Topics

1

Intrusion Detection and Prevention / Suricata keeps crashing after last update

« on: June 21, 2021, 01:36:12 am »

Hi guys,
i hope someone can point me to the right directions, ive been using IDS for over 2 years,
last day we updated the box to the 21.1.7 sinds than Suricata keeps crashing with the below log.
it stops the service and have to start it manually


thank you

Code: [Select]

2021-06-21T01:34:42
suricata[35325]
[100280] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
 
2021-06-21T01:34:42
suricata[35325]
[101369] <Notice> -- opened netmap:em0/T from em0: 0x3e8cf080300
 
2021-06-21T01:34:42
suricata[35325]
[101369] <Notice> -- opened netmap:em0^ from em0^: 0x3e8cf080000
 
2021-06-21T01:34:42
suricata[35325]
[100225] <Notice> -- opened netmap:em0^ from em0^: 0x3e8ce0af300
 
2021-06-21T01:34:41
suricata[35325]
[100225] <Notice> -- opened netmap:em0/R from em0: 0x3e8ce0af000
 
2021-06-21T01:33:42
suricata[35325]
[100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
 
2021-06-21T01:33:42
suricata[35325]
[100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2820208 and 0 other sigs
 
2021-06-21T01:33:42
suricata[35325]
[100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
 
2021-06-21T01:33:42
suricata[35325]
[100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
 
2021-06-21T01:33:42
suricata[35325]
[100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.certutilhttp' is checked but not set. Checked in 2833774 and 0 other sigs
 
2021-06-21T01:33:42
suricata[35325]
[100280] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 2 other sigs
 
2021-06-21T01:33:13
suricata[21102]
[100286] <Notice> -- This is Suricata version 5.0.6 RELEASE running in SYSTEM mode
 
2021-06-20T03:01:09
suricata[29540]
[100253] <Notice> -- rule reload complete
 
2021-06-20T03:00:39
suricata[29540]
[100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
 
2021-06-20T03:00:39
suricata[29540]
[100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2820208 and 0 other sigs
 
2021-06-20T03:00:39
suricata[29540]
[100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
 
2021-06-20T03:00:39
suricata[29540]
[100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
 
2021-06-20T03:00:39
suricata[29540]
[100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.certutilhttp' is checked but not set. Checked in 2833774 and 0 other sigs
 
2021-06-20T03:00:39
suricata[29540]
[100253] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 2 other sigs
 
2021-06-20T03:00:08
suricata[29540]
[100253] <Notice> -- rule reload starting

2

21.1 Legacy Series / ERR_SSL_PROTOCOL_ERROR GUI

« on: January 30, 2021, 01:34:35 am »

Hi guys,
after updating one box I lost access to the gui as to the ssh.
the error keep showing

Code: [Select]

ERR_SSL_PROTOCOL_ERRORusually It was fixed with this command to reverse back

Code: [Select]

opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart
but it appear it failed to revert to 20.7.6 on 21.1

hope someone has a idea how to restore the gui.

thank you

3

General Discussion / LACP is not working

« on: November 22, 2020, 12:30:48 am »

Dear all,
We have been using OPNsense for sometimes now, one our customer has two ISP switch Layer 3, each Switch provides 1GB NIC with 1Gbps speed to the opnsense
this configuration has been working excellent before with pfsense.
Switches are configured to do LACP on interfaces ( as I mentioned it been working for long ).

Switch 1 >>>> Port 1 >>>>> Pfsense Port 1 ( now is Opnsense )
Switch 2 >>>> Port 1 >>>>> Pfsense Port 2 ( now is opnsense)

Both switches are stacked and are Brocade ICX7250.

as I mentioned this config been working with pfsense for long time until we convince the customer to move to OPNsens.

the issue is:

We have created LAGG see attacked this LAG is em2 and em3 as LAN LAGG. so whenever we connect the cables to the switch the error pops on the console of the OPNS and keeps popping ups.

Code: [Select]

interface stopped distributing possible flapping

after I tried a pfsense installation clean installation and I create the LAGG everything works as expected.

Can someone please help clear things to me, is it the OPNsens? configuration ? what am I doing wrong?

appreciate any help/ideas.

4

Intrusion Detection and Prevention / IDS OVER VPN

« on: November 20, 2020, 02:27:56 am »

Dear All,

we have been using OPNsense for over 4 years, we have happy with it, and big thank you the developers for this great software.
I have a couple of concerns.

1- IDS/IPS enabled in the WAN.
we have IPS /IDS enabled on the WAN,i've attend a online training of suricata they advise to run the IDS/IPS on the LAN because OPNsense blocks anything on the WAN already.

we have site to site VPN from Office 1 to Office 2 when I apply the IDS/IPS on the LAN Interface I cannot connect using RDP/https/ ect... I even cannot ping.
on the IDS alert there is nothing there about those connections been blocked. when I switch to WAN stuff start working.

What am I doing wrong?

appreciate each support.

5

20.7 Legacy Series / 2 Switch 1 WAN

« on: November 02, 2020, 11:19:01 pm »

Dear all,

i am trying to archive some setup and dont know how to do it.
the situation as next :
our ISP have two switch for us which configured to act as one. switches are layer 3.
We have one opnsense hardware behind "OPNsense A10 Dual Core SSD rack Gen2" a opnsense hardware which we are happy with.
So i want to have two WAN cables from each switch, so Switch 1 to WAN1 and Switch 2 to WAN2 and configure WAN1 and WAN2 as LACP.
is this even possible in opnsense ?

Thank you

6

20.7 Legacy Series / Opnsense 20.X wont boot

« on: September 06, 2020, 08:11:13 pm »

Hi guys,
ive been fighting with a hardware box it doesn't wanna boot. i managed to get up to boot by doing the next

first command during the boot

set kern.vty=sc
boot

when it boot i disabled the option  Use the virtual terminal driver (vt) at System >> Settings >> Administration

my question is, would a update overight those settings of  Use the virtual terminal driver (vt) or not ?

Can i priciest those settings somehow at System: Settings: Tunables ?

Thank you

PS : i've installed the opnsense at a Sophos Hardware

7

20.7 Legacy Series / GeoIP 20.7 solution

« on: August 17, 2020, 03:56:15 pm »

Hi Guys,

If your GEOIP seems not to works after the last uptate, the issue is easy and simple
your firewall Firewall Maximum Table Entries is Limited to 100k.
So Go to your firewall>>>Settings>>>Advanced and change the value of Firewall Maximum Table Entries to 200k and save.
i have mine at 400k as ive got a powerfull hardware.

after i've done that the GEOIP start working and loading IPS.

8

20.1 Legacy Series / How to Configure Wireguard for Remote users

« on: June 03, 2020, 07:41:58 pm »

Dear all,
couple of weeks i've strugeling on getting wireguard configured and working,
today i am going to explain how to do with screenshots.
Step 1, Go to plugin and install wireguard


Step 2
go to VPN >> Wireguard >>> and Enable it


Step 3
Go to VPN WireGuard Local, and create a Local connection.
Chose a tunnel IP.
please notte: do not enter private or public key, they will be generate automatically



Step 4
open the created local connection and save the public key / private key on a notepad you gonna need it.


Step 5
go to VPN >> Wireguard >>Endpoints and create a Endpoint " Endpoint is like a user", we will use Julien as my name for this Endpoint.


Step 6
Install Wireguard on Windows/Mac OSX, this methode works for both Windows and Mac OSX
after the installation Chose add tunnel and than Add a empty Tunnel


Step 7
copy the Public key from the Windows Client and save it at the Endpoint of the user as showed below on the picture




Step 8

Go To VPN >>> WireGuard>>> Local and add Julien to the Peer so the Endpoint would be permited to connect using the Peer " see screenshot"


Click Save, and Go back up General and Click on Save Again " see screenshot"


Step 9

Go to Interfaces >> Assigmenet and add WG0 " Wiregaurd" interface, Call it " Remote Users" or whatever you want.



PS: Dont change anything on the settings, leave it as it IPV4/IPV6 on NONE, Wireguard will take care of that part. after it done, restart wireguard service and you should see it will detect it new IP " see below picture.


Step 10,

Go to the Firewall >> Rules > And find the interface you created, mine call Remote Users and create a firewall looks like the one on the screenshot.


Go To Firewall >> Rules >> WAN and create incoming connections on the WAN Side.
PS: this rule is not restricted yet, when the connection is up you can restricted to ip/port/ect...




the Windows Client connection should looks like this.

Code: [Select]

[Interface]
Address = 10.171.1.2/31
PrivateKey = LaptopPrivKey
DNS = 10.10.1.20

[Peer]
PublicKey = OpnsensePUBLICkey
AllowedIPs = 0.0.0.0/0
Endpoint = my.ddns.example.com:51820
like this you should the connection is set up and active.



if you have a remote users using 4G/ UMTS connection maybe is smart though to use MTU

Code: [Select]

[Interface]
Address = 10.171.1.2/31
PrivateKey = LaptopPrivKey
MTU = 1380
DNS = 10.10.1.20

[Peer]
PublicKey = OpnsensePUBLICkey
AllowedIPs = 0.0.0.0/0
Endpoint = my.ddns.example.com:51820

I hope the Admin will PIN the post,

this week i will create a new tutorial how to do site to site using wireguard.

9

19.7 Legacy Series / Route OPENVPN Multi WAN

« on: August 12, 2019, 01:31:59 pm »

Dear All,
i hope someone can route me as i cannot route my VPN lol.
the situation as next, we have two WAN ( WAN1 / WAN2 ) see screenshot

WAN1 GW 192.168.30.254
WAN2 GW 192.168.1.254

i have created GW group with Trigger Level Packet Loss and Made WAN2 as tier1 and WAN1 as Tier 2
on the opnsense i have configured WAN1 as default GW

what i am trying to archieve is to have WAN1 route the VPN to the remote office and WAN2 to be as default internet on the office.
WAN2 is Fiber connectiong which is 200/200MB and want to keep using as main internet however WAN1 is a ADSL which is 10/2 we want it to use the VPN to RDP to the extern server.

the tunnel is i can access from the remote office back but from the office i cannot connect to the remote site.
my routing

Code: [Select]

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.30.254     UGS         em1
10.7.0.1           link#13            UH       ovpnc1
10.7.0.2           link#13            UHS         lo0
20.1.1.0/24        link#11            U      em0_vlan
20.1.1.1           link#11            UHS         lo0
30.0.0.0/24        link#12            U      em0_vlan
30.0.0.1           link#12            UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.1.0/24     link#3             U           em2
192.168.1.67       link#3             UHS         lo0
192.168.4.0/24     10.7.0.1           UGS      ovpnc1
192.168.24.0/24    link#1             U           em0
192.168.24.1       link#1             UHS         lo0
192.168.30.0/24    link#2             U           em1
192.168.30.10      link#2             UHS         lo0
192.168.99.0/24    10.7.0.1           UGS      ovpnc1

what am i doing wrong ?

Thank you
 

10

19.7 Legacy Series / Site to Site openVPN DUAL WAN

« on: August 07, 2019, 02:07:03 pm »

Dear all,
ive been searching for a  very long time for the solution to have openvpn routing over the WAN1 instead of default WAN2.Let's start from a very basic situation.

Office has two WAN ( WAN1 and WAN2). Office has been configured as Dual WAN , and WAN2 is the default WAN interface with it Gateway.
Remote Office withonly one WAN.
So we have created site to site openvpn from office to the remote office and the tunnel is up.
Remote Office is the OPENVPN server and Office with two is the Client.

Office ip info ( Client OPENVPN)
WAN1   192.168.30.20
WAN2    192.168.1.20   ( Default Gateway for the subnet)
LAN       192.168.24.0/24

Remote Office ( Server OPENVPN )
WAN1 ISP IP
LAN     192.168.99.0./24


the tunnel is up and running only from one side. so from the server side subnet 192.168.99.0/04 i can ping and connect to 192.168.24.0/24
but from the client side 192.168.24.0/24 i cannot connect to 192.168.99.0/24.

on the Client site OpenvVPN tunnel is reconfigured to use WAN1 as it Gateway.
i beleive this a routing issue on the Client site, so i want to tell the box when i wanna go to 192.168.99.0/24 please use WAN1 instead.

on the firewall>>> outbound Rules . i've created a Manual rules on the WAN1 sending a traffic to host 192.168.99.0/24 to use WAN1 but its not working.

What am i doing wrong ?

Thank you

11

19.1 Legacy Series / SSL acme.sh not renewing

« on: April 26, 2019, 01:48:43 pm »

Hi guys,
today one of our box did not update the ssl, the box is on the latest 19.1.6 and the error

Code: [Select]

[Fri Apr 26 13:43:30 CEST 2019] code='400'
[Fri Apr 26 13:43:30 CEST 2019] _ret='0'
[Fri Apr 26 13:43:29 CEST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Fri Apr 26 13:43:29 CEST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4DMKwJeRXfLY-x9xS3kdr3DCv-dn7ArcFsVRRO63iY/15188266849'
[Fri Apr 26 13:43:29 CEST 2019] POST
[Fri Apr 26 13:43:29 CEST 2019] payload='{"resource": "challenge", "type": "", "keyAuthorization": "lJ_wTNXzdXDNMS1lgR4b0vl5f5DUQn7kppJvAS6AnX0.32so50xaPXcmog6OgZZYPYbheGhgZAvN-dlCiRtTScQ0"}'
[Fri Apr 26 13:43:29 CEST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4wJeRXfLY-x9xS543kdr3DCv-dn7ArcFsVRRO63iY/15188266849'
[Fri Apr 26 13:43:29 CEST 2019] Please check log file for more details: /var/log/acme.sh.log
[Fri Apr 26 13:43:29 CEST 2019] _on_issue_err
[Fri Apr 26 13:43:29 CEST 2019] skip dns.
[Fri Apr 26 13:43:29 CEST 2019] vlist='Firewall.gislaved.org#lJ_wTNXzdXDNMS1lgR4b0vl5f5DUMQn7kppJvACFS6AnX0.32so5xaPXcmog6OgZZYPYbheGhgZAvN-dlCiRtTScQ0#https://acme-v01.api.letsencrypt.org/acme/challenge/3YVe4wJeRXfLY-x9xS3kdr3DCv-dn7ArcFsVRRO63iY/15188266849#http-01#/var/etc/acme-client/challenges,'
[Fri Apr 26 13:43:29 CEST 2019] dnsadded
[Fri Apr 26 13:43:29 CEST 2019] _clearupdns
[Fri Apr 26 13:43:29 CEST 2019] No need to restore nginx, skip.
[Fri Apr 26 13:43:29 CEST 2019] pid
however older box has renew their certificate fine,

12

19.1 Legacy Series / outbound after update

« on: February 01, 2019, 02:20:38 pm »

Dear all,
afterupdating the 19.1 my outbound is broke, i cannot conenct to the extern website, sometimes it does open the page but most of time it does not works, outgoing connection is blocked.

our intern connection to the FTP/SSH are blocked.
i've checked the outbound is Automatic outbound NAT rule generation (no manual rules can be used)
on the LAN we have any to any rules but nothing works.

Can someone please advies ?

13

18.7 Legacy Series / Manual Outbound Spam fitler

« on: January 20, 2019, 04:00:58 am »

Dear all,
Our scenario is as next

Internet >>>> OPNSENSE>>>>> SPAM FILTER >>>> MAIL SERVER
MAIL SERVER IS using spam filter as it smarthost to send out emails.
SPAM filter has it own VIP which configured on the virtual ip 20.344.55.56
Default WAN of the OPNSESNE is . 20.344.55.50
Outbount is automatically.
whenever we send out email using spam filter as smarthost of the mail server it still uses the Default WAN IP of the OPNsense 20.344.55.50.
i tried to change outbount from automatically to manually and created a rules for this

Code: [Select]

WAN1  summitgrid_relay  *  *  *  20.344.55.50 *   Outbound NAT Rule for Email Relay
the internet stops working. i thought the rules will remain created when i change from auto to manual.
also the email still delevered from the default opnsese ip and not spam filter.

Can someone please advies how to get this fixed ?

Thank you

14

18.7 Legacy Series / Change Default IP

« on: November 30, 2018, 01:07:28 am »

Dear all,
We do have WAN1 Configured with Gateway up and running.
We have second WAN2 added as a physical interface.
We want to change our default WAN1 to be WAN2 as we wanna keep WAN1 for different service.

We do have one single Gateway.
can someone adviese how to do this ?

15

18.7 Legacy Series / ( Solved ) Site to Site after OPNsense and pfsense

« on: November 28, 2018, 11:17:51 pm »

Dear all,
I have been struggling to route traffic and running between opnsense and pfsense.
Opnsense is running 17.7.8
Pfsense is running 2.4.4
both box are running openvpn version 2.4.6_3
the tunnel is up on both sides, the issue is we cannot connect from location A to B and otherway arround.
this issue is mostly if the tunnel or remote ip are differents but i've checked them like 100 time.

Can someone please advies me how to get ths routing correctly set up.

Thank you so much