Topics - FullyBorked

1
24.7 Production Series / Interface flapping issue back after 24.7.9 release
« on: November 27, 2024, 03:46:12 pm »
https://forum.opnsense.org/index.php?topic=34026.msg164617#msg164617 I had this issue for a long time but it was finally resolved with the netmap changes and it's not been a problem.  After the latest release this has happened three times now.  I'm not sure if it's due to the new intel drivers or what.  But the symptoms are exactly the same as before.  I'm going to test the emulated netmap drivers again as that resolved it last time for me. But I think there was a regression somewhere. 

2
General Discussion / Suggestions for LTE/5G modem
« on: October 01, 2024, 08:58:37 pm »
I currently have an LB1120 LTE modem set up as a secondary WAN on my OPNsense box. Sadly it's VERY slow for whatever reason, I think it's just getting a bit old. I can only get 20-30 Mbps down on a really good day. Compared to my cellphone on LTE I can get upwards of 150-170 Mbps down consistently. Would really like to upgrade to something a bit more robust. I'm really struggling to locate devices for this. Lots of hotspots available but I really don't need/want any of the fluff, just need an LTE/5G modem and an ethernet port.

Anyone have any recommendations? ATT Mobile network currently.

3
24.7 Production Series / WAN failover seems completely broken
« on: September 28, 2024, 12:51:25 am »
I've had the same configuration for WAN fail-over for years now. I've always had issues with the connections being a bit sticky after my primary WAN is back online after an outage/fail-over scenario, but otherwise it has been flawless. However, I'm currently failed over to my backup LTE modem due to storm damage taking down the copper lines. My primary connection shows 100% packet loss and shows offline status under gateways. However, as long as that connection is enabled the firewall continues to route traffic to my primary connection; obviously this doesn't work well for having internet connectivity. I figured this out by watching firewall logs.

I've rebooted all modems and the firewall trying to correct it but OPNsense simply will not route traffic to my secondary fail-over connection until I disable my primary under gateways.  Did something change recently that I missed that might require new configuration or is this simply borked?   ???

4
24.1 Legacy Series / Periodic Speedtest
« on: March 13, 2024, 02:53:41 pm »
I'm not sure when it stopped working but my periodic speedtest cron job doesn't seem to be working.  At least I don't see any tests logged and the widget doesn't show any data.  The cron job seems pretty straight forward but doesn't seem to work.  I know you need to set a parameter for the server id, I'm just using the id digits, does it also need brackets or parenthesis?  Not fully sure how to troubleshoot it. 

5
23.7 Legacy Series / Wazuh agent seems to be missing dependencies
« on: January 06, 2024, 04:15:49 pm »
Was curious on the best way to resolve the below warning.

Code:
wazuh-agent is missing a required shared library: libthr.so.3
wazuh-agent is missing a required shared library: libc.so.7

6
23.7 Legacy Series / SSH out of date per health check?
« on: December 29, 2023, 03:10:10 pm »
Ran a health check on my firewall and it had a line for what appears to be an older version of SSH. 

Code:
openssh-portable-9.3.p2_2,1 version mismatch, expected 9.6.p1_1,1
Admittedly I don't fully understand how these health checks work, but with SSH being in the news lately, it caught my attention. 

Thoughts?

7
Hardware and Performance / i3-9100 vs i5-8500
« on: October 27, 2023, 06:30:48 pm »
My current OPNsense box has an i3-9100; I was looking through my parts pile and noticed I have an i5-8500. They are nearly identical for the most part. Some of the perks of the i5 are thread count and memory bandwidth. But it's all so minimal, and I know Zenarmor isn't multi-threaded yet and I'm not sure if there are other parts of OPNsense that would benefit.

I own both so other than the time to swap them it's no loss to me either way.  Was just a thought, I couldn't make a conclusion I was happy with so figured I'd crowd source it lol. 

Thoughts? TIA!

8
23.7 Legacy Series / Unbound DHCP watcher script keeps stopping
« on: September 04, 2023, 04:43:55 pm »
I had this issue a long time ago with the bug with block lists.  I monitor the service with Monit still since that issue, after one of the last updates that service is stopping multiple times a day.  I don't see any error logs related to it, so not 100% sure what's happening.  I've disabled block lists in DNS but it's still struggling to stay running.

Anyone know of a way to automatically restart unbound or manually start that service back with Monit?  Getting tired of restarting that service multiple times a day...  :-\   Extra points if anyone else is experiencing this and knows a fix. 

9
23.7 Legacy Series / Wireguard hangs connected with last connected device
« on: August 28, 2023, 01:47:29 am »
Since apparently I'm gonna dig out all the issues today  :o

I noticed that for some reason Wireguard has started thinking there is an active connection with the last connected device even after that device has disconnected.  I've been using this current config for ages and ages now, haven't made any type of change other than the recent upgrade to 23.7.x.  I initially thought my key was somehow compromised when I saw an active connection that wasn't mine.  But after some testing I can reproduce the problem 100% of the time.  The only way to clear the old connection is to restart the service, which would be hard to do obviously if I was remote  ;D.  I'm using the os-wireguard vs go, not sure if there was a recent update to the plugin that maybe broke it?  Thoughts?  Without logs I'm not sure how to troubleshoot why this is happening.

10
23.7 Legacy Series / ddclient no longer updating IP address
« on: August 28, 2023, 01:11:09 am »
Wondering if anyone had some guidance on what's going on. Had ddclient up and running right before the upgrade to 23.7.x; it seemed to work after the upgrade. I noticed today I could no longer connect to my VPN, noticed my WAN IP wasn't correct, so checked ddclient and noticed it hasn't updated since the 23rd of this month. See log output. Seems like it's unable to detect my WAN IP for some reason.


11
General Discussion / Network Security Methodologies
« on: August 25, 2023, 06:14:16 pm »
Wanted to discuss with folks the methodology for securing networks on my network. Currently have various VLANs internally, a DMZ and two WAN connections. I host a few services on the DMZ, and a Wireguard connection, that are exposed to the internet.

Currently, I have Zenarmor enabled on my internal vlans, and Suricata on my DMZ connection.  Finally I use Crowdsec on all interfaces. 

I like the deeper inspection and rules of Suricata on my DMZ, but I'm not sure about its effectiveness, with transport security preventing it from being super useful nowadays. It feels like I'm chewing resources unnecessarily.

My goal is to detect and/or block if there is a compromise of a server on the DMZ; without a SIEM on my network I'm not sure how to get close-ish. In the past IPS/IDS was the answer, but maybe not anymore.

Is the simple answer just enable Zenarmor on the DMZ as well and disable Suricata?  Is there another tool I should be using that I'm not? Should I just rely on Crowdsec and hope for the best  8)   

I welcome any thoughts. 

12
23.1 Legacy Series / No alerts in latest Crowdsec
« on: June 01, 2023, 08:27:44 pm »
I was noticing I'm no longer seeing alerts in Crowdsec.  Anyone else noticing this after the latest update? 

I found a reddit thread with the same issue; was just curious how widespread this might be or if anyone knew why it might be happening.

https://www.reddit.com/r/CrowdSec/comments/13xd7xf/no_decisions_or_alerts_in_5_days/

13
23.1 Legacy Series / Occasional interface flapping on all interfaces
« on: May 15, 2023, 03:34:36 pm »
I've been struggling for a while now with seemingly random flapping of all of my interfaces that lasts for 10-15 min sometimes, then clears on its own. I initially thought it was related to the firewall as all traffic gets blocked during these events. I don't see any other events in the logs; even at debug level the first event is the "DEVD attached" event, then it just spams that and related interface events till the event is over, with nothing else logged before.

I do have a few plugins so maybe one of those is to blame?  I run Zenarmor on my internal interfaces, Suricata on my DMZ, and Crowdsec on my WAN.  Zenarmor and suricata do not monitor the same physical interfaces so there shouldn't be overlap. 

I'm starting to get to my wits' end on solving this; my wife and I work from home and having the network go down at random, sometimes inopportune, times is starting to cause some tension.

I've attached a few screenshots to add some color, I'd be glad to add anything else that might be helpful just let me know.

Edit: Adding dmesg output, this flapping goes on for pages and pages. I do see a few entries of eastpect exiting with signal 11. Not sure what that is, but it makes me wonder if Zenarmor is triggering this somehow or if it's just struggling with the interface flapping.

Code:
pid 59481 (eastpect), jid 0, uid 0: exited on signal 11
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0_vlan11: link state changed to DOWN
ix0_vlan12: link state changed to DOWN
ix0_vlan13: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
ix0_vlan11: link state changed to UP
ix0_vlan12: link state changed to UP
ix0_vlan13: link state changed to UP
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0_vlan11: link state changed to DOWN
ix0_vlan12: link state changed to DOWN
ix0_vlan13: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
ix0_vlan11: link state changed to UP
ix0_vlan12: link state changed to UP
ix0_vlan13: link state changed to UP
193.368040 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 2048 rxd 2048 rbufsz 2048
193.368304 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 2048 rxd 2048 rbufsz 2048
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0_vlan11: link state changed to DOWN
ix0_vlan12: link state changed to DOWN
ix0_vlan13: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
ix0_vlan11: link state changed to UP
ix0_vlan12: link state changed to UP
ix0_vlan13: link state changed to UP
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0_vlan11: link state changed to DOWN
ix0_vlan12: link state changed to DOWN
ix0_vlan13: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
ix0_vlan11: link state changed to UP
ix0_vlan12: link state changed to UP
ix0_vlan13: link state changed to UP
pid 48117 (eastpect), jid 0, uid 0: exited on signal 11
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0_vlan11: link state changed to DOWN
ix0_vlan12: link state changed to DOWN
ix0_vlan13: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
ix0_vlan11: link state changed to UP
ix0_vlan12: link state changed to UP
ix0_vlan13: link state changed to UP
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0_vlan11: link state changed to DOWN
ix0_vlan12: link state changed to DOWN
ix0_vlan13: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
ix0_vlan11: link state changed to UP
ix0_vlan12: link state changed to UP
ix0_vlan13: link state changed to UP
223.756165 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 2048 rxd 2048 rbufsz 2048
223.756223 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 2048 rxd 2048 rbufsz 2048
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0_vlan11: link state changed to DOWN
ix0_vlan12: link state changed to DOWN
ix0_vlan13: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
ix0_vlan11: link state changed to UP
ix0_vlan12: link state changed to UP
ix0_vlan13: link state changed to UP
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0_vlan11: link state changed to DOWN
ix0_vlan12: link state changed to DOWN
ix0_vlan13: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
ix0_vlan11: link state changed to UP
ix0_vlan12: link state changed to UP
ix0_vlan13: link state changed to UP
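An added triage helper (not from the post or the OPNsense project) that reads a dmesg excerpt in the format shown above and counts completed DOWN/UP cycles per interface, `eastpect` signal exits and `iflib_netmap_config` reconfigurations, so the three can be correlated; the sample lines are constructed to match that format.

```python
import re
from collections import Counter

# Constructed sample in the same format as the dmesg excerpt above (not the poster's full log).
SAMPLE_DMESG = """\
pid 59481 (eastpect), jid 0, uid 0: exited on signal 11
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
193.368040 [ 851] iflib_netmap_config       txr 4 rxr 4 txd 2048 rxd 2048 rbufsz 2048
ix0: link state changed to DOWN
ix0_vlan10: link state changed to DOWN
ix0: link state changed to UP
ix0_vlan10: link state changed to UP
pid 48117 (eastpect), jid 0, uid 0: exited on signal 11
"""

LINK_RE = re.compile(r"^(?P<ifname>\S+): link state changed to (?P<state>UP|DOWN)$")
CRASH_RE = re.compile(r"^pid (?P<pid>\d+) \((?P<proc>[^)]+)\).*exited on signal (?P<sig>\d+)$")


def summarize(dmesg_text):
    """Return per-interface DOWN->UP cycle counts, per-(process, signal) exit counts,
    and the number of netmap reconfiguration lines in the excerpt."""
    flaps = Counter()
    crashes = Counter()
    netmap_reconfigs = 0
    last_state = {}  # ifname -> last seen link state
    for line in dmesg_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            name, state = m.group("ifname"), m.group("state")
            if state == "UP" and last_state.get(name) == "DOWN":
                flaps[name] += 1  # one completed DOWN -> UP cycle
            last_state[name] = state
            continue
        m = CRASH_RE.match(line)
        if m:
            crashes[(m.group("proc"), int(m.group("sig")))] += 1
            continue
        if "iflib_netmap_config" in line:
            netmap_reconfigs += 1
    return {"flaps": dict(flaps), "crashes": dict(crashes), "netmap_reconfigs": netmap_reconfigs}


def is_flapping(summary, threshold=2):
    """True when any interface completed at least `threshold` DOWN->UP cycles (threshold is a constructed default)."""
    return any(n >= threshold for n in summary["flaps"].values())
```

Feed it the full `dmesg` output (for example via `dmesg | python3 thisfile.py` after adding a stdin reader) to see whether VLAN interfaces only cycle together with their parent, which points at the physical link or driver rather than a per-VLAN problem.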

14
23.1 Legacy Series / Can unbound be configured to accept DNS over TLS on 853?
« on: May 11, 2023, 10:53:28 pm »
I have a few clients most notably android devices that hit my firewall with dns requests on 853, currently they get blocked as there aren't any rules in place to accept them.  Is there any way to configure unbound to accept DNS over TLS on the client side?  Didn't find much trying to search for it, probably more trouble than I care for anyway, but was just curious. 

15
Zenarmor (Sensei) / Subscription revoked after last update? (Maybe PSA)
« on: May 05, 2023, 05:05:01 pm »
Not sure if this happened to anyone else.  After the last update my subscription was revoked, I was able to reactivate it.  However it reset all the non-premium features back to defaults so any policies using premium features need to be looked through. 

Just a heads up to anyone who installs the latest update: there were no notifications of this until I happened to see the information in the banner of the UI on the OPNsense side; if you only use the cloud port this wasn't clear.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved