OPNsense Forum
Archive => 20.7 Legacy Series => Topic started by: franco on March 31, 2020, 07:53:30 pm
-
Hi all,
We are pleased to announce that we hereby provide 20.7-BETA images with the following features and caveats:
* HardenedBSD 12.1
* Logging issues after major version change fixed
* Traffic shaper statistics API and GUI page
* Firewall API plugin
* Missing plugin GUI install/dismiss feature
* Suricata 5 and optimized ET Pro Telemetry rules plugin
* Images are amd64 only as we jump the major OS version and leave i386 behind
* Nano images probably have a defunct growfs feature, but already fixed on master
Please note these images are development snapshots which will be provided with further updates, but as of yet there is no production track of 20.7.
Last but not least, images can be found here:
https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/
Please keep all general feedback in this thread or create 20.7 forum posts for specific issues / discussions.
Cheers,
Franco
-
Hi,
I do not get it installed. After dumping to usb or card, it just writes the boot to disk (25M) - the rest is empty.
-
It really can't be this bad. ;) Which image did you try?
Cheers,
Franco
-
Just switching a 20.1.3 install from production to development doesn't work to do the full upgrade, right? You need to reinstall from an image?
-
Image only. We're not ready for inline upgrades as they haven't been tested and are mostly irrelevant at this stage as we do not want people to upgrade their systems because we are not in RC mode yet.
Cheers,
Franco
-
Hi Franco,
This one here:
https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/OPNsense-devel-20.7.b-OpenSSL-serial-amd64.img.bz2
dd'ing onto a usb-stick and a sdcard, both with the same result.
-
Well, did you decompress it? It comes compressed as .bz2.
-
Yes, yes, I bunzipped2 it ;)
Otherwise, it wouldn't have installed the boot partition, I think.
-
How is the beta image so much larger than the current production image? Does it have debugging enabled?
-
Strange, I started with minicom instead of putty and just rebooted on error - it worked.
-
Yesterday evening I installed 20.7-beta from an image, and restored the configuration from 20.1. This basic install seemed to work fine. I then proceeded to install plugins (acme-client, cache, dyndns, ftp-proxy, smart, unbound-extras or whatsitsname, upnp). After this my router started bootlooping. I kind of suspect upnp as this was the last plugin I installed, but I'm not sure.
-
Anything weird in the console while booting?
-
Mine is extremely slow after restoring from a backup - I reset to factory defaults, install the plugins first and will then restore the backup again. Will let you know.
Confirmed: this way, it works well.
-
Errors on boot after that:
(install apuled-plugin): /usr/local/etc/rc.syshook.d/early/30-apuled: cannot create /dev/led/led3: No such file or directory
...for all 3 LEDs
Comment: does not work in FreeBSD on APU according to the BIOS notes for the latest BIOS: https://pcengines.github.io/
Known issues:
apuled driver doesn't work in FreeBSD. Check the GPIOs document for workaround.
-
Testing, all logs for the firewall remain empty. According to my backup, I am logging a lot, so there should be something.
But Live View as well as Original Protocols are empty
SSH'ing to console shows entries either.
Confirmed: Works again after several reboots...
-
Question about Suricata 5: is it still necessary to disable all hardware offloading?
-
I think so. :)
-
GUI says that updates exist, but when applying them, the following occurs:
***GOT REQUEST FOR TYPE: opnsense***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg-static: No packages matching 'opnsense' have been found in the repositories
Number of packages to be fetched: 1
No packages are required to be fetched.
Integrity check was successful.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg-static: No packages available to install matching 'opnsense' have been found in the repositories
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***
You can do that the whole day long :)
-
> How is the beta image so much larger than the current production image? Does it have debugging enabled?
At least part of the growth would be the introduction of a new exploit mitigation: Non-Cross-DSO Control Flow Integrity (CFI). More information about CFI can be found in HardenedBSD's wiki: https://git-01.md.hardenedbsd.org/HardenedBSD/HardenedBSD/wiki#control-flow-integrity-cfi
-
@ruggerio: What version are you running? It looks like you found an older image that's not supposed to be 20.7-BETA, at least the log issue and the firmware warning are telltale clues.
-
OPNsense 20.7.b_3-amd64
FreeBSD 12.1-RELEASE-p3-HBSD
The one I downloaded yesterday
-
Early in the beta I reported that during the install, OPNsense would not detect a USB Ethernet connection. I also could not manually install the adapter (UE0). My USB Ethernet connector would not work with that beta.
I just again installed the beta via ISO. No surprise it would not detect the adapter. However, since the WAN adapter was working, after completing install I updated the software from the console. After the update to the latest beta, I started the console process and installed the adapters. This time the USB Ethernet adapter was detected by the auto detection process and I was able to install it as UE0 adapter.
Thanks for the fix.
------------------------------------
I tried to install OPNsense-devel-20.7.b-OpenSSL-serial-amd64 from a USB Memory Stick. It would not detect my USB Ethernet dongle during the "auto detection" of the LAN/WAN connections. When I plugged in the USB dongle I would see an OS message but OPNsense would not detect that an interface was added.
I removed the dongle and tried again with the same results.
I continued with the install. When the webGUI was available, I tried to add the interface but it would not show the USB interface.
I then installed FreeBSD 11.2-RELEASE-p17-HBSD b0b3393e380(stable/20.1) amd64 from a USB Memory Stick. During install, the "auto detection" worked fine showing the USB dongle as UE0. The dongle worked fine.
Below is data from the working "stable/20.1" using the Reporter to show the enumeration of the USB devices.
What other info can I provide?
Thanks.
usbus0 on xhci0
usbus0: 5.0Gbps Super Speed USB v3.0
usbus1: EHCI version 1.0
usbus1 on ehci0
usbus1: 480Mbps High Speed USB v2.0
uhub1: 13 ports with 13 removable, self powered
uhub0: 2 ports with 2 removable, self powered
ugen0.2: at usbus0
-
What hardware do you have?
-
The PC is a mini-PC from ASUS with one gigabit Ethernet port. The USB port the Ethernet dongle plugs into is USB 3.0. The dongle is a generic Ethernet/USB dongle.
https://www.amazon.com/UGREEN-Ethernet-Adapter-Nintendo-Chromebook/dp/B00MYT481C/ref=sr_1_3?crid=Q2X0HBPNW010&dchild=1&keywords=ethernet+usb+adapter&qid=1586311410&sprefix=ethernet+usb+%2Caps%2C158&sr=8-3
Specs for the PC.
https://www.asus.com/us/Mini-PCs/VivoMini_UN42/specifications/
-
Have you tried installing it in the shell, using the manual method of assigning interfaces?
In this version, just my lan interface was recognized fine, but e.g. neither lan nor dmz, which both have been connected. With manual assignment, it worked.
-
Thank you for providing this first build! I was keen to see how HBSD 12.1 would perform, so I tried the image on an APU 1D4 that was running the latest stable (currently 20.1.4) before. I am using the base unit with only the stock 16G msata card (no wifi installed, no USB addons). With the switch to HBSD 12.1 I was hoping for better throughput (due to newer Realtek drivers) and lower power consumption.
The good news is that the 20.7 version seems to be working without regressions in this very simple test so far. However, I could not observe any improvements regarding throughput or power consumption. I am still limited to around 350 Mbps of my Gigabit line in various speed tests and the box consumes around 9.5-10 Watts in idle. In comparison, Linux-based systems consume only around 5.5-6 Watts and deliver gigabit speed on the very same hardware.
I noticed some python3 and php processes that are keeping both cpu cores quite busy all the time. But this has been already the case in the 20.1 series.
-
Thanks for testing. On the Realtek side the driver isn't newer, not sure where you read this.
If all goes well next week there will be an online update with PHP 7.3 included and some bugs fixed. :)
Cheers,
Franco
-
Happy to say all good on my test unit, green lights across the board. Nice also to note that my dhcp6 multiwan patches all applied and working too. On furlough here so have some time to play.
-
Works well now in daily usage. The only thing is logging on postfix. For all the rest I could not find any errors.
-
I did a test on kvm with virtio net driver, and a quick test shows a big performance improvement, 2/3 times faster than 20.1 (I guess it is the driver update from 11.2 to 12.1)
-
We've found some small errors which we'd like to fix with an update and new images (you will be able to update your current BETA installs online no problem), switch to PHP 7.3 and migrate radvd daemon from version 1.x to 2.x now that it is fixed in FreeBSD ports for our use case.
Postfix logging is still pending, but we are fairly sure it is an issue with the current log parsing approach as 12.1 changed the standard logging output and relatively easy to solve in another update.
Cheers,
Franco
-
great! :)
-
> * Traffic shaper statistics API and GUI page
Hi Franco,
Could you please detail what are the changes to the Traffic Shaper statistics GUI page? I have installed the 20.7 beta but found that the Traffic Shaper looks the same. I am really interested in the Shaping feature and I always found confusion with the current GUI/statistics compared to other solutions. I really love OPNsense and I would like to know if any improvements are planned on this front.
Thank you for the great work!
Cheers
-
Wait for update please, we're still working on the next BETA release but 20.1.5 will come first.
Shaper statistics were always just dumping a command line utility output... now they are parsed in queue, pipe, and rule structures which can be inspected "drill down" style. And there is an API along with it if the GUI page is not for you. ;)
Cheers,
Franco
-
That's great news for Mr. Shaper! :)
Thank you for the confirmation and I will wait for the next update then! Any possible unofficial target date?
-
I'm new to opnsense, but can someone please confirm if DHCP static mapping for vlans is working in this version? I have no issues with this working on the LAN interface, but cannot get this working on any vlan. If I'm missing something basic, any help would be appreciated.
-
We have no understanding that there would be a change in behaviour for "VLANs with DHCP static mappings". Are you referring to a specific issue on GitHub?
Unofficial release date, well, early next week. Stuff keeps coming up, but on the bright side 20.1.5 will have all the new traffic shaper stats already... that will come out later today.
Cheers,
Franco
-
VLAN and DHCP reminds me of Suricata or Sensei running on internal interface?
-
> Unofficial release date, well, early next week. Stuff keeps coming up, but on the bright side 20.1.5 will have all the new traffic shaper stats already... that will come out later today.
Awesome! I thought the feature was coming with 20.7 so tonight's update has been a cool surprise! Really great job and thank you for all of your work!
Are you planning to have an automatic refresh of the status page or at least an option within the page to enable/disable it?
-
Hello all,
Looking forward to testing this tonight. One quick question about the image. Will this be updated on a go forward basis, and will you be letting us know when a new image is available for testing?
Thanks,
Steve
-
@spetrillo
> We've found some small errors which we'd like to fix with an update and new images (you will be able to update your current BETA installs online no problem), switch to PHP 7.3 and migrate radvd daemon from version 1.x to 2.x now that it is fixed in FreeBSD ports for our use case.
> Postfix logging is still pending, but we are fairly sure it is an issue with the current log parsing approach as 12.1 changed the standard logging output and relatively easy to solve in another update.
> Cheers,
> Franco
-
@ruggerio
Thanks!
-
We pushed the online update just now, relevant highlights:
* Switched to PHP 7.3
* Latest FreeBSD security patches on 12.1
* New Traffic Shaper API
* Unbound-plus core integration
* Unbound DNS64 support
* Interfaces ordering by defined groups
* Fixes missing user on 12.1 base
Also includes assorted changes and bugfixes in core to be summarised when the first release candidate arrives, which is when new images will also be available.
Cheers,
Franco
-
Thank you for the online update. I will check it today/tomorrow. With the first beta I've run into an issue with a LTE modem connection. I have tried https://www.thomas-krenn.com/de/wiki/OPNsense_LTE_Verbindung with a Quectel Modem, and got a crash with an automated reboot afterwards. I will re-check this after applying the online update.
In case I still encounter the issue with the LTE connection: should I report it here or should I open an issue on GitHub?
Best Regards,
Werner
-
I would expect the same outcome. We can look at the crash, but if it works on 11.2 / 20.1 it may be due to new OS code. :(
-
> * Suricata 5 and optimized ET Pro Telemetry rules plugin
What has changed in the "optimized ET Pro Telemetry rules plugin"? Or what's new?
How easy is it to switch from beta/RC to stable once it is released? Can it be done in the web UI by changing the release branch or something?
Thanks
-
Hi Franco,
> I would expect the same outcome. We can look at the crash, but if it works on 11.2 / 20.1 it may be due to new OS code.
Regarding this LTE issue, I have opened a new topic: https://forum.opnsense.org/index.php?topic=17417.0
Please let me know in case I should do any further testing.
Best regards, Werner
-
I installed it in a generation 2 vm on a windows 2019 hyper-v server. The installer hung a couple of times at the same places as have been reported before. Like before, I was able to get past by interrupting it using CTRL-C and re-logging in.
-
Remember to install the new dhcp6c...
-
> Remember to install the new dhcp6c...
I didn't update anything. dhcp6c seems to be working fine as-is.
-
Did you do a code core update?
-
I'm trying to provide 20.7-BETA2 today. I'm currently struggling with increased workload at my day job...
Please remember that we provide supervised snapshots, not nightly builds. Both have their ups and downs and personally I think nightly breakage is much harder to troubleshoot.
Cheers,
Franco
-
Thanks Franco... you're doing your best, as always. We can ask no more.
-
Update has been published. Images to go along with it will follow next week.
Cheers,
Franco
-
> Update has been published. Images to go along with it will follow next week.
Hi Franco,
Do you have a link to that new update?
Will it be available here? https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/
I only see the version dating back from 2020-03-24 :/
-
Grab the ISO and update in there ...
-
> Grab the ISO and update in there ...
Ok. After I have upgraded my APU firmware (since I was at it), I reinstalled the system with the aforementioned iso and am now on 20.7.
This is the version I got after having run the update process:
OPNsense 20.7.b_181-amd64
FreeBSD 12.1-RELEASE-p5-HBSD
OpenSSL 1.1.1g 21 Apr 2020
The update checker asked me to switch to dev as "the release type needs to be updated" (this is the message I got). But switch to dev didn't get me any further updates.
Note to myself for the future: install the plugins I used BEFORE importing the config. At first I didn't install the plugins which required me to reset to defaults the device, install the plugin and reimport.
In IPv6, my LAN is broken as hell. While the machine received a prefix delegation on WAN, which is well installed on the LAN interface, the OPNsense router is not able to communicate to the outside in IPv6 nor are the machines from the LAN. It seems like a radvd issue (regression). The same config using OpenWRT is working like a charm. I'm on cable modem. Playing around with MTU override, prefix hints or even disabling the firewall (pfctl -d) to ensure ICMPv6 wasn't blocked are all the steps I performed without much results. :/
-
For those falling on this thread using a search engine, the fact that you are not on HardenedBSD 12 and are still on HardenedBSD 11 (FreeBSD 11 based) when you try to upgrade from 20.1 to a dev version of 20.7 is intended.
As specified on Twitter (https://twitter.com/opnsense/status/1280872478529728514), due to early showstoppers (https://github.com/opnsense/core/commit/2efdcf51fcb12) in the 11.2 -> 12.1 upgrade process, the devs missed the deadline when they froze the code base.
According to that same tweet, the ability to upgrade to a HardenedBSD 12 kernel will be offered with the next RC expected this week or the next ones.