Vlan configuration deleted after firmware update

[liberomic]

Hi all,

I have found an issue on the last two firmware update from 17.1.4 to 17.1.5 and now with 17.1.6 all Vlan interface after upgrade will be deleted specifically all interface "assignment".

This is a start-up
https://pastebin.com/rQpnA663

In version 17.1.5 I have reconfigured all interface assignment with the same sequence followed in the first installation for recovery all firewall rules, If I didn't follow the right order, all firewall rules would be mixed.
After this operation the network traffic coming from IPSEC was no longer associated to IPSEC interface.

At a moment we heve installed my old firewall but I would like to understand what is caused.

Note: I have tried to remove zerotier but the issue persist after the reboot.

Many thanks for the support
liberomic

[liberomic]

Hi all,

I have tried to restore the backup on another appliance and the issue persist.

Many thanks for the support
liberomic

[franco]

Hi there,

The reassignment means there is a problem with zerotier initialisation. zerotier package was bumped from 1.2.2 to 1.2.4 with 17.1.6 so that's likely the issue.

You can revert to the old zerotier to confirm:

# opnsense-revert -r 17.1.5 zerotier


Cheers,
Franco

[liberomic]

Hi Franco,

I have removed zerotier package after the upgrade 17.1.6 and now I have re-installed but the vlan are not recovered.

root@gw-firewall:~ # opnsense-revert -r 17.1.5 zerotier
Fetching zerotier.txz: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20161210... done
zerotier-1.2.4: already unlocked
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        zerotier-1.2.4

Number of packages to be removed: 1

The operation will free 1 MiB.
[1/1] Deinstalling zerotier-1.2.4...
[1/1] Deleting files for zerotier-1.2.4: 100%
Installing zerotier-1.2.2_1...
Extracting zerotier-1.2.2_1: 100%
Message from zerotier-1.2.2_1:
#################################


Note: this issue occurred in first update from 17.1.4 to 17.1.5 where I installed zerotier in 17.1.4, in the upgrade to 17.1.5 all vlan configurations are missed, and now the issue persist in the from 17.1.5 to 17.1.6.

Many thanks for the support

liberomic

[franco]

What kind of VLAN IP address configuration are you using? What is underneath the VLANs?

[liberomic]

Hi Franco,

we have assigned a private subnet on all vlan tag, and working fine to 17.1.4.

After I sent the command that you indicated , do I need to do the restore configuration function?


On startup
Starting named.
setup em1
error : interface opt1 not found
error : interface opt2 not found
error : interface opt3 not found
error : interface opt4 not found
error : interface opt5 not found
error : interface opt6 not found
error : interface opt7 not found
setup enc0


root@gw-firewall:~ # ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=52098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>
        ether f4:90:ea:10:1f:3f
        inet6 fe80::f690:eaff:fe10:1f3f%em0 prefixlen 64 scopeid 0x1
        inet 172.16.96.1 netmask 0xffffff00 broadcast 172.16.96.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier


------------------------------------------------------------------

em0_vlan101: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether f4:90:ea:10:1f:3f
        inet6 fe80::f690:eaff:fe10:1f3f%em0_vlan101 prefixlen 64 scopeid 0xa
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
        vlan: 101 vlanpcp: 0 parent interface: em0
        groups: vlan
em0_vlan102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether f4:90:ea:10:1f:3f
        inet6 fe80::f690:eaff:fe10:1f3f%em0_vlan102 prefixlen 64 scopeid 0xb
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
        vlan: 102 vlanpcp: 0 parent interface: em0
        groups: vlan
em0_vlan103: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether f4:90:ea:10:1f:3f
        inet6 fe80::f690:eaff:fe10:1f3f%em0_vlan103 prefixlen 64 scopeid 0xc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
        vlan: 103 vlanpcp: 0 parent interface: em0
        groups: vlan
em0_vlan105: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether f4:90:ea:10:1f:3f
        inet6 fe80::f690:eaff:fe10:1f3f%em0_vlan105 prefixlen 64 scopeid 0xd
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
        vlan: 105 vlanpcp: 0 parent interface: em0
        groups: vlan
em0_vlan111: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether f4:90:ea:10:1f:3f
        inet6 fe80::f690:eaff:fe10:1f3f%em0_vlan111 prefixlen 64 scopeid 0xe
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
        vlan: 111 vlanpcp: 0 parent interface: em0
        groups: vlan

The IP configurations are not set.

Many thanks for the support

liberomic

[franco]

In your config.xml that causes this "reassign" there must be an interface that is not available at boot time. The VLANs are correctly ignored.

Can you grep in your config.xml that causes this behaviour...

# grep '<if>' /conf/config.xml

[liberomic]

Hi Franco,

grep '<if>' /conf/config.xml
      <if>em1</if>
      <if>em0</if>
      <if>openvpn</if>
      <if>enc0</if>
      <if>em0</if>
      <if>em0</if>
      <if>em0</if>
      <if>em0</if>
      <if>em0</if>

I have checked the file /conf/config.xml and the static IP present on VLAN interfaces are not present.

Many thanks for the support

liberomic

[franco]

Hi liberomic,

I don't see any hint why this reassign happens as all devices are hardware or virtual (openvpn, enc0, vlans don't even show here in names, just parent interface).

You can try to verify with the core package of an older version, but there weren't any suspicious changes that would cause this.

# opnsense-revert -r 17.1.5 opnsense

Or

# opnsense-revert -r 17.1.4 opnsense

A firmware upgrade from the GUI or console brings you back to the latest version.


Cheers,
Franco

[liberomic]

Hi Franco,

thanks for you support, I have followed some tests.....

In evidence: "I have installed zerotier in 17.1.4 and assigned an OPT interface... after the upgrade to 17.1.5 all VLAN will be deleted."

Now I have followed this test
1) opnsense-revert -r 17.1.4 opnsense
2) restore an old backup
3) upgrade to 17.1.6 from console
.... working fine

I tried to restore a recent backup but the issue persist, working only with the backup file before the installation of zerotier. 

Regards,
Liberomic

[liberomic]

Hi Franco,

I have upgraded this configuration to 17.1.7 (zerotier now is removed) and working fine, but we want use Zerotier on Opnsense.

Do you have checked this issue on different configurations?

Regards
Liberomic

[liberomic]

Hi All,

I have installed the zerotier plugin in the last version of opnsense after the reboot all vlan will be deleted.

Uses of zerotier on opnsense with vlan is very critical.

 

[franco]

Did you use the "lock interface" feature for each VLAN that has been in OPNsense since 17.7.1?

[liberomic]

Hi Franco,

after factory reset I have applyed the lock on all interfaces, thanks for your suggestion.

Why this option is not set as default? now I will install zerotier without issue? on zerotier interface this future is needed ?

Regards,
Liberomic