Messages

151

Announcements / Re: OPNsense and HardenedBSD are parting ways

« on: April 24, 2021, 09:35:46 am »

Hi,

As Shawn earlier reacted to some people, we parted in good faith and thank him for the time we worked together and wish him and the HardenedBSD project the best, there's no question about that.

Best regards,

Ad

152

20.7 Legacy Series / Re: Updated Traffic Graphs

« on: April 23, 2021, 06:45:47 pm »

didn't update? We added https://github.com/opnsense/core/issues/4724 a couple of versions ago (I think as of 21.1.3).

Best regards,

Ad

153

Dutch - Nederlands / Re: disk space 109%

« on: April 03, 2021, 09:56:07 pm »

De enige logische verklaring die ik zo snel kan bedenken is dat flowd nog draait, terwijl je de onderliggende log file verwijderd hebt. In dat geval groeit deze nog steeds, maar is er geen proces meer wat ervoor zorgt dat deze gerouleerd gaat worden (inode is er nog, maar je hebt geen referentie meer).

Als dat het geval is, zou je logischerwijs na een reboot (of `service flowd stop`) de ruimte weer terug moeten zien. In het geval het Insight aggregatie proces crashed, is er geen afnemer meer van flow.log en wordt deze ook niet meer automatisch gerouleerd. In de laatste versie zaten een aantal bugfixes voor Insight, wellicht dat dat je probleem oplost.

Netflow can vrij veel ruimte in beslag nemen, als alle onderdelen goed functioneren, dan blijft de omvang op disk binnen de perken, maar omdat flow.log als een soort "staging area" gebruikt wordt, is er wel een sterke afhankelijkheid van de insight aggregator (flowd_aggregate).

Overigens kan je vaak beter op de engelstalige fora posten om meer reacties te krijgen,

Mvg,

Ad

154

21.1 Legacy Series / Re: RADIUS Error PHP 76

« on: March 30, 2021, 08:47:17 pm »

It seems that we have a small regression in our latest release, to fix the authentication tester, can you try to patch using https://github.com/opnsense/core/commit/a7ae8c4373d66984a83ab29e2fa0db3bfe0b922d ?

On a console, just run the following command and try the tester again:

Code: [Select]

opnsense-patch a7ae8c4

Best regards,

Ad

155

21.1 Legacy Series / Re: 21.1.3 - Firmware Audit - Health - get "checksum mismatch"

« on: March 13, 2021, 10:04:54 am »

Python recompiles before startup, I'm not 100% sure why the standard package contains pyc files to be honest, usually these aren't part of the delivery as far as I know.

So at a fist glance I wouldn't be too worried, it might be something worth looking into on our end at a later moment. (either exclude from check or cleanse before packaging, the latter is likely more of an upstream question)


Best regards,

Ad

156

21.1 Legacy Series / Re: Default mirror is down

« on: March 06, 2021, 09:03:40 am »

should be fixed now, looks like a small issue with the webserver last night.

157

21.1 Legacy Series / Re: Suricata 5.0.5 use ET Open 4.0 rules

« on: February 10, 2021, 10:51:09 am »

Hi,

We're still using the suricata 4 ruleset for ET Pro telemetry (and et-open), at Proofpoint their busy migrating the Telemetry feed to the newer version. The rules in both (4 and 5) are roughly the same, but organised a bit differently and a likely a bit more performant.

The migration code was already available (https://github.com/opnsense/core/commit/41eefdd105012137d9d7db71e70847f9ea8e974), but is waiting for Proofpoint in this case.

Best regards,

Ad

158

21.1 Legacy Series / Re: Suricata IDS/IPS ~56% slower than before update

« on: February 09, 2021, 08:53:55 am »

@klamath no problem, to increase chances of gaining traction with an issue, best thing todo is to write down what you tested (exact equipment) and between which (kernel) versions you noticed a difference in performance. Like I tried to tell earlier, a lot of these issues aren't alike, so conditions matter.   Between 20.7.x and 21.1.x the number of changes are more limited, 20.1 isn't very comparable due to the upstream change to iflib (not our choice, just a fact of life).

If the number of moving parts are limited, it's easier to point to specific changes. Sometimes a simple iperf3 test with machines on both ends of the firewall is already enough to notice a difference. When the problem is "my network card worked great before iflib", I'm afraid people are really looking for voluntary kernel engineers. Maybe it helps to ask the vendor for better FreeBSD support, I don't know, realistically if it's not equipement we use, chances aren't very large people will spend a lot of time on these type of issues over here. (sometimes tracking these issues down costs many days, if the vendor doesn't really care, there aren't a lot of people spending that much of their spare time)

Best regards,

Ad

159

21.1 Legacy Series / Re: Suricata IDS/IPS ~56% slower than before update

« on: February 08, 2021, 09:07:25 pm »

@klamath I'm not sure why your quoting my message, but as said if it's purely about netmap, one could try to use bridge to pinpoint issues if they exists for their setup. It's definitely not the case that there are issues in all releases, we test the hardware we provide on periodic bases and haven't seen a lot of (major) issues ourselves.

Quite some reports about performance are related to too optimistic assumptions (e.g. expecting 1Gbps IPS on an apu board for example) or drivers which aren't very well supported (we ship what's being offered upstream, if support isn't great in FreeBSD for netmap, it highly likely isn't great on our end). IPS needs quite some computing power and isn't comparable to normal routing/firewall functions at all in terms of requirements.

When it comes to testing,  we tend to offer test kernels and release candidates on periodic bases. To help catching issues up front, please do test, document behaviour when experiencing issues, and try to track them to FreeBSD bug reports if they exists. When there are fixes available upstream, we often assess if we can backport them into our system. Quite some fixes have been merged in the last versions for various drivers (with quite some help from the Sensei people as Franco mentioned), I haven't seen side affects in terms of performance myself, but that doesn't mean they don't exist for some drivers.


Best regards,

Ad

160

21.1 Legacy Series / Re: Suricata IDS/IPS ~56% slower than before update

« on: February 08, 2021, 03:47:18 pm »

I haven't seen performance issues on my setup between these versions, but since there have been quite some fixes around netmap in different kernels, it's often a good idea to check if it's Suricata causing issues or netmap.

There is a simple "bridge" tool for netmap available in the kernel source directory, if people want to check netmap behaviour on their hardware they can always build the tool and create a bridge between the card and the host-stack to rule out certain driver issues.

To install it, you need the kernel source directory in place (/sur/src), you can use the build tools (https://github.com/opnsense/tools) to checkout all sources on your machine.

When the sources are in place, you can build the tools using the following commands (on amd64):

Code: [Select]

cd /usr/src/tools/tools/netmap/
make bridge


Next make sure netmap isn't used (no Suricata or Sensei) and create  a bridge between the physical connection and the host stack, assuming the interface in question is called vmx2, the command would look like:

Code: [Select]

/usr/obj/usr/src/amd64.amd64/tools/tools/netmap/bridge -i netmap:vmx2 -i netmap:vmx2

Wait a few seconds and start the test again with OPNsense in between. When netmap isn't interfering the test with or without bridge should show roughly the same numbers.

Best regards,

Ad

161

21.1 Legacy Series / Re: Announcement / Documentation question

« on: February 07, 2021, 01:53:40 pm »

@Ricardo We're currently in the process of moving some things around, which is why some of the links got broken last week. Usually we try to publish the docs close to the release (this time we're lagging behind a bit), the new location for the source of all these logs is https://github.com/opnsense/changelog/tree/master/community

Changelogs for the product itself are shipped to the mirror and downloaded as a single txz (changelog.txz) file when being asked by the gui.

If there are migration notes, they would normally be mentioned in the changelog, when following all upgrades you only have to read one, when migrating from an older version, there's more reading todo. An example of such a note would be the removal of mpd5 plugins in 20.7 for example (https://github.com/opnsense/changelog/blob/1663700184747c800c64f5e009bcf857718fc292/community/20.7/20.7#L41)

I guess this should answer most of your questions

Best regards,

Ad

162

21.1 Legacy Series / Re: How can I change a single rule in IDS/IPS from Drop to Alert?

« on: February 02, 2021, 08:12:00 pm »

Hi,

There was a bug in the single rule edit when a policy matched as well (https://github.com/opnsense/core/issues/4658), not sure if that's also your issue.
To witness the effect of configured policies, you do need to apply them since the rule view shows the installed actions (or single rule modifications when patched with the diff in the issue).

Best regards,

Ad

163

General Discussion / Re: Please Make a Donation to OPNsense

« on: February 01, 2021, 09:13:11 am »

You're all being too kind, thanks al lot!

Best regards,

Ad

164

General Discussion / Re: Please Make a Donation to OPNsense

« on: January 27, 2021, 09:20:02 am »

Much appreciated, thanks a lot!

165

General Discussion / Re: Plugins are not visible

« on: January 09, 2021, 10:12:37 pm »

sounds like case closed then  if it functions now, we'er probably nog going to find the cause anymore.