Topics

Hello,
I feel I get this problem with every major version upgrade of suricata. As soon as suricata starts, all traffic is blocked, except the wireguard interface.

Suricata is listening on the physical interfaces igb0 (Modem) and igb1 (LAN). Network cards are Intel i211-AT.

Any suggestions, is it driver issue? netmap issue?

Code Select Expand

OPNsense 23.7.r_14-amd64
FreeBSD 13.2-RELEASE-p1
OpenSSL 1.1.1u 30 May 2023

Second question, why is the file /usr/local/www/ntpd.core 1.0G? (Timestamp 2020)

Cheers

Hallo zusammen,
mein normaler DSL Anschluss geht über einen Vigor 165 von Draytek.

Damit ich das WebInterface vom Vigor erreichen kann, habe ich eine NAT Outbound Regel auf dem physischen Interface der OPNSense in Richtung des Modems konfiguriert.

Funktioniert auch wunderbar.

Nun habe ich meine OPNSense mit einem LTE Modem ergänzt und eine Gateway Group erstellt mit Prio 1 DSL und Prio 254 LTE. Soweit so gut.

Sobald ich nun in der Default LAN Rule im "Gateway", statt Default, die WANGROUP verwende, erreiche ich das Modem (Vigor) und auch den NTP (auf OPNSense) nicht mehr.

Quasi sobald ich "Step 4" anwende.

https://docs.opnsense.org/manual/how-tos/multiwan.html

Jemand eine Idee, wie sich das lösen lässt?

Hello,
I'm facing the following problem with Suricata with 22.7. Hardware offloading is off. I set VLAN Filtering to "Leave Default" prior the update.

Interfaces:
WAN = PPPoE on igb0
MODEMACCESS = igb0
LAN = igb1
VLAN1, VLAN2 = Child of igb1

Suricata is configured in Promiscous and IPS Mode to LAN and MODEMACCESS as those are the physical interfaces. LAN because I want to see which machines maybe compromised and communicating to the internet. However it worked flawless with 22.1.

After the update. VLANs are not reachable when Suricata is running. No settings changed.

Code Select Expand

Stats for 'igb0':  pkts: 78997, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb0^':  pkts: 84275, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb1':  pkts: 102971, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb1^':  pkts: 107821, drop: 0 (0.00%), invalid chksum: 0


Switching to MODEMACCESS only. Seems to work but it doesnt. emergering_user_agents ruleset is enabled and added to the Policy. But # curl -A "BlackSun" www.google.com results in nothing although it should be blocked. It does work when adding LAN again BUT VLANs stop working. In general I question the use of IPS on WAN interface?!

Code Select Expand

Stats for 'igb0':  pkts: 3342, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb0^':  pkts: 4858, drop: 0 (0.00%), invalid chksum: 0

Any advices? I can life with not IPS on LAN, but it does not work on WAN physical interface. This renders IPS pretty useless for me.

I downgraded to 6.0.5 as well without improvement.

Is this related to the merge of EM and IGB Driver in 13.1?

https://www.freebsd.org/cgi/man.cgi?query=em&apropos=0&sektion=4&manpath=FreeBSD+13.1-RELEASE+and+Ports&arch=default&format=html
https://www.freebsd.org/cgi/man.cgi?query=netmap

Hello,
obviously I'm to stupid to get traffic from one VLAN to another one.

I do get traffic from LAN to VLAN2. But I can't reach VLAN2 to LAN (only ICMP works).

Can someone help me with that? I tried rules in every direction on every interface (LAN, VLAN2). I'm able to reach LAN -> VLAN2 but not in the other direction. What am I doing wrong?

As ICMP works, I would rule out any routing problem.

Is this related to the webproxy? (transparent mode, but rules deleted on VLAN2)

Cheers and thx for help.

Hello,
is there any way to renew certificates that have been issued?

I use this as "light" CA, as other systems are to comlicated.

Cheers

Hello,
currently running latest OPNSense 21.7.

I'm not able to sign certificates anymore (Internal Certificate Signing). Trying to sign a certificate results in "500 Internal Server Error"

Code Select Expand

2021-08-19T15:00:47 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2438 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T15:00:47 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1
2021-08-19T14:59:29 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2396 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T14:59:29 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1

Anyone able to verify if this is a general problem or just mine?

Cheers

Hello,
my setup seems to be broke after the update.

Updated via console and it is leaving me with a 10 minute reboot. configd does not start as some pyhton library is missing. I'm not able to ssh or login on console via root or my user account. It say login incorrect or access denied.

I can login via web, but I'm not able to see logs or running the update again. The dashboard stays empty and the widgets throw an error.

Warning: Invalid argument supplied for foreach() in /usr/local/www/widgets/widgets/smart_status.widget.php on line 48

Is there any way to recover from it? The missing python library seems to be jinja2.

Report is sent via WebUI, maybe someone can see the full log, as I cant.

Any chances to modify the boot parameter to be logged in as root without pw prompt?

Cheers

Hello,
thanks for the update to 21.1.4 and Suricata 6.x on Devel.

Suricata does not want to start after the update.

The log shows:

Code Select Expand

2021-04-01T18:34:09 root[7389] /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata

Manual start shows:

Code Select Expand

1/4/2021 -- 19:31:36 - <Info> - Including configuration file installed_rules.yaml.
1/4/2021 -- 19:31:36 - <Info> - Configuration node 'rule-files' redefined.
1/4/2021 -- 19:31:36 - <Info> - Including configuration file custom.yaml.
./suricata: WARNING: failed to start suricata

Code Select Expand

OPNsense 21.7.a_314-amd64
FreeBSD 12.1-RELEASE-p15-HBSD
LibreSSL 3.2.5

Trying to investigate further or does it simply require a reinstall?

EDIT: Looks like Hyperscan support is missing with this build.

Code Select Expand

Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.


Recompiling /usr/ports/opnsense/suricata-devel

Hey,
with recent update from 20.7.3 to 20.7.4 it shows the following messages:

Code Select Expand


You may need to manually remove /usr/local/etc/php-fpm.d/www.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/sudoers if it is no longer needed.
You should remove /usr/local/etc/raddb if you don't need it any more.
You may need to manually remove /usr/local/etc/nginx/mime.types if it is no longer needed.
You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.


Really safe to delete?

Hello,
Microsoft is using Certificate Pinning for Windows Update. I can't get this working properly.

Can anyone help me to paste this to the correct section? I feel this is overwritten by the bump settings of OPNSense.

https://wiki.squid-cache.org/SquidFaq/WindowsUpdate

Hello,
so I noticed the following problem.

Before using NAT Reflection I used remapping specific domains to internal IP Adresses (my dyndns address) with Unbound and Pi-Hole. Worked perfectly, certificates valid.

I thought about using NAT-Reflection to get rid of these domain rewrites. So I enabled it and removed the DNS entries.

My Application is forwareded on Port 80 and 443.

When I enable NAT-Reflection + Create Rules and connect via Wireguard and enter for ex. x.x.x.1 to get access on OPNSense, I land on the application forwareded to 80 and 443 instead of OPNSense WebIF.

Any ideas or solution to this?

Cheers

Hello @Firewall Advanced Settings, I can find "Firewall Rules Optimization". It allows None, Basic and Profile.

I searched for pfctl and found the exact same description. What is it exactly doing on "Profile"?

What is the best setting for maximum optimization if I've spare memory and processor time?

Cheers

Hello,
I found out, not sure if this is new with 20.7.r_13, that IDS only shows the stats.log under LogFile. This seems to be pretty useless and I'm sure that it was the sucricata.log once in a while.

Can anyone confirm this behavior?

Code Select Expand

OPNsense 20.7.r_13-amd64
FreeBSD 12.1-RELEASE-p7-HBSD
LibreSSL 3.0.2

suricata.log is placed /var/log/
all other logs are placed /ar/log/suricata/

Hello,
I've setup a u-blox GPS Module. Using it via u-center and or checking console output via:

Code Select Expand

cat gpsinit | cu -s 9600 -l /dev/gps0

Shows me the correct timing:

Code Select Expand

$GNZDA,221311.00,27,05,2020,00,00*7A

Setting it up via the Interface and checking the status shows an offset of ~330 seconds and marks the GPS Module as falseticker.

What am I doing wrong? Using default settings.

Hello,
I've a Qotom with 4 x Intel i211AT.

Pretty every reboot Suricata locksup igb1 (LAN). Suricata is listening on WAN (PPPoE - igb0) and LAN (igb1).

I'm only able to access OPNSense via Wireguard VPN of my Phone. After 4-5 restarts of suricata is working again.

What am I doing wrong? Can someone confirm this issue?

Cheers

Hello,
I added an Alias named for ex. ABCD. I selected URLs (IPs) and added to Domains. Saving and pressed "Apply".

pfTable showing -> ABCD stay empty even with URLs Table.

Is this correct behavior?

Cheers

Hello,
is it intended that Monit offers PAM Authentication and its actually even displayed in the settings but does not work?

I can see a upstreamed root password in monitrc, but it obviously not mine.

The pam.d file seems to be missisng. Intented or Bug?

Hello there,
first of all thx for all the time you invest in development.

Is it possible to get an upgrade of hyperscan, 4.7.0 is more than 3 years old and hyerscan got some performance improvements over time with currently 5.2.1.

5.0.0 is supported with suricata: https://github.com/OISF/suricata/blob/master/doc/userguide/performance/hyperscan.rst

Right now you compile it with "core2" (SSE3)which results in not benefiting from SSE4.2, AVX2 and POPCNT (starting Haswell). This would improve performance further. Or do you compile with 'NATIVE' ?

I'm not familar with pkg mgmt, chances to get multiple configurations for that? Like choosing the appropriate hyperscan package?

https://github.com/intel/hyperscan/blob/90cd1863d64135323cae44606c6eff5fc76a1532/doc/dev-reference/getting_started.rst#fat-runtime

For ex. right now I've an "old" i3 which would support SSE4.2 and AVX2 (Released Q4/2014)
-------

Second question, snort rules have an ips policy within the file, right now "balanced" seems to be the default thats activated with snortrules-snapshot-29151.tar.gz (seems to work best with suricata 5.0.3). Any chances to get a field to choose which policy will be activated (beside the rules I've choosen myself)?

https://www.snort.org/faq/why-are-rules-commented-out-by-default

TL:DR

• Update Hyperscan to 5.2.1
• Compile Hyperscan to benefit from SSE4 and/or AVX2
• Make use of policys in IDS/IPS Rulesets (balanced, max-detect, etc)

Thanks for reading and your hard work!

Hello,
I've setup my OPNSense switching from UniFi. I've some basic questions.

1. I setup Wireguard via this:
https://wiki.opnsense.org/manual/how-tos/wireguard-client.html
and
https://www.thomas-krenn.com/de/wiki/OPNsense_WireGuard_VPN_für_Road_Warrior_einrichten#Firewall_Regel_f.C3.BCr_WireGuard
this guide.

I partly skipped configuration of Step 2c of the first guide.

Everything is setup and when the Wireguard Interface is not assigned, internal traffic isn't working.
Assigning the Interface allows me internal + external traffic via VPN even without the Firewall NAT Outbound Rule.
What am I doing wrong?

2. I'm using Pi-Hole as DNS. Works like a charm.

However I want to block all other DNS traffic, only pi-hole is allowed to connect to external dns.

- WAN-OUT <Pi-Hole> DST* TCP/UDP 53
- WAN-OUT * DST* TCP/UDP 53

With this rules Pi-Hole is blocked as well, why? Stop on first match is ticked.

Cheers