Topics - Martinezio

1
22.1 Legacy Series / Intrusion detection filter logs are filling disk.
« on: June 15, 2022, 05:00:50 pm »
Hi.

How can I manage filter logs from IDS (those written at /var/log/filter directory)?
Is there any possibility to add some gzip or bzip2 function to log rotation? In my installation, every daily file is around 5GB in size and this quickly fills up the entire disk. I've now limited it to keep only 3 files, but it's not comfortable. Compressing those files would save a lot of space, as they are simple txt files...

Thanks a lot in advance for any hint :) I couldn't find any configuration for this :/

2
22.1 Legacy Series / 22.1.6 failed to check updates.
« on: June 01, 2022, 12:15:06 pm »
Hi.

I'm trying to check updates on my setup running 22.1.6 version, but it fails:

Quote
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1.6 (amd64/OpenSSL) at Wed Jun  1 12:05:57 CEST 2022
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Can anyone assist in resolving the issue?
Many thanks in advance :)

Martin.

3
20.7 Legacy Series / VMWare vmxnet3 drivers and VLANs...
« on: November 02, 2020, 09:54:23 am »
Hi :)

I saw last time, that there is some issue with VLANs using VMXNET3 network interface.
Only the first created VLAN is working. The next VLANs aren't detected at all, even after reboots.
Hardware offload is disabled.

For now, I've bypassed this by creating physical interfaces instead, but this is not the way I want, because I can't add new network interfaces on-line to OPNsense and adding them offline can destroy all previous network assignments.
I know, that I can use E1000E adapter type, but this limits the traffic to 1Gbps.

What is current status of vmxnet3 drivers for OpnSense? Is there any work in progress for them?
Thanks in advance for any reply :)

4
20.7 Legacy Series / IPSec keepalive
« on: November 02, 2020, 09:46:24 am »
Hi :)

Is it possible to keep alive IPSec tunnels for networks that OPNsense is not a member of (meaning: has no network interface in them)...
Or something that forces to restart the IPSec tunnel, when SP is expired due to no traffic.
I have one site-to-site tunnel with 3 different "local" networks being routed over to 1 common remote.
2 of those "locals" are in fact remote for this OPNsense router and I can't assign a new interface so that OPNsense is a part of those networks. On the other side is a FortiGate router, which requires isolation of each 2nd phase tunnel, and we had a lot of problems configuring those tunnels. Now they are working, but only as long as the 2nd phase lifetime is defined (3600 sec). After that time the SP expires and is removed from the list, so the network is not routable anymore...

Is there any way to keep those tunnels alive?

5
18.1 Legacy Series / Schedule activation of inactive firewall rule.
« on: April 27, 2018, 04:01:52 pm »
Hello :)

Long time no words from me... But now I'm facing a problem - how big, this is the question ;)

Little background:
My company is serving an internet access to some clients. Clients are changing, so the agreements are starting and ending.

Problem:
Sometimes, the end date is on some weird date, which collides with my holiday plans, for example ;)

Question is:
- is there any way to schedule the activation of an inactive rule in the firewall? This would allow me to create in advance, for example, a rule to drop packets from that client and start my holidays without being disturbed ;)

Thanks for any hint or clue in this matter ;)

Cheers,

Martin.

6
17.1 Legacy Series / flowd.log location.
« on: February 09, 2017, 11:53:29 am »
Hello :)

Is it possible to parametrize the flowd.log location in the upcoming versions of OPNsense? ;)

This will allow the user to move it to their own location (i.e. to a bigger disk), as it is growing constantly and can fill the whole available space on disk...

Thanks in advance :)

Best regards,

Martin.

7
17.1 Legacy Series / Using acme.sh
« on: February 03, 2017, 01:00:36 am »
Dears,

I've just moved my installation to 17.1 (went smooth and easy, thx) to have this acme.sh script and to request Let's Encrypt cert for ssl.

But how to configure this script and how to use it? I've created some config, but I don't know if it is valid. Logs are saying that issuing the new cert was successful, but I do not see this cert anywhere...

Little help? ;) Thx in advance.

Best regards,

Martin.

8
16.7 Legacy Series / Certbot - new feature request.
« on: January 30, 2017, 01:38:20 pm »
Hello :)

I would like to ask You, Team, if You would be so kind as to port a python library called py27-certbot into OPNsense.

This library and tool comes from EFF organisation, and is used for managing certificates from Let's Encrypt organisation, which can be used for HTTPS communication.

EFF's Certbot is available in ports for FreeBSD: https://certbot.eff.org/#freebsd-other
but is not available within OPNsense (or I cannot install it with simple pkg install py27-certbot).

Thank You in advance for any help with this subject :)

Best regards,

Martin.

9
16.7 Legacy Series / Automation using API.
« on: October 31, 2016, 01:47:15 pm »
Dears,

is there any comprehensive documentation of the API of OPNsense?

I would like to make some automation integrated with our billing system and in case of no payment (for example) I want to limit the speed of the client's interface.
In the online documentation there is only an example of how to upgrade firmware, but this is too little information about available commands/methods, and so on...

Thanks in advance for Your help :)

(2Mod: if this question should be placed on other forums, please feel free to move it appropriately).

10
16.1 Legacy Series / [SOLVED] Dashboard empty - opnsense 16.1.16
« on: June 16, 2016, 10:07:12 am »
Hi.

After upgrading from an earlier version (if I remember correctly it was 16.1.5) to the recent 16.1.16 my dashboard got empty. When I click on "Add widget" I see all items, but when I click on the chosen widget to be added, it disappears, the orange "save" button highlights, but nothing shows up on the dashboard.

What can be done to fix it? Cookies?

Thx in advance for any hint...

11
16.1 Legacy Series / Autobackup configuration to SCP/SFTP server.
« on: May 16, 2016, 04:47:30 pm »
Hi :)

Is it possible to create an automatically occurring backup of the OPNsense configuration to an SCP/SFTP server?
Currently, there is only automated backup onto Google Drive, which is not the best way in my opinion ;)

The solution can be triggered from OPNsense itself (even from the internal crontab), but also from an external server by downloading the configuration XML using some fancy script ;)

Can I use for this an API key generated for special user? How?

Thx for any hint how to do this.

Best regards!

12
16.1 Legacy Series / [SOLVED] High CPU usage.
« on: April 13, 2016, 12:03:13 pm »
Hi.

We have noticed that a couple of days after upgrading OPNsense to the current production version, the CPU starts to be eaten by something in user space. Process monitor says that mostly it is consumed by php-cgi, but CPU usage on those processes is no more than 3% (there are about 5 of them). But the top command says that the CPU is used at 100%, with over 60% taken by user, about 1% for interrupt and the rest for system. Usage in user space varies between 60-80%.

My installation is working on a VMware hypervisor (ESXi 5.5) with 1 vCPUs (Xeon X3430 @2.4GHz). Currently running OPNsense 16.1.7.

What can be done to solve this issue? Thx in advance for any info and hint.


13
16.1 Legacy Series / [SOLVED] Cleaning up interfaces used in health monitoring (quality).
« on: March 24, 2016, 09:48:52 am »
Hi :)

Some time ago I changed gateways on my system. Two old ones have been removed and three new ones have been added.
Now, when I go to the Health monitoring subsystem and enter the "Quality" page, I still see those old interfaces and don't know how to remove them from my system.
On "Gateways" subsystem there is nothing related to those old interfaces anymore.

Can someone from You help me a bit with that? ;)
Thx in advance for every hint.

Cheers!

M.

14
16.1 Legacy Series / [SOLVED] RRD tool discontinued... But what else?
« on: March 04, 2016, 09:44:19 am »
Hi.

After upgrading to the current production version I've noticed that RRD graphs are missing. Why? It was (at least for me) a very important tool to monitor behaviour in my network :( Now the only possibility is to look at traffic graphs, but they don't keep historical data.

Is it possible to add something like the RRD tool again to OPNsense? Or is it possible to acquire such data for external analysis on other hosts?

Thanks in advance for every hint and solution.

15
15.7 Legacy Series / [SOLVED] "After-upgrade reboot required" indicator.
« on: August 03, 2015, 05:10:54 pm »
Hi Guys :)

Is it possible to incorporate into production some indicator, if there will be a reboot necessary after upgrade, which will be visible _before_ clicking "Upgrade" button?

I think this will be very helpful for those system admins, which manages critical services, or important customers.
When no reboot is required, means no service will be disrupted during upgrade process (or the disruption is involved only with simple reloading services with duration of couple of seconds) and thus it can be performed at any time. Opposing this - upgrades with reboot requirements can be postponed until the lowest influence time range.

TYVMIA :)

Cheers!
