OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: abraxxa on March 26, 2018, 07:25:25 pm

Title: [SOLVED] 18.1.5 IPv6 bogons invalid after update
Post by: abraxxa on March 26, 2018, 07:25:25 pm
After updating today to 18.1.5 no through-the-firewall connection worked. The error I found in the log was:
Code:
Mar 26 18:47:01 firewall opnsense: /usr/local/etc/rc.filter_configure: New alert found: There were error(s) loading the rules: no IP address found for <!DOCTYPE
The number of states also remained at zero.
After disabling my spamhaus.org deny rules which are using a downloaded IP list via an alias, the error still remained.

A reboot didn't solve the issue either.

I then remembered that OPNsense has a checkbox for blocking bogons; after I disabled it everything worked again.

I've checked /usr/local/etc/bogons which was fine, but /usr/local/etc/bogonsv6 contained HTML!

I've further found:
Quote
Mar 21 03:01:00 firewall root: rc.update_bogons is starting up
Mar 21 03:01:00 firewall root: rc.update_bogons is sleeping for 86 seconds
Mar 21 03:02:26 firewall root: rc.update_bogons is beginning the update cycle
Mar 21 03:02:26 firewall root: Not updating IPv4 bogons (increase table-entries limit)
Mar 21 03:02:26 firewall root: Not saving or updating IPv6 bogons (increase table-entries limit)
Mar 21 03:02:26 firewall root: rc.update_bogons is ending the update cycle

From which URL are the bogons downloaded? Can you implement a safety check which validates the received list?
Thanks, Alex
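
Added example (not part of the original posts and not OPNsense's own code): one way to do the safety check asked for above, so that an HTML page is rejected before it replaces a known-good bogons file, and a list larger than the configured table limit is flagged, as in the "increase table-entries limit" log lines. The function names and sample prefixes are constructed for illustration, and treating the limit as a per-list ceiling is an assumption.

```python
import ipaddress
import os
import tempfile

# Constructed samples: a well-formed list and the kind of HTML page that ended up in bogonsv6.
GOOD_V6 = "# last updated 1522126201 (Tue Mar 27 04:50:01 2018 GMT)\n::/8\n2001:db8::/32\nfc00::/7\n"
HTML_V6 = "<!DOCTYPE html>\n<html><head><title>Not Found</title></head></html>\n"


def validate_bogons(text, version, max_entries):
    """Return (prefixes, problems); the list is loadable only if problems is empty."""
    prefixes, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment headers are allowed
        try:
            net = ipaddress.ip_network(line)  # strict: host bits set is an error
        except ValueError:
            problems.append(f"line {lineno}: not an IP prefix: {line[:30]!r}")
            continue
        if net.version != version:
            problems.append(f"line {lineno}: IPv{net.version} prefix in IPv{version} list")
            continue
        prefixes.append(net)
    if not prefixes:
        problems.append("no prefixes found")
    if len(prefixes) > max_entries:
        problems.append(f"{len(prefixes)} prefixes exceed limit of {max_entries}")
    return prefixes, problems


def install_if_valid(text, dest, version, max_entries):
    """Replace dest atomically only when the download validates; else keep the old file."""
    _, problems = validate_bogons(text, version, max_entries)
    if problems:
        return problems
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, dest)  # same directory, so the swap is a single rename
    return []


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "bogonsv6")
        print(install_if_valid(GOOD_V6, dest, 6, 500_000))  # valid list is installed
        print(install_if_valid(HTML_V6, dest, 6, 500_000))  # HTML is refused, old file kept
```
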
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: abraxxa on March 26, 2018, 07:28:56 pm
I've run rc.update_bogons manually twice.
Deleting /usr/local/etc/bogonsv6 doesn't help, the same HTML is in the file after the update has run.

screen output:
Quote
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled

clog system.log output:

Quote
Mar 26 19:25:57 firewall root: rc.update_bogons is starting up
Mar 26 19:25:57 firewall root: rc.update_bogons is beginning the update cycle
Mar 26 19:25:57 firewall root: Bogons V4 file downloaded: 77 addresses added.
Mar 26 19:25:57 firewall root: Bogons V4 file downloaded: 27 addresses deleted.
Mar 26 19:25:57 firewall root: Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off
Mar 26 19:25:57 firewall root: rc.update_bogons is ending the update cycle
Mar 26 19:26:43 firewall root: rc.update_bogons is starting up
Mar 26 19:26:43 firewall root: rc.update_bogons is beginning the update cycle
Mar 26 19:26:43 firewall root: Bogons V4 file downloaded: no changes.
Mar 26 19:26:43 firewall root: Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off
Mar 26 19:26:43 firewall root: rc.update_bogons is ending the update cycle
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: abraxxa on March 26, 2018, 07:32:24 pm
I found the URL in rc.update_bogons and it seems to be hosted by OPNsense itself, seems your backend needs the filter too.
Deleting /tmp/bogons/* and rerunning rc.update_bogons leads to the same HTML content.
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: Bode on March 27, 2018, 09:30:17 am
Here the same after Update 18.1.5:
"There were error(s) loading the rules: no IP address found for <!DOCTYPE"

The IPv6 Bogonscript is broken. The only way to get a working system is to disable the bogon rule on the WAN interface.

Thank you for your analysis abraxxa.
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: franco on March 27, 2018, 10:00:29 am
Should be back to normal. This never happened before, but we made sure to review the files before pushing updates in the future.

Ticket for reference: https://github.com/opnsense/core/issues/2298

Please run:

# /usr/local/etc/rc.update_bogons

And report back if ok...


Thanks,
Franco
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: kug1977 on March 27, 2018, 10:52:40 am
Hi,

Following these steps, I now have a working WAN connection, but I see in the system logs:

opnsense: /usr/local/etc/rc.filter_configure: New alert found: There were error(s) loading the rules: /tmp/rules.debug:16: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [16]: table <bogonsv6> persist file "/usr/local/etc/bogonsv6"

while the bogonsv6 table is filled and the /usr/local/etc/bogonsv6 is recreated / filled with # last updated 1522126201 (Tue Mar 27 04:50:01 2018 GMT) content.

It's a bit strange.

Kind regards,
kug1977
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: abraxxa on March 27, 2018, 09:07:47 pm
I get the same error message and disabled the bogon blocking again.
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: Reiter der OPNsense on March 29, 2018, 06:57:37 pm
Hi,
I had the same problem. Try this:

# pfctl -t bogonsv6 -T flush
# rm /usr/local/etc/bogonsv6
# /usr/local/etc/rc.update_bogons

Edit: Sorry, too soon. Just got that message again:

There were error(s) loading the rules: /tmp/rules.debug:15: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [15]: table <bogonsv6> persist file "/usr/local/etc/bogonsv6"
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: Reiter der OPNsense on April 06, 2018, 12:18:11 pm
Solved. This inspiration solved my problem on two boxes:
https://forum.opnsense.org/index.php?topic=7194.msg32261#msg32261

Firewall --> Settings --> Advanced --> Firewall Maximum Table Entries: 500'000
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: Itow on April 10, 2018, 06:16:01 pm
I had the error since the 18.1.5 update.
No problems so far.
This morning the firewall installed 18.1.6 and from this point I had no connection through the firewall.

I followed the instructions above and now it's working again (I deleted the bogons file and changed the Firewall Maximum Table Entries).

big thanks @ Reiter der OPNsense and abraxxa

please excuse my bad English

Itow
Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: Kofl on May 05, 2018, 01:43:16 pm
Thanks, also solved the issue for me:

Firewall --> Settings --> Advanced --> Firewall Maximum Table Entries: 500'000

Code:
pfctl -t bogonsv6 -T flush
rm /usr/local/etc/bogonsv6
/usr/local/etc/rc.update_bogons

Title: Re: 18.1.5 IPv6 bogons invalid after update
Post by: franco on May 05, 2018, 07:52:35 pm
18.1.7 + filter reload (or a reboot) sets this automatically now if bogonsv6 is used.


Cheers,
Franco