Messages - joeyboon

1
Intrusion Detection and Prevention / Re: IPS mode destroying IPv6
« on: August 19, 2022, 12:15:45 pm »
Anyone else that still has issues? Hopefully someone has been able to fix it.

2
Hardware and Performance / Re: Possible hardware issue any suggestions?
« on: August 19, 2022, 12:12:58 pm »
Switching to ZFS did not help and the power supply seems fine when I monitor voltage levels. I ended up swapping the SSD, which up until now has worked! :) Hopefully that was the issue. 

3
Intrusion Detection and Prevention / Re: IPS mode destroying IPv6
« on: August 10, 2022, 08:16:26 am »
Hi Sunmast,

I'm wondering if you ever found a solution. I'm still experiencing the same problem. I used to use IPS on my LAN interface (with VLANs) but this broke when I upgraded. I switched off IPS, since I did not have the time to troubleshoot at the time. As soon as I turn it on the interface switches off. I also have hardware offloading disabled and selected the physical interface. Hopefully you managed to solve this! :)

4
Hardware and Performance / Re: Possible hardware issue any suggestions?
« on: August 09, 2022, 11:35:21 am »
Thanks for the suggestion. I installed with UFS. After talking to some friends I reinstalled with ZFS and replaced the UPS. Let's see if it was a power issue. If that does not work I'll check the power supply.

5
Hardware and Performance / Possible hardware issue any suggestions?
« on: August 07, 2022, 07:38:15 pm »
Hi,

I'm currently experiencing (I think) some hardware issues. My machine freezes and is fine after a reboot. Since everything is frozen the only error messages I get are what's on screen when the machine dies (there is nothing in the logs).

At first I thought it was the SSD, but SMART statistics look fine.



Since I thought it could be the SATA cable I replaced the SATA cable and used a different connection on the motherboard. But the problem only seems to be getting worse. At first the machine only froze once a week, now I'm down to daily issues. These are the error messages from two different occasions:






The specs of my software and machine
Software version:
OPNsense 22.4.3_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1q 5 Jul 2022

Hardware:
Motherboard: Asrock Rack X470D4U
Processor: AMD Ryzen 5 3500X
RAM: Kingston KSM26ED8/16ME
SSD: Intel DC S3520 2,5" 480GB

All suggestions are welcome since I find the issue really hard to troubleshoot.


6
21.7 Legacy Series / Re: 4G fallback fails once a day
« on: January 24, 2022, 04:15:24 pm »
The issue seems solved! The combination of using the supersede subnet-mask option with the correct netmask for my provider and connecting the modem directly to the router (instead of the switch with a separate VLAN) solved all issues.

7
21.7 Legacy Series / Re: 4G fallback fails once a day
« on: January 22, 2022, 05:08:29 pm »
Hi,

Sure! First log in to your LB2120 (default IP is 192.168.5.1 and password is located on the back). Go to Settings -> Advanced -> LAN and select bridge.



I had a horrible time when I connected the device to the wrong port of my switch and created a DHCP battle between my router and this modem ;) So connect the LB2120 to a port of your router (or switch if you know what you're doing) that is not in use.

Then (in OPNsense) go to Interfaces -> Assignments and select the port you connected the LB2120 to. Give it a name, for example WANfailover. Press the plus sign.

Next click on the new interface. Enable the interface and check the Prevent interface removal option. In my case (I use T-Mobile NL) my provider does not use CGNAT (thank god), so I can also block private and bogon ranges. I then select DHCP and save the interface. 



Your interface should get a public IP assigned. And you can test if it works at Interfaces -> diagnostics -> ping and select the new interface and ping 8.8.8.8 for example.

Finally under system -> gateways -> single -> I selected the new gateway and changed the monitoring address to something useful. I also changed the priority to 255 (so my router will not select this gateway over my regular one with priority 254).

That's it! Depending on how you want to use the new connection you now have to create a gateway group etc.

PS: Today I added a network card to my router in order to connect the modem directly to my router. Before it was on a separate VLAN via the switch. I'm hoping this will solve my issue...

8
Tutorials and FAQs / Re: [HowTo] - PPPoE, VLAN & RFC4638
« on: January 21, 2022, 01:52:01 pm »
Thanks! This post made me realize I needed to enable the physical interface in order to change the MTU to 1508 (in my case). I thought I already implemented RFC4638 by changing the settings on the WAN interface (VLAN). Thanks again!

9
21.7 Legacy Series / Re: OPNsense Security vulnerabilities site
« on: January 11, 2022, 06:52:36 pm »
My guess (because I don't actually know) is that they just cross reference the installed packages with the publicly available CVE database and that they don't run a server themselves. But maybe someone else can enlighten us ;)

10
21.7 Legacy Series / Re: OPNsense Security vulnerabilities site
« on: January 11, 2022, 05:58:11 pm »
You can run a security scan on any OPNsense system under system -> firmware -> status -> run an audit -> Security. It will tell you the CVEs affecting your current system. For example mine gave me the following output:

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.10.1 (amd64/OpenSSL) at Tue Jan 11 17:57:29 CET 2022
vulnxml file up-to-date
nss-3.72 is vulnerable:
  NSS -- Memory corruption
  CVE: CVE-2021-43527
  WWW: https://vuxml.FreeBSD.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html

ruby-2.7.4,1 is vulnerable:
  rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
  CVE: CVE-2021-41817
  WWW: https://vuxml.FreeBSD.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html

  rubygem-cgi -- buffer overrun in CGI.escape_html
  CVE: CVE-2021-41816
  WWW: https://vuxml.FreeBSD.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html

  rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
  CVE: CVE-2021-41819
  WWW: https://vuxml.FreeBSD.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html

4 problem(s) in 2 installed package(s) found.
***DONE***

Is this what you are looking for? :)
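
As an added example (not part of the original post and not OPNsense code): a small Python parser for the audit output format quoted above. It groups CVEs per package and uses the summary line to detect truncated or incomplete output before the result is fed into alerting. The sample is the post's output with the WWW lines dropped; the function names are illustrative.

```python
import re

# Constructed sample: the audit output quoted in the post, WWW lines dropped.
SAMPLE = """\
nss-3.72 is vulnerable:
  NSS -- Memory corruption
  CVE: CVE-2021-43527

ruby-2.7.4,1 is vulnerable:
  rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
  CVE: CVE-2021-41817

  rubygem-cgi -- buffer overrun in CGI.escape_html
  CVE: CVE-2021-41816

  rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
  CVE: CVE-2021-41819

4 problem(s) in 2 installed package(s) found.
***DONE***
"""

PKG_RE = re.compile(r"^(\S+) is vulnerable:$")
CVE_RE = re.compile(r"^\s+CVE: (CVE-\d{4}-\d+)$")
SUMMARY_RE = re.compile(r"^(\d+) problem\(s\) in (\d+) installed package\(s\) found\.$")

def parse_audit(text):
    """Return (findings, declared); declared is (problems, packages) or None."""
    findings, pkg, declared = [], None, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            pkg = m[1]  # following indented entries belong to this package
        elif m := SUMMARY_RE.match(line):
            declared = (int(m[1]), int(m[2]))
        elif (m := CVE_RE.match(line)) and findings:
            findings[-1]["cves"].append(m[1])  # an entry may list several CVEs
        elif pkg and line.startswith("  ") and " -- " in line:
            findings.append({"package": pkg, "title": line.strip(), "cves": []})
    return findings, declared

def is_complete(findings, declared):
    """False when the summary line is missing or disagrees with what was parsed."""
    packages = {f["package"] for f in findings}
    return declared == (len(findings), len(packages))

if __name__ == "__main__":
    found, declared = parse_audit(SAMPLE)
    print(*found, sep="\n")
    print("complete:", is_complete(found, declared))
```
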

11
21.7 Legacy Series / Re: ACME Client Drops WAN Connection
« on: January 06, 2022, 08:33:33 am »
Hi,

I've managed to solve the issue by reinstalling the plugin and adding everything in the same way I did last time. So no idea why it broke in the first place. It instantly worked again. I used this guide: https://www.youtube.com/watch?v=IR41duTqN6Y

I changed nothing to the external DNS records, so it definitely was a problem on the local system.

12
21.7 Legacy Series / Re: ACME Client Drops WAN Connection
« on: December 28, 2021, 08:21:50 am »
Hi @Fright,

Quote from: Fright on December 20, 2021, 08:22:16 pm
so if you try
curl https://acme-v02.api.letsencrypt.org/directory
in shell it works?
can you try "Forcefully issue or renew" in this case?

In shell this returns:

{
  "DFkTnKbE2ms": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"

So that seems to be also working fine. I tried forcefully renewing already through the GUI, this resulted in the same problem.

13
21.7 Legacy Series / Re: ACME Client Drops WAN Connection
« on: December 19, 2021, 08:53:10 pm »
Hi @fright

DNS is set correctly and propagated.

14
21.7 Legacy Series / Re: ACME Client Drops WAN Connection
« on: December 19, 2021, 11:35:13 am »
Hi,

Same issue here on:

OPNsense 21.10.1-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021
ACME Client plugin:    3.4

During cert renewal the timeout causes all connections to be dropped. So there seem to be two issues. Cert not properly renewing and connections being dropped during the process.

ACME log:
2021-12-19T11:11:29   acme.sh[44099]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:28   acme.sh[58460]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:11:10   acme.sh[68125]   Sleep 10 and retry.
2021-12-19T11:11:10   acme.sh[36103]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:09   acme.sh[2756]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:10:51   acme.sh[76135]   Sleep 10 and retry.


System Log:
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: validation for certificate failed: REDACTED
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: domain validation failed (http01)
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using challenge type: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using IPv4 address: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using IPv4 address: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: account is registered: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using CA: letsencrypt
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: renew certificate: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: certificate must be issued/renewed: REDACTED


This seems to be the reason it drops the connection every night (it tries to renew the cert). It happens both when trying to manually renew or via cron. 

15
21.7 Legacy Series / Re: 4G fallback fails once a day
« on: November 26, 2021, 12:21:05 pm »
After a bit more searching I found this Reddit post https://www.reddit.com/r/PFSENSE/comments/gxzs42/review_of_netgear_lb2120_4g_lte_and_pfsense/

It states "Netgear created a non-standard TCP/IP implementation. For example, mobile ISP sends DHCP IP of 110.65.12.76, gateway of 110.65.12.1, subnet mask of /24. Netgear then modifies the subnet mask to /32 !!"

I think this is the problem! I changed my subnet with supersede subnet-mask option in the Option modifiers field of the advanced setting of the interface DHCP settings. Let's wait 24 hours and see :)
