Messages

1

19.7 Legacy Series / Re: Traffic from backup node getting "No route to host" after upgrading to 19.7.x

« on: September 01, 2019, 03:55:51 am »

!!! I FOUND THE PROBLEM !!!

It is 03:37, and I just wanted to let everybody know that I found the problem! 

So I just finished re-watch Interstellar, so I was feeling clever as it was, and I decided to look over the release notes for 19.7 and 19.7.3, and this time round the following items struck a cord they had not previously:

"Gateways influence default switching order by weight"

"o system: add defunct gateways to GUI in disabled state"

"o firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic"

So I thought, "Wait a minute, I am getting 'No route to host' and here it says there were significant changes to something to do with gateways, I better investigate that part specifically".

And so I opened up the Web GUI on my backup node, and then I went into System --> Gateways --> Single.

I only have a single gateway and my ISP uses IPv4, and so it immediately struck me as odd that the gateway was saying "IPv6" in the "Protocol" column (See the first screenshot).

What I then did was that I simply went to edit the gateway, and the "Protocol" field had autoselected IPv4, so all I had to do was to click the save button. Now the gateway configuration went to say "IPv4" in the "Protocol" column, the "Status" column now said "Online" in green, and the "Name" column had "(active)" (See the second screenshot).

Voila! Now when I go to do a ping test, traffic goes out perfectly fine, DNS worked and updates check out!

Other than my redundant setup, I have two other OPNsense firewalls which are, rather average router configurations, one being my home firewall, and the upgrade to 19.7 and 19.7.3 did not produce this problem on either of those.

So in summary, it would appear that, somehow, when 19.7 booted up and looked at the configuration file, it somehow managed to interpret the gateway as being IPv6. As can be seen from the screenshot, the gateway was seemingly disabled. This seems rather odd, because it was working on 19.1.10, so why it was deemed to be defunct, and, according to the release notes added "in disabled state" makes no sense to me.

2

19.7 Legacy Series / Traffic from backup node getting "No route to host" after upgrading to 19.7.x

« on: August 29, 2019, 12:11:54 pm »

I run a high availability setup with two OPNsense firewalls in failover mode. Each node only has a single WAN interface.

Yesterday, I decided to upgrade to 19.7.x (I was on 19.1.10), and like I usually do I start with the backup node. The first jump to 19.7 went fine, but when the upgrade was finished and the system had rebooted, and I tried to do the minor update to 19.7.3, I got "No address record found for the selected mirror.". I tried multiple different mirrors but with the same result. I eventually discovered that the system could not resolve DNS, and I then tried pinging 8.8.8.8 and I got "No route to host".

On Twitter @opnsense hinting at it being a multi-WAN issue that was fixed in 19.7.3, so eventually I ended up setting up a local OPNsense mirror, and having my backup node get the update from there, which installed fine. But after it had finished and rebooted, the problem persisted.

I have not yet upgraded the primary node, because if this problem were to also occur on that one, then I would bring myself into deep doo-doo.

What could be causing this? I saw something about gateway issues in other posts, and I tried enabling the option "Disable Force Gateway" under Firewall > Settings, but that did not resolve the issue.

3

Hardware and Performance / Re: Changing NIC card without messing up configuration

« on: April 06, 2019, 04:16:21 pm »

Hmmmm, but where does it store the MAC addresses of the interfaces? Because when I look through the configuration file, I only see interface names (like "ix0"), but not any related MAC addresses?

4

Hardware and Performance / Re: Changing NIC card without messing up configuration

« on: April 06, 2019, 01:50:57 am »

It would want you to configure the replacement NICs. The hard part will new knowing which one is which.

Sent from my SM-G935V using Tapatalk

At the moment I have ix0 as the WAN, and several VLANs on ix1, but "ix1" itself remains unconfigured. So I would need to alter both the VLANs and the interfaces, hmmm. Perhaps it might be easier to just export the configuration, and do search+replace for "ix0" with "mlxen0", and "ix1" with "mlxen1" etc. and then just import this edited configuration.

5

Hardware and Performance / Changing NIC card without messing up configuration

« on: April 06, 2019, 12:31:50 am »

At the moment, I have a couple of redundant OPNsense firewalls using a 2-port Intel NIC card, which has been causing be problems since last August, and I am considering replacing it with a functionally identical Mellanox card. Thus I was thinking, how would OPNsense react to the NICs being changed, and would it mess up the configuration? Or would it simply say "Hmmm, the previous NICs are gone, where should I put the LAN and WAN interfaces?" and be on its merry way?

6

18.7 Legacy Series / Re: Urgent problem with VLAN interfaces saying "no carrier" after upgrading to 18.7

« on: August 02, 2018, 08:26:51 am »

You can try to downgrade the kernel (please note to unplug power, reboot is not enough):

https://github.com/opnsense/core/issues/2591

Thanks a lot for pointing me to that page on Github, I tried just simply booting kernel.old via the bootloader menu, and that solved the problem. So I would say this is an issue with the backported drivers. Also, no power cycling was necessary, just kernel.old in my case, however since my ix device is in a PCI-E card, then rebooting might have a slightly different effect than if it was an onboard device.

7

18.7 Legacy Series / Urgent problem with VLAN interfaces saying "no carrier" after upgrading to 18.7

« on: August 02, 2018, 01:03:50 am »

With it being stated that 18.7 has focused on stability, I decided to not wait for two or three point releases as I normally do before upgrading my company firewalls (A high availability setup of two firewalls).

However, the result was that none of my VLAN "interfaces" activate properly. On the main page, they are marked with red saying "Ethernet autoselect", and under System --> Interfaces --> Overview their status says "no carrier".

All of my physical interfaces activate without a problem, and I have WAN access (Which is through a physical interface), but none of my VLANs seem to work.

I have tried re-jiggering the interface assignments, so that the system would, I assume, re-write the VLAN configuration, but that did not fix things at all.

The VLANs are configured on an ix interface, and my switch reports that the ports going to the VLAN NICs are not active. Could this have something to do with the backported Intel NIC drivers of 18.7? Was the ix driver backported?

Does anybody have any suggestion as to what I can do to resolve this problem?

8

18.1 Legacy Series / Re: 18.1 development milestones

« on: December 26, 2017, 07:07:50 pm »

Will LibreSSL also be updated in 18.1 or will it be sticking with 2.5.x?

9

17.1 Legacy Series / XMLRPC sync and HTTPS

« on: July 26, 2017, 08:17:12 pm »

I am configuring two OPNsense systems in a high availability setup with CARP, pfSync, XMLRPC etc. for full redundancy. I have also installed my own self-signed certificates for the WebGUI.

When configuring things I noticed something that I am rather curious about. On screen in the sync settings it mentions to specify the full URL for the secondary firewall, and it gives an HTTPS sample URL. That got me to wonder, does XMLRPC ignore any certificate validation when sync the configuration or does it fail if it cannot validate the certificate of the other machine?