Intrusion Detection and Prevention / Re: Where is WAN outbound 1.1.1.1:53 coming from?
« on: April 27, 2023, 01:58:21 am »
In OPNsense, up to the right; search "packet capture" (Interfaces > Diagnostics > Packet Capture).
Download that file and open it in Wireshark. Maybe that can help.
Perhaps something on your LAN is 'hardcoded' to use that DNS server..
For DNS, I prefer to create a NAT port forward rule that redirects DNS which is not going to unbound / pi-hole:
Interface: LAN
Proto: TCP/UDP
Address (Source): LAN net
Ports (Source): *
Address (Destination): !LAN address (IP to pi-hole)
Ports (Destination): 53
IP (Redirect target): 127.0.0.1 (or IP to pi-hole -- I have 127.0.0.1 as I am running unbound on the firewall)
Ports (Redirect target): 53
Description: "Redirect external DNS queries to Opnsense Unbound DNS"
My Unbound DNS is configured to use DoT upstream servers.
https://1.1.1.1/help
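Added example (editor's code, not from the post above): once you have a LAN-side capture, the first thing to find out is which host is sending the queries to 1.1.1.1:53, and that is the source MAC and IP on the LAN frame, not anything visible from the WAN side. The script below tallies packets to 1.1.1.1 per sending host and applies the match logic of the NAT port forward rule from the post to each packet, so you can see what the rule would and would not redirect. The capture lines are constructed to look like `tcpdump -e -n` output; the LAN net 192.168.1.0/24 and firewall LAN address 192.168.1.1 are assumptions. One caveat the rule's own match criteria make visible: it only catches destination port 53, so a client that speaks DNS over TLS (853) or DNS over HTTPS (443) to an outside resolver is not redirected and still leaves via the WAN.

```python
"""Attribute DNS traffic in a LAN-side capture to the sending host and apply
the match logic of the NAT redirect rule from the post to each packet.
Added example; the capture lines below are constructed to look like
`tcpdump -e -n` output and the addresses are assumptions."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # assumption: "LAN net"
FW_LAN_IP = ip_address("192.168.1.1")    # assumption: firewall LAN address
DNS_PORT = 53
DOT_PORT = 853                            # DNS over TLS: not matched by a port-53 rule

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# tcpdump -e -n prints: "ts src_mac > dst_mac, ethertype IPv4 (0x0800), length N: sip.sport > dip.dport: ..."
LINE_RE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > {MAC}, ethertype IPv4 \(0x0800\), length \d+: "
    rf"(?P<sip>{IP4})\.(?P<sport>\d+) > (?P<dip>{IP4})\.(?P<dport>\d+):"
)

# Constructed sample: one host querying 1.1.1.1 directly, a second host using
# DoT to 1.1.1.1, the same host using the firewall's resolver, and one reply.
SAMPLE = [
    "10:01:02.000001 b8:27:eb:11:22:33 > 00:0d:b9:44:55:66, ethertype IPv4 (0x0800), length 82: 192.168.1.50.51234 > 1.1.1.1.53: 12345+ A? example.com. (28)",
    "10:01:02.000400 b8:27:eb:11:22:33 > 00:0d:b9:44:55:66, ethertype IPv4 (0x0800), length 82: 192.168.1.50.51235 > 1.1.1.1.53: 12346+ AAAA? example.com. (28)",
    "10:01:03.000001 3c:22:fb:aa:bb:cc > 00:0d:b9:44:55:66, ethertype IPv4 (0x0800), length 74: 192.168.1.60.40000 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0",
    "10:01:04.000001 3c:22:fb:aa:bb:cc > 00:0d:b9:44:55:66, ethertype IPv4 (0x0800), length 82: 192.168.1.60.51000 > 192.168.1.1.53: 200+ A? opnsense.local. (32)",
    "10:01:05.000001 00:0d:b9:44:55:66 > b8:27:eb:11:22:33, ethertype IPv4 (0x0800), length 98: 1.1.1.1.53 > 192.168.1.50.51234: 12345 1/0/0 A 203.0.113.10 (44)",
]


def parse(line):
    """Pull source MAC, source/destination IP and destination port out of one line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"smac": m["smac"], "sip": ip_address(m["sip"]),
            "dip": ip_address(m["dip"]), "dport": int(m["dport"])}


def redirect_catches(pkt):
    """Mirror of the post's rule: source in LAN net, destination is NOT the
    firewall's LAN address, destination port 53 (the rule covers TCP and UDP)."""
    return (pkt["sip"] in LAN_NET
            and pkt["dip"] != FW_LAN_IP
            and pkt["dport"] == DNS_PORT)


def attribute(lines, resolver="1.1.1.1"):
    """Count packets sent to `resolver`, keyed by (source MAC, source IP, dst port)."""
    target = ip_address(resolver)
    hits = Counter()
    for line in lines:
        pkt = parse(line)
        if pkt and pkt["dip"] == target:
            hits[(pkt["smac"], str(pkt["sip"]), pkt["dport"])] += 1
    return hits


def bypasses(lines):
    """LAN-sourced DNS-looking traffic (53 or 853) to a resolver other than the
    firewall that the port-53 redirect rule leaves alone."""
    missed = Counter()
    for line in lines:
        pkt = parse(line)
        if (pkt and pkt["sip"] in LAN_NET and pkt["dip"] != FW_LAN_IP
                and pkt["dport"] in (DNS_PORT, DOT_PORT) and not redirect_catches(pkt)):
            missed[(pkt["smac"], str(pkt["sip"]), str(pkt["dip"]), pkt["dport"])] += 1
    return missed


if __name__ == "__main__":
    for (mac, ip, port), n in attribute(SAMPLE).items():
        print(f"{mac} {ip} -> 1.1.1.1:{port}  {n} packet(s)")
    for (mac, ip, dst, port), n in bypasses(SAMPLE).items():
        print(f"NOT redirected by the rule: {mac} {ip} -> {dst}:{port}  {n} packet(s)")
```

To get the same view from the pcap that OPNsense's Packet Capture page lets you download, open it in Wireshark and add an eth.src column, or read it with `tcpdump -e -n -r <file>`; the MAC address is what you then look up in Interfaces > Diagnostics > ARP Table to name the device.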
22.1 Legacy Series / Re: questions about multiple WAN setup
« on: May 27, 2022, 10:52:02 pm »
I have no idea. I only have one WAN connection.
I think you are the best one to answer this =D
22.1 Legacy Series / Re: questions about multiple WAN setup
« on: May 23, 2022, 08:41:23 am »
To get VLAN100 to go over WAN_1, I would just add a pass rule on that interface which uses gateway WAN_1; on VLAN200, make a pass rule which uses gateway WAN_2 (at the very bottom of the rule creation page).
And perhaps, when / if WAN_1 is down for VLAN100... you would have to disable this newly created rule, and then enable an identical rule which uses the WAN_2 gateway instead. So a manual process, I guess.
??
22.1 Legacy Series / Re: DHCP Question
« on: May 04, 2022, 02:20:04 pm »
On your OPNsense box, what does it say under Interfaces > Diagnostics > ARP Table?
Which IP does the MAC address of the server belong to?
21.7 Legacy Series / Re: Solved: Update problem
« on: February 13, 2022, 01:23:43 pm »
I am experiencing the same problem.
I tried to update from 21.7.7 to 21.7.8 -- clicked update, went away from the computer for a long time because I knew it had to do a reboot and that takes time.
Got back, had to log in - saw on the front page that the version was
* Versions OPNsense 21.7.8-amd64
and thought everything was OK.
Installed the Realtek plugin for my Realtek NIC -- and then I tried to update to 22.1 via "Click to check for updates"; however, checking for updates I saw the firmware and the kernel were not upgraded and were waiting for 21.7.8.
Now it is just stuck on
Code:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 21.7.8 (amd64/OpenSSL) at Sun Feb 13 10:29:16 CET 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Checking for upgrades (3 candidates): ... done
Processing candidates (3 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
Nothing to do.
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-21.7.8-amd64.txz: ...
Although I am not exactly sure what the problem is; probably the default mirror? Because internet works just fine? The default mirror stated on the System > Firmware > Status page was
* "Mirror https://pkg.opnsense.org/FreeBSD:13:amd64/22.1"
For anyone coming here, go to System > Firmware > Settings to change the Firmware Mirror setting. I changed the mirror, did a reboot, and then I was able to upgrade to 21.7.8 prior to upgrading to 22.1.
22.1 Legacy Series / Re: bring back the vendor realtek driver
« on: February 10, 2022, 12:55:46 pm »
Quote:
Update to 21.7.8 first?
Cheers,
Franco
Of course. My mistake, I did not read the update correctly. Somehow I thought the pending update was to version 22.1, but I see now 22.1 is only mentioned in the first line of the release notes and was not the actual update.
Thanks, I'll try to update to 21.7.8 and then I'll try to install the plugin again before upgrading to 22.1.
22.1 Legacy Series / Re: bring back the vendor realtek driver
« on: February 09, 2022, 02:03:54 pm »
Hi!
I am on
* OPNsense 21.7.7-amd64
and I am using a Realtek NIC.
After reading through this, I want to make sure I download os-realtek-re beforehand.
How can I do this?
Trying to install via GUI gives me:
Code:
***GOT REQUEST TO INSTALL***
Installation out of date. The update to opnsense-21.7.8 is required.
***DONE***
:p
Intrusion Detection and Prevention / Re: Suricata still crashing ( please help )
« on: January 19, 2022, 09:36:47 am »
* Suricata version 6.0.4 RELEASE running in SYSTEM mode
Disabling IPS makes it start OK; the front page says it is up and running.
Enabling IPS seems to break it; I get these errors:
Code:
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 6 other sigs
2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
I am running Suricata with an et_telemetry.token.
After trying to enable Suricata with IPS, I eventually get the following popup window:
Code:
Error reconfiguring IDS
error Installing ids rules ()
Maybe I'll try to search for those specific signature IDs listed above and try to disable those specific rules?
Those signatures above belonged to emerging-malware.rules and emerging-exploit.rules. Disabling those seems to do the trick!
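Added example (editor's code, not part of the post): each SC_WARN_FLOWBIT line names the SID of the rule that checks the flowbit, and Suricata prints it when no enabled rule sets that bit. The lookup the post describes doing by hand, "which rule file does this SID live in", is mechanical, so the script below pulls the SIDs out of the log lines quoted above, maps each to its rule file, and also finds any rule that sets the same flowbit and whether it is commented out. That second answer is what tells you whether re-enabling one setter rule would suffice or the whole category has to go. The log lines are the two from the post; the rule files are constructed stand-ins with made-up rule text, and the setter SID 2814991 is invented for the example.

```python
"""Triage Suricata SC_WARN_FLOWBIT warnings against a set of rule files.
Added example; the rule text below is constructed, not the real ET rules."""
import re

# The SID in the warning is the rule that *checks* the flowbit.
WARN_RE = re.compile(
    r"flowbit '(?P<flowbit>[^']+)' is checked but not set\. "
    r"Checked in (?P<sid>\d+) and (?P<others>\d+) other sigs"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Log lines as quoted in the post.
LOG = [
    "2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs",
    "2022-01-19T09:14:48 suricata[3296] [100197] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs",
]

# Constructed stand-ins for the two rule files; the setter SID 2814991 is invented.
RULES = {
    "emerging-malware.rules": "\n".join([
        '#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE setter (constructed)"; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; sid:2814991; rev:1;)',
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE checker (constructed)"; flowbits:isset,ET.vba-jpg-dl; sid:2814992; rev:1;)',
    ]),
    "emerging-exploit.rules": "\n".join([
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT checker (constructed)"; flowbits:isset,et.MS.XMLHTTP.ip.request; sid:2022050; rev:1;)',
    ]),
}


def flowbit_warnings(log_lines):
    """Return {checking_sid: flowbit} for every SC_WARN_FLOWBIT line."""
    found = {}
    for line in log_lines:
        m = WARN_RE.search(line)
        if m:
            found[int(m["sid"])] = m["flowbit"]
    return found


def index_rules(rule_files):
    """rule_files: {filename: text}. Return {sid: filename} for active (uncommented) rules."""
    idx = {}
    for name, text in rule_files.items():
        for line in text.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            m = SID_RE.search(line)
            if m:
                idx[int(m[1])] = name
    return idx


def find_setters(flowbit, rule_files):
    """Rules that set `flowbit`, as (file, sid, disabled). A checker with no
    enabled setter is exactly the condition that produces the warning."""
    pat = re.compile(r"flowbits\s*:\s*set\s*,\s*" + re.escape(flowbit) + r"\s*;")
    hits = []
    for name, text in rule_files.items():
        for line in text.splitlines():
            if pat.search(line):
                m = SID_RE.search(line)
                hits.append((name, int(m[1]) if m else None, line.lstrip().startswith("#")))
    return hits


def triage(log_lines, rule_files):
    """For each warned SID: its rule file, the rules that set its flowbit,
    and whether any of those setters is actually enabled."""
    idx = index_rules(rule_files)
    out = {}
    for sid, flowbit in flowbit_warnings(log_lines).items():
        setters = find_setters(flowbit, rule_files)
        out[sid] = {
            "flowbit": flowbit,
            "file": idx.get(sid),
            "setters": setters,
            "setter_enabled": any(not disabled for _, _, disabled in setters),
        }
    return out


if __name__ == "__main__":
    for sid, info in triage(LOG, RULES).items():
        print(f"sid {sid} in {info['file']}: checks {info['flowbit']}, "
              f"setters={info['setters']}, setter enabled={info['setter_enabled']}")
```

On a real box, feed it the warning lines from the Suricata log and the rule files Suricata actually loaded, and read "setter_enabled: False" as the reason for the warning: either the setting rule was disabled or it is not in any enabled rule set.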
Intrusion Detection and Prevention / Re: log4j vulnerability detection
« on: January 19, 2022, 12:04:52 am »
What dennis_u said! Having the same issue.
Intrusion Detection and Prevention / Re: Suricata still crashing ( please help )
« on: January 19, 2022, 12:02:31 am »
I am experiencing the same; at least on the front page of the GUI it is not running. And neither according to "Alerts" (nothing is showing, whereas under normal circumstances alerts are showing something from day to day).
There is no indication in the log of Suricata that it has stopped.
* OPNsense 21.7.7-amd64
Running in promiscuous mode and on VLANs. This is a small firewall, AMD GX-412TC SOC (4 cores) and 4GB of RAM - but it has worked flawlessly up until right before Christmas? or so?
21.7 Legacy Series / Re: Discovery of SMB shares over Wireguard VPN not working.
« on: January 07, 2022, 11:56:44 am »
Do you know what DNS server the Android phone is using? How is it possible that 'internet seems to work for Android phone', but you are not able to ping any hostnames (microsoft.com / google.com)?
Have you remembered to NOT use / define the "DNS server" in the WireGuard configuration (as it would break DNS settings?)
Can you ping the local IP address with the peer used for the laptop, e.g. the WG interface?
On your laptop, you are unable to access https://google.com, but https://1.1.1.1 works? Then it is a DNS issue.
As Greelan says, post configurations.
21.7 Legacy Series / Re: Discovery of SMB shares over Wireguard VPN not working.
« on: January 06, 2022, 02:10:05 pm »
Suggestion:
When you are directly connected to the LAN, are you able to see network resources then, by simply going to Network?
Does your DNS resolution work for hosts on the LAN (can you 'ping unraid-server', by hostname)?
Do you have a static mapping of the IP address of the Unraid server?
Which DNS service are you using? Unbound? There is a setting for 'Register DHCP static mappings' - is this checked?
I am not sure how Network Discovery in Windows works. Does it not rely on broadcast traffic? I do not think broadcast traffic can traverse different networks / subnets. Probably you will have to make sure to enable NETBIOS or something in Unraid, and then use the OPNsense as a NETBIOS server - so that it can announce stuff on your WG interface to your 'Windows Network Discovery' devices.
Internet through the WireGuard tunnel; a quick check can be:
can you ping 1.1.1.1?
can you ping microsoft.com?
If you cannot ping microsoft.com, but can ping 1.1.1.1 - then you have a DNS issue; otherwise, as I see it, "internet" is working just fine (or, at least, the ICMP protocol is allowed ping & pong).
Do you have any rules on your WireGuard interface? For further troubleshooting on this matter I would suggest a rule where you enable logging on the interface to see what's up.
What type of Outbound NAT do you have?
21.7 Legacy Series / Re: All traffic in firewall logs from WAN interface
« on: December 30, 2021, 10:34:00 pm »
Can you test the following:
Create a rule on your LAN interface which passes protocol ICMP. Move it to the top. On your LAN client, do a continuous "ping 8.8.8.8".
Does this show up in your firewall log? If not, have you remembered to tick the option to log this traffic?
21.7 Legacy Series / Re: How do I forward a single port with remapping?
« on: December 30, 2021, 10:28:32 pm »
If more people chime in, maybe we can convince you?
As you have an OPNsense firewall, I would also strongly suggest using a VPN to phone home. It will take you 10 minutes of configuration, and to phone home it would require just one additional step: click connect on an app beforehand. WireGuard would be an excellent option as it has support for all major OSes and is negligible in regards to performance drop.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Good luck anyways