Recent posts

#91
26.1 Series / Re: Imported redirect/associat...
Last post by franco - Today at 08:45:35 AM
I checked legacy associated rules in the config.xml and they appear to have source and destination. I export them and the CSV has source and destination.

Can you check on your end where the data goes missing? I don't see a lot of potential for losing the values since the CSV is the same structure for all rules.


Cheers,
Franco
#92
26.1 Series / Re: Suricata - Divert (IPS)
Last post by franco - Today at 08:37:35 AM
My understanding is no. No application on divert socket = no traffic passing through.


Cheers,
Franco
#93
26.1 Series / Re: Possible issue importing o...
Last post by franco - Today at 08:36:46 AM
Historically "lo0" hasn't been an interface to put any rules on. I'd simply discard it.


Cheers,
Franco
#94
26.1 Series / Re: Anti-Lockout Rule (Destina...
Last post by franco - Today at 08:27:16 AM
Makes no sense to me. What does this dump?

# pluginctl -g filter.rule


Cheers,
Franco
#95
General Discussion / Re: btop install?
Last post by mimugmail - Today at 07:22:03 AM
I can have a look to add it to community repo
#96
26.1 Series / Re: Anti-Lockout Rule (Destina...
Last post by RamSense - Today at 06:34:26 AM
#97
25.7, 25.10 Series / Re: Hosts imported into Dnsmas...
Last post by nray - Today at 05:04:01 AM
I think this might be a case sensitivity issue causing the functionally static reservations to not be recognized as such. Specifically:

- My imported reservations have MAC addresses with uppercase letters. The leases page shows MAC addresses only with lowercase letters in the MAC, even for the reservations with uppercase letters in the MAC.
- If I click the "Add Reservation" + button on the leases page to try and create a reservation for a lease with uppercase letters in the MAC address, it complains that "'[ip address]' is already used in another DHCP host entry." This indicates that it doesn't recognize the MAC address as being the same due to case differences and only sees a collision of the IP.
- If I go to my Hosts page and edit a host reservation which has uppercase letters in the MAC and replace it with the same MAC but with lowercase letters, hit Apply and go back to the leases page, then the lease instantly changes from "dynamic" to "static" (even though it was technically static before) and the "Add reservation" button changes to the "Find reservation".

So either there needs to be case insensitivity added to how MAC addresses are handled in the GUI, or there needs to be a conversion process added somewhere to the section where DHCP reservations are added/imported to Hosts that makes all the letters in MAC addresses lowercase.
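To illustrate the mismatch nray describes, here is an added example (my own code, not OPNsense's and not from the post): a MAC canonicaliser plus a small model of the leases-page check, run over constructed host and lease records. The host/lease data, the separator variants accepted by `normalize_mac`, and the exact error string are assumptions for the demo; only the uppercase-vs-lowercase collision comes from the post.

```python
import re

# Constructed sample: reservations as imported into Hosts (uppercase MACs,
# as in the post) and what the leases page shows (lowercase MACs).
HOSTS = [
    {"mac": "AA:BB:CC:DD:EE:01", "ip": "192.168.1.10"},
    {"mac": "aa:bb:cc:dd:ee:02", "ip": "192.168.1.11"},
]
LEASES = [
    {"mac": "aa:bb:cc:dd:ee:01", "ip": "192.168.1.10"},
    {"mac": "aa:bb:cc:dd:ee:02", "ip": "192.168.1.11"},
    {"mac": "aa:bb:cc:dd:ee:03", "ip": "192.168.1.50"},
]


def normalize_mac(mac):
    """Canonical form: lowercase, colon-separated, six octets.

    Accepts AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and bare
    12-digit hex (assumed input formats); anything else raises ValueError
    rather than silently comparing unequal.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _mac_key(mac, case_sensitive):
    # The raw string stands in for a GUI that compares MACs byte-for-byte.
    return mac if case_sensitive else normalize_mac(mac)


def lease_state(lease, hosts, case_sensitive=False):
    """'static' if a host entry has the same MAC, else 'dynamic'."""
    key = _mac_key(lease["mac"], case_sensitive)
    if any(_mac_key(h["mac"], case_sensitive) == key for h in hosts):
        return "static"
    return "dynamic"


def add_reservation_error(lease, hosts, case_sensitive=False):
    """Model of the 'Add reservation' check.

    None means the lease can be reserved (or already is, by MAC). A string
    reproduces the failure from the post: the IP belongs to a host entry
    whose MAC was not recognised as the same one.
    """
    if lease_state(lease, hosts, case_sensitive) == "static":
        return None
    for h in hosts:
        if h["ip"] == lease["ip"]:
            return f"'{lease['ip']}' is already used in another DHCP host entry."
    return None


if __name__ == "__main__":
    for lease in LEASES:
        print(lease["mac"],
              "raw:", lease_state(lease, HOSTS, case_sensitive=True),
              "normalized:", lease_state(lease, HOSTS))
```

With byte-for-byte comparison the first lease reads as "dynamic" and adding a reservation for it collides on the IP; with `normalize_mac` applied on both sides it reads as "static", which is the behaviour nray gets after retyping the MAC in lowercase. Normalising at import time (the second fix the post proposes) is the same transformation applied once to the stored data instead of on every comparison.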
#98
High availability / Automatic XMLRPC Sync not trig...
Last post by Luke - Today at 04:51:01 AM
Hello all,

This is my first post, so I'll apologise in advance if I am being dumb.
I have searched the forums but I haven't found anything related (just people with no sync at all).

I'm in the process of prepping a new HA pair of OPNsense firewalls in my home network. Each is running on an identical Proxmox host with PCI-passthrough for the 2 NICs (WAN/LAN). They are currently not live as the plan is to replace my existing firewall when they are ready.

I've just reinstalled both firewalls from scratch using the 26.1 ISO, and applied updates to 26.1_4, and the problem persists.

Both have been set up with minimal configuration:
- WAN, LAN, and a few vlans configured (including one for PFSYNC) and attached to new interfaces; these are identical on each firewall.
- A floating firewall rule allowing ICMP on all interfaces for testing
- An any/any rule on the PFSYNC interface to allow PFSYNC and XMLRPC sync

I've checked the firewalls can ping each other on each interface (including the PFSYNC one).

Finally, I have set up the high-availability settings according to the documentation:
- PFSYNC interface for the sync
- Peer IP is the PFSYNC IP of the other firewall
- XMLRPC Sync configured only on the master
- Username and password are still default, just in case it was a complex password typo issue
- All services selected for sync

If I use the synchronise and reconfigure all button on the status page, the sync works beautifully as expected; I can see this in the log files on both firewalls:
Master:
Notice opnsense /usr/local/etc/rc.filter_synchronize: Filter sync successfully completed with https://172.16.0.3/xmlrpc.php.
Backup:
Notice syslog-ng Configuration reload finished;
Notice syslog-ng Configuration reload request received, reloading configuration;
Notice opnsense /xmlrpc.php: plugins_configure monitor (execute task : dpinger_configure_do(,null))
Notice opnsense /xmlrpc.php: plugins_configure monitor (,null)
Notice opnsense /xmlrpc.php: ROUTING: keeping inet default route to 192.168.1.1
Notice opnsense /xmlrpc.php: ROUTING: configuring inet default gateway on lan
Notice opnsense /xmlrpc.php: ROUTING: entering configure using defaults
Notice configctl event @ 1770003384.80 exec: system event config_changed response: OK
Notice configctl event @ 1770003384.80 msg: Feb 2 03:36:24 OPNsense02.internal config[51995]: config-event: new_config /conf/backup/config-1770003384.7952.xml
Notice opnsense /xmlrpc.php: plugins_configure monitor (execute task : dpinger_configure_do(,null))
Notice opnsense /xmlrpc.php: plugins_configure monitor (,null)
Notice opnsense /xmlrpc.php: ROUTING: keeping inet default route to 192.168.1.1
Notice opnsense /xmlrpc.php: ROUTING: configuring inet default gateway on lan
Notice kernel <6>[1613] carp: demoted by 240 to 240 (pfsync bulk start)
Notice kernel <6>[1613] carp: 1@ixl0: INIT -> BACKUP (initialization complete)
Notice kernel <6>[1613] ixl0: promiscuous mode enabled
Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (1)
Notice opnsense /xmlrpc.php: ROUTING: entering configure using defaults
Notice opnsense /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "VIP - LAN (192.168.1.250) (1@ixl0)" has resumed the state "BACKUP" for vhid 1


However, if I change anything on the master firewall (a new firewall rule, a new Virtual IP), I can see the configuration change in the log, but it does not trigger a sync to the backup firewall:

Notice configctl event @ 1770003822.21 exec: system event config_changed response: OK
Notice configctl event @ 1770003822.21 msg: Feb 2 03:43:42 OPNsense01.internal config[80873]: config-event: new_config /conf/backup/config-1770003822.2062.xml

As I understand it, this configctl event should trigger an automatic sync to the backup, but I do not see that in the logs and the changes are not synchronised. If I run another manual sync from the high-availability status page, any changes since the last manual sync are successfully synced as expected.

Am I doing something wrong? Is this a Layer8 issue?
How do I go about diagnosing this further to see why the sync is not triggering on a configuration change?

Any assistance would be greatly appreciated.
#99
26.1 Series / Possible issue importing old r...
Last post by awshirley - Today at 04:47:32 AM
I'm getting this error message when I tried to import my old rules csv:

e1e633f9-c53c-4391-b640-adc9c7b82d65,1,keep,,451,pass,1,0,lo0,in,inet,any,,,,,0,0,0,0,0,,,,,,,,,,,,,,,,,,,,,,,,0,any,,0,any,
[interface] Option [lo0] not in list.

It looks like the other rules imported except this one. I'm not exactly sure what the problem is. I've reviewed all the old rules and I don't have an lo0 interface.

Thanks!
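Franco's reply in #93 is to discard the lo0 rule. As an added example (my own code, not OPNsense's and not from either post), this splits an exported rules CSV into rows to import and rows bound to a given interface before re-importing. The interface column index is an assumption read off the posted row (where "lo0" is the 9th field); the second sample row is constructed by editing that row, and the header-detection path assumes a header cell literally named "interface".

```python
import csv
import io

# Index of the interface column. Assumed from the row posted above, where
# "lo0" is the 9th comma-separated field. If the export carries a header row
# with an "interface" column, that index is used instead.
INTERFACE_COLUMN = 8

# The row from the post, verbatim.
POSTED_ROW = ("e1e633f9-c53c-4391-b640-adc9c7b82d65,1,keep,,451,pass,1,0,lo0,in,"
              "inet,any,,,,,0,0,0,0,0,,,,,,,,,,,,,,,,,,,,,,,,0,any,,0,any,")
# A constructed sibling row on "lan" with a made-up uuid, so the filter has
# something to keep.
CONSTRUCTED_ROW = POSTED_ROW.replace(",lo0,", ",lan,", 1).replace(
    "e1e633f9-c53c-4391-b640-adc9c7b82d65",
    "00000000-0000-4000-8000-000000000001", 1)
SAMPLE_CSV = POSTED_ROW + "\n" + CONSTRUCTED_ROW + "\n"


def drop_rules_on_interface(csv_text, iface="lo0", iface_col=INTERFACE_COLUMN):
    """Split an exported rule CSV into rows to import and rows bound to iface.

    Returns (kept_csv_text, dropped_rows). A first row containing an
    "interface" column is treated as a header: it is kept and overrides
    iface_col. Other rows are compared on the exact field value.
    """
    kept, dropped = [], []
    for n, row in enumerate(csv.reader(io.StringIO(csv_text))):
        if not row:
            continue
        if n == 0:
            header = [c.strip().lower() for c in row]
            if "interface" in header:
                iface_col = header.index("interface")
                kept.append(row)
                continue
        if len(row) > iface_col and row[iface_col] == iface:
            dropped.append(row)
        else:
            kept.append(row)
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(kept)
    return out.getvalue(), dropped


if __name__ == "__main__":
    cleaned, gone = drop_rules_on_interface(SAMPLE_CSV)
    for row in gone:
        print("dropped rule", row[0], "on", row[INTERFACE_COLUMN])
    print(cleaned, end="")
```

Run it over the real export and feed the returned text to the importer; print the dropped rows first so the uuids being discarded are on record, since the GUI import stops at the first rejected row rather than skipping it.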
#100
General Discussion / btop install?
Last post by Lucid1010 - Today at 04:08:19 AM
https://github.com/aristocratos/btop


# pkg install btop
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
mimugmail repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'btop' have been found in the repositories

Do I need to compile and install it myself?

Prebuilt binary for OPNsense?