Messages - rudiservo

#1
Quote from: burntoc on February 01, 2025, 06:56:42 PM
Waited 4 days for these guys to give the okay before updating and then - yep - same mongodb errors multiple users here are reporting.  ZA is so frustrating.

EDIT -- Thanks @bandit8623 - your fix eliminated my crash report as well.  When I get some more cycles I'll have to dig deeper to ensure it did actually eliminate the log flood of those messages, but it's promising.

Most of the zenarmor upgrade issues I ever had were with databases; usually a reset would work, but recently I put elasticsearch on another machine to lower the load on the router, so I had no issues with the upgrade.

I would advise you to try and reset/reinstall zenarmor, but back up your data first if you can, or use an external database.
#2
Quote from: amichel on January 31, 2025, 03:47:56 PM
Quote from: rudiservo on January 31, 2025, 01:00:31 PM
Is it safe for those that have external DB?

I can only share that for me, using an external elastic database it works without problems. But I have to admit I am a home user and I can rebuild the box easily (proxmox snapshot).
So in case you use opnsense on a business relevant machine I would recommend waiting for an official announcement.

Already did the upgrade, so far so good, no issues.

I have dedicated hardware for opnsense but all my security SIEM and other security software is on a separate box: ELK stack, crowdsec, wazuh, etc.
#3
Is it safe for those that have external DB?
#4
24.7, 24.10 Legacy Series / Re: IPv6 Track on Loopback
September 26, 2024, 12:01:23 AM
Thanks Franco.

Not the ideal solution, should I add an issue in github to brainstorm a better solution for this?
#5
24.7, 24.10 Legacy Series / IPv6 Track on Loopback
September 25, 2024, 09:30:07 PM
hey guys, I tried to put a loopback with track interface to use with NPTv6.

At first it kind of worked but then dhcpv6 started throwing some errors

Unsupported device type 24 for "lo1"

here is the full line:

/usr/local/sbin/pluginctl: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid vlan0.3.200 lo1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.4.3-P1 Copyright 2004-2022 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpdv6.conf Database file: /var/db/dhcpd6.leases PID file: /var/run/dhcpdv6.pid Wrote 3 NA, 0 TA, 0 PD leases to lease file. Bound to *:547 Unsupported device type 24 for "lo1" If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging. exiting.'


It works if I add a VLAN that I do not use. Is there a better way of doing this instead of a VLAN?

My reason for using track with NPTv6 is that the IPv6 /56 is provided dynamically by the ISP; this way I can have my local resources always with the same IPv6 and I do not have to change the firewall rules.
#6
Not only that, it generates generic rules on all interfaces; do not open stuff where it does not need to be open.
#7
It's listening on all of them, some are disabled, can that be an issue?
#8
Did that already twice before, here is the output.

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: h

>>> Check installed kernel version
Version 23.7.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.7.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
SunnyValley
OPNsense
>>> Check installed plugins
os-acme-client 3.19
os-ddclient 1.14
os-frr 1.34_1
os-hw-probe 1.0_1
os-mdns-repeater 1.1
os-nginx 1.32.1_3
os-sensei 1.14.3
os-sensei-updater 1.14
os-smart 2.2_2
os-sunnyvalley 1.2_3
os-theme-vicuna 1.45
os-upnp 1.5_3
os-wol 2.4_1
os-zerotier 1.3.2_4
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: .................................................................... done

Press any key to return to menu.
#9
I don't know why but I have one machine that is having issues with creating the socket.

I have checked the logs for it and I can't find who or what creates the link to /var/run/php-webgui.socket and why it fails.

The lighttpd just complains that the socket is non-existent:

******************** lighttpd 95143 - [meta sequenceId="3"] (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.71/src/gw_backend.c.281) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: No such file or directory


Does anyone have any idea why this happens?
#10
I was able to fix it, I had to reset to factory defaults.

It's in the uninstall tab.

Nonetheless there is another issue: even if you have routed native netmap, ZA will use emulated netmap.
It's in the Opnsense general logs (debug).
#11
Guys, for the sake of trying to figure out what is going on, what type of nics are you running this on?

Quote from: fatbob01 on August 14, 2023, 09:33:46 PM
I have the same problem on a n100 mini pc. Funny enough, I have the exact same configuration on an esxi vm, no issues.  Had to uninstall zenarmor only on the mini pc.  Both 8GB ram.  Let me know what zenarmor has to say.

Thanks!

I am suspecting an issue with zenarmor talking with netmap; I have ZA only on one nic (realtek) and suricata on the wan.
The only time ZA does not go to 100% is if all my networks stop talking, not just the one it is attached to.
#12
Hi, I did make a pull request but I think it needs improvements.

https://github.com/opnsense/plugins/pull/3432

So here is the issue: FRR adds firewall filter rules to all interfaces; for each network it adds 2 in rules and 2 out rules.

I have tested locally and it does have a performance impact with these rules added, with or without the interface: a noticeable difference in intervlan routing in the branch office, everything feels faster to respond.

I asked in github; what I do not know is what is the proper way to identify which interfaces to add these rules to, whether it is the interfaces configured in the interfaces tab of OSPF or the non-passive interfaces in the general tab.

The pull request code might need just one improvement to add the rules only once per enabled interface, but I would like some feedback on what is the proper way to identify and add the rules for the required interfaces to get OSPF running properly instead of general automated rules.

I am a bit rusty in OSPF, gimp skills are also bad, sorry.

Here is the original code that is creating all the rules. You can see the rules in any interface's FW rules: there is a small line "automatically added rules", just expand it and you can see the OSPF rules added.

// For every enabled OSPF network, four pass rules are registered (two in, two out),
// none of them bound to a specific interface.
foreach ($ospf->networks->network->iterateItems() as $network) {
    if ((string)$network->enabled == '1') {
        // in: network -> OSPF multicast (224.0.0.0/24)
        $fw->registerFilterRule(
            1, /* priority */
            array(
                'ipprotocol'     => 'inet',
                'protocol'       => 'ospf',
                'statetype'      => 'keep',
                'label'          => 'Pass OSPF (autogenerated)',
                'from'           => $network->ipaddr . '/' . $network->netmask,
                'to'             => '224.0.0.0/24',
                'direction'      => 'in',
                'type'           => 'pass',
                'disablereplyto' => 1,
                'quick'          => true
            ),
            null
        );
        // in: network -> this firewall (unicast)
        $fw->registerFilterRule(
            1,
            array(
                'ipprotocol'     => 'inet',
                'protocol'       => 'ospf',
                'statetype'      => 'keep',
                'label'          => 'Pass OSPF UNICAST (autogenerated)',
                'from'           => $network->ipaddr . '/' . $network->netmask,
                'to'             => '(self)',
                'direction'      => 'in',
                'type'           => 'pass',
                'disablereplyto' => 1,
                'quick'          => true
            ),
            null
        );
        // out: OSPF multicast -> network
        $fw->registerFilterRule(
            1,
            array(
                'ipprotocol'     => 'inet',
                'protocol'       => 'ospf',
                'statetype'      => 'keep',
                'label'          => 'Pass OSPF (autogenerated)',
                'from'           => '224.0.0.0/24',
                'to'             => $network->ipaddr . '/' . $network->netmask,
                'direction'      => 'out',
                'type'           => 'pass',
                'disablereplyto' => 1,
                'quick'          => true
            ),
            null
        );
        // out: this firewall -> network (unicast)
        $fw->registerFilterRule(
            1,
            array(
                'ipprotocol'     => 'inet',
                'protocol'       => 'ospf',
                'statetype'      => 'keep',
                'label'          => 'Pass OSPF UNICAST (autogenerated)',
                'from'           => '(self)',
                'to'             => $network->ipaddr . '/' . $network->netmask,
                'direction'      => 'out',
                'type'           => 'pass',
                'disablereplyto' => 1,
                'quick'          => true
            ),
            null
        );
    }
}
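As an added example (not the FRR plugin's code and not the pull request above), the same four OSPF pass rules per enabled network, but registered only on the interface whose configured subnet equals the network, skipped when that interface is passive, and keyed so no rule is registered twice. The inputs are constructed here; the 'interface' rule key and the matching-by-subnet approach are assumptions, not the plugin's own logic.

```php
<?php
// Added example, not the FRR plugin's code or the pull request's: the same four
// OSPF pass rules per enabled network, but registered only on the interface whose
// subnet equals the network and skipped when that interface is passive. The inputs
// are constructed; the 'interface' rule key is an assumption about the filter plugin.
function networkOfCidr(string $cidr): array
{
    [$ip, $len] = explode('/', $cidr);
    $mask = $len === '0' ? 0 : (0xFFFFFFFF << (32 - (int)$len)) & 0xFFFFFFFF;
    return [ip2long($ip) & $mask, $mask];
}

// Interface whose configured subnet equals the OSPF network, or null if none.
function ifaceForNetwork(string $cidr, array $ifaceAddrs): ?string
{
    [$net, $mask] = networkOfCidr($cidr);
    foreach ($ifaceAddrs as $iface => $addr) {
        if (networkOfCidr($addr) === [$net, $mask]) {
            return $iface;
        }
    }
    return null;
}

function ospfRules(array $networks, array $ifaceAddrs, array $passive): array
{
    $rules = [];
    foreach ($networks as $n) {
        $cidr = $n['ipaddr'] . '/' . $n['netmask'];
        $iface = $n['enabled'] === '1' ? ifaceForNetwork($cidr, $ifaceAddrs) : null;
        if ($iface === null || in_array($iface, $passive, true)) {
            continue; // disabled, unmatched or passive: open nothing
        }
        $base = ['interface' => $iface, 'ipprotocol' => 'inet', 'protocol' => 'ospf',
                 'statetype' => 'keep', 'type' => 'pass', 'disablereplyto' => 1, 'quick' => true];
        foreach ([['in', $cidr, '224.0.0.0/24', 'Pass OSPF'], ['in', $cidr, '(self)', 'Pass OSPF UNICAST'],
                  ['out', '224.0.0.0/24', $cidr, 'Pass OSPF'], ['out', '(self)', $cidr, 'Pass OSPF UNICAST']]
                 as [$dir, $from, $to, $label]) {
            // keyed by interface and endpoints so a rule is never registered twice
            $rules["$iface|$dir|$from|$to"] = $base + ['direction' => $dir, 'from' => $from,
                'to' => $to, 'label' => "$label (autogenerated)"];
        }
    }
    return array_values($rules);
}

// Constructed sample: two networks, igb1 passive, so only vlan0.3.200 gets its four rules.
print_r(ospfRules([['enabled' => '1', 'ipaddr' => '10.3.200.0', 'netmask' => '24'],
    ['enabled' => '1', 'ipaddr' => '192.168.50.0', 'netmask' => '24']],
    ['vlan0.3.200' => '10.3.200.1/24', 'igb1' => '192.168.50.1/24'], ['igb1']));
```

Each returned array is the shape the original passes to registerFilterRule, so it could be fed to that call unchanged if the interface key is supported.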
#13
I am trying to understand the automatically added rules in opnsense by FRR: FRR adds 4 rules for each network added to OSPF and it appears on all networks, even passive ones.

So are these rules "general" or per interface?
#14
Zenarmor (Sensei) / Re: mongodb issue
August 13, 2022, 12:48:44 AM
have you tried on CLI

pkg install -fy os-sensei

edit:
Tried it, didn't work.

Check another post: if you are on version 22.7.1, check if you have a single package for php7.4 (php74-pecl-mongodb) and remove it.

pkg remove php74-pecl-mongodb

IF and only IF this is the only php 7.4 thing, nothing else; do not remove anything from php8.
#15
Quote from: QuaCKeReD on August 05, 2022, 04:57:28 PM
Is this advisable - to use zenarmor for both internal and external interfaces?

Not really a good idea.
i.e. if you have a DMZ, the added overhead for serving requests will skyrocket and you will have double the logs for the same traffic; also you might not want to add some internal interfaces.

Also zenarmor has exceptions for certain domains you add, and also might have them based on traffic going in the interface, not out.
i.e. it might consider every external connection on the wan interface as an internal device, so naturally zenarmor might consider that you have +1000 devices that aren't really yours; that might not do well in the database and also in the way it logs and analyzes traffic.
It all depends on how Zenarmor is implemented.

Honestly I would keep suricata with hyperscan for WAN interfaces and Zenarmor for analyzing and protecting internal interfaces for your end users.
For DMZ you have other stuff like WAF (web application firewall) on nginx.