
Messages - franco

#15991
*Not* fixed on 11.0-RELEASE. 11-STABLE is, but with a very long patch from Microsoft basically updating Hyper-V support, but who knows what problems are in there then... ;)
#15992
Thank you for the kind words! Let us know if the error reappears so we look into it in more detail. :)


Cheers,
Franco
#15993
Which version are you on? opnsense_pam.so not installed makes me think your 17.1 upgrade went bad.

Go to System: Settings: Administration, unlock the console menu via option.

Go to the console, choose option 8, and type:

# opnsense-update -f
# /usr/local/etc/rc.reboot
#15994
This is strange, OpenVPN gets the traffic, tries to bind the client but is rejected by the system.

Something similar happened with the move from MPD4 to MPD5, when the old way of binding to the system no longer worked, being more strict to be precise.

Is the xx.xx.xx.xx a local subnet? Is it properly configured in the secondary WAN?

EDIT: Did you guys try "any" instead of "localhost"?


Cheers,
Franco
#15995
General Discussion / Re: Emergency revert to saved config
February 02, 2017, 11:13:49 PM
The basic rule is you can always trash your configuration, no matter how clever the system.

The things that help in my experience:

1) Quick console access, even for VMs using Remote Clients to the VM Hosts.

2) Unlock the console menu. If it's hard for you to get to the console it's safe enough to be unlocked. ;)

3) There's a revert tool in the console menu or manually edit /conf/config.xml or skim through the backups at /conf/backups

4) SSH over GUI, GUI via VPN is nice, but only SSH should be going out "raw".

5) Reboot just to be safe.

I realise none of this is relevant to HA, but if HA doesn't work this is what it comes down to.


Cheers,
Franco
#15996
Hi Martinez,

I would recommend an export / backup, then reinstalling the system using the 16.7 image (Import Configuration + Guided Installation) and immediately updating to 16.7.14 afterwards. If the configuration is not in order, restore the backup once more and then everything should work again.

There is a way to downgrade via opnsense-update, but it has not been tested so far and can fail, because 17.1 is the first version that can do native upgrades across FreeBSD versions. For 17.7 this will hopefully be a practical additional option.


Regards
Franco
#15997
For IPsec TCP session interruption, you guys should try the following as per indication of a FreeBSD developer:

# sysctl net.inet.ipsec.filtertunnel=1
#15998
17.1 Legacy Series / 17.1 Migration Notes and Help
February 02, 2017, 11:01:25 PM
Hi all,

We're putting together this thread with the initial migration notes and updates / workarounds for known problems.

Please keep in mind that changing from a major OS version to another that we do not maintain ourselves is challenging and has occasional surprises in the world of networking. We are in this just as much as you, so let's get through this together. :)

o The integrated authentication framework is now used as a system-wide default including login(1), su(1) and sudo(8).  This means that e.g. when 2FA is enabled for the GUI it will be used for low-level password prompts as well and plain passwords are disabled by default.  If this behaviour is undesired, set the "Disable integrated authentication" option under System: Settings: Administration.

o Disabled Gateway entries are now always honoured instead of being set up as a default gateway.

o The console settings received a non-backwards compatible change.  If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to "Serial" due to a wrong GUI default.

o FreeBSD 11.0 switched to the vt(4) console driver, but we are keeping sc(4) as the default.  You can change this after installation by enabling the virtual terminal driver under System: Settings: Administration.

o EFI boots may not yield a console anymore, the setting for VGA is wrong now and should be switched to "EFI" under System: Settings: Administration.

o The access privileges for "Lobby: Login / Logout / Dashboard" and "Diagnostics: Backup / Restore" have been remapped internally and need to be reapplied when they have been assigned explicitly.

o The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The state of 6rd is possibly broken.  We ask for volunteers to pick up the work if 6rd is still a requirement, as we do not have access to such setups.

o Fundamental WiFi stack changes in FreeBSD 11.0 could still affect overall operability.  Please let us know about these right away.

o The following services moved to individual plugins and need to be reinstalled in order to be used: SNMP, Load Balancer, Wake on LAN, Universal Plug and Play, IGMP Proxy.  Their respective configurations will be preserved by the system even if these plugins are not installed.

o The Intel e1000 driver plugin has been removed due to an incompatibility with FreeBSD 11.0.  All previously known bugs of the FreeBSD 11.0 e1000 driver have been fixed in OPNsense 17.1 and reported to FreeBSD.


Cheers,
Franco on behalf of the OPNsense team
#15999
That sounds like a problem in the settings under System: Settings: Administration. Primary Console is surely wrong.


Regards
Franco
#16000
17.1 Legacy Series / Re: Upgrade 16.7 to 17.1 success.
February 02, 2017, 10:41:01 PM
Hi Kevin,

Delightful, thank you very much! :)


Cheers,
Franco
#16001
Alright, policy routing problems are like this:

Make sure your gateway policies are non-overlapping floating rules with "non-quick" and/or direction "in" (for non-floating all of these already apply). Changes in our kernel allow the two FreeBSD firewalls to share forwarding decisions, but that also means that previous routing decisions can be overruled.

If that doesn't help, we are going to need more details about the rules/gateway setups in order to be of help.


Thanks,
Franco
#16002
16.7 Legacy Series / Re: OPNsense UI login problem
February 02, 2017, 10:05:24 PM
Took a while, but now with 17.1.1 we're switching to a token per session, so unless your session is expired or the box is rebooted it will work: https://github.com/opnsense/core/commit/f20640d0b69113
#16003
Will be fixed in 17.1.1: https://github.com/opnsense/core/commit/f20640d0b69113


Cheers,
Franco
#16004
17.1 Legacy Series / Re: Firewall hang and odd console
February 02, 2017, 09:30:04 PM
Try setting the "vt" driver and primary console to "efi". FreeBSD flipped their default on 11.0, and the old defaults that worked for EFI are not working so well anymore (we kept our settings to minimise impact, ironic).


Cheers,
Franco
#16005
System: Settings: Administration, change your primary console to "efi", save and reboot.

You may have to switch to the "vt" driver there too (try which works better).


Cheers,
Franco