Messages

1

22.1 Production Series / Intrusion detection filter logs are filling disk.

« on: June 15, 2022, 05:00:50 pm »

Hi.

How can I manage filter logs from IDS (those written at /var/log/filter directory)?
Is any possibility to add some gzip or bzip2 function to log rotation? At my installation, every daily file has around 5GB of size and this quickly fills up entire disk. I've now limited to keep only 3 files, but it's not comfortable. Compressing those files would save a lot of space, are they are simple txt files...

Thanks a lot in advance for any hint I coudn't find any configuration for this :/

2

22.1 Production Series / Re: 22.1.6 failed to check updates.

« on: June 01, 2022, 04:57:26 pm »

Ok, nevermind - resolved by myself.

It was something with Let's Encrypt CA certificates.
I have removed all their CA from trust settings, then inserted ISRG Root X1 ca cert (cross-signed by DST Root CA X3), then added Let's Encrypt's R3 root CA (cross-signed by ISRG X1) and re-issued webgui cert.

Now pkg update works fine

Cheers!

3

22.1 Production Series / 22.1.6 failed to check updates.

« on: June 01, 2022, 12:15:06 pm »

Hi.

I'm trying to check updates on my setup running 22.1.6 version, but it fails:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1.6 (amd64/OpenSSL) at Wed Jun  1 12:05:57 CEST 2022
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Anyone can assist to help resolve the issue?
Many thanks in advance

Martin.

4

20.7 Legacy Series / Re: VMWare vmxnet3 drivers and VLANs...

« on: November 03, 2020, 07:11:23 pm »

Have this settings:

Properties
    Network label    vpnHubTrunk
    VLAN ID    All (4095)

Security
    Promiscuous mode    Accept
    MAC address changes    Accept
    Forged transmits    Accept

Traffic shaping
    Average bandwidth    --
    Peak bandwidth    --
    Burst size    --

Teaming and failover
    Load balancing    Route based on IP hash 

vSwitch have 3 bonded interfaces to Cisco switch (C2690) as etherchannel.

5

20.7 Legacy Series / Re: IPSec keepalive

« on: November 03, 2020, 11:59:55 am »

Well... not helping at all :/

The problem is only with phase2 channels - phase 1 and one of phase2 (this, which OpnSesne is a part of local network) is working nicely.

6

20.7 Legacy Series / Re: VMWare vmxnet3 drivers and VLANs...

« on: November 03, 2020, 09:27:41 am »

What's Your vswitch settings for this interface? Do You pass all vlans to this VM?

I can create vlans as well, but they do not pass any traffic over that vlan. Only the first created one is working. None of later created are passing the traffic: I can't ping this interface from other hosts using same vlan. Even after reboot.

I have ESXi 6.7 for this hypervisor, if that matters... But I have other setup, where is the same hypervisor version, the OpnSense machine have E1000E interface and VLANs are working fine...

7

20.7 Legacy Series / Re: IPSec keepalive

« on: November 03, 2020, 09:20:25 am »

Will try that, thanks... I'll let You know

8

20.7 Legacy Series / VMWare vmxnet3 drivers and VLANs...

« on: November 02, 2020, 09:54:23 am »

Hi

I saw last time, that there is some issue with VLANs using VMXNET3 network interface.
Only the first created VLAN is working. Next vlan's aren't detected at all, even after reboots.
Hardware offload is disabled.

For now, I've bypassed this by creating physical interfaces instead, but this is not the way I want, because I can't add new network interfaces on-line to OpnSense and adding them offline can destroy all previous network assignements.
I know, that I can use E1000E adapter type, but this limits the traffic to 1Gbps.

What is current status of vmxnet3 drivers for OpnSense? Is there any work in progress for them?
Thanks in advance for any reply

9

20.7 Legacy Series / IPSec keepalive

« on: November 02, 2020, 09:46:24 am »

Hi

Is it possible to keep alive IPSec tunels for networks, that OpnSense is not a member (means: have no network interface in it)...
Or something that forces to restart the IPSec tunnel, when SP is expired due to no traffic.
I have one site-to-site tunnel with 3 different "local" networks being routed over to 1 common remote.
2 of those "locals" are in fact remote for this OpnSense router and I can't assign new interface so the opnsense is a part of those networks. On the other side is a FortiGate router, which is requiring each 2nd phase tunel isolation and we had a lot of problems to configure those tunels. Now they are working, but only as long as the 2nd phase lifetime is defined (3600 sec). After that time SP expires and is removed from the list, so the network is not routeable anymore...

 Is there any way to keep those tunells alive?

10

18.1 Legacy Series / Schedule activation of inactive firewall rule.

« on: April 27, 2018, 04:01:52 pm »

Hello

Long time no words from me... But now I've facing a problem - how big, this is the question

Little background:
My company is serving an internet access to some clients. Clients are changing, so the agreements are starting and ending.

Problem:
Sometimes, the end date is in some weird date, which colides with my holidays plan in example

Question is:
- is there any way to schedule the activation of an inactive rule in firewall? This would allow me to create in advance for example a rule to drop packets from that client  and start my holidays without disturbing

Thanks for any hint or clue in this matter

Cheers,

Martin.

11

17.1 Legacy Series / Re: Using acme.sh

« on: February 14, 2017, 11:29:53 am »

Working like a charm Thanks a lot!

12

17.1 Legacy Series / flowd.log location.

« on: February 09, 2017, 11:53:29 am »

Hello

Is it possible to parametrize  flowd.log location in the upcoming versions of OpnSense?

This will allow user to move it to own location (ie. to bigger disk), as it is growing constantly and can fulfill whose available space on disk...

Thanks in advance

Best regards,

Martin.

13

17.1 Legacy Series / Re: Using acme.sh

« on: February 09, 2017, 10:52:46 am »

I'm using Firefox 51.0

Here You have a statement from Mozilla Authority:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

Here is info from Apple Authority:
https://support.apple.com/en-us/HT204132

Google also supports this decision in Chrome browser:
http://www.csoonline.com/article/3137181/security/google-to-untrust-wosign-and-startcom-certificates.html

Regards

14

17.1 Legacy Series / Re: Using acme.sh

« on: February 07, 2017, 09:07:08 pm »

No, they don't

Google and Mozilla Authorities revoked their CA certificate due to conflict with one of the investors owned StartSSL. StartSSL is trying to solve this asap, but it takes them at least half year in my opinion to create new CA.

So I'll wait for fix in acme implementation better

Best regards,

Martin.

15

17.1 Legacy Series / Re: Using acme.sh

« on: February 06, 2017, 02:06:22 pm »

Ok, so I found a "bug" too... Name of the certificate cannot contain "-" sign (ie. something-strange.domain.com).
Saddly, I do have - in the name. Can You please make something with this?

Thanks in advance.

Bests...

Martin.