Recent posts

#1

25.1, 25.4 Series / Re: unable to update and openV...

Last post by aniki - Today at 04:12:31 PM

root@OPNsense:/usr/local/etc/pkg/repos # pkg update
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.1/latest/meta.txz: Authenticat ion error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.1/latest/packagesite.pkg: Auth entication error
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /CN=pkg.opnsense.org (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.1/latest/packagesite.txz: Auth entication error
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: Repository SunnyValley has a wrong packagesite, need to re-create database
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.4/15f31d87-2bb7-4 d1b-9bc1-7402cfe34a3d/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.4/15f31d87-2bb7-4 d1b-9bc1-7402cfe34a3d/packagesite.pkg: Authentication error
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
Certificate verification failed for /C=US/O=Google Trust Services/CN=WE1 (9)
002041C469260000:error:0A000086:SSL routines:tls_post_process_server_certificate :certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890 :
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.4/15f31d87-2bb7-4 d1b-9bc1-7402cfe34a3d/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!

#2

25.1, 25.4 Series / Re: unable to update and openV...

Last post by aniki - Today at 04:11:01 PM

btw version:

OPNsense 25.1.12-amd64
FreeBSD 14.2-RELEASE-p4
OpenSSL 3.0.17

#3

25.1, 25.4 Series / unable to update and openVPN n...

Last post by aniki - Today at 04:10:10 PM

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.1.12 (amd64) at Fri Jan 13 10:10:09 +08 2023
Fetching changelog information, please wait... Certificate verification failed for /CN=pkg.opnsense.org (9)
0020E16F063C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: https://pkg.opnsense.org/FreeBSD:14:amd64/25.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Waiting for another process to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: Repository SunnyValley has a wrong packagesite, need to re-create database
Waiting for another process to update repository SunnyValley
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
pkg: Repository SunnyValley has a wrong packagesite, need to re-create database
pkg: Repository SunnyValley cannot be opened. 'pkg update' required
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

OPENVPN
192.168.8.26:38490 TLS Error: TLS handshake failed
It was working before

#4

German - Deutsch / Re: VLANs antworten nicht

Last post by viragomann - Today at 03:56:20 PM

Hallo,

hast du der KI auch deinen Aufbau verraten?

Ich kenne ihn übrigens auch nicht. Er könnte aber Licht in die Sache bringen.
Habe aber mitbekommen, dass du neben der produktiven OPNsense nun eine Test-Instanz installiert hast.
Nun, wenn die so ganz parallel an beiden betroffenen Netzen hängt und du nichts getan hast, um das Routing zwischen den Netzen sicherzustellen, wäre das Fehlerbild eine logische Folge.

D.h., wenn die Geräte die Produktiv-FW als Standardgateway nutzen, schicken sie Antwortpakete da hin, auch wenn die Anfragen über die Lab-FW ankommen. Die Folge wäre asymetrisches Routing und die Pakete würden von den Firewalls abgewiesen.
Könnte das hier der Fall sein?

#5

General Discussion / Re: Why I am retiring from con...

Last post by coffeecup25 - Today at 03:52:29 PM

I've been out of IT for a long time. Your description brought back memories from those days. Back then it was common for IT 'pros' to group together like mean girls. Sad but true. You were one of them in lockstep or you were at risk of being talked about behind your back in harmful ways and being shunned if they could get away with it. I don't know if things are still the same, only with different technology, but I hope they are better today. Their loss.

#6

General Discussion / Re: Doubt about IP Scans comin...

Last post by Patrick M. Hausen - Today at 03:38:00 PM

How exactly are these attempts logged? With the "default deny" rule? If yes, how would you improve the protection? Blocked is blocked, IDS/IPS does not add any value to that.

If you are connected to the public Internet you will be scanned via IPv4 24x7. This is normal.

You can

- disable logging of the default deny rule to get less noise
- improve the security of the applications you did open to the Internet by configuring GeoIP blocking, public block lists, or paid services like Q-Feeds or Crowdsec

HTH,
Patrick

#7

General Discussion / Re: Doubt about IP Scans comin...

Last post by coffeecup25 - Today at 03:37:35 PM

Long ago I used snort because I saw similar activity. Then I researched it a bit and discovered every college kid and their mother scan the internet just for fun from all over the world. I once tracked an IP to the University of Michigan and complained about 'people trying to break into my network from there'. They nicely and politely told me what they were doing was not illegal. Scanning is not breaking in. It's frightening, but harmless if it's only scanning.

One smart person later told me that if I had no open ports then I didn't need snort. Nobody had anywhere to break into with no open ports, so I should relax. My only open port later was OpenVPN, which was protected by layers of certificates. No worries there.

You have 4 ports open. You need to analyze what they open up to and how vulnerable it is. Then figure out what to do next.

#8

General Discussion / Re: Why I am retiring from con...

Last post by Greg_E - Today at 03:34:40 PM

Well, that's a mess happening in Linux too, many a video on the subject reading out the mailing list. Too bad, their loss, and thank you for the past work.

Will OPNsense fork BSD so that they can add in the work that's important (and being ignored), or will they continue using the main branch? Are any of the current forks worth moving towards for OPNsense?

Too bad the amount of work to move to Linux is on the scale of extremely large, moving to Debian or Alma might be worth doing as BSD will continue the slow march to obscurity. Just waiting for Broadcom to buy up all of BSD, we know where that would go. If it can be done to Redhat and Centos, it can be done to BSD, and Broadcom would do Broadcom things. Remember when Oracle did part of that? Those were the days.

#9

25.7, 25.10 Series / Re: Nested scrolling on the fi...

Last post by jeremias.winter - Today at 03:12:50 PM

Hi, a bit late to the party, but a huge +1 from me for this issue.
Thanks franco for the explanation, this is important to keep in mind. And of course I don't want to criticise all the effort you guys put in to accomplish this. I just want to recommend seeing the nested scrolling as a bug that needs fixing, rather than an "icing on the cake"-style feature request.

#10

General Discussion / Doubt about IP Scans coming fr...

Last post by xmftech - Today at 03:06:51 PM

Good afternoon,

I am writing this thread in reference to the logs of my virtualized OPNsense on Proxmox, in which I am seeing in LiveView of the Firewall logs that I am having constant attempts at port scans.

I have been evaluating for days whether to incorporate measures such as IDS/IPS but first I wanted to ask (sorry if it should be obvious).

First of all, is it normal to see all these attempts or does it mean that there is something exposed externally that should not be?

I only have 4 ports open by NAT to a single device on the LAN of P2P applications, which are also open with different ports to those used by default by the application itself and which I can also deactivate and activate when I need them.

Secondly, I would like to know if I can somehow improve the protection against these scans, either with IDS or IPS or with other tools or plugins. The learning I have gained since I started my HomeLab is growing but there are concepts and ways of working of how each packet is handled by a firewall that I still have to understand and I prefer to raise the issue to guide me towards the correct solution.

I can attach screenshots if necessary.