Messages - pah

#1
German - Deutsch / Re: silent drop rule
November 12, 2017, 09:32:34 PM
Hello!

Yes, of course, the bogon rule is still active as well.

Even an exact definition with src 0.0.0.0 srcport 68 dst 255.255.255.255 dstport 67 doesn't help. I've already gone through all the other variants too. Well, and the bogon rule sits in front of it in any case ...

I'll play around with it a bit more. The upgrade can't be postponed much longer anyway without ending up with at least one foot in trouble. But I stick to the principle: "never touch a running system".  8)

Thanks and best regards,
pah
#2
German - Deutsch / silent drop rule
November 12, 2017, 08:58:34 PM
Hello!

I'm still using OPNsense 15.1.9-amd64 but have been quite satisfied so far (I don't use all the features either).

On the WAN interface I regularly catch BOOTP broadcasts (DHCP) (among other things because of the cable provider UPC), which I of course block, but which unnecessarily end up in the log. What annoys me is that this can't be "silently suppressed" via a firewall rule.

That is:
SRC: * (ANY)
DST: 255.255.255.255 (single host or alias)
SVC: UDP67-68
Action: Drop
Log: NO

The problem is probably that I "have to" have DHCP enabled on the interface in order to get the same IP assigned again and again, or rather I request it from the DHCP server as a renew. It is set as an alias (Alias IPv4 address). Since it's UDP, the provider doesn't mind if I throw the reply away.

Is there perhaps a special trick for this?

Thanks!
pah
#3
Hello!

These days I'm really unhappy! I hope some of you can help me!

What happened: 2 days ago there was a power interruption during normal operation (running since 04/2015) on my APU (AMD, 2GB, 3LAN, ...) with OPNsense 15.1.9 (I think so) from "PC Engines", like this one I bought here:
https://shop.tronico.net/Embedded-Computer/PC-Engines/APU-Mainboards/APU-2C0-system-board.html
(also see attachment, only 2 cores)

When power was OK again the device booted up and nearly everything was fine, only one VLAN didn't come up at all. So I decided to upgrade because I had time.

Started the upgrade and it ran and ran and ran. After 2.5 h I gave up (CPU load was 1 but nothing more happened) and rebooted via the WebGUI.

After this the device didn't come up at all! :-(

OK. I took the SD and copied the original image on it to restore the last config and have a second try to upgrade or not because everything worked fine for 2 years.

After booting up OPNsense I tried to restore my configuration backup from April this year. The APU rebooted and OPNsense came up again with the initialization installation. I tried again and again, it didn't work.

Then I tried to manually set up a basic configuration. After the reboot the initialization installation came up again.
I also tried a 2nd SD card as I thought the original card may have been damaged by the power outage. But still no configuration can be restored or saved! :-(

In short words: I'm not able to restore my configuration now!? What can be the problem?

Is there maybe another hardware error (memory) which is why the restore cannot be saved? In the console output I didn't see any errors. And during manual configuration everything works fine.

Isn't it possible to save the configuration directly as /usr/local/etc/config.xml ?

Please give me a hint what issue that could be or what I may have forgotten during restore.

Unfortunately it seems that I also destroyed my private laptop while copying the OPNsense image to the SD, so I have to take my laptop from work to do this and so I may not be able to answer questions quickly, but I will do so asap!

UPDATE: fixed! In short words: a config cannot be stored without an installation, and an installation needs a related storage. :)

Thanks and best regards!

pah
#4
15.1 Legacy Series / Re: Problem with VLAN
May 09, 2015, 01:45:31 PM
Looks like the MAC doesn't disappear on vlan1 and is only incomplete in vlan99. So it could be the VLAN configuration on the client's port.

But port 4 is configured for vlan1 & vlan4:

System Configuration:
    Name: sw01
    S/W Version: PA.03.10
    CVS Tag: $Name$
    Compile Date: Nov 15 2012 11:05:53
    H/W Version: R01

    MAC address: 00-18-71-49-40-b0
    SNMP:  enabled
    Trap IP: 0.0.0.0
    Readcommunity: public
    Trapcommunity: public

VLAN Configuration:
    Port  Aware    PVID  Ingress Filtering  Frame Type
     1:   enabled     1           disabled  All                      # OPNsense
     2:   enabled     1           disabled  All                      # Portchannel
     3:   enabled     1           disabled  All                      # Portchannel
     4:   enabled     1           disabled  All                      # Client
     5:   enabled     1           disabled  All
     6:   enabled     1           disabled  All
     7:   enabled     1           disabled  All
     8:   enabled     1           disabled  All

    Entries in permanent table:
       1:  1,2,3,4,5,6,7,8
      11:  1,4,5,6,7,8
      99:  1,2,3,4
#5
15.1 Legacy Series / Problem with VLAN
May 09, 2015, 01:07:01 PM
Hello,

I'm now running OPNsense 15.1.9-amd64 on a PCengines APU1D for 2 weeks. One week ago I set up a VLAN for the management stuff like switches etc. It is called vlan99 and placed on interface re1 ("LAN", vlan1):

re1_vlan99: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=3<RXCSUM,TXCSUM>
   ether 00:0d:b9:3a:15:c9
   inet6 fe80::20d:b9ff:fe3a:15c9%re1_vlan99 prefixlen 64 scopeid 0xb
   inet 192.168.99.1 netmask 0xffffff00 broadcast 192.168.99.255
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
   vlan: 99 vlanpcp: 0 parent interface: re1

re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
   ether 00:0d:b9:3a:15:c9
   inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active

Everything was OK: vlan99 was accessible from vlan1 and vice versa. Then I tried to move my management client from vlan1 ("LAN") into this vlan99 by changing the IP address of the client. I also checked the VLAN configuration on the switch for its port. It didn't work, so I changed the IP back to vlan1.

Everything was OK again, but devices in vlan99 aren't accessible any more from vlan1. From the OPNsense box I can access devices in vlan99 with source re1_vlan99 but not with any other. From vlan1 I can only see SYNs/requests to vlan99; on vlan99 I can see requests and replies. The firewall doesn't block. The devices don't block either. But packets from vlan99 cannot be seen on vlan1. The VLAN interface 192.168.99.1 (the WebUI and ssh) is still accessible, though.

tcpdump -ni re1 host 192.168.99.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re1, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
12:00:19.164739 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 15, length 64
12:00:20.164665 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 16, length 64
12:00:21.164959 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 17, length 64
12:00:22.164908 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 18, length 64

tcpdump -ni re1_vlan99 host 192.168.99.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re1_vlan99, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
12:00:10.163495 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 6, length 64
12:00:10.168680 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 6, length 64
12:00:11.163511 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 7, length 64
12:00:11.168393 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 7, length 64
12:00:12.163468 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 8, length 64
12:00:12.168372 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 8, length 64
12:00:13.165096 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 9, length 64
12:00:13.169983 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 9, length 64
12:00:14.165067 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 10, length 64
12:00:14.169965 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 10, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

I restarted the box and the devices in vlan99, still the same problem. What's wrong?

Further information: I'm using 3x "ProCurve Switch 1800-8G" switches connected like this:

sw01 <=Portchannel=> sw02 <-1uplink-> sw03

Best regards,
Herbert P.
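A small check that can be run over the two captures above, added here as an example and not part of the thread: it pairs ICMP echo requests with replies by (id, seq) per interface, so a capture that shows requests but no replies, as on re1 above, stands out immediately. The sample captures are shortened excerpts of the post's own tcpdump output; the function and verdict names are my own.

```python
import re

# Sample captures, excerpted from the two tcpdump runs in the post above.
RE1 = """\
listening on re1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:00:19.164739 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 15, length 64
12:00:20.164665 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 16, length 64
"""
RE1_VLAN99 = """\
listening on re1_vlan99, link-type EN10MB (Ethernet), capture size 65535 bytes
12:00:10.163495 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 6, length 64
12:00:10.168680 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 6, length 64
12:00:11.163511 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 7, length 64
12:00:11.168393 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 7, length 64
"""

# One ICMP echo line as printed by "tcpdump -n"; banners and counters do not match.
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

def parse_capture(text):
    """Split a capture into echo requests and replies keyed by (id, seq)."""
    requests, replies = {}, {}
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            bucket = requests if m["kind"] == "request" else replies
            bucket[(int(m["id"]), int(m["seq"]))] = (m["src"], m["dst"])
    return requests, replies

def unanswered(text):
    """(id, seq) of echo requests that never got a reply in this capture."""
    requests, replies = parse_capture(text)
    return sorted(k for k in requests if k not in replies)

def diagnose(captures):
    """captures: {interface: tcpdump text} -> {interface: verdict}."""
    verdict = {}
    for ifname, text in captures.items():
        requests, replies = parse_capture(text)
        if not requests:
            verdict[ifname] = "no echo traffic"
        elif not replies:
            verdict[ifname] = "requests only, return path broken"
        else:
            verdict[ifname] = "ok"
    return verdict

if __name__ == "__main__":
    print(diagnose({"re1": RE1, "re1_vlan99": RE1_VLAN99}))
```

Feed it the full output of both tcpdump runs; an interface that reports "requests only" while the VLAN interface reports "ok" narrows the problem to the path between the two, not to the firewall.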
#6
Hello!

Just set up an APU1D (1 GHz, 4 GB RAM) from PCengines with OPNsense and it runs well! The only thing to watch out for is WLAN (only wle200nx), and don't forget the necessary accessories (pigtail cable, I-PEX to SMA female reverse connector + antenna(s)).

I found it interesting that a UMTS module is already onboard as well. Haven't been able to try it out yet, though. Does anyone here have experience with it?

Best regards,
pah