Messages - securid

#1
Thanks for the quick reply 8).

I do forget to check Github. I'll try and remember that before posting here.

I'll keep an eye on that thread and jump in if I feel I can contribute.
#2
Recently DHCP hosts stopped being registered in Unbound. I first noticed it last week after the previous update or the one before that (I am on OPNsense 24.7.9_1-amd64 and have not yet updated to the latest fixes).

I found this thread:
https://forum.opnsense.org/index.php?topic=41376.msg204431#msg204431

Where my issue differs is that I don't find the log messages in Unbound he talks about. I increased logging to level 5 and I still could not find that message, nor the hostname or IP address in question.

Last week I had the issue with two MacBooks; I figured it might be the recent macOS updates I received and looked no further. This time it's a new host I installed, a standard Lenovo laptop with Arch Linux. I forced a renew several times and while it keeps getting an IP address, I see no DNS registration.

To verify, I SSH into OPNsense and use dig with the FQDN. This shows me SERVER: 127.0.0.1. While it can find static address reservations, regular DHCP addresses no longer seem to be picked up.

If someone can help me troubleshoot, it would be much appreciated.

Thanks!
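One way to automate the check made by hand in this post, as an added example that is not part of the original post or of OPNsense: it parses the ISC dhcpd.leases file and asks the local Unbound for the A record of every active lease. The lease path /var/dhcpd/var/db/dhcpd.leases (dhcpd running chrooted to /var/dhcpd) and the domain example.internal are assumptions; a constructed lease fragment is included so the parser can be run offline.

```shell
#!/bin/sh
# Added example, not code from the thread or OPNsense: run the post's manual dig check
# for every active ISC DHCP lease. Assumes ISC dhcpd.leases syntax and the OPNsense lease path.
LEASES="${LEASES:-/var/dhcpd/var/db/dhcpd.leases}"
DOMAIN="${DOMAIN:-example.internal}"   # placeholder, set to the DHCP domain
RESOLVER="${RESOLVER:-127.0.0.1}"
# Read dhcpd.leases on stdin, print "ip hostname" for active leases with a hostname.
# dhcpd appends a record per renew, so the last record per IP wins; a later non-active one drops it.
active_leases() {
  awk '
    /^lease /                   { ip = $2; state = ""; host = "" }
    /^ *binding state active;/  { state = "active" }
    /client-hostname/           { host = $2; gsub(/[";]/, "", host) }
    /^}/ { if (state == "active" && host != "") last[ip] = host; else delete last[ip] }
    END                         { for (ip in last) print ip, last[ip] }
  ' | sort
}
# MISSING lines are the symptom in the post: a lease was issued but Unbound has no record.
check_registration() {
  active_leases < "$LEASES" | while read -r ip host; do
    answer=$(dig +short "$host.$DOMAIN" A "@$RESOLVER" 2>/dev/null | head -n 1)
    if [ "$answer" = "$ip" ]; then printf 'OK      %-15s %s\n' "$ip" "$host"
    else printf 'MISSING %-15s %s (answer: %s)\n' "$ip" "$host" "${answer:-none}"; fi
  done
}
# Constructed dhcpd.leases fragment (not a real file) to exercise the parser offline:
# a plain active lease, a lease renewed under a new hostname, and a released lease.
sample_leases() {
  cat <<'EOF'
lease 192.168.10.20 {
  binding state active;
  next binding state free;
  client-hostname "laptop";
}
lease 192.168.10.21 {
  binding state active;
  client-hostname "oldname";
}
lease 192.168.10.22 {
  binding state free;
  client-hostname "gone";
}
lease 192.168.10.21 {
  binding state active;
  client-hostname "archbox";
}
EOF
}
# Only query the resolver when the real leases file is present (i.e. on the firewall).
if [ -r "$LEASES" ]; then check_registration; fi
```

Run it on the firewall itself so 127.0.0.1 is the Unbound instance the clients use; `sample_leases | active_leases` shows the parser's output without touching the resolver.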
#3
Perhaps someone can help me out.

I have a setup following the guide, with 2 internal sites with SSL termination and a wildcard cert. I had a public site as well, also set up via the guide using local and public mappings. I no longer use the public site, but it worked well.

I have an internal Gitea (alternative to GitLab) server with its own certificate. It listens on 22, 80 and 443; 22 is for SSH and 80 is redirected to 443.

I've been reading up and changed the 0_sni_public to listen on the LAN IP instead of 0.0.0.0, and attempted to add a new public service listening on the WAN IP and a backend server on TCP. A real server was added with the IP of the internal host.

I can see traffic is allowed in the firewall logging, but the HAProxy logs aren't showing me anything useful, even on debug.

Would appreciate the help!
Thanks.

Edit: solved! The reason HAProxy wasn't showing any relevant logging was because I overlooked a port forward rule. Once disabled, things started working.
#4
24.1, 24.4 Legacy Series / Re: updates never finish
June 13, 2024, 07:32:28 AM
I figured I could help you with those questions, but my issue is gone; I'm not sure what it was, to be honest. The connectivity audit showed IPv6 wasn't working properly yesterday and I ticked to prefer IPv4 over IPv6. It didn't help and updates still hung; the connectivity audit showed no change. I left it as I had no time to spend on that, and this morning it actually worked.

I just got the kernel and core update to 24.1.8 coming from 24.1.5 and I no longer see the truncated message, it downloads, installs and reboots without delay. After the reboot another check is fast, and shows everything is up to date.

Sorry, I wish I could help you with the questions; they are simple enough.
#5
24.1, 24.4 Legacy Series / Re: updates never finish
June 12, 2024, 07:43:58 AM
Thanks, but this comes too late for me unfortunately. I should have made a snapshot :-[

I tried the opnsense-bootstrap command but the same thing happened and now it's dead.

I need to reinstall and restore the backup. That will have to wait until next week.

Correction: it didn't die. I don't know how it survived but it came back up after a reboot. The problem still persists, so I can have another look at it later today.
#6
You can simply make a NAT rule on your LAN interface and redirect to whatever you want.
#7
24.1, 24.4 Legacy Series / updates never finish
June 09, 2024, 04:45:54 PM
I have one install running in KVM (on Arch Linux, if that matters) that has always updated fine, but the last time, when I clicked to check, it said waiting for another process to finish; a little bit later it started to update but it seemed really, really slow. Eventually all it did was just output dots and never finished. I kind of forgot about that and updated the Arch Linux server and rebooted. Luckily, OPNsense did come back up but it is still not updating properly. It still seems like it is really slow for some reason, even though I don't think that's the root cause.

From the CLI it says this:

root@opnsense:~ # opnsense-update -c
root@opnsense:~ #
root@opnsense:~ # opnsense-update
Nothing to do.
root@opnsense:~ # opnsense-update -p
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: 100%
Nothing to do.


But the GUI is still outputting dots ... it's working on something.


***GOT REQUEST TO UPDATE***
Currently running OPNsense 24.1.8 at Sun Jun  9 14:26:19 CEST 2024
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
Nothing to do.
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-24.1.8-amd64.txz: ...100 or more rows of dots ....
...


Any ideas? Do I need to run some checks to see whether something has been corrupted?

Thanks!
#8
Another one here.

After reading the release notes about the ISC DHCP removal, I looked into moving the DHCP ranges. Manual moving is a bitch with more than a few interfaces and custom DHCP settings like DNS servers, domain names, etc.

In addition, I am also using DHCPv6, which Kea does not yet have. I certainly hope ISC will not be removed before DHCPv6 is implemented.
#9
I have 2 domains, public and internal, separated and it's been working fine. Needed the patches of course after the updates which bugged out SNI on HAProxy, but fortunately that was an easy fix (thanks! 8)).

I actually have more internal domains in different subnets. Is it possible to add new certificates for each one and then add these to the list the same way as the first internal domain? I would need to set up a map for each one too, and I am thinking that as long as they are before the public map this should work?

I don't wanna bork things up so I figured I'd ask first  :D .

Has anyone done this and is it as straightforward as I think it is?

Thanks!
#10
Solved it!

Don't ask why, but the gateway was gone and on the interface it was set to "automatic".

I had to recreate the gateway and reconfigure it on the interface and things started working again.
#11
I don't know if it happened after upgrading Site A or Site B. I should have checked before upgrading Site B but I forgot after chasing this wild goose for a few hours.

In any case, Site A has several peers in a "road warrior" setup. These work without a hitch. There is a peer for another OPNsense box (Site B) for an S2S, which is down.

I have a backdoor via SSH and port forward, so I'm still able to access the OPNsense interface on Site B that way.

I checked firewall rules on both ends, no changes here.
I checked and verified public keys between instance B and its peer on A and vice versa. Pasted them to be sure and confirmed, then restarted WireGuard. No change.

I can see one error in the logging on both ends and it has been there since forever. It still appears:

2024-02-03T15:34:17 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid interface gateway address: ''

I doubt that has anything to do with today's issues.

Tcpdump shows packets on both sites on their outside interfaces but the handshake never completes.

What else can I do? I see nothing in the logging, keys are correct, packets are flowing?
#12
Ah cool. Thank you.
#13
Thanks. I should probably do that as well; I've never reset it and I don't need long-term historical data.

What is the proper way to do that? I can't really find it in the GUI.
#14
I haven't, but I do look at it occasionally (like this morning).

However, it's gone ....  :o

Mysteriously disappeared  :-[

I really don't mind an occasional problem and doing some troubleshooting, but I hate it when this happens and I have no clue what caused it, let alone what solved it :-X

In any case, thanks @newsense for taking the time. Appreciate the help!
#15
Quote from: newsense on February 03, 2024, 10:55:02 AM
Then you didn't press a as instructed in top before taking the screenshot. That was the info I was asking for.

Correct, I missed that. Here it is:

last pid: 21770;  load averages:  0.17,  0.38,  0.33                                                                                                   up 0+00:13:10  10:57:59
64 processes:  2 running, 62 sleeping
CPU:  0.3% user,  0.0% nice,  0.1% system,  0.7% interrupt, 98.9% idle
Mem: 849M Active, 491M Inact, 1437M Wired, 40K Buf, 4937M Free
ARC: 556M Total, 186M MFU, 316M MRU, 13M Anon, 3777K Header, 37M Other
     443M Compressed, 1137M Uncompressed, 2.57:1 Ratio
Swap: 10G Total, 10G Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
19343 root          4  20    0    51M    15M kqread   1   0:18   0.11% /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -p /var/run/syslog-ng.pid
49188 root          1  20    0    14M  3864K CPU1     1   0:00   0.08% top
46041 root          1  20    0    12M  2276K select   1   0:00   0.05% /usr/sbin/powerd -b hadp -a hadp -n hadp
15719 unbound       4  20    0  1096M   878M kqread   2   0:25   0.05% /usr/local/sbin/unbound -c /var/unbound/unbound.conf
16059 root          1  20    0    13M  2776K bpf      1   0:00   0.03% /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
17140 root          1  20    0    25M    15M select   0   0:00   0.02% /usr/local/bin/python3 /usr/local/opnsense/scripts/dhcp/unbound_watcher.py --domain internal.privatebit
18271 root          8  21    0   187M   118M kqread   0   0:05   0.01% /usr/local/bin/python3 /usr/local/opnsense/scripts/unbound/logger.py (python3.9)
3791 root          1  20    0    23M    12M select   3   0:00   0.01% /usr/local/bin/python3 /usr/local/sbin/configctl -e -t 0.5 system event config_changed (python3.9)
5028 root          1  20    0    23M    12M select   3   0:00   0.01% /usr/local/bin/python3 /usr/local/opnsense/scripts/syslog/lockout_handler (python3.9)
6996 ingemar       1  20    0    19M  9032K select   3   0:00   0.01% sshd: ingemar@pts/0 (sshd)
71197 root          2  20    0    23M  8208K select   0   0:00   0.01% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf
77439 root          1  20    0    54M    36M select   0   0:46   0.01% /usr/local/bin/python3 /usr/local/opnsense/scripts/netflow/flowd_aggregate.py (python3.9)
21694 root          1  23    0    13M  2744K wait     3   0:00   0.01% /bin/sh /var/db/rrd/updaterrd.sh
34546 root          1  20    0    23M  8232K select   2   0:00   0.01% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf
73692 _flowd        1  20    0    12M  2468K select   1   0:00   0.00% flowd: net (flowd)
11971 ingemar       1  20    0    20M  9300K select   0   0:00   0.00% sudo -i
10690 root          1  20    0    22M  9828K kqread   1   0:00   0.00% /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
21714 nobody        1  20    0    12M  2172K sbwait   1   0:00   0.00% /usr/local/bin/samplicate -s 127.0.0.1 -p 2055 127.0.0.1/2056
67403 root          1  20    0    14M  4084K kqread   1   0:00   0.00% /usr/local/sbin/lighttpd -f /var/etc/lighttpd-acme-challenge.conf
  240 root          1  21    0   109M    60M accept   2   0:12   0.00% /usr/local/bin/python3 /usr/local/opnsense/service/configd.py console (python3.9)
12729 root          1  23    0    71M    42M accept   0   0:01   0.00% /usr/local/bin/php-cgi
14235 root          1  22    0    71M    42M accept   3   0:01   0.00% /usr/local/bin/php-cgi
22564 root          1  22    0    71M    40M accept   1   0:01   0.00% /usr/local/bin/php-cgi
14790 root          1  23    0    71M    40M accept   1   0:01   0.00% /usr/local/bin/php-cgi
19391 root          1  22    0    69M    38M accept   1   0:01   0.00% /usr/local/bin/php-cgi
14260 root          1  20    0    64M    37M accept   2   0:01   0.00% /usr/local/bin/php-cgi
85288 root          1  20    0    23M  6872K select   3   0:00   0.00% /usr/local/sbin/mpd5 -b -d /var/etc -f mpd_opt4.conf -p /var/run/pppoe_opt4.pid -s ppp pppoeclient
  238 root          1  52    0    24M    13M wait     0   0:00   0.00% /usr/local/bin/python3 /usr/local/opnsense/service/configd.py (python3.9)
14448 root          1  22    0    13M  2492K select   1   0:00   0.00% rtsold: rtsold.sendmsg (rtsold)
11328 root          1  20    0    50M    25M wait     0   0:00   0.00% /usr/local/bin/php-cgi
11029 root          1  52    0    56M    25M wait     0   0:00   0.00% /usr/local/bin/php-cgi
24983 dhcpd         1  20    0    25M  9972K select   1   0:00   0.00% /usr/local/sbin/dhcpd -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcp
5670 root          1  24    0    19M  8732K select   1   0:00   0.00% sshd: ingemar [priv] (sshd)
  579 root          1  20    0    11M  1608K select   3   0:00   0.00% /sbin/devd
27949 dhcpd         1  20    0    22M  8728K select   1   0:00   0.00% /usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run
11433 root          1  20    0    13M  2564K kqread   1   0:00   0.00% /usr/sbin/rtsold -p /var/run/rtsold.pid -A /var/etc/rtsold_script.sh -R /usr/local/opnsense/scripts/int
28288 root          1  20    0    13M  4108K pause    0   0:00   0.00% /bin/csh
7580 ingemar       1  22    0    14M  4528K wait     3   0:00   0.00% -bash (bash)
30022 root          1  20    0    13M  2804K wait     3   0:00   0.00% /bin/sh /usr/local/opnsense/scripts/dhcp/prefixes.sh
11672 root          1  48    0    13M  2576K nanslp   2   0:00   0.00% /usr/sbin/cron -s