Messages - spetrillo

#1
Proxmox 9/Debian 13.
#2
Hardware and Performance / Initial Intel E610 Impressions
November 08, 2025, 10:11:11 PM
Hello all,

I am in the middle of building a Proxmox 9 server, with an Intel E610 10 gig card. I have an existing OPNsense server running with an Intel x550 10 gig card and I could roast hot dogs on the heat sink. It is blistering hot...so hot that I left the cover off the PC. I may have to retrofit the cover, to install a fan! As of right now the E610 is slightly hot to the touch but nowhere near as hot as the X550. If you feel the need to get a cooler 10 gig card these can be had for about $300. As of right now OPNsense/FreeBSD do not support the E610 out of the box. Proxmox 9 does and that's why I figured I could start putting the card through its paces.

Thanks,
Steve
#3
25.7, 25.10 Series / Re: LAN -> WireGuard -> WAN
November 08, 2025, 04:46:21 PM
How do you have WG configured on the client side? I thought you had to tell it that no IPs are local IPs, so it just routes via OPNsense to the WAN.
#4
25.7, 25.10 Series / Configuration of the LAN Interface
November 08, 2025, 04:44:50 PM
Hello all,

For all my OPNsense deployments I used VLAN 1 as the LAN interface. In VLAN 1 I used to put all my network mgmt connections, so if my firewall was breached the hacker would have access to my network mgmt ports. Not good in my opinion. What I would like to do is configure OPNsense so that the LAN interface is set to a static IP but the subnet is /32. I will move my network mgmt connections to VLAN 2, and so on from there.

If this works should I set up static routes to the rest of the subnets being used or just let OPNsense handle it via layer 2? In my mind it should work but then I have never done it and wanted to check with the community.

Thanks,
Steve
#5
25.7, 25.10 Series / Monit and Suricata
November 04, 2025, 07:42:48 PM
Hello all,

Once upon a time I was able to use Monit to monitor and report on Suricata block events. With the update to 25.1 this seems to no longer work. Does someone have Monit doing this now? I would like to get that monitor back in place.

Thanks,
Steve
#6
25.7, 25.10 Series / Re: What Version of FreeBSD
November 03, 2025, 02:50:18 PM
Thank you for that!
#7
25.7, 25.10 Series / What Version of FreeBSD
November 01, 2025, 07:05:38 PM
Hello all,

On my dashboard it tells me I am running FreeBSD 14.3-RELEASE-p4 but when I look this up they tell me there is no p4 and the latest is p2, with the latest patches being released on 10/22/25. Can someone tell me how to interpret this?

Thanks,
Steve
#8
I am not sure of my problem...but here is what I have. I hope you can point me in the right direction!

I have a Lenovo M720q PC with a 4 port Intel I350 network adapter. I am going to use the onboard NIC for other VMs, as well as Proxmox mgmt. VLANs are configured on 3 of the 4 I350 ports, with the 4th port going to the Internet. The Proxmox config to support this is in attachment 1. The OPNsense config in Proxmox is in attachment 2.

I have a connection from my PC directly to port 1 of the I350. I have set up the VLAN on my PC connection to VLAN 1, which matches the OPNsense config for port 1. How am I supposed to get to the GUI, so I can continue my config efforts? I am completely lost here.

#9
Quote from: spidysense on October 07, 2025, 03:48:47 PM
Quote from: spetrillo on August 30, 2025, 08:50:21 PM
Suricata is throwing up some alerts that I think are ok but I am not sure. Is this ok??

Content match Service Suricata_alert

        Date:        Sat, 30 Aug 2025 14:41:04
        Action:      alert
        Host:        opnsfwpr01.petrillo.home
        Description: content match:
{"timestamp":"2025-08-30T14:39:03.101552-0400","flow_id":2125015740515061,"in_iface":"igb3^","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_Endpoint"],"confidence":["High"],"created_at":["201
...


The Suricata alert indicates a network event captured on August 30, 2025, at 14:39:03 EDT, with the following details:

Timestamp: 2025-08-30T14:39:03.101552-0400
Flow ID: 2125015740515061 (unique identifier for the network flow)
Interface: igb3^ (network interface where traffic was captured)
Event Type: Alert (triggered by Suricata's intrusion detection system)
Source IP/Port: 172.16.2.2:31511 (private IP, likely internal network device)
Destination IP/Port: 185.136.96.98:53 (public IP, port 53 used for DNS)
Protocol: UDP (typical for DNS queries)
Packet Source: wire/pcap (captured from live network traffic or pcap file)
Transaction ID: 0 (tx_id for the specific transaction in the flow)

Alert Details:

Action: Allowed (traffic was not blocked)
GID: 1 (group ID for the rule)
Signature ID: 2027758 (unique ID for the rule triggered)
Revision: 5 (rule version)
Signature: ET DNS Query for .cc TLD (Emerging Threats rule for DNS query to .cc top-level domain)
Category: Potentially Bad Traffic (indicates suspicious but not necessarily malicious activity)
Severity: 2 (moderate severity, on a scale where 1 is critical, 3 is low)

Metadata:

Affected Product: Any (applies to any system)
Attack Target: Client_Endpoint (likely targeting a client device)
Confidence: High (high confidence in the rule's accuracy)
Created At: 2013 (rule creation date)

Summary: The alert was triggered by a DNS query from 172.16.2.2 to 185.136.96.98 for a .cc domain, flagged as potentially suspicious by Suricata's Emerging Threats ruleset. The .cc TLD is sometimes associated with malicious activity, but the traffic was allowed. Further investigation into the destination IP and domain context is recommended to assess risk. If you check out what this host has been reported for causing it to be flagged, you can look here. I like to use AbuseIPDB for further IP/host investigation.



Thank you for clarifying this!
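
Added example (not from the original posts): a small triage script for Suricata EVE JSON alerts of the kind quoted above, grouping them by signature and listing which internal hosts and destinations are involved, and counting cut-off records like the one in the Monit mail instead of failing on them. The sample records, the 192.0.2.x and 198.51.100.x addresses, SID 9000001 and the RFC 1918 definition of "internal" are assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: "internal" means RFC 1918 space; adjust to your own LAN/VLAN subnets.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not real sensor output). SID 9000001 is a made-up local rule;
# the last record is cut off the way the mailed alert above is.
SAMPLE_EVE = r"""
{"timestamp":"2025-08-30T14:39:03.101552-0400","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-08-30T14:39:41.000000-0400","event_type":"alert","src_ip":"172.16.2.7","src_port":40112,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-08-30T14:39:42.000000-0400","event_type":"dns","src_ip":"172.16.2.7","src_port":40112,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.cc"}}
{"timestamp":"2025-08-30T14:40:12.000000-0400","event_type":"alert","src_ip":"198.51.100.10","src_port":44321,"dest_ip":"172.16.2.2","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL constructed example rule","category":"Misc activity","severity":3}}
{"timestamp":"2025-08-30T14:41:10.000000-0400","event_type":"alert","src_ip":"172.16.2.2","alert":{"action":"allowed","signature_id":2027758,"metadata":{"created_at":["201
"""

def parse_alerts(text):
    """Return (alert_events, skipped), where skipped counts lines that are not valid JSON."""
    alerts, skipped = [], 0
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupted record: count it, do not guess its content
            continue
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts, skipped

def summarize(alerts):
    """Group alerts by signature_id: hit count, actions taken, internal sources, destinations."""
    summary = defaultdict(lambda: {"signature": "", "count": 0, "actions": set(),
                                   "internal_sources": set(), "destinations": set()})
    for event in alerts:
        row = summary[event["alert"]["signature_id"]]
        row["signature"] = event["alert"]["signature"]
        row["count"] += 1
        row["actions"].add(event["alert"]["action"])
        src = ipaddress.ip_address(event["src_ip"])
        if any(src in net for net in INTERNAL):
            row["internal_sources"].add(event["src_ip"])
        row["destinations"].add(f'{event["dest_ip"]}:{event["dest_port"]}')
    return dict(summary)

if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_EVE)
    for sid, row in summarize(alerts).items():
        print(sid, row["signature"], row["count"], sorted(row["actions"]),
              sorted(row["internal_sources"]), sorted(row["destinations"]))
    print("unparseable lines:", skipped)
```

A signature that fires as "allowed" from several internal hosts toward one resolver reads differently from a single host hitting many destinations, which is the context the summary is meant to surface.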
#10
Has anyone hit the problem with enabling Suricata when your network interface settings are enabled? It seems this combination, on my server, crushes DNS bc I lose all resolution to the Internet. If I go back and disable the network interface settings then DNS comes back.

Has anyone seen this combination?

Steve
#11
I am using vlans, so all my interfaces are the vlans themselves. Is there another way to amend it?
#12
Hello all,

I have an Intel X550 2 port network adapter. I would like to change the MTU of the ports first, which in turn will allow me to change the MTU on the OPNsense interfaces that are supported by this 2 port adapter. I have tested that ifconfig ix0 mtu 9000 works when I SSH to the firewall. Now I wanted this to persist through reboots and I added ifconfig ix0 mtu to the tunables section but it does not persist. I am back to 1500. Am I doing something wrong with this?

Thanks,
Steve
#13
Quote from: BrandyWine on September 24, 2025, 06:39:03 AM
Quote from: spetrillo on September 22, 2025, 06:48:43 PM
So some interesting driver info for FreeBSD. If I look at the Intel website it tells me the latest FreeBSD driver version is 3.4.31, however when I run sysctl -a | grep dev.ix.0.iflib.driver_version it tells me I am running 4.0.1-k on my OPNsense server. Not sure where this driver came from bc the Intel 30.4.2 pkg only shows the 3.4.31 version.

I just did a standard OPNsense install. It's just running 25.7. I ran sysctl -a | grep dev.ix.0.iflib.driver_version. It shows the version as 4.0.1-k. I thought this was the driver version for ix.
Well, the ix ko shows 4.0.1-k
How it's loaded in? It's not in as klm
strings /boot/kernel/if_ix.ko | grep "4.0.1"

kldstat -v |grep ix
it's #146 on my OPNsense.
ix is in the kernel, I suspect the ko is the same code that's in the kernel. Edit: which is the case, v14.3 src code ID's ix driver as 4.0.1-k. Version numbers between FreeBSD code and Intel code will be different, because it's different vendors numbering in different ways.

Why have a ko and in the kernel? Well, it is possible to unbind the static ix and then kldload the ko, which gives you flexibility, and ability to load your own compiled ko driver.




So then don't worry about this for my build.
#14
Quote from: BrandyWine on September 23, 2025, 09:47:22 PM
Quote from: spetrillo on September 23, 2025, 08:31:52 PM
Yes swapping the cables fixed the issue. The switch log shows the connection and negotiation to 100M. Nothing abnormal.
If the switch is fully 802.3bz compliant it could have run next/fext for alien noise and decided to accept the lower speed. I wonder what the switch would accept if 100M was not available from the x550? If say 2.5G was the only speed allowed in auto-neg would it accept that or not link at all? For me I would be curious and test it, but since your setup is working that's up to you.

Were your bad cables new and labeled as CAT6?

They were labeled as Cat6 and prolly no more than a year old. I am going to end up swapping out all cables for new ones, when I build my mini rack.
#15
Hardware and Performance / Re: E610-XT2
September 26, 2025, 07:10:55 PM
Quote from: BrandyWine on September 26, 2025, 06:57:26 PM
Quote from: spetrillo on September 26, 2025, 04:29:27 PM
So the real answer for me is I am SOL until next year. That's ok.

The E610 is a very low wattage adapter, so when its supported it will be ready to replace my X550.
Your patience needs to match "community" of OPNsense product. ;)
Unless there are others who are willing to test a new ko, you are the tester.

Trusting compiled stuff from anonymous is not the best, and not acceptable for critical stuff.
Once the process is somewhat well-documented you can then do it yourself, this way if there are issues, it's on you.

Or if you prefer, shelve the 610 for now and wait.
Or, be community oriented, try test fix try test fix, report your findings, etc.



I am patient when I need to be patient.

I am happy to be the tester. I have a spare machine that I can put the E610 into and set up a dev environment. I have never compiled anything on this platform, so if I do go down this path I will need some help in setting up the dev environment properly.

For now I am going to open a Git request and see if there is any appetite to port E610 support into the 14.3 software.