Topics - michmoor

1
Virtual private networks / IPsec logs why a tunnel fails
« on: June 26, 2023, 08:36:12 pm »
Let me start by saying all my IPsec Debug options are set to highest.

Problem: I noticed I do not receive any good logging as to why an IPsec tunnel is failing. I would expect to see PROPOSAL MISMATCH or NONE CHOSEN or its equivalent.
I have even purposely changed the IKE P1 details of one of my tunnels just to see if I'm getting that notification of why the tunnel is failing, and I am not.

My IPsec > Log File is set to Notice.

I am on OPNsense 23.1.10_1-amd64

2
23.1 Legacy Series / FRR - Severity Error
« on: June 24, 2023, 10:25:12 pm »
I have an existing GitHub ticket tracking this but I wanted to bring it to the forum as it may be a more appropriate place to troubleshoot.

Background: Moving from a pfSense to an OPNsense deployment. Currently in POC stage. Routing is done over an IPsec VTI with eBGP. Routing neighborships do come up and I am able to route across.

Problem: I am not getting any protocol adjacency messages in the log. So for example if a neighbor bounces I should get the following message in the logs:

bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsensePOC.xxyy) in vrf default Down Peer closed the session

This is useful for me as this is how I build my alerting system off of syslog.

I even switched to OSPF just to see if maybe there was something wrong in my BGP config, but even there all ospfd messages are with severity Error.

Not only do those messages not appear, I noticed today that all bgpd/ospfd messages are set at severity level Error. Just really strange stuff. All notifications related to routing are at the default, and this isn't a logging issue per se.
This was never seen in pfSense. Comparing the .conf files between both OSes shows they are the same.

Don't mind sharing the config here.

Building configuration...

Current configuration:
!
frr version 7.5.1
frr defaults traditional
hostname OPNsense
log syslog notifications
!
router bgp 65001
 bgp router-id 192.168.50.254
 no bgp ebgp-requires-policy
 no bgp default ipv4-unicast
 bgp graceful-restart
 no bgp network import-check
 neighbor 172.28.0.5 remote-as 65002
 !
 address-family ipv4 unicast
  redistribute connected
  neighbor 172.28.0.5 activate
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
!
line vty
!
end

3
Intrusion Detection and Prevention / IPS not alerting
« on: June 23, 2023, 03:53:29 am »
Coming from a pfSense box running Suricata, I know which rules would generate alerts on my network and which won't. Very consistent behavior.

Moving to OPNsense, I enabled the ruleset for UserAgents. The expectation is that when I run the following command within my Linux terminal it will generate an alert: curl -A "BlackSun" google.com
This is not occurring.
What I have done so far:
Enabled IPS mode
Enabled Suricata on my WAN interface
Using advanced mode, I placed my WAN address as part of the home network
Created a Policy which included my UserAgent rules, which is enabled and set for Alert,Drop.

Additionally, because this is running on my WAN, I enabled the SCAN rule set as I know I am being harassed on the interface. This is all for testing purposes to make sure Suricata is functioning and will be turned off in the future.
Why are alerts not generating? That's the mystery.

4
23.1 Legacy Series / FRR logs missing neighbors going down
« on: June 22, 2023, 03:19:13 am »
I am running BGP and I typically send all syslogs to my collector where I will parse the logs to generate alerts.
I noticed that BGP flaps are not producing any alerts in the logs.
For example, in my other system running pfSense here is the message I receive:

<30>Jun 19 22:12:41 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(OPNsenseFW.moore.home) in vrf default Down Peer closed the session

I am expecting to see a similar message on OPNsense but noticed that type of log is not being generated at all.
Does anyone know how to get this type of log to be created, or if it's being created?
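Added example (not code from the thread or from OPNsense/FRR): a small Python parser for the bgpd %ADJCHANGE syslog line quoted in this post and in the FRR post above, of the kind a syslog-based peer-down alerting pipeline needs. It also decodes the syslog PRI prefix into facility and severity, which is the value the posts say is unexpectedly Error on OPNsense. The sample lines are constructed to match the shape of the quoted message.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Optional syslog PRI (<30>), optional BSD timestamp, program[pid], then the FRR %ADJCHANGE body.
ADJCHANGE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) )?"
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: %ADJCHANGE: neighbor "
    r"(?P<peer>[0-9a-fA-F.:]+)(?:\((?P<desc>[^)]*)\))? in vrf (?P<vrf>\S+) "
    r"(?P<state>Up|Down)(?: (?P<reason>.*))?$"
)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass
class AdjChange:
    peer: str
    desc: Optional[str]
    vrf: str
    state: str              # "Up" or "Down"
    reason: Optional[str]   # free text after the state, e.g. "Peer closed the session"
    facility: Optional[int]  # from PRI, None when the line has no <PRI> prefix
    severity: Optional[int]

def parse_adjchange(line: str) -> Optional[AdjChange]:
    """Return an AdjChange for an FRR bgpd %ADJCHANGE syslog line, or None for anything else."""
    m = ADJCHANGE_RE.match(line.strip())
    if not m:
        return None
    pri = m.group("pri")
    # RFC 5424: PRI = facility * 8 + severity, so <30> is daemon(3) / info(6)
    facility = int(pri) // 8 if pri is not None else None
    severity = int(pri) % 8 if pri is not None else None
    return AdjChange(m.group("peer"), m.group("desc"), m.group("vrf"),
                     m.group("state"), m.group("reason"), facility, severity)

def peer_down_alerts(lines: Iterable[str]) -> Iterator[str]:
    """Yield one alert string per neighbor transition to Down; Up transitions are ignored."""
    for line in lines:
        ev = parse_adjchange(line)
        if ev is not None and ev.state == "Down":
            sev = SEVERITY_NAMES[ev.severity] if ev.severity is not None else "unknown"
            yield (f"BGP peer {ev.peer} ({ev.desc or 'no description'}) down in vrf {ev.vrf} "
                   f"[syslog severity {sev}]: {ev.reason or 'no reason given'}")

# Constructed sample log, shaped like the messages quoted in the posts.
SAMPLE_LOG = [
    "<30>Jun 19 22:12:41 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(OPNsenseFW.moore.home) in vrf default Down Peer closed the session",
    "<30>Jun 19 22:13:05 bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(OPNsenseFW.moore.home) in vrf default Up",
    "<27>Jun 19 22:13:07 ospfd[73790]: Unrelated message that must not produce an alert",
    "bgpd[73781]: %ADJCHANGE: neighbor 10.6.106.2(790-OPNsensePOC.xxyy) in vrf default Down Peer closed the session",
]
```

Feeding the collector's raw lines through peer_down_alerts gives exactly the Down events, so a missing %ADJCHANGE line on the sender shows up as silence rather than as a parse error.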

5
Zenarmor (Sensei) / ZenArmor - backend questions
« on: June 22, 2023, 02:53:41 am »
Hello all,
Still exploring Zen and I have two questions.
1. I started with MongoDB but I want to switch to another DB as I want more retention than 2 days' worth of reporting. Is there a way to keep all my policies and switch databases?

2. It's easy to test if apps or URLs are being blocked, but for malware activity or for advanced security blocking botnet CnC, how do we test that's working? What is it even looking for? Are there IPs we can try to access to see if Zen is blocking?

3. Through OPNsense the dashboard isn't as flexible as the portal. Is the online portal the best way to use Zen? Will that change soon, as I prefer to keep cloud management off the table for now?

6
Virtual private networks / VTI tunnels no longer work after system tunables set
« on: June 20, 2023, 09:15:20 pm »
Hello everyone,
Back to OPNsense from pfSense, and there is a setting available labeled experimental in pfSense, but in OPNsense it seems to require system tunables.
I have IPsec VTIs running dynamic routing. I wanted to filter on each VTI interface and create separate rules per interface. I set the system tunables as outlined in the documentation.
I can no longer ping my devices, server to server, across the tunnel. Oddly, routing comes up, and because I have a gateway assigned, dpinger is able to ping the VTI interface of the remote side. So there is some connectivity.

Any ideas how I can get my LAN-to-LAN traffic working? I have tried bouncing the VPN tunnel with no luck.

7
23.1 Legacy Series / Traffic analysis capabilities
« on: April 05, 2023, 12:17:32 am »
Hello everyone,
Strongly leaning toward going back to OPNsense from pfSense for one main reason: I need some form of basic analytics when it comes to top talkers and reporting. Right now I am hunting high-bandwidth users on pfSense and there are absolutely no good tools for reporting that info on pfSense. I see that OPNsense has a built-in NetFlow collector, which is piquing my interest greatly. How good is it?
I also see there is support for DNS sinkholing now, which is great. Can I add my custom white/black list?


8
Web Proxy Filtering and Caching / Squid roadmap
« on: February 14, 2022, 08:04:49 am »
Is anyone aware of any future development or extensibility to Squid that would enable it to be a more powerful proxy manager? I have current business needs for SSL inspection and AV scanning on some VLANs, and on other VLANs SSL inspection with content control and/or a blacklist. Based on the current implementation this is not possible.

9
Web Proxy Filtering and Caching / Random errors related to TLS
« on: February 09, 2022, 09:46:46 pm »
Hello,
I have a working proxy SSL decryption scenario running, but when I check the Cache Log I notice strange errors. Google-Fu does not work, so researching these very cryptic meanings is coming up empty.
Also I noticed that some websites such as Google.com or Youtube.com DO NOT use my OPNsense firewall certificate and instead use the certificate issued by the real CA. If this was certificate pinning I would expect the site to fail. Any ideas here?

kid1| ERROR: negotiating TLS on FD 93: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)

kid1| Error negotiating SSL connection on FD 87: error:00000001:lib(0):func(0):reason(1) (1/-1)

kid1| Error parsing SSL Server Hello Message on FD 49

10
Zenarmor (Sensei) / What is in a Web Category
« on: February 08, 2022, 03:24:39 pm »
Hello,
ZenArmor documentation doesn't mention this, but does anyone know what websites fall under the different categories? For example, what is considered "Society"? Palo Alto has a tool that you can use to identify how they classify sites, but ZenArmor documentation isn't great at all. What is considered 'Swimsuits and Underwear' but not Pornography?
This tool isn't that great and the documentation needs to be better.

11
General Discussion / OPNsense compared to turn-key solutions from other vendors
« on: February 07, 2022, 07:40:59 pm »
Hello All,
I am testing OPNsense in my lab looking to perhaps deploy this as a small/medium-sized business solution to my customers.
Curious as to what people think of OPNsense as it compares to others such as Palo Alto or Fortigate.

The biggest headache I've come across is the SSL inspection and A/V scanning. I have no option but to run in transparent mode, and there is no option to bypass all banking sites. I can use the SSL bump list, but that doesn't help if there are dozens of banking sites. Also I want to be granular, where I do SSL inspection on one interface but not on my Guest network interface. There's no way to select different policies unless I'm missing something. Same issue with ClamAV and scanning: great feature, but I don't want it running on my Guest Network and I have no choice.
Now that I am writing this, I think URL filtering has the same problem.

I've looked into ZenArmor, so that seems like a bit more of a promising solution, but I still need to investigate.

What does the community think? Is OPNsense on par with the closed-source vendors?

12
Virtual private networks / ZeroTier site 2 site
« on: January 20, 2022, 04:17:04 pm »
Hello everyone,
Got a strange issue regarding ZT and a site-to-site setup between 2x OPNsense firewalls (Protectli).
I am currently running ZT between my hosts in the cloud, my smart devices and my OPNsense firewall. Everything works flawlessly, no complaints.
The problem is when I set up my remote OPNsense with ZeroTier. I add it to my NetworkID. I make sure the routes in the cloud controller point to the remote site's LAN using the remote OPNsense ZT IP address. When I send pings, the pings go through, but after a couple of seconds the pings stop. Restarting the ZT service on the remote side, pings go through, but after a while it stops. So I know the configuration is correct because it works briefly, but the fact it stops after a few seconds is disappointing. For a quick fix I set up a WireGuard site-to-site between my sites and that has been very stable, but I prefer to keep my VPN standard everywhere I use it.
I have seen some postings on GitHub that this is an issue, as well as some Reddit posts, but I want to put something out here a bit more formal to see if anyone has come across this and what's the fix.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved