Topics - bmt

#1
Hi

Just a note to everyone, I updated 4 different OPNsense firewalls and experienced the same thing. Before the upgrade, the policy was "moderate control", and all was blocking as it should. After the upgrade, "moderate control" is highlighted as this is what it was configured to. However, the actual option sliders are all set to "allowed". I had to reselect moderate control, which enabled the sliders, and then apply.

Just an FYI, as in my case this was for schools, and they could access naughty sites they could not access before.
#2
I'm trying to upgrade to 24.1, but I'm getting an error - anyone seen this before, and found a way to overcome it? I don't have direct access to the box, so need to fix this remotely.

"***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.12 at Sat Jan 21 04:38:19 SAST 2012
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
18314631475200:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
Waiting for another process to update repository OPNsense
Updating SunnyValley repository catalogue...
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:13:amd64/23.7/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:13:amd64/23.7/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:13:amd64/23.7/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***"
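Added triage example (not from the post and not OPNsense's own tooling): the quoted log reports the firewall's own clock as January 2012 while the firmware is 23.7, and every TLS failure is a "certificate verify failed" against a CA, which is exactly what a clock set before the CA chain's validity window produces. The script below parses a constructed, abridged copy of that log, extracts the reported clock year and the release year implied by the version (OPNsense versions are YY.M), and classifies the failure so that the clock/NTP gets checked before anyone touches trust settings. The function names and the "clock-skew"/"tls-trust"/"ok" labels are this example's own.

```python
import re

# Constructed sample: an abridged copy of the update log quoted in the post above.
SAMPLE_LOG = """***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.12 at Sat Jan 21 04:38:19 SAST 2012
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
18314631475200:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:13:amd64/23.7/${SUBSCRIPTION}/meta.txz: Authentication error
Error updating repositories!
***DONE***
"""

RUNNING_RE = re.compile(r"Currently running OPNsense (\d+)\.(\d+)\S* at (.+)$")
CERT_FAIL_RE = re.compile(r"Certificate verification failed for (/.*)$")
AUTH_ERR_RE = re.compile(r"(https?://\S+): Authentication error")


def parse_update_log(text):
    """Pull the version, the firewall's own clock year and the TLS failures out of an update log."""
    info = {"version": None, "build_year": None, "clock_year": None,
            "failed_cas": [], "auth_errors": []}
    for line in text.splitlines():
        m = RUNNING_RE.search(line)
        if m:
            info["version"] = f"{m.group(1)}.{m.group(2)}"
            # OPNsense versions are YY.M, so the major number gives the release year.
            info["build_year"] = 2000 + int(m.group(1))
            # The date is ctime-style; its last token is the four-digit year.
            info["clock_year"] = int(m.group(3).split()[-1])
        m = CERT_FAIL_RE.search(line)
        if m and m.group(1) not in info["failed_cas"]:
            info["failed_cas"].append(m.group(1))
        m = AUTH_ERR_RE.search(line)
        if m:
            info["auth_errors"].append(m.group(1))
    return info


def diagnose(text):
    """Return 'clock-skew', 'tls-trust' or 'ok' for an update log.

    A clock earlier than the firmware's release year means every CA in the
    chain looks not-yet-valid to the firewall, so verification fails before
    any trust-store problem can even be considered.
    """
    info = parse_update_log(text)
    if not info["failed_cas"]:
        return "ok"
    if (info["clock_year"] is not None and info["build_year"] is not None
            and info["clock_year"] < info["build_year"]):
        return "clock-skew"
    return "tls-trust"


if __name__ == "__main__":
    report = parse_update_log(SAMPLE_LOG)
    print(f"version {report['version']}, clock year {report['clock_year']}, "
          f"CAs failing: {len(report['failed_cas'])}, verdict: {diagnose(SAMPLE_LOG)}")
```

On the posted log this yields "clock-skew": the fix to verify remotely is the system date and NTP sync, after which the repository fetches can be retried; "tls-trust" would instead point at the trust store or an intercepting proxy.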
#3
Edit: Just a note that the s2s VPN was working perfectly on all versions before 23.7.10. The site is 800km away from me, so a little nervous to roll back to previous OPNsense version remotely.

At a total loss here...have checked every post, guide etc and can't figure out what I'm doing wrong.

Firewall rules on both sites are configured to allow connections on port 5180 and traffic from WG to LAN. There is a handshake, and this is the result.

However, I cannot ping from one site to the next.

Site 1 shows transfer rx and tx.
Site 2 shows zero transfer rx but traffic on tx. Any suggestions on what to check, or output I can share that will help?

Site1:
interface: wg2
  public key: pnRhuA2blsBbPLsaZCA3bgQcB36fJzpZTXPy5DvZVhg=
  private key: (hidden)
  listening port: 51820

peer: DjojsEKBxxxxxxxKzX6/Dk76Munatg4=
  endpoint: 102.xxx.xxx.15:51820
  allowed ips: 10.11.0.1/32, 192.168.1.0/24
  transfer: 23.41 KiB received, 16.87 KiB sent
  persistent keepalive: every 25 seconds

Site2:
interface: wg2
  public key: DjojsEKxxxxxxxxxx/Dk76Munatg4=
  private key: (hidden)
  listening port: 51820

peer: pnRhuxxxxxxxxxxfJzpZTXPy5DvZVhg=
  endpoint: 102.221.100.138:51820
  allowed ips: 10.11.0.2/32, 192.168.0.0/24
  transfer: 0 B received, 23.12 KiB sent
  persistent keepalive: every 25 seconds
Thanks
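Added diagnostic example (not from the post, not part of OPNsense or WireGuard): the two `wg show` dumps above already contain the key symptom, namely site 2 reporting 0 B received while site 1 reports bytes sent in that direction, with the reverse direction consistent. The script below parses that output format, pairs each site's peer entry with the other site's interface key, flags any direction where one side counts bytes sent but the other counts none received, and checks that the allowed-ips prefixes each side routes to the other do not overlap (overlapping prefixes break WireGuard's cryptokey routing). The sample is constructed in the same format with placeholder keys and documentation addresses; `check_pair` and its finding strings are this example's own naming.

```python
import ipaddress
import re

# Constructed sample in the `wg show` format quoted in the post above.
# Keys and public endpoints are placeholders, not the poster's real values.
SITE1 = """interface: wg2
  public key: KEY_SITE1_PLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: KEY_SITE2_PLACEHOLDER=
  endpoint: 198.51.100.15:51820
  allowed ips: 10.11.0.1/32, 192.168.1.0/24
  transfer: 23.41 KiB received, 16.87 KiB sent
  persistent keepalive: every 25 seconds
"""

SITE2 = """interface: wg2
  public key: KEY_SITE2_PLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: KEY_SITE1_PLACEHOLDER=
  endpoint: 198.51.100.138:51820
  allowed ips: 10.11.0.2/32, 192.168.0.0/24
  transfer: 0 B received, 23.12 KiB sent
  persistent keepalive: every 25 seconds
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}
TRANSFER_RE = re.compile(r"([\d.]+) (\w+) received, ([\d.]+) (\w+) sent")


def parse_wg_show(text):
    """Parse `wg show` output into {'interface': {...}, 'peers': [{...}, ...]}."""
    result = {"interface": {}, "peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split on the first colon only: endpoint values contain a second one.
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "interface":
            current = result["interface"]
            current["name"] = value
        elif key == "peer":
            current = {"public key": value}
            result["peers"].append(current)
        elif current is not None:
            current[key] = value
    return result


def parse_transfer(value):
    """Convert 'X KiB received, Y KiB sent' into integer byte counts (rx, tx)."""
    m = TRANSFER_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised transfer line: {value!r}")
    rx = int(float(m.group(1)) * UNITS[m.group(2)])
    tx = int(float(m.group(3)) * UNITS[m.group(4)])
    return rx, tx


def find_peer(site, public_key):
    """Return the peer entry whose public key matches, or None."""
    for peer in site["peers"]:
        if peer["public key"] == public_key:
            return peer
    return None


def check_pair(name_a, site_a, name_b, site_b):
    """Cross-check two sites' parsed `wg show` output; an empty list means consistent."""
    findings = []
    peer_in_a = find_peer(site_a, site_b["interface"]["public key"])
    peer_in_b = find_peer(site_b, site_a["interface"]["public key"])
    if peer_in_a is None:
        findings.append(f"{name_a} has no peer entry for {name_b}'s public key")
    if peer_in_b is None:
        findings.append(f"{name_b} has no peer entry for {name_a}'s public key")
    if peer_in_a is None or peer_in_b is None:
        return findings

    # Bytes one side counts as sent should appear as bytes received on the other side.
    rx_a, tx_a = parse_transfer(peer_in_a["transfer"])
    rx_b, tx_b = parse_transfer(peer_in_b["transfer"])
    for src, tx, dst, rx in ((name_a, tx_a, name_b, rx_b), (name_b, tx_b, name_a, rx_a)):
        if tx > 0 and rx == 0:
            findings.append(f"{dst} reports 0 B received although {src} reports {tx} B sent: "
                            f"packets from {src} are not being accepted at {dst}")

    # Cryptokey routing: prefixes routed A->B must not overlap prefixes routed B->A.
    nets_a = [ipaddress.ip_network(p.strip(), strict=False) for p in peer_in_a["allowed ips"].split(",")]
    nets_b = [ipaddress.ip_network(p.strip(), strict=False) for p in peer_in_b["allowed ips"].split(",")]
    for na in nets_a:
        for nb in nets_b:
            if na.overlaps(nb):
                findings.append(f"allowed-ips overlap: {name_a} routes {na} while {name_b} routes {nb}")
    return findings


if __name__ == "__main__":
    for finding in check_pair("site1", parse_wg_show(SITE1), "site2", parse_wg_show(SITE2)):
        print(finding)
```

On the sample this reports exactly one finding, the site1 to site2 direction, which narrows the remote checks to what sits between site 1's sent packets and site 2's receive counter: the inbound rule for UDP 51820 on site 2's WAN, NAT in front of site 2, and that site 2's peer entry really carries site 1's current public key.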
#4
Hi

The environment is a campus network with 6 sites, all connected wirelessly to the main site where the OPNsense firewall and internet breakout is.

I have a client using Mimecast S1 for email and phishing security (onsite Exchange server), but we're looking for alternatives. Does anyone have any experience using Suricata ET Pro and/or Zenarmor Business? Will it provide the same/better level of protection?

TIA
#5
Right, so this is a weird one.

OPNsense 23.1.5_4-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

WAN: Dual, igb0 and igb1.
VPN: Zerotier, Wireguard
Firewall Alias: Telephony - contains all IP phones, voip-related services.

Firewall is configured to block inbound on the Telephony alias on Zerotier and Wireguard interfaces.

I've been struggling with the shaper / pipes etc to separate out voip and data. Configured the rule on the WAN (igb0) and LAN (igb3) interfaces to cover both upload and download. When checking the shaper status, the rules would never get hits on a rule to push UDP 5060 into the voip pipe. I ran the packet capture across all interfaces and found that all UDP 5060 was going through the Zerotier interface (pic attached - 192.168.10.9 is the voip server onsite).

Side note - the VoIP service is 3CX, which seems to be very chatty on all sorts of ports. But my main concern is the packet capture showing the traffic on the wrong port.

Any advice, or is there something I'm doing wrong?

Thanks in advance.