Topics - allebone

#1
Can anyone help me understand why I often see blocked packets in the logs for allow rules, such as this example?

I don't see why an allow rule would show as blocked in the logs when it also has logging disabled on the rule:

#2
Ran the update, but after it came back up something had gone wrong and it has half installed.

If I go to Firmware - Changelog it still thinks 24.7.12 is installed.
When I go to check for updates it finds "packages" and wants to upgrade from 24.7 to 25.1, but if I choose update, it installs and then offers the exact same update again.

If I run an audit it says:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.7.12_4 (amd64) at Wed Jan 29 17:03:40 EST 2025
>>> Root file system: /dev/ufs/OPNsense
>>> Check installed kernel version
Version 25.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-cpu-microcode-intel 1.1
os-ddclient 1.26
os-dmidecode 1.1_1
os-hw-probe 1.0_1
os-smart 2.3
os-theme-cicada 1.38
os-theme-rebellion 1.9.2
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
opnsense has a missing dependency: php82-session
opnsense has a missing dependency: php82-phalcon
opnsense has a missing dependency: php82-xml
opnsense has a missing dependency: php82-simplexml
opnsense has a missing dependency: php82-dom
opnsense has a missing dependency: php82-ctype
opnsense has a missing dependency: php82-filter
opnsense has a missing dependency: php82-pear-Crypt_CHAP
opnsense has a missing dependency: php82-phpseclib
opnsense has a missing dependency: php82-google-api-php-client
opnsense has a missing dependency: php82-sockets
opnsense has a missing dependency: php82-ldap
opnsense has a missing dependency: php82-pecl-radius
opnsense has a missing dependency: php82-curl
opnsense has a missing dependency: php82-pcntl
opnsense has a missing dependency: php82-gettext
opnsense has a missing dependency: php82-sqlite3
opnsense has a missing dependency: php82-pdo
opnsense has a missing dependency: php82-zlib
php82-pecl-mongodb has a missing dependency: php82
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 24.7.12_4 has 69 dependencies to check.
Checking packages: ..................
lighttpd-1.4.77 version mismatch, expected 1.4.76_1
Checking packages: .......
opnsense-installer-25.1 version mismatch, expected 24.7
Checking packages: .
opnsense-lang-25.1 version mismatch, expected 24.7.8
Checking packages: .
opnsense-update-25.1 version mismatch, expected 24.7.12
Checking packages: ...
Package not installed: php82-ctype
Checking packages: .
Package not installed: php82-curl
Checking packages: .
Package not installed: php82-dom
Checking packages: .
Package not installed: php82-filter
Checking packages: .
Package not installed: php82-gettext
Checking packages: .
Package not installed: php82-google-api-php-client
Checking packages: .
Package not installed: php82-ldap
Checking packages: .
Package not installed: php82-pcntl
Checking packages: .
Package not installed: php82-pdo
Checking packages: .
Package not installed: php82-pear-Crypt_CHAP
Checking packages: .
Package not installed: php82-pecl-radius
Checking packages: .
Package not installed: php82-phalcon
Checking packages: .
Package not installed: php82-phpseclib
Checking packages: .
Package not installed: php82-session
Checking packages: .
Package not installed: php82-simplexml
Checking packages: .
Package not installed: php82-sockets
Checking packages: .
Package not installed: php82-sqlite3
Checking packages: .
Package not installed: php82-xml
Checking packages: .
Package not installed: php82-zlib
Checking packages: .............
radvd-2.20 version mismatch, expected 2.19_4
Checking packages: ......... done
***DONE***

So it seems like it has half installed.

I tried reinstalling kernel and rebooting with this command: opnsense-update -fkbr 25.1

Is there some way to fix this?

Everything is currently working, but there is clearly some issue.

It is unclear what command to enter to reinstall the parts that did not work.

Kind regards
P
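
An added example, not code from the post or from the OPNsense project: a parser for health-audit output of the shape shown above. It pulls out the facts the text already shows (a 24.7 core package next to 25.1 kernel, base, installer and update packages; PHP packages missing) so the state of a half-finished upgrade can be checked programmatically before deciding what to reinstall. The embedded sample is a trimmed copy of the output in the post; the only assumption is that the line formats stay as printed there.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Trimmed copy of the audit output in the post above (not a fresh run).
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.7.12_4 (amd64) at Wed Jan 29 17:03:40 EST 2025
>>> Check installed kernel version
Version 25.1 is correct.
>>> Check installed base version
Version 25.1 is correct.
>>> Check for missing package dependencies
Checking all packages: .......... done
opnsense has a missing dependency: php82-session
opnsense has a missing dependency: php82-zlib
php82-pecl-mongodb has a missing dependency: php82
>>> Check for core packages consistency
Core package "opnsense" at 24.7.12_4 has 69 dependencies to check.
Checking packages: ..................
lighttpd-1.4.77 version mismatch, expected 1.4.76_1
Checking packages: .......
opnsense-installer-25.1 version mismatch, expected 24.7
Checking packages: .
opnsense-update-25.1 version mismatch, expected 24.7.12
Checking packages: ...
Package not installed: php82-session
Checking packages: .
Package not installed: php82-zlib
Checking packages: .............
radvd-2.20 version mismatch, expected 2.19_4
Checking packages: ......... done
***DONE***
"""

@dataclass
class HealthReport:
    core: str | None = None                      # version of the "opnsense" core package
    kernel: str | None = None
    base: str | None = None
    missing_deps: dict[str, set[str]] = field(default_factory=dict)   # package -> missing deps
    not_installed: set[str] = field(default_factory=set)
    mismatches: dict[str, tuple[str, str]] = field(default_factory=dict)  # name -> (installed, expected)

RE_RUNNING = re.compile(r"^Currently running OPNsense (\S+)")
RE_SECTION = re.compile(r"^>>> (.*)$")
RE_VERSION_OK = re.compile(r"^Version (\S+) is correct\.$")
RE_MISSING_DEP = re.compile(r"^(\S+) has a missing dependency: (\S+)$")
RE_NOT_INSTALLED = re.compile(r"^Package not installed: (\S+)$")
# "name-version": the version starts at the first "-" followed by a digit.
RE_MISMATCH = re.compile(r"^(.+?)-(\d\S*) version mismatch, expected (\S+)$")

def parse_health(text: str) -> HealthReport:
    rep = HealthReport()
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if m := RE_SECTION.match(line):
            section = m.group(1).lower()
        elif m := RE_RUNNING.match(line):
            rep.core = m.group(1)
        elif m := RE_VERSION_OK.match(line):
            if "kernel" in section:
                rep.kernel = m.group(1)
            elif "base" in section:
                rep.base = m.group(1)
        elif m := RE_MISSING_DEP.match(line):
            rep.missing_deps.setdefault(m.group(1), set()).add(m.group(2))
        elif m := RE_NOT_INSTALLED.match(line):
            rep.not_installed.add(m.group(1))
        elif m := RE_MISMATCH.match(line):
            rep.mismatches[m.group(1)] = (m.group(2), m.group(3))
    return rep

def series(version: str) -> str:
    """'24.7.12_4' -> '24.7': the release series is the first two components."""
    return ".".join(version.split("_")[0].split(".")[:2])

def release_skew(rep: HealthReport) -> dict[str, str]:
    """Components whose release series differs from the running core package."""
    if rep.core is None:
        return {}
    out: dict[str, str] = {}
    for name, ver in (("kernel", rep.kernel), ("base", rep.base)):
        if ver and series(ver) != series(rep.core):
            out[name] = series(ver)
    for name, (installed, expected) in rep.mismatches.items():
        if name.startswith("opnsense-") and series(installed) != series(expected):
            out[name] = series(installed)
    return out

def packages_to_reinstall(rep: HealthReport) -> list[str]:
    """Everything the audit flagged as absent or at the wrong version."""
    return sorted(rep.not_installed | set(rep.mismatches))

if __name__ == "__main__":
    report = parse_health(SAMPLE_AUDIT)
    print("core", report.core, "kernel", report.kernel, "base", report.base)
    print("skew", release_skew(report))
    print("reinstall", packages_to_reinstall(report))
```

A non-empty `release_skew` result is the programmatic form of "half installed": the core package still belongs to one series while kernel, base and the installer/update packages belong to the next.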

#3
Got an email notification that a SYN flood has been detected.

The only thing is, I can't find any settings in Zenarmor that relate to SYN flood, or how to even turn it on or off, and I have no understanding of what to actually do about it or how to check if the alert is reasonable. How can I check anything at all, or set anything at all, that relates to a SYN flood?

Kind regards
P
#4
24.1, 24.4 Legacy Series / Firewall issue
February 01, 2024, 05:24:46 AM
On upgrading I had some errors in the firewall log and traffic issues.

I eventually got it working, but was unsure which change I made resolved it, as I made several changes to bring traffic back online. The errors I saw were:

2024-01-31T15:14:44-05:00   Error   firewall   There were error(s) loading the rules: pfctl: DIOCADDRULENV: Argument list too long   
2024-01-31T15:14:44-05:00   Error   firewall   /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was 'pfctl: DIOCADDRULENV: Argument list too long'   
2024-01-31T15:14:44-05:00   Error   firewall   /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -Of /tmp/rules.limits' returned exit code '1', the output was 'pfctl: DIOCSETTIMEOUT pfctl: DIOCSETTIMEOUT pfctl: DIOCSETTIMEOUT pfctl: DIOCSETTIMEOUT pfctl: DIOCSETTIMEOUT'   
2024-01-31T15:13:34-05:00   Error   firewall   There were error(s) loading the rules: pfctl: DIOCADDRULENV: Argument list too long   
2024-01-31T15:13:34-05:00   Error   firewall   /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was 'pfctl: DIOCADDRULENV: Argument list too long'   
2024-01-31T15:13:34-05:00   Error   firewall   /usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -Of /tmp/rules.limits' returned exit code '1', the output was 'pfctl: DIOCSETTIMEOUT pfctl: DIOCSETTIMEOUT pfctl: DIOCSETTIMEOUT pfctl: DIOCSETTIMEOUT pfctl: DIOCSETTIMEOUT'   
2024-01-31T15:12:55-05:00   Error   firewall   There were error(s) loading the rules: pfctl: DIOCADDRULENV: Argument list too long


Things I did were: delete old disabled gateways not in use, clear several FW rules, clear several aliases, and other changes like this.
#5
Zenarmor (Sensei) / os-sensei-db (missing)
February 01, 2024, 05:07:17 AM
On 24.1, if you click Firmware - Status - Resolve Plugin Conflicts - View and edit local conflicts, you get os-sensei-db (missing).

How can we resolve this?

Kind regards
P
#6
Hi There,

I would like to use Zenarmor with a WireGuard interface, but I believe this can only be done with the Go implementation. However, Go has not been updated since 1.3 and kernel WireGuard is now on 2.5. Is the only method to get this working to use this old version of the package that is no longer maintained?

Kind regards
P
#7
At 10 minutes into this video the host insinuates that OPNsense does not seem to provide commits (or at least very few) to FreeBSD. Is this true?

The background of this video is that yesterday pfSense changed their license for home users, who were previously offered a more pro version for free, and this is being revoked.

https://www.youtube.com/live/rXI6-E1nc5M?si=mSkMmn09d4WyQ6go
#8
Hi there,

Since upgrading I have started to get items in my logs I have never seen before, as per below:

<see image>

This block rule does prevent devices from accessing a list of IPs in an alias that I have, and 255.255.255.255 is blocked on that port in a firewall rule, so the entry seems valid.

What confuses me is: what exactly is the 0.0.0.0 device? And why is it trying to access port 68 UDP (DNS?) on 255.255.255.255?

The other devices are all Unifi AP WiFi equipment (192.168.2.161-164).
Also, why do they access 255.255.255.255 on port 10001?

Thank you if anyone has any insight to this.

Pete
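
An added example, not from the post above: a small classifier for log entries of the shape the post describes, using only standard port assignments (UDP 67/68 is DHCP per RFC 2131, with the client sending from 0.0.0.0:68 to the limited broadcast 255.255.255.255:67 before it has an address; UDP 10001 to the broadcast address is Ubiquiti's device discovery). The sample records are constructed from the addresses and ports named in the post; the rule labels, interface name and ephemeral source ports are invented.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed records in the shape of the OPNsense live-log view:
# (interface, action, protocol, source, sport, destination, dport, rule label).
# Addresses and ports are the ones named in the post; labels and ephemeral ports are made up.
SAMPLE_LOG = [
    ("lan", "block", "udp", "0.0.0.0", 68, "255.255.255.255", 67, "block_alias_list"),
    ("lan", "block", "udp", "192.168.2.161", 41000, "255.255.255.255", 10001, "block_alias_list"),
    ("lan", "block", "udp", "192.168.2.164", 41001, "255.255.255.255", 10001, "block_alias_list"),
    ("lan", "pass", "udp", "192.168.2.50", 51000, "192.168.2.1", 53, "allow_dns"),
]

DHCP_PORTS = {67, 68}            # RFC 2131: server port 67, client port 68
UBNT_DISCOVERY_PORT = 10001      # Ubiquiti device discovery, sent to the broadcast address
LIMITED_BROADCAST = ip_address("255.255.255.255")

EXPLAIN = {
    "dhcp-discover": ("A host with no lease yet sends DHCPDISCOVER/REQUEST from 0.0.0.0:68 to "
                      "255.255.255.255:67; 0.0.0.0 is the unconfigured client, not a fixed device."),
    "ubnt-discovery": ("Ubiquiti gear announces itself on UDP 10001 to the broadcast address so a "
                       "controller on the same segment can find it."),
    "limited-broadcast": "255.255.255.255 is never routed off the segment; a block only affects the firewall itself.",
    "multicast": "Multicast is only forwarded with explicit multicast routing.",
    "unicast": "Ordinary unicast traffic.",
}

def classify(proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    s, d = ip_address(src), ip_address(dst)
    if proto == "udp" and {sport, dport} == DHCP_PORTS and (s.is_unspecified or d == LIMITED_BROADCAST):
        return "dhcp-discover"
    if proto == "udp" and d == LIMITED_BROADCAST and dport == UBNT_DISCOVERY_PORT:
        return "ubnt-discovery"
    if d == LIMITED_BROADCAST:
        return "limited-broadcast"
    if d.is_multicast:
        return "multicast"
    return "unicast"

def triage(records) -> Counter:
    """Count classifications of blocked entries only; passed traffic is not noise."""
    return Counter(classify(r[2], r[3], r[4], r[5], r[6]) for r in records if r[1] == "block")

def dhcp_blocked_on(records) -> list[str]:
    """Interfaces where DHCP client broadcasts hit a block rule. If the firewall is
    the DHCP server on such an interface, clients cannot obtain leases through it."""
    return sorted({r[0] for r in records
                   if r[1] == "block" and classify(r[2], r[3], r[4], r[5], r[6]) == "dhcp-discover"})

if __name__ == "__main__":
    for kind, count in triage(SAMPLE_LOG).items():
        print(f"{count:3d}  {kind:18s} {EXPLAIN[kind]}")
    print("DHCP blocked on:", dhcp_blocked_on(SAMPLE_LOG))
```

Broadcast and discovery entries are the ones a block-to-alias rule will keep logging forever without any routed traffic being involved; the one category worth a second look is `dhcp-discover` on an interface where the firewall itself is meant to hand out leases.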

#9
Unsure how to progress this. Tried different values and settings, but PPPoE is always 1492 no matter what I do.

Here are my settings. Why does it not work?
#10
Tutorials and FAQs / How to use ddns and cloudflare
August 01, 2023, 04:32:43 AM
On OPNsense, go to Services - Dynamic DNS - Settings.
Click + to add a new entry.

Description: up to you
Service: Cloudflare
Username: token
Password: API KEY CREATED IN CLOUDFLARE ACCOUNT
Zone: domain name in the format example.com
Hostname: full FQDN in the format ddnsentry.example.com
Check IP method: Interface
Interface to monitor: WAN
Check IP Timeout: 10
Force SSL: YES

For the API key in Cloudflare, click My Profile, then API Tokens.
Create a token using the DNS template.
It needs:
Zone, DNS, Edit
Zone, Zone, Read
Include - All zones.

Copy the API key and paste it as the password in OPNsense.

Works 100%

#11
Unsure how to troubleshoot this. I just uninstalled and then reinstalled and changed to MongoDB in the hope it would fix it, but it still shows the servers are down for cloud threat intel, even in the setup as per below. How can I troubleshoot this? Unsure how to access logs.


https://imgur.com/a/Lyu628m
#12
While blocking QUIC (under the media streaming policy) does prevent DNS over QUIC from working, it also blocks WhatsApp audio calls, as they use UDP 443 for their calls as well. How can I allow WhatsApp calls while still blocking QUIC in general? Unfortunately the current rule is too blunt an instrument, so I have had to turn it off, as WhatsApp audio calls are used on the network. This means allowing all QUIC traffic, however.

Kind regards
P
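
An added example (not code from the post, from Zenarmor or from OPNsense): the post shows why a per-port block on UDP/443 is a blunt instrument. The block below shows what a finer-grained policy would key on instead: a QUIC v1/v2 client Initial packet is recognisable from its long-header bits (RFC 9000 section 17.2: header-form bit set, fixed bit set, known version, Initial type, connection ID length at most 20, and at least 1200 bytes of datagram per section 14.1), while RTP-style media and STUN, which share the port, fail the fixed-bit check. Dropping only Initial packets denies the handshake and therefore the whole QUIC session. The packets are constructed here, and nothing about WhatsApp's actual wire format is assumed; the RTP and STUN samples are only representative call-style payloads.

```python
import struct

QUIC_V1 = 0x00000001                               # RFC 9000
QUIC_V2 = 0x6B3343CF                               # RFC 9369
INITIAL_TYPE = {QUIC_V1: 0b00, QUIC_V2: 0b01}      # long-header type bits that mean "Initial"
MIN_CLIENT_INITIAL = 1200                          # RFC 9000 s14.1: client Initial datagrams are padded
MAX_CID_LEN = 20                                   # RFC 9000 s17.2

def classify_udp_payload(p: bytes) -> str:
    if not p:
        return "empty"
    b0 = p[0]
    if not b0 & 0x40:
        # Fixed bit clear: cannot be QUIC v1/v2. RTP/SRTP (first byte 0x80..0xBF) and
        # STUN (top two bits 00) both land here, even though RTP shares QUIC's 0x80 bit.
        return "not-quic"
    if not b0 & 0x80:
        return "quic-short-header-candidate"        # 1-RTT shape; not provable from one byte
    if len(p) < 6:
        return "not-quic"
    version = struct.unpack("!I", p[1:5])[0]
    if version == 0:
        return "quic-version-negotiation"
    if version not in INITIAL_TYPE:
        return "quic-unknown-version"
    if p[5] > MAX_CID_LEN:                          # destination connection ID length
        return "not-quic"
    if (b0 >> 4) & 0x03 != INITIAL_TYPE[version]:
        return "quic-long-header-other"             # 0-RTT, Handshake or Retry
    if len(p) < MIN_CLIENT_INITIAL:
        return "quic-initial-short"                 # server Initial or a truncated capture
    return "quic-client-initial"

def policy(p: bytes, block_quic: bool = True) -> str:
    """Drop only client Initial packets: without an Initial there is no handshake and
    no QUIC session, while RTP/STUN-style media on the same port passes untouched."""
    return "drop" if block_quic and classify_udp_payload(p) == "quic-client-initial" else "pass"

def build_quic_client_initial(version: int = QUIC_V1, dcid: bytes = b"\x11" * 8) -> bytes:
    """Constructed client Initial: form=1, fixed=1, type=Initial, pn-len=1, empty SCID, empty token.
    The remaining bytes (Length, packet number, protected payload) are zero-filled; the
    classifier never reads them."""
    b0 = 0x80 | 0x40 | (INITIAL_TYPE[version] << 4)
    hdr = bytes([b0]) + struct.pack("!I", version) + bytes([len(dcid)]) + dcid + b"\x00" + b"\x00"
    return hdr + b"\x00" * (MIN_CLIENT_INITIAL - len(hdr))

# Constructed non-QUIC payloads of the kind that also travel over UDP/443 during calls.
RTP_LIKE = bytes([0x80, 0x60, 0x00, 0x01]) + b"\x00" * 8 + b"\xAA" * 160      # V=2, PT=96
STUN_BINDING_LIKE = b"\x00\x01\x00\x00\x21\x12\xA4\x42" + b"\x00" * 12          # RFC 5389 magic cookie

if __name__ == "__main__":
    for name, pkt in (("quic v1 initial", build_quic_client_initial()),
                      ("quic v2 initial", build_quic_client_initial(QUIC_V2)),
                      ("rtp-like", RTP_LIKE), ("stun-like", STUN_BINDING_LIKE)):
        print(f"{name:16s} {classify_udp_payload(pkt):28s} -> {policy(pkt)}")
```

The limitation is visible in the `quic-short-header-candidate` branch: once a session exists, its 1-RTT packets are indistinguishable from random bytes by header inspection alone, which is why a QUIC policy has to act on the Initial (or on flow state), not on arbitrary mid-session packets.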
#13
Before updating to 22.7, aliases of type "URL Table (IPs)" with a refresh interval, when updating on the refresh interval, would write to the system log "fetched alias <name> from <url>", or something to that effect; I don't remember the exact wording. I used this during my daily audits, but now it appears this no longer occurs. Where is this information being logged, and how can I turn logging back on for the aliases that update? Was this change intentional or a bug? I would like to see when aliases update in some log somewhere; I don't mind where, but it should be exposed in my opinion.

Kind regards
Peter
#14
I switched to kmod a while ago and was happily waiting for Zenarmor to 'catch up' and eventually be able to support monitoring on the kmod version of WireGuard's interface. However, now I am thinking that will never happen, as the kmod version is stripped down and missing stuff that Sensei/Zenarmor needs to work. Did I imagine that it was possible for the kernel version of WireGuard to be supported one day by Zenarmor, or is that impossible by design and I should be using wireguard-go instead?
#15
Has anyone else ever had an issue where, if you follow the guide to the WireGuard road warrior setup, everything works except that from a LAN client you can't ping a WG client that's connected?
#16
Hi,

I'm with an ISP that allows the MTU of 1492 to be brought up to 1500 on a PPPoE connection. It's not clear to me how everyone else achieved this. I have read several topics on the forum and tried the suggestions, but I can't seem to get it to work on OPNsense 21.7.5-amd64.

I had a PPPoE connection on top of the em0 interface working with an MTU of 1492, and started by setting the MTU to 1508 there, which then states "calculated MTU 1500".

This had no effect, so I read other posts that said you needed to make a dummy interface of em0 and simply enable it and set an MTU of 1508 there, which I also did.

This also had no effect, even after rebooting. The PPPoE dials and ends up with an MTU of 1492 at the end. What is the method people use to force an MTU, as I am clearly missing a step?

Kind regards
P
#17
Hi there,

I had a strange occurrence. I have rules that block certain IPs on my home network, and an allow rule above this block rule that allows certain IPs that I don't want caught by the block.

Last night a Netflix CDN IP was blocked. I noticed today (the next day) when reviewing the logs. However, this IP was already in the allow rule. The effect this had was that momentarily Netflix would not work; I refreshed a few times and thought nothing of it. However, I noticed today that the IP was blocked, so I went to add it to the list of allowed IPs and discovered it was already in the list.

This means that temporarily the rules did not function as expected last night. However, there were no changes to the firewall, and in fact I was not logged onto it at all, either at that time or around that time (due to watching Netflix).

Why would the firewall temporarily ignore a firewall rule? The problem seems to have resolved itself with no intervention. I have not since added this IP to the alias of allowed IPs. I can confirm it was already in there and did not require a change to the firewall.

Kind regards
Pete
#18
Hi there,

I would like to create a VLAN and have this run over the same physical cable as my current untagged LAN.
I have configured what I imagine to be an acceptable configuration, but it does not work 100%.

The config is as follows:

Physical:
An RJ45 cable from port em1 (LAN) to a Unifi switch.

Configuration OPNsense
Create, under Interfaces - Other Types - VLANs, VLAN5 on interface em1.
Under Assignments, assign VLAN5 on em1 so it appears as an interface.
Configuring interface vlan5, I set a static IP of 192.168.5.1 (LAN is set to 192.168.2.x already).

Create a rule to allow all traffic, anywhere to anywhere, in the vlan5 firewall rules for testing.

Save config.

At this point I can no longer log into the web interface of my OPNsense box, although it appears like everything is working.

So, to try to resolve logging into OPNsense, I configured Other Types - Bridge and added vlan5 and LAN as a bridge.

Once saved, this means I can access the web interface again. However, the web interface is very slow and takes about 30 seconds to load a page when clicking from page to page, as opposed to immediately when I had no vlan5 config at all.

Can someone assist me in explaining where I am going wrong in understanding what I should do, and how to achieve one physical interface running both LAN and a VLAN on top of it? The reason for this requirement is that I have no other ports available, because I have another VLAN that's on a separate cable, and I don't have this problem with it.

Kind regards
Pete

#19
Hi there,

I have tried updating 2 times (once from the GUI and once from the CLI after SSHing into the firewall and selecting option 12).
Both times the files are downloaded and the firewall reboots, but after some time, when it has rebooted, I am still on 21.1.9 and am offered the update again.

How can I view what is going wrong with the update, and what logs can I check?

Pete
#20
From announcements:
Unbound advanced configuration has been removed.  Local override directory /usr/local/etc/unbound.opnsense.d exists.


Does anyone know why this has been removed? I'm sad it has been removed, because I used that page when setting up Unbound. Will it still be easy to set the options that were on that page? I ask out of ignorance, as I don't know why it was removed or how to configure the same options going forward. I'm hoping it will be easy.

P