OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of securid »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - securid

Pages: [1] 2 3 ... 5
1
Tutorials and FAQs / Re: Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: September 11, 2024, 03:15:07 pm »
Perhaps someone can help me out.

Have a setup following the guide, with 2 internal sites with ssl termination and wildcard cert. I had a public site as well also setup via the guide using local and public mappings. I no longer use the public site but it worked well.

I have an internal gitea (alternative to gitlab) server with its own certificate. It listens on 22,80,443. 22 is for SSH and 80 is redirected to 443.

I've been reading up and changed the 0_sni_public to listen on LAN ip instead of 0.0.0.0, and attempted to add a new public service listening on wan ip and a backend server on tcp. A real server added with the ip of the internal host.

I can see traffic is allowed in firewall logging but the ha proxy logs arent showing me anything useful, even on debug.

Would appreciate the help!
Thanks.

Edit: solved! The reason HAproxy wasnt showing any relevant logging was becuase I overlooked a port forward rule. once disabled things started working.

2
24.1 Legacy Series / Re: updates never finish
« on: June 13, 2024, 07:32:28 am »
I figured I could help you with those questions but my issue is gone, I'm not sure what it was to be honest. The connectivity audit showed IPv6 wasn't working properly yesterday and I ticked to prefer IPv4 over IPv6. It didn't help and updates still hanged, the connectivity audit showed no change. I left it as I had no time to spend on that, and this morning it actually worked.

I just got the kernel and core update to 24.1.8 coming from 24.1.5 and I no longer see the truncated message, it downloads, installs and reboots without delay. After the reboot another check is fast, and shows everything is up to date.

Sorry, wish I could help you with the questions they are simple enough.

3
24.1 Legacy Series / Re: updates never finish
« on: June 12, 2024, 07:43:58 am »
Thanks but this comes too late for me unfortunately. I should have made a snapshot  :-[

I tried the opnsense bootstrap command but the same thing happened and now its dead.

I need to reinstall and restore the backup. That will have to wait until next week.

Correction: it didn't die. I don't know how it survived but it came back up after a reboot. The problem still persists so i can have another look at it later today.

4
24.1 Legacy Series / Re: Can I use LAN-WAN-LAN to change a destination port?
« on: June 10, 2024, 06:57:17 am »
You can simply make a NAT rule on your LAN interface and redirect to whatever you want.

5
24.1 Legacy Series / updates never finish
« on: June 09, 2024, 04:45:54 pm »
I have one install running in KVM (on Arch Linux if that matters) that has always updated fine but the last time when I clicked to check it said waiting for another process to finish, a little bit later it started to update but it seemed really, really slow. Eventually all it did was just output dots and never finished. I kind of forgot about that and updated the Arch Linux server and rebooted. Luckily, opnSense did come back up but it is still not updating properly. It still seems like it is really slow for some reason even though I don't think that's the root cause.

From the CLI it says this:
Code: [Select]
root@opnsense:~ # opnsense-update -c
root@opnsense:~ #
root@opnsense:~ # opnsense-update
Nothing to do.
root@opnsense:~ # opnsense-update -p
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: 100%
Nothing to do.

But the GUI is still outputting dots ... its working on something.

Code: [Select]
***GOT REQUEST TO UPDATE***
Currently running OPNsense 24.1.8 at Sun Jun  9 14:26:19 CEST 2024
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
Nothing to do.
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-24.1.8-amd64.txz: ...100 or more rows of dots ....
...

Any ideas? Do I need to run some checks to see whether something has been corrupted?

Thanks!

6
24.1 Legacy Series / Re: KEA DHCP - Reservation DNS Server Override
« on: April 19, 2024, 05:13:13 pm »
Another one here.

After reading the release notes saying ISC DHCP removal, I looked into moving the DHCP ranges. Manual moving is a bitch with more than a few interfaces and custom DHCP settings like DNS servers, domain names, etc.

In addition, I am also using DHCPv6 which KEA does not yet have. I certainly hope ICS will not be removed before DHCPv6 is implemented.

7
Tutorials and FAQs / Re: Tutorial 2023/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 03, 2024, 05:22:25 pm »
I have 2 domains, public and internal seperated and its been working fine. Needed the patches of course after the updates which bugged out SNI on haproxy, but fortunately that was an easy fix (thanks!  8)).

I actually have more internal domains in different subnets. Is it possible to add new certificates for each one and then add these to the list the same way as the first internal domain? I would need to setup a map for each one too and I am thinking that as long as they are before the public map this should work?

I don't wanna bork things up so I figured I'd ask first  :D .

Has anyone done this and is it as straightforward as I think it is?

Thanks!

8
24.1 Legacy Series / Re: Wireguard S2S down after upgrade
« on: February 03, 2024, 04:46:19 pm »
Solved it!

Don't ask why but the gateway was gone and on the interface it was set to "automatic".

I had to recreate the gateway and reconfigure it on the interface and things started working again.

9
24.1 Legacy Series / [solved] Wireguard S2S down after upgrade
« on: February 03, 2024, 04:09:28 pm »
I don't know if it happened after upgrading Site A or Site B. I should have checked before upgrading Site B but I forgot after chasing this wild goose for a few hours.

In any case, Site A has several peers in a "road warrior" setup. These work without a hitch. There is a peer for another OPNsense box (Site B) for a S2S which is down.

I have a backdoor via SSH and port forward, so I'm still able to access the OPNsense interface on Site B that way.

I checked firewall rules on both ends, no changes here.
I checked and verified public keys between instance B and its peer on A and vice versa. Pasted them to be sure and confirmed, restarted Wireguard. No change.

I can see one error in the logging on both ends and it has been there since forever. It still appears:
Code: [Select]
2024-02-03T15:34:17 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid interface gateway address: ''
I doubt that has anything to do with todays' issues.

Tcpdump shows packets on both sites on their outside interfaces but the handshake never completes.

What else can I do? I see nothing in the logging, keys are correct, packets are flowing?

10
24.1 Legacy Series / Re: GUI and traffic incredibly slow after upgrade
« on: February 03, 2024, 11:48:57 am »
Ah cool. Thank you.

11
24.1 Legacy Series / Re: GUI and traffic incredibly slow after upgrade
« on: February 03, 2024, 11:39:11 am »
Thanks. I should probably do that as well, Ive never reset it and I dont need long term historical data.

What is the proper way to do that? I cant really find it in the gui?

12
24.1 Legacy Series / Re: GUI and traffic incredibly slow after upgrade
« on: February 03, 2024, 11:10:31 am »
I haven't, but I do look at it occasionally (like this morning).

However, it's gone ....  :o

Mysteriously disappeared  :-[

I really don't mind an occasional problem and do some troubleshooting but I hate it when this happens and I have no clue what caused it let alone solved it :-X

In any case, thanks @newsense for taking the time. Appreciate the help!

13
24.1 Legacy Series / Re: GUI and traffic incredibly slow after upgrade
« on: February 03, 2024, 10:59:30 am »
Quote from: newsense on February 03, 2024, 10:55:02 am
Then you didn't press a as instructed in top before taking the screenshot. That was the info I was asking for.

Correct, I missed that. Here it is:
Code: [Select]
last pid: 21770;  load averages:  0.17,  0.38,  0.33                                                                                                   up 0+00:13:10  10:57:59
64 processes:  2 running, 62 sleeping
CPU:  0.3% user,  0.0% nice,  0.1% system,  0.7% interrupt, 98.9% idle
Mem: 849M Active, 491M Inact, 1437M Wired, 40K Buf, 4937M Free
ARC: 556M Total, 186M MFU, 316M MRU, 13M Anon, 3777K Header, 37M Other
     443M Compressed, 1137M Uncompressed, 2.57:1 Ratio
Swap: 10G Total, 10G Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
19343 root          4  20    0    51M    15M kqread   1   0:18   0.11% /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -p /var/run/syslog-ng.pid
49188 root          1  20    0    14M  3864K CPU1     1   0:00   0.08% top
46041 root          1  20    0    12M  2276K select   1   0:00   0.05% /usr/sbin/powerd -b hadp -a hadp -n hadp
15719 unbound       4  20    0  1096M   878M kqread   2   0:25   0.05% /usr/local/sbin/unbound -c /var/unbound/unbound.conf
16059 root          1  20    0    13M  2776K bpf      1   0:00   0.03% /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
17140 root          1  20    0    25M    15M select   0   0:00   0.02% /usr/local/bin/python3 /usr/local/opnsense/scripts/dhcp/unbound_watcher.py --domain internal.privatebit
18271 root          8  21    0   187M   118M kqread   0   0:05   0.01% /usr/local/bin/python3 /usr/local/opnsense/scripts/unbound/logger.py (python3.9)
 3791 root          1  20    0    23M    12M select   3   0:00   0.01% /usr/local/bin/python3 /usr/local/sbin/configctl -e -t 0.5 system event config_changed (python3.9)
 5028 root          1  20    0    23M    12M select   3   0:00   0.01% /usr/local/bin/python3 /usr/local/opnsense/scripts/syslog/lockout_handler (python3.9)
 6996 ingemar       1  20    0    19M  9032K select   3   0:00   0.01% sshd: ingemar@pts/0 (sshd)
71197 root          2  20    0    23M  8208K select   0   0:00   0.01% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf
77439 root          1  20    0    54M    36M select   0   0:46   0.01% /usr/local/bin/python3 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py (python3.9)
21694 root          1  23    0    13M  2744K wait     3   0:00   0.01% /bin/sh /var/db/rrd/updaterrd.sh
34546 root          1  20    0    23M  8232K select   2   0:00   0.01% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf
73692 _flowd        1  20    0    12M  2468K select   1   0:00   0.00% flowd: net (flowd)
11971 ingemar       1  20    0    20M  9300K select   0   0:00   0.00% sudo -i
10690 root          1  20    0    22M  9828K kqread   1   0:00   0.00% /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
21714 nobody        1  20    0    12M  2172K sbwait   1   0:00   0.00% /usr/local/bin/samplicate -s 127.0.0.1 -p 2055 127.0.0.1/2056
67403 root          1  20    0    14M  4084K kqread   1   0:00   0.00% /usr/local/sbin/lighttpd -f /var/etc/lighttpd-acme-challenge.conf
  240 root          1  21    0   109M    60M accept   2   0:12   0.00% /usr/local/bin/python3 /usr/local/opnsense/service/configd.py console (python3.9)
12729 root          1  23    0    71M    42M accept   0   0:01   0.00% /usr/local/bin/php-cgi
14235 root          1  22    0    71M    42M accept   3   0:01   0.00% /usr/local/bin/php-cgi
22564 root          1  22    0    71M    40M accept   1   0:01   0.00% /usr/local/bin/php-cgi
14790 root          1  23    0    71M    40M accept   1   0:01   0.00% /usr/local/bin/php-cgi
19391 root          1  22    0    69M    38M accept   1   0:01   0.00% /usr/local/bin/php-cgi
14260 root          1  20    0    64M    37M accept   2   0:01   0.00% /usr/local/bin/php-cgi
85288 root          1  20    0    23M  6872K select   3   0:00   0.00% /usr/local/sbin/mpd5 -b -d /var/etc -f mpd_opt4.conf -p /var/run/pppoe_opt4.pid -s ppp pppoeclient
  238 root          1  52    0    24M    13M wait     0   0:00   0.00% /usr/local/bin/python3 /usr/local/opnsense/service/configd.py (python3.9)
14448 root          1  22    0    13M  2492K select   1   0:00   0.00% rtsold: rtsold.sendmsg (rtsold)
11328 root          1  20    0    50M    25M wait     0   0:00   0.00% /usr/local/bin/php-cgi
11029 root          1  52    0    56M    25M wait     0   0:00   0.00% /usr/local/bin/php-cgi
24983 dhcpd         1  20    0    25M  9972K select   1   0:00   0.00% /usr/local/sbin/dhcpd -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcp
 5670 root          1  24    0    19M  8732K select   1   0:00   0.00% sshd: ingemar [priv] (sshd)
  579 root          1  20    0    11M  1608K select   3   0:00   0.00% /sbin/devd
27949 dhcpd         1  20    0    22M  8728K select   1   0:00   0.00% /usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run
11433 root          1  20    0    13M  2564K kqread   1   0:00   0.00% /usr/sbin/rtsold -p /var/run/rtsold.pid -A /var/etc/rtsold_script.sh -R /usr/local/opnsense/scripts/int
28288 root          1  20    0    13M  4108K pause    0   0:00   0.00% /bin/csh
 7580 ingemar       1  22    0    14M  4528K wait     3   0:00   0.00% -bash (bash)
30022 root          1  20    0    13M  2804K wait     3   0:00   0.00% /bin/sh /usr/local/opnsense/scripts/dhcp/prefixes.sh
11672 root          1  48    0    13M  2576K nanslp   2   0:00   0.00% /usr/sbin/cron -s

14
24.1 Legacy Series / Re: GUI and traffic incredibly slow after upgrade
« on: February 03, 2024, 10:51:29 am »
That is ssh. Its a screenshot from my terminal, not on the console.

OPNsense just completely died, wouldn't even shutdown after pressing the power button (which usually does a clean shutdown and power off).

Took the power off, hooked up a monitor and powered it back on. Its actually a little better. More responsive and ping replies are better.

Code: [Select]
64 bytes from 10.0.0.1: icmp_seq=1771 ttl=64 time=5.912 ms
64 bytes from 10.0.0.1: icmp_seq=1772 ttl=64 time=6.739 ms
64 bytes from 10.0.0.1: icmp_seq=1773 ttl=64 time=4.854 ms
64 bytes from 10.0.0.1: icmp_seq=1774 ttl=64 time=7.470 ms
64 bytes from 10.0.0.1: icmp_seq=1775 ttl=64 time=7.027 ms
64 bytes from 10.0.0.1: icmp_seq=1776 ttl=64 time=5.839 ms
64 bytes from 10.0.0.1: icmp_seq=1777 ttl=64 time=18.693 ms
64 bytes from 10.0.0.1: icmp_seq=1778 ttl=64 time=5.696 ms
64 bytes from 10.0.0.1: icmp_seq=1779 ttl=64 time=10.358 ms
64 bytes from 10.0.0.1: icmp_seq=1780 ttl=64 time=68.548 ms
64 bytes from 10.0.0.1: icmp_seq=1781 ttl=64 time=81.970 ms
64 bytes from 10.0.0.1: icmp_seq=1782 ttl=64 time=4.834 ms
64 bytes from 10.0.0.1: icmp_seq=1783 ttl=64 time=13.632 ms
64 bytes from 10.0.0.1: icmp_seq=1784 ttl=64 time=29.814 ms
64 bytes from 10.0.0.1: icmp_seq=1785 ttl=64 time=7.193 ms
64 bytes from 10.0.0.1: icmp_seq=1786 ttl=64 time=4.040 ms
64 bytes from 10.0.0.1: icmp_seq=1787 ttl=64 time=4.211 ms
64 bytes from 10.0.0.1: icmp_seq=1788 ttl=64 time=26.885 ms
64 bytes from 10.0.0.1: icmp_seq=1789 ttl=64 time=8.788 ms
64 bytes from 10.0.0.1: icmp_seq=1790 ttl=64 time=7.044 ms
64 bytes from 10.0.0.1: icmp_seq=1791 ttl=64 time=10.948 ms
64 bytes from 10.0.0.1: icmp_seq=1792 ttl=64 time=4.936 ms
64 bytes from 10.0.0.1: icmp_seq=1793 ttl=64 time=27.574 ms
64 bytes from 10.0.0.1: icmp_seq=1794 ttl=64 time=25.530 ms
64 bytes from 10.0.0.1: icmp_seq=1795 ttl=64 time=8.949 ms

Still not good, but better. Still some timeouts too, less than before though.

15
24.1 Legacy Series / Re: GUI and traffic incredibly slow after upgrade
« on: February 03, 2024, 10:29:30 am »
Attached. Sometimes I see this one:
37650 root          2  52    0    70M    49M usem     0   0:01  42.22% python3.9

But that's it. Less than 100kbps traffic in total on the graph.

Rebooted, no change.

Disabled haproxy and wireguard services too. Average less than 50kbps now. I don't understand what is going on  ::)

Pages: [1] 2 3 ... 5
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2