Topics - allebone

1
Zenarmor (Sensei) / Blocking quic in policies also blocks whatsapp messenger voip calls
« on: November 26, 2022, 03:24:34 pm »
While blocking quic (under the media streaming policy) does prevent DNS over quic from working, it also blocks whatsapp audio calls as they use udp 443 also for their calls. How can I allow whatsapp calls while still blocking quic in general? Unfortunately the current rule is too blunt an instrument, so I have had to turn it off as whatsapp audio calls are used on the network. This exposes allowing all quic traffic, however.

Kind regards
P

2
22.7 Legacy Series / Bug? Alias updates no longer logged to system log (or anywhere?)
« on: August 02, 2022, 04:11:52 am »
Before updating to 22.7, aliases that were of type "URL Table (IPs)" with a refresh interval, when updating on the refresh interval, would write to the system log "fetched alias <name> from <url>" or something to that effect; I don't remember the exact wording. I used this during my daily audits but now it appears this no longer occurs. Where is this information being logged / how can I turn logging back on for the aliases that update? Was this change intentional or a bug? I would like to view the log / when aliases update in some log somewhere, don't mind where, but it should be exposed in my opinion.

Kind regards
Peter

3
Zenarmor (Sensei) / Did I misunderstand wireguard, zenarmor, kmod?
« on: July 31, 2022, 07:13:31 pm »
I switched to kmod a while ago and was happily waiting for zenarmor to 'catch up' and eventually be able to support monitoring on the kmod version of wireguard's interface. However now I am thinking that will never happen as the kmod version is stripped down and missing stuff that sensei/zenarmor needs to work. Did I imagine that it was possible for the kernel version of wireguard to be supported one day by zenarmor, or is that impossible by design and I should be using wireguard go instead?

4
21.7 Legacy Series / Wireguard road warrior (followed default guide) - all works but can't ping clients
« on: November 29, 2021, 05:07:31 pm »
Has anyone else ever had an issue where, if you follow the guide to the Wireguard Roadwarrior setup, everything works except that from a LAN client you can't ping a WG client that's connected?

5
21.7 Legacy Series / I can't work out how everyone else managed to get MTU of 1500 working on pppoe
« on: November 23, 2021, 02:10:18 pm »
Hi,

I'm with an ISP that allows the MTU of 1492 to be brought up to 1500 on a pppoe connection. It's not clear to me how everyone else achieved this. I have read several topics on the forum and tried the suggestions but I can't seem to get it to work on OPNsense 21.7.5-amd64.

I had a pppoe connection on top of the em0 interface working on an MTU of 1492 and started by setting the MTU to 1508 there, which then states "calculated MTU 1500".

This had no effect so I read other posts that said you needed to make a dummy interface of em0 and simply enable it and set an mtu of 1508 there which I also did.

This also had no effect even after rebooting. The pppoe dials and ends up with an mtu of 1492 at the end. What is the method people use to force an mtu as I am clearly missing a step?

Kind regards
P

6
21.7 Legacy Series / A rule that should not block on the firewall blocked something temporarily.
« on: October 15, 2021, 09:59:12 pm »
Hi there,

I had a strange occurrence. I have rules that block certain IPs on my home network and an allow rule above this block rule that allows certain IPs that I don't want captured in the block.

Last night a netflix CDN IP was blocked. I noticed today (the next day) when reviewing the logs. However this IP was already in the allow rule. The effect this had was that momentarily netflix would not work; I refreshed a few times and thought nothing of it. However I noticed today that the IP was blocked, and so I went to add it to the list of allowed IPs and discovered it was already in the list.

This means temporarily the rules did not function as expected last night. However there were no changes to the firewall and in fact I was not logged onto it at all either at that time or around that time (due to watching netflix).

Why would the firewall temporarily ignore a firewall rule? The problem seems to have resolved itself with no intervention. I have not added this IP later on into the alias of allowed IPs. I can confirm it was already in there and did not require a change to the firewall.

Kind regards
Pete

7
21.7 Legacy Series / Help with vlan and untagged on 1 interface. Kind of works :(
« on: August 31, 2021, 03:07:47 pm »
Hi there,

I would like to create a vlan and have this run over the same physical cable as my current untagged LAN.
I have configured what I imagine to be an acceptable configuration but it does not work 100%.

The config is as follows:

Physical:
An RJ45 from port em1 (LAN) to a unifi switch.

Configuration OPNsense
Create under interfaces - other types - vlans - VLAN5 on interface em1.
Under assignments create VLAN5 on em1 so it appears as an interface.
Configuring interface vlan5 I set static ip of 192.168.5.1 (Lan is set to 192.168.2.x already).

Create a rule to allow all traffic anywhere to anywhere on vlan5 firewall rules for testing.

Save config.

At this point I can no longer log into the web interface of my opnsense box, although it appears like everything is working.

So to try to resolve logging into opnsense I configured other types - bridge - and added vlan5 and LAN as a bridge.

Once saving, this means I can access the web interface again. However the web interface is very slow, and takes about 30 seconds to load up a page when clicking from page to page, as opposed to immediate when I had no vlan5 config at all.

Can someone assist me in explaining where I am going wrong in understanding what I should do and how to achieve 1 physical interface running both LAN and a VLAN on top of it? The reason for this requirement is I have no other ports available, because I have another VLAN that's on a separate cable and I don't have this problem with it.

Kind regards
Pete


8
21.7 Legacy Series / Unable to upgrade from OPNsense 21.1.9_1-amd64 to 21.7
« on: July 28, 2021, 02:39:50 pm »
Hi there,

I have tried updating 2 times (once from the GUI and one time from the CLI after SSH into the firewall and selecting option 12).
Both times the files are downloaded and the firewall reboots, but after some time when it has rebooted I am still on 21.1.9 and am offered the update again.

How can I view what is going wrong with the update/what logs can I check?

Pete

9
General Discussion / Unbound advanced configuration has been removed.
« on: July 14, 2021, 08:01:09 pm »
From announcements:
Unbound advanced configuration has been removed.  Local override directory /usr/local/etc/unbound.opnsense.d exists.


Does anyone know why this has been removed? I'm sad it has been removed because I used that page when setting up unbound. Will it still be easy to set the options that were on that page for me? I ask out of ignorance as I don't know why it was removed or how to configure the same options going forward. I'm hoping it will be easy.

P

10
21.1 Legacy Series / Wireguard kmod issue I had to overcome.
« on: July 12, 2021, 02:57:25 pm »
Hi there,

I saw everyone said the wireguard kernel version was faster/better than using the wireguard go option in opnsense. I had attempted to use it and found the opposite, and it was unstable so I tried to find the cause.

As it turns out I have a pppoe connection and noticed that the MTU on my pppoe interface was 1492. On the wireguard interface the MTU was set to 1420, which would be acceptable on a 1500 WAN interface setup.

However I found it was impossible to change the MTU on the WG interface. I set 1412 as the MTU on my wireguard interface and rebooted the firewall, but found even after reboot the overview area still showed an MTU of 1420 on the WG interface.

This was causing some timeouts on speedtest on my phone and also caused WG to run slow.

So I had to go to Firewall - Settings - Normalization and set a Max mss of 1412. This resolved the issues and brought wireguard back to normal.

I did not experience these issues on the WG-go implementation.
Also I don't understand why setting an MTU on the WG interface did not change the MTU after a reboot.

Lastly, while I can see the wg-go service is stopped in the GUI, is there a command I can run to check which module is being used from the CLI (i.e. either go or kmod) in case I need to do so from the CLI easily?

Kind regards
Pete

@franco

11
21.1 Legacy Series / Is it possible to change to libressl if I use wireguard?
« on: June 21, 2021, 09:04:29 pm »
I would like to change to libressl but worried it would break my wireguard setup. Does anyone know if this can be changed?

12
Zenarmor (Sensei) / os-sensei-1.9.1: checksum mismatch for /usr/local/sensei/userdefined/policy/Defi
« on: June 17, 2021, 02:15:53 pm »
Hi there,

What does this error mean in the request to audit health?

os-sensei-1.9.1: checksum mismatch for /usr/local/sensei/userdefined/policy/Definitions/systemdefault.policy

Kind regards
Peter

13
Zenarmor (Sensei) / Will the release notes page be updated with 19 or 19.1 changes soon?
« on: June 16, 2021, 05:06:19 am »
Last update was 1.8.2 on the release notes page.

14
21.1 Legacy Series / Outbound Nat Rewrite - how to monitor in logs?
« on: May 20, 2021, 09:52:28 pm »
Hello,

I have an outbound NAT rewrite rule that captures devices that ignore DNS and forces them to go via my internal pihole. For example, if a client such as my Roku TV attempts to connect to 8.8.8.8 on port 53, this is captured and sent correctly internally to my pihole.

See figure 1:

My issue is the logs do not tell me what IP this device attempted to access externally. I would like to know how to capture this information. E.g. I can see that 192.168.2.51 tried to access an IP on port 53 as the rewrite rule kicked in, but I would like to know what that IP is (i.e. was it 8.8.8.8 or some other IP, etc.).

How can I know this?

Here is the rewrite rule:

Here is the LAN FW rule:


Thanks in advance :)

Pete
15
Zenarmor (Sensei) / Blocking some things and reporting others. Is this possible?
« on: April 09, 2021, 12:40:45 am »
I have the default policy which has the things I want to block, but some things I only want to report but not block. If I create a new policy I can only seem to block things; there is no way to only report on the additional things I am wanting to monitor. Is this possible to achieve?

P
