OPNsense Forum
Archive => 20.7 Legacy Series => Topic started by: FullyBorked on August 07, 2020, 07:31:57 pm
-
This isn't comprehensive by any means, but outlines what I am experiencing. I've not found any workarounds for these issues. I consider 1 and 2 more serious than the others. I'll try and keep this up to date as issues are resolved or more are encountered.
1. WAN throughput is very slow IPS on or off doesn't matter, I'm only getting about 15% of my actual WAN bandwidth. A reboot fixes the issue temporarily but at some point it will drop back to being slow. >:(
Edit: Messing with my power settings https://forum.opnsense.org/index.php?topic=18450.0 seemed to "fix" this somehow. Very confused, maybe it was stuck in a low power mode? No idea but my speed is fine now, maybe try cycling your power settings.
2. GEO IP Alias simply doesn't work, the zip file is being downloaded from maxmind.com but the alias won't populate, so any rules containing the alias fail to correctly function.
Workaround (Credit: @Goldorak92 pointed out @Julien who detailed it in https://forum.opnsense.org/index.php?topic=18628.0): Setting Firewall > Settings > Advanced > "Firewall Maximum Table Entries" set to 400,000 allows the table to fill and GeoIP filtering to function correctly.
3. Dashboard traffic graphs don't show data with IPS enabled. I'm on an Intel NIC, some have suggested it's driver related. Worked ok in 20.1.9 though maybe there is a bug in the latest driver? No workaround has resolved the issue as of yet.
Fixed in 2.1
4. Syslog-NG service doesn't start on it's own after reboot. Starting it manually does seem to work, but is inconvenient after reboot.
This appears to be fixed with 20.7.1.
4. Restarting suricata service sometimes stops the ntpd service for some reason. It can be manually started.
This appears to be fixed.
5. Bogons alias is inexplicably empty at times. Firewall > Diagnostics > pftables > bogons > "update bogons" does populate the list.
This appears to be fixed.
6. Seeing log spam just like https://forum.opnsense.org/index.php?topic=18480.msg84175#msg84175 constantly in the log. Not sure if this is cause of issue #1 or not.
kernel: pflog0: promiscuous mode enabled
kernel: pflog0: promiscuous mode disabled
-
I'm very new in OPNsense, but test installation had on 20.1 and when decided to install for real, 20.7 was released and I installed it.
As I'm new in that topic I wasnt speeding in installation, but in current situation machine didn't take its place and I'm considering to install something else - but can I install 20.1 and not upgrade to 20.7?
For me errors are:
1. If I leave Lobby/Dashboard page open (or any other page with graphs) it is very likely page will crash and will stop refreshing.
2. Two times I experiencet total freez with kernel panic- had to manually restart machine.
3. Quiet often while visiting web interface I'm getting information that there was an problem and I should send crash raport. Which mean machine did crash and restart in meantime.
I'm not using anything specific of plugins, not even Shaping configured yet - just OpenVPN and ZeroTier, and actually just through OpenVPN some data are being transfered. Installation on AMD64 architecture.
-
@FullyBorked: I'm having the issues #3 and #4 (both) too.
I've reported issue #3 some minutes ago (https://github.com/opnsense/core/issues/4272)
Regarding syslog-ng there are several reports of users which having the same or other issues (https://github.com/opnsense/core/issues/4263)
-
@FullyBorked: I'm having the issues #3 and #4 (both) too.
I've reported issue #3 some minutes ago (https://github.com/opnsense/core/issues/4272)
Regarding syslog-ng there are several reports of users which having the same or other issues (https://github.com/opnsense/core/issues/4263)
I updated my post. The syslog service issue is resolved in 20.7.1. If you haven't yet it's worth updating. Hasn't made anything worse at least.
-
Had the same issue after updating to 20.7.1, strangely 20.7.0 was OK. Here's how I got Geo IP Alias working again. delete the Alias, delete the rule. Create the alias again and then create the rule again...
syslog-ng still has a problem, it's known about and we're trying to get to the root of it.
Other issues not seen, other than syslog-ng, all working nicely.
-
This isn't comprehensive by any means, but outlines what I am experiencing. I've not found any workarounds for these issues. I consider 1 and 2 more serious than the others. I'll try and keep this up to date as issues are resolved or more are encountered.
1. WAN throughput is very slow IPS on or off doesn't matter, I'm only getting about 15% of my actual WAN bandwidth. A reboot fixes the issue temporarily but at some point it will drop back to being slow. >:(
Edit: Messing with my power settings https://forum.opnsense.org/index.php?topic=18450.0 seemed to "fix" this somehow. Very confused, maybe it was stuck in a low power mode? No idea but my speed is fine now, maybe try cycling your power settings.
2. GEO IP Alias simply doesn't work, the zip file is being downloaded from maxmind.com but the alias won't populate, so any rules containing the alias fail to correctly function.
3. Dashboard traffic graphs don't show data with IPS enabled. I'm on an Intel NIC, some have suggested it's driver related. Worked ok in 20.1.9 though maybe there is a bug in the latest driver? No workaround has resolved the issue as of yet.
4. Syslog-NG service doesn't start on it's own after reboot. Starting it manually does seem to work, but is inconvenient after reboot. This appears to be fixed with 20.7.1.
4. Restarting suricata service sometimes stops the ntpd service for some reason. It can be manually started.
5. Bogons alias is inexplicably empty at times. Firewall > Diagnostics > pftables > bogons > "update bogons" does populate the list.
6. Seeing log spam just like https://forum.opnsense.org/index.php?topic=18480.msg84175#msg84175 constantly in the log. Not sure if this is cause of issue #1 or not.
kernel: pflog0: promiscuous mode enabled
kernel: pflog0: promiscuous mode disabled
I have observed many of the same issues. #3,4,5,6 are the ones that seem to also affect my installation.
No observed issue with bandwidth slowdowns (#1), even with IPS and traffic shaping turned on. Power Saving settings have "Use PowerD" enabled and Hiadaptive set for all drop downs.
I'm not sure if I have seen a problem with GeoIPs (#2). I checked pfTables and see GeoIPs being filled in for all the Alias. Also "Firewall: Aliases > GeoIP settings tab" claims last update was 2020-08-14T20:38:26. Maybe the install I am looking at is OK, not sure how to test it.
-
This isn't comprehensive by any means, but outlines what I am experiencing. I've not found any workarounds for these issues. I consider 1 and 2 more serious than the others. I'll try and keep this up to date as issues are resolved or more are encountered.
1. WAN throughput is very slow IPS on or off doesn't matter, I'm only getting about 15% of my actual WAN bandwidth. A reboot fixes the issue temporarily but at some point it will drop back to being slow. >:(
Edit: Messing with my power settings https://forum.opnsense.org/index.php?topic=18450.0 seemed to "fix" this somehow. Very confused, maybe it was stuck in a low power mode? No idea but my speed is fine now, maybe try cycling your power settings.
2. GEO IP Alias simply doesn't work, the zip file is being downloaded from maxmind.com but the alias won't populate, so any rules containing the alias fail to correctly function.
3. Dashboard traffic graphs don't show data with IPS enabled. I'm on an Intel NIC, some have suggested it's driver related. Worked ok in 20.1.9 though maybe there is a bug in the latest driver? No workaround has resolved the issue as of yet.
4. Syslog-NG service doesn't start on it's own after reboot. Starting it manually does seem to work, but is inconvenient after reboot. This appears to be fixed with 20.7.1.
4. Restarting suricata service sometimes stops the ntpd service for some reason. It can be manually started.
5. Bogons alias is inexplicably empty at times. Firewall > Diagnostics > pftables > bogons > "update bogons" does populate the list.
6. Seeing log spam just like https://forum.opnsense.org/index.php?topic=18480.msg84175#msg84175 constantly in the log. Not sure if this is cause of issue #1 or not.
kernel: pflog0: promiscuous mode enabled
kernel: pflog0: promiscuous mode disabled
I have observed many of the same issues. #3,4,5,6 are the ones that seem to also affect my installation.
No observed issue with bandwidth slowdowns (#1), even with IPS and traffic shaping turned on. Power Saving settings have "Use PowerD" enabled and Hiadaptive set for all drop downs.
I'm not sure if I have seen a problem with GeoIPs (#2). I checked pfTables and see GeoIPs being filled in for all the Alias. Also "Firewall: Aliases > GeoIP settings tab" claims last update was 2020-08-14T20:38:26. Maybe the install I am looking at is OK, not sure how to test it.
I've seen a few folks that have been able to get GeoIP working. Really wish I could get one of the workarounds to work for me. I've deleted and recreated and even deleted rebooted and recreated to no avail. Nothing I do will fill in anything in the pftables under the alias. My download of the zip appears to be working as it should.
-
I'm not sure if I have seen a problem with GeoIPs (#2). I checked pfTables and see GeoIPs being filled in for all the Alias. Also "Firewall: Aliases > GeoIP settings tab" claims last update was 2020-08-14T20:38:26. Maybe the install I am looking at is OK, not sure how to test it.
Is it the GUI not displaying the GeoIP table or that GeoIP is not working.
Test the GUI by going to Firewall > Diagnostics > pftables and selecting the GeoIP rules to see what's there.
Test it's working by going to a site such as https://www.host-tracker.com/v3/en/check (https://www.host-tracker.com/v3/en/check) - there are many others.
-
I'm not sure if I have seen a problem with GeoIPs (#2). I checked pfTables and see GeoIPs being filled in for all the Alias. Also "Firewall: Aliases > GeoIP settings tab" claims last update was 2020-08-14T20:38:26. Maybe the install I am looking at is OK, not sure how to test it.
Is it the GUI not displaying the GeoIP table or that GeoIP is not working.
Test the GUI by going to Firewall > Diagnostics > pftables and selecting the GeoIP rules to see what's there.
Test it's working by going to a site such as https://www.host-tracker.com/v3/en/check (https://www.host-tracker.com/v3/en/check) - there are many others.
GUI not displaying GeoIP table and the GeoIP is not working. Soon as I enable it nobody can connect to anything. Remove the GeoIP rule and add any as the source and all is fine again. It doesn't work because the list is empty so there is no match on the rule and the default drop rule takes precedence.
-
Force it and then try.
https://forum.opnsense.org/index.php?topic=15409.60 (https://forum.opnsense.org/index.php?topic=15409.60) Msg #62
-
Force it and then try.
https://forum.opnsense.org/index.php?topic=15409.60 (https://forum.opnsense.org/index.php?topic=15409.60) Msg #62
Yea I've done this, I deleted everything and re-added them as mentioned in a few places. I even created a test alias with a name I'd never used with only one country. It simply refuses to work. I can't seem to find any logs to understand why though.
It's ok that it isn't working I'm sure it's just a bug that will get squashed. It worked just fine in 20.1.9 so I see no reason it won't work here soon. Maybe they'll have it squashed in the next point release.
Sent from my GM1917 using Tapatalk
-
Hi,
Have you went to firewall->params and change the max entries pfTables up to 400.000 (default is 200.000)?
Goldorak92
-
Hi,
Have you went to firewall->params and change the max entries pfTables up to 400.000 (default is 200.000)?
Goldorak92
Mine is set to 802000 by default.
Sent from my GM1917 using Tapatalk
-
@oscarr
Had the same issue two days ago. Didn't know why my master crashed and secondary didn't kick in. Had to drive about an hour/half to hard power down the master to get networking up again.
I believe leaving the dashboard opened for extended period of time was the cause, since that what happened in my case as you mentioned above.
Never had any issue like this prior.
Thanks.
Richard
-
@FullyBorked,
Not "max firewall states", which is 806000, but "max pfTables entries"...
Goldorak92
-
@FullyBorked,
Not "max firewall states", which is 806000, but "max pfTables entries"...
Goldorak92
Crap, you are right, I'm dumb and can't read apparently. And thank you very much because the fixed it. I have entries now. Awesome, so glad that filled that list now.
-
Ok cool, glad that fixed it
(and this is thanks to @Julien who detailled it in https://forum.opnsense.org/index.php?topic=18628.0)
Goldorak92
-
5. Bogons alias is inexplicably empty at times. Firewall > Diagnostics > pftables > bogons > "update bogons" does populate the list.
Sorted by @Ad, 20.7.2 will carry the fix or patch ID 77aa218
-
Is anyone having issues losing DNS? I have Unbound running and I can no longer resolve. I feel like this starts when I upgraded to 20.7.1.
I am going to fall back to 20.7 and see if DNS resolution stays steady.
-
Is anyone having issues losing DNS? I have Unbound running and I can no longer resolve. I feel like this starts when I upgraded to 20.7.1.
I am going to fall back to 20.7 and see if DNS resolution stays steady.
DNS has been solid for me. I had some issues like you describe when i was forwarding to DNSCrypt Proxy. But now I just use unbound on it's own and it seems fine so far.
-
On the GEOIP issue a few clues and tips. If you look at the GeoIP settings it is reporting as of current 395854 ranges, if the table is 200000 by default then that makes sense. I set mine to 500000 for some space as less than 5000 entries sounds too small to me.
For the easy way to know if it is working just click the apply button on the GeoIP settings page. If the table is overflowing it will report back a generic error, would be really nice if it gave some details. Once you up the table size and go back to GeoIP settings, clicking the Apply button no longer gives an error.
-
Just to revist this thread:
The following issue 6. is due to some task doing a capture task - i.e. netmap, tcpdump etc.
Its not a new issue and has been around for freebsd for a while - its not really an issue, its just telling you that packet capture is happening.
6. Seeing log spam just like https://forum.opnsense.org/index.php?topic=18480.msg84175#msg84175 constantly in the log. Not sure if this is cause of issue #1 or not.
Code: [Select]
kernel: pflog0: promiscuous mode enabled
kernel: pflog0: promiscuous mode disabled
In terms of random disconnects, having run the latest 20.7.5 version of opnsense that is based on the freebsd 12.1, there is some tweaking required for the sysctl kernel settings and nic settings.
For my router, i've disabled mostly known issues - LRO, TSO, HWCHKSUM for nics, the 'EEE' energy settings to off. Tweaked the network stack
Also be aware there is some sort of driver transition going on with intel drivers in the newer freebsd releases, so old tweaks need updating based on the latest freebsd man pages i.e. https://www.freebsd.org/cgi/man.cgi?query=iflib
Pfsense 2.5 is suffering from the same teething issues and reason its not released yet.
-
I seem to have an UI issue that I only seem to encounter on 1 of my boxes on 20.7.5. This is an upgrade and the other is a clean install.
PHP Warning: in_array() expects parameter 2 to be array, null given in /usr/local/www/system_general.php on line 434
Seems to be related to this code :
<?php
foreach (legacy_config_get_interfaces(array('virtual' => false, "enable" => true)) as $iface => $ifcfg):?>
<option value="<?=$iface;?>" <?=in_array($iface, $pconfig['dnsallowoverride_exclude']) ? "selected='selected'" : "";?>>
<?= $ifcfg['descr'] ?>
</option>
-
Thanks for bringing this back up. I bout forgot about it. I've updated it a bit to better reflect my current experience.