OPNsense Forum

Hello, upgraded from 22.1.10 to 22.7 and firmware updates no longer working
Default mirror can be pinged successfully

# /sbin/ping -4 -S '<WAN_IP>'  -c '3' 'pkg.opnsense.org'
PING pkg.opnsense.org (89.149.211.205) from <WAN_IP>: 56 data bytes
64 bytes from 89.149.211.205: icmp_seq=0 ttl=52 time=28.732 ms
64 bytes from 89.149.211.205: icmp_seq=1 ttl=52 time=28.761 ms
64 bytes from 89.149.211.205: icmp_seq=2 ttl=52 time=28.721 ms

--- pkg.opnsense.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 28.721/28.738/28.761/0.017 ms

checking for updates result in

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7 (amd64/OpenSSL) at Mon Aug  8 12:07:33 CEST 2022
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...

Any advice ?

Why not post the full connectivity audit. The fetch could still use IPv6 and fail.


Cheers,
Franco

Quote from: franco on August 08, 2022, 02:53:46 PM
Why not post the full connectivity audit. The fetch could still use IPv6 and fail.

I have no IPv6 connectivity and IPv6 is disabled in OPNsense

Please find below connectivity audit, it took lots of time because of the timeouts

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.7 (amd64/OpenSSL) at Mon Aug  8 15:55:58 CEST 2022
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Operation timed out
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.pkg: Operation timed out
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.txz: Operation timed out
Unable to update repository SunnyValley
Error updating repositories!
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Non-recoverable resolver failure
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository SunnyValley
Error updating repositories!
***DONE***

I was investigating further this issue and after setting up a new server with 22.1.10 and imported the latest backup taken before upgrading to 22.7 everything is working fine on the same network.
The issue with 22.7 is still persisting so the upgrade from 22.1.10 to 22.7 is broken somewhere as there are no changes in the configuration and the network is the same.
Any help in sorting out this issue would be appreciated.

Quote from: Nadir22 on August 10, 2022, 07:19:57 AM
I was investigating further this issue and after setting up a new server with 22.1.10 and imported the latest backup taken before upgrading to 22.7 everything is working fine on the same network.
The issue with 22.7 is still persisting so the upgrade from 22.1.10 to 22.7 is broken somewhere as there are no changes in the configuration and the network is the same.
Any help in sorting out this issue would be appreciated.

Sorry, I had a bit of an issue understanding what you are saying here... are you saying that the restoration of the latest backup corrected the issue? Or are you saying that it failed to correct the issue?

Also, this seems to be pretty similar to what I described in https://forum.opnsense.org/index.php?topic=29776.0 ... did you have similar findings throughout the course of your investigation?

same situation as above.
before upgrading everything was ok
please help Mr Franco
thanks a lot for opnsense
best regerds


upgraded from 22.1.10 to 22.7
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7_4 (amd64/OpenSSL) at Wed Aug 10 07:54:30 CEST 2022
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: No address record
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: No address record
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.pkg: No address record
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.txz: No address record
Unable to update repository SunnyValley
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.7_4 (amd64/OpenSSL) at Wed Aug 10 08:22:32 CEST 2022
No IPv4 address could be found for host: pkg.opnsense.org
No IPv6 address could be found for host: pkg.opnsense.org
***DONE***

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7_4 (amd64/OpenSSL) at Wed Aug 10 08:23:16 CEST 2022
>>> Check installed kernel version
Version 22.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
SunnyValley
OPNsense
>>> Check installed plugins
os-dnscrypt-proxy 1.12
os-dyndns 1.27_3
os-etpro-telemetry 1.6_1
os-intrusion-detection-content-snort-vrt 1.1_1
os-nextcloud-backup 1.0_1
os-sensei 1.11.4
os-sensei-updater 1.11
os-sunnyvalley 1.2_2
os-wireguard 1.11
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.80 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20200512_1 has no upstream equivalent
Checking packages: .
dnsmasq-2.86_4,1 has no upstream equivalent
Checking packages: .
dpinger-3.2 has no upstream equivalent
Checking packages: .
expiretable-0.6_2 has no upstream equivalent
Checking packages: .
filterlog-0.6 has no upstream equivalent
Checking packages: .
flock-2.37.2 has no upstream equivalent
Checking packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking packages: .
hostapd-2.10_5 has no upstream equivalent
Checking packages: .
ifinfo-13.0 has no upstream equivalent
Checking packages: .
iftop-1.0.p4 has no upstream equivalent
Checking packages: .
isc-dhcp44-relay-4.4.2P1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.2P1_1 has no upstream equivalent
Checking packages: .
lighttpd-1.4.65 has no upstream equivalent
Checking packages: .
monit-5.32.0 has no upstream equivalent
Checking packages: .
mpd5-5.9_9 has no upstream equivalent
Checking packages: .
ntp-4.2.8p15_5 has no upstream equivalent
Checking packages: .
openssh-portable-8.9.p1_4,1 has no upstream equivalent
Checking packages: .
openssl-1.1.1q,1 has no upstream equivalent
Checking packages: .
openvpn-2.5.7 has no upstream equivalent
Checking packages: .
opnsense-22.7_4 has no upstream equivalent
Checking packages: .
opnsense-installer-22.1 has no upstream equivalent
Checking packages: .
opnsense-lang-22.7 has no upstream equivalent
Checking packages: .
opnsense-update-22.7 has no upstream equivalent
Checking packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking packages: .
pftop-0.8 has no upstream equivalent
Checking packages: .
php80-ctype-8.0.20 has no upstream equivalent
Checking packages: .
php80-curl-8.0.20 has no upstream equivalent
Checking packages: .
php80-dom-8.0.20 has no upstream equivalent
Checking packages: .
php80-filter-8.0.20 has no upstream equivalent
Checking packages: .
php80-gettext-8.0.20 has no upstream equivalent
Checking packages: .
php80-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php80-ldap-8.0.20 has no upstream equivalent
Checking packages: .
php80-pdo-8.0.20 has no upstream equivalent
Checking packages: .
php80-pecl-radius-1.4.0b1_2 has no upstream equivalent
Checking packages: .
php80-phalcon-5.0.0.r2 has no upstream equivalent
Checking packages: .
php80-phpseclib-2.0.37 has no upstream equivalent
Checking packages: .
php80-session-8.0.20 has no upstream equivalent
Checking packages: .
php80-simplexml-8.0.20 has no upstream equivalent
Checking packages: .
php80-sockets-8.0.20 has no upstream equivalent
Checking packages: .
php80-sqlite3-8.0.20 has no upstream equivalent
Checking packages: .
php80-xml-8.0.20 has no upstream equivalent
Checking packages: .
php80-zlib-8.0.20 has no upstream equivalent
Checking packages: .
pkg-1.17.5_1 has no upstream equivalent
Checking packages: .
py39-Jinja2-3.0.1 has no upstream equivalent
Checking packages: .
py39-dnspython-2.2.1_1,1 has no upstream equivalent
Checking packages: .
py39-netaddr-0.8.0 has no upstream equivalent
Checking packages: .
py39-requests-2.28.1 has no upstream equivalent
Checking packages: .
py39-sqlite3-3.9.13_7 has no upstream equivalent
Checking packages: .
py39-ujson-5.0.0 has no upstream equivalent
Checking packages: .
py39-vici-5.9.3 has no upstream equivalent
Checking packages: .
radvd-2.19_1 has no upstream equivalent
Checking packages: .
rrdtool-1.7.2_6 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
squid-4.15 has no upstream equivalent
Checking packages: .
strongswan-5.9.6_2 has no upstream equivalent
Checking packages: .
sudo-1.9.11p3 has no upstream equivalent
Checking packages: .
suricata-6.0.6 has no upstream equivalent
Checking packages: .
syslog-ng-3.37.1 has no upstream equivalent
Checking packages: .
unbound-1.16.1 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.10_6 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***



Same for me.

From a browser https://pkg.opnsense.org/FreeBSD:13:amd64/22.7 works fine.


***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.7_4 (amd64/OpenSSL) at Tue Aug  9 17:11:20 CEST 2022
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***


ping from OpnSense box isn't working, from a PC connecting through this box it does work however.

# /sbin/ping -4 -c '3' 'pkg.opnsense.org'
PING pkg.opnsense.org (89.149.211.205): 56 data bytes

--- pkg.opnsense.org ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


other hints:

# /sbin/ping -4 -c '3' 'google.com'
ping: cannot resolve google.com: Host name lookup failure

# /sbin/ping -4 -c '3' 'pkg.opnsense.org'
ping: cannot resolve pkg.opnsense.org: Host name lookup failure

# /sbin/ping -4 -c '3' '89.149.211.205'
PING 89.149.211.205 (89.149.211.205): 56 data bytes

--- 89.149.211.205 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

behind the firewall, ping seems ok

# /sbin/ping -4 -c '3' '192.168.x0.y0y'
PING 192.168.x0.y0y (192.168.x0.y0y): 56 data bytes
64 bytes from 192.168.x0.y0y: icmp_seq=0 ttl=255 time=0.321 ms
64 bytes from 192.168.x0.y0y: icmp_seq=1 ttl=255 time=0.436 ms
64 bytes from 192.168.x0.y0y: icmp_seq=2 ttl=255 time=0.448 ms

--- 192.168.x0.y0y ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.321/0.402/0.448/0.057 ms

inside lan, dmz, ... we can reach everything

I have what appears to be a similar problem, but had noticed this behaviour since 22.1.4 on an apu4 router.  I was hoping 22.7 would have resolved it, but it is still there.  This has made me stick with 22.1.2_2 which works fine without any such problem.

There seems to be some connectivity problem specifically over https.  Most https websites, e.g. https://forum.opnsense.org time out.  Same with happens with any attempt to run an opnsense update after initial installation.  I can ping the domains I am attempting to connect to, but cannot connect over https due to timeouts.  Starting with a basic configuration and looking at the live firewall logs, there are no indications of default rules causing blocking on the affected websites.  I don't think I have a DNS issue, because names can be resolved.  Some https websites can connect, but with huge latency.  This is what I got from a PC on the LAN as I was trying to get 22.7 to work with a website which did NOT time out:
~ $ httping -l -g https://www.bbc.co.uk/
PING www.bbc.co.uk:443 (/):
connected to 212.58.233.254:443 (3592 bytes), seq=0 time=3414.96 ms
connected to 212.58.233.254:443 (3592 bytes), seq=1 time=3429.68 ms
connected to 212.58.237.254:443 (3593 bytes), seq=2 time=3411.07 ms
--- https://www.bbc.co.uk/ ping statistics ---
3 connects, 3 ok, 0.00% failed, time 12257ms
round-trip min/avg/max = 3411.1/3418.6/3429.7 ms
~ $ ping -c 4 212.58.233.254
PING 212.58.233.254 (212.58.233.254) 56(84) bytes of data.
64 bytes from 212.58.233.254: icmp_seq=1 ttl=54 time=17.7 ms
64 bytes from 212.58.233.254: icmp_seq=2 ttl=54 time=16.8 ms

This is the result when connecting with 22.1.2_2:
~ $ httping -l -g https://www.bbc.co.uk/
PING www.bbc.co.uk:443 (/):
connected to 212.58.233.252:443 (3592 bytes), seq=0 time= 73.40 ms
connected to 212.58.233.252:443 (3592 bytes), seq=1 time= 71.60 ms
--- https://www.bbc.co.uk/ ping statistics ---
2 connects, 2 ok, 0.00% failed, time 2099ms
round-trip min/avg/max = 71.6/72.5/73.4 ms
~ $ ping -c 4 212.58.237.252
PING 212.58.237.252 (212.58.237.252) 56(84) bytes of data.
64 bytes from 212.58.237.252: icmp_seq=1 ttl=55 time=16.7 ms
64 bytes from 212.58.237.252: icmp_seq=2 ttl=55 time=17.2 ms
--- 212.58.237.252 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 16.690/16.963/17.237/0.273 ms
If you need particular logs to help troubleshoot this, please let me know how/where I could get them - I'm new on opnsense.

is it normal i see 22.7.1, 22.7 (installed) with changelog instead of 22.7_4 ?
is it discrepancy?

Lobby.dashboard
Versions   OPNsense 22.7_4-amd64
FreeBSD 13.1-RELEASE
OpenSSL 1.1.1q 5 Jul 2022
Updates   Click to view pending updates.
CPU type   Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (4 cores, 8 threads)
Memory usage  18 % ( 2953/16244 MB )
Disk usage 1% / [ufs] (4.2G/424G)

System:Firmware:status
Type   opnsense   
Version   22.7_4   
Architecture   amd64   
Flavour   OpenSSL   
Commit   909dcabd5   
Mirror   https://pkg.opnsense.org/FreeBSD:13:amd64/22.7   
Repositories   OPNsense, SunnyValley   
Updated on   Wed Aug 10 00:21:08 CEST 2022   
Checked on   Wed Aug 10 10:48:45 CEST 2022

System:Firmware: changelog
Version   Date   
22.7.1   2022-08-09   
22.7 (installed)   2022-07-28   
22.1.10   2022-07-07

Also getting the exact same problem.  Protectli VP2410 - 4 Port Intel.  Previous responded ping tests fail, timeouts when updating with 3 different mirrors.

Quote from: cpower on August 10, 2022, 08:13:15 AM

Quote from: Nadir22 on August 10, 2022, 07:19:57 AM
I was investigating further this issue and after setting up a new server with 22.1.10 and imported the latest backup taken before upgrading to 22.7 everything is working fine on the same network.
The issue with 22.7 is still persisting so the upgrade from 22.1.10 to 22.7 is broken somewhere as there are no changes in the configuration and the network is the same.
Any help in sorting out this issue would be appreciated.

Sorry, I had a bit of an issue understanding what you are saying here... are you saying that the restoration of the latest backup corrected the issue? Or are you saying that it failed to correct the issue?

Also, this seems to be pretty similar to what I described in https://forum.opnsense.org/index.php?topic=29776.0 ... did you have similar findings throughout the course of your investigation?

I was just saying that I installed a new 22.1.10 server and restored the latest backup of the 22.1.10 taken just before upgrading the other node to 22.7 and everything is working fine with updates, so the issue reported here is caused by the upgrade to 22.7

Quote from: SCSi on August 11, 2022, 02:55:45 AM
Also getting the exact same problem.  Protectli VP2410 - 4 Port Intel.  Previous responded ping tests fail, timeouts when updating with 3 different mirrors.

The upgrade to 22.7 is definitely broken, probably something has been corrected in newer 22.7 updates however I am unable to move forward after upgrading to 22.7, the newer updates can't be installed anymore because all mirrors are unreachable.

I have updated a handful of firewalls to 22.1 and two to 22.7 and I have never seen this problem.

The key issue seems to revolve around IPv6 connectivity in my opinion. I have working IPv6 everywhere.

Do your setups possibly have no IPv6 routing? The error messages look like the OPNsense tries to communicate via IPv6 for "reasons" without having a proper IPv6 uplink.

HTH,
Patrick

small lan (pcs linuxmint or win, mac, microservers ubuntu/linuxmint - ufw no ipv6,  managed switch -no ipv6, wifi) -> firewall (no ipv6 in initial setup-> box internet provider (no ipv6).

The initial setup was made without ipv6.

No change was made recently (without exception regular update)

If somebody tells me where I can can double check the config, i will...

Other  facts:

system logfiles bakend
2022-08-10T08:16:46   Error   configd.py   [d5095e33-7fea-4571-bb7e-c463be8a315e] Script action failed with Command 'pkg update -q && pkg rquery -U "%n|||%v|||%c|||%sh|||0|||0|||%L|||%R|||%o" ' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 482, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command 'pkg update -q && pkg rquery -U "%n|||%v|||%c|||%sh|||0|||0|||%L|||%R|||%o" ' returned non-zero exit status 1.   
2022-08-10T07:56:30   Error   configd.py   Timeout (120) executing : firmware remote   
2022-08-10T01:50:22   Error   configd.py   [677b51f3-0277-4d8d-a4ce-d568a1b36010] Script action stderr returned "b'pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: No address record\npkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: No address record\npkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz'"

system logfiles general
2022-08-11T00:22:32   Error   opnsense   /usr/local/etc/rc.newwanip: On (IP address: 192.168.2.131) (interface: WAN[wan]) (real interface: igb1).   
2022-08-11T00:22:32   Error   opnsense   /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'   
2022-08-11T00:22:32   Error   dhclient   unknown dhcp option value 0x7d   
2022-08-11T00:19:42   Error   send_heartbeat.py   connection error sending heartbeat to https://opnsense.emergingthreats.net/api/v1/telemetry

Quote from: pmhausen on August 11, 2022, 09:42:40 AM
I have updated a handful of firewalls to 22.1 and two to 22.7 and I have never seen this problem.

The key issue seems to revolve around IPv6 connectivity in my opinion. I have working IPv6 everywhere.

Do your setups possibly have no IPv6 routing? The error messages look like the OPNsense tries to communicate via IPv6 for "reasons" without having a proper IPv6 uplink.

HTH,
Patrick

I think you figured out what was wrong.  I'm on a ipv4 network only (no ipv6). 

Since the upgrade remote syslog stopped working (Syslog connection failed; fd='33', server='AF_INET(ip.v4.addy.here:514)', error='Operation timed out (60)', time_reopen='60')

Behind the OPNSense I can hit the syslog port fine on TCP and UDP.

NTP gives no active peers.  I havent changed any settings with those 2 service since the upgrade.


Edit: On my install at home on a VM + full ipv6, the upgrade went flawlessly and everything works.

I don't think this is an IPv4 Vs IPv6 problem, at least this is not the problem with my apu box.  I tried again today, clean install of 22.7 and loaded up the 22.1 config.  After booting I tried an update and it hangs for ever, unable to connect to the server over https, although I can ping pkg.opnsense.org from the router and a PC on the LAN.
~ $ ping -c 3 pkg.opnsense.org
PING pkg.opnsense.org(2001:1af8:4f00:a005:5:: (2001:1af8:4f00:a005:5::)) 56 data bytes
64 bytes from 2001:1af8:4f00:a005:5:: (2001:1af8:4f00:a005:5::): icmp_seq=1 ttl=55 time=23.2 ms
64 bytes from 2001:1af8:4f00:a005:5:: (2001:1af8:4f00:a005:5::): icmp_seq=2 ttl=55 time=23.1 ms
64 bytes from 2001:1af8:4f00:a005:5:: (2001:1af8:4f00:a005:5::): icmp_seq=3 ttl=55 time=23.5 ms

--- pkg.opnsense.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 23.064/23.263/23.506/0.183 ms
~ $ ping -4 -c 3 pkg.opnsense.org
PING  (89.149.211.205) 56(84) bytes of data.
64 bytes from 89.149.211.205 (89.149.211.205): icmp_seq=1 ttl=57 time=24.4 ms
64 bytes from 89.149.211.205 (89.149.211.205): icmp_seq=2 ttl=57 time=25.6 ms
64 bytes from 89.149.211.205 (89.149.211.205): icmp_seq=3 ttl=57 time=25.6 ms

---  ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 24.445/25.217/25.629/0.546 ms

Connecting over http works:
~ $ httping -c 3 -g http://pkg.opnsense.org
PING pkg.opnsense.org:80 (/):
connected to 89.149.211.205:80 (134 bytes), seq=0 time= 47.72 ms
connected to 89.149.211.205:80 (134 bytes), seq=1 time= 47.72 ms
connected to 89.149.211.205:80 (134 bytes), seq=2 time= 50.31 ms
--- http://pkg.opnsense.org/ ping statistics ---
3 connects, 3 ok, 0.00% failed, time 3147ms
round-trip min/avg/max = 47.7/48.6/50.3 ms
~ $ httping -6 -c 3 -g http://pkg.opnsense.org
PING pkg.opnsense.org:80 (/):
connected to [2001:1af8:4f00:a005:5::]:80 (134 bytes), seq=0 time= 55.21 ms
connected to [2001:1af8:4f00:a005:5::]:80 (134 bytes), seq=1 time= 54.93 ms
connected to [2001:1af8:4f00:a005:5::]:80 (134 bytes), seq=2 time= 50.28 ms
--- http://pkg.opnsense.org/ ping statistics ---
3 connects, 3 ok, 0.00% failed, time 3162ms
round-trip min/avg/max = 50.3/53.5/55.2 ms

Over https fails no matter how long I wait:
~ $ httping -c 3 -l -g https://pkg.opnsense.org
PING pkg.opnsense.org:443 (/):
^CGot signal 2


What could be causing this problem?

tcpdump on WAN and look at the packets ...

Disabling gateway switching worked for me.

See my post in another thread here: https://forum.opnsense.org/index.php?topic=29776.msg143957#msg143957

So more info:

1. ipv4 only, but gateway-switching disabled (it was enabled): it kept on erroring UNTIL a reboot.  After a reboot everything started working again.

So it looks like if you disable gateway-switching like previous posts said, you need to reboot.

Dear all,

I faced similar issues. I activated "Do not use the local DNS service as a nameserver for this system" and I worked. Switching back to the previous setting (Deactivated the setting again) and still fine.

br

Quote from: pmhausen on August 11, 2022, 08:47:10 PM
tcpdump on WAN and look at the packets ...

Thank you pmhausen.  I had some time today, so I looked into it with tcpdump and discovered it had to do with my MTU setting.  I should have thought of this sooner! ::)  I had set MTU 1508 on WAN so that I get 1500 on PPPoE.  This worked with 22.1.2, but not thereafter.  Leaving the WAN MTU setting empty in the Wizard meant I was able to connect to the update server, setting it to 1508 caused it to fail.

So I ran 'ifconfig igb0 mtu 1508' to set it on the port, restarted the WAN interface and it now works as expected.

PS. I had checked the gateway switching setting earlier which was also recommended, but I always had this disabled.

None of the options worked for me
- Disabling gateway switching (wasn't on before but enabled and disabled with restarts after each change)
- Do not use the local DNS service as a nameserver for this system
- MTU is using default 1500

This breaks opensense update and Lets Encrypt certificate update.

# /sbin/ping -4 -c '3' 'example.com'
PING example.com (93.184.216.34): 56 data bytes

--- example.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

When I set the source for the ping it works


# /sbin/ping -4 -S '185.151.22.135'  -c '3' '93.184.216.34'
PING 93.184.216.34 (93.184.216.34) from 185.151.22.135: 56 data bytes
64 bytes from 93.184.216.34: icmp_seq=0 ttl=58 time=92.916 ms
64 bytes from 93.184.216.34: icmp_seq=1 ttl=58 time=92.944 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=58 time=92.844 ms

--- 93.184.216.34 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 92.844/92.901/92.944/0.042 ms


Any ideas what I can do next?

I finally have a fix for my problem.

Found it in topic "All traffic not bound to specific interface leaves firewall as 0.0.0.0" -> https://forum.opnsense.org/index.php?topic=29992.0