Recent Posts

11

24.7 Production Series / Re: Double NAT, IPV6 Issue

« Last post by stefan00 on Today at 09:23:56 am »

It sounds like the ASUS router is your first problem. But that is just a guess without knowing this piece of hardware.

1. ISP prefix length

I have a WAN prefix length of 56.

good thing. Where can you see this? in the ASUS router? Let's assume YES.

2. ASUS DHCPv6 / Router advertisment setup

The uplink router has a lan prefix of 64 ... The ASUS Router LAN is set to 64 and can't be changed.

The most important prerequisite for a IPv6 router chain is prefix delegation. Your ASUS router must be able to delegate a part of its available /56 network down to the next router in the chain (OPNsense).

Assigning addresses to clients is not the same as delegating a subnet (prefix) to another router. As I understand from what you write, the ASUS router is assigning addresses to its connected clients on its LAN ports.

3. "second prefix" does not exist

Thus I won't be able to do a second prefix length of 64 with opnsense.

There is no such thing as a "second /64" prefix. The client router (OPNsense) can only request 1 prefix. That's why, it must be bigger than /64, at the minimum /63

4. summary

You must find a setting in your ASUS box to delegate a prefix down to OPNsense. In your current configuration, your OPNsense only gets an address. Please try to find some documentation on the ASUS router or post a link here.

Thank of it this way: Let's assume you can convince the ASUS router to delegate a /58 block down. The OPNsense box then simply asks "Hey Asus, give me a /58 subnet which I can handle. Not you, me". That's prefix delegation.

The OPNsense box then grabs the prefix and divides it into smaller chunks to assign it to its own clients. That's the /64 address assignment as you see it on the ASUS router too.

The bad news: If your ASUS router can not delegate subnets (=prefixes) to downstream routers, IPv6 will not work the right way. But honestly, I doubt it.

12

24.7 Production Series / Re: 24.7.9 - Can't login WebGUI with 2FA

« Last post by franco on Today at 09:21:14 am »

> So I assume that there is a difference in how the web UI detects if a reboot is neccessary vs. the CLI.

None that I can think of. It's probably right, minus locks on base or kernel set. But the GUI behaves the same: locks are ignored for the check so it says it likes to reboot but if the kernel or base is locked then it will not reboot later on as per user request.


Cheers,
Franco

13

24.7 Production Series / Re: Requesting help with One-to-One NAT setup

« Last post by joursin on Today at 09:12:26 am »

Yes, I have these rules active on the WAN interface:

1. Allow Traffic from PiKVM (from WAN) to Firewall Web interface
2. Floating Rule: Block Traffic to Management Lan unless coming from Management Lan (sn 10.10.0.0/24)
3. Block mDNS and netBIOS traffic from Uplink router to oLAN network 10.10.0.0/16. (unnecessary traffic)

The last rule is just for experimentation, but disabling it had not effect on the issue discussed.

14

24.7 Production Series / Re: Double NAT, IPV6 Issue

« Last post by Patrick M. Hausen on Today at 09:08:34 am »

The Asus router must delegate a prefix to OPNsense. You need to check with the vendor documentation if it can do that and how to configure.

15

24.7 Production Series / Re: 24.7 does not restore backup like 24.1 used to

« Last post by hakuna on Today at 08:59:33 am »

Yes, I have checked the backup files and all the rules are there but 24.7 refuses to restore them all.

16

24.7 Production Series / 24.7 does not restore backup like 24.1 used to

« Last post by hakuna on Today at 08:53:38 am »

I thought I was going crazy after 24.7 clean install but there are indeed 2 bugs.
Clean install due to it being a major release and to avoid problems, I noticed that:

1. WireGuard crashes for no reason without error. I have a cron job to restart the WireGuard every 0:00AM.
2. Backups aren't restored like 24.1 used to.

This post will cover backups only.

When I restored the backup from 24.1 to 24.7, I picked section by section to be restored, NIC name and a few things won't be the same if swapping to another hardware so why.

Restore from 24.1 to 24.7:


1. Does not recognize "Firewall Groups" with error messages.
2. All the Outbound rules were not imported with no error. I had to manually enable "automatically generated rules are applied after manual rules" and create them.

I got a new box to clean install and as usual, restore section by section, DHCP, VPN and Firewall since these are the only ones I care.
I have done this process countless times with the previous version as I have tested 2 boxes and Proxmox, it always worked, no issue, no dramas.

Restore from 24.7 to 24.7:


1. The entire Firewall section does not restore no matter what.

I have so many rules and NAT to force all my devices to both DNS ( Pi-Hole + Unbound ) and block DoT and DoH among other rules, and hard coded DNS on IoT.
I had to put the older box back because I am not screenshotting all those rules to manually create them haha

Has anybody else who have performed a clean 24.7 install noticed that their backups were not imported in full??

Thank you

17

Intrusion Detection and Prevention / Re: Suricata rule modifications via suricata-update

« Last post by jonny5 on Today at 08:14:13 am »

In short OPNSense's rule management has got me quite far... but I might be ready for a rather larger logic/control application.

See here:
https://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules

https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-modify-rules-modify-conf

OPNSense has suricata-update already, and if we can safely mod away/quite the OPNSense SID management, and/or, somehow in-between-mod the rule set. Huge win! There are a few hosts that trip rules that if I could filter that rule away from that host, it would be the best win.

On a few rules replacing $HOME_NET with [$HOME_NET, ![192.168.0.20,192.168.0.21]] (for example) would make thing great ^_^

18

24.7 Production Series / Re: OpenVPN - Client specific overrides

« Last post by kozistan on Today at 08:09:11 am »

got it, 1st address server, 2nd broadcast so that's why +2

19

Intrusion Detection and Prevention / Re: Suricata rule modifications via suricata-update

« Last post by jonny5 on Today at 08:07:22 am »

If you were to make a file such as:

Code: [Select]

/usr/local/opnsense/service/conf/actions.d/actions_homelab.conf
You could add this code to it:

Code: [Select]

[configreload]                                                                 
command: /root/suricatamod.sh; exit 0                                           
parameters:                                                                     
type:script                                                                     
message:copy over and reload intrusion detection custom conf                   
description:Copy over and reload intrusion detection custom conf
The shell script would now be able to be scheduled by OPNSense's Web GUI Cron menu

Code: [Select]

/root/suricatamod.shFurther, let's say that script does a thing:

Code: [Select]

#!/bin/sh

# Get current date and time
TIMESTAMP=$(date +"%Y-%m-%d %H:%M:%S")

# Define file paths
ROOT_CUSTOM="/root/custom.yaml"
SURICATA_CUSTOM="/usr/local/etc/suricata/custom.yaml"
SURICATA_TEMPLATE="/usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml" # do not replace, breaks things
echo "$TIMESTAMP: Checking for configuration updates..." > /root/suricatasame.log

script_name="rule-updater.py"

# Check if the script is running using ps
ps aux | grep "$script_name" | grep -v grep > /dev/null

if [ $? -eq 0 ]; then
  echo "$TIMESTAMP: Script '$script_name' is already running." >> /root/suricatarestart.log
  exit 0 # Exit with a 0
else
  echo "$TIMESTAMP: Script '$script_name' is not running. Proceeding..." >> /root/suricatasame.log
fi

script_name="installRules.py"

# Check if the script is running using ps
ps aux | grep "$script_name" | grep -v grep > /dev/null

if [ $? -eq 0 ]; then
  echo "$TIMESTAMP: Script '$script_name' is already running." >> /root/suricatarestart.log
  exit 0 # Exit with a 0
else
  echo "$TIMESTAMP: Script '$script_name' is not running. Proceeding..." >> /root/suricatasame.log
fi

# Check if files are identical
if cmp -s "$ROOT_CUSTOM" "$SURICATA_CUSTOM"; then
  echo "$TIMESTAMP: Files are identical." >> suricatasame.log
else
  echo "$TIMESTAMP: Files are different, copying $ROOT_CUSTOM to $SURICATA_CUSTOM" >> /root/suricatarestart.log
  cp "$ROOT_CUSTOM" "$SURICATA_CUSTOM"
  # cp "$ROOT_CUSTOM" "$SURICATA_TEMPLATE"
  # Restart Suricata service (adjust command as needed for your system)
  service suricata restart
  echo "$TIMESTAMP: Suricata service restarted." >> /root/suricatarestart.log
fi

exit 0
Now, the result is you get a Suricata installation that can use a (and keeps using) very expressive custom.yaml file, such as this one where I have new vars address-groups and the like:
https://www.nova-labs.net/homelab-opnsense-crowdsec-multi-server/

20

24.7 Production Series / Re: Issue with UnboundDNS not answering DNS requests for local hostnames

« Last post by gyrex on Today at 07:45:48 am »

This sounds like the same issue: https://github.com/opnsense/core/issues/7376

and possibly this: https://github.com/opnsense/core/issues/6982

Also, apparently the registered leases should have entries in the

Code: [Select]

/var/unbound/dhcpleases.conf file, so I will check that next time the issue occurs.

I've created a new github issue here: https://github.com/opnsense/core/issues/8075

Can you please add to the issue so that the devs know it's not just one person experiencing this issue?