After update, meeting issues

Started by rumenblg, Today at 02:06:48 PM

Today at 02:06:48 PM Last Edit: Today at 02:21:11 PM by rumenblg
Hi all. First, thanks to all of you who built this software.

To my issues: I'm using OPNsense since 2020, never had any issues and it has always been working as it should. Until 3 days ago, when I did the update.
I've got a blacklist with a number of IPs which are restricted from accessing my network, mostly from DDoS attacks; from time to time some new network comes over.
And as I did before, just adding it to the blacklist on my server, and OPNsense refreshes the list after 1 min by itself so the new IPs are blocked.
Until now. So now I have to go to Firewall: Diagnostics: States: and drop these IPs, then the new blacklist comes into force. It doesn't work automatically anymore.
Also I have five Intrusion Detection: Policy entries for Suricata and at the same time they stop working, meaning the small attacks on my DNS server go through. And they have the same signature, same request as before.
All logs show no errors, no issues at all, I just can't figure out what is happening. Any help, thanks.

EDIT: forgot to mention, the version is
OPNsense 25.7.9-amd64
FreeBSD 14.3-RELEASE-p5




Maybe it's just me, but I'm unclear about what it is you are saying. Can you break it up a bit?
What/where is the blacklist? You say they are restricted TO access your network. Is that to say they are allowed?
If, however, you mean you are seeing a lot of attempts to access your network from IPs in some sort of blacklist, then how is that a problem?
As I say, it's all very unclear what the setup is and what the problem is.

Sorry mate, you didn't understand me, so I will explain: the blacklist is running on a remote server. And Firewall: Aliases has a refresh interval of 1 min, meaning every 60 sec OPNsense is checking the blacklist for new IPs.

So you have a server where you keep a list or lists of IP addresses to block. Then you have OPNsense fetching them and what, updating an alias with that? What is not working: the fetching, the update of the alias, something else?

Yes, I'm keeping the list on a remote server. Firewall: Aliases has a rule (URL IPs table) which is checking every 60 sec for updates to the remote blacklist. From this rule I've got a Floating rule which does the actual restriction to the network.

Before the update, if I wanted to restrict an IP, I just had to add it to the remote server blacklist. And Firewall: Aliases fetched this list automatically and blocked the new IPs.
Now this doesn't work anymore; to do so I need to go to Firewall: Diagnostics: States:, find where the new IP or IPs are and manually drop them. And then the actual block comes into force.

Hope this helps



Quote from: cookiemonster on Today at 02:46:22 PM
So you have a server where you keep a list or lists of IP addresses to block. Then you have OPNsense fetching them and what, updating an alias with that? What is not working: the fetching, the update of the alias, something else?

It helps. So have you diagnosed the process?

Yes,
it shows multiple attempts, and the same IP or IPs have a secondary row with no information.

So each IP is repeated twice, where the second repeat has empty information. I will take a screenshot next time. Apart from this, no errors in the logs.

Also, what I discovered is: because Suricata and IPS don't block or restrict DDoS anymore, if I manually do Services: Intrusion Detection: Administration -> Update to existing rules, it gets back to working mode for five hours, mostly 1 or 2 hours. And then the same issue, no restriction.



Quote from: cookiemonster on Today at 02:58:38 PM
It helps. So have you diagnosed the process?

What I mean is that your process is perfectly valid but unknown to us here as to how it works.
Quote
Yes, I'm keeping the list on a remote server. Firewall: Aliases has a rule (URL IPs table) which is checking every 60 sec for updates to the remote blacklist. From this rule I've got a Floating rule which does the actual restriction to the network.

Before the update, if I wanted to restrict an IP, I just had to add it to the remote server blacklist. And Firewall: Aliases fetched this list automatically and blocked the new IPs.
Now this doesn't work anymore; to do so I need to go to Firewall: Diagnostics: States:, find where the new IP or IPs are and manually drop them. And then the actual block comes into force.
It is impossible to tell why "this does not work anymore"; your mechanism to fetch the list, I imagine, is the Alias automation on OPN. But the content might not be "correct".
Maybe use the Diagnostics part of the alias in OPN to look into the table.
Or, when you say "this doesn't work anymore", does it mean nothing is fetched, or something else?

New IPs have been fetched and have an entry in the alias list. This was the first thing I checked.
When I say it doesn't work anymore, it means the restriction / blocking doesn't block the new IPs automatically anymore, except if I do a manual removal from Firewall -> Diagnostics -> Aliases; then the new blocked IPs which are in the blacklist come into force.
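The behaviour described in the post above (new addresses land in the alias, but are only blocked once their states are dropped) is consistent with how pf evaluates rules: a block rule is consulted when a state is created, and packets that match an existing state bypass the ruleset, so an address that has just been added to the table keeps passing on any state it already holds until that state expires or is killed. The script below is an added example, not code from this thread or from OPNsense itself. It diffs two snapshots of the pf table behind the alias and emits the pfctl(8) commands that kill the states of newly added addresses, so that a new blacklist entry takes effect without a trip to Firewall: Diagnostics: States. The table name "blacklist", the state-file path and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of OPNsense itself.
# Kill pf states for addresses that were added to a URL-table alias since the
# previous refresh, so a newly blacklisted host is cut off immediately.
# Assumed names: table "blacklist", state file /var/db/blacklist.prev.

# Snapshot a pf table. OPNsense loads a URL-table alias into a pf table of the
# same name; "pfctl -t <table> -T show" lists its contents (one per line,
# indented), which we strip and sort so the two snapshots are comparable.
snapshot_table() {
    pfctl -t "$1" -T show | sed 's/^[[:space:]]*//' | sort -u
}

# Print entries present in the new snapshot ($2) but absent from the old ($1).
# Both arguments are files with one address or network per line.
new_entries() {
    tmp="${TMPDIR:-/tmp}"
    sort -u "$1" >"$tmp/old.$$"
    sort -u "$2" >"$tmp/new.$$"
    comm -13 "$tmp/old.$$" "$tmp/new.$$"
    rm -f "$tmp/old.$$" "$tmp/new.$$"
}

# For each address on stdin, emit the pfctl commands that remove its states:
# "pfctl -k HOST" kills states originating from HOST, and the two-argument form
# "pfctl -k 0.0.0.0/0 -k HOST" kills states from anywhere to HOST (pfctl(8)).
# Commands are printed, not run, so the caller can review or pipe them to sh.
kill_commands() {
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        printf 'pfctl -k %s\n' "$addr"
        printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$addr"
    done
}

# Constructed sample data standing in for two consecutive alias refreshes
# (documentation ranges, not real attackers).
sample_old() {
    printf '%s\n' 192.0.2.10 198.51.100.0/24 203.0.113.7
}
sample_new() {
    printf '%s\n' 192.0.2.10 198.51.100.0/24 203.0.113.7 203.0.113.99 192.0.2.200
}

# Dry run on the constructed data: show which commands a refresh would trigger.
demo() {
    tmp="${TMPDIR:-/tmp}"
    sample_old >"$tmp/demo_old.$$"
    sample_new >"$tmp/demo_new.$$"
    new_entries "$tmp/demo_old.$$" "$tmp/demo_new.$$" | kill_commands
    rm -f "$tmp/demo_old.$$" "$tmp/demo_new.$$"
}

# Live use on the firewall (as root, e.g. from cron one minute after the alias
# refresh): compare against the stored snapshot, kill states only for addresses
# that appeared since, then store the new snapshot. Uncomment to run for real.
# TABLE=blacklist; STATE_FILE=/var/db/blacklist.prev
# snapshot_table "$TABLE" >"$STATE_FILE.new"
# [ -f "$STATE_FILE" ] || : >"$STATE_FILE"
# new_entries "$STATE_FILE" "$STATE_FILE.new" | kill_commands | sh
# mv "$STATE_FILE.new" "$STATE_FILE"

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the commands generated for the two constructed snapshots; only the commented live block touches pf. Killing states is the same action the GUI performs under Firewall: Diagnostics: States, just scoped to the addresses that changed, so hosts that were already blocked are left alone.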


