Messages - jclendineng

#31
22.7 Legacy Series / X520 vs Mellanox ConnectX3 speed
December 22, 2022, 09:11:12 PM
I switched from a Mellanox card to an Intel X520. I was able to get full 10gb using perf between OPNsense and my Unraid server; after switching to the X520 I am getting less than 2 from Unraid to OPNsense but full 10gb from OPNsense to Unraid, telling me that I have something misconfigured. Any ideas? Anyone else with an X520 getting line speed?

Edit: I found the issue, sorry! I just didn't look hard enough at the forums. I found this, which helped a lot.

https://binaryimpulse.com/2022/11/opnsense-performance-tuning-for-multi-gigabit-internet/

From here: https://forum.opnsense.org/index.php?topic=18754.150

Thanks!
#32
Quote from: beneix on December 02, 2022, 05:09:11 PM
Reviving this thread instead of starting a new one. I am trying to install pfELK on a machine on my LAN (following the how-to for docker-compose) and have a couple of questions:

1. My machine has modest hardware so I'd like to maximise performance. I thought that it would be a good idea to run pfELK on a single-node setup, so I wanted to modify the docker-compose.yml file accordingly. The only instruction I found on Github was to modify /etc/elasticsearch/elasticsearch.yml, but a) that file does not exist before you start the install and b) I would have thought that docker-compose.yml also needs to be modified. Do I need to change the create certs and environment sections, and if so how? Alternatively, if running three nodes does not consume more resources than a single node, please let me know.

2. Also, I'd like to set up MaxMind, and I'd like to do it on Docker since my machine is running Alpine Linux and I don't think there is a repository for MaxMind available. I have found a Docker container for the purpose, but I am not sure exactly how pfElk speaks to MaxMind so I need some more info to make sure the two can communicate. The pfELK how-to for MaxMind does not mention the required interface with MaxMind so I don't know what the prerequisite is when not installing MaxMind in the standard way.

Just use this:

https://github.com/pfelk/pfelk

Note that under 16gb of RAM you could crash the entire system. You need a minimum of 8gb just for ELK, 16 would be better, plus whatever overhead the host system needs. You don't want to do this if you don't have the resources, as it will not be a fun time for you...
#33
Quote from: Colt45 on December 05, 2022, 05:10:30 AM
Disregard. This problem is occurring due to Suricata 6.0.9 issues found by others. If I just restart Suricata, then Unbound, I don't need to do a full reboot.
In the interim I've downgraded Suricata to 6.0.8 from the OPNsense 22.7.8 release.

Interesting! I actually saw some issues and completely wiped Suricata, which helped. Good data point.
#34
Yes, any modern SSH implementation does the password and then the 2FA prompt. I think we need this, as appending is not that useful.
#35
Quote from: Demusman on December 16, 2022, 11:33:43 PM
Don't use floating rules unless you absolutely have to.
Put the rules where they belong, on the actual interface.

Interface groups would be the better way to go if you have multiple interfaces that need the same rules.
#36
The update rebooted very weirdly: there were processes it did not shut down, and I had to do a manual reboot as the update did not properly reboot. Unbound is fine here, though. I just updated the logging verbosity, so I'll monitor it.
#37
Hello, I get the error below spammed in the log when using vnstat; I do not get any stats, though.

[00acf906-9459-4683-964d-7bab56a4b5c1] Script action failed with Command '/usr/local/bin/vnstat -y ' returned non-zero exit status 1. at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/processhandler.py", line 482, in execute
    subprocess.check_call(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/usr/local/bin/vnstat -y ' returned non-zero exit status 1.
#38
Zenarmor (Sensei) / Re: 1.12 Mellanox Support
November 10, 2022, 08:52:20 PM
Awesome thank you for confirming.
#39
Zenarmor (Sensei) / 1.12 Mellanox Support
November 10, 2022, 07:42:56 PM
Does 1.12 support Mellanox NICs yet?
#40
22.7 Legacy Series / Re: CrowdSec
October 05, 2022, 11:01:50 PM
22.7.5, which was released today, finally fixed the firewall log issue. I can confirm it shows all blocks properly! Nice work, CrowdSec!
#41
22.7 Legacy Series / Re: CrowdSec
September 07, 2022, 08:02:41 PM
Any updates on this? Live logging is still broken in 22.7 :( I'm sure it works great, but something is still messed up.
#42
22.7 Legacy Series / Re: CrowdSec
August 29, 2022, 05:54:24 PM
Quote from: PIv0 on August 10, 2022, 11:36:00 AM
Hi!

I do not know where to write, so I write here.

In my Firewall:Log Files:Live View, when blocking IP using CrowdSec, a line is displayed indicating only the date and time without any details, and only this is reflected in the details:

__timestamp__   2022-08-10T12:25:00
action   0x0
anchorname   match
dir   
interface   in
interface_name   in
ipversion   240
label   
reason   4
rid   
rulenr   crowdsec
subrulenr   em1

At the same time, it is not clear whether the IP address is blocked or not (action   0x0).

Bumping this: anything blocked via a rule should show up in the firewall logs properly. Is this something CrowdSec needs to fix? Currently you just have to take its word that it's blocking anything.
#43
Quote from: Vesalius on August 19, 2022, 05:17:57 PM
@somebod3983 all you need to do to use the WireGuard kernel module is run the command below at the OPNsense CLI. No need to uninstall go. You may need to restart the service to re-establish any ongoing connections. All current peers and settings in the WireGuard settings GUI will be used without any other action needed.

pkg install wireguard-kmod

I'm assuming the FW needs to be rebooted after this? Also, the wireguard-go service fails to start; I'm assuming that's OK as kmod is running and everything works just fine.
#44
I know you could be correct, but the fact that Suricata works means that my Mellanox cards do indeed work with netmap, so maybe it's more of an issue in Zenarmor? I couldn't find too much on the BSD side that would indicate mlx drivers were broken.

Edit: I should have specified, Suricata in IPS mode works with Mellanox, so netmap should be fine.
#45
General Discussion / Re: Crowdsec firewall blacklists
August 04, 2022, 03:11:53 PM
Quote from: mmetc on August 04, 2022, 03:06:57 PM
Hello!

I suppose you are running the 1.0 version (crowdsec 1.3.4), with OPNsense 22.7

> Enable Firewall Bouncer (IPS)
> When this is enabled I get no alerts for blocks in the firewall logs.

You mean you don't see anything in /ui/diagnostics/log/core/filter ?

or with

# cat /var/log/filter/latest.log  | grep 'blocked by crowdsec'

Is the process "crowdsec-firewall-bouncer" running?

What's in /var/log/crowdsec/crowdsec-firewall-bouncer.log ? If you enable verbose debug in the settings tab, you should see the calls to pfctl there too.

Another thing to try (for ipv4):

# pfctl -t crowdsec_blacklists -T show

Interesting, so the expected behavior is that instead of showing up in the firewall logs you have to use the terminal and tail the actual log? That's good to know. I may need to disable the bouncer then, and just use the v4/v6 blocklists manually so I can properly audit them without needing a custom solution. I'm assuming the IDS part is enough to track and report the rogue IPs, so that should work fine.
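The checks mmetc lists above (grep the filter log for 'blocked by crowdsec', confirm the bouncer process, dump the crowdsec_blacklists pf table) lend themselves to a small audit helper. The script below is an added example, not code from this thread or from the CrowdSec or OPNsense projects: it wraps those checks in functions so the block count and the table contents can be compared side by side, which is the audit gap the post above describes. The filter-log lines and the table dump embedded in it are constructed samples; the real filterlog field layout differs, so the source-address extraction is an assumption for demonstration only.

```shell
#!/bin/sh
# Added example (not from the thread or the CrowdSec/OPNsense projects).
# Audit helper for the CrowdSec bouncer checks discussed above.

# Constructed sample of filter log lines; the field layout is an assumption.
# Two lines are CrowdSec blocks, one is an unrelated pass rule.
SAMPLE_LOG='Aug  4 15:00:01 fw filterlog[123]: 5,,,crowdsec,em1,match,block,in,4,0x0,,64,203.0.113.10,198.51.100.5 blocked by crowdsec
Aug  4 15:00:02 fw filterlog[123]: 80,,,1000000103,em1,match,pass,in,4,0x0,,64,192.0.2.9,198.51.100.5
Aug  4 15:00:03 fw filterlog[123]: 5,,,crowdsec,em1,match,block,in,4,0x0,,64,203.0.113.11,198.51.100.5 blocked by crowdsec'

# Constructed sample of "pfctl -t crowdsec_blacklists -T show" output.
SAMPLE_TABLE='   203.0.113.0/24
   198.51.100.7
   192.0.2.44'

# Count filter-log lines tagged as CrowdSec blocks (the grep from mmetc's reply).
# Log text is passed in $1 so the function works on a live log or on a sample.
count_crowdsec_blocks() {
    printf '%s\n' "$1" | grep -c 'blocked by crowdsec' || true
}

# List unique source addresses from those lines.
# Assumes the constructed layout "...,SRC,DST blocked by crowdsec".
crowdsec_blocked_sources() {
    printf '%s\n' "$1" | grep 'blocked by crowdsec' \
        | sed -E 's/.*,([^,]+),[^, ]+ blocked by crowdsec$/\1/' | sort -u
}

# Count entries in a pf table dump (blank lines ignored).
count_table_entries() {
    printf '%s\n' "$1" | grep -c '[0-9]' || true
}

# Exact-entry check against a table dump. CIDR containment is not evaluated,
# so an address covered only by a /24 entry reports as absent.
table_has_entry() {
    printf '%s\n' "$1" | tr -d ' ' | grep -qxF "$2"
}

# Live variant for an OPNsense shell, using the paths and commands from
# mmetc's reply. Not invoked here; call it by hand on the firewall.
live_audit() {
    printf 'blocks logged: %s\n' "$(count_crowdsec_blocks "$(cat /var/log/filter/latest.log)")"
    pgrep -l crowdsec-firewall-bouncer || echo 'crowdsec-firewall-bouncer is not running'
    printf 'table entries: %s\n' "$(count_table_entries "$(pfctl -t crowdsec_blacklists -T show)")"
}

# Offline demonstration on the constructed samples.
printf 'crowdsec blocks in sample log: %s\n' "$(count_crowdsec_blocks "$SAMPLE_LOG")"
printf 'blocked sources:\n'
crowdsec_blocked_sources "$SAMPLE_LOG"
printf 'entries in sample blacklist table: %s\n' "$(count_table_entries "$SAMPLE_TABLE")"
if table_has_entry "$SAMPLE_TABLE" 198.51.100.7; then
    printf '198.51.100.7 is listed\n'
fi
```

Comparing the count of logged blocks with the size of the pf table is the point of the helper: a populated table with zero logged blocks is the symptom described in this thread, where the bouncer is working but the firewall log gives no visible evidence of it.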