Topics - Imnot A Robot

#1
Hello OPNsense Community,

Is this not right?
It looks like AdGuard blocks a rule here:


And then passes the same rule here:


AdGuard is set up listening on port 53 and forwarding to Unbound on port 8953.


Can someone please offer advice?



OPNsense 25.1.6_4-amd64
AdGuard Version: v0.107.61
#2
Can Monit be configured to alert when an IDS rule is triggered - drop or alert?

If so, which log file is it in /var/log?
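As an added example (not from the poster or from the OPNsense or Monit projects), the following script reads Suricata's EVE JSON output, which is the file that carries IDS/IPS alerts; the assumption here is the default OPNsense location /var/log/suricata/eve.json. The sample lines are constructed. It separates alerts whose action was "blocked" (IPS dropped the packet) from "allowed" (logged only), tolerates the partial line you get when reading a file Suricata is still writing, and builds the regular expression a Monit file content test (`match`) could use on the raw file.

```python
import json
import re
from collections import Counter

# Constructed sample of Suricata EVE JSON output: one JSON object per line.
# Assumption: on OPNsense the live file is /var/log/suricata/eve.json; these
# records are made up for the example and not taken from the poster's system.
SAMPLE_EVE = r'''
{"timestamp":"2025-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":44321,"dest_ip":"192.168.1.20","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2025-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"198.51.100.7","proto":"TCP"}
{"timestamp":"2025-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"192.168.1.33","src_port":51000,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013028,"rev":6,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":3}}
{"timestamp":"2025-05-01T10:00:04.000000+0000","event_type":"dns","src_ip":"192.168.1.33","dest_ip":"192.168.1.1","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2025-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":5
'''


def parse_eve(text):
    """Parse EVE lines into dicts, skipping blank or malformed lines.

    Suricata may be mid-write when a reader opens the file, so a truncated
    trailing line is expected and must not abort the whole scan.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def ids_alerts(events):
    """Keep only event_type == "alert" records, flattened to the fields an
    alerting hook needs. action "blocked" means IPS mode dropped the packet;
    "allowed" means the rule only logged it (IDS mode or a non-drop rule)."""
    out = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        a = ev.get("alert", {})
        out.append({
            "time": ev.get("timestamp"),
            "action": a.get("action"),
            "sid": a.get("signature_id"),
            "signature": a.get("signature"),
            "severity": a.get("severity"),
            "src": f'{ev.get("src_ip")}:{ev.get("src_port")}',
            "dst": f'{ev.get("dest_ip")}:{ev.get("dest_port")}',
        })
    return out


def count_by_action(alerts):
    return Counter(a["action"] for a in alerts)


def eve_match_pattern(action="blocked"):
    """Regular expression for a Monit file content test on eve.json.
    Matches the compact key order Suricata emits: event_type first, then
    the nested alert object with its action."""
    return r'"event_type":"alert".*"action":"%s"' % re.escape(action)


def matching_lines(text, action="blocked"):
    """How many raw EVE lines the Monit-style pattern would fire on."""
    pat = re.compile(eve_match_pattern(action))
    return sum(1 for line in text.splitlines() if pat.search(line))


if __name__ == "__main__":
    alerts = ids_alerts(parse_eve(SAMPLE_EVE))
    for a in alerts:
        print(f'{a["time"]} {a["action"]:7} sid={a["sid"]} sev={a["severity"]} '
              f'{a["src"]} -> {a["dst"]} {a["signature"]}')
    print(dict(count_by_action(alerts)))
    print("lines a Monit match on 'blocked' would fire on:", matching_lines(SAMPLE_EVE))
```

The regex is intentionally anchored on both `event_type` and `action` so that a Monit content test does not fire on `flow` or `dns` records that happen to contain the word "blocked" in a hostname or user agent.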
#3
Shot in the dark here, but this happened with my iPhone a year ago, and now my wife's, and I can't figure out why old-to-new iPhone data transfers won't work on my network.

I don't see AdGuard blocking anything Apple, nor the firewall, except for the occasional WAN incoming. Everything else on my network works fine.

Anybody care to take a stab in the dark as to why this Apple function won't work on my network?

Thanks
#4
24.1, 24.4 Legacy Series / States and iMessenger
April 19, 2024, 08:47:18 PM
Basically, I want this rule to stop all traffic to an iPad completely, but it's hit-or-miss on iMessages:


1. I have a rule to block an iPad to *Any which works for most apps and internet,  but iMessages still goes through.

2. I next check the states for the iPad, delete them, iMessages then stops transmitting... cool.

3. I turn off the rule, everything transmits again.

4. I reactivate the block rule, back to step 1  :-[.

5. I deactivate the iPad's Wi-Fi, then reactivate it. The rule works  -  iMessage is blocked   :-\.


But why are the states getting locked in when the rule is deactivated then  reactivated?


#5
Hi,

Any workaround for not being able to use aliases in Shaper rules?

I just want to throttle back traffic to two ASNs. But since I can't put the alias for those in Shaper rules, I can't figure out if there's something else that I can do. Any suggestions?


Thanks
#6
23.7 Legacy Series / PTP?
December 29, 2023, 11:32:16 PM
Hello all,

I need to know if my NICs support PTP hardware timestamping and a clock, but it does not look like there is a ptpd.

Is there a freebsd equivalent of ethtool -T em0 ?

Ultimately this is to see if I can use OPNsense for long distance transmission of precision-clocked multichannel audio.


Thank you

#7
After the upgrade to 23.7.8... Firewall > Rules: hitting "Inspect" while on any interface now only shows N/A on all rule stats, homemade and auto-generated. I used to get counters.

Searched with no luck. What could it be?
#8
I was getting reporting data with Wireguard-Go before the upgrade but not now.

The WG interface is selected in the Zenarmor Settings > Config, but the Dashboard traffic graph just shows a flatline.
Reports shows all other interfaces but not Wireguard.
Live Sessions - Can filter wg0 interface but reports nothing.

Log Message:
Engine configuration error
Cannot validate interface: netmap@wg0 line: 2, 1, netmap@wg0, netmap@wg0^, 0, 3, 4345 ,lan;netmap;routedmode


Anybody else experiencing the same and is there a fix?



OPNsense 23.7.1_3
Zenarmor   1.14.2
#9
General Discussion / AV network security
December 09, 2022, 11:17:58 PM
I administer an AV broadcast system which has dozens of hardware components on an RFC 1918 network running through various D-Link switches.

The PC that I use to administer the network has a 4-port NIC card. One port is WAN for general internet and the others are my AV subnets. I disable the WAN interface when not working on the system because it seems prudent.

Almost all hardware components are logged into through a web GUI but all are HTTP. They just have general logins with no security features built in. What are the ways to better secure these components so I'm logging into them with HTTPS?

Any advice on what the topology should look like, as in a professional environment?


Thanks
#10
General Discussion / IoT Interface flooded with IANA
December 15, 2021, 11:56:45 PM
Hello,
Can someone offer some insight as to why my IoT interface is getting pounded with this IANA EMC-Documentum Content Server Product? If it's bad, how do I stop it? If it's okay, how do I stop seeing it?

Whois: https://findipv6.com/ipv6-whois/fe80::76ac:b9ff:fed3:53cd
iana.org: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=10002
Port 10002: https://www.adminsub.net/tcp-udp-port-finder/10002

I have IPv6 deactivated/blocked.

   Interface       Time    Source    Destination    Proto    Label    
   IoT      Dec 15 17:53:25   [fe80::76ac:b9ff:fed3:53cd]:53715   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:53:25   [fe80::76ac:b9ff:fed3:53cd]:46932   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:53:25   [fe80::76ac:b9ff:fed3:53cd]:33760   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:52:55   [fe80::76ac:b9ff:fed3:53cd]:39756   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:52:55   [fe80::76ac:b9ff:fed3:53cd]:59475   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:52:55   [fe80::76ac:b9ff:fed3:53cd]:41079   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:52:24   [fe80::76ac:b9ff:fed3:53cd]:52025   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:52:24   [fe80::76ac:b9ff:fed3:53cd]:59129   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:52:24   [fe80::76ac:b9ff:fed3:53cd]:34023   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:51:55   [fe80::76ac:b9ff:fed3:53cd]:60361   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:51:55   [fe80::76ac:b9ff:fed3:53cd]:53706   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:51:55   [fe80::76ac:b9ff:fed3:53cd]:54928   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:51:54   fe80::26f5:a2ff:fec3:25a0   ff02::1   ip   Block all IPv6   
   IoT      Dec 15 17:51:25   [fe80::76ac:b9ff:fed3:53cd]:38620   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:51:25   [fe80::76ac:b9ff:fed3:53cd]:40426   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:51:25   [fe80::76ac:b9ff:fed3:53cd]:46277   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:50:25   [fe80::76ac:b9ff:fed3:53cd]:48740   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:50:25   [fe80::76ac:b9ff:fed3:53cd]:38381   [ff02::1]:10002   udp   Block all IPv6   
   IoT      Dec 15 17:50:25   [fe80::76ac:b9ff:fed3:53cd]:39179   [ff02::1]:10002   udp   Block all IPv6


Thanks   -Chris
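As an added example (not from the poster or from OPNsense), the script below parses log lines in the layout of the table above and classifies each flow by what the addresses themselves say: a source in fe80::/10 is link-local and ff02::1 is the link-scope all-nodes multicast group, so such packets never cross a router whatever the destination port's IANA name happens to be; the firewall only sees them because the block rule on that interface logs. It also recovers the MAC address from a modified-EUI-64 interface identifier, which is the quickest way to find which IoT device is talking. The first three sample lines reuse the addresses from the post; the fourth, a 2001:db8::/32 documentation-prefix flow, is invented for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed lines in the layout of the firewall log table above. The first
# three reuse the post's addresses; the fourth is an invented global flow.
SAMPLE_LOG = """\
IoT  Dec 15 17:53:25  [fe80::76ac:b9ff:fed3:53cd]:53715  [ff02::1]:10002  udp  Block all IPv6
IoT  Dec 15 17:53:25  [fe80::76ac:b9ff:fed3:53cd]:46932  [ff02::1]:10002  udp  Block all IPv6
IoT  Dec 15 17:51:54  fe80::26f5:a2ff:fec3:25a0  ff02::1  ip  Block all IPv6
IoT  Dec 15 17:51:55  [2001:db8::10]:40000  [2001:db8:1::1]:443  tcp  Block all IPv6
"""

_ENDPOINT = re.compile(r"^\[(?P<addr>[^\]]+)\]:(?P<port>\d+)$|^(?P<bare>[0-9A-Fa-f:.]+)$")

# Scope nibble of an IPv6 multicast address (RFC 4291 section 2.7).
_MCAST_SCOPE = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def parse_endpoint(token):
    """'[addr]:port' -> (addr, port); bare 'addr' -> (addr, None)."""
    m = _ENDPOINT.match(token)
    if not m:
        raise ValueError(f"unrecognised endpoint {token!r}")
    if m.group("addr"):
        return ipaddress.ip_address(m.group("addr")), int(m.group("port"))
    return ipaddress.ip_address(m.group("bare")), None


def parse_line(line):
    """Columns are separated by two or more spaces; the time column and the
    label column contain single spaces, so a single-space split would break."""
    iface, when, src, dst, proto, label = re.split(r"\s{2,}", line.strip())
    s_ip, s_port = parse_endpoint(src)
    d_ip, d_port = parse_endpoint(dst)
    return {"iface": iface, "time": when, "src": s_ip, "sport": s_port,
            "dst": d_ip, "dport": d_port, "proto": proto, "label": label}


def eui64_to_mac(addr):
    """Recover the MAC from a modified-EUI-64 interface identifier, or None
    when the IID is not EUI-64 derived (e.g. RFC 4941 privacy addresses)."""
    iid = ipaddress.ip_address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02                      # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def classify(rec):
    src, dst = rec["src"], rec["dst"]
    scope = None
    if dst.is_multicast:
        scope = _MCAST_SCOPE.get(int(dst.exploded[3], 16), "reserved")
    # Link-local sources and interface/link-scope multicast never cross a
    # router, so nothing here could be forwarded anywhere; the rule merely
    # logs what arrives on the segment.
    routable = not (src.is_link_local or scope in ("interface-local", "link-local"))
    return {"src_mac": eui64_to_mac(src) if src.is_link_local else None,
            "dst_scope": scope,
            "all_nodes": dst == ipaddress.ip_address("ff02::1"),
            "routable": routable}


def triage(text):
    """Count log lines per (source MAC or address, verdict)."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        c = classify(rec)
        who = c["src_mac"] or str(rec["src"])
        counts[(who, "routable" if c["routable"] else "local-noise")] += 1
    return counts


if __name__ == "__main__":
    for (who, verdict), n in triage(SAMPLE_LOG).items():
        print(f"{n:3d}  {who:<20}  {verdict}")
```

Look up the recovered MAC in the DHCP leases or the ARP/NDP tables to name the device; the remaining choice is between disabling logging on that block rule and leaving the rule to log, since there is nothing to forward.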
#11
21.7 Legacy Series / Unbound DoT uncertainty
December 09, 2021, 05:48:34 PM
The 1.1.1.1/help webpage shows "NO" on using DNS over TLS.  However, Connectivity to Resolver IP Address is "YES"

I guess it's a Cloudflare engineering issue as per this post: https://community.cloudflare.com/t/cloudflare-dot-and-dnssec/118414/17

Still, any concerns with this log?

[65483:1] info: Verified that unsigned response is INSECURE
[65483:1] info: NSEC3s for the referral proved no DS.
[65483:1] info: reply from <.> 1.1.1.1#853


I already have FIREWALL and NAT>PORT FORWARD rules for port 53 as per OPNsense forum: https://forum.opnsense.org/index.php?topic=9245.0

Do I have to include port 853 rules anywhere in the firewall?


Thanks,
Chris
21.7.6
#12
General Discussion / Health Audit - Error 2 Message
December 06, 2021, 10:55:34 PM
OPNsense was getting erratic, and whether my messing around with Sensei and ntopng caused it is questionable. Normalcy was restored with the removal of the plugins; however, I'm getting this Error 2 message.

Any idea how I can fix it?


***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.6 (amd64/OpenSSL) at Fri Dec  3 21:38:27 UTC 2021
>>> Check installed kernel version
Version 21.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.5 is correct.

>>> Check for missing or altered base files
Error 2 ocurred.
etc/sysctl.conf:
   size (311, 611)
   sha256digest (0x8c57d647047d84b9be4cddbb0b6d58c1d5839f148b62d1137b8bf2611f681cfd, 0x3e005c84fa203b0f56e38ee7d1fd21003ece7f945d69b8fd6bd1842bf5fddb69)

>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***
#13
Using Wireguard-go as a road warrior is suiting my needs well as a single iPhone VPN. Problems arise when I try to add more endpoints because the configurations don't work as I imagined -- basically I thought I'd just add more endpoints and reuse the original Local Config, Public Key, and Tunnel Address.

In a nutshell, for each additional device, do I reuse the local config's (Public Key, Tunnel Address) and just add additional endpoints, or do I need to create completely new Local Config + Tunnel pairs for each additional device?


Thanks,
Chris
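As an added example (not from the poster, OPNsense, or the WireGuard project) of how the pieces fit together: the local (server) config stays one interface with one key pair, and each device is one more endpoint entry with its own key pair and its own /32 tunnel address. WireGuard identifies a peer by public key and updates that peer's remote endpoint on every authenticated packet, so two devices sharing one key would keep overwriting each other's endpoint, and two devices with the same tunnel address cannot both be routed to. The generator below enforces both constraints. The key values it produces are random 32-byte strings of the right shape only; real keys come from `wg genkey` and `wg pubkey`. The endpoint hostname vpn.example.net and the subnet 10.10.10.0/24 are assumptions.

```python
import base64
import ipaddress
import os


def is_wg_key(key):
    """WireGuard keys are 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def placeholder_key():
    # Shape-correct stand-in only; real keys come from `wg genkey` / `wg pubkey`.
    return base64.b64encode(os.urandom(32)).decode()


class WgServer:
    """One local config (the firewall side) plus one [Peer] per device."""

    def __init__(self, public_key, endpoint, tunnel_net, listen_port=51820):
        if not is_wg_key(public_key):
            raise ValueError("server: malformed public key")
        self.public_key = public_key
        self.endpoint = endpoint
        self.listen_port = listen_port
        self.net = ipaddress.ip_network(tunnel_net)
        hosts = self.net.hosts()
        self.address = next(hosts)       # server takes the first host address
        self._free = hosts               # remaining addresses handed to peers
        self.peers = []                  # exactly one entry per device

    def add_peer(self, name, public_key, preshared_key=None):
        if not is_wg_key(public_key):
            raise ValueError(f"{name}: malformed public key")
        if any(p["public_key"] == public_key for p in self.peers):
            raise ValueError(f"{name}: public key already used by another peer")
        try:
            addr = next(self._free)      # unique /32 per device
        except StopIteration:
            raise ValueError(f"{name}: tunnel subnet {self.net} is full")
        peer = {"name": name, "public_key": public_key, "address": addr,
                "preshared_key": preshared_key}
        self.peers.append(peer)
        return peer

    def server_config(self, private_key):
        lines = ["[Interface]",
                 f"Address = {self.address}/{self.net.prefixlen}",
                 f"ListenPort = {self.listen_port}",
                 f"PrivateKey = {private_key}"]
        for p in self.peers:
            lines += ["", f"# {p['name']}", "[Peer]",
                      f"PublicKey = {p['public_key']}",
                      f"AllowedIPs = {p['address']}/32"]   # only this device's address
            if p["preshared_key"]:
                lines.append(f"PresharedKey = {p['preshared_key']}")
        return "\n".join(lines) + "\n"

    def client_config(self, peer, client_private_key, full_tunnel=True):
        # full_tunnel sends everything through the VPN; otherwise only the
        # tunnel subnet is routed (add LAN subnets here for split tunnelling).
        allowed = "0.0.0.0/0" if full_tunnel else str(self.net)
        lines = ["[Interface]",
                 f"Address = {peer['address']}/32",
                 f"PrivateKey = {client_private_key}",
                 "", "[Peer]",
                 f"PublicKey = {self.public_key}"]
        if peer["preshared_key"]:
            lines.append(f"PresharedKey = {peer['preshared_key']}")
        lines += [f"Endpoint = {self.endpoint}:{self.listen_port}",
                  f"AllowedIPs = {allowed}",
                  "PersistentKeepalive = 25"]
        return "\n".join(lines) + "\n"


def build_demo():
    """Two devices behind one local config; returns the server and all configs."""
    server_priv, server_pub = placeholder_key(), placeholder_key()
    srv = WgServer(server_pub, "vpn.example.net", "10.10.10.0/24")
    configs = {}
    for name in ("iphone", "ipad"):
        priv, pub = placeholder_key(), placeholder_key()
        peer = srv.add_peer(name, pub)
        configs[name] = srv.client_config(peer, priv)
    configs["server"] = srv.server_config(server_priv)
    return srv, configs


def duplicate_key_rejected(srv):
    """What the poster's 'reuse the key for the next device' attempt runs into."""
    try:
        srv.add_peer("ipad-again", srv.peers[0]["public_key"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    srv, configs = build_demo()
    print(configs["server"])
    print(configs["ipad"])
    print("reusing a key is rejected:", duplicate_key_rejected(srv))
```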
#14
General Discussion / Simple FW rule yet no internet
November 26, 2021, 03:13:09 PM
Can someone help me understand why I'm not getting internet on my IoT interface when I enable the Block Private Networks rule?



Private networks are: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

There's 1 WAN interface, 1 LAN (192.168.1.1), & 1 IoT (192.168.2.1)


:-\ And I'm unable to insert the screenshot URL, so I'm attaching it. Please have a look.


Thanks,
Chris
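The two firewall puzzles on this page, the block rule that only bites after states are deleted (the iPad/iMessage post above) and the "Block Private Networks" rule that takes the IoT interface offline (this post), share one mechanism, so here is one added example (not from the poster or OPNsense) that models both. It simulates the relevant pf behaviour as OPNsense uses it: interface rules are evaluated first match ("quick" is on by default), a matching pass rule creates a state, and later packets of that flow are matched against the state table before any rule is consulted, which is why enabling a block rule does not touch flows that are already established. For this post the screenshot is not on the page, so the cause modelled is an assumption, but it is the usual one: 192.168.2.1 is inside 192.168.0.0/16, so a rule blocking IoT clients to RFC 1918 also blocks their DNS queries to the firewall, and nothing resolves even though traffic to public addresses passes; the model also shows what happens if the interface's "Block private networks" option (meant for WAN, it blocks private *sources*) was enabled instead. The iPad address 192.168.1.50 and the remote addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Aliases in the OPNsense sense: a name for one or more networks.
# Addresses other than the interface addresses from the post are constructed.
ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "LAN_net": ["192.168.1.0/24"],
    "IoT_net": ["192.168.2.0/24"],
    "IoT_address": ["192.168.2.1/32"],   # the firewall's own IoT address (DNS)
    "ipad": ["192.168.1.50/32"],
}


def _nets(spec):
    if spec == "any":
        return None
    return [ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec])]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # alias name, CIDR, or "any"
    dst: str
    proto: str = "any"
    dport: Optional[int] = None
    enabled: bool = True
    label: str = ""

    def matches(self, pkt):
        def hit(spec, ip):
            nets = _nets(spec)
            return nets is None or any(ip in n for n in nets)
        return (hit(self.src, pkt[0]) and hit(self.dst, pkt[1])
                and self.proto in ("any", pkt[2]) and self.dport in (None, pkt[3]))


class StatefulFilter:
    """First-match rules plus a state table consulted before the rules."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()

    def filter(self, src, dst, proto, dport):
        pkt = (ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)
        if pkt in self.states:
            return "pass:state"          # rules are never evaluated for this packet
        for r in self.rules:
            if r.enabled and r.matches(pkt):
                if r.action == "pass":
                    self.states.add(pkt)
                return f"{r.action}:{r.label}"
        return "block:default"

    def kill_states(self, host):
        """Like deleting the host's entries under Firewall > Diagnostics > States."""
        h = ipaddress.ip_address(host)
        self.states = {s for s in self.states if h not in (s[0], s[1])}


def imessage_scenario():
    """The five steps of the iPad post, with the rule toggled around a live flow."""
    block = Rule("block", "ipad", "any", enabled=False, label="block-ipad")
    fw = StatefulFilter([block, Rule("pass", "LAN_net", "any", label="lan-out")])
    flow = ("192.168.1.50", "203.0.113.10", "tcp", 443)
    log = [fw.filter(*flow)]                 # rule off: passes, state created
    block.enabled = True
    log.append(fw.filter(*flow))             # rule on, but the state still exists
    fw.kill_states("192.168.1.50")
    log.append(fw.filter(*flow))             # now the block rule is reached
    block.enabled = False
    log.append(fw.filter(*flow))             # passes again and re-creates the state
    block.enabled = True
    log.append(fw.filter(*flow))             # back to step 1: the state wins
    return log


def iot_scenario(mode):
    """mode: "dst-rule" = manual 'block IoT_net -> RFC1918' rule;
    "interface-option" = the 'Block private networks' checkbox (blocks sources);
    "fixed" = dst-rule with a pass for DNS to the firewall placed before it."""
    if mode == "interface-option":
        rules = [Rule("block", "RFC1918", "any", label="block-private-src")]
    else:
        rules = [Rule("block", "IoT_net", "RFC1918", label="block-private-dst")]
    if mode == "fixed":
        rules.insert(0, Rule("pass", "IoT_net", "IoT_address", "udp", 53, label="dns-to-fw"))
    rules.append(Rule("pass", "IoT_net", "any", label="iot-out"))
    fw = StatefulFilter(rules)
    return {"dns_to_firewall": fw.filter("192.168.2.20", "192.168.2.1", "udp", 53),
            "lan_host": fw.filter("192.168.2.20", "192.168.1.10", "tcp", 445),
            "internet": fw.filter("192.168.2.20", "198.51.100.7", "tcp", 443)}


if __name__ == "__main__":
    print("iMessage steps:", imessage_scenario())
    for mode in ("dst-rule", "interface-option", "fixed"):
        print(f"IoT {mode:17}", iot_scenario(mode))
```

The "fixed" ordering keeps the isolation the poster wants (IoT to LAN hosts stays blocked) while letting IoT clients reach the firewall's DNS; the same exception is needed for DHCP or any other service the firewall itself provides on that interface.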