Topics

1

23.1 Legacy Series / DEC740 reinstall 23.1 stuck - interface flapping

« on: March 03, 2023, 09:34:14 pm »

Hi,
I need to reinstall OPNsense on my DEC740. For that I downloaded:
OPNsense-23.1-OpenSSL-serial-amd64.img
Flashing it onto USB and then booting from it. So far no problem.
Then it seems to be bringing up the NICs and that's when the Installer gets stuck.

Every minute or so the interface goes Down and Up again, but the installer won't continue. I tried several flash drives -> No change.
I reset the UEFI settings to default -> No change.

Does someone have an idea what's happening here? Should I try an older version of OPNsense?

junicast

2

22.1 Legacy Series / ntopng listens IPv4 only

« on: February 23, 2022, 02:59:43 pm »

I just installed ntopng and sadly it's only listening on tcp4:

Code: [Select]

root@myhost:~ # sockstat -l | grep 3000
ntopng   ntopng     2666  61 tcp4   *:3000                *:*

There doesn't seem to be a way to change this, is it?
I have no route to my box for the legacy protocol.

3

22.1 Legacy Series / DNS Rebind Attack - IP used

« on: January 29, 2022, 09:09:32 pm »

Hi,

I run an OPNsense device virtualized on proxmox and I try to connect to it via IPv6 address. When I do it shows the following message.

Code: [Select]

Warning: array_pop() expects parameter 1 to be array, null given in /usr/local/etc/inc/authgui.inc on line 74

A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration.
As I'm accessing the device by IP I wonder what this is about.

4

General Discussion / filter.log flooded with pass messages for ntp

« on: April 10, 2021, 02:34:46 pm »

Hi,

I'm running a virtualized (proxmox) OPNsense 21.1.4-amd64 and my filter.log is being flooded with forwarding packets coming from some Internet host to my public NTP server in the DMZ zone (vtnet3). As you might have guessed there there are PLENTY of log entries, because every connection results in one log record.
Example:

Code: [Select]

Apr 10 14:17:25 fwrx1 filterlog[76179]: 96,,,0,vtnet3,match,pass,out,4,0x0,,53,0,0,DF,17,udp,76,100.8.111.177,5.111.222.89,36028,123,56The filter rule allowing packets from WAN to my NTP host does not have logging enabled. Since I have public IPs for IPv4 as well as IPv6 I don't have to make use of NAT.

I walked over every single filter rule allowing traffc, making sure logging is disabled.
When I look into the WebGUI's Live View, every of those records has the label "let out anything from firewall host itself".
I click on the little "i" sign a more detailed view opens up where I can try to resolve the rule (rid).
When I hit the link it doesn't work and just gets me back to the details page I'm currently on.

On the console I try via

Code: [Select]

pfctl -v -s rulesI search for the label ID and what I get is this line:

Code: [Select]

pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
  [ Evaluations: 2080083   Packets: 4026693   Bytes: 311644102   States: 32599 ]
  [ Inserted: uid 0 pid 85607 State Creations: 986670]
It looks like this is a rule for every communication that originates from the firewall but clearly this communication does NOT originate from the firewall but from a host on the internet to my ntp host.

Am I overllooking something but I can't find the clue to this problem.

5

20.7 Legacy Series / DHCP6 sometimes needs restart

« on: August 19, 2020, 05:35:39 pm »

Hi,

sometimes I need to restart DHCPv6 service. A client sends a dhcp6 solicitation but there will be no answer whatsoever from opnsense. When I just restart the service everything is going back to normal again.
Someone else whitnessed that behaviour?

I'm on 20.7.1 AMD64 on a PCEngline APU4. Very nice device though.

Thx

6

20.1 Legacy Series / DHCP service fails if interface subnet is changed

« on: June 28, 2020, 09:44:40 am »

Hi,

this topic might sound a bit obvious but I think opnsense would be able to handle such scenarios a litte bit better:

There's a opnsense firewall, let's say with plenty of interfaces and you need to change the subnet of a specific interface. This interface uses the DHCP service as well as most of the other ones.

If you now forget to adjust the DHCP server range it will take some time when the following happens: Every single subnet will stop working DHCP wise. One might say: of course, you should have changed the dhcp service range for the modified interface.

In my opinion the system should be a little bit more error tolerant. opnsense could for example automatically deactivate the dhcp service for a modified interface if it detects that the dhcp service IP range isn't within the new given subnet.

What do you think?
impish