Topics - Deathmage85

#1
Hello,

root@firewall1:~ # opnsense-version
OPNsense 25.1.11 (amd64)


I can't seem to get past this issue with the Main dashboard; it seems the widgets are causing a PHP loop that is pegging my CPU at 100%:

Here is the top -SH dump:

last pid:  2502;  load averages: 18.75,  6.95,  2.82                                                                                                                    03151:23:06:58  36 running, 250 sleeping, 29 waiting
CPU: 98.0% user,  0.0% nice,  2.0% system,  0.0% interrupt,  0.0% idle
Mem: 5858M Active, 4870M Inact, 3206M Wired, 637M Buf, 17G Free
Swap: 10G Total, 10G Free

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
46478 root        101    0   117M    85M CPU6     6   0:07  64.58% php
47835 root         68    0   121M    88M piperd   4   0:10  60.97% php
92555 root         99    0   113M    80M RUN      7   0:04  47.68% php
33251 root        102    0   165M   129M RUN      4   0:10  43.04% php
97776 root         97    0   119M    77M RUN      5   0:02  42.44% php
82542 root        103    0   117M    85M RUN      5   0:06  39.67% php
94243 root         99    0   113M    79M CPU7     7   0:04  36.66% php
57773 root         68    0   217M   169M select   4   0:10  26.23% php
48910 root         97    0   117M    84M RUN      0   0:07  25.51% php
47339 root         97    0   117M    84M RUN      2   0:07  24.04% php
79294 root         97    0   115M    81M RUN      0   0:05  23.93% php
78748 root         97    0   113M    81M CPU0     0   0:05  23.63% php
84494 root         96    0   111M    79M RUN      1   0:03  22.56% php
81368 root         96    0   113M    80M RUN      3   0:04  22.54% php
42735 root         98    0   117M    85M RUN      3   0:08  22.26% php
47253 root         97    0   117M    85M RUN      1   0:07  21.72% php
50218 root         97    0   115M    83M RUN      1   0:06  21.72% php
91636 root         94    0   109M    77M RUN      2   0:02  21.72% php
83427 root         96    0   111M    79M RUN      3   0:03  21.58% php
93904 root         96    0   119M    78M RUN      1   0:03  20.80% php
37465 root         97    0   119M    87M RUN      0   0:09  20.25% php
82481 root         97    0   113M    80M RUN      3   0:04  20.11% php
58274 root        103    0   165M   130M RUN      5   0:10  19.64% php
95345 root         92    0   107M    74M RUN      0   0:01  19.46% php
91112 root         95    0   111M    79M RUN      2   0:03  18.21% php
79491 root         96    0   113M    81M CPU2     2   0:04  16.47% php
85055 root         21    0   223M   182M kqread   2   0:01   2.29% python3.11
 1977 root         20    0    99M    67M select   4   0:01   1.93% php-cgi
11076 root         20    0    10G  6631M uwait    4   0:00   0.31% suricata{FM#01}
  364 root         68    0   258M   120M accept   4   0:00   0.15% python3.11{python3.11}
48606 root         20    0    17M  4720K CPU1     1   0:00   0.14% top
11076 root         20    0    10G  6631M nanslp   7   1:43   0.12% suricata{suricata}
    0 root        -60    -     0B  1296K -        4   0:00   0.11% kernel{if_config_tqg_0}
    0 root        -60    -     0B  1296K -        2   0:00   0.09% kernel{if_io_tqg_2}
    0 root        -60    -     0B  1296K -        0   0:00   0.08% kernel{if_io_tqg_0}
11076 root         20    0    10G  6631M select   4   0:01   0.07% suricata{W#01-igc0}
18091 root         20    0    45M    16M kqread   1   0:00   0.07% syslog-ng{syslog-ng}
    0 root        -60    -     0B  1296K -        6   0:00   0.06% kernel{if_io_tqg_6}
97990 root         20    0    23M    11M kqread   3   0:00   0.06% lighttpd
11076 root         20    0    10G  6631M select   4   0:00   0.05% suricata{W#04-igc0}
70739 root         20    0    28M    14M select   4   0:00   0.04% python3.11
11076 root         20    0    10G  6631M select   4   0:00   0.03% suricata{W#03-igc0}
11076 root         20    0    10G  6631M select   4   0:00   0.03% suricata{W#02-igc0}
    8 root        -16    -     0B    48K psleep   4   0:00   0.03% pagedaemon{dom0}
    2 root        -60    -     0B   128K WAIT     0   0:00   0.03% clock{clock (0)}
23582 root         20    0    20M  8860K select   2   0:00   0.02% sshd-session
18091 root         20    0    45M    16M kqread   7   0:01   0.02% syslog-ng{syslog-ng}
11076 root         20    0    10G  6631M select   2   0:00   0.02% suricata{W#04-igc0^}
54398 root         20    0    14M  2616K bpf      4   0:00   0.02% filterlog
11076 root         20    0    10G  6631M select   4   0:00   0.02% suricata{W#01-igc0^}
11076 root         20    0    10G  6631M select   0   0:00   0.02% suricata{W#03-igc0^}
    6 root        -16    -     0B    16K pftm     4   0:00   0.02% pf purge
11076 root         20    0    10G  6631M select   4   0:00   0.02% suricata{W#02-igc0^}
    0 root        -60    -     0B  1296K -        7   0:00   0.02% kernel{if_io_tqg_7}
   17 root         20    -     0B   144K sdflus   4   0:00   0.01% bufdaemon{/ worker}
    0 root        -60    -     0B  1296K -        5   0:00   0.01% kernel{if_io_tqg_5}
18091 root         20    0    45M    16M kqread   6   0:01   0.01% syslog-ng{syslog-ng}
    7 root        -16    -     0B    16K -        6   0:00   0.01% rand_harvestq
69544 root         20    0    27M    14M select   2   0:00   0.01% python3.11
30866              20    0    13M  2180K select   4                powerd

I thought it was maybe the Zenarmor and Suricata, but this has only started happening since I upgraded to the latest firmware.

Anyone else running into this problem?

Do the devs know how to correct this issue?
#2
25.1, 25.4 Legacy Series / MFA for OPNsense GUI
June 01, 2025, 05:29:03 PM
Hello,

Is there a way right now to enable MFA for the OPNsense GUI, or are there plans for MFA for the GUI in future firmware releases?

Like I'm looking for a way to enable Microsoft Authenticator, Google Authenticator, Duo MFA, or if all else fails Yubikey (but that would require physical access to the firewall, which is hard for remote firewalls, so hopefully one of the first 3 options).
#3
Hello,

does anyone know how to reset the Suricata alerts page if I curiously changed the view to 5000 but now it's been hung on "processing request"? I can't seem to do it in the interface by setting it back to the default 7 results or even 1000 (it seems stable at 1000), and I'm not finding a setting on Google on how to reset it via command line.

Have others run into this issue in the past and gotten around it?
#4
Hello,

I've deployed OPNsense 25.1.1 to a Protectli 2 port vault (I'm using a persistently configured USB 3.0 NIC for management), and I placed the LAN and WAN in a bridge. I've enabled promiscuous mode and set IPv4 & IPv6 to none.

I've set the firewall to have an 'inbound any any any any' rule and also placed an 'inbound udp any to 255.255.255.255 over port 67' rule for DHCP leases from the Arris modem. I've placed the DHCP rule above the any any any any rule.

Right now, even with enabling a lot of the Advanced firewall settings (Static route filtering, Disable reply-to, and Firewall Optimization set to conservative), minus disabling the firewall itself, I still can't get the OPNsense to simply be in 'inline' mode and to simply 'monitor' the traffic that flows through the bridge, as the default deny rule blocks everything.

Does anyone know how to effectively stop the firewall from using the default deny firewall rule and only let the Suricata IPS block based on detection(s) defined in the rulesets while allowing DHCP traffic to issue an IP to an upstream OPNsense firewall and for non-nefarious traffic to otherwise flow from the ISP modem to the 1st tier firewall without restrictions?

One key setting I found in past deployments of OPNsense that I can't seem to find in 25.1.1 is: "Disable stateful filtering for bridge interfaces"; does anyone know where this moved or morphed into?

I did find two tunables called "net.link.bridge.pfil_bridge set to 0 && net.link.bridge.pfil_member set to 0", but it seems the default deny, as mentioned, is still blocking, so what gives? O.o

Goal: get Suricata on this 2 port vault in transparent IPS mode, and then on the upstream firewall enable Zenarmor on the WAN port. Effectively offloading the IPS to a dedicated box.
#5
Hello all,

Introduction: I've been in IT for 15 years, but have been tinkering with networking since I was 8 years old in the 1990's. I'm an MCSE x4, CCNA, CCNP, VCAP5-DCA, VCP5-DCV/NV, VCP6-DCV/NV, VCP7-DCV, CompTIA: A+, N+, Sec+, Stor+, Linux+, CySA+, CASP+; AZ-103/104, AZ-305, AZ-500, AZ-700, MS-203, MS-100/101, MS-500, SC-200, SC-300, SC-400, SC-100, CISSP, CISM. I have an extensive 42U server rack for all my hobbies and toys. I admit to being a life learner that knows nothing, and even with all that I know, I know that I still know nothing. I will happily admit to not knowing something. I'm hoping one of you can find an error in my configs that I'm missing for this problem. Thank you again for helping me. ^_^

The problem has been resolved.

#6
General Discussion / FRR plugin is at version 1.42..
February 01, 2025, 08:01:35 AM
Hello,

New to OPNsense.

I've been running into OSPF neighbor relationship problems for over a week and have been hammering at this to get it to work with a Netgear and Cisco switch topology.

I've been a CCNA since 2005, and nearly all of my networking at home is based on the Cisco-CLI.

I presently have a Sophos XG firewall as my edge connected to a Netgear M4300 switch that is dishing out OSPF for layer 3. Right now it's working correctly and has been for the past 5+ years.

I recently purchased a Protectli VP6630 firewall and deployed OPNsense on the vault.

Right now, I cannot for the death of me get the OPNsense to form an OSPF neighbor relationship with the Netgear M4300. I know it's not the switch because it forms correctly with the Sophos XG firewall.

On my M4300, all of the interfaces sent from the OPNsense show up, but they settle on 'Init/BACKUP-DR' for the native vLAN and 'Ex Start/DR-OTHER' on the other vlans.

I've set the MTU on the OPNsense side to 1500 and also forced an MTU of 1500 on the Netgear side via CLI. The Netgear is presenting the vLAN's to the OPNsense via "switchport mode trunk | switchport trunk allow vlan 1, 200, 300 | ip mtu 1500 | ip ospf area 0".

The Hello intervals are 10, and dead intervals are 40 on both ends. The interface for OSPF is set to broadcast, and I've tried all of the AAA types, and am just using none for AAA right now.

I'm using the auto-deployed OSPF rules, but I did try disabling the auto rules and manually creating OSPF Multicast, UDP, and IGMP Multicast rules (all 3 of them as inbound/outbound), so 6 rules in total for all OSPF-enabled interfaces on the OPNsense.

I'm honestly stumped right now and not sure why the FRR is not working.

If anyone has had this problem and knows how to get around it, please let me know.

Note: I tried to disable the firewall under the Advanced settings as I found in an OPNsense forum article, but it didn't fix the problem under the latest build.

I noticed on the FRR website that they manage a GitHub; the latest stable build of FRR is 10.2.1, but the plugin the OPNsense can fetch is 1.42 from March 4th 2017. Is there any reason the OPNsense is using an 8 year old plugin for routing?