Messages - franco

#8026
What version are we talking about? If I look for "trust_cpu" in the kernel I get nothing for 21.7 or 22.1.


Cheers,
Franco
#8027
Speaking for the core part only the boot sequence should be quicker now since we moved interface configuration tasks into the background.


Cheers,
Franco
#8028
22.1 Legacy Series / Re: Strange Gateway hopping
January 13, 2022, 03:49:20 PM
Relevant entries from System: Log Files: General and System: Gateways: Log File.

Something needs to trigger the change in (default?) gateway... assuming you have default gateway switching turned on.


Cheers,
Franco
#8029
22.1 Legacy Series / Re: Strange Gateway hopping
January 13, 2022, 03:25:50 PM
Is this a gateway monitoring issue or something else? Can you give us some logs to trace the code with?

The gateway code didn't change vs. 21.7.x but much of the interface handling was scrubbed from excess complexity especially during the boot sequence.


Thanks,
Franco
#8030
Because PPPoE is effectively single-threaded due to added PPPoE header and no appropriate mitigation for it exists in FreeBSD.


Cheers,
Franco
#8031
You need more memory for whatever you try to do. Check "dmesg" output for out of memory kills...


Cheers,
Franco
#8032
22.1 Legacy Series / Re: 22.1rc1 - a few notes
January 13, 2022, 11:54:47 AM
In such cases running a health audit would be beneficial. :)


Cheers,
Franco
#8033
22.1 Legacy Series / Re: 22.1rc1 - a few notes
January 13, 2022, 11:46:45 AM
On second thought this might already work? https://github.com/opnsense/core/commit/61e0b950cc

# opnsense-patch 61e0b950cc

FWIW, looks like this has been hiding in there for a number of years.


Cheers,
Franco
#8034
22.1 Legacy Series / Re: 22.1rc1 - a few notes
January 13, 2022, 11:41:11 AM
Thanks, I'm seeing the way it tries to scan the xml and you need to excuse me I need to facepalm for a bit...

!stristr($data, "<" . $_POST['restorearea'] . ">")

Will fix this today.


Cheers,
Franco
#8035
Well disk seems damaged for one thing, not sure if beyond repair. The other captures look normal. A broken disk could cause slowness.


Cheers,
Franco
#8036
This business release is based on the OPNsense 21.7.7 community version
with additional reliability improvements.

A new plugin called OPNWAF[1] is being added to this release to offer Apache
web server for simple setup of load balancing and reverse proxy scenarios.
It also offers ACME protocol support for Let's Encrypt with a single click.

Here are the full patch notes:

o system: move logging remnants of Relayd/HAProxy to plugin code
o system: support XMLRPC authentication using API keys
o system: system log widget auto-refresh (contributed by kulikov-a)
o system: fix /etc/ssl/cert.pem permission on backend call
o interfaces: make is_linklocal() properly detect all link-local addresses (contributed by Per von Zweigbergk)
o firewall: properly translate "any" port to upper or lower port bound
o firewall: support any-to-X ranges for rules port input (contributed by kulikov-a)
o firewall: drop policy based routing validation on interface rules
o firewall: typo in direction for session diagnostics (contributed by kulikov-a)
o firewall: fix address direction for states diagnostics (contributed by kulikov-a)
o firmware: added generic configuration support via opnsense-update.conf
o firmware: modify the launcher to support -r and -s options
o firmware: fix upgrade prompt hint
o firmware: simplify repo file flush
o captive portal: missing tooltip in session window
o captive portal: "connected since" malformed due to datetime already being converted
o dhcp: add current IPv4 address to static lease creation (contributed by Taneli Leppa)
o intrusion detection: switch to ET-Open Suricata 5 rulesets
o intrusion detection: support multiple policy property in metadata
o intrusion detection: update severity of ruleset download skipped log message (contributed by kulikov-a)
o intrusion detection: update embedded classification.config
o ipsec: inline only caller of get_configured_vips_list()
o ipsec: avoid VTI device recreation when using hostnames
o backend: add configctl "-d" and "-q" options for future use
o backend: configd profiler call fix
o ui: prevent browser auto-fill for username/password (contributed by NOYB)
o src: axgbe: fix I2C timeouts by reissuing command on errors
o src: axgbe: fix possible link instabilities
o src: axgbe: log GPIO signals on EEPROM read fails
o plugins: os-OPNWAF 1.0[1]
o plugins: os-acme-client 3.6[2]
o plugins: os-dyndns 1.27[3]
o plugins: os-etpro-telemetry 1.6 switches to Suricata 5 rulesets
o plugins: os-fetchmail removed due to licensing restrictions
o plugins: os-firewall 1.1 adds "Do not NAT" option
o plugins: os-frr 1.24[4]
o plugins: os-haproxy 3.8[5]
o plugins: os-nginx 1.24[6]
o plugins: os-telegraf 1.12.3[7]
o plugins: os-wireguard 1.9[8]
o plugins: os-zabbix-agent 1.10[9]
o plugins: os-zabbix-proxy 1.6[10]
o ports: curl 7.80.0[11]
o ports: dnsmasq fixes multiple regressions
o ports: nss 3.73[12]
o ports: php 7.4.26[13]
o ports: phpseclib 2.0.35[14]
o ports: suricata 6.0.4[15]


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/vendor/deciso/opnwaf.html
[2] https://github.com/opnsense/plugins/blob/stable/21.7/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.7/dns/dyndns/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.7/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.7/net/haproxy/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/21.7/www/nginx/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/zabbix-agent/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/zabbix-proxy/pkg-descr
[11] https://curl.se/changes.html#7_80_0
[12] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.73_release_notes
[13] https://www.php.net/ChangeLog-7.php#7.4.26
[14] https://github.com/phpseclib/phpseclib/releases/tag/2.0.35
[15] https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942
#8037
Ok, thanks. For RSS I meant this one: https://forum.opnsense.org/index.php?topic=24409.0


Cheers,
Franco
#8038
Ok, since addresses are just 2 digits apart and your NICs probably also have close addressing due to MAC address being close I think something just calculates from an offset and hits the other offset of the physical ordering.

But as said the duplicated addresses are no problem going from scope to scope. Why it has 2 link-locals I do not know. I don't believe we are doing that.


Cheers,
Franco
#8039
21.7 Legacy Series / Re: Can't Add Rules
January 13, 2022, 10:42:22 AM
Ok, happy to hear it works :)


Cheers,
Franco
#8040
22.1 Legacy Series / Re: 22.1rc1 - a few notes
January 13, 2022, 10:41:35 AM
Are you sure <wol> tag is in the config.xml? Haven't heard of this oddity before.


Cheers,
Franco