eno2001's Journal: Hello All: OPNSense 2

Not sure who from the old group is left here. I haven't posted in over a decade and I'm here with a question. :) If anyone is using OPNSense or PFSense, you might be able to weigh in. Story time... I started using OPNSense (based on PFSense) as my internet gateway at home in January of this year because I had a need for speed. My WRT54G with ddwrt wasn't up to the task of my new gigabit internet connection since it only has 100 Mb/s ports. I had an old PC lying around and an extra gigabit PCIe card, so I did what any Slashdotter worth his salt would do: I built a gateway. (Heheh, actually about as prefab as ddwrt).

I chose OPNSense over PFSense since PFSense wouldn't boot on that machine (an old 64-bit AMD CPU) no matter what I tried, and I tried a LOT. Things were fine until something in early September. One morning I woke up to no internet access. I checked a bunch of other things first because I had literally built a new DHCP/DNS/NTP server a day and a half earlier. Eventually I realized there really was no internet access and when I checked out the PC, it was off.

This happened one more time two days later, and with what appear to be missing syslog entries (I just don't know enough about BSD and OPNSense to know if that is OK or not), I started wondering if the box was compromised somehow. I doubted that since FreeBSD is supposed to be about as safe as you can get for an internet-facing machine and I've NEVER had a Linux box get compromised out in the wild in the 25+ years I've been using it. As a result I'm really leaning towards the idea that this is a hardware bug or potentially failing hardware. The PC is at least ten years old. Given that PFSense wouldn't boot on it at all (it would lock up from the boot DVD once it attempted to load the kernel), it's likely there is something about my PC that just doesn't work well with FreeBSD.

Given that, since I still had a slight suspicion that someone might have been messing with the machine, I connected to it from another machine using a GNU screen multiplexer session so that if I got disconnected, I'd have a logged, searchable history even if the syslog got wiped. I was watching the syslog with 'clog'. It sat there for 13 days without shutting down and nary a new syslog entry in sight. I didn't check it daily and given that it had been up for over a week I stopped checking the screen session. Yesterday, I connected to the screen session to take a peek, and there was a disconnect message just after the syslog which still had no new entries in it. What's interesting to me is that this time it wasn't off, it was a reboot while I was at work. Since I'm working from home and use a different part of the network for work, I didn't notice the outage. Neither did my wife and kid since they were both not using the internet connection at 9:20 in the morning that day.

So I connected to see what the logs showed. This time the log picked up from where it was before the reboot. It just showed standard boot stuff starting at 9:20 AM, a redundant disk rebuild and that's it. It's been like that since last Tuesday. I've run the updates and audits on it, and there is only one vulnerability in an XML library that's been in FreeBSD since January and is not fixed yet.

I'm still leaning pretty hard on hardware failure or a CPU bug that didn't cause issues with booting the OPNSense installer DVD like PFSense, but those are both just guesses. I don't know if a normal syslog would show shutdown info on FreeBSD, but I assume it would. If that's true, then it's possible a hard crash would explain the missing shutdown info in the logs. Otherwise, I'm still in the dark.

As a side note, I've also confirmed that there were no power blips at any of these times. My Linux laptops showed no change to battery during the days these shutdowns and the reboot occurred. The only other item that I noticed that seemed odd was that after I powered on after the first shutdown, a few hours later there were some messages on the console from a service (can't remember the name) that slows down the restart of a process if it continually segfaults. This is supposed to discourage attackers. I think the process that was segfaulting repeatedly was flowd (for netflow).

So anyone here familiar with this and have any recommendations? Agree that this is likely a hardware issue since it should theoretically be harder to compromise an internet-facing BSD box than a Linux box? Or have I been h4x0r3d by a 1337 d00d and should I kill this system with fire and get a new fanless PC to start over with?
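One way to check the thing the post is unsure about, whether each boot in syslog was preceded by an orderly shutdown record or by a silent gap, as an added example that is not part of the original post: the log lines, hostname and year are constructed, and the marker strings are the default FreeBSD `syslogd`/`shutdown` wording. A boot marker with no shutdown record and a long gap before it points at a hard crash or power loss rather than a clean reboot.

```python
import re
from datetime import datetime

# Constructed sample syslog in FreeBSD's default format (no year in the stamp).
SAMPLE_LOG = """\
Sep 14 23:55:10 gw sshd[812]: Accepted publickey for admin from 192.168.1.10
Sep 15 09:20:03 gw syslogd: kernel boot file is /boot/kernel/kernel
Sep 15 09:20:04 gw kernel: (constructed boot banner line)
Sep 15 09:20:31 gw kernel: GEOM_MIRROR: Device gm0: rebuilding provider ada1p2.
Sep 16 18:02:00 gw shutdown[2210]: reboot by root:
Sep 16 18:02:01 gw syslogd: exiting on signal 15
Sep 16 18:04:12 gw syslogd: kernel boot file is /boot/kernel/kernel
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
BOOT_MARK = "syslogd: kernel boot file is"          # logged by syslogd at every boot
CLEAN_MARKS = ("shutdown[", "syslogd: exiting on signal")  # orderly shutdown trail


def parse_ts(stamp, year):
    # FreeBSD stamps carry no year, so the caller supplies one (year rollover
    # inside a single file is not handled here).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_reboots(text, year=2022, clean_window_s=600):
    """Return one dict per boot marker: when it happened, the gap in seconds since
    the previous log entry, and whether an orderly shutdown was logged within
    clean_window_s before it."""
    events = []
    prev_ts, last_clean_ts = None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1), year), m.group(3)
        if any(mark in msg for mark in CLEAN_MARKS):
            last_clean_ts = ts
        elif BOOT_MARK in msg:
            gap = (ts - prev_ts).total_seconds() if prev_ts else None
            clean = (last_clean_ts is not None
                     and (ts - last_clean_ts).total_seconds() <= clean_window_s)
            events.append({"boot": ts.isoformat(), "gap_s": gap, "clean": clean})
        prev_ts = ts
    return events


if __name__ == "__main__":
    for ev in find_reboots(SAMPLE_LOG):
        print(ev)
```

On the constructed sample the 09:20 boot is flagged as unclean with a gap of over nine hours, while the 18:04 boot follows a logged `shutdown` and is flagged clean.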

Comments:
  • I know it can be frustrating, and a bit fun, to track down an intermittent bug. Nonetheless, I suggest you bite the bullet and buy a fairly recent router. You can get a really good home router with built-in wifi for less than $50 these days. A little research and you can get one that runs dd-wrt; routers that run OPNSense will need to be x86-64 which will cost more. Use the old hardware for something less critical. It can save your boxen that have SSD or SD cards (raspberry pi's?) from doing so many writes;
    • I have OpenWRT kicking ass on an RPi-4 2GB, booting 64-bit from SSD, and passing traffic between the Gig-E and a USB-3 Gig-E.

      Keeps up with my DOCSIS-3 cable modem. The RPi-3 had compromised Ethernet on shared USB channel, but that's over.
