virusprot overload table: how to set settings?

Started by fwRookie, August 17, 2025, 09:43:55 AM

The automatically generated rule <virusprot> seems to block internal IPs from going to the WAN when a threshold of connections is reached for the internal IP address.

In my case this happened when a server wanted to get update packages and triggered the threshold apparently.

But I have no clue where I can unblock this specific client, nor where I can increase the rules that contain the trigger values.
Any manually created rule is inserted after the automatically created rules so will never overrule the automatics.

OPNsense 25.7.1_1-amd64
FreeBSD 14.3-RELEASE-p1


New to OPNsense.  I just updated to 25.7.7_4.  I am attempting to use Watchguard SSL VPN to connect to a remote location.  This application worked without any issues on 25.7.6 and previous versions.  I attempted to use it after going to 25.7.7_4 and it fails every time.  OF COURSE, (lesson learned) I need to backup/get a snapshot before upgrading.  In the firewall logs, it appears to me it is showing the "virusprot overload table" rule is preventing me from connecting with VPN software.  Any suggestions?

Do y'all have "Firewall: Rules: [interface]" -> "Advanced features" -> "Max new connections" configured?

November 18, 2025, 03:04:10 PM #3 Last Edit: November 18, 2025, 06:40:22 PM by TJL
I don't seem to have an "Advanced features" under rules.  I have Floating, LAN, WAN, WireGuard (Group), WIreGuard_VPN, and my vlans.

A clarification/question: on the Firewall:Log view, I click on the far right button to show the rule that is blocking the VPN connection.  It is showing "rulenr 11" and when I count down on the rules, it appears to be the "virusprot" rule.

I'm using a bit of a shorthand representation of the field location, and I missed a step. It should be "Firewall: Rules: [interface]" -> [rule] -> "Advanced features" -> "Max new connections". In other words, on the (normally) left hand menu, select "Firewall", then "Rules", then an interface, then select the edit button for a rule, then select "Show/Hide" next to "Advanced features" at the bottom, then scroll down to "Max new connections". Whew. But you can use this setting to populate the virusprot alias. I do not, for instance, as it can be tough to come up with a reasonable rate against the Internet, especially on modern high-speed services.
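For the original question (how to release one internal client that landed in the virusprot table) and the "Max new connections" explanation above, here is an added example script. It is not from this thread or from the OPNsense project: it shows the pf rule shape that feeds the table, checks a constructed dump of `pfctl -t virusprot -T show` for a given address, and emits the `pfctl -t virusprot -T delete` command that releases it. The table name `virusprot` comes from the thread; the exact generated rule text and the sample addresses are assumptions, so compare against `pfctl -sr` on your own box before relying on the rule form.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): inspect the pf
# <virusprot> table and build the command that releases one client.
# Assumptions: the table is named "virusprot" (as in the thread) and
# pfctl's "-t <table> -T show|delete" interface is available. pfctl is
# only called from release_client with --run; everything else works on
# the constructed sample below, so the script can be read offline.

# Constructed sample of what "pfctl -t virusprot -T show" prints:
SAMPLE_TABLE='   192.168.10.25
   192.168.10.40
   10.0.5.7'

# Rule shape that fills the table (pf.conf syntax). OPNsense builds this
# from the rule's advanced "Max new connections" / "per second(s)" fields;
# the exact generated text is assumed here, verify with "pfctl -sr":
#   pass in quick on vlan10 inet from vlan10:network to any \
#       keep state (max-src-conn-rate 15/5, overload <virusprot> flush global)
# Meaning: more than 15 new connections in 5 seconds from one source adds
# that source to <virusprot>, and "flush global" kills its existing states.

# is_overloaded IP TABLE_DUMP -> prints "yes" if IP is in the dump, else "no"
is_overloaded() {
    ip=$1
    dump=$2
    if printf '%s\n' "$dump" | awk -v ip="$ip" '
        $1 == ip { found = 1 }
        END      { exit found ? 0 : 1 }'; then
        echo yes
    else
        echo no
    fi
}

# count_overloaded TABLE_DUMP -> number of non-empty entries in the dump
count_overloaded() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# release_cmd IP -> prints the pfctl command that removes IP from the table
release_cmd() {
    printf 'pfctl -t virusprot -T delete %s\n' "$1"
}

# release_client IP [--run] -> shows the command; with --run, executes it.
# Run this on the firewall as root; the address is readmitted immediately,
# but will be re-added if it exceeds the rule's rate again.
release_client() {
    ip=$1
    mode=${2:-}
    cmd=$(release_cmd "$ip")
    if [ "$mode" = "--run" ]; then
        $cmd
    else
        printf 'dry run: %s\n' "$cmd"
    fi
}

# Stand-alone usage: ./virusprot.sh --live 192.168.10.25 [--run]
# Without --live the script only exercises the constructed sample.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    live=$(pfctl -t virusprot -T show 2>/dev/null || true)
    echo "currently in virusprot: $(count_overloaded "$live") entries"
    echo "$2 listed: $(is_overloaded "$2" "$live")"
    release_client "$2" "${3:-}"
elif [ "${1:-}" = "" ]; then
    echo "sample entries: $(count_overloaded "$SAMPLE_TABLE")"
    echo "192.168.10.25 listed: $(is_overloaded 192.168.10.25 "$SAMPLE_TABLE")"
    release_client 192.168.10.25
fi
```

The same table can be viewed and edited from the GUI under Firewall: Diagnostics: pfTables, which is the place to look when the firewall log points at the virusprot rule; deleting the entry there is equivalent to the `pfctl -T delete` above. Raising the rate in the originating rule's "Max new connections" fields is the fix if a legitimate client (an update server, a VPN client reconnecting in a loop) keeps tripping it.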

Thanks for the assistance.  That didn't resolve my issue.  I might need to contact Watchguard and get guidance from them on which end is closing the connection.  Is there an "easy" way for a newbie to view detailed logs, other than in the gui?  I think I have checked all the "log" buttons on the gui and none are giving me any information.  Thanks!

Logging settings for (most of) the automatic rules is under "Firewall: Settings: Advanced" -> "Logging". If you enable those, you should see logs in "Firewall: Log Files: Live View" and "Firewall: Log Files: Plain View". Depending on traffic, these can be a little busy.