Recent posts

#21
25.7, 25.10 Series / Re: 25.7.8 Unbound blocklist s...
Last post by Monviech (Cedrik) - December 02, 2025, 09:10:20 PM
The issue is if you implement outside scripting that is not natively supported by the application, your only chance is to restart it all the time when the environment changes.

If applications would support more features like dnsmasq (which can track IPv6 addresses on interfaces, partial ones as well) it would be better. But it speaks books even KEA cannot work with dynamic prefixes (Lol btw).
#22
Intrusion Detection and Prevention / Re: Alot of SSH Traffic
Last post by chemlud - December 02, 2025, 08:49:35 PM
Skip ssh rules in your config for Suricata. Done.
#23
Intrusion Detection and Prevention / Re: Alot of SSH Traffic
Last post by spetrillo - December 02, 2025, 08:33:26 PM
Yes there are a number of web servers in this instance. Yes the Internet is a bad place...but I'd rather drop the traffic and not worry about it. I use Maxmind to provide country IP blocks inbound, and so the only thing left is to see what traffic is coming my way from approved countries and filter out the potentially bad traffic. I do not allow normal SSH over the Internet...we use our VPN for that kind of work.
#24
25.7, 25.10 Series / Re: 25.7.8 Unbound blocklist s...
Last post by OPNenthu - December 02, 2025, 08:30:23 PM
Quote from: franco on December 02, 2025, 09:54:59 AMFor one you'd need to invent a suffix notation that includes the interface and the netmask:

::123:0:0:0:0/64%lan

Hmm... but if I'm not concerned with hosts and instead I want to just specify a network to the Unbound config, could we not have a syntax to reference that information from either Track Interface or a network Alias on the back end?

I was imagining that the Unbound form could take something like this for input:

"192.168.1.0/24, [LAN/64]"

Of course there would need to be accompanying code to interpret that... somewhere.  :-(

Or, better, expose an option to select an interface (no IPs needed).

If not then, are we already at an impasse with IPv6 PD as a viable migration path from IPv4?
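The suffix notation franco sketches above ("::123:0:0:0:0/64%lan") only works if something turns it into a concrete network every time the delegated prefix changes. The following is an added example, not OPNsense or Unbound code, that does exactly that resolution: it takes a source-nets string in which static entries stay as written and entries carrying "%interface" are combined with the prefix currently delegated to that interface. The delegated prefixes and the `resolve_source_nets` / `resolve_suffix` names are assumptions made for this example; the "%iface" suffix form is the one quoted above and is not a syntax OPNsense implements.

```python
import ipaddress

# Constructed sample: what the tracked interfaces hold right now. In a real
# system this comes from the DHCPv6-PD lease and changes when the ISP renumbers.
CURRENT_PREFIXES = {
    "lan": "2001:db8:1234::/48",   # constructed /48 delegation
    "guest": "2001:db8:1234:100::/56",  # constructed /56 delegation
}


def resolve_suffix(spec, prefixes):
    """Resolve 'suffix/len%iface' against the prefix delegated to iface.

    '::123:0:0:0:0/64%lan' with lan = 2001:db8:1234::/48 -> 2001:db8:1234:123::/64
    Raises ValueError when the suffix does not fit inside the delegation.
    """
    addr_part, _, iface = spec.partition("%")
    if not iface:
        raise ValueError(f"{spec!r}: missing %interface")
    if iface not in prefixes:
        raise KeyError(f"no delegated prefix known for interface {iface!r}")

    delegated = ipaddress.IPv6Network(prefixes[iface])
    suffix = ipaddress.IPv6Interface(addr_part)  # ip = suffix bits, prefixlen = target
    target_len = suffix.network.prefixlen

    # The requested network must be at least as long as the delegation itself.
    if target_len < delegated.prefixlen:
        raise ValueError(
            f"{spec!r}: /{target_len} is shorter than delegation {delegated}"
        )
    # Suffix bits must not collide with the bits the delegation already fixes;
    # a 12-bit subnet id like 0x123 needs at least a /52, so it fails on a /56.
    if int(suffix.ip) & int(delegated.netmask):
        raise ValueError(
            f"{spec!r}: suffix bits overlap the delegated prefix {delegated}"
        )

    combined = int(delegated.network_address) | int(suffix.ip)
    return ipaddress.IPv6Network((combined, target_len), strict=False)


def resolve_source_nets(field, prefixes):
    """Turn a comma-separated source-nets field into concrete network strings.

    Entries without '%' are static networks and are validated but left alone;
    entries with '%' are resolved against the current delegation. Re-running
    this after a prefix change is what an out-of-band script would have to do,
    which is the restart-on-change problem discussed in the thread.
    """
    resolved = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "%" in entry:
            resolved.append(str(resolve_suffix(entry, prefixes)))
        else:
            resolved.append(str(ipaddress.ip_network(entry, strict=False)))
    return resolved


if __name__ == "__main__":
    field = "192.168.1.0/24, ::123:0:0:0:0/64%lan"
    print(resolve_source_nets(field, CURRENT_PREFIXES))
    # After a renumbering the same field resolves to a different network.
    renumbered = dict(CURRENT_PREFIXES, lan="2001:db8:5678::/48")
    print(resolve_source_nets(field, renumbered))
```

The overlap check is the part worth keeping: a suffix that sets bits inside the delegated portion would silently produce a network the ISP never gave you, so it is rejected rather than merged.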
#25
Intrusion Detection and Prevention / Re: Alot of SSH Traffic
Last post by chemlud - December 02, 2025, 08:21:17 PM
Are you exposing ports on WAN?

If not: why run Suricata on that interface in the first place? To watch and see that the internet is a bad, bad place? :-D

Or at least disable SSH rules, if no ssh port open...
#26
Intrusion Detection and Prevention / Alot of SSH Traffic
Last post by spetrillo - December 02, 2025, 08:08:16 PM
Hello all,

I am noticing that Suricata is blocking a lot of SSH traffic that is not coming from any valid IPs. If ppl want to use SSH they have to be on my VPN. Here is a snippet of what I am seeing in the alert log:

2001219 blocked Prod 134.199.195.142 54062 10.0.2.21 22   ET SCAN Potential SSH Scan

Could I just add an inbound rule that drops any traffic destined to the IP using port 22? I would prefer to drop the traffic at the front door rather than letting it get to my IDS for processing.

Thanks,
Steve
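Before deciding between a firewall drop rule and disabling rule sets, it helps to see which destination ports the alerts actually hit and whether a service is exposed there at all. The script below is an added example, not OPNsense or Suricata code: it parses alert lines in the column layout of the snippet quoted above (SID, action, policy, source IP, source port, destination IP, destination port, message), groups them by destination port, and flags ports on which nothing is intentionally exposed. The sample lines other than the quoted one are constructed (documentation addresses, made-up SIDs and messages), and the `exposed_ports` set stands in for whatever the operator actually publishes.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: first line is the one quoted in the post; the remaining
# lines are made up for this example and use documentation addresses.
SAMPLE_ALERTS = """\
2001219 blocked Prod 134.199.195.142 54062 10.0.2.21 22   ET SCAN Potential SSH Scan
2001219 blocked Prod 198.51.100.17 41234 10.0.2.21 22   ET SCAN Potential SSH Scan
2001219 blocked Prod 203.0.113.9 55555 10.0.2.21 22   ET SCAN Potential SSH Scan
9000001 blocked Prod 203.0.113.9 55556 10.0.2.21 443   EXAMPLE constructed web alert
9000002 allowed Prod 203.0.113.9 55557 10.0.2.21 80   EXAMPLE constructed web alert
this line is not an alert and must be skipped
"""

# Column layout assumed from the quoted snippet.
ALERT_RE = re.compile(
    r"^(?P<sid>\d+)\s+(?P<action>\S+)\s+(?P<policy>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<msg>.+)$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {
        "sid": int(m["sid"]),
        "action": m["action"],
        "src": src,
        "sport": int(m["sport"]),
        "dst": dst,
        "dport": int(m["dport"]),
        "msg": m["msg"].strip(),
    }


def summarise(text, exposed_ports):
    """Group alerts by destination port.

    A port not in exposed_ports has no service behind it: alerts there are pure
    noise for the IDS, and the replies in the thread (drop at the firewall,
    or drop the SSH rule set) both address exactly that traffic.
    """
    by_port = defaultdict(lambda: {"count": 0, "sources": set(), "sids": set()})
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = by_port[alert["dport"]]
        entry["count"] += 1
        entry["sources"].add(str(alert["src"]))
        entry["sids"].add(alert["sid"])
    report = {}
    for port, e in sorted(by_port.items()):
        report[port] = {
            "count": e["count"],
            "distinct_sources": len(e["sources"]),
            "sids": sorted(e["sids"]),
            "exposed": port in exposed_ports,
        }
    return report


def unexposed_ports(report):
    """Ports that received alerts but have no exposed service."""
    return [port for port, e in report.items() if not e["exposed"]]


if __name__ == "__main__":
    rep = summarise(SAMPLE_ALERTS, exposed_ports={80, 443})
    for port, e in rep.items():
        tag = "exposed" if e["exposed"] else "NO SERVICE"
        print(f"port {port:>5}: {e['count']} alerts from {e['distinct_sources']} "
              f"sources, sids={e['sids']} [{tag}]")
```

Run against a real export, the "NO SERVICE" rows are the ports where a plain firewall rule removes the traffic before any rule evaluation, and the SIDs listed for them are the rules that can be switched off without losing coverage of anything actually published.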
#27
25.7, 25.10 Series / Re: Create local DNS host entr...
Last post by cinergi - December 02, 2025, 08:07:20 PM
Thanks both.  I looked at the link from @meyergru, point #3 specifically: Using the interface's link-local address which does not change.  This achieves my purpose, thank you!

Cheers!
#28
25.7, 25.10 Series / Re: 25.7.8 Unbound blocklist s...
Last post by gpfountz - December 02, 2025, 06:56:21 PM
Quote from: OPNenthu on November 30, 2025, 09:30:29 PMI haven't enabled the per-network DNSBL on my end as of yet, but for those who are seeing this- are you using dynamic IPv6 prefixes?  I'm looking at the Source Nets field and I don't know how you would even configure it for e.g. IA_PD.

AFAIK, we don't (yet) have any mechanism to track those for use in form fields like this.  Am I misinformed, or is this feature presently limited to IPv4 and IPv6 networks where the prefixes are not changing?

In any case: https://github.com/opnsense/core/issues/9474

I have applied the patch for issue 9474 and can confirm the fix is working properly.

Thanks to the developers for making this change!!
#29
General Discussion / Re: Problems with NRPE
Last post by Patrick M. Hausen - December 02, 2025, 06:25:03 PM
AFAIK NRPE does log locally. So trigger an execution from the Nagios server, then check the NRPE log files on OPNsense.
#30
Hardware and Performance / Re: Suggestion for Bufferbloat...
Last post by cookiemonster - December 02, 2025, 06:14:28 PM
Hey. I've been using a windows laptop for testing the bufferbloat so far. Normally I use linux but had a need to stay booted on Win last few days. This one is connected via a Wi-Fi 6 (802.11ax) Wifi network using an Intel(R) Wi-Fi 6E AX210 160MHz adapter. Depending on location I can get as little as 480/721 (Mbps) aggregated link speed (rec/tran) so I have a bottleneck there at times. Wired connections are only one for a PC but I can't get to it most of the time.
For OPN's CPU I'm using an AMD Ryzen 5 5600U on Proxmox with two vCPUs. Just did a ubench run on it and gives: Ubench Single CPU:   910759 (0.41s). So I think that is Ok.
I've now reset the shaper to docs defaults. This time also the upload side. I need to reboot (had limit and flows on the pipe), I'll update the post.