Topics - Phiolin

1
23.1 Legacy Series / No connection to OPNsense over tagged VLAN interface
« on: April 03, 2023, 08:00:19 am »
A bit of a strange issue here that I fail to understand.

Client is a MacBook which I mainly use for all kinds of admin stuff.
Client is connected via a switch port that has untagged/native VLAN 10 and tagged VLAN 99 configured.

OPNsense admin web-gui and SSH are configured to listen on all interfaces and of course OPNsense has interfaces configured in VLAN 10 and in VLAN 99. Firewall rules allow the relevant connections.

Client can reach OPNsense on VLAN 10: no problem, web-gui and SSH access working fine.
Client fails to reach OPNsense on VLAN 99: no access to web-gui and SSH.
Client can, however, reach other devices on VLAN 99 perfectly fine, just not OPNsense, so VLAN 99 connectivity in general seems to be working.

Now I switch the client to a native/untagged VLAN 99 switch port to verify, and the connection immediately works fine.
Client can reach OPNsense on VLAN 99: web-gui and SSH access working fine.

In the first scenario with VLAN 10 untagged and VLAN 99 tagged, a packet capture on the OPNsense side sees a lot of TCP retransmissions. It looks like there is some kind of connectivity between the devices (TLS handshake), but something seems to fail.
I have attached an image of the packet capture and the pcap file from the session, if that helps.

The VLAN 99 interface on the client side is a virtual interface on the adapter that also holds the VLAN 10 connection, so both will share the same MAC address. Would that be an issue? I'd think switches can tell that apart and shouldn't have an issue with the same MAC address in different VLANs, and as connections to other devices on VLAN 99 work fine, I'd not think that would be an issue here?

2
Zenarmor (Sensei) / Sensei ipdrstreamer.py memory usage
« on: July 04, 2021, 08:45:33 am »
On my "Home" install with remote Elasticsearch I see ipdrstreamer.py consuming increasing amounts of memory (in the order of >4 GB) until it is finally OOM-killed and starts over. I've already increased my OPNsense VM memory to 8 GB, but that still doesn't seem to be enough and I see ipdrstreamer.py being OOM-killed about once every day.
Looks more like a memory leak to me than normal usage, to be honest.
Is Sensei supposed to be using that much memory if the Elasticsearch is actually remote on another VM?

Sensei has observed 76 unique devices on my network, and I have a 100 Mbit connection which, however, is barely utilized to the max, as you would expect from a home network.

3
21.1 Legacy Series / Massive spike in states every day around 00:15am killing WAN connection
« on: June 24, 2021, 07:23:40 am »
I've recently switched from pfSense to OPNsense, running 21.1.7_1-amd64.
For the last few days, every night at 00:15am I see a huge spike in state entries (like hundreds of thousands), which kills the connection to my DSL modem and hence causes WAN connectivity to go dark until I reboot the firewall in the morning.
Currently struggling to find out what causes this, as there is no corresponding traffic spike on any interface; the only other indication is a spike of outpass6 packets on WAN. From what I can see, it looks like these connections are coming from the firewall itself, which makes sense given nothing else has changed on my network in terms of services, so there's no reason there should be more traffic from any of the running clients now that I switched to OPNsense, as with pfSense this never happened.

For what it's worth, I run Sensei on LAN and Suricata on LAN (but not in IPS mode), and as I see a huge number of DNS-related connections outgoing during the time in question, it might be worth mentioning that I also have some DNSBL lists configured in Unbound. No custom ones though, just a couple of the pre-configured blocklist.site ones. The DNS queries are inconclusive though; it seems to be mostly Unbound contacting various root servers, so maybe it is just trying to resolve a great amount of queries, for which however I have not seen any client queries coming through. I have the query log enabled and pipe the whole thing into pfElk, so at least I have some visibility, but there's no real indicator of what would be going on.

In pfElk I can see a spike of firewall events between 00:15 and 00:16 which are all "pass" events, so nothing is getting blocked. Looking up the IP addresses, it is a large amount of IPv6 destination IPs (which explains the outpass6 packet spike), and if I search for these, it is all *.root-servers.net, so I guess it's really Unbound related; the question is however what triggers it.
Within the time window where Unbound seems to generate 18,000 firewall entries for various root servers, I only see 180 client-side DNS requests in the query log, so those numbers don't match up, unless Unbound is querying root servers for a completely different reason.
The firewall is running smoothly throughout the whole day otherwise; just shortly after midnight it seems to go haywire.

Anyone have any ideas?
