Topics - bobbythomas

#1
I was having a lot of problems with the old firewall instance, so I was setting up a new firewall instance from scratch. After some initial configuration I was about to set up IPS on the firewall, and it seems like the options to add new rulesets (ET Telemetry, Cisco, etc.) are missing. I had these rulesets in the old instance but I am unable to add them to the new one. Does anyone know where these options reside on 22.7?

Please see the attached screenshot.

TIA
#2
Hi OPNsense team,

Not sure if this is the right place for feature requests. I recently came across the Lokinet (onion routing) platform, which is somewhat similar to Tor but more decentralised and optimised, and seems more secure. Although there is no release currently available for FreeBSD, it can be built from source (see https://github.com/oxen-io/loki-network). Unlike Tor, Lokinet can tunnel all IP traffic over its low-latency onion network. Is there any way we can develop a plugin for Lokinet?

Note: Session IM app (alternative to Whatsapp/Signal/Telegram) uses Lokinet.

Thank you,
Regards,
Bobby Thomas
#3
Hi All,

I have upgraded my OPNsense instance to 21.1.4 from 21.1.2 and since then WireGuard is not working; I think the service is not running or there is some other issue. I see the WG handshake timing out on the client side, but there is no traffic seen on the firewall end. I tried capturing packets on the WAN side on port UDP 51820 (the default port) but it's not even showing any hits. I can see other traffic from the same IP, and the IPsec VPN is also working fine. Were there any changes in 1.5? Do I need to reconfigure WG from scratch after this upgrade?

Thanks in advance.

Regards,
Bobby Thomas
#4
Hi there,

This may not be much related to OPNsense, but I would like to get some guidance on moving swap to a new partition/disk. Currently I am running the OPNsense VM on Proxmox with an SSD; I would just like to move the swap partition to another HDD. Is it possible?

Thanks in Advance,

Regards,
Bobby Thomas
#5
Hi Team,

Hope everyone is enjoying the holidays.

Well, it seems like my holidays are going from bad to worse. Coming to the point: I have an OPNsense firewall set up in a VM in Proxmox and it has been working great. A couple of weeks back my ISP replaced my DOCSIS 3 Ethernet cable modem with a Wi-Fi one, and since then I have been facing issues. I have disabled the Wi-Fi on the new DOCSIS modem and configured bridge mode (as I need the public IP terminating on my OPNsense firewall). I got a public IP on the modem for some time, then it started causing issues: I started getting an IP address from the 192.168.5.0/24 range even though I have disabled the DHCP service on the modem. Whatever I do, I only receive an IP address from the range 192.168.5.0/24 on my OPNsense firewall, while if I connect a PC to the modem I am getting a public IP issued by the ISP DHCP server. I am scratching my head to understand why it's happening like this.

I also tried a different approach by assigning the MAC address of the PC to the OPNsense WAN interface, and then it gets the public IP but it cannot communicate with anything on the WAN (cannot ping the gateway; it seems no traffic is passing through). Any idea how I can get this issue fixed? I think there is some issue with the OPNsense DHCP client service.

Thanks in advance,
Regards,
Bobby Thomas
#6
Hi OPNSensers,

I am a bit confused here, trying to think of a method to implement a solution. Here are some details about the issue I am currently facing. I have an openHAB server for automation on the inside, and I have access to it over HTTP/HTTPS only from inside. There are some Android apps which require HTTPS and a public CA-signed certificate for API access (as from Android 10 they have those restrictions). I have the Let's Encrypt service running for a CA cert which signs my DDNS domain. I previously had Pi-hole, where I had created a static DNS A record for my DDNS domain pointing to openHAB, and then I imported the Let's Encrypt certificate from OPNsense into openHAB; after this the Android app worked well. Now I have moved away from Pi-hole as I am now using Unbound and BIND for DNS filtering. Also, it's very hectic to manually import the certificate into openHAB every three months, so I want to know if I can use HAProxy for this purpose. I only need to access this server from the inside and VPN networks and not from outside, but I need it to use the Let's Encrypt cert for SSL.

It may be a little confusing to follow, but let me know if you require any additional details.

Thanks in advance
Regards,
Bobby Thomas
#7
Hi All,

I just upgraded my firewall from 20.1.9 to 20.7, and the upgrade went smoothly. The only issue I am seeing is with the WireGuard VPN. After the upgrade the WireGuard VPN service was showing down, and when I tried to start the service it's not starting. So I went through the logs and found the following.


root@firewall:~ # cat /var/log/system.log | grep wg
Aug  2 20:52:13 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:52:13 firewall kernel: wg0: deletion failed: 3
Aug  2 20:52:13 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:56:30 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:56:30 firewall kernel: wg0: deletion failed: 3
Aug  2 20:56:30 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:58:07 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:58:08 firewall kernel: wg0: deletion failed: 3
Aug  2 20:58:08 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:12:08 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:12:09 firewall kernel: wg0: deletion failed: 3
Aug  2 21:12:09 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:13:46 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:13:46 firewall kernel: wg0: deletion failed: 3
Aug  2 21:13:46 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:01:26 firewall kernel: ifa_maintain_loopback_route: deletion failed for interface wg0: 3
Aug  2 20:01:26 firewall kernel: wg0: link state changed to DOWN


Is this some kind of bug? It seems to me like the system is unable to rename the tunnel interface.

Any help is appreciated.

Thank you,
Regards,
Bobby Thomas
#8
19.7 Legacy Series / Wireguard Unstable
October 31, 2019, 11:31:13 PM
Hi All,

I have been using the WireGuard dev build for a while and recently moved to the stable build, but after moving to the stable build WireGuard has become unstable. Most of the time it won't establish the connection with the server; on only one occasion was it able to establish the connection. There were no changes in the config, and I have even tried uninstalling and doing a fresh install, but still that didn't work. How can I view the WireGuard logs? It seems really hard to troubleshoot WireGuard connectivity issues.

Thanks in advance.

Regards,
Bobby Thomas
#9
Hi All,

The issue started yesterday evening and there were no recent config changes. It started all of a sudden and I lost connectivity to the network while I was working from home. I have a multi-WAN setup; both of the WAN links work fine and I can access the firewall through VPN. But the issue is with the LAN interface, and it seems like it's totally down even though the interface status shows up in the firewall. I tried rebooting the firewall; the interface comes up and stays active for a couple of minutes, then it goes down. After that I cannot ping the firewall from the LAN or the other way round. All I get is host down (if I ping from the firewall). All the WAN links are working fine and dpinger shows up.

The issue, I am guessing, seems to be something with firewall rules or NAT or routing, but it's really hard to identify. I have ZeroTier and WireGuard running on the box, and when I lose LAN connectivity the routing shows the LAN network gateway as a ZeroTier interface or the lo0 interface. Since I am running it as a VM, I tried rolling it back to an old 19.1 snapshot and it worked, but when I tried restoring the config backups the issue started happening once again.

Any help is highly appreciated.

Thank you,
Regards,
Bobby Thomas
#10
Hi,

I was trying to edit the default mail-format in the monitrc file, but it seems like it reverts to the default after re-initializing. Is there any way to edit and keep the mail-format?

Thank you,
Bobby Thomas
#11
19.1 Legacy Series / Issues with Monit notification
March 29, 2019, 08:09:30 PM
Hi All,

I have a multi-WAN setup and I have configured Monit to monitor my primary link status. Monit is working fine, but the email notification is not as I expected. I am receiving ICMP success notifications but not failure notifications. There is no problem with standby internet connectivity, and it was working previously with the "CHANGED STATUS" condition, but now after the upgrade when I put that in I get a syntax error. Any suggestions?

Here is the alert settings config from the monitrc:

set alert abc@gmail.com  { icmp,instance } mail-format { Subject:$SERVICE on $HOST $EVENT (ISP LINK STATE CHANGE) } reminder on 10 cycles

And here is the service and service test settings config:

check host ISP-Link-status address xxx.xxx.xxx.xxx
   if failed ping then alert

Thanks in advance,
Regards,
Bobby Thomas
#12
19.1 Legacy Series / Issues with Multi WAN
March 14, 2019, 11:24:49 PM
I am facing issues with multi-WAN routing. My primary ISP link is not stable and goes offline quite often, so I planned on using my 3G data plan as a backup link. I bought a Huawei LTE modem and it works perfectly; it has an Ethernet interface which connects to my OPNsense as the WAN2 gateway. I have assigned a weight of 1 while I kept the weight of the primary gateway at 5. I have set the gateway priority of the primary WAN link to 1 and the other WAN gateway priority to tier 5. I have created a LAN rule to use the gateway group as the new gateway.

Our WAN link has been down since this evening and since then it's working on the LTE link. But it seems like there is some issue with routing. In the gateway groups both are showing as active, and the LTE gateway is being used for all the traffic regardless of where the traffic originates. I have created a policy-based routing config, and based on that all ICMP traffic to 8.8.8.8 should go through WAN gateway 1 and ICMP traffic to 8.8.4.4 should go through WAN gateway 2; even with that configured, the traffic is sent to WAN gateway 2. Can someone help me identify the issue with the multi-WAN setup?

Thank you,
Regards,
Bobby Thomas
#13
Hi Everyone,

I have tried upgrading my OPNsense firewall from 18.7.8 to 18.7.9 twice, and both times after the upgrade DNS doesn't work. So the only way to get this fixed is by rolling back to 18.7.8; as I am running it as a VM I can roll back to 18.7.8 and everything works after that. Any changes in the DNS structure from 18.7.9? Any help is highly appreciated.

Thank you,
Regards,
Bobby Thomas
#14
Hi,

I am connecting to my office network using OpenConnect and it's really a nice plugin to have. But my only concern is that the AnyConnect VPN to my office is configured with the tunnel-all DNS option in the ASA AnyConnect settings, which inserts my corporate DNS server as the default DNS server for OPNsense. Is there any way to override the tunnel-all DNS option, so that the firewall performs name server lookups based on the locally configured DNS servers?

Thanks in advance.

Regards,
Bobby Thomas
#15
18.7 Legacy Series / PPPoE not reconnecting
August 06, 2018, 08:14:24 AM
Hi Team,

It was a smooth transition from 18.1 to 18.7 and everything went well, but after the upgrade I started noticing issues with my PPPoE connection: if the connection goes down it doesn't come back automatically, and I have to log in to the firewall and issue the connect option or reload the interface to bring the connection back. I have a multi-WAN setup and I don't see any specific logs. Has anyone else experienced this?

Thank you,
Regards,
Bobby Thomas
#16
Hi,

I am seeing a large number of parsing errors in the Suricata logs, and most of these are related to the snort_vrt rules. It looks like Suricata is not able to parse the Snort rules; how can we fix this?


19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop  tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-samba.rules at line 53
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:8;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-webapp.rules at line 278
19/1/2018 -- 03:55:55 - <Notice> - rule reload complete


Thank you,
Regards,
Bobby Thomas
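As an added example (not from the post, and not OPNsense or Suricata code), the following Python turns log lines like the ones quoted above into a per-file list of rejected rules, each paired with the error code and the reason Suricata logged immediately before the "error parsing signature" line; the sample log is constructed from the post's own lines with the long rule bodies abridged.

```python
import re
from collections import Counter

# Constructed sample: the Suricata log quoted in the post above, with the long
# rule bodies abridged to the msg and sid so the lines fit here.
SAMPLE_LOG = """\
19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
19/1/2018 -- 03:55:14 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
19/1/2018 -- 03:55:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop  tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; sid:45074; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.server-samba.rules at line 53
19/1/2018 -- 03:55:55 - <Notice> - rule reload complete
"""

LINE_RE = re.compile(r"^\S+ -- \S+ - <(?P<level>\w+)> - (?P<msg>.*)$")
CODE_RE = re.compile(r"^\[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<detail>.*)$")
SIG_RE = re.compile(r'^error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')


def summarize(log_text):
    """Count parse errors per error code and per rule file; pair each rejected
    rule (file, line, sid) with the reason Suricata logged just before it."""
    by_code, by_file, rejected = Counter(), Counter(), []
    pending_reason, reload_complete = None, False
    for raw in log_text.splitlines():
        if not (m := LINE_RE.match(raw.strip())):
            continue  # not a Suricata log line
        if m["msg"] == "rule reload complete":
            reload_complete = True
            continue
        if not (c := CODE_RE.match(m["msg"])):
            continue  # informational line without an ERRCODE
        by_code[c["code"]] += 1
        if not (sig := SIG_RE.match(c["detail"])):
            # Suricata logs the reason first, then the "error parsing signature" line
            pending_reason = c["detail"]
            continue
        sid = re.search(r"\bsid:(\d+);", sig["rule"])
        rejected.append({"file": sig["file"], "line": int(sig["line"]),
                         "sid": int(sid.group(1)) if sid else None,
                         "reason": pending_reason})
        by_file[sig["file"]] += 1
        pending_reason = None
    return {"by_code": by_code, "by_file": by_file,
            "rejected": rejected, "reload_complete": reload_complete}


if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG)["rejected"]:
        print(f'{e["file"]}:{e["line"]} sid {e["sid"]}: {e["reason"]}')
```

Run against the real log (`/var/log/suricata/suricata.log` on OPNsense) to get the list of sids to disable or the rule files to review, and to confirm that "rule reload complete" was reached so the remaining rules are actually loaded.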
#17
It looks like we can only add one LAN segment to the encryption domain; even if I add a new phase 2 entry for the second LAN interface it's not showing up in the IPsec status. I cannot access the 2nd LAN network. Is it possible to add subnets instead of an interface network in the IPsec VPN?

Thank you,
Regards,
Bobby Thomas
#18
17.7 Legacy Series / Web GUI not loading.
January 19, 2018, 08:57:55 PM
Hi All,

This is the second time I am posting this in the forum. I am facing issues accessing the OPNsense web GUI from the LAN interface. If I use the dynamic DNS it's working. If I disable HTTPS I can access the web console. I created a new internal certificate and used it for HTTPS without any success. Changed from LibreSSL to OpenSSL, no success, and it doesn't work. Tried different web browsers, but nothing worked. The same access is working over the ZeroTier VPN: I can access the web console using the same browser but using the ZeroTier interface IP. If I use the LAN IP the browser doesn't respond.

When I run a Wireshark capture, I can see that my PC is trying to start a TLS session (TLS hello message) and the 3-way handshake completes, and then my PC sends a TCP RST. I was wondering whether this could be some issue related to SSL parameters, but I tried this on different devices and the results are the same. Just wondering how I can fix this.

Thanks in advance.

Regards,
Bobby Thomas
#19
Hi,

I have recently configured a new DMZ interface to host my BitTorrent client. Previously this was on my inside network and multi-WAN load balancing was working without any issues, but since I moved it to the DMZ multi-WAN load balancing is not working. When my primary link goes down it loses internet connectivity, while I have internet access on the LAN interface through the secondary link. I am able to ping the gateway and monitoring IP from the DMZ host when the primary link is down, and it's able to resolve DNS, but whenever I try to ping any other host I am getting destination host unreachable from the firewall DMZ interface.

Any solution?

Thank you,
Regards,
Bobby Thomas
#20
Is it possible to load balance the gateways based on the link utilization?

Thank you,
Regards,
Bobby Thomas