Messages - xupetas

#1
24.7, 24.10 Legacy Series / API issues. Again.
December 11, 2024, 07:02:26 PM
Hello,

I got around the issue of the API URI.
Now it's a new one. I can't get to set an alias via the API:

# curl -s --insecure -u megakey:megapass -X POST https://172.16.0.254:8443/api/firewall/alias/setItem/896eaff6-edfb-4b03-9dca-c2e240681dc0 -H 'Content-Type: application/json' -d '{
  "name": "TESTEALIAS",
  "type": "host",
  "content": "172.16.9.9",
  "descr": ""
}'


I get as a response a {"result":"failed"} message and no alias update.
Note that the UUID for that alias is correct and is visible if I do a GET of it.

The httpd daemon log states:

Dec 11 17:58:44 blabla lighttpd[26287]: 172.16.0.30 172.16.0.254:8443 - [11/Dec/2024:17:58:44 +0000] "POST /api/firewall/alias/setItem/896eaff6-edfb-4b03-9dca-c2e240681dc0 HTTP/2.0" 200 19 "-" "curl/7.61.1"
Dec 11 17:58:44 blabla lighttpd[26287]: 172.16.0.30 172.16.0.254:8443 - [11/Dec/2024:17:58:44 +0000] "POST /api/firewall/alias/setItem/896eaff6-edfb-4b03-9dca-c2e240681dc0 HTTP/2.0" 200 19 "-" "curl/7.61.1"



If I set the URL to set instead of setItem I get a success message, but there is no change to the alias itself.

The http log for that operation is:

Dec 11 17:56:03 blabla lighttpd[26287]: 172.16.0.30 172.16.0.254:8443 - [11/Dec/2024:17:56:03 +0000] "POST /api/firewall/alias/set/896eaff6-edfb-4b03?9dca-c2e240681dc0 HTTP/2.0" 200 18 "-" "curl/7.61.1"
Dec 11 17:56:03 blabla lighttpd[26287]: 172.16.0.30 172.16.0.254:8443 - [11/Dec/2024:17:56:03 +0000] "POST /api/firewall/alias/set/896eaff6-edfb-4b03?9dca-c2e240681dc0 HTTP/2.0" 200 18 "-" "curl/7.61.1"


What am I missing? Thanks so much for your help.
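Both log excerpts in the post above show HTTP 200, so the status code alone does not tell the two calls apart. The following is an added example, not part of the original post: it parses the two request lines (copied from the post) and checks whether the item id in the URI is a well-formed UUID. The function names are hypothetical, and the `/api/<module>/<controller>/<command>/<arg>` layout is assumed from the URIs shown.

```python
import re

# Request lines copied from the two lighttpd excerpts in the post above.
SAMPLE_LOG = [
    'Dec 11 17:58:44 blabla lighttpd[26287]: 172.16.0.30 172.16.0.254:8443 - [11/Dec/2024:17:58:44 +0000] "POST /api/firewall/alias/setItem/896eaff6-edfb-4b03-9dca-c2e240681dc0 HTTP/2.0" 200 19 "-" "curl/7.61.1"',
    'Dec 11 17:56:03 blabla lighttpd[26287]: 172.16.0.30 172.16.0.254:8443 - [11/Dec/2024:17:56:03 +0000] "POST /api/firewall/alias/set/896eaff6-edfb-4b03?9dca-c2e240681dc0 HTTP/2.0" 200 18 "-" "curl/7.61.1"',
]

# Method, URI, status and body size from the quoted request part of the line.
REQUEST = re.compile(
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)')
# Assumed layout: /api/<module>/<controller>/<command>[/<arg>]
API_PATH = re.compile(
    r'^/api/(?P<module>[^/]+)/(?P<controller>[^/]+)/(?P<command>[^/]+)'
    r'(?:/(?P<arg>[^/]+))?$')
UUID = re.compile(
    r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', re.I)


def audit_line(line):
    """Return (command, status, findings) for an API request line, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    # Everything after the first '?' is the query string, not part of the path.
    path, _, query = m.group("uri").partition("?")
    api = API_PATH.match(path)
    if not api:
        return None
    findings = []
    arg = api.group("arg")
    if arg is not None and not UUID.match(arg):
        findings.append(f"path argument {arg!r} is not a well-formed UUID")
    if query:
        findings.append(f"query string {query!r} present on a {m.group('method')} call")
    return api.group("command"), int(m.group("status")), findings


def audit(lines):
    """Audit every line that parses as an API request."""
    return [r for r in map(audit_line, lines) if r is not None]


if __name__ == "__main__":
    for command, status, findings in audit(SAMPLE_LOG):
        print(command, status, findings or "ok")
```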
#3
24.7, 24.10 Legacy Series / [SOLVED] API - Help?
December 11, 2024, 11:53:21 AM
Hi all,

First, let me apologize because I am not very versatile at using APIs.

My question is, I have a user that is properly authenticating, and I am able to get information from curl --insecure -u "$API_KEY:$API_SECRET" -X GET "$OPNSENSE_URL/api/core/menu/search" as expected.


[
  {
    "Id": "Dashboard",
    "Order": "0",
    "VisibleName": "Dashboard",
    "CssClass": "fa fa-dashboard fa-fw",
    "Url": "/ui/core/dashboard",
    "IsExternal": "N",
    "Visibility": "all",
    "Selected": false,
    "isVisible": true,
    "breadcrumb": "Lobby / Dashboard",
    "depth": 2
  },
  {
    "Id": "License",
    "Order": "1",
    "VisibleName": "License",
    "CssClass": "fa fa-balance-scale fa-fw",
    "Url": "/ui/core/license",
    "IsExternal": "N",
    "Visibility": "all",
    "Selected": false,
    "isVisible": true,
    "breadcrumb": "Lobby / License",
    "depth": 2
  },
  {
    "Id": "Password",
    "Order": "2",
    "VisibleName": "Password",
    "CssClass": "fa fa-key fa-fw",
    "Url": "/system_usermanager_passwordmg.php",
    "IsExternal": "N",
    "Visibility": "all",
    "Selected": false,
    "isVisible": true,
    "breadcrumb": "Lobby / Password",
    "depth": 2
  },


... the list goes on and on, so I assume that authentication is working.

However, if I try to access any of the items via Postman, and yes I am basic authenticating, I keep getting the auth login page as if I was not authenticated.
For example: /ui/core/license, I get a login page as if I was not authenticated.
The user that is performing the operations has, at the user page, the effective permission of GUI/All pages set.

Also I have tried with curl and got the same results.

What am I missing?

Thanks for your help
#4
@Franco

Thanks. I can delete the widget now. Thanks so much.
I added again the ones that would not work, and some are still dead, for example the CPU and OpenVPN connections.

But at least I can have a clean screen.

Thanks for your help! I will wait for the others when the team has time to address them.

Kindly,
Nuno
#5
Hi @Franco. Do you have any idea on how I can reset the entire widget configuration so I don't have any widgets loaded?
See what happens in my previous reply to this thread when I try to delete the ones that are hung.
#6
@Franco

That error I pasted... is what I get when I try to remove the widget. It will not allow me to remove it. I press the X on the top right corner of the widget and it throws that error I pasted and it will not delete the widget.

Uncaught TypeError: this.charts.trafficIn is null
    onWidgetClose https://pfsense01.net.xpto/ui/js/widgets/Traffic.js?t=1722259354715:243
    _onWidgetClose https://pfsense01.net.xpto/ui/js/opnsense_widget_manager.js?v=1aa4420ce0d0b23e:693
    _onMarkupRendered https://pfsense01.net.xpto/ui/js/opnsense_widget_manager.js?v=1aa4420ce0d0b23e:412
    jQuery 2


Is there a configuration file that I can delete/truncate on the server so all the widgets are reset and I have an empty and clear homepage and go from there?

Thanks for your help.
Cheers.
#7
Hi @Franco.

Just updated to 24.7_9 and the problem, for me at least, is getting worse. Now I have also lost some widgets regarding VPN (openvpn and ipsec).
Also, the widget that will not die (traffic report) still refuses to close with the following error:

Uncaught TypeError: this.charts.trafficIn is null
    onWidgetClose https://pfsense01.net.xpto/ui/js/widgets/Traffic.js?t=1722259354715:243
    _onWidgetClose https://pfsense01.net.xpto/ui/js/opnsense_widget_manager.js?v=1aa4420ce0d0b23e:693
    _onMarkupRendered https://pfsense01.net.xpto/ui/js/opnsense_widget_manager.js?v=1aa4420ce0d0b23e:412
    jQuery 2


Thanks for your help!
#8
For me, I also found that there are widgets that I can't edit or delete, for example the traffic graph one.
#9
After updating to 24.7_5 it's the same. I have some functioning widgets, some not, and the weird part is that I can't delete at least the Traffic Graph if I press the X to close it.
I can't get any CPU reading, and this is a beefy boy: Ryzen 5 3600X

PS: I am running opnsense inside a VM. I can see traffic inside of Report --> Traffic.

PS2: with debugging enabled what I am mostly getting is Failed to load content for widget: XXXXXXXX, Error: TypeError: selector.replace is not a function

#10
Solved my issue:

I reconfigured my openvpn client like this:



My redirection started working again as expected.

@Franco, do you have any idea on why is that? What does that flag do that breaks RDR?

Thanks so much for your help
#11
Hi @Franco.

Installed a new vanilla opnsense and the results are the same.

I see the package coming thru from the openvpn, passing the firewall, reaching the VM, getting returned to the firewall but not leaving the FW via the openvpn.

One thing I did not remember saying before, but the VM that is the recipient of the portfwrd has the gw forcefully set on opnsense to the gateway provided by the openvpn and I am reaching the internet with the exit IP from that openvpn connection.

Will continue to dig on this.

Thanks for your help
#12
Hi Franco

I think that there is a mix between the openvpn configuration and something NAT related with BSD itself or even with what is building the rules in the background and then feeding them into pf. I have now noticed that I have a similar issue with another wireguard connection (so no openvpn here).

HTTP request NATed IP --> internal IP (sinkhole) --> portfwrd to transparent SQUID --> Wireguard --> destination.

I am getting many RST on the portfwrd part. And the request never reaches the entrance of the wireguard tunnel. The corruption appears to be happening in the NAT part of this configuration.

I have also noticed that there are reports on github regarding this:

https://github.com/opnsense/core/issues/6662
https://github.com/opnsense/core/issues/6650

Do you know if this is a bug and will be fixed on the next release?
Also, asking a dumb question, I am having issues understanding the workaround proposed. What needs to be done with the snat configuration? Do you have anything (or know a post) where there is a picture of an snat example configuration?

I am really struggling here to understand how this solves my issue.
I presently have this enabled in the firewall advanced settings:

Use sticky connections
Use shared forwarding between packet filter, traffic shaper and captive portal


And all the return IP paths from the portfwrds have an outbound rule from the destination (in this case the VM) via the interface from where the requests originated and NATed with the IP of said interface.

Thanks for your help!

Edit: been testing some different configurations in advanced settings, and I want my text to reflect what I have presently.
#13
Hi @Franco.

Any ideas on where the problem might be?

Kindly,
Nuno
#14
Hi

I was running version 23.1.8.

Thanks
#15
Hi Franco,

This started with the latest production version of opnsense: OPNsense 23.1.11-amd64
The versions are the ones bundled with that:

openvpn:

OpenVPN 2.6.5 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
library versions: OpenSSL 1.1.1u  30 May 2023, LZO 2.10