Crowdsec banned private ip on opnsense

[DenuxPlays]

What happened?

I have a crowdsec agnet & firewall blocker installed on my opsense.
I noticed that crowdsec banned a private ipv4 address.

this never happend before and I use crowdsec in this setup a few months and in general a year.
Also the traffic is high but it was high since day 1 from this ip.

What did you expect to happen?

Crowdsec should not ban private ip ranges and I thought the default whitelist has entries for private ip ranges?

How can we reproduce it (as minimally and precisely as possible)?

I am not sure how to reproduce it as I personally see no anomaly in traffic for this server.

Anything else we need to know?

No response

Crowdsec version

version: v1.7.3-c8aad699
Codename: alphaga
BuildDate: 2025-11-06_03:40:58
GoVersion: 1.25.3
Platform: freebsd
libre2: C++
User-Agent: crowdsec/v1.7.3-c8aad699-freebsd
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog

OS version

OPNSense: 25.7.7_4-amd64
FreeBSD: 14.3-RELEASE-p4

Enabled collections and parsers

Loaded: 156 parsers, 11 postoverflows, 770 scenarios, 9 contexts, 5 appsec-configs, 161 appsec-rules, 156 collections
name,status,version,description,type
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/opnsense-gui-logs,enabled,0.1,Parse OPNSense web auth logs,parsers
crowdsecurity/public-dns-allowlist,enabled,0.1,Allow events from public DNS servers,parsers
crowdsecurity/sshd-logs,enabled,3.1,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,1.0,,parsers
firewallservices/pf-logs,enabled,0.7,Parse packet filter logs,parsers
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
crowdsecurity/opnsense-gui-bf,enabled,0.3,Detect bruteforce on opnsense web interface,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: SSH brute force trigger,scenarios
crowdsecurity/ssh-refused-conn,enabled,0.1,Detect sshd refused connections,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
firewallservices/pf-scan-multi_ports,enabled,0.5,Detect aggressive portscans (pf),scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/firewall_base,enabled,0.2,,contexts
crowdsecurity/freebsd,enabled,0.4,core freebsd support : syslog+geoip+ssh,collections
crowdsecurity/opnsense,enabled,0.4,core opnsense support,collections
crowdsecurity/opnsense-gui,enabled,0.1,OPNSense web authentication support,collections
crowdsecurity/sshd,enabled,0.7,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.2,Good actors whitelists,collections
firewallservices/pf,enabled,0.2,Parser and scenario for Packet Filter logs,collections```

</details>


### Acquisition config

<details>

filenames:

• /var/log/nginx/*.log
• ./tests/nginx/nginx.log
  #this is not a syslog log, indicate which kind of logs it is
  labels:
  type: nginx

---

filenames:

• /var/log/auth.log
• /var/log/syslog
  labels:
  type: syslog

---

filenames:

• /var/log/httpd-access.log
• /var/log/httpd-error.log
  labels:
  type: apache2

Before 22.1, OPNsense used circular logs under /var/log/*.log that

can still be around. They are old, in binary format and are not needed by crowdsec.

For this reason we don't scan /var/log/*.log, but some plugins can write

their (plaintext) logs in that location, in such case add their pathnames too.

filenames:

DO NOT EDIT - to add new datasources (log locations),

create new files in /usr/local/etc/crowdsec/acquis.d/

collection: crowdsecurity/sshd

• /var/log/audit/latest.log

collection: crowdsecurity/opnsense-gui (web admin)

• /var/log/lighttpd/latest.log

collection: firewallservices/pf

• /var/log/filter/latest.log

When OPNsense is configured with /var/log in a RAM disk,

the log directories are created after crowdsec is run.

We force crowdsec to watch over directory creation as well

as file creation. FreeBSD has kqueue instead of inotify

but the option works with both.

force_inotify: true

this option is required from crowdsec v1.5.0 to follow

changes in symlinks

poll_without_inotify: true

labels:
type: syslog

</details>


### Config show

<details>

```console
Global:
   - Configuration Folder   : /usr/local/etc/crowdsec
   - Data Folder            : /var/db/crowdsec/data
   - Hub Folder             : /usr/local/etc/crowdsec/hub
   - Notification Folder    : /usr/local/etc/crowdsec/notifications
   - Simulation File        : /usr/local/etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log/crowdsec
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /usr/local/etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /usr/local/etc/crowdsec/acquis.d/
cscli:
  - Output                  : human
  - Hub Branch              : 
API Client:
  - URL                     : http://192.168.2.102:60225/
  - Login                   : gateway
  - Credentials File        : /usr/local/etc/crowdsec/local_api_credentials.yaml
Local API Server (disabled):
  - Listen URL              : 127.0.0.1:8080
  - Listen Socket           : 
  - Profile File            : /usr/local/etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/db/crowdsec/data/crowdsec.db
      - Flush age           : 168h0m0s
      - Flush size          : 5000

Prometheus metrics

╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                                         │
├───────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                            │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/audit/latest.log    │ 45.73k     │ -            │ 45.73k         │ -                      │ -                 │
│ file:/var/log/filter/latest.log   │ 6.29M      │ 343.47k      │ 5.95M          │ 254.29k                │ 76                │
│ file:/var/log/lighttpd/latest.log │ 50         │ -            │ 50             │ -                      │ -                 │
╰───────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭───────────────────────────────────────────────────────────────────╮
│ Parser Metrics                                                    │
├────────────────────────────────────┬─────────┬─────────┬──────────┤
│ Parsers                            │ Hits    │ Parsed  │ Unparsed │
├────────────────────────────────────┼─────────┼─────────┼──────────┤
│ child-crowdsecurity/sshd-logs      │ 96      │ -       │ 96       │
│ child-crowdsecurity/syslog-logs    │ 12.68M  │ 6.34M   │ 6.34M    │
│ crowdsecurity/cdn-whitelist        │ 303     │ 303     │ -        │
│ crowdsecurity/dateparse-enrich     │ 343.47k │ 343.47k │ -        │
│ crowdsecurity/geoip-enrich         │ 326.76k │ 326.76k │ -        │
│ crowdsecurity/opnsense-gui-logs    │ 99      │ -       │ 99       │
│ crowdsecurity/public-dns-allowlist │ 343.47k │ 343.47k │ -        │
│ crowdsecurity/rdns                 │ 303     │ 303     │ -        │
│ crowdsecurity/seo-bots-whitelist   │ 303     │ 303     │ -        │
│ crowdsecurity/sshd-logs            │ 6       │ -       │ 6        │
│ crowdsecurity/syslog-logs          │ 6.34M   │ 6.34M   │ -        │
│ firewallservices/pf-logs           │ 6.29M   │ 4.80M   │ 1.49M    │
│ firewallservices/pf-logs-drop      │ 343.47k │ 343.47k │ -        │
╰────────────────────────────────────┴─────────┴─────────┴──────────╯
╭─────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Scenario Metrics                                                                                    │
├──────────────────────────────────────┬───────────────┬───────────┬──────────────┬─────────┬─────────┤
│ Scenario                             │ Current Count │ Overflows │ Instantiated │ Poured  │ Expired │
├──────────────────────────────────────┼───────────────┼───────────┼──────────────┼─────────┼─────────┤
│ firewallservices/pf-scan-multi_ports │ 14            │ 526       │ 211.05k      │ 254.29k │ 210.44k │
╰──────────────────────────────────────┴───────────────┴───────────┴──────────────┴─────────┴─────────╯
╭────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Whitelist Metrics                                                                              │
├────────────────────────────────────┬────────────────────────────────────┬────────┬─────────────┤
│ Whitelist                          │ Reason                             │ Hits   │ Whitelisted │
├────────────────────────────────────┼────────────────────────────────────┼────────┼─────────────┤
│ crowdsecurity/cdn-whitelist        │ CDN provider                       │ 303    │ -           │
│ crowdsecurity/public-dns-allowlist │ public DNS server                  │ 343465 │ 76          │
│ crowdsecurity/seo-bots-whitelist   │ good bots (search engine crawlers) │ 303    │ -           │
╰────────────────────────────────────┴────────────────────────────────────┴────────┴─────────────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

[github-actions]

@DenuxPlays: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[LaurenceJJones]

Hey @DenuxPlays I believe opnsense might not install the default private ips whitelist by design since tracking bruteforce attempts on opnsense login panel may only happen from within your network, and you may want to be alerted at that.

Could you install it https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/whitelists then this should not happen anymore.

[DenuxPlays]

Ah ok I am confused but that worked.
I had it not installed but I installed Crowdsec 1.7.0 and then later just updated to 1.7.3.

From the documentation¹:

Since crowdsec 1.6.3, private IP networks are whitelisted by default as well. This means for example an IP from a LAN or WAN which is on 192.168.x.y won't get blocked by a local decision (community blocklists don't contain private IPs).

So I think this is still a bug or the documentation is not up to date.

Footnotes

1. https://doc.crowdsec.net/docs/next/getting_started/install_crowdsec_opnsense ↩