"Recent posts
#1
Intrusion Detection and Prevention / Issues with Divert (IPS)
Last post by dubbz - Today at 03:02:24 AMAlright I've been troubleshooting this for two days now and I'm completely out of ideas as to what could be wrong at this point. I've tried various Youtube videos, guides on the internet, searches through this forum(nothing quite fit this issue), and LLM chats. I'll dump as much info as I can remember but if there's anything extra I can show/provide, just let me know and I'll be happy to add it. The issue is that I am using the Divert(IPS) capture mode through Intrusion Detection, however even with settings enabled and my particular test method set to drop in the rules, it simply refuses to drop. To note, the IDS aspect seems to be working as I go into Intrusion Detection > Administration > Alerts and I find alerts from Steam and Discord from my computer on my LAN network so it just seems to be the IPS aspect that is failing.
I do not know if this is happening because of my specific test method or because something else is wrong and at this point I'm at a loss. I will preface that I used Google and ChatGPT in the set up and troubleshooting process when I stopped getting results in normal search and am not experienced with Opnsense so it's pretty likely that I've just configured something wrong. I initially configured based on videos and manual documents, had some initial issues with general networking that I resolved and some configuration issues on the IDS side but most of that seems to be straightened out. I'll add as much as I can think of for my set up and specs below but if there's anything else that would help, I'm happy to provide.
Hardware:
Sophos XG 210 Rev. 3, upgraded to i5-6500 CPU, 8GB RAM, factory Intel interface for the ports.
ISP:
Spectrum
Firmware:
OPNsense 26.1.8_5-amd64
FreeBSD 14.3-RELEASE-p12
OpenSSL 3.0.20
LAN connection:
-Wired through a Netgear SG108 8 port unmanaged switch for traffic to my PC, Synology NAS and Proxmox server, subnet 192.168.1.0/24
WAN connection:
-Direct from my Arris Surfboard SBG7400AC2 running in bridge mode so it doesn't handle anything but Coax to ethernet
OPT1/Wifi:
-Being used to run dedicated WIFI on a different subnet, will work on VLAN options for IoT later but for now, just WIFI and no VLAN anywhere else in the network. Ethernet running to WAN port on a Netgear R6900v2 router, handling DHCP for connected devices, subnet 192.168.2.0/24
-Remaining ports not yet configured.
System configuration:
Firewall:
Services:
I've done configurations to CrowdSec, Dynamic DNS, Kea DHCP, and Unbound DNS in addition to the Intrusion Detection but I'm not certain that is relevant so I'll spare you the clutter. Let me know if it is and I can provide any relevant info.
-Intrusion Detection>Settings:
I believe that is all the relevant firewall info but let me know if I can add anything else to help. From here, ChatGPT and Google had me testing through SSH a lot, particularly with these three curl commands:
curl http://testmynids.org/
curl http://testmynids.org/uid/eicar.com
curl http://testmynids.org/uid/index.html
I was using those to monitor the eve.json(tail -f /var/log/suricata/eve.json) through SSH to see if Eicar would be flagged. I confirmed Suricata was running, rules loaded, the policies were enabled, PF was stable, and the divert rules existed but eve.json never caught the test traffic and every attempt to curl succeeded. Notably, there were even times where the curl for eicar.com and index.html would hang for about 7 seconds, I would hear the fan on my firewall spin up, then it would return the info so it appears it was actively inspecting the traffic but never stopping it.
I think I'm about out of info to dump but I do want to point out something about the rules too. I ended up testing a lot of different rule settings and primarily with just the LAN and WAN interfaces to eliminate any possible problems from the Netgear router. I tried Quick checked and unchecked, protocol as any and TCP, TCP flags any checked and unchecked, state type as keep, sloppy, and none, disable reply-to checked and unchecked, and the interfaces set to the individual interfaces as well as fresh floating rule with WAN and LAN so it would be at the top as well as all the above setting changes to the floating as well. I never created a rule under the old Rules section but I do see some present so I presume it generates them in both places. I think that's all I have right now but again, anything else that can help you in helping me, just let me know
Thanks for any help you can give,
Dubbz
I do not know if this is happening because of my specific test method or because something else is wrong and at this point I'm at a loss. I will preface that I used Google and ChatGPT in the set up and troubleshooting process when I stopped getting results in normal search and am not experienced with Opnsense so it's pretty likely that I've just configured something wrong. I initially configured based on videos and manual documents, had some initial issues with general networking that I resolved and some configuration issues on the IDS side but most of that seems to be straightened out. I'll add as much as I can think of for my set up and specs below but if there's anything else that would help, I'm happy to provide.
Hardware:
Sophos XG 210 Rev. 3, upgraded to i5-6500 CPU, 8GB RAM, factory Intel interface for the ports.
ISP:
Spectrum
Firmware:
OPNsense 26.1.8_5-amd64
FreeBSD 14.3-RELEASE-p12
OpenSSL 3.0.20
LAN connection:
-Wired through a Netgear SG108 8 port unmanaged switch for traffic to my PC, Synology NAS and Proxmox server, subnet 192.168.1.0/24
WAN connection:
-Direct from my Arris Surfboard SBG7400AC2 running in bridge mode so it doesn't handle anything but Coax to ethernet
OPT1/Wifi:
-Being used to run dedicated WIFI on a different subnet, will work on VLAN options for IoT later but for now, just WIFI and no VLAN anywhere else in the network. Ethernet running to WAN port on a Netgear R6900v2 router, handling DHCP for connected devices, subnet 192.168.2.0/24
-Remaining ports not yet configured.
System configuration:
- -System is mostly default, I do have two gateways though. I believe the first which is WAN_DHCP gateway was configured with the wizard during initial setup since my ISP does DHCP. Second is a gateway configured for the Netgear router and configured at 192.168.3.2.
- -I've also got a single route configured for the WIFI using 192.168.2.0/24 as the network address and the above gateway for the configured gateway.
- -I also have SSH, root login, and password login enabled for testing purposes but once fully deployed, those will be disabled. Probably not relevant but just throwing it out there.
- -I do have some cron jobs set up as well to keep my GeoIP database and Unbound DNS blocklists updated as well as one to update and reload IDS rules.
- -LAN: Only changes from default are IPv4 Configuration Type: Static IPv4 and IPv4 Address: 192.168.1.1/24, DHCP is being handled by Kea DHCP.
- -WAN: Block private networks: enabled, Block bogon networks: enabled, IPv4 Configuration Type: DHCP so it can be assigned by ISP.
- -WIFI: IPv4 Configuration Type: Static IPv4, IPv4 address: 192.168.3.1/24, static for route and gateway so it can handle its own DHCP.
- -Settings: Disabled hardware checksum offload: checked, Disabled hardware TCP segmentation offload: checked, Disable hardware large receive offload: checked, VLAN hardware filtering: Disabled
Firewall:
- -Aliases: I have some aliases set up to forward ports to some of my servers since one of the Proxmox containers is a game server host and occasionally needs new ports forwarded. This also handles my GeoIP blocked countries and port forwarding to my Nginx Proxy Manager container. I don't think these will be relevant but if so, let me know and I'll provide detailed settings.
- -NAT>Destination NAT: I have some NAT rules here to route ports to the appropriate servers(Jellyfin, Synology NAS, Game server, Element-Synapse, Nginx)
- -Rules[new]: If I had to guess, this is probably where my problem is, I'll provide my rule order below.
-----TOP-----
LAN UDP Rule: Special rule sending syslog from my Nginx server to the firewall on port 5140 for blocking purposes
DROP>WAN>SOURCE:Blocked_Countries
- Interface: WAN, Quick: checked, Action: Block, Direction: In, Protocol: any, Source: Blocked_Countries, Destination: any, Divert-to: none, State type: Keep, all else: default.
DROP>WAN>SOURCE:CrowdSec_Blocklists
- Interface: WAN, Quick: checked, Action: Block, Direction: In, Protocol: any, Source: CrowdSec_Blocklists, Destination: any, Divert-to: none, State type: Keep, all else: default.
PASS>WIFI>SOURCE: 192.168.3.0/24>WIFI IPS Rule
- Interface: WIFI, Quick: Unchecked, Action: Pass, Direction: In, Protocol: TCP, Source: Single Network:192.168.3.0/24, Destination: any, TCP flags any: Checked, Divert-to: Intrusion Detection, State type: Sloppy, all else: default.
PASS>WIFI>SOURCE: 192.168.3.0/24>WIFI Inbound Rule
- Interface: WIFI, Quick: Checked, Action: Pass, Direction: In, Protocol: Any, Source: Single Network:192.168.3.0/24, Destination: any, TCP flags any: Unchecked, Divert-to: None, State type: Keep, all else: default.
PASS>LAN>SOURCE: LAN network>LAN IPS Rule
- Interface: LAN, Quick: Checked, Action: Pass, Direction: In, Protocol: TCP, Source: LAN network, Destination: any, TCP flags any: Checked, Divert-to: Intrusion Detection, State type: No state, Disable reply-to: Checked, all else: default.
PASS>LAN>SOURCE: 192.168.1.0/24>LAN Inbound Rule
- Interface: LAN, Quick: Checked, Action: Pass, Direction: In, Protocol: TCP, Source: Single Network:192.168.1.0/24, Destination: any, TCP flags any: Unchecked, Divert-to: None, State type: Keep, all else: default.
Services:
I've done configurations to CrowdSec, Dynamic DNS, Kea DHCP, and Unbound DNS in addition to the Intrusion Detection but I'm not certain that is relevant so I'll spare you the clutter. Let me know if it is and I can provide any relevant info.
-Intrusion Detection>Settings:
- Enabled: Checked, Capture mode: Divert(IPS), Listeners: 1, Pattern matcher: Hyperscan, Home networks: 1.0/24 and 2.0/24 on top of the defaults it adds, All else: default
- Abuse.ch/SSL fingerprint and IP blacklists: Enabled + Installed, ET Open lists: Enabled + Installed, OPNsense-App-detect: Enabled + Installed
- Currently only 4 set to drop, all others set to alert only. Drop: Emerging-malware.rules, opnsense.test.rules(OPNsense test eicar virus), local.rules(BLOCK TESTMYNIDS)
- Empty
- This part tells me it is at least working in IDS as it has been detecting Steam and Discord from my main PC, Alert: ET USER_AGENTS Steam HTTP Client User-Agent, ET INFO Observed Discord Domain (discord .com in TLS SNI), ET INFO Observed UA-CPU Header, ET INFO GNU/Linux APT User-Agent Outbound likely related to package management, GPL ATTACK_RESPONSE id check returned root
- all default
I believe that is all the relevant firewall info but let me know if I can add anything else to help. From here, ChatGPT and Google had me testing through SSH a lot, particularly with these three curl commands:
curl http://testmynids.org/
curl http://testmynids.org/uid/eicar.com
curl http://testmynids.org/uid/index.html
I was using those to monitor the eve.json(tail -f /var/log/suricata/eve.json) through SSH to see if Eicar would be flagged. I confirmed Suricata was running, rules loaded, the policies were enabled, PF was stable, and the divert rules existed but eve.json never caught the test traffic and every attempt to curl succeeded. Notably, there were even times where the curl for eicar.com and index.html would hang for about 7 seconds, I would hear the fan on my firewall spin up, then it would return the info so it appears it was actively inspecting the traffic but never stopping it.
I think I'm about out of info to dump but I do want to point out something about the rules too. I ended up testing a lot of different rule settings and primarily with just the LAN and WAN interfaces to eliminate any possible problems from the Netgear router. I tried Quick checked and unchecked, protocol as any and TCP, TCP flags any checked and unchecked, state type as keep, sloppy, and none, disable reply-to checked and unchecked, and the interfaces set to the individual interfaces as well as fresh floating rule with WAN and LAN so it would be at the top as well as all the above setting changes to the floating as well. I never created a rule under the old Rules section but I do see some present so I presume it generates them in both places. I think that's all I have right now but again, anything else that can help you in helping me, just let me know
Thanks for any help you can give,
Dubbz
#2
General Discussion / Packet received by interface b...
Last post by Somnolus - Today at 01:54:32 AMI'm trying to pass a very specific UDP packet from one interface to another on different networks on the same router. I've run a packet capture on both interfaces, I can see the packet coming in on the input interface but it just disappears after that. There are no firewall logs indicating the packet was blocked. I've tried sending the packet through with the firewall and NAT disabled but it still doesn't get processed. I'm convinced its either the interface or Kernel blocking the packet before the firewall can process it.
If anyone has any tips on where I can look to see why the packet is being blocked that would be great. Any help would be appreciated here as I'm at a complete loss on where to troubleshoot next.
If anyone has any tips on where I can look to see why the packet is being blocked that would be great. Any help would be appreciated here as I'm at a complete loss on where to troubleshoot next.
#3
General Discussion / IDS Home Networks - IPv6 Prefi...
Last post by MrHappyHippo - May 29, 2026, 11:13:20 PMHi everyone,
I have a question regarding the IDS configuration in OPNsense when using IPv6 with dynamic prefix delegation from the ISP.
Under:
Services → Intrusion Detection → Administration
there is the setting:
Home networks
Current default value:
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
The hint says:
"Networks to interpret as local"
For IPv4 this is straightforward, but I am unsure how this should properly be configured for IPv6 when the ISP delegated prefix changes dynamically.
Example:
LAN currently receives a delegated /64
Prefix may change after reconnect/reboot
Questions:
Should the current delegated IPv6 LAN subnet be manually added here?
Is there a recommended way to handle dynamic IPv6 prefixes?
Can interface macros/variables like $LAN_NET be used in this field?
What is the recommended best practice for IDS Home Networks with IPv6 PD?
I would appreciate clarification on the intended/recommended configuration.
Thanks!
I have a question regarding the IDS configuration in OPNsense when using IPv6 with dynamic prefix delegation from the ISP.
Under:
Services → Intrusion Detection → Administration
there is the setting:
Home networks
Current default value:
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
The hint says:
"Networks to interpret as local"
For IPv4 this is straightforward, but I am unsure how this should properly be configured for IPv6 when the ISP delegated prefix changes dynamically.
Example:
LAN currently receives a delegated /64
Prefix may change after reconnect/reboot
Questions:
Should the current delegated IPv6 LAN subnet be manually added here?
Is there a recommended way to handle dynamic IPv6 prefixes?
Can interface macros/variables like $LAN_NET be used in this field?
What is the recommended best practice for IDS Home Networks with IPv6 PD?
I would appreciate clarification on the intended/recommended configuration.
Thanks!
#4
26.1, 26,4 Series / DNSCrypt service had a red ico...
Last post by MrHappyHippo - May 29, 2026, 08:10:15 PMHi everyone,
I recently configured a cron job to reboot my OPNsense firewall every 3 days.
After this morning's reboot, I noticed I had no internet connectivity. The DNSCrypt service had a red icon and wasn't running. I had to manually start DNSCrypt and then restart Unbound to restore DNS resolution.
I suspect the issue may have been related to IP assignment: the firewall might not have received an IPv6 address (or even an IPv4 address) immediately after reboot, which could have caused DNSCrypt to fail or exit. However, I couldn't find any logs indicating the process was killed or why it didn't start automatically.
My setup:
Destination NAT redirecting all LAN DNS traffic to Unbound
Unbound configured to forward queries to DNSCrypt
Questions:
Should DNSCrypt normally start automatically after reboot?
Is additional configuration needed to ensure the proper startup order?
Could this have been a one-time startup failure?
Is there a recommended way to ensure Unbound waits for DNSCrypt before starting?
Any tips or troubleshooting suggestions would be greatly appreciated.
Note: I've attached the relevant logs for reference. For some reason, the attachments are only visible when you are logged in. The reboot occurred at 4:00 AM, and I manually fixed the issue by restarting DNSCrypt and Unbound around 8:20 AM.
Service start order:
DNSCrypt starts at 04:01:23
Unbound starts at 04:01:24
Then Unbound starts again at 04:01:41
DNSCrypt wasn't fully ready when Unbound started:
Unbound depends on DNSCrypt upstream
Large DNSBL list load:
DNSBL module has 968,522 entries.
I recently configured a cron job to reboot my OPNsense firewall every 3 days.
After this morning's reboot, I noticed I had no internet connectivity. The DNSCrypt service had a red icon and wasn't running. I had to manually start DNSCrypt and then restart Unbound to restore DNS resolution.
I suspect the issue may have been related to IP assignment: the firewall might not have received an IPv6 address (or even an IPv4 address) immediately after reboot, which could have caused DNSCrypt to fail or exit. However, I couldn't find any logs indicating the process was killed or why it didn't start automatically.
My setup:
Destination NAT redirecting all LAN DNS traffic to Unbound
Unbound configured to forward queries to DNSCrypt
Questions:
Should DNSCrypt normally start automatically after reboot?
Is additional configuration needed to ensure the proper startup order?
Could this have been a one-time startup failure?
Is there a recommended way to ensure Unbound waits for DNSCrypt before starting?
Any tips or troubleshooting suggestions would be greatly appreciated.
Note: I've attached the relevant logs for reference. For some reason, the attachments are only visible when you are logged in. The reboot occurred at 4:00 AM, and I manually fixed the issue by restarting DNSCrypt and Unbound around 8:20 AM.
Service start order:
DNSCrypt starts at 04:01:23
Unbound starts at 04:01:24
Then Unbound starts again at 04:01:41
DNSCrypt wasn't fully ready when Unbound started:
Unbound depends on DNSCrypt upstream
Large DNSBL list load:
DNSBL module has 968,522 entries.
#5
Q-Feeds (Threat intelligence) / blocking https://internet.nl/
Last post by RamSense - May 29, 2026, 07:13:06 PManother false positive. you seem to block https://internet.nl/ their ip.
As soon when I disable Q-feeds it is working.
As soon when I disable Q-feeds it is working.
#6
Q-Feeds (Threat intelligence) / Re: False positives, probably ...
Last post by wirehire - May 29, 2026, 06:31:21 PMThere are still a lot of Vodafone numbers on the list. can you share why?
#7
26.1, 26,4 Series / Re: Intel ucode Plugin vs Pack...
Last post by BrandyWine - May 29, 2026, 05:50:54 PMQuote from: dseven on May 29, 2026, 01:51:48 PMIf you install the package on FreeBSD, there is a manual step required to effect loading of the microcode on boot.OPNsense is an installer. No manual step needed. Just sayin.
Side-note: stock FreeBSD 14.3 currently installs Intel microcode version 20260227 too..
It (std freeBSD ucode pkg) can be activated during the install, or, the package can be there installed but the option for user to activate it can be a checkbox in the webgui, and handled via .py. ;)
There's no need to have an additional pkg installed ("plugin") if cpucontrol handles ucode.bin.
What comes with the OPNsense installer is what they bundle into the installer. Having the ucode packages there makes sense to me.
#8
General Discussion / Crash Reporter on syslog ?
Last post by nono - May 29, 2026, 05:45:37 PMIs there a way to have the information on syslog when a crash reporter is available following an issue ?
#9
General Discussion / Re: IPv6 ND proxy for multi-LA...
Last post by georgeman - May 29, 2026, 05:07:26 PMThat's awesome, thanks! I will give it a try next week and will report back.
#10
26.1, 26,4 Series / Re: "Inverting destinations is...
Last post by Patrick M. Hausen - May 29, 2026, 04:59:05 PMSource or destination invert used to be allowed for multiple entries, but lead to undesired effects confusion because the underlying logic created "not this OR not that" which essentially applied to anything.
Since the logic cannot easily be changed, the check and error message was created and the solution for your requirement is to create a group alias and use that with invert.
Since the logic cannot easily be changed, the check and error message was created and the solution for your requirement is to create a group alias and use that with invert.
