Topics - alex_62450

#1
Hi,

Sharing an issue about the os-realtek-re plugin uninstall/reinstall and a question about its configuration please.

Some stability issues with Realtek NICs have reoccurred around the end of June, but seemed improved or gone after 25.7. These issues have become frequent again recently so I thought to rebaseline the driver, i.e. uninstall the os-realtek plugin, and then reinstall it.

Interestingly, this action didn't seem to harm connectivity of the Realtek NICs directly but the only Intel on the LAN couldn't see the (Realtek) interface on the other end, which wasn't visible in the ARP table and impossible to ping from OPNsense.

However, once uninstalled, the Realtek plugin couldn't be seen on the plugin list in the GUI (please see screenshot), where it wasn't possible to reinstall it. Having tried a different repo, same thing: the plugin still wasn't visible in the GUI.

From the CLI, the package can be seen on the repo and could then be installed (from the CLI): a message at the end of the install points at two parameters to be added in /boot/loader.conf - the latter config file pointing at /boot/loader.conf.local or the Tunables tab in the GUI System section, where the two parameters have been added.

Once reinstalled from the CLI, the Realtek package could be seen again in the GUI, within the list of plugins, but it appeared as "misconfigured", although OPNsense had been rebooted, as stated in the info on the package in the CLI (and in addition to the two parameters already set). Tried to reboot again and power off/on, but the status of the package in the GUI remains "misconfigured".

Could you please advise what should be done then to resolve this misconfigured status, knowing that the bootloader conf file now includes the two parameters due to be changed?

Many thanks,

Alex
#2
Hi the OPNsense community,

In Services > Intrusion Detection > Administration, the GUI enables the user to make a number of configuration changes and there are additional settings too that can be configured in the file suricata.yaml.

The OPNsense documentation speaks about suricata.yaml and, to add additional changes, there is another configuration file, custom.yaml.
https://docs.opnsense.org/manual/ips.html

The question is: what are the possible practices - or advice - to make these additional settings changes in Suricata?

I have tried the following:
- In addition to the parameters that can be managed directly from the GUI, I edited the suricata.yaml file directly, but at boot the changes are erased to keep only the ones input from the GUI;
- to test the custom.yaml configuration file, I copied in there the full suricata.yaml including the wished changes. Although that suricata.yaml worked when used as the main configuration file, it didn't work as custom.yaml.

For instance, I am wondering about the possibilities to:
- keep an updated suricata.yaml even after reboot ?
- additional info about how to use the custom.yaml ?
- any other thoughts / ideas about this topic ?

Many thanks!
#3
Hi to the OPNsense community,

Disclaimer: this is a redirect/repost from a post I made about IPS in the general production series, while there is in fact a specific forum for IPS, hence putting it in the proper place :)

OPNsense runs in my home lab with IDS/IPS enabled, and I regularly check alerts in Services > Intrusion Detection > Administration - Alerts tab.

The question is: is there a way to monitor IDS/IPS stats in the GUI, i.e. to get an overview?

For instance, checking log files (/var/log/suricata), I could recently notice, on some specific days, a very unusual number of entries logged, repeating "error reading netmap data via polling: No buffer space available". However, I don't know if there is a way to monitor such stats from the GUI.

In the present case, the high number of buffer error messages (for a home lab) has also probably disabled the protection provided by IPS, as the number of other sorts of messages is much below the normal order of magnitude for daily logs.

By the way, there is another issue: having previously looked at the overall free space on disk with the df command, the output doesn't reflect the actual (and abnormal) size of the Suricata logs; it seems that the correct information is provided with ls when querying the log folder such as for Suricata.

Many thanks,
#4
Hi to the OPNsense community,

OPNsense runs in my home lab with IDS/IPS enabled, and I regularly check alerts in Services > Intrusion Detection > Administration - Alerts tab.

Is there a way to monitor IDS/IPS high level stats in the GUI?

For instance, checking log files (/var/log/suricata), I could recently notice a very unusual, high number of entries logged, repeating "error reading netmap data via polling: No buffer space available". However, I don't know if there is a way to monitor such stats from the GUI.

Many thanks.
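As an added example that is not part of the posts above (#3 and #4), the per-day overview the poster asks for can be produced offline from the Suricata text log: count how often the "error reading netmap data via polling: No buffer space available" message repeats per day and flag days where it dominates. The sample log lines are constructed, and the "d/m/Y -- H:M:S - <Level> - message" layout is an assumption; it depends on the default-log-format configured in suricata.yaml.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of /var/log/suricata/suricata.log lines (assumed layout:
# "d/m/Y -- H:M:S - <Level> - message"; adjust LINE_RE if your layout differs).
SAMPLE_LOG = """\
1/7/2025 -- 08:00:01 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
1/7/2025 -- 09:12:44 - <Error> - error reading netmap data via polling: No buffer space available
1/7/2025 -- 09:12:45 - <Error> - error reading netmap data via polling: No buffer space available
2/7/2025 -- 03:30:10 - <Error> - error reading netmap data via polling: No buffer space available
2/7/2025 -- 03:30:10 - <Error> - error reading netmap data via polling: No buffer space available
2/7/2025 -- 03:30:11 - <Error> - error reading netmap data via polling: No buffer space available
2/7/2025 -- 03:30:11 - <Error> - error reading netmap data via polling: No buffer space available
3/7/2025 -- 10:00:00 - <Notice> - signal received, stopping
"""

NETMAP_ERR = "error reading netmap data via polling: No buffer space available"
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}) -- \d{2}:\d{2}:\d{2} - <(\w+)> - (.*)$")


def daily_counts(log_text):
    """Return {ISO date: {"netmap_errors": n, "other": m}} for each day seen."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than guess
        day, _level, msg = m.groups()
        iso_day = datetime.strptime(day, "%d/%m/%Y").date().isoformat()
        key = "netmap_errors" if msg == NETMAP_ERR else "other"
        per_day[iso_day][key] += 1
    return {d: dict(c) for d, c in per_day.items()}


def noisy_days(log_text, threshold=3):
    """Days on which the netmap buffer error repeats at least `threshold` times."""
    counts = daily_counts(log_text)
    return sorted(d for d, c in counts.items() if c.get("netmap_errors", 0) >= threshold)


if __name__ == "__main__":
    for day, c in sorted(daily_counts(SAMPLE_LOG).items()):
        print(day, c)
    print("days over threshold:", noisy_days(SAMPLE_LOG))
```

To run it against a real file, pass `open("/var/log/suricata/suricata.log").read()` instead of `SAMPLE_LOG`.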
#5
Hi to the OPNsense community,

I am using OPNsense as a home lab, in the following basic setting:

      Internet access ===> OPNsense 25.1 ==> LAN

After upgrading to OPNsense 25.1, there were some connectivity issues on the LAN interface (instability), which some other users experienced and this made me have a closer look at the LAN interface.

This is how I noticed connections going from the firewall to port 22 on the LAN. These connections - or rather attempts, allowed by automatic rules ('let anything out from firewall host itself') - suggest use of SSH, as the protocol was TCP.

Please see the attached screenshot from the live view in the firewall logs: the connections are leaving the LAN interface, from OPNsense to the computer on the LAN.

I tried to find out if there is any legitimate service on OPNsense 25.1 that could be making this kind of activity; could anyone share any thoughts or advice, please?

Many thanks.