OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: santi.benejam on March 21, 2023, 08:41:54 AM

Title: [SOLVED] Cannot update to latest patches
Post by: santi.benejam on March 21, 2023, 08:41:54 AM
I upgraded to OPNsense 23.1 and I get these errors in the connectivity audit.
Suricata emerging rules not updating.

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.1_6 at Tue Mar 21 08:13:21 CET 2023
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=50 time=59.467 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=50 time=62.226 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=50 time=59.678 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=50 time=59.301 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 59.301/60.168/62.226/1.196 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***
Title: Re: Cannot update to latest patches
Post by: santi.benejam on March 21, 2023, 08:48:20 AM
I can ping pkg.opnsense.org from the console.
ping pkg.opnsense.org
PING pkg.opnsense.org (89.149.211.205): 56 data bytes
64 bytes from 89.149.211.205: icmp_seq=0 ttl=50 time=58.724 ms
64 bytes from 89.149.211.205: icmp_seq=1 ttl=50 time=59.299 ms
64 bytes from 89.149.211.205: icmp_seq=2 ttl=50 time=59.112 ms
64 bytes from 89.149.211.205: icmp_seq=3 ttl=50 time=58.237 ms
64 bytes from 89.149.211.205: icmp_seq=4 ttl=50 time=58.720 ms
64 bytes from 89.149.211.205: icmp_seq=5 ttl=50 time=59.095 ms
64 bytes from 89.149.211.205: icmp_seq=6 ttl=50 time=58.481 ms
64 bytes from 89.149.211.205: icmp_seq=7 ttl=50 time=58.477 ms
64 bytes from 89.149.211.205: icmp_seq=8 ttl=50 time=59.455 ms
64 bytes from 89.149.211.205: icmp_seq=9 ttl=50 time=58.424 ms
64 bytes from 89.149.211.205: icmp_seq=10 ttl=50 time=58.432 ms
64 bytes from 89.149.211.205: icmp_seq=11 ttl=50 time=58.549 ms
64 bytes from 89.149.211.205: icmp_seq=12 ttl=50 time=65.933 ms
64 bytes from 89.149.211.205: icmp_seq=13 ttl=50 time=58.496 ms
64 bytes from 89.149.211.205: icmp_seq=14 ttl=50 time=58.185 ms
64 bytes from 89.149.211.205: icmp_seq=15 ttl=50 time=59.128 ms
64 bytes from 89.149.211.205: icmp_seq=16 ttl=50 time=59.122 ms
64 bytes from 89.149.211.205: icmp_seq=17 ttl=50 time=59.091 ms
64 bytes from 89.149.211.205: icmp_seq=18 ttl=50 time=58.743 ms
^C
--- pkg.opnsense.org ping statistics ---
19 packets transmitted, 19 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 58.185/59.142/65.933/1.641 ms
Title: Re: Cannot update to latest patches
Post by: santi.benejam on March 21, 2023, 08:53:23 AM
System: Firmware
Status
Settings
Changelog
Updates
Plugins
Packages
Type: opnsense
Version: 23.1_6
Architecture: amd64
Flavour: OpenSSL
Commit: 6621e1999
Mirror: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
Repositories: OPNsense
Updated on: Tue Mar 21 06:57:11 CET 2023
Checked on: N/A
Title: Re: Cannot update to latest patches
Post by: santi.benejam on March 21, 2023, 08:56:09 AM
More info from Health Audit

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.1_6 at Tue Mar 21 08:54:39 CET 2023
>>> Check installed kernel version
Version 23.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-clamav 1.8
os-ddclient 1.9_2
os-dmidecode 1.1_1
os-dyndns 1.27_3
os-net-snmp 1.5_2
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.87 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20200512_1 has no upstream equivalent
Checking packages: .
dnsmasq-2.88_1,1 has no upstream equivalent
Checking packages: .
dpinger-3.2 has no upstream equivalent
Checking packages: .
expiretable-0.6_2 has no upstream equivalent
Checking packages: .
filterlog-0.6 has no upstream equivalent
Checking packages: .
flock-2.37.2 has no upstream equivalent
Checking packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking packages: .
hostapd-2.10_5 has no upstream equivalent
Checking packages: .
ifinfo-13.0 has no upstream equivalent
Checking packages: .
iftop-1.0.p4 has no upstream equivalent
Checking packages: .
isc-dhcp44-relay-4.4.3P1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.3P1 has no upstream equivalent
Checking packages: .
lighttpd-1.4.67 has no upstream equivalent
Checking packages: .
monit-5.32.0 has no upstream equivalent
Checking packages: .
mpd5-5.9_13 has no upstream equivalent
Checking packages: .
ntp-4.2.8p15_5 has no upstream equivalent
Checking packages: .
openssh-portable-8.9.p1_4,1 has no upstream equivalent
Checking packages: .
openssl-1.1.1s,1 has no upstream equivalent
Checking packages: .
openvpn-2.5.8 has no upstream equivalent
Checking packages: .
opnsense-23.1_6 has no upstream equivalent
Checking packages: .
opnsense-installer-23.1 has no upstream equivalent
Checking packages: .
opnsense-lang-22.7.3 has no upstream equivalent
Checking packages: .
opnsense-update-23.1 has no upstream equivalent
Checking packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking packages: .
pftop-0.8_2 has no upstream equivalent
Checking packages: .
php81-ctype-8.1.14 has no upstream equivalent
Checking packages: .
php81-curl-8.1.14 has no upstream equivalent
Checking packages: .
php81-dom-8.1.14 has no upstream equivalent
Checking packages: .
php81-filter-8.1.14 has no upstream equivalent
Checking packages: .
php81-gettext-8.1.14 has no upstream equivalent
Checking packages: .
php81-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php81-ldap-8.1.14 has no upstream equivalent
Checking packages: .
php81-pdo-8.1.14 has no upstream equivalent
Checking packages: .
php81-pecl-radius-1.4.0b1_2 has no upstream equivalent
Checking packages: .
php81-phalcon-5.1.4 has no upstream equivalent
Checking packages: .
php81-phpseclib-3.0.18 has no upstream equivalent
Checking packages: .
php81-session-8.1.14 has no upstream equivalent
Checking packages: .
php81-simplexml-8.1.14 has no upstream equivalent
Checking packages: .
php81-sockets-8.1.14 has no upstream equivalent
Checking packages: .
php81-sqlite3-8.1.14 has no upstream equivalent
Checking packages: .
php81-xml-8.1.14 has no upstream equivalent
Checking packages: .
php81-zlib-8.1.14 has no upstream equivalent
Checking packages: .
pkg-1.19.1_1 has no upstream equivalent
Checking packages: .
py39-Jinja2-3.1.2 has no upstream equivalent
Checking packages: .
py39-dnspython-2.2.1_1,1 has no upstream equivalent
Checking packages: .
py39-duckdb-0.6.1 has no upstream equivalent
Checking packages: .
py39-netaddr-0.8.0 has no upstream equivalent
Checking packages: .
py39-numpy-1.23.5_1,1 has no upstream equivalent
Checking packages: .
py39-pandas-1.5.1,1 has no upstream equivalent
Checking packages: .
py39-requests-2.28.1_1 has no upstream equivalent
Checking packages: .
py39-sqlite3-3.9.16_7 has no upstream equivalent
Checking packages: .
py39-ujson-5.0.0 has no upstream equivalent
Checking packages: .
py39-vici-5.9.9 has no upstream equivalent
Checking packages: .
radvd-2.19_1 has no upstream equivalent
Checking packages: .
rrdtool-1.8.0_2 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
squid-5.7 has no upstream equivalent
Checking packages: .
strongswan-5.9.9_1 has no upstream equivalent
Checking packages: .
sudo-1.9.12p2 has no upstream equivalent
Checking packages: .
suricata-6.0.9_1 has no upstream equivalent
Checking packages: .
syslog-ng-3.38.1 has no upstream equivalent
Checking packages: .
unbound-1.17.1_1 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.10_6 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***
Title: Re: Cannot update to latest patches
Post by: franco on March 21, 2023, 09:07:57 AM
The ping works but the fetch of the information fails? There is something wrong on your end for sure.

Might be firewall / network policy (ICMP is not TCP) / proxy screwup / etc.


Cheers,
Franco
Title: Re: Cannot update to latest patches
Post by: santi.benejam on March 21, 2023, 09:16:06 AM
I stopped Intrusion Detection and updates seem to work now. Enabling Intrusion Detection with IPS mode disabled seems to work too.
I'll try to upgrade later.


Title: [SOLVED] Re: Cannot update to latest patches
Post by: santi.benejam on March 21, 2023, 03:16:44 PM
I was missing this config, as explained in this topic: https://forum.opnsense.org/index.php?topic=32539.msg158377#msg158377

I had to disable the HW Offload checkboxes and re-enable IPS mode, and it now works. Tomorrow morning I'll do the pending updates.
Title: Re: [SOLVED] Cannot update to latest patches
Post by: franco on March 21, 2023, 07:23:17 PM
Makes sense as some of these only affect TCP (and UDP) traffic and your ping is fine. :)


Cheers,
Franco
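
The symptom discussed above (ICMP succeeds while the TCP-based repository fetch fails) can be read directly off the connectivity audit output. The following is an added example, not part of the original thread and not OPNsense code: a small Python parser run over a constructed sample trimmed from the audit quoted in the first post. The function names and the result labels ("icmp-only", "unreachable", "ok", "incomplete") are assumptions made for illustration.

```python
import re

# Constructed sample: lines trimmed from the connectivity audit quoted in this thread.
SAMPLE_AUDIT = """\
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
4 packets transmitted, 4 packets received, 0.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: Operation timed out
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: Non-recoverable resolver failure
"""

HOST_RE = re.compile(r"^Checking connectivity for host: \S+ -> (\S+)")
REPO_RE = re.compile(r"^Checking connectivity for repository \((IPv[46])\)")
RECV_RE = re.compile(r"\d+ packets transmitted, (\d+) packets received")
PKG_ERR_RE = re.compile(r"^pkg: https?://\S+: (.+)$")


def parse_audit(text):
    """Return {family: {"icmp_ok", "fetch_seen", "fetch_errors"}} per address family."""
    result, family, section = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := HOST_RE.match(line):
            family, section = ("IPv6" if ":" in m.group(1) else "IPv4"), "icmp"
        elif m := REPO_RE.match(line):
            family, section = m.group(1), "fetch"
        if family is None:
            continue
        entry = result.setdefault(
            family, {"icmp_ok": False, "fetch_seen": False, "fetch_errors": []})
        if section == "fetch":
            entry["fetch_seen"] = True
            if (m := PKG_ERR_RE.match(line)) and m.group(1) not in entry["fetch_errors"]:
                entry["fetch_errors"].append(m.group(1))
        elif m := RECV_RE.search(line):
            entry["icmp_ok"] = int(m.group(1)) > 0
    return result


def classify(entry):
    """Hypothetical labels: 'icmp-only' is the symptom reported in this thread."""
    if not entry["fetch_seen"]:
        return "incomplete"
    if not entry["fetch_errors"]:
        return "ok"
    # Ping passes, fetch fails: fault is on the TCP path (here: IPS mode + HW offload).
    return "icmp-only" if entry["icmp_ok"] else "unreachable"
```

For the sample, IPv4 classifies as "icmp-only" (the case resolved in this thread by disabling hardware offload before re-enabling IPS mode), while IPv6 classifies as "unreachable" because the host has no IPv6 route at all.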
Title: Re: [SOLVED] Cannot update to latest patches
Post by: santi.benejam on March 22, 2023, 07:20:18 AM
I just upgraded the OPNsense box to 23.1.4 and it seems that all is working as expected for now.

Many thanks, Franco
Title: Re: [SOLVED] Cannot update to latest patches
Post by: franco on March 22, 2023, 08:15:08 AM
No problem, glad to hear :)