly useful troubleshooting log because I was able to filter on Interface port and even down to an IP address. Filtering by IP address allows me to view a particular device I'm having issues with.

All of a sudden since the last update, (possibly the one before the last one) I can no longer filter on IP address. it ignores the filter and shows all.

Is this a bug that was introduced or has the way it worked changed?

9

20.7 Legacy Series / OpenVPN and certifcate issue

« on: July 25, 2020, 02:58:02 am »

At one point I had my OpenVPN working just fine and awhile back, it quit working, and I borked it so badly it has never worked since. I made the mistake of posting this question on an OLD thread. I finally found this place to post.

I finally decided to come back and revisit this and found that I had the wrong certificate in the Client export. It is showing "SSLVPN Server Certificate" and I believe it should be the user certificate. I can not for the life of me figure out where to change this. I thought that maybe if I deleted the linked user certificate under my user id might force it. Alas, when I went to select System/Access/User/User Certificate, I chose use existing certificate. Nothing came up. Just 2 boxes to past raw certificate data. I tried about 5 times, and all of a sudden it popped up. I am wondering if I have uncovered a bug?

More importantly, how do I change the certificate under VPN/OPENVPN/ClientExport/ at the very bottom where is shows Accounts/Certificates mine shows SSLVPN Server Certificate. Linked users are blank. I don't see anywhere in the documentation where to modify this. Anybody?

10

Intrusion Detection and Prevention / suricata reporting Scirius, Evebox or Kibana

« on: October 27, 2019, 11:19:18 pm »

I'm fairly new to Opnsense and Suricata. I came from Pfsense and Snort where reporting was built in.

Either I'm totally missing something, or there is no built in reporting for Suricata in Opnsense. I've digging around and found 3 utilities listed above that apparently will do that for me. I do not see any built in support for any of this. So the question is, what am I missing? If I'm not missing something, then can we get a request in for package support for one of the above?

Is it at all possible for me to manually install Scirius into a web server on the box? I can see a HUGE problem trying implement it on an external server and trying to integrate it all.

I activated IPS and within minutes it  blocked a game for a user and because all I can see is raw logs I can't find the rule to clear. In Snort/Pfsense, I could clear a rule within seconds.

Any guidance appreciated.

11

General Discussion / Kill DHCP6 daemon?

« on: September 04, 2019, 01:04:23 am »

Hopefully I am not asking a duplicate question. I could not find it if it is.

I noticed that I am getting tons of dhcp6 [50828] (process id?) "sending solicit" and  Listen queue overflows.

Since I do not wish to have dhcp6 running at all in any way shape or form on this little box, I went through and thought I had turned it all off. I can not find anything left that has dhcp6 turned on in the GUI anywhere.

so I looked at the processes and sure enough there is dhcp6 cranking away. I killed the process and now the buffer overflows are gone as well.

So the question is, shouldn't I be able to turn this service off via gui? If not, how can I permanently keep it off after reboot?

12

Documentation and Translation / 2FA to multi factor authentication

« on: September 03, 2019, 03:49:45 am »

Greetings. This will be my first post, so be gentle. I recently made the switch to Opnsense from PF and now need to get everything running. One of the things I'm trying to do, is multi-factor authentication. Here is where I'm getting my instructions from: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Where I'm stuck is this line: Go to VPN ‣ OpenVPN ‣ Servers and click the pencil icon next to the server we just created to change the 2FA to multi factor authentication.

There simply is NO such place to make this change. So is there an undocumented package that needs installing? As a result the following steps don't work and a certificate is not exported. I'm so close! Any help appreciated. It is just a missing piece of the puzzle, or a change has been made to the system and this didn't get updated. ??