OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: franco on March 31, 2020, 07:53:30 pm

Title: 20.7-BETA images with HBSD 12.1
Post by: franco on March 31, 2020, 07:53:30 pm
Hi all,

We are pleased to announce that we hereby provide 20.7-BETA images with the following features and caveats:

* HardenedBSD 12.1
* Logging issues after major version change fixed
* Traffic shaper statistics API and GUI page
* Firewall API plugin
* Missing plugin GUI install/dismiss feature
* Suricata 5 and optimized ET Pro Telemetry rules plugin
* Images are amd64 only as we jump the major OS version and leave i386 behind
* Nano images probably have a defunct growfs feature, but already fixed on master

Please note these images are development snapshots which will be provided with further updates, but as of yet there is no production track of 20.7.

Last but not least, images can be found here:

https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/

Please keep all general feedback in this thread or create 20.7 forum posts for specific issues / discussions.


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 01, 2020, 09:35:21 am
Hi,

I do not get it installed, after dumping to usb or card, it just writes the boot to disk (25M) - the rest is empty.

Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on April 01, 2020, 09:40:17 am
It really can't be this bad. ;) Which image did you try?


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: dinguz on April 01, 2020, 09:40:59 am
Just switching a 20.1.3 install from production to development doesn't work to do the full upgrade, right? You need to reinstall from an image?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on April 01, 2020, 09:53:01 am
Image only. We're not ready for inline upgrades as they haven't been tested and are mostly irrelevant at this stage as we do not want people to upgrade their systems because we are not in RC mode yet.


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 01, 2020, 11:28:56 am
Hi Franco,

This one here:

https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/OPNsense-devel-20.7.b-OpenSSL-serial-amd64.img.bz2

dd'ing onto a usb-stick and a sdcard, both with the same result.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: banym on April 01, 2020, 01:20:13 pm
Well did you have decompressed it? It comes compressed as .bz2 ?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 01, 2020, 01:23:03 pm
yes, yes, i bunzipped2 it  ;)

otherwise, it wouldn't have installed the boot partition, i think.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: dinguz on April 01, 2020, 05:18:56 pm
How is the beta image so much larger than the current production image? Does it have debugging enabled?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 02, 2020, 09:15:39 am
strange, i started by minicom instead putty and just rebooted on error - it worked.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: dinguz on April 02, 2020, 10:15:45 am
Yesterday evening I installed 20.7-beta from an image, and restored the configuration from 20.1. This basic install seemed to work fine. I then proceeded to install plugins (acme-client, cache, dyndns, ftp-proxy, smart, unbound-extras or whatsitsname, upnp). After this my router started bootlooping. I kind of suspect upnp as this was the last plugin I installed, but I'm not sure.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: mimugmail on April 02, 2020, 10:37:50 am
Anything weird in the console while booting?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 02, 2020, 10:46:38 am
mine is extrem slow after restoring from a backup - i reset to factory defaults, install the plugins first and will then restore the backup again. Will let you know.

Confirmed: this way, it works well.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 02, 2020, 11:30:28 am
Errors on boot after that:

(install apuled-plugin): /usr/local/etc/rc.syshook.d/early/30-apuled: cannot create /dev/led/led3: No such file or directory
...for all 3 led

Comment: does not work in Freebsd on APU according to the BIOS-Notes for the latest BIOS: https://pcengines.github.io/

Known issues:

    apuled driver doesn't work in FreeBSD. Check the GPIOs document for workaround.
Title: Re: 20.7-BETA images with HBSD 12.1: Firewall Logging
Post by: ruggerio on April 02, 2020, 11:40:15 am
Testing, all Logs for the firewall leave empty. According my backup, i am logging a lot, so there should be something.

But Live View as Original Protocols are empty

SSH'ing to console shows entries either.

Confirmed: Works again after several reboots...
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 02, 2020, 12:41:38 pm
Question to Suricata 5: is it still necessary to disable all hardware offloading?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: Supermule on April 02, 2020, 01:03:54 pm
I think so. :)

Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 02, 2020, 01:49:09 pm
GUI says, that there exist updates, but if doing so, the following occurs:

***GOT REQUEST FOR TYPE: opnsense***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg-static: No packages matching 'opnsense' have been found in the repositories

Number of packages to be fetched: 1
No packages are required to be fetched.
Integrity check was successful.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg-static: No packages available to install matching 'opnsense' have been found in the repositories
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***

you can do that the whole day long :)
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: lattera on April 02, 2020, 02:50:17 pm
How is the beta image so much larger than the current production image? Does it have debugging enabled?

At least part of the growth would be the introduction of a new exploit mitigation: Non-Cross-DSO Control Flow Integrity (CFI). More information about CFI can be found in HardenedBSD's wiki: https://git-01.md.hardenedbsd.org/HardenedBSD/HardenedBSD/wiki#control-flow-integrity-cfi
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on April 02, 2020, 03:35:08 pm
@ruggerio: what version are you running? it looks like you found an older image that's not supposed to be 20.7-BETA, at least the log issue and the firmware warning are telltale clues.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 02, 2020, 09:23:21 pm
OPNsense 20.7.b_3-amd64
FreeBSD 12.1-RELEASE-p3-HBSD

The one i downloaded yesterday
Title: USB Ethernet Dongle ***NOW WORKING***
Post by: Bluewind on April 04, 2020, 03:05:47 pm
Early in the beta I reported that during the install, OPNSense would not detect a USB Ethernet connection. I also  could not manually install the adapter (UE0). My USB Ethernet connector would not work with that beta.

I just again installed the beta via ISO. No surprise it would not detect the adapter. However since the WAN adapter was working, after completing install I updated the software from the console. After the update to the latest beta, I started the console process and install the adapters. This time the USB Ethernet adapter was detected by the auto detection process and I was able to install it as UE0 adapter.

Thanks for the fix.

------------------------------------

I tried to install OPNsense-devel-20.7.b-OpenSSL-serial-amd64 from a USB Memory Stick. It would not detect my USB Ethernet dongle during the "auto detection" of the LAN/WAN connections. When I plugged in the USB dongle I would see an OS message but OPNsense would not detect that an interface was added.

I removed the dongle and tried again with the same results.

I continued with the install. When the webGUI was available, I tried to add the interface but it would not show the USB interface.

I then installed FreeBSD 11.2-RELEASE-p17-HBSD  b0b3393e380(stable/20.1) amd64 from a USB Memory Stick. During install, the "auto detection" worked fine showing the USB dongle as UE0. The dongle worked fine.

Below is data from the working "stable/20.1" using the Reporter to show the enumeration of the USB devices.

What other info can I provide?

Thanks.

usbus0 on xhci0
usbus0: 5.0Gbps Super Speed USB v3.0

usbus1: EHCI version 1.0
usbus1 on ehci0
usbus1: 480Mbps High Speed USB v2.0

uhub1: 13 ports with 13 removable, self powered
uhub0: 2 ports with 2 removable, self powered
ugen0.2:  at usbus0
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 07, 2020, 08:06:33 am
What hardware do you have?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: Bluewind on April 08, 2020, 04:05:04 am
The PC is a mini-PC from ASUS with one gigabit Ethernet port. The USB port the Ethernet dongle plugs into is USB 3.0. The dongle is a generic Ethernet/USB dongle.

https://www.amazon.com/UGREEN-Ethernet-Adapter-Nintendo-Chromebook/dp/B00MYT481C/ref=sr_1_3?crid=Q2X0HBPNW010&dchild=1&keywords=ethernet+usb+adapter&qid=1586311410&sprefix=ethernet+usb+%2Caps%2C158&sr=8-3

Specs for the PC.
https://www.asus.com/us/Mini-PCs/VivoMini_UN42/specifications/
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 08, 2020, 06:21:01 am
Have you tried installing it in the shell, using the manual method of assigning interfaces?

In this version, just my lan interface was recognized fine, but e.g. neither lan nor dmz, which both have been connected. With manual assignment, it worked.

Title: Re: 20.7-BETA images with HBSD 12.1
Post by: kuleszdl on April 10, 2020, 12:46:36 am
Thank you for providing this first build! I was keen to see how HBSD 12.1 would perform, so I tried the image on a APU 1D4 that was running the latest stable (currently 20.1.4) before. I am using the base unit with only the stock 16G msata card (no wifi installed, no USB addons). With the switch to HBSD 12.1 I was hoping for better throughput (due to newer Realtek drivers) and lower power consumption.

The good news is that the 20.7 version seems to be working without  regressions in this very simple test so far. However, I could not observe any improvements regarding throughput or power consumption. I am still limited to around 350 Mbps of my Gigabit line in various speed tests and the box consumes around 9.5-10 Watts in idle. In comparison, Linux-based systems consume only around 5.5-6 Watts and deliver gigabit speed on the very same hardware.

I noticed some python3 and php processes that are keeping both cpu cores quite busy all the time. But this has been already the case in the 20.1 series.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on April 10, 2020, 01:52:55 pm
Thanks for testing. On the Realtek side the driver isn't newer, not sure where you read this.

If all goes well next week there will be an online update with PHP 7.3 included and some bugs fixed. :)


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: marjohn56 on April 11, 2020, 09:47:43 am
Happy to say all good on my test unit, green lights across the board. Nice also to note that my dhcp6 multiwan patches all applied and working too. On furlough here so have some time to play.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 14, 2020, 12:06:44 pm
works well now in daily usage. Only thing is logging on postfix. All the rest i could not find any errors.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: Kali on April 14, 2020, 02:19:18 pm
I did a test on kvm with virtio net driver, and a quick test shows a big performance improvement 2/3 times faster than 20.1 (I guess is the driver update from 11.2 to 12.1) 
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on April 17, 2020, 01:21:36 pm
We've found some small errors which we'd like to fix with an update and new images (you will be able to update your current BETA installs online no problem), switch to PHP 7.3 and migrate radvd daemon from version 1.x to 2.x now that it is fixed in FreeBSD ports for our use case.

Postfix logging is still pending, but we are fairly sure it is an issue with the current log parsing approach as 12.1 changed the standard logging output and relatively easy to solve in another update.


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on April 17, 2020, 07:12:23 pm
great! :)
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: tofaz on April 21, 2020, 02:51:05 pm
* Traffic shaper statistics API and GUI page

Hi Franco,

Could you please detail what are the changes to the Traffic Shaper statistics GUI page? I have installed the 20.7 beta but found that the Traffic Shaper looks the same. I am really interested in the Shaping feature and I always found confusion with the current GUI/statistics compared to other solutions. I really love OPNsense and I would like to know if any improvements are planned on this front.

Thank you for the great work!

Cheers
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on April 21, 2020, 05:39:38 pm
Wait for update please, we're still working on the next BETA release but 20.1.5 will come first.

Shaper statistics were always just dumping a command line utility output... now they are parsed in queue, pipe, and rule structures which can be inspected "drill down" style. And there is an API along with it if the GUI page is not for you. ;)


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: tofaz on April 21, 2020, 06:35:22 pm
That's a great news for Mr. Shaper! :)

Thank you for the confirmation and I will wait for the next update then! Any possible unofficial target date?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: TParker31 on April 22, 2020, 07:54:24 pm
I'm new to opnsense, but can someone please confirm if dchp static mapping for vlans is working in this version? I have no issues with this working on the LAN interface, but have cannot get this is working on any vlan. If I'm missing something basic, any help would be appreciated.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on April 23, 2020, 07:57:00 am
We have no understanding that there would be a change in behaviour for "VLANs with DHCP static mappings". Are you referring to a specific issue on GitHub?

Unofficial release date, well, early next week. Stuff keeps coming up, but on the bright side 20.1.5 will have all the new traffic shaper stats already... that will come out later today.


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: mimugmail on April 23, 2020, 09:34:20 am
VLAN and DHCP reminds me on Suriciata or Sensei running on internal interface?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: tofaz on April 24, 2020, 05:07:32 am
Unofficial release date, well, early next week. Stuff keeps coming up, but on the bright side 20.1.5 will have all the new traffic shaper stats already... that will come out later today.

Awesome! I thought the feature was coming with 20.7 so tonight's update has been a cool surprise! Really great job and thank you for all of your work!

Are you planning to have an automatic refresh of the status page or at least an option within the page to enable/disable it?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: spetrillo on May 05, 2020, 06:42:56 pm
Hello all,

Looking forward to testing this tonight. One quick question about the image. Will this be updated on a go forward basis, and will you be letting us know when a new image is available for testing?

Thanks,
Steve
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: ruggerio on May 06, 2020, 07:49:13 am
@spetrillo

We've found some small errors which we'd like to fix with an update and new images (you will be able to update your current BETA installs online no problem), switch to PHP 7.3 and migrate radvd daemon from version 1.x to 2.x now that it is fixed in FreeBSD ports for our use case.

Postfix logging is still pending, but we are fairly sure it is an issue with the current log parsing approach as 12.1 changed the standard logging output and relatively easy to solve in another update.


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: spetrillo on May 06, 2020, 04:07:01 pm
@ruggerio

Thanks!
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on May 07, 2020, 12:00:34 pm
We pushed the online update just now, relevant highlights:

* Switched to PHP 7.3
* Latest FreeBSD security patches on 12.1
* New Traffic Shaper API
* Unbound-plus core integration
* Unbound DNS64 support
* Interfaces ordering by defined groups
* Fixes missing user on 12.1 base

Also includes assorted changes and bugfixes in core to be summarised when the first release candidate, which is when new images will also be available.


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: Werner Fischer on May 07, 2020, 01:41:29 pm
Thank you for the online update. I will check it today/tomorrow. With the first beta I've run into an issue with a LTE modem connection. I have tried https://www.thomas-krenn.com/de/wiki/OPNsense_LTE_Verbindung with a Quectel Modem, and got a crash with an automated reboot afterwards. I will re-check this after applying the online update.

In case I still encounter the issue with the LTE connection: should I report it here or should I open an issue on GitHub?

Best Regards,
Werner
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on May 07, 2020, 02:06:08 pm
I would expect the same outcome. We can look at the crash, but if it works on 11.2 / 20.1 it may be due to new OS code. :(
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: l0rdraiden on May 07, 2020, 10:47:42 pm
* Suricata 5 and optimized ET Pro Telemetry rules plugin

What has changed in the "optimized ET Pro Telemetry rules plugin"? or what's new?

How easy is to switch from beta/RC to stable once is relased? can be done in the web ui changing the release branch or something?

Thanks
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: Werner Fischer on May 26, 2020, 02:36:20 pm
Hi Franco,

> I would expect the same outcome. We can look at the crash, but if it works on 11.2 / 20.1 it may be due to new OS code.

regarding this LTE issue I have opened a new topic: https://forum.opnsense.org/index.php?topic=17417.0

Please let me know in case I should do any further testing.

Best regards, Werner
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: bimmerdriver on May 28, 2020, 07:26:20 am
I installed it in a generation 2 vm on a windows 2019 hyper-v server. The installer hung a couple of times at the same places as have been reported before. Like before, I was able to get past by interrupting it using CTRL-C and re-logging in.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: marjohn56 on May 28, 2020, 09:20:57 am
Remember to install the new dhcp6c...
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: bimmerdriver on May 29, 2020, 06:46:49 am
Remember to install the new dhcp6c...
I didn't update anything. dhcp6c seems to be working fine as-is.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: marjohn56 on May 29, 2020, 07:48:14 am
Did you do a code core update?
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on May 29, 2020, 09:11:58 am
I'm trying to provide 20.7-BETA2 today. I'm currently struggling with increased workload at my day job...

Please remember that we provide supervised snapshots, not nightly builds. Both have their ups and downs and personally I think nightly breakage is much harder to troubleshoot.


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: marjohn56 on May 29, 2020, 10:45:48 am
Thanks Franco... your doing your best, as always. We can ask no more.
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: franco on May 29, 2020, 01:58:06 pm
Update has been published. Images to go along with it will follow next week.


Cheers,
Franco
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: wget on June 09, 2020, 01:15:30 pm
Update has been published. Images to go along with it will follow next week.

Hi Franco,

Do you have a link to that new update?

Will it be available here? https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/

I only see the version dating back from 2020-03-24 :/
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: mimugmail on June 09, 2020, 04:56:20 pm
Grab the ISO and update in there ...
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: wget on June 10, 2020, 12:19:47 am
Grab the ISO and update in there ...


Ok. After I have upgraded my APU firmware (since I was at it), I reinstalled the system with the aforementioned iso and am now on 20.7.

This is the version I got after having run the update process:
Code: [Select]
OPNsense 20.7.b_181-amd64
FreeBSD 12.1-RELEASE-p5-HBSD
OpenSSL 1.1.1g 21 Apr 2020

The update checker asked me to switch to dev as "the release type needs to be updated" (this is the message I got). But switch to dev didn't get me any further updates.

Note to myself for the future: install the plugins I used BEFORE importing the config. At first I didn't install the plugins which required me to reset to defaults the device, install the plugin and reimport.

In IPv6, my LAN is broken as hell. While the machine received a prefix delegation on WAN, which is well installed on the LAN interface, the OPNsense router is not able to communicate to the outside in IPv6 nor are the machines from the LAN. It seems like a radvd issue (regression). The same config using OpenWRT is working like a charm. I'm on cable modem. Playing around with MTU override, prefix hints or even disabling the firewall (pfctl -d) to ensure ICMPv6 wasn't blocked are all the steps I performed without much results. :/
Title: Re: 20.7-BETA images with HBSD 12.1
Post by: wget on July 15, 2020, 06:04:15 pm
For those falling on this thread using a search engine, the fact that you are not on HardenedBSD 12 and are still on HardenedBSD 11 (FreeBSD 11 based) when you try to upgrade from 20.1 to a dev version of 20.7 is intended.

Like specified on Twitter (https://twitter.com/opnsense/status/1280872478529728514), due to early showstoppers (https://github.com/opnsense/core/commit/2efdcf51fcb12) in the 11.2 -> 12.1 upgrade process, the devs missed the deadline when they froze the code base.

According to that same tweet, the ability to upgrade to a HardenedBSD 12 kernel will be offered with the next RC expected this week or the next ones.