Messages - ooker

#1
Summary: When the WAN connection goes down, it does not re-request DHCP for the WAN address, so OPNsense has no WAN gateway and can't communicate with the Internet until the OPNsense box is restarted.
 
Does anyone know of a setting or script that could detect loss of the WAN address (a good symptom seems to be no WAN gateway) and keep trying to re-request WAN DHCP until a result is received?

I have Comcast and sometimes the cable modem goes offline and comes back on.  When this happens my OPNsense box loses connectivity to the WAN.  The cable modem status shows that it has connectivity, so all that is needed is for the OPNsense box to re-request DHCP for the WAN connection.  I don't know of a way to automatically trigger this.  I also don't know the best way to trigger a WAN re-request of DHCP via a script.  Has anyone solved this or does anyone have info on the best way to trigger a WAN re-request via a script/cron job?

UPDATE: I've added this script as a cron job on my OPNsense box that runs every minute, and it seems to work (probably needs more testing, but at least it worked for the common case that impacts me). I hope this helps someone else, and if you see a better way to do this, please reply with your suggestions.

Caveat: I only have one WAN link and it is the default route for my OPNsense box.

Note: I have entered my WAN interface as a string in the script (wanInterface="em0").

Question: Does anyone know of a good way to get the WAN interface by looking at config files and/or via some shell command?  I'd rather not have hard-coded interface names in my script.


#!/bin/sh
# Renew the WAN DHCP lease when the default gateway is missing or unreachable.
# Assumes a single WAN link that is the default route (see caveat above).
gatewayIP=$(netstat -4rn | grep default | awk '{print $2}')
wanInterface="em0"

echo "Gateway: $gatewayIP"
echo "WAN Interface: $wanInterface"
if [ -z "$gatewayIP" ]
then
  echo "NO Gateway"
  # Bring the interface down then up to renew the WAN DHCP
  ifconfig "$wanInterface" down
  ifconfig "$wanInterface" up
else
  # ping exits 0 when the host is reachable
  if ping -c 1 "$gatewayIP" > /dev/null 2>&1
  then
    echo "Gateway Reachable"
  else
    echo "Gateway Unreachable"
    # Bring the interface down then up to renew the WAN DHCP
    ifconfig "$wanInterface" down
    ifconfig "$wanInterface" up
  fi
fi

#2
I am only using FlowQueue-CoDel.
On my i5-7200U hardware, I performed a health audit and even reinstalled key packages (like the core OPNsense package), but I'm still getting random reboots.

As a test, I installed OPNsense on a box with a Celeron J3455 (also with Intel NICs), and restored the config from the i5-7200U box.  So far, it has run for 14 hours without a random reboot. 

I am currently running memtest on the i5-7200U box--so far no errors.  Then I'll try a fresh install of OPNsense on that box & restore the config to that box as a test.
#3
For people who are running traffic shaping without periodic crashes/reboots, what hardware are you running OPNsense on?  I am seeing the issues on an i5-7200U.
#4
Is anyone actively using traffic shaping in OPNsense 20.1.7-amd64, and NOT getting random reboots?
#5
Here is the version info off the dashboard:
OPNsense 20.1.7-amd64
FreeBSD 11.2-RELEASE-p20-HBSD
OpenSSL 1.1.1g 21 Apr 2020

I believe this is related to traffic shaping.  If I disable all the shaper rules, I don't see the periodic reboots (uptime of the firewall is 14 hours and counting). If I enable the traffic shaper rules, I'll get the periodic reboots happening again (uptime <2 hours before a reboot).
#6
I'd appreciate some help with this please.
I recently started using traffic shaping and I'm getting a periodic fatal trap and reboot of my OPNsense box (see below).  It's running on a Protectli box with an Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz (4 cores).

Does anyone have any suggestions for tracking this down and resolving it?

This seems to occur only when traffic shaper rules are enabled.  As a test, I disabled the traffic shaper rules and the firewall has run for 14 hours without rebooting. Enabling traffic shaper rules results in a reboot within 30m-3 hours.

Here is the version info off the dashboard:
OPNsense 20.1.7-amd64
FreeBSD 11.2-RELEASE-p20-HBSD
OpenSSL 1.1.1g 21 Apr 2020
-----------------------------------
Fatal trap 12: page fault while in kernel mode

cpuid = 2; apic id = 02
fault virtual address   = 0xffffffff00040061
fault code      = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff80d9c2e3
stack pointer           = 0x28:0xfffffe0232b352a0
frame pointer           = 0x28:0xfffffe0232b352a0

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xffffffff00040061
fault code      = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff80daa0b3
stack pointer           = 0x28:0xfffffe0232dee7a0
frame pointer           = 0x28:0xfffffe0232dee7f0
code segment      = base 0x0, limit 0xfffff, type 0x1b
         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags   = interrupt enabled, resume, IOPL = 0
current process      = 0 (dummynet)
version.txt0600007013663554527  7550 ustarrootwheelFreeBSD 11.2-RELEASE-p20-HBSD  07ef86ce9ca(stable/20.1)

UPDATE: Resolved.
After backing up the configuration, then re-installing OPNsense and restoring the configuration, my OPNsense box has not encountered a crash/random reboot with traffic shaping enabled. The re-install installed 20.1 then upgraded to 20.1.7. I've been running for over 14 hours without a crash.

Note: Before re-installing, I had performed a Firmware audit several times and everything checked out, but I was still encountering periodic crashes and reboots only when traffic shaping was enabled. 
I also tried re-installing key packages including opnsense, but I continued to encounter random crashes and reboots only when traffic shaping was enabled.
Conclusion: Successful completion of the firmware audit does not provide a comprehensive check of the integrity of the OPNsense install.
#7
Hi,
I'd like your help please.
I'm trying to get the IPsec Road Warrior VPN working.

On my VPN server, in the VPN->IPsec->Status Overview, my status icon at the right of the display is orange.  Should it be green? 

I couldn't find any info on this in the documentation.

#8
In The VPN->IPsec->Status Overview, my status icon at the right of the display is orange.  Should it be green?  I couldn't find any info on this in the documentation.

#9
I have reconfigured the server and the client and I am at least getting an IPsec VPN log.  Does anyone have suggestions regarding what may be going on, and/or next steps to diagnose this issue further?
The Mac VPN client now fails with "The negotiation with the VPN server failed. Verify the server address and try reconnecting"

Here is the log data:
Jan 20 22:43:32 charon: 05[JOB] deleting half open IKE_SA with CLIENT_IP after timeout
Jan 20 22:43:26 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (429 bytes)
Jan 20 22:43:26 charon: 05[IKE] sending retransmit 3 of response message ID 0, seq 1
Jan 20 22:43:13 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (429 bytes)
Jan 20 22:43:13 charon: 05[IKE] sending retransmit 2 of response message ID 0, seq 1
Jan 20 22:43:06 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (429 bytes)
Jan 20 22:43:06 charon: 05[IKE] sending retransmit 1 of response message ID 0, seq 1
Jan 20 22:43:02 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (429 bytes)
Jan 20 22:43:02 charon: 05[ENC] generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Jan 20 22:43:02 charon: 05[CFG] selected peer config "con1"
Jan 20 22:43:02 charon: 05[CFG] looking for XAuthInitPSK peer configs matching FIREWALL_IP...CLIENT_IP[groupname@domain.com]
Jan 20 22:43:02 charon: 05[IKE] CLIENT_IP is initiating a Aggressive Mode IKE_SA
Jan 20 22:43:02 charon: 05[IKE] CLIENT_IP is initiating a Aggressive Mode IKE_SA
Jan 20 22:43:02 charon: 05[IKE] received DPD vendor ID
Jan 20 22:43:02 charon: 05[IKE] received Cisco Unity vendor ID
Jan 20 22:43:02 charon: 05[IKE] received XAuth vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 20 22:43:02 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 20 22:43:02 charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Jan 20 22:43:02 charon: 05[IKE] received FRAGMENTATION vendor ID
Jan 20 22:43:02 charon: 05[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Jan 20 22:43:02 charon: 05[NET] received packet: from CLIENT_IP[10977] to FIREWALL_IP[500] (777 bytes)
Jan 20 22:43:01 charon: 05[NET] sending packet: from FIREWALL_IP[500] to CLIENT_IP[10977] (56 bytes)
Jan 20 22:43:01 charon: 05[ENC] generating INFORMATIONAL_V1 request 1178221751 [ N(NO_PROP) ]
Jan 20 22:43:01 charon: 05[IKE] no proposal found
Jan 20 22:43:01 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 20 22:43:01 charon: 05[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Jan 20 22:43:01 charon: 05[IKE] CLIENT_IP is initiating a Aggressive Mode IKE_SA
Jan 20 22:43:01 charon: 05[IKE] CLIENT_IP is initiating a Aggressive Mode IKE_SA
Jan 20 22:43:01 charon: 05[IKE] received DPD vendor ID
Jan 20 22:43:01 charon: 05[IKE] received Cisco Unity vendor ID
Jan 20 22:43:01 charon: 05[IKE] received XAuth vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 20 22:43:01 charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 20 22:43:01 charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Jan 20 22:43:01 charon: 05[IKE] received FRAGMENTATION vendor ID
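The "no proposal found" line in the log above sits next to the configured and received proposal lists, which is where the mismatch can be read off: every proposal the client offers uses MODP_2048, while the firewall is configured only for MODP_1024. As an added example (not from the post, OPNsense or strongSwan), here is a small Python parser that pulls the two lists out of charon log text and reports the algorithm slot with no overlap; the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the post above
# (the post's log is newest-first; this parser does not depend on order).
SAMPLE_LOG = """\
Jan 20 22:43:01 charon: 05[IKE] no proposal found
Jan 20 22:43:01 charon: 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 20 22:43:01 charon: 05[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
"""

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")
SLOTS = ("enc", "integ", "prf", "dh")  # order of the fields in an IKE proposal string


def parse_proposals(log_text):
    """Collect the 'received' (initiator) and 'configured' (this responder)
    IKE proposals; each proposal becomes a dict keyed by SLOTS."""
    found = {"received": [], "configured": []}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        for prop in m.group(2).split(", "):
            algs = prop.split(":", 1)[1].split("/")  # drop the "IKE:" prefix
            found[m.group(1)].append(dict(zip(SLOTS, algs)))
    return found


def explain_mismatch(proposals):
    """Return the slots where nothing the initiator offered is configured,
    as slot -> (offered, accepted).  An empty dict means at least one
    proposal is identical on both sides, so the failure has another cause."""
    recv, conf = proposals["received"], proposals["configured"]
    if any(r == c for r in recv for c in conf):
        return {}
    gaps = {}
    for slot in SLOTS:
        offered = {p[slot] for p in recv if slot in p}
        accepted = {p[slot] for p in conf if slot in p}
        if not offered & accepted:
            gaps[slot] = (sorted(offered), sorted(accepted))
    return gaps


if __name__ == "__main__":
    for slot, (offered, accepted) in explain_mismatch(parse_proposals(SAMPLE_LOG)).items():
        print(f"{slot}: client offers {offered}, firewall accepts {accepted}")
```

Run against a log captured from VPN->IPsec->Log File on the firewall, the output names the slot (here the DH group) that has to be aligned on one side before the exchange can get past the first message.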
#10
Hmmm.  I must have something wrong with my firewall config.  I'm not seeing anything in the IPsec log when I try to connect from my Mac Client.  I have verified that the WAN address is correct.  My Mac Client is accessing the net via a Verizon Jetpack MiFi box.

I've verified that Block Private Networks on the WAN interface is disabled, and the two screenshots show my WAN and IPSEC firewall rules.

Can anyone suggest steps to try to diagnose this further?

For example, should telnet be able to connect to port 500 or port 4500 on my external WAN IP?    Does anyone have a good IPsec VPN troubleshooting guide to recommend?
#11
Hi Dobbin,

Thanks for your reply. 

Here's what I did, and what I see:
On 18.1r1 If I go to System->Access->Users
Click on the edit/pencil for the user in question
Then Click on edit/pencil in Effective Privileges
There is a Search Field under description, and if I type in Xauth I get no results.
In fact, my list only contains results prefixed with "GUI"

Are you seeing other prefixes? 

Based on the description in the docs of "User - VPN - IPsec xauth Dialin" I got the impression that it might have a prefix other than "GUI".

Examples of what I see:
        ...
   GUI   Status: IPsec
   GUI   Status: IPsec: Leasespage
   GUI   Status: IPsec: SAD
   GUI   Status: IPsec: SPD
        ...

Are you getting options where the first 3 letters are different from GUI?  What is the option that comes back when you search for Xauth?


#12
Hi Folks,
I'm using OPNsense 18.1.r_15-amd64, and I'm trying to get the IPsec Road Warrior VPN configured.

I'm following the steps here:
https://docs.opnsense.org/manual/how-tos/ipsec-road.html

And on Step 4 (Add IPsec Users) it says:
"Add privilege User - VPN - IPsec xauth Dialin by pressing the + under Effective Privileges."

I don't see a "+" under Effective Privileges.  Under Effective Privileges the only button is an edit button (pencil)--If I press this, then I get a list of GUI components, and none of them say "IPsec xauth Dialin".  In fact none of the options have xauth in the title.  I have these selected:
  • GUI VPN: IPsec and
  • GUI VPN: IPsec: Mobile

Am I doing something wrong, or have the options changed since the documentation was created?

When I configure the native client in OS X, I get this error when I try to connect:  "The VPN server did not respond. Verify the server address and try reconnecting."

Would someone please point me to some updated docs or steps to try to diagnose this issue?

Also, just checking, should the IPsec VPN be working with OPNsense 18.1.r_15?
I've applied the patch: opnsense-patch 0ec330d7
per this thread: https://forum.opnsense.org/index.php?topic=6843.0

I would greatly appreciate any tips or pointers.

Thanks!
#13
Hi Folks,
I'd like some help please.
I'm running 18.1.b, and I can't get hostnames to show up on the Insight reports--I just see IP addresses.

I've followed the steps here:  https://github.com/opnsense/core/issues/1854

I am looking at the Insight->Totals->Top usage ports/sources for the lan

I'm running dnsmasq, and I have these dnsmasq options enabled:
  • Enable DNS Forwarder
  • Register DHCP leases in DNS forwarder
  • Register DHCP static mappings in DNS forwarder
  • Resolve DHCP mappings first

And in System->Settings->General I have ensured that this option is not enabled:
[ ] Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

Is there anything else that I need to do to get the IP addresses to resolve to hostnames?

Also, should the IPs (both local and remote) on the Insight Details report also resolve to hostnames?


OK, I was not seeing the option because I was using the Beta and not the dev version, and these changes apparently have not made it to the Beta yet.

After I perform (in a shell on the OPNsense box):
opnsense-update -t opnsense-devel

and restart, I see the Reverse-Lookup option.
#14
I'm having the same issue with this hardware:
Protectli FW6C
CPU: Intel i5-7200U
RAM: 8GB

Config = very basic config from the install wizard (WAN,LAN, OPT1-4)
I have applied all updates, and the issue still exists.
Here is the version info:
OPNsense 17.7.11-amd64
FreeBSD 11.0-RELEASE-p17
OpenSSL 1.0.2n 7 Dec 2017

Does anyone have any troubleshooting tips to suggest?

Note: Fixed in OPNsense 18.1 Beta -- I tried the 18.1 Beta and it does not have the hang on reboot issue.
Does anyone know if there is a config change that could be applied to 17.7 to get reboot to work on 17.7 without hanging, or is the fix possibly the fact that 18.1b uses FreeBSD 11.1 and that resolved the issue?