1
21.7 Legacy Series / Re: [API] Required user permission to grant access to controller alias_util
« on: January 04, 2022, 06:11:41 pm »
Works! Thanks for responding
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
21.7 Legacy Series / [API] Required user permission to grant access to controller alias_util
« on: January 03, 2022, 04:43:45 pm »
Which user permissions are required for a non-priviledged-user in order to be able to access API Endpoint / Controller alias_util (and nothing else)?
Permissions "Firewall: Alias: Edit" and "Firewall: Aliases" don't work for me since they only grant access to /api/firewall/alias/*
The only option that works for me so far is "GUI:All pages" which grants access to all available API endpoints which i definitly don't want.
Looking forward for hints and advices.
BR
Michael
Permissions "Firewall: Alias: Edit" and "Firewall: Aliases" don't work for me since they only grant access to /api/firewall/alias/*
The only option that works for me so far is "GUI:All pages" which grants access to all available API endpoints which i definitly don't want.
Looking forward for hints and advices.
BR
Michael
3
20.7 Legacy Series / Re: IGMPproxy not leaving multicast streams
« on: August 03, 2020, 10:45:26 pm »
I can confirm the issue. Still investigating for a potential hint that leads to rc.
This is the output of igmpproxy during the event of a MC Group Leave Event:
However running tcpdump on pppoe0 shows, that the igmp leave message never passes the interface.
By the way - why can't I just rollback igmpproxy package like this?
This is the output of igmpproxy during the event of a MC Group Leave Event:
Code: [Select]
RECV Leave message from 192.168.100.15 to 224.0.0.2
Got leave message from 192.168.100.15 to 232.0.20.120. Starting last member detection.
counted 1 interfaces
Leaving group 2014576872 now
Leaving group 232.0.20.120 upstream on IF address 84.132.144.112
leaveMcGroup: 232.0.20.120 on pppoe0
Interface id 0 is in group $d
SENT Membership query from 192.168.100.1 to 232.0.20.120
Sent membership query from 192.168.100.1 to 232.0.20.120. Delay: 10
Created timeout 3 (#1) - delay 2 secs
(Id:2, Time:8)
(Id:3, Time:2)
RECV Membership query from 192.168.100.1 to 232.0.20.120
RECV Leave message from 192.168.100.15 to 224.0.0.2
Got leave message from 192.168.100.15 to 232.0.20.120. Starting last member detection.
Interface id 0 is in group $d
SENT Membership query from 192.168.100.1 to 232.0.20.120
Sent membership query from 192.168.100.1 to 232.0.20.120. Delay: 10
Created timeout 4 (#2) - delay 0 secs
(Id:2, Time:8)
(Id:3, Time:2)
(Id:4, Time:0)
RECV Membership query from 192.168.100.1 to 232.0.20.120
About to call timeout 2 (#0)
SENT Membership query from 192.168.100.1 to 224.0.0.1
Sent membership query from 192.168.100.1 to 224.0.0.1. Delay: 10
Created timeout 5 (#2) - delay 8 secs
(Id:3, Time:2)
(Id:4, Time:0)
(Id:5, Time:8)
Created timeout 6 (#3) - delay 21 secs
(Id:3, Time:2)
(Id:4, Time:0)
(Id:5, Time:8)
(Id:6, Time:21)
RECV Membership query from 192.168.100.1 to 224.0.0.1
The IGMP message was local multicast. Ignoring.
RECV V2 member report from 192.168.100.13 to 224.0.0.252
Should insert group 224.0.0.252 (from: 192.168.100.13) to route table. Vif Ix : 0
Updated route entry for 224.0.0.252 on VIF #0
Current routing table (Insert Route):
-----------------------------------------------------
#0: Src0: 87.141.215.251, Dst: 232.0.20.120, Age:2, St: A, OutVifs: 0x00000001
#1: Dst: 224.0.0.251, Age:2, St: I, OutVifs: 0x00000001
#2: Dst: 224.0.0.252, Age:1, St: I, OutVifs: 0x00000001
However running tcpdump on pppoe0 shows, that the igmp leave message never passes the interface.
By the way - why can't I just rollback igmpproxy package like this?
Code: [Select]
root@OPNsense:/home/michael # opnsense-revert -r 20.1 igmpproxy
Fetching igmpproxy.txz: .. failed
4
20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour
« on: March 06, 2020, 05:52:23 pm »
As suspected - the test confirms that the issue must be somehow service related, since a raw TCP Connection is established successfully.
Would you clarify, which particular service is running on the server?
Would you clarify, which particular service is running on the server?
5
20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour
« on: March 03, 2020, 10:43:13 pm »
Would you mind to check, if you can open a RAW TCP Connection between Server and client?
I believe the issue is somehow service related since the screenshot of site B's firewall log looks strange. Missing source and destination port on the initial TCP Reply probably makes the firewall to drop the connection.
Server
Client
Make sure to temporarily disable the affected service on the given listening port to make sure the tcp port can be bound.
I believe the issue is somehow service related since the screenshot of site B's firewall log looks strange. Missing source and destination port on the initial TCP Reply probably makes the firewall to drop the connection.
Server
Code: [Select]
michael@manjaro-xps13 ~ % netcat -l -p 7879 -vvv
Listening on any address 7879
Connection from 10.23.45.2:48756
Test. This works
Total received bytes: 17
Total sent bytes: 0
Client
Code: [Select]
$ netcat 192.168.100.24 7879 -v
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.100.24:7879.
Test. This worksMake sure to temporarily disable the affected service on the given listening port to make sure the tcp port can be bound.
6
18.1 Legacy Series / Re: IGMPProxy1.3 is not starting
« on: May 17, 2018, 07:28:13 pm »
Yes I'm somehow confused too.
I just made an upgrade to 18.1.8 on a previous installation and reset to factory defaults to get a clean start.
After setting up the configuration i was suprised, that igmpproxy came up without any issues...
Am I missing something?
I just made an upgrade to 18.1.8 on a previous installation and reset to factory defaults to get a clean start.
After setting up the configuration i was suprised, that igmpproxy came up without any issues...
Code: [Select]
root@OPNsense:~ # cat /usr/local/etc/igmpproxy.conf
##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave
phyint pppoe0 upstream ratelimit 0 threshold 1
altnet 87.141.215.0/24
altnet 224.0.0.0/24
phyint bridge0 downstream ratelimit 0 threshold 1
altnet 192.168.100.0/24
phyint igb0 disabled
phyint igb2 disabled
Code: [Select]
root@OPNsense:~ # igmpproxy -h
Usage: igmpproxy [-h] [-n] [-d] [-v [-v]] <configfile>
-h Display this help screen
-n Do not run as a daemon
-d Run in debug mode. Output all messages on stderr. Implies -n.
-v Be verbose. Give twice to see even debug messages.
igmpproxy 0.2.1
root@OPNsense:~ # opnsense-update
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (18 candidates): 100%
Processing candidates (18 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Nothing to do.
Your system is up to date.
Am I missing something?
7
18.1 Legacy Series / Re: IGMPProxy1.3 is not starting
« on: May 17, 2018, 06:43:15 pm »
Appears to be fixed in 18.1.8
8
18.1 Legacy Series / Re: IGMPProxy1.3 is not starting
« on: April 17, 2018, 11:02:33 pm »
You are right.
It appears that i forgot one more step to investigate the issue.
I just changed upstream interface configuration to a non tagged pppoe Interface -> igmpproxy init failed.
However, changing upstream interface to a tagged non pppoe interface (e.g. static configuration) brought igmpproxy back to life.
I will change the failure report on Github...
It appears that i forgot one more step to investigate the issue.
I just changed upstream interface configuration to a non tagged pppoe Interface -> igmpproxy init failed.
However, changing upstream interface to a tagged non pppoe interface (e.g. static configuration) brought igmpproxy back to life.
I will change the failure report on Github...
9
18.1 Legacy Series / Re: IGMPProxy1.3 is not starting
« on: April 17, 2018, 01:20:13 am »
I can confirm the issue.
Upstream Interface pppoe on a vlan tagged interface. Downgrading igmpproxy resolves the issue. However - igmpproxy.conf remains unchanged since prior update.
System Log:
Upstream Interface pppoe on a vlan tagged interface. Downgrading igmpproxy resolves the issue. However - igmpproxy.conf remains unchanged since prior update.
Code: [Select]
root@OPNsense:~ # cat /usr/local/etc/igmpproxy.conf
##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave
phyint pppoe0 upstream ratelimit 0 threshold 1
altnet 224.0.0.0/24
altnet 87.141.215.0/24
phyint igb0 downstream ratelimit 0 threshold 1
altnet 192.168.100.0/24
System Log:
Code: [Select]
Apr 17 01:15:51 igmpproxy[41961]: There must be at least 1 Vif as upstream.
Apr 17 01:15:51 igmpproxy[74057]: select() failure; Errno(4): Interrupted system call
Apr 17 01:15:42 pkg-static: igmpproxy upgraded: 0.1_2,1 -> 0.2.1,1
Pages: [1]