Topics

Updated to latest version of zenarmor, whitelisting site doesnt work for me. I add it to whitelist but still being blocked with reason "Whitelisted" ??

I also dont see any blocks anymore on the UI (livesessions->blocks).

Hi,
Im running an external elasticsearch index for zenarmor, I had to reset/remove the whole index because reporting from zenarmor was not working anymore.

Now I have reporting partly working again except for a few parts (cant see blocks for example)

The error I get when opening the reporting page for block is:

Code Select Expand

{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index",
        "resource.type": "index_or_alias",
        "resource.id": "alert_all",
        "index_uuid": "_na_",
        "index": "alert_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index",
    "resource.type": "index_or_alias",
    "resource.id": "alert_all",
    "index_uuid": "_na_",
    "index": "alert_all"
  },
  "status": 404
}

Is there a way to force the recreation of the whole index in a remote elasticsearch setup ? (i tried uninstalling zenarmor and reinstalling but did not recreate the whole index).

Thanks!

Hi, since about 2 days I get the error from zenarmor about disk being full. It also stopped logging to my remote elasticsearch. I see the temp dir is full

/usr/local/sensei/output/active/temp [ufs] (45M/48M)

How do I clean that out ?

Hi,
Im trying to set up opnsense in bridge mode, followed the instruction on: https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

Bridging works, but I get a lot of denies on "default deny rule" while I set an "allow any" on all interfaces (lan, wan and bridge) .. how can I check why the default deny rule gets hit ?

Hi, I reinstalled opnsense and reconfigured manually. Can I import the HAproxy of my old opnsense to my new ?

Hello,

Been trying to get mullvad wireguard to work in opnsense in bridge mode, I got the tunnel up but im not able to push traffic through the tunnel. Im wondering if it is possible in bridge mode ?

Hi,

Sensei is using 100% cpu and is capping my throughput, is it possible to exclude an IP in sensei so sensei does not scan the traffic at all ?
Have added the IP to the exempted network/ip list but sensei is still scanning.

Hi,

I am using sensei to block access to websites, while testing it seems to work, however, after being blocked I go to the URL bar again and just press enter and im allowed through to the website.. This happens when the page switches over from http to https, but it also happens when just pressing enter a few times in a row..

Also, will it be possible to redirect to a block page on https traffic ?
Thanks!

Hi,

Is it possible to use sensei to check / report on which IP is uploading or downloading  ? I dont have alot of devices on my network, still one of my devices has been uploading data constantly, its about 20 to 25gb a day.. Last friday when i was at work, and did not do anything on my own home network, still I saw 40gb of data going out in the status screen of sensei..

How can i find out which device it is ?

Thanks!

Hello,

im trying to set up a mysterium node in a DMZ on opensense. Mysterium is a dVPN service running wireguard server in it. From the outside im able to forward traffic to the mysterium node and can see it connect to the node, but im having problems getting traffic back out from the node. The wireguard set up in the mysterium node sets up its own subnet 172.18.0.0/16 as "allowed subnet". I dont know how to allow this traffic to pass out. My DMZ has subnet 10.42.246.0/24 im not sure if this is the problem ?

I tried entering the subnet range 172.18.0.0 in an alias an allow it through using a rule with the alias set a source but the default rule keeps blocking the traffic. Tried all kinds of nat rules but still being blocked..

Hi,

I have an elasticsearch instance running and am connecting to it from sensei (version 1.8 ). When trying to view reports I get the following error:

Code Select Expand

{
  "error": {
    "root_cause": [
      {
        "type": "circuit_breaking_exception",
        "reason": "[parent] Data too large, data for [] would be [1039763720/991.5mb], which is larger than the limit of [1020054732/972.7mb], real usage: [1039763184/991.5mb], new bytes reserved: [536/536b], usages [request=0/0b, fielddata=142807/139.4kb, in_flight_requests=536/536b, model_inference=0/0b, accounting=59793368/57mb]",
        "bytes_wanted": 1039763720,
        "bytes_limit": 1020054732,
        "durability": "PERMANENT"
      }
    ],
    "type": "circuit_breaking_exception",
    "reason": "[parent] Data too large, data for [] would be [1039763720/991.5mb], which is larger than the limit of [1020054732/972.7mb], real usage: [1039763184/991.5mb], new bytes reserved: [536/536b], usages [request=0/0b, fielddata=142807/139.4kb, in_flight_requests=536/536b, model_inference=0/0b, accounting=59793368/57mb]",
    "bytes_wanted": 1039763720,
    "bytes_limit": 1020054732,
    "durability": "PERMANENT"
  },
  "status": 429
}

I am building up logging for about 365 days and am about 90 days in.. could the ammount of kept logs be too large ?

Hi,

I found a new option available in the policy window:
"Please specify for whom this policy applies and when it becomes in effect"  It has my interface IGB1, it is not selected. What does this option do ? If it is unchecked, does it mean the policy is not applied/not working ?

Also, im not able to change the default policy anymore, i want to add an IP address exclusion but it is no longer allowed ?

Hi,
I have a question about sensei, I have configured sensei with a remote elasticsearch location. Now browsing the live session explorer it is filled with sessions from the firewall going to the elasticsearch server.. Is there a way to choose to ignore this connection to the elastic server so it wont show up in live explorer ?

Also not related to sensei but maybe someone knows, I read about SSL/TLS and user authentication, im not really clear on the license... is this functionality included in the basic license of elasticsearch ?

Thanks!

Hi, I forgot my ntopng password, how can I reset it (reinstalling didnt work) ?

Hi, I seem to have some issues with suricata. Currently im on the latest opnsense with netmap kernel also have sensei installed on it.

Suricata seems to generate alerts, I see some scan attempts on my open ports on the WAN side, but I also have a few rules enabled where I would expect suricata to alert and block the connection. In the emerging-info rules there is a rule enabled for a visit to http://www.whatismyip.com. Visiting this website should be blocked and alerted by suricata but there is no alert .. Regarding this, I only have suricata enabled on my WAN interface ... since I also have sensei enabled, if I also enabled suricata on my LAN the suricata service seems to crash.

How/where/what log can I check to see if suricata is doing anything ?
Thanks!

Hi, Im trying to configure the traffic shaper on opnsense. On the shaper settings I created:

1 upstream pipe 40mb
1 downstream pipe 180mb

1 normal upstream queue - weight 1 (used for normal upstream traffic)
1 normal downstream queue - weight 1 (used for normal downstream traffic)
1 higher prio upstream queue - weight 10 (used for higher prio upstream traffic)
1 higher prio downstream queue - weight 10 (used for higher prio downstream traffic)

1 rule with tcp/ack proto (sequence 1) - connected to higher prio upstream queue with weight 10, left settings default (src/dst any)
1 rule for download (sequence 2) - connected to normal downstream queue all settings default
1 rule for upstream (sequence 3) - connected to normal upstream queue also all settings left default

Tried a speed test and my max download is now 40mb, how do I make it use the downstream pipe (switched it around aswell, setting upstream to downstream but the download speed remains 40mb) ?

Thanks!

Hi, I updated from 19.7 stable branch to 20.1rc6 development branch. Update went fine, however since updating the logging is no longer working/updating. Im not using remote logging, disable write logs to disk is also disabled. Is this a known issue in this version of opnsense ?

Hi, since updating to version 19.7.7 openvpn is no longer pushing dns server IP to my openvpn client (android phone). Everytime I try to browse to a website I first get a err_name_not_resolved error page on my phone (im blocking dns/53 in/out), when doing a packet capture I see my phone is trying to send queries to google dns 8.8.8.8 and not to the dns server specified in the server configuration so I think the vpn client is not receiving the correct dhcp/dns settings.

On opnsense I set up a port forward to pick up all dns traffic and forwarding it to my local dns server, this seems to work but only on the second or third lookup (i have to refresh the page a few times before it resolves and loads the website). Openvpn has an option to block outside dns, maybe im overlooking but where can I find this option in opnsense ? I cant seem to find it anywhere..

Thanks!

When trying to update opnsense to 19.7.7 im seeing an error and it wont update to 19.7.7:

Fetching base-19.7.7-amd64.txz: .. failed, no signature found

Is this something I can fix myself ?

Hi,

Im trying to set up a logging server where im sending logs from opnsense to. The rule numbers are sent to the logging server but the rule decription is not, im trying to match the rule number I got from the log to the rule number in opnsense to set a description in grafana manually. Is there a way to lookup all rule numbers + description somewhere in opnsense ?