Messages - cryptochrome

#1
Ever since the last couple updates (I think it started with 17.1.6) the firewall keeps crashing on me while I use the WebGUI or do anything on the command line. If I don't touch the firewall, it seems to be stable.

Today it is extremely bad, firewall crashes every couple of minutes.

The only weird things I can find in the system log are these:


Jun  7 21:40:45 gw1 configd.py: [599ea6f1-628c-4e00-a675-d586418490a4] Inline action failed with OPNsense/HAProxy OPNsense/HAProxy/haproxy.conf 'collections.OrderedDict object' has no attribute 'HAProxy' at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/processhandler.py", line 505, in execute     return ph_inline_actions.execute(self, inline_act_parameters)   File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 50, in execute     filenames = tmpl.generate(parameters)   File "/usr/local/opnsense/service/modules/template.py", line 309, in generate     raise render_exception Exception: OPNsense/HAProxy OPNsense/HAProxy/haproxy.conf 'collections.OrderedDict object' has no attribute 'HAProxy'


and this:


Jun  7 21:48:09 gw1 flowd_aggregate.py: flowd aggregate died with message Traceback (most recent call last):   File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 148, in run     aggregate_flowd(do_vacuum)   File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 79, in aggregate_flowd     stream_agg_object.add(flow_record_cpy)   File "/usr/local/opnsense/scripts/netflow/lib/aggregates/source.py", line 105, in add     super(FlowSourceAddrDetails, self).add(flow)   File "/usr/local/opnsense/scripts/netflow/lib/aggregate.py", line 258, in add     self._update_cur.execute(self._update_stmt, flow) DatabaseError: database disk image is malformed


Regarding the last one, I disabled Netflow but that doesn't seem to help. The HAProxy log entry appears more often than the netflow one.

Any ideas?
#2
I have no clue. The log file doesn't have anything that would hint at an issue. It basically just repeats these two lines over and over again:

Mar 24 10:02:50 dnsmasq[24990]: read /var/etc/dnsmasq-hosts - 13 addresses
Mar 24 10:02:57 dnsmasq[24990]: read /etc/hosts - 2 addresses


And occasionally prints this:


Mar 24 11:41:23 dnsmasq[66225]: using nameserver 80.69.96.12#53
Mar 24 11:41:23 dnsmasq[66225]: using nameserver 81.210.129.4#53
Mar 24 11:41:23 dnsmasq[66225]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect no-inotify
Mar 24 11:41:23 dnsmasq[66225]: DNS service limited to local subnets



#3
17.1 Legacy Series / Re: UPnP not working at all
March 23, 2017, 02:38:13 PM
Yea, they are both on. Doesn't work.
#4
17.1 Legacy Series / UPnP not working at all
March 23, 2017, 02:22:19 PM
Hi,

I enabled UPnP service, left the "default deny" unchecked. However, nothing seems to work. Tried various devices here that all use UPNP but the status of the UPNP service shows zero entries and the devices complain they can't set up port forwarding.

Not sure where to look for logs for this.

Any clues?
#5
None of this seems to be working for me. I have a NAT rule with static port mapping and UPNP enabled, but my PS4 still shows as NAT Type 3 and no ports opened in UPNP.

Tried everything.
#6
I don't have an answer for you, but why are you trying to reach your internal hosts from internal through their public IPs?

You could set up host overrides in your DNS Forwarder so that it resolves the internal IP of your server from the internal network. No need to go through the firewall.
#7
Yes, it also happens when I ping or use the host command. I have set to bind to LAN interface. I just changed it back to the default (all interfaces) but it makes no difference.
#8
I tried both, with and without custom DNS servers. Neither seems to work. I do get DNS servers through DHCP (WAN link) and I have the option enabled to pass this through to my downstream DHCP clients.
#9
I simply added a host as override, like "host.xyz.it -> 10.10.10.1". When I do an nslookup from computers behind the firewall for that host, it resolves to the 10.10.10.1 address. If I do it from the firewall, I get the public IP for that host (we're running a split DNS setup here). The option you are referring to is unchecked. Do I need to have 127.0.0.1 as nameserver configured somewhere for this to work?
#10
Makes sense. Thank you! :)
#11
Just checked, it's turned off (and was turned off). I even tried giving it 127.0.0.1 as a nameserver but no joy.
#12
Hi,

I configured DNS Forwarder and added a few host overrides, which works great from any client using the firewall as a DNS server. However, it is not working from the firewall itself, e.g. if I do an nslookup from the firewall shell, it sends the request to the forwarders instead of resolving through the host overrides.

Am I missing something here?

Thanks
#13
I can't seem to find an option to restrict access to the firewall GUI and SSH. I can only enable or disable the options. How is this done?
#14
Hi,

I am not sure if this is the right place to drop feature requests, but I'll give it a try:

Currently, when you add a new port forwarding rule and let it automatically create a corresponding firewall rule, that firewall rule has logging disabled and the rule can't be edited. So if I want logging, I would have to add the firewall rule manually and disable automatic rule creation.

Why not give me an option to enable logging on these auto-created rules?

Thanks
#15
I got it figured out. It was probably my mistake. I've used the serial image but ran the installation through a VGA connected monitor. Apparently only the first bits of the boot process are shown on the monitor and then it seems to switch over to serial console. I was able to SSH into it (SSH headless install).

All good now. Thank you!