Messages - amichel

#1
Just an idea:
did you create a rule to allow traffic to go through the interface? IIRC by default there isn't any, so all traffic will be blocked.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
#2
In case you run OPNsense on ZFS, you could simply create a snapshot of the system before upgrading. Then you should be able to revert to the previous config easily.
I do that, and additionally, since my OPNsense runs on top of a Proxmox machine, I use the backup feature of Proxmox to back up and recover.
#3
I am aware, but the fact is that until the upgrade it worked out of the box, assigning to the clients the Kea-assigned IP as GW and DNS server. And Unbound in my case was listening on those interfaces.
This was then not working after the upgrade.
However I tried the upgrade again and it works now.
Thanks for the help.
#4
After upgrading to 25.1.11 I realized that the Kea DHCP server still assigns IP addresses, but DNS is no longer available. I did not add any extra DHCP options, so the gateway and the DNS server are the IP address assigned to the Kea interface on that specific VLAN.
Could not test any further as I need the environment up and running and decided to revert the snapshot.
Anyone had similar experiences?
Andreas
#5
Hi,
just to be on the safe side, did you create rules to allow the traffic between the nets? By default, IIRC, the firewall will block all traffic.
#6
25.1, 25.4 Series / Re: Update to 25.1.2 broke Postfix
February 28, 2025, 10:10:09 PM
I think someone from the team already fixed that.
I just searched for updates and there is a new Postfix release available.
Updated it --> all is fine.

Thank you!
#7
After the upgrade to 25.1.2 postfix does not start anymore.

In the Log I only see:

28cafc05-69bf-4067-8fa6-be5124013484] Script action failed with Command 'postmap /usr/local/etc/postfix/transport ' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 78, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 413, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command 'postmap /usr/local/etc/postfix/transport ' returned non-zero exit status 1.


Any help is appreciated.
#8
Quote from: rudiservo on January 31, 2025, 01:00:31 PM
Is it safe for those that have external DB?

I can only share that for me, using an external Elastic database, it works without problems. But I have to admit I am a home user and I can rebuild the box easily (Proxmox snapshot).
So in case you use OPNsense on a business-relevant machine, I would recommend waiting for an official announcement.
#9
25.1, 25.4 Series / Re: Zenarmor no longer works...
January 31, 2025, 09:52:16 AM
For me it worked after the upgrade.
My setup is using a remote Elasticsearch database and upgrading OPNsense did not defunctionalize Zenarmor.
#10
Fixed it by choosing an encryption protocol instead of setting the encryption to default
#11
Hi,
after applying the hotfix 24.7.4_1 on my two OPNsense boxes, during the IPsec negotiation I see the error:

"parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]"
received NO_PROPOSAL_CHOSEN notify error


Any ideas if there is some connection to the update?
#12
24.7, 24.10 Series / Re: Can't install new certificate
August 06, 2024, 11:18:50 PM
I had exactly the same issue with a DigiCert certificate. When I imported it, it showed up as self-signed, although the DigiCert issuing CA is in my Authorities store.
After some trial and error, this is how I solved it:

  • Import the certificate; it will show up as self-signed.
  • Edit the certificate, make sure the action is set to "Reissue and Replace certificate", and make sure you select the correct CA.
  • Click Save --> You will get an error.
  • Change the Action to "Create a certificate Signing Request" and Save. You should now see the certificate with the correct CA.
  • Click on edit and select "Import Certificate (Signed by CA)"; it should be the only option.
  • Save it.

After this you should see the certificate with the correct CA assigned.
#13
I am of course just guessing, but based on what you shared, you see that traffic is reaching your WAN interface and then is dropped/blocked. So I personally do not think that the ISP is blocking you, as you might not be able to see anything in this case.
Are you sure that you are not behind some carrier-grade NAT and got an IP range for private usage on your WAN port, as this would then trigger the default rules?
#14
Not all of them.
Some are servers, some are mobiles. Some are VMs and some are physical.