Private IP PPPoE - OPNsense got hacked

Started by nicholaswkc, March 25, 2026, 07:13:01 AM

March 25, 2026, 07:13:01 AM Last Edit: March 25, 2026, 07:35:12 AM by nicholaswkc
Dear all forumers,

I had set the firewall adaptive timeout to 80 and 200 states and a firewall schedule at 22:00, but these settings were lost after 1 day.

I suspect the firewall got hacked by my ISP using private IP PPPoE (CNGA Double NAT) because during my usage of a Linux endpoint, my two Windows folders closed simultaneously. I had strengthened the kernel using tunable values.

No SSH, No remote desktop/open ports.

Please help me to strengthen the security.

As far as I can remember, there's already a similar thread regarding the suspected hacking attack on your OPNsense. Making such claims about your internet service provider is a pretty bold statement.

If you're right, I'd switch internet service providers. But you should definitely have proof that holds up in court regarding the suspected hacking.

Based on what you've written, I don't think you were hacked. Why would a hacker waste their time or use special exploits?
I want all services to run with wirespeed and therefore run this dedicated hardware configuration. Suricata is very demanding.

AMD Ryzen 9 9950X3D
ASUS Pro WS B850M-ACE SE
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror

private user, no business use

This is the second time (at least under this current profile) you have opened a topic with "I got hacked/OPNsense got hacked" without any proof and with very weird reasoning.

What you describe does not even make sense.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
N355 - i226-V | AQC113C | 16G | 500G - PROD

PRXMX
N5105 - i226-V | 2x8G | 512G - NODE #1
N100 - i226-V | 16G | 1T - NODE #2

March 25, 2026, 12:02:13 PM #3 Last Edit: March 25, 2026, 12:05:27 PM by meyergru
Yeah, that all sounds too familiar. Considering the style, the claims and even the profile name, I suspect that @peterwkc is the same person, so it is now the bazillionth time, see: https://forum.opnsense.org/index.php?topic=44259.0

@nicholaswkc: I suggest you find a new hobby besides IT. The way you argue shows that you do not know what you are talking about. It seems like a mix of not understanding why specific things go wrong for lack of technical skill, mixed with a paranoid fear that the problems are not caused by your own mistakes, but by some evil hackers/ISPs/whomever.

You have been advised multiple times now that your claims (which I cannot even comprehend) do not match reality.

However, remembering the old saying "just because you are paranoid does not mean that they are not after you.", maybe you are right. Are you living in Russia by any chance?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

I'm surprised it uses OPNsense behind CNGA Double NAT; I don't understand.
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **

March 26, 2026, 08:37:06 AM #5 Last Edit: March 26, 2026, 10:06:56 AM by nicholaswkc Reason: Add more information.
My claim is valid and I am not over-paranoid about security. I cannot disclose the country I live in.
I added a cron job that resets the WAN interface every 10 min.


Quote from: nicholaswkc on March 26, 2026, 08:37:06 AM
My claim is valid and I am not over-paranoid about security. I cannot disclose the country I live in.
I added a cron job that resets the WAN interface every 10 min.



Well, hate to be that guy but from an external perspective it does indeed look pretty paranoid. Especially considering the duration of those posts spanning over years...

Do you have any proof to backup your claims of it being valid? Like do you have any IDS/IPS/SIEM logs to show?

Otherwise I would start there, it might even be a good exercise for you in order to strengthen your own cybersecurity.

Wazuh agent is available in OPNsense community plugins. Install it together with Suricata, spend some time configuring it. Install a Wazuh server on another host and ship the data from the Wazuh agent on OPNsense to the server.

If your hardware supports it, I would also extend it with a SPAN/mirror of your WAN interface. You can use another host with Zeek for that.

At least try to bring some proof to support your point, otherwise you risk ending up sounding like a madman or a troll spreading FUD.
26.1.5|Intel N150|4x3.6GHz|8GB|256GB NVMe
Cisco L3 switch OSPF + FRR
Chrony|DoT|HAProxy+NAXSI|Suricata+Wazuh|NetFlow->Akvorado
IPSec|OpenVPN|Wireguard
MultiWAN: 1Gbit fiber dual stack + 4G failover

--
Available for private support.

Today at 06:42:58 AM #7 Last Edit: Today at 10:12:14 AM by nicholaswkc
One of my LAN hosts (AlmaLinux) cannot ping the gateway IP. Very strange: it can ping one of the Android TV boxes only, not the other Windows LAN hosts either. I tried disabling firewalld and looked at ip route show and found nothing.

It cannot browse the internet anymore. I could browse the internet yesterday. This is proof. Something is broken. I have the Wazuh agent installed but don't know how to see all the data.

nicholaswkc@localhost:~$ ip route show table all
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.100 metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100 metric 100
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.1.100 dev eth0 table local proto kernel scope host src 192.168.1.100
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.100
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::96b1:914d:f21d:1e01 dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium

nicholaswkc@localhost:~$ netstat -r | more
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0


nicholaswkc@localhost:~$ arp -a
? (192.168.1.102) at 5c:e9:31:82:02:a0 [ether] on eth0
? (192.168.1.101) at ec:f7:2c:17:a8:69 [ether] on eth0
? (192.168.1.104) at 98:90:96:9b:bf:08 [ether] on eth0
? (192.168.1.106) at <incomplete> on eth0
? (192.168.1.103) at 70:b5:e8:28:70:19 [ether] on eth0
_gateway (192.168.1.1) at 80:61:5f:08:2a:d8 [ether] on eth0

Possibly the hacker assigned a different VLAN?

Today at 08:40:53 AM #8 Last Edit: Today at 08:53:19 AM by meyergru
A fine example of how you misinterpret things according to your confirmation bias:

Quote from: nicholaswkc on Today at 06:42:58 AM
One of my LAN hosts (AlmaLinux) cannot ping the gateway IP. Very strange: it can ping one of the Android TV boxes only, not the other Windows LAN hosts either. I tried disabling firewalld and looked at ip route show and found nothing.

It cannot browse the internet anymore. I could browse the internet yesterday. This is proof. Something is broken.


"This proof" means only:

1. You can ping at least one device on your LAN 192.168.1.0/24, so obviously your Linux PC is connected to some network.
2. Not being able to ping Windows PCs on your LAN is perfectly normal, depending on what kind of network connection (private or public) is selected. The Windows firewall does not allow incoming pings.
3. Not being able to ping the gateway can be because of many reasons, most of which are simple misconfigurations:

- Having selected the wrong port to connect to because physical ports are numbered differently than logical NICs
- Using multiple ports as a bridge without having them configured as per docs
- Using another subnet or a different VLAN
- Cabling problems
- Not having opened the firewall for such kind of traffic (or having blocked such traffic by error in trying to "strengthen security")

For example: Did you try the other way around, namely to ping the Linux PC from your OpnSense?
4. Together with not being able to reach the internet (because of what? Can you resolve DNS names?) it suggests missing connectivity to your firewall for any kind of traffic.

You see: None of "this" is "proof" - only a hint at some kind of misconfiguration. Nobody questions "something is broken", but there are no grounds to suggest any hacker being involved.

Altogether this means:

a. unproven claims of hacker attacks
b. random tries to "strengthen security"
c. (only after asking for facts) connection problems of some kind
d. not enough useable facts for us to start with

Instead of jumping to (false) conclusions, you would be better off stating the facts, like in this case: "I do not get an internet connection and I cannot reach my gateway", together with helpful facts about what you have done, including:

- network topology
- firewall rules
- positive and negative results of tests you have conducted to identify the exact problem

Also, stop messing around with random measures like:

Quote from: nicholaswkc on March 26, 2026, 08:37:06 AM
I added a cron job that resets the WAN interface every 10 min.

Those will do more harm than good if you do not know what you are doing. This alone might account for missing internet access...


P.S.: Your network configuration looks right, and the fact that the gateway is in the ARP table suggests a blocking firewall rule, not a physical or VLAN problem.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
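The reasoning in the P.S. above (a resolved ARP entry for the gateway rules out a layer-2 fault and points at filtering) can be turned into a small offline triage script. The following is an added example, not code from any participant in the thread: it parses the `ip route show table all` and `arp -a` output exactly as posted (addresses and MACs copied from the post) and combines them with two hand-entered test results, whether `ping -c 3 <gateway>` answered and whether a DNS name resolved, to name the layer most likely at fault. The function and variable names are the example's own.

```python
"""Sort a 'cannot reach gateway / no internet' symptom into a layer-2,
layer-3/filtering or DNS cause from `ip route` and `arp -a` output.

Added example, not code from the thread. The sample outputs below are the
ones posted in the thread; the ping and DNS results are passed in by hand
because this script runs offline and never touches the network."""
import re

# Copied from the posted `ip route show table all` output (main + local table lines).
ROUTE_OUTPUT = """\
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.100 metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100 metric 100
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 192.168.1.100 dev eth0 table local proto kernel scope host src 192.168.1.100
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.100
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
"""

# Copied from the posted `arp -a` output; .106 never answered ARP.
ARP_OUTPUT = """\
? (192.168.1.102) at 5c:e9:31:82:02:a0 [ether] on eth0
? (192.168.1.101) at ec:f7:2c:17:a8:69 [ether] on eth0
? (192.168.1.106) at <incomplete> on eth0
_gateway (192.168.1.1) at 80:61:5f:08:2a:d8 [ether] on eth0
"""

ROUTE_RE = re.compile(r"^default via (\S+) dev (\S+)")
# "<name> (<ip>) at <mac-or-<incomplete>> [ether] on <dev>"; [ether] is absent for incomplete entries.
ARP_RE = re.compile(r"^\S+ \((\S+)\) at (\S+)(?: \[ether\])? on (\S+)")


def parse_default_gateway(route_text):
    """Return {'gateway', 'dev'} from the first 'default via' line, or None if there is none."""
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            return {"gateway": m.group(1), "dev": m.group(2)}
    return None


def parse_arp(arp_text):
    """Map IP -> MAC. An '<incomplete>' entry (ARP request sent, no reply) maps to None."""
    entries = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac, _dev = m.groups()
            entries[ip] = None if mac == "<incomplete>" else mac.lower()
    return entries


def unresolved_neighbours(arp_text):
    """IPs the host tried to reach at layer 2 and got no ARP reply from."""
    return sorted(ip for ip, mac in parse_arp(arp_text).items() if mac is None)


def triage(route_text, arp_text, gateway_pings, dns_resolves):
    """One-line diagnosis. gateway_pings / dns_resolves are the operator's
    results of `ping -c 3 <gateway>` and `getent hosts <some name>`."""
    gw = parse_default_gateway(route_text)
    if gw is None:
        return "no default route: DHCP or static IP configuration problem on this host"
    mac = parse_arp(arp_text).get(gw["gateway"])
    if mac is None:
        # No MAC for the gateway: frames are not reaching it at all.
        return ("gateway %s has no resolved MAC on %s: layer-2 problem "
                "(wrong physical port, wrong VLAN, cabling, bridge config)"
                % (gw["gateway"], gw["dev"]))
    if not gateway_pings:
        # ARP worked, so layer 2 is fine; ICMP being dropped points at a rule.
        return ("gateway %s resolved at %s but does not answer ping: layer 2 "
                "works, so check the firewall rules on the gateway's interface"
                % (gw["gateway"], mac))
    if not dns_resolves:
        return "gateway reachable but DNS fails: check the resolver settings, not the LAN"
    return "LAN, gateway and DNS fine: look at the WAN side (e.g. that WAN-reset cron job)"


if __name__ == "__main__":
    # The symptoms reported in the thread: gateway does not ping, no internet.
    print(triage(ROUTE_OUTPUT, ARP_OUTPUT, gateway_pings=False, dns_resolves=False))
    print("no ARP reply from:", unresolved_neighbours(ARP_OUTPUT))
```

Run it on the host that shows the symptom, pasting in that host's own `ip route show table all` and `arp -a` output; the ordering of checks (route, then ARP, then ICMP, then DNS) is the same as the numbered list in the post, so the first failing check is the layer to look at before suspecting anything further away.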

I think it is the right time to change the thread title to what it actually is.
Something like "problems configuring OPNsense network details".