Topics

1

21.7 Production Series / Certificate renewal

« on: September 25, 2021, 03:24:50 pm »

Hello,
is there any way to renew certificates that have been issued?

I use this as "light" CA, as other systems are to comlicated.

Cheers

2

21.7 Production Series / SSL Certificates signing | Error 500

« on: August 19, 2021, 03:08:28 pm »

Hello,
currently running latest OPNSense 21.7.

I'm not able to sign certificates anymore (Internal Certificate Signing). Trying to sign a certificate results in "500 Internal Server Error"

Code: [Select]

2021-08-19T15:00:47 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2438 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T15:00:47 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1
2021-08-19T14:59:29 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2396 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T14:59:29 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1
Anyone able to verify if this is a general problem or just mine?

Cheers

3

21.7 Production Series / OPNSense Upgrade 21.7

« on: July 28, 2021, 06:06:56 pm »

Hello,
my setup seems to be broke after the update.

Updated via console and it is leaving me with a 10 minute reboot. configd does not start as some pyhton library is missing. I'm not able to ssh or login on console via root or my user account. It say login incorrect or access denied.

I can login via web, but I'm not able to see logs or running the update again. The dashboard stays empty and the widgets throw an error.

Warning: Invalid argument supplied for foreach() in /usr/local/www/widgets/widgets/smart_status.widget.php on line 48

Is there any way to recover from it? The missing python library seems to be jinja2.

Report is sent via WebUI, maybe someone can see the full log, as I cant.

Any chances to modify the boot parameter to be logged in as root without pw prompt?

Cheers

4

21.1 Legacy Series / [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing

« on: April 01, 2021, 07:35:01 pm »

Hello,
thanks for the update to 21.1.4 and Suricata 6.x on Devel.

Suricata does not want to start after the update.

The log shows:

Code: [Select]

2021-04-01T18:34:09 root[7389] /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
Manual start shows:

Code: [Select]

1/4/2021 -- 19:31:36 - <Info> - Including configuration file installed_rules.yaml.
1/4/2021 -- 19:31:36 - <Info> - Configuration node 'rule-files' redefined.
1/4/2021 -- 19:31:36 - <Info> - Including configuration file custom.yaml.
./suricata: WARNING: failed to start suricata

Code: [Select]

OPNsense 21.7.a_314-amd64
FreeBSD 12.1-RELEASE-p15-HBSD
LibreSSL 3.2.5
Trying to investigate further or does it simply require a reinstall?

EDIT: Looks like Hyperscan support is missing with this build.

Code: [Select]

Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.

Recompiling /usr/ports/opnsense/suricata-devel

5

20.7 Legacy Series / Safe to delete?

« on: October 23, 2020, 12:26:19 am »

Hey,
with recent update from 20.7.3 to 20.7.4 it shows the following messages:

Code: [Select]

You may need to manually remove /usr/local/etc/php-fpm.d/www.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/sudoers if it is no longer needed.
You should remove /usr/local/etc/raddb if you don't need it any more.
You may need to manually remove /usr/local/etc/nginx/mime.types if it is no longer needed.
You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.

Really safe to delete?

6

Web Proxy Filtering and Caching / Squid SSL Inspection and Windows Updates

« on: October 08, 2020, 07:37:06 pm »

Hello,
Microsoft is using Certificate Pinning for Windows Update. I can't get this working properly.

Can anyone help me to paste this to the correct section? I feel this is overwritten by the bump settings of OPNSense.

https://wiki.squid-cache.org/SquidFaq/WindowsUpdate

7

20.7 Legacy Series / Weird problem with NAT Reflection

« on: September 27, 2020, 01:09:43 am »

Hello,
so I noticed the following problem.

Before using NAT Reflection I used remapping specific domains to internal IP Adresses (my dyndns address) with Unbound and Pi-Hole. Worked perfectly, certificates valid.

I thought about using NAT-Reflection to get rid of these domain rewrites. So I enabled it and removed the DNS entries.

My Application is forwareded on Port 80 and 443.

When I enable NAT-Reflection + Create Rules and connect via Wireguard and enter for ex. x.x.x.1 to get access on OPNSense, I land on the application forwareded to 80 and 443 instead of OPNSense WebIF.

Any ideas or solution to this?

Cheers

8

20.7 Legacy Series / Firewall Rules Optimization

« on: September 03, 2020, 07:59:04 pm »

Hello @Firewall Advanced Settings, I can find "Firewall Rules Optimization". It allows None, Basic and Profile.

I searched for pfctl and found the exact same description. What is it exactly doing on "Profile"?

What is the best setting for maximum optimization if I've spare memory and processor time?

Cheers

9

Intrusion Detection and Prevention / Stats.log

« on: July 28, 2020, 09:36:34 pm »

Hello,
I found out, not sure if this is new with 20.7.r_13, that IDS only shows the stats.log under LogFile. This seems to be pretty useless and I'm sure that it was the sucricata.log once in a while.

Can anyone confirm this behavior?

Code: [Select]

OPNsense 20.7.r_13-amd64
FreeBSD 12.1-RELEASE-p7-HBSD
LibreSSL 3.0.2
suricata.log is placed /var/log/
all other logs are placed /ar/log/suricata/

10

General Discussion / GPS huge offset

« on: May 28, 2020, 12:27:17 am »

Hello,
I've setup a u-blox GPS Module. Using it via u-center and or checking console output via:

Code: [Select]

cat gpsinit | cu -s 9600 -l /dev/gps0
Shows me the correct timing:

Code: [Select]

$GNZDA,221311.00,27,05,2020,00,00*7A
Setting it up via the Interface and checking the status shows an offset of ~330 seconds and marks the GPS Module as falseticker.

What am I doing wrong? Using default settings.

11

Intrusion Detection and Prevention / Suricata locksup igb1

« on: May 20, 2020, 09:45:00 pm »

Hello,
I've a Qotom with 4 x Intel i211AT.

Pretty every reboot Suricata locksup igb1 (LAN). Suricata is listening on WAN (PPPoE - igb0) and LAN (igb1).

I'm only able to access OPNSense via Wireguard VPN of my Phone. After 4-5 restarts of suricata is working again.

What am I doing wrong? Can someone confirm this issue?

Cheers

12

20.7 Legacy Series / Aliases broken?

« on: May 14, 2020, 11:26:07 pm »

Hello,
I added an Alias named for ex. ABCD. I selected URLs (IPs) and added to Domains. Saving and pressed "Apply".

pfTable showing -> ABCD stay empty even with URLs Table.

Is this correct behavior?

Cheers

13

20.7 Legacy Series / Monit PAM Authentication

« on: May 13, 2020, 10:31:26 pm »

Hello,
is it intended that Monit offers PAM Authentication and its actually even displayed in the settings but does not work?

I can see a upstreamed root password in monitrc, but it obviously not mine.

The pam.d file seems to be missisng. Intented or Bug?

14

20.7 Legacy Series / Hyperscan and IPS Policy

« on: May 09, 2020, 07:24:34 pm »

Hello there,
first of all thx for all the time you invest in development.

Is it possible to get an upgrade of hyperscan, 4.7.0 is more than 3 years old and hyerscan got some performance improvements over time with currently 5.2.1.

5.0.0 is supported with suricata: https://github.com/OISF/suricata/blob/master/doc/userguide/performance/hyperscan.rst

Right now you compile it with "core2" (SSE3)which results in not benefiting from SSE4.2, AVX2 and POPCNT (starting Haswell). This would improve performance further. Or do you compile with 'NATIVE' ?

I'm not familar with pkg mgmt, chances to get multiple configurations for that? Like choosing the appropriate hyperscan package?

https://github.com/intel/hyperscan/blob/90cd1863d64135323cae44606c6eff5fc76a1532/doc/dev-reference/getting_started.rst#fat-runtime

For ex. right now I've an "old" i3 which would support SSE4.2 and AVX2 (Released Q4/2014)
-------

Second question, snort rules have an ips policy within the file, right now "balanced" seems to be the default thats activated with snortrules-snapshot-29151.tar.gz (seems to work best with suricata 5.0.3). Any chances to get a field to choose which policy will be activated (beside the rules I've choosen myself)?

https://www.snort.org/faq/why-are-rules-commented-out-by-default

TL:DR

• Update Hyperscan to 5.2.1
• Compile Hyperscan to benefit from SSE4 and/or AVX2
• Make use of policys in IDS/IPS Rulesets (balanced, max-detect, etc)

Thanks for reading and your hard work!

15

General Discussion / OPNSense Beginner - Wireguard- Firewall

« on: May 07, 2020, 02:51:13 pm »

Hello,
I've setup my OPNSense switching from UniFi. I've some basic questions.

1. I setup Wireguard via this:
https://wiki.opnsense.org/manual/how-tos/wireguard-client.html
and
https://www.thomas-krenn.com/de/wiki/OPNsense_WireGuard_VPN_für_Road_Warrior_einrichten#Firewall_Regel_f.C3.BCr_WireGuard
this guide.

I partly skipped configuration of Step 2c of the first guide.

Everything is setup and when the Wireguard Interface is not assigned, internal traffic isn't working.
Assigning the Interface allows me internal + external traffic via VPN even without the Firewall NAT Outbound Rule.
What am I doing wrong?

2. I'm using Pi-Hole as DNS. Works like a charm.

However I want to block all other DNS traffic, only pi-hole is allowed to connect to external dns.

- WAN-OUT <Pi-Hole> DST* TCP/UDP 53
- WAN-OUT * DST* TCP/UDP 53

With this rules Pi-Hole is blocked as well, why? Stop on first match is ticked.

Cheers