OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: StellaTelecom on January 28, 2019, 06:20:30 am
-
Hello Everyone,
I have been stuck with this issue for the last 3 months. The last successful update was in November 2018.
Basically, whenever I try to update my OPN firewall through the WebUI, I get the message:
Timeout while connecting to the selected mirror.
Below are some tests that I have done:
-Ping mirror from firewall - KO
-Ping mirror IP from firewall - KO
-Ping mirror from workstation - OK
-Ping mirror IP from workstation - OK
I have a default route to the internet on the firewall. I have tried to add specific routes to the mirror (as suggested in other posts) but it's still KO.
Updating through the CLI is only a temporary solution for me, since company policy is to disable SSH login.
Firewall version is OPNsense 18.7.8-amd64
The firewall is a virtual machine, installed on Proxmox 5.2-12.
While going through the forum, I have come across someone having the same issue:
https://forum.opnsense.org/index.php?topic=10201.0
I have tried to apply their solution, but to no avail; I still get the same error message.
Can anyone help me on this?
Thanks.
-
So, which mirror does this? Have you tried a different one?
Cheers,
Franco
-
Hi,
Just registered here to say that I have same problem on v19.1 x64 on ESXi 6.5.
I read the other topic, and for me adding a static route to 212.32.245.132/32 through my ISP gateway solves the problem.
But this behavior sounds very strange, for me this workaround is like DIY stuff... :o
-
Hi,
Since I added a static route 0.0.0.0/0 to my ISP WAN gateway in the web GUI, all web GUI wizards/tools that connect to the internet seem to work well.
It seems that some web GUI tools don't use the existing system routing table...
-
In 19.7 still this isn't fixed... :-[
-
In 19.7 still this isn't fixed... :-[
Did someone open a bug report via github?
I have around 20 OPNsense Firewalls on most common versions of ESX, HV, KVM, also Hardware. Never had such an issue.
-
The only time I saw this, where ping worked but the mirror didn't, there was an MTU issue somewhere in the network. So you are essentially deceiving yourself into saying OPNsense or HTTP or TCP or the Internet itself is broken, whichever you prefer really. ;)
# ping -s 1500 212.32.245.132
Cheers,
Franco
-
In 19.7 still this isn't fixed... :-[
Did someone open a bug report via github?
I have around 20 OPNsense Firewalls on most common versions of ESX, HV, KVM, also Hardware. Never had such an issue.
I have the same issue here but with a PCE APU2 board, everything vanilla except the new coreboot 4.10.0.1 BIOS.
I'm running OPNsense 19.7.4_1-amd64. But this issue only happens in the WebGUI; if I use opnsense-update via SSH, everything works fine!
Best Regards
-
I have the same/similar problem. I am stuck on the 19.1 version and cannot update. While testing I first got DNS errors; by adding a 0.0.0.0/0 route per the suggestions on this forum (https://forum.opnsense.org/index.php?topic=11341.msg56947#msg56947), ping can now resolve hosts from the firewall localhost, but fetch and curl all stall/freeze after connecting. fetch with -vvv stalls at resolving github.com:443, and curl with -vvv can connect to the correct address (the firewall log shows the connection) but stalls after that.
# curl --tcp-nodelay -4 -vvvvv -o kernel-19.7.3-amd64.txz -k https://pkg.opnsense.org/FreeBSD:11:amd64/19.7/sets/kernel-19.7.3-amd64.txz
* Trying 212.32.245.132...
* TCP_NODELAY set
[progress meter omitted: 0 bytes received, 0:01:14 elapsed]
* connect to 212.32.245.132 port 443 failed: Operation timed out
* Failed to connect to pkg.opnsense.org port 443: Operation timed out
* Closing connection 0
curl: (7) Failed to connect to pkg.opnsense.org port 443: Operation timed out
# fetch -vvv https://pkg.opnsense.org/FreeBSD:11:amd64/19.7/sets/kernel-19.7.3-amd64.txz
resolving server address: pkg.opnsense.org:443
failed to connect to pkg.opnsense.org:443
fetch: https://pkg.opnsense.org/FreeBSD:11:amd64/19.7/sets/kernel-19.7.3-amd64.txz: No route to host
Ping to both hosts (the OPNsense pkg mirror and GitHub, Google etc.) is working, but the TCP connection stalls; no log in the firewall...
# ping github.com
PING github.com (140.82.118.3): 56 data bytes
64 bytes from 140.82.118.3: icmp_seq=0 ttl=53 time=33.061 ms
64 bytes from 140.82.118.3: icmp_seq=1 ttl=53 time=33.093 ms
^C
--- github.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 33.061/33.077/33.093/0.016 ms
# ping pkg.opnsense.org
PING pkg.opnsense.org (212.32.245.132): 56 data bytes
64 bytes from 212.32.245.132: icmp_seq=0 ttl=53 time=42.606 ms
64 bytes from 212.32.245.132: icmp_seq=1 ttl=53 time=43.134 ms
64 bytes from 212.32.245.132: icmp_seq=2 ttl=53 time=42.611 ms
^C
--- pkg.opnsense.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 42.606/42.784/43.134/0.248 ms
At first I tried the bootstrap script (https://github.com/opnsense/update/blob/master/bootstrap/opnsense-bootstrap.sh), but after the connection problems the script deleted my pkg config... without verifying whether the download succeeded...
-
OK, after a clean install of 19.7.4 and importing my backed-up config the issue reappears, so I did a factory reset and a manual basic setup for WAN and LAN to get the internet going, and now I can update my firewall...
After the update I tried reimporting my old config (static DHCP leases, certs, VPN/WG config etc.), and after a fully working setup I did a diff of those config files, see below.
Lines from the original nonfunctional config are shown with - (minus).
--- ./config-OPNsense.local-orig_nefunkcna.xml 2019-10-11 19:34:03.087841648 +0200
+++ ./config-OPNsense.local-openvpn_a_wg_certificates_rules.xml 2019-10-11 20:33:40.980630000 +0200
@@ -1,5 +1,6 @@
<?xml version="1.0"?>
<opnsense>
+ <trigger_initial_wizard/>
<theme>opnsense</theme>
<sysctl>
<item>
@@ -52,15 +53,6 @@
</item>
<item>
<descr>
- Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
- to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
- packets without returning a response.
- </descr>
- <tunable>net.inet.icmp.drop_redirect</tunable>
- <value>default</value>
- </item>
- <item>
- <descr>
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
</descr>
@@ -73,11 +65,6 @@
<value>default</value>
</item>
<item>
- <descr>Enable sending IPv4 redirects</descr>
- <tunable>net.inet.ip.redirect</tunable>
- <value>default</value>
- </item>
- <item>
<descr>Enable sending IPv6 redirects</descr>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
@@ -193,20 +180,37 @@
<value>default</value>
</item>
<item>
- <tunable>hint.sdhci_pci.0.disabled</tunable>
- <value>1</value>
- <descr>hint.sdhci_pci.0.disabled</descr>
+ <descr>Hide processes running as other groups</descr>
+ <tunable>security.bsd.see_other_gids</tunable>
+ <value>default</value>
+ </item>
+ <item>
+ <descr>Hide processes running as other users</descr>
+ <tunable>security.bsd.see_other_uids</tunable>
+ <value>default</value>
+ </item>
+ <item>
+ <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+ and for the sender directly reachable, route and next hop is known.
+ </descr>
+ <tunable>net.inet.ip.redirect</tunable>
+ <value>0</value>
</item>
<item>
- <tunable>hint.sdhci_pci.1.disabled</tunable>
+ <descr>
+ Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
+ to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
+ packets without returning a response.
+ </descr>
+ <tunable>net.inet.icmp.drop_redirect</tunable>
<value>1</value>
- <descr>hint.sdhci_pci.1.disabled</descr>
</item>
</sysctl>
<system>
<optimization>normal</optimization>
<hostname>OPNsense</hostname>
<domain>local</domain>
+ <dnsallowoverride>1</dnsallowoverride>
<group>
<name>admins</name>
<description>System Administrators</description>
@@ -251,13 +255,18 @@
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu>1</disableconsolemenu>
+ <disablevlanhwfilter>2</disablevlanhwfilter>
+ <disablechecksumoffloading>1</disablechecksumoffloading>
+ <disablesegmentationoffloading>1</disablesegmentationoffloading>
+ <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
+ <ipv6allow/>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<bogons>
<interval>monthly</interval>
</bogons>
- <kill_states>1</kill_states>
+ <kill_states/>
<backupcount>60</backupcount>
<crypto_hardware>aesni</crypto_hardware>
<pf_share_forward>1</pf_share_forward>
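Review bot: the three new flags `<disablechecksumoffloading>1`, `<disablesegmentationoffloading>1` and `<disablelargereceiveoffloading>1` (plus the explicit `<disablevlanhwfilter>2`) are the only lines in this hunk that plausibly change the firewall's own TCP behaviour; ICMP passing while TCP stalls on a virtual NIC is a classic symptom of offloading being left enabled, so these should be applied to the old config in isolation before touching routes or the mirror. `<ipv6allow/>` (now empty) and `<kill_states/>` replacing `<kill_states>1` are settings differences unrelated to the fault.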
@@ -294,14 +303,10 @@
<dns6gw>none</dns6gw>
<dns7gw>none</dns7gw>
<dns8gw>none</dns8gw>
- <rulesetoptimization>basic</rulesetoptimization>
- <maximumstates/>
- <maximumfrags/>
- <aliasesresolveinterval/>
- <maximumtableentries>500000</maximumtableentries>
- <prefer_ipv4>1</prefer_ipv4>
+ <serialspeed>115200</serialspeed>
+ <primaryconsole>video</primaryconsole>
<firmware>
- <mirror>https://opnsense.ieji.de</mirror>
+ <plugins>os-debug,os-clamav,os-iperf,os-telegraf,os-wireguard</plugins>
</firmware>
</system>
<interfaces>
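Review bot: the removed `<mirror>https://opnsense.ieji.de</mirror>` answers Franco's "which mirror" question: the non-working config pinned a third-party mirror while the rebuilt one uses the default, and it is the only setting that directly names the host the "selected mirror" error refers to. Note that the curl test earlier in this post timed out against pkg.opnsense.org as well, so the mirror alone does not account for that user's failure. The dropped `<rulesetoptimization>`, `<maximumtableentries>500000` and `<prefer_ipv4>1` are pf tuning and address-family preferences; `<prefer_ipv4>` is worth re-adding if the WAN has a broken IPv6 path, since its absence changes which family fetch tries first.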
@@ -546,28 +551,7 @@
</lan>
</dhcpd>
<unbound>
- <dnssecstripped>1</dnssecstripped>
- <domainoverrides/>
- <custom_options/>
<enable>1</enable>
- <regdhcp>1</regdhcp>
- <noreglladdr6>1</noreglladdr6>
- <regdhcpstatic>1</regdhcpstatic>
- <txtsupport>1</txtsupport>
- <cache_max_ttl/>
- <cache_min_ttl/>
- <incoming_num_tcp>10</incoming_num_tcp>
- <infra_cache_numhosts>10000</infra_cache_numhosts>
- <infra_host_ttl>900</infra_host_ttl>
- <jostle_timeout>200</jostle_timeout>
- <log_verbosity>3</log_verbosity>
- <msgcachesize>4</msgcachesize>
- <num_queries_per_thread>4096</num_queries_per_thread>
- <outgoing_num_tcp>10</outgoing_num_tcp>
- <unwanted_reply_threshold/>
- <dnssec>1</dnssec>
- <prefetch>1</prefetch>
- <forwarding>1</forwarding>
</unbound>
<snmpd>
<syslocation/>
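Review bot: the old Unbound block combined `<forwarding>1</forwarding>` with `<dnssec>1</dnssec>` and `<dnssecstripped>1</dnssecstripped>`; with validation on, a forwarder that does not return DNSSEC records makes every signed name fail to resolve, which is consistent with the DNS errors this poster hit before the TCP stalls. It also lowered `<incoming_num_tcp>`/`<outgoing_num_tcp>` to 10 and `<msgcachesize>` to 4 and raised `<log_verbosity>` to 3. The rebuilt config drops all of it back to defaults in one step without showing which item mattered; re-add forwarding and DNSSEC separately and confirm resolution from the firewall itself (`drill` or `host` on the box, not from a workstation) after each.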
@@ -2223,92 +1955,16 @@
<IDS version="1.0.3">
<rules/>
<userDefinedRules/>
- <files>
- <file uuid="2715ab15-1bbd-4ee8-bd0f-dd8cbac2726d">
- <filename>emerging-current_events.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="ca45d589-ab2e-44ba-9756-f6d0d87bcaeb">
- <filename>emerging-chat.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="72335001-da84-4663-803f-45b4c30205f4">
- <filename>emerging-attack_response.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="6e68401f-2b7e-4b0b-bb6f-8188375371a3">
- <filename>emerging-activex.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="9c37c3c8-e587-4687-8a22-a5a718c1c052">
- <filename>dshield.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="4f2ac0d7-799d-4dbe-bc63-e7fa0d269d37">
- <filename>drop.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="518b9785-c982-40ee-b089-0b21c75a913e">
- <filename>compromised.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="1e13ef1d-a5f1-4310-9acd-167e92a72276">
- <filename>ciarmy.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="73080d3d-f9c6-407d-87e4-c08b7b1278d9">
- <filename>botcc.portgrouped.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="089d519e-58db-476c-b014-7d970c3d30d1">
- <filename>botcc.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="5d6d7f89-2c2d-40f9-9bbd-28f7d379a7b0">
- <filename>abuse.ch.urlhaus.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="ac3b3cda-f06b-418e-92b2-64f58964abc5">
- <filename>abuse.ch.sslipblacklist.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="4af3e6b8-96e5-4075-9b3d-bc5a35f91e64">
- <filename>abuse.ch.sslblacklist.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="710adde0-f7c4-4414-9f26-2a4f87b97709">
- <filename>abuse.ch.feodotracker.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- <file uuid="f6a857d4-f674-43bd-b6dc-209c3d1de498">
- <filename>abuse.ch.dyre_sslipblacklist.rules</filename>
- <filter/>
- <enabled>1</enabled>
- </file>
- </files>
+ <files/>
<fileTags/>
<general>
- <enabled>1</enabled>
- <ips>1</ips>
- <promisc>1</promisc>
+ <enabled>0</enabled>
+ <ips>0</ips>
+ <promisc>0</promisc>
<interfaces>wan</interfaces>
<homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet>
<defaultPacketSize/>
- <UpdateCron>aefe4747-196a-4558-bb1a-50aed2436c0d</UpdateCron>
+ <UpdateCron/>
<AlertLogrotate>W0D23</AlertLogrotate>
<AlertSaveLogs>4</AlertSaveLogs>
<MPMAlgo>ac</MPMAlgo>
- <crl/>
- <staticroutes version="1.0.0">
- <route uuid="5a1145ee-7c5a-4cc2-8099-028324c0b997">
- <network>1.1.1.1/0</network>
- <gateway>WAN_DHCP</gateway>
- <descr>check firmware workaround</descr>
- <disabled>1</disabled>
- </route>
- <route uuid="0694bc6c-eea2-4a3b-b917-eb455cf5bd5f">
- <network>1.1.1.1/0</network>
- <gateway>LAN_GWv4</gateway>
- <descr>check firmware workaround</descr>
- <disabled>1</disabled>
- </route>
- <route uuid="080a2466-96d5-4cc4-a61d-0e5a203fb475">
- <network>8.8.8.8/0</network>
- <gateway>LAN_GWv4</gateway>
- <descr>check firmware workaround</descr>
- <disabled>1</disabled>
- </route>
- <route uuid="26c5234b-3f89-4b72-a62c-d8df3e49af55">
- <network>8.8.8.8/0</network>
- <gateway>WAN_DHCP</gateway>
- <descr>check firmware workaround</descr>
- <disabled>1</disabled>
- </route>
- <route uuid="75b0d450-e839-4a57-95cd-13345480f017">
- <network>0.0.0.0/0</network>
- <gateway>WAN_DHCP</gateway>
- <descr/>
- <disabled>0</disabled>
- </route>
+ <staticroutes>
+ <route/>
</staticroutes>
</opnsense>
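Review bot: two things in this hunk need flagging. First, IDS goes from `<enabled>1</enabled>`, `<ips>1</ips>`, `<promisc>1</promisc>` on `wan` with fifteen rule files to fully off; IPS mode attaches the WAN interface through netmap, which OPNsense documents as requiring hardware offloading to be disabled, and the earlier hunk shows the old config had offloading left on. That combination on a virtual NIC is a plausible cause of host-originated TCP stalling while ping works, so IPS should be re-enabled last and tested alone. Second, the removed static routes `1.1.1.1/0` and `8.8.8.8/0` pair a host address with a zero-length mask, which is a malformed way of writing a default route (they were `<disabled>1`, so they did nothing), and the enabled `0.0.0.0/0` via `WAN_DHCP` duplicated the default route the WAN gateway already installs; that is the "workaround" route from earlier in the thread and it should be removed rather than carried into the rebuilt config. The hunk header counts 92 removed and 16 added lines, more than are shown, so the `<crl/>` and `<staticroutes>` context here is abridged and not necessarily adjacent in the real file.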
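The diff above is long, and most of it is noise (IDS rule UUIDs, cron ids). As an added example, not OPNsense code and not the poster's diff, here is an audit script that pulls out the few settings this thread actually turned up as suspects: a pinned firmware mirror, hardware offloading not disabled, IPS mode on, and static routes that are either malformed host/0 entries or duplicate default routes. The element paths (`system/firmware/mirror`, `IDS/general`, `staticroutes/route`, the `system/disable*offloading` flags) are taken from the hunks above and are otherwise assumptions; the two embedded XML documents are constructed fragments shaped like the "before" and "after" configs, not the poster's files.

```python
"""Audit an OPNsense config.xml for the settings the thread's diff changed.

Added example; not OPNsense code and not the poster's diff. Element paths
are assumed from the config.xml hunks in the thread. The two documents at
the bottom are constructed fragments, not real exported configs.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

OFFLOAD_FLAGS = ("disablechecksumoffloading",
                 "disablesegmentationoffloading",
                 "disablelargereceiveoffloading")


def _text(el, path):
    node = el.find(path)
    return (node.text or "").strip() if node is not None else ""


def audit(xml_text):
    """Return sorted (code, detail) findings for one config.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    # A pinned mirror is the first thing the "selected mirror" error points at.
    mirror = _text(root, "./system/firmware/mirror")
    if mirror:
        findings.append(("custom-mirror", mirror))

    # On virtual NICs, offloading left on is a classic "ping ok, TCP stalls" cause.
    for flag in OFFLOAD_FLAGS:
        if _text(root, f"./system/{flag}") != "1":
            findings.append(("hw-offload-enabled", flag))

    # IPS mode moves the interface into netmap; flag it so it gets tested alone.
    for ids in root.iter("IDS"):
        general = ids.find("general")
        if general is not None and _text(general, "enabled") == "1" \
                and _text(general, "ips") == "1":
            findings.append(("ips-mode-on", _text(general, "interfaces")))

    # Static routes: host/0 entries are malformed, and any enabled /0
    # duplicates the default route the WAN gateway already installs.
    enabled_defaults = 0
    for block in root.iter("staticroutes"):
        for route in block.findall("route"):
            net = _text(route, "network")
            if not net:
                continue
            parsed = ipaddress.ip_network(net, strict=False)
            if parsed.prefixlen != 0:
                continue
            if net.split("/")[0] != str(parsed.network_address):
                findings.append(("host-with-zero-mask", net))
            if _text(route, "disabled") != "1":
                enabled_defaults += 1
    if enabled_defaults:
        findings.append(("static-default-route", str(enabled_defaults)))

    return sorted(findings)


# Constructed fragments mimicking the "before" and "after" configs in the thread.
BROKEN_CONFIG = """<opnsense>
  <system>
    <hostname>OPNsense</hostname>
    <firmware><mirror>https://opnsense.ieji.de</mirror></firmware>
  </system>
  <OPNsense><IDS version="1.0.3"><general>
    <enabled>1</enabled><ips>1</ips><promisc>1</promisc><interfaces>wan</interfaces>
  </general></IDS></OPNsense>
  <staticroutes version="1.0.0">
    <route><network>1.1.1.1/0</network><gateway>WAN_DHCP</gateway><disabled>1</disabled></route>
    <route><network>0.0.0.0/0</network><gateway>WAN_DHCP</gateway><disabled>0</disabled></route>
  </staticroutes>
</opnsense>"""

FIXED_CONFIG = """<opnsense>
  <system>
    <hostname>OPNsense</hostname>
    <disablechecksumoffloading>1</disablechecksumoffloading>
    <disablesegmentationoffloading>1</disablesegmentationoffloading>
    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
    <firmware><plugins>os-wireguard</plugins></firmware>
  </system>
  <OPNsense><IDS version="1.0.3"><general>
    <enabled>0</enabled><ips>0</ips><promisc>0</promisc><interfaces>wan</interfaces>
  </general></IDS></OPNsense>
  <staticroutes><route/></staticroutes>
</opnsense>"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONFIG
    for code, detail in audit(text):
        print(f"{code}: {detail}")
```

Run it against a backup as `python3 audit_config.py config-OPNsense.local.xml`; on the constructed "broken" fragment it reports the custom mirror, the three offloading flags, IPS on `wan`, the `1.1.1.1/0` entry and one enabled static default route, and nothing on the "fixed" one. Each finding is a single setting to toggle and retest, which is the one-variable-at-a-time approach the factory-reset-then-reimport in this post skipped.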