Messages

I agree when looking at this thread in isolation, but in general there's documentation for this.

https://docs.opnsense.org/troubleshooting.html


Cheers,
Franco

i feel like i hijacked someone else post. i am sorry about this.

[To run the audit:]

You could say "here's my health audit output" and attach the health audit output.

Then I can say: look, there's no problem there.

And then we can both move on?


Cheers,
Franco

i already moved on bro,
i've been asking i dont know to find the logs and you anser is 

Code Select Expand

That's as far as I'm willing to go.
if i knew how i would of done it without bothering you with my questions.
i remember pfsense start showing this attitude like those answer on theirs forum,
we support the project from day one, we buy the hardware / we call for support and we pay to support the project.


the below is a normal and polite answer.

Feel like we are gatekeeping somewhat.  No instructions for performing the audit.  No big deal some folks are new and just don't know yet.  Please run this audit and post the results to this thread. 

To run the audit:

• System > Firmware > Status
• Run an audit (buttom at bottom)
• Select health from dropdown.

Thank you Fully

Code Select Expand

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7.6 (amd64/OpenSSL) at Tue Dec 14 17:32:33 CET 2021
>>> Check installed kernel version
Version 21.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***

Hi Guys,
i would appreciate if someone can give a bit info about those new Policies on the new interface.
some idea how to would be appreciate it.

I'm neither seeing the author's results nor yours. I'm assuming the author doesn't have libnetmap libraries installed (partial update) and for you it's all there. That's as far as I'm willing to go.


Cheers,
Franco

well what can i say,
thanks anyway

It's not the same issue. If the author would post the health audit result you could compare.


Cheers,
Franco

thank you for your answer.

where can i find those health audit result ?

i've seen this video. the only think i see two dudes talking about IDS but no tutorial or whatsoever.
i hope someone would pop up with a tutorial

i have no log or what so ever to check this.
its just crashes and i have to enable it manually.


from time to time i see those on the log

Code Select Expand

2021-12-14T00:01:49 suricata[28934] [100135] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2021-12-14T00:01:47 suricata[28934] [100135] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-worm.rules:48 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype
2021-12-14T00:01:47 suricata[59787] [100397] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2021-12-14T00:01:46 suricata[53460] [100420] <Notice> -- Signal Received. Stopping engine.
2021-12-14T00:01:37 suricata[53460] [100420] <Notice> -- rule reload complete
2021-12-14T00:01:33 suricata[53460] [100420] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-worm.rules:48 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype
2021-12-14T00:01:33 suricata[53460] [100420] <Notice> -- rule reload starting

I suspect health audit will tell you the base/kernel versions are incorrect.


Cheer,
Franco

Hi Franco. for me the same its crashes and i have to start it manually from time to time.
how can i troubleshoot it ?

Snort Rules in server-web and server-other detect Log4j aswell. As long as traffic is not end to end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

are you using Snort on Opns? i am having issues with Suricata.

> those are request on your WAN side, does your clients really encrypt the DNS?

Clients don't magically encrypt traffic when you set DoT upstream servers in Unbound GUI.

Maybe you can start by how you enabled the DoT server on OPNsense if you want LAN traffic to be encrypted. Your setup is entirely unclear.


Cheers,
Franco

Client sent the DNS request to the DNS server, DNS server is using the Opnsense as it DNS server, OPNSENSe encrypt the DNS request.
isnt it the way how Dot works?
i see plenty of those request on the WAN side but the DNS is not working , i cannot seems to browse to the internt.

Yep. I have Suricata on LAN side interfaces.

After upgrade to 21.7.6 i was facing issues where some interfaces became unreachable, also via setting a static ip. Gateway did not respond at all, dhcp did seem to reach the server. verified by the log. But thats was all. There seemed to be, something stuck. :o

I  noticed this on my management interface.

After removing the management interface from suricata it worked again.
After putting the interface back in the config, it worked like it did before, but did not survive a reboot. 

Yesterday i removed all rules from suricata and disabled suricata for ids/ips.
After downloading all rules and enabling ids/ips my issue has been solved!

i have this behaivor too, IDS crashes from time to time didnt know the cause.
i've followed your steps seems to works for 30 min and after it crashes.

i am back to the old version.

[works for meTM]

Hi,

DoT with unbound on OPNsense 21.7.6 works for me^TM  ;)

Code Select Expand

2021-11-27T19:21:06 unbound[47763] [47763:3] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
Seems like your unbound is not able to reach the server 1.0.0.1 on port 853.
Can you ping 1.0.0.1?
Do you get errors with openssl s_client -connect 1.0.0.1:853 on the OPNsense?

KH

Thank you for your answer.
those are request on your WAN side, does your clients really encrypt the DNS?

i dont know the previous version yet.
unfortunately no one from the opnsense either denied or not if this release cause the DNS issue.

How can i reverst back to the previous version?
this has become a serious issue.

just casually, its just stops and when monit sent a email i log in to turn it on.
for now i've disabled both IDS and Dot which is crashes after the new new update.

i get pain in my stomach when those updates keeps showing up and quickly without testing them.