tl;dr: This was a result of NOT enabling "prefer IPv4" without IPv6 set up correctly. One remaining question at end of post.
Hello,
I installed OPNSense on Friday, and the default options after going through the Wizard worked well enough that all the computers/phones/tablets/TVs/etc. on my home network have internet access. Success. :)
I'm following the official update documentation, and one of the first things it has you do after a successful install is run an update. I did that in the console, using a display and keyboard hooked up to the computer I installed OPNSense on. It was spectacularly slow, but it installed or updated 85 packages, so I assume it did something.
This morning I changed mirrors to one in the US.
I also made sure to clear any external DNS servers from the settings, so Unbound is acting as a resolving server and just querying the root servers directly. When I do a DNS lookup in the diagnostics, it shows the only DNS server as being localhost (127.0.0.1), so it's not consulting any external servers. Good.
IPv6 is enabled (this is default behavior), and it identified the WAN-side IPv6 address. LAN side IPv6 is on (default behavior), but not working--AT&T Uverse Fiber requires some tweaking here that I just haven't done yet. I consider IPv6 optional and got sucked into the void of trying to update the firmware and finish setting up my network first.
"Prefer IPv4" is not enabled. Maybe it should be, since IPv6 isn't properly configured yet. (None of my client devices have v6 addresses right now.) I was afraid to click this without asking about it first.
Then the fun began.
Now, when I run an update check, I see this:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1.10 (amd64/OpenSSL) at Sun Jul 24 22:13:48 CDT 2022
Fetching changelog information, please wait... fetch: transfer timed out
fetch: /usr/local/opnsense/changelog/changelog.txz appears to be truncated: 0/252364 bytes
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 799 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (27 candidates): .......... done
Processing candidates (27 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
I should note that it takes minutes to get from "Your packages are up to date." to "DONE." Maybe that's normal. But what concerns me is this:
Fetching changelog information, please wait... fetch: transfer timed out
fetch: /usr/local/opnsense/changelog/changelog.txz appears to be truncated: 0/252364 bytes
I have no idea what's causing this, or how to fix it.
Moreover, it's not letting me see any available plugins. It just tells me to check for updates to see them. I do that, and ... nothing.
And sometimes I click in to the Firmware >> Status area and there's no information at all. The rest of the interface works but it's like this times out or something.
I could really use some help. I don't know if I have some sort of corrupted install or just don't know what I'm doing, but something is clearly not working correctly. I'm really frustrated at this point; I've spent hours today working on this and can't even install a dark mode theme.
EDIT: I just did it again, and suddenly it's telling me it needs to update the "kernel" and "base" packages. I guess those didn't come through when I did the update last night. More confused and mistrustful of my system being correctly installed than ever. :(
EDIT 2: I just tried to update the system since it told me there were two packages to install. I got the below failure mode. Something is seriously wrong here, I think.
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.10 (amd64/OpenSSL) at Sun Jul 24 23:05:05 CDT 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (27 candidates): .......... done
Processing candidates (27 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
Nothing to do.
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-22.1.9-amd64.txz: ...............................[fetch: transfer timed out
fetch: /var/cache/opnsense-update/38684/base-22.1.9-amd64.txz.sig appears to be truncated: 0/1332 bytes] failed, no signature found
***DONE***
EDIT 3: Telling it to prefer IPv4 seems to have improved the situation quite a bit--which makes sense, as upon further research it seems to be a known issue that if you have IPv6 set up incorrectly or otherwise not functional, and you try to hit an OPNSense mirror supporting IPv6, you're gonna get timeouts.
It identified missing packages AND now I can see the plugins list. Finally. :)
So, now I'm trying to update again from the console (option 19 in the menu when hooking a display up directly to the router box. Either these packages are huge, or the server it's downloading from is unspeakably slow, but it does seem to be working. Fetching new "base-22.1.9-amd64.txz" and "kernel-22.1.9-amd64.txz"--and there they go.
Installing and rebooting...
And we're back up, apparently!
New question: How hosed is my system likely to be since these two packages didn't install when I did the first system update that updated 85+ packages?
Try running a a Health Audit.
I had an issue when a firewall rebooted during a firmware upgrade and it wasn't all the correct level.
System > Firmware > Status (drop down box "Run an audit - Health")
Thanks!
I did one of these before, and it showed a misconfiguration of the base package and kernel--both were not the correct version. It also took hours.
I just ran another one. It took maybe a few minutes, and reported no issues.
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.1.10 (amd64/OpenSSL) at Mon Jul 25 00:08:06 CDT 2022
>>> Check installed kernel version
Version 22.1.9 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.1.9 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-theme-cicada 1.29
os-theme-rebellion 1.8.8
os-theme-tukan 1.25
os-theme-vicuna 1.41
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***
Amazing how much not having the "prefer IPv4" setting enabled when IPv6 isn't properly set up impacts. Wow.
So, do you think if I passed the health check that my system is okay, in spite of all those other packages getting updated BEFORE base and kernel?
I think so.
but, if you want to be a 100% safe, then the best is way is:
- backup your config
- Blow away the existing system and reload a fresh blank OPNsense at the latest level
- restore your config
it's my understanding that you can actually load up the backup'd configuration file during a clean install. Is that correct?
Correct. I forget the details but yes, the option was added about a year ago if memory is correct.