Messages - GOCE

#16
Is there a way in OPNsense to see how many bytes were processed by a firewall rule? If not locally, can anybody recommend an open source solution to monitor the traffic by rule?

Regards, GOCE
#17
Hi,

maybe a bit more context is useful. So here we go:

From /var/log/system.log
Jul 19 16:24:00 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:6::6231:97ff:fe84:44ac%5. sin6_scope_id was overridden
Jul 19 16:24:00 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:6::6231:97ff:fe84:44ac%5. sin6_scope_id was overridden
Jul 19 16:24:00 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 19 16:24:00 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 19 16:24:45 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 19 16:24:45 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 19 16:24:45 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 19 16:24:45 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 19 16:25:28 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 19 16:25:28 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 19 16:25:28 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 19 16:25:28 fw02-tie-de kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
^C
root@fw2:~ # ping6 fe80:6::6231:97ff:fe84:44ac
PING6(56=40+8+8 bytes) fe80::225:90ff:fef4:7517%igb5 --> fe80:6::6231:97ff:fe84:44ac
16 bytes from fe80::6231:97ff:fe84:44ac%igb5, icmp_seq=0 hlim=64 time=1.582 ms
16 bytes from fe80::6231:97ff:fe84:44ac%igb5, icmp_seq=1 hlim=64 time=1.392 ms
16 bytes from fe80::6231:97ff:fe84:44ac%igb5, icmp_seq=2 hlim=64 time=3.048 ms
^C
--- fe80:6::6231:97ff:fe84:44ac ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.392/2.007/3.048/0.740 ms
root@fw2:~ # ping6 fe80:5::6231:97ff:fe84:158f
PING6(56=40+8+8 bytes) fe80::225:90ff:fef4:7516%igb4 --> fe80:5::6231:97ff:fe84:158f
16 bytes from fe80::6231:97ff:fe84:158f%igb4, icmp_seq=0 hlim=64 time=1.535 ms
16 bytes from fe80::6231:97ff:fe84:158f%igb4, icmp_seq=1 hlim=64 time=1.781 ms
16 bytes from fe80::6231:97ff:fe84:158f%igb4, icmp_seq=2 hlim=64 time=1.292 ms
^C
--- fe80:5::6231:97ff:fe84:158f ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.292/1.536/1.781/0.200 ms
The firewall fw2 connects on igb4 to router1 and on igb5 to router2. The output is from the second
firewall so CARP will show BACKUP in the ifconfig output.

igb4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=5400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,NETMAP,TXCSUM_IPV6>
        ether 00:25:90:f4:75:16
        hwaddr 00:25:90:f4:75:16
        inet6 fe80::225:90ff:fef4:7516%igb4 prefixlen 64 scopeid 0x5
        inet6 2a01:598:8880:113b:225:90ff:fef4:7516 prefixlen 64 autoconf
        inet 172.16.1.242 netmask 0xffffff00 broadcast 172.16.1.255
        inet 172.16.1.250 netmask 0xffffff00 broadcast 172.16.1.255 vhid 2
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: BACKUP vhid 2 advbase 1 advskew 100
igb5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=5400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,NETMAP,TXCSUM_IPV6>
        ether 00:25:90:f4:75:17
        hwaddr 00:25:90:f4:75:17
        inet6 fe80::225:90ff:fef4:7517%igb5 prefixlen 64 scopeid 0x6
        inet6 2a01:598:b906:14ec:225:90ff:fef4:7517 prefixlen 64 autoconf
        inet 172.16.2.242 netmask 0xffffff00 broadcast 172.16.2.255
        inet 172.16.2.250 netmask 0xffffff00 broadcast 172.16.2.255 vhid 9
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: BACKUP vhid 9 advbase 1 advskew 100

Regards, GOCE
#18
Hi,

I keep getting a lot of the following entries in the firewall logs:

Jul 18 17:06:51   kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 18 17:06:51   kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden
Jul 18 17:06:51   kernel: sa6_recoverscope: embedded scope mismatch: fe80:5::6231:97ff:fe84:158f%6. sin6_scope_id was overridden

Has anybody an idea what is going wrong here?

Regards, GOCE
#19
18.1 Legacy Series / Re: 18.1.12 suricata crash
July 17, 2018, 06:23:02 PM
Same here on both HA firewalls after update to 18.1.12.
#20
18.1 Legacy Series / QoS on LTE (4G)
July 08, 2018, 09:09:42 PM
Hi,

I have an OPNsense firewall behind an LTE router with no real constant speed. It can be between 20-50 MBit depending on weekday and daytime. I would like to do some traffic shaping on the WAN interface but how should I configure the Pipes if there is no absolute bandwidth for uploads and downloads?

Regards, GOCE
#21
Thanks franco, that solved it for me.

Regards
#22
Since updating to 18.1.5 I got a lot of these errors (see attached screenshot).

My only workaround was to disable the "Block bogon networks" checkbox on my WAN interfaces.
The "Block bogon networks" rule was only applied to WAN interfaces.

The firewalls have 16GB RAM with default (10%) setting for "Firewall Maximum States".
Tried it also with 4000000 (25%) for "Firewall Maximum States" without any positive change.

Don't know what could have caused these errors and would be thankful if anybody could help me debug the root cause for these errors.

Regards
#23
17.7 Legacy Series / Re: Persistent apinger issues
December 06, 2017, 03:36:09 AM
Add me to the list, apinger is really a pain. Please replace it with something that works.
#24
German - Deutsch / Re: TOTP Server
October 28, 2017, 11:54:59 AM
Hello Franco,

I had a lot on my plate, but now I am getting back to the topic :-). From my experience over the last few days, you can also lock yourself out with the TOTP server if the service does not start correctly for some reason. Luckily I had SSH with pubkey auth active and was able to restart all services that way.

How about the option of configuring the auth backend per service? For example, I might want the TOTP server for web logins or VPN, but not for serial or local logins.

By the way, how about moving System: Access: Tester to System: Access: Settings? That would be particularly interesting if the fallback were also tested, if it is active. I found it confusing that the test with System: Access: Tester worked for the TOTP server, but it had no effect (OTP was optional) on login. I then saw in the docs that the fallback has to be disabled.

Regards,
GOCE
#25
German - Deutsch / Re: TOTP Server
October 21, 2017, 08:06:35 AM
OK, but somehow this is implemented strangely.

1. the TOTP server can only be used for the local user database
2. to be able to use the TOTP server at all, i.e. local account + (PW+OTP), the fallback to the local user database has to be disabled

So if it is only about the local user database, why is enabling the TOTP server not a configuration option of the "Local Database" under System: Access: Servers?
#26
German - Deutsch / TOTP Server
October 21, 2017, 07:15:11 AM
How is the TOTP server actually intended to be used?

Which use cases is it supposed to cover, or is it simply just a gimmick?