Topics

1

19.1 Production Series / [SOLVED] 19.1.7 update fails - disk full

« on: May 05, 2019, 03:18:28 pm »

Hi!

Tryingto update a 4GB Cf-card install of 386 nano (currently on 19.1.4), but after downloading all updates the install process gives "disk full" and update fails...

Any ideas?

2

19.1 Production Series / Since 19.1.5 - Reload button/F5 not function in GUI on Firefox 60.6.0ESR ?

« on: April 05, 2019, 01:24:43 pm »

Hy!

Just updated to 19.1.5 and on virtually no page of the GUI I can trigger a reload in FF. Have to load a different page and then come back...

F5 doesn't help, also reboot of client or sense is no help.

3

General Discussion / DHCP on WAN with public IP via RFC1918?

« on: April 02, 2019, 10:19:00 am »

Hy!

Setup is a cable modem (Cisco) provided by ISP, opnsense (latest) with DHCP IPv4 on WAN ("block private networks" is enabled on WAN).

I had a minor hick-up at the tunnels and therefore had a look at the General logs of the sense and found that to my surprise the DHCP for my public WAN address (no CG-NAT, IP in the 80.x.y.z range) is done via a 10.x.y.z IP on the WAN interface:

Code: [Select]

Apr 2 08:42:39 dhclient[33436]: bound to 80.xxx.yyy.zzz -- renewal in 5211 seconds.
Apr 2 08:42:39 dhclient: Creating resolv.conf
Apr 2 08:42:39 dhclient[33436]: DHCPACK from 10.0.173.52
Apr 2 08:42:39 dhclient[33436]: DHCPREQUEST on em0 to 10.0.173.52 port 67
Traceroute gives

Code: [Select]

# /usr/sbin/traceroute -w 2 -n  -m '18' -s '80.xxxx.yyy.zzz'   '10.0.173.52'
traceroute to 10.0.173.52 (10.0.173.52) from 80.xxx.yyy.zzz, 18 hops max, 40 byte packets
 1  10.190.1.66  11.226 ms  7.541 ms  7.763 ms
 2  * * *
 3  * * *
 4  213.xxx.yyy.zzz  14.084 ms  15.887 ms  15.735 ms
 5  10.20.41.71  33.475 ms
    10.20.41.69  28.584 ms  16.428 ms
 6  10.20.11.69  20.135 ms  16.666 ms
    10.20.11.71  23.914 ms
 7  10.20.12.70  21.543 ms  17.166 ms
    10.20.11.70  19.720 ms
 8  10.20.12.37  20.519 ms
    10.20.11.37  17.143 ms  17.849 ms
 9  10.0.1.113  21.072 ms  16.629 ms  19.003 ms
10  10.0.1.41  14.813 ms  15.923 ms  15.973 ms
11  10.0.1.41  15.873 ms  16.019 ms  16.052 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
Apparently this is going on for longer, oldest log is from 23. March, but maybe the log simply rotated for the GUI.

Can anybody help me understanding this setup...

4

Intrusion Detection and Prevention / DNS over HTTPS - any way to block?

« on: March 28, 2019, 03:08:12 pm »

Hi!

Is there an option in suricata to block access to DNS servers via https (e.g. via a list of DNS servers)?

Any other options for blocking DNS over HTTPS below the level of deep package inspection of HTTPS with all its implications?

5

General Discussion / 600 targets - some 500 thousand infections

« on: March 26, 2019, 08:33:06 am »

Interesting operation:

https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

Where did the 600 target MACs come from? An why did ASUS sign the update?

Something to keep in mind ;-)

6

General Discussion / openVPN with TLS 1.3 ?

« on: March 01, 2019, 05:16:36 pm »

Hy!

I found this here

https://community.openvpn.net/openvpn/ticket/1080

and tried to establish a peer-to-peer with TLS 1.3, but got the same error as reported above (19.1.1). Is TLS 1.3 in sight for 19.7? Or any plans for the nearer future?

7

19.1 Production Series / Can't reach Cron (Schedule) in GUI

« on: February 21, 2019, 09:37:53 am »

Hi!

Only way to check my Cron jobs is via

Services -> Intrusion Detection -> Administration -> Schedules

However, reaching the page in the GUI, a window pops up for a new Cron rule. If I close this window, the GUI automagically jumps to "Settings" instead of letting me have a look at the "Schedule" page.

So I can't manage the existing Cron jobs....

8

19.1 Production Series / Since 18.7.10 ? OpenVPN client resets with "disabeling NCP mode"

« on: February 20, 2019, 03:31:36 pm »

Hi again!

I first noticed this on my 19.1.1/LibreSSL (opnsense-patch 90c0c395 installed) with OpenVPN client for site-to-site doing fine for years.

Repeated resetting the connection (no useful entry in OpenVPN server log) with:

Code: [Select]

openvpn[59431]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
...and afterwards trying to reconnect. Ok, I thought, let's have a look in the logs of the second machine I upgraded to 19.1.1 LibreSSL yesterday. And there where the same errors, but starting from December 2018, i.e. where I set up the machine with 18.7.10. So the problems apparently started with 18.7.10.

Any ideas what this could mean, a quick Startpage gave me nothing conclusive (as usual with tunnels and error messages...).

9

19.1 Production Series / Revert unbound to 18.7.7 - not possible?

« on: February 15, 2019, 03:15:38 pm »

Hello again!

Have here a fresh install of 19.1.1 amd64 with LibreSSL and DNS over TLS configured. Unbound not stable under these conditions, see here

https://forum.opnsense.org/index.php?topic=7811.msg48949#msg48949


:-(

But if I try to revert unbound to the version doing fine with 18.7.x, by

Code: [Select]

opnsense-revert -r 18.7.7 unbound
I only get "Fetching unbound.txz... failed"

(while unbound is UP und running).

Is it not possible to run 19.1.1 with this old version of unbound?

___________________

Was it only a problem with Suricata (not yet) configured correctly (and therefore not starting up)? Now Unbound has been stable for quite some time.

10

18.7 Legacy Series / Interface lost with 18.7.10

« on: January 11, 2019, 11:41:55 am »

Hy!

Updated this morning to 18.7.10 amd64 with LibreSSL, some minutes ago I lost one interface, which came up again after plugging out/in the RJ45:

Code: [Select]

Jan 11 11:36:40 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 10.45.23.1) (interface: iNET[opt1]) (real interface: igb1).
Jan 11 11:36:40 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb1'
Jan 11 11:36:40 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for iNET(opt1) but ignoring since interface is configured with static IP (10.45.23.1 ::)
Jan 11 11:36:40 kernel: igb1: link state changed to UP
Jan 11 11:36:20 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for iNET(opt1) but ignoring since interface is configured with static IP (10.45.23.1 ::)
Jan 11 11:36:20 kernel: igb1: link state changed to DOWN

11

German - Deutsch / VDSL mit congstar - Wie?

« on: January 09, 2019, 09:04:29 am »

Hallo!

Im Zuge der Umstellung auf VOIP werde ich von meinem DSL-Anbieter (congstar) mit VDSL zwangsbeglückt.

Bisheriger Aufbau:

Splitter - Draytek Vigor 130 (bridged) - sense (PPPoE)

Für den Tag der Umstellung habe ich folgende Fragen:

1. Splitter MUSS weg, oder? Hat ja keine Funktion mehr...

2. Auch wenn die sense das VLAN 7 macht, MUSS trotzdem die VLAN 7 Firmware auf das Draytek, oder?

3. Ist das hier https://forum.opnsense.org/index.php?topic=7270.0 eigentlich behoben?

4. Hab ich was übersehen? :-)

Vielen Dank vorab!

12

18.7 Legacy Series / Added new floating rule - in live view wrong rules are given

« on: December 22, 2018, 03:10:37 pm »

Hi everybody!

Have here an up-to-date amd64 install I configured these days. This morning I had a look at the live view of the FW log and found that for some (not all) entries the WRONG FW rule was indicated that resulted in blocking this traffic.

I had to add a rule (Floating this time) and afterwards I had a look into live view of FW logs again. This time even more entries had the wrong FW rule listed.

Here is an example:

Code: [Select]

lan Dec 22 07:20:27 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:19 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:15 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:13 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:12 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs

As can been seen, the port does not match to the description of the FW rule which caused the block. And I have more of this in my list. Is there any known bug in parsing the "decription" of the FW rules to the live view?

13

18.7 Legacy Series / Scheduled BLOCK rule - Will states be killed?

« on: December 21, 2018, 09:50:16 am »

Hello again!

I have scheduled BLOCK rules (not Allow rules!) and would like to know, if the states are killed automagically when the block rule kicks in.

Is there anybody who could enlighten me? :-)

For scheduled ALLOW rules I guess the states will be killed when the permited interval is over, or?

14

18.7 Legacy Series / Cron job - Reset states- How?

« on: December 20, 2018, 03:19:23 pm »

Hi again!

From time to time I have to reset the states with a simple

Code: [Select]

/sbin/pfctl -F state
via Cron.

However, I don's see any "free text" option for Cron under "System"-"Settings"-"Cron".

Is it possible to create an arbitrary Cron job and switch the <command> in the config.xml to make this work?

15

18.7 Legacy Series / Block private on WAN- How to stop logging?

« on: November 19, 2018, 09:44:09 am »

Hello again!

Have a broadcast spammer with a private IP on my Wan address (with a public IP...) and would like to stop logging this, as it's flooding my firewall log.

Editing this rule is not possible in GUI, as you get redirected to the interface, where the only option is to turn on/off. Any other options from command line or editing the confing.xml? :-)

Many thanks in advance...