Messages - bob@afrinet.eu

#1
General Discussion / Re: A fork of opnsense?
April 12, 2023, 02:27:44 PM
Hello to all,

I would like to clarify a couple of things in this thread.

A couple of clarifications here:

Brief history facts

ToDoo (now DynFi) was one of the leading distributors of pfSense in France from 2008 until 2014, back when OPNsense didn't exist. So we share some common roots with OPNsense.

DynFi was a key company behind the disclosure of the OPNsense.com scam organized by Netgate owners. Thanks to our deep knowledge of DNS (we maintain primary DNS for a country) and our specialized brand lawyer and WIPO, we have helped Deciso release the "Domain by Proxy" lock and recover this domain name. This was a huge victory for the OPNsense team. We got 2 lines of credit in an obscure post at the time.

In 2015 / 2016, while we were early partners (and sponsors) of the project, we came and visited Deciso's team to discuss our will to develop a "Central Management solution", which didn't exist at the time, and we were coldly welcomed with a "we do not want any partner to develop this". Fair enough, but at the time and for the next four years and to a certain extent until now, there is no On Premise Central Management solution besides our own DynFi Manager.

Considering this will not to share anything with any partner as far as development is concerned, which choices were we left with?


Development of DynFi Manager

So back in 2017 what could have been nice teamwork clearly became the end of a partnership.

We drew the consequences of the rejection of cooperation on the Manager part and started the development of our DynFi Manager. The first version was officially launched in 2018.

There have been more than 60 releases and patches since we first launched the DynFi Manager in 2018.


Development of DynFi Firewall

We started developing the DynFi Firewall back in 2019 because we thought it could be interesting to have a distinct platform with no HardenedBSD in it, but rather directly based on the FBSD kernel. Turns out we were right, because a few months after we started our own fork, OPNsense shifted back to the FreeBSD kernel.

I must add that we have our own distinct compilation platform and that we did some upstream of OPNsense code in the beginning (but didn't Deciso do the exact same thing with pfSense back in 2015?); the more we move forward, the less upstream we do. Unfortunately we didn't have the chance to have GonzoPancho screaming on the whole internet, so social marketing for our distro is still discreet at this stage...

I won't discuss future plans of our distro on the OPNsense forum, this does not seem like the exact right place to do that ;-) but there clearly will be some very interesting stuff offered that will move us on our own trajectory...


Who is DynFi?

No, we are not an obscure agency of the French government, but a Paris-based company created back in 2001.


Hope this post helps understand who we are and where we come from.
#2
No, it didn't solve anything removing the "transparent proxy".
#3
This is not good !

chown root:squid /usr/local/libexec/squid/pinger
chmod 4410 /usr/local/libexec/squid/pinger

Is way better.
#4
Hello,

I have the same configuration... and the same problem.
Maybe we could try not to use the forwarding proxy (aka transparent proxy).

I will try this and let you know if it solved the problem.
#5
19.1 Legacy Series / Re: 19.1 development milestones
December 03, 2018, 04:16:27 PM
I have synced my kernel source code from FreeBSD and I have used this to compile my kernel (as far as I can remember):

https://github.com/opnsense/src/blob/master/sys/amd64/conf/GENERIC


:P
#6
19.1 Legacy Series / Re: 19.1 development milestones
December 03, 2018, 11:12:56 AM
Quote: Again, they are providing full support for FreeBSD.

That's a "yes" you spoke with them and "no" they will not in any way help to figure this out.

Is that correct? :)

Just to be precise: I am not discussing any "issue" with anyone anywhere besides this forum.

I am reporting an error that I have on hardware that I am planning to use, since I tend to prefer OPNsense to pfSense. This is not a major issue. Simply let me know if I can help anywhere or if these tests are simply useless.

Thanks a lot.
#7
19.1 Legacy Series / Re: 19.1 development milestones
December 03, 2018, 10:16:57 AM
Quote: The manufacturer of the hardware is fully compatible with FreeBSD 11.2

Okay, so I want to know:

Did you ask the vendor about this and they said this to you?

First note that my skills are limited and that I am trying to help with a global issue that you seem to have with HardenedBSD which does not exist with FreeBSD.

"Hardware vendors" do support well known OSes (Linux, FreeBSD), eventually less well known OSes (OpenBSD, NetBSD and FreeNAS), but they unfortunately don't provide support for an OS that is used by a very limited community and is a couple of years old.

Quote: If no, please ask the vendor about *HardenedBSD 11.2* support and what might be the issue from their point of view.

Generally speaking, when you fork an OS you try to maintain hardware compatibility with upstream. I understand that this might be difficult, considering the fact that HBSD is changing low level hardware settings to enhance security...

But considering the very few people who have taken time to test this seriously as I did, I think that a lot of people might be impacted by what I have been pointing at. And this is not good.

Quote: If yes, please let us know that they do not intend to support it.

Again, they are providing full support for FreeBSD.
You cannot expect a hardware vendor selling hundreds of thousands of units to support an OS that is four years old.

From my humble point of view, the upstream compatibility must come from HBSD at this early stage.


Quote: I'm asking for clues to solve this or be able to say the vendor has no interest in supporting particular operating systems. I'm fine either way, but I don't appreciate you pushing this without giving us the background that you seem to have or maybe not gone ahead and collect for us to properly proceed.

Unfortunately my skills are limited.

I have spent time testing HBSD, and proceeded to multiple installs with both OPNsense 19.1ß and HardenedBSD directly. I had systematic failures which have been fully reported in your forum.

I am willing to help and I don't see that many people who have tested OPNsense with 19.1ß. If you think that my answers are not helpful, I will stop my tests.

I am highlighting a fact that will happen to MANY users before it becomes critical (before the launch of your 19.1 version). I hope this is considered as helpful.
#8
19.1 Legacy Series / Re: 19.1 development milestones
November 28, 2018, 06:57:21 PM
Quote: That is indeed interesting. :)

I'll take a look this weekend. HardenedBSD hasn't made any changes to the CAM layer or SDHCI drivers. Regardless, I'll see if I can figure out what's going on. It'll be difficult with me not being able to reproduce, but I'll give it a shot.

Let me know if you want me to test anything... 

Thanks  ;)
#9
19.1 Legacy Series / Re: 19.1 development milestones
November 28, 2018, 04:57:54 PM
So I have tried your hint
vm.pmap.pti=0
which didn't work at all and ended up with an SDHCI error (image below)

I have also tried the hint found here: https://forum.opnsense.org/index.php?topic=10135.0
set hint.sdhci_pci.0.disabled=1
set hint.sdhci_pci.1.disabled=1
boot


This last one has allowed me to go further on the install process, but finally ended up with a disk install failure / CAM status problem (mountroot problem) also illustrated with the image below.


And this is the FreeBSD 11.2 boot that I have:

Copyright (c) 1992-2018 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.2-RELEASE-p4 #0 r341013: Tue Nov 27 13:30:22 CET 2018
    root@FBSD:/usr/obj/usr/src/sys/GENERIC_OPNS amd64
FreeBSD clang version 6.0.0 (tags/RELEASE_600/final 326565) (based on LLVM 6.0.0)
VT(vga): resolution 640x480
CPU: Intel(R) Atom(TM) CPU C3558 @ 2.20GHz (2200.07-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x506f1  Family=0x6  Model=0x5f  Stepping=1
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,RDRAND>
  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
  AMD Features2=0x101<LAHF,Prefetch>
  Structured Extended Features=0x2294e283<FSGSBASE,TSCADJ,SMEP,ERMS,NFPUSG,MPX,PQE,RDSEED,SMAP,CLFLUSHOPT,PROCTRACE,SHA>
  Structured Extended Features3=0x2c000000<IBPB,STIBP,ARCH_CAP>
  XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES>
  IA32_ARCH_CAPS=0x1<RDCL_NO>
  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID,VID,PostIntr
  TSC: P-state invariant, performance statistics
real memory  = 8589934592 (8192 MB)
avail memory = 8186150912 (7806 MB)
Event timer "LAPIC" quality 600
ACPI APIC Table: <INTEL  TIANO   >
WARNING: L1 data cache covers less APIC IDs than a core
0 < 1
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
FreeBSD/SMP: 1 package(s) x 4 core(s)
random: unblocking device.
ioapic0 <Version 2.0> irqs 0-23 on motherboard
SMP: AP CPU #1 Launched!
SMP: AP CPU #3 Launched!
SMP: AP CPU #2 Launched!
Timecounter "TSC-low" frequency 1100035606 Hz quality 1000
random: entropy device external interface
kbd1 at kbdmux0
netmap: loaded module
module_register_init: MOD_LOAD (vesa, 0xffffffff80ff4580, 0) error 19
random: registering fast source Intel Secure Key RNG
random: fast provider: "Intel Secure Key RNG"
nexus0
vtvga0: <VT VGA driver> on motherboard
cryptosoft0: <software crypto> on motherboard
acpi0: <ALASKA A M I > on motherboard
acpi0: Power Button (fixed)
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
cpu2: <ACPI CPU> on acpi0
cpu3: <ACPI CPU> on acpi0
hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 24000000 Hz quality 950
Event timer "HPET" frequency 24000000 Hz quality 550
Event timer "HPET1" frequency 24000000 Hz quality 440
Event timer "HPET2" frequency 24000000 Hz quality 440
Event timer "HPET3" frequency 24000000 Hz quality 440
Event timer "HPET4" frequency 24000000 Hz quality 440
atrtc0: <AT realtime clock> port 0x70-0x77 irq 8 on acpi0
atrtc0: Warning: Couldn't map I/O.
atrtc0: registered as a time-of-day clock, resolution 1.000000s
Event timer "RTC" frequency 32768 Hz quality 0
attimer0: <AT timer> port 0x40-0x43,0x50-0x53 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1808-0x180b on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pcib0: _OSC returned error 0x10
pci0: <ACPI PCI bus> on pcib0
pcib1: <ACPI PCI-PCI bridge> at device 6.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pci1: <processor> at device 0.0 (no driver attached)
pcib2: <ACPI PCI-PCI bridge> mem 0xdff60000-0xdff7ffff irq 20 at device 14.0 on pci0
pci2: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> mem 0xdff40000-0xdff5ffff irq 21 at device 15.0 on pci0
pci3: <ACPI PCI bus> on pcib3
igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0xd000-0xd01f mem 0xdfd00000-0xdfd7ffff,0xdfd80000-0xdfd83fff irq 21 at device 0.0 on pci3
igb0: Using MSIX interrupts with 5 vectors
igb0: Ethernet address: 00:90:0b:7c:3a:49
igb0: Bound queue 0 to cpu 0
igb0: Bound queue 1 to cpu 1
igb0: Bound queue 2 to cpu 2
igb0: Bound queue 3 to cpu 3
igb0: netmap queues/slots: TX 4/1024, RX 4/1024
pcib4: <ACPI PCI-PCI bridge> mem 0xdff20000-0xdff3ffff irq 22 at device 16.0 on pci0
pci4: <ACPI PCI bus> on pcib4
igb1: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0xc000-0xc01f mem 0xdfc00000-0xdfc7ffff,0xdfc80000-0xdfc83fff irq 22 at device 0.0 on pci4
igb1: Using MSIX interrupts with 5 vectors
igb1: Ethernet address: 00:90:0b:7c:3a:4a
igb1: Bound queue 0 to cpu 0
igb1: Bound queue 1 to cpu 1
igb1: Bound queue 2 to cpu 2
igb1: Bound queue 3 to cpu 3
igb1: netmap queues/slots: TX 4/1024, RX 4/1024
pcib5: <ACPI PCI-PCI bridge> mem 0xdff00000-0xdff1ffff irq 23 at device 17.0 on pci0
pci5: <ACPI PCI bus> on pcib5
ath0: <Atheros 9280> mem 0xdfb00000-0xdfb0ffff irq 23 at device 0.0 on pci5
[ath] enabling AN_TOP2_FIXUP
ath0: [HT] enabling HT modes
ath0: [HT] 1 stream STBC receive enabled
ath0: [HT] 1 stream STBC transmit enabled
ath0: [HT] 2 RX streams; 2 TX streams
ath0: AR9280 mac 128.2 RF5133 phy 13.0
ath0: 2GHz radio: 0x0000; 5GHz radio: 0x00c0
ahci0: <Intel Denverton AHCI SATA controller> port 0xe0c0-0xe0c7,0xe0b0-0xe0b3,0xe040-0xe05f mem 0xdff96000-0xdff97fff,0xdffa2000-0xdffa20ff,0xdffa1000-0xdffa17ff irq 20 at device 19.0 on pci0
ahci0: AHCI v1.31 with 1 6Gbps ports, Port Multiplier supported
ahcich0: <AHCI channel> at channel 0 on ahci0
ahciem0: <AHCI enclosure management bridge> on ahci0
ahci1: <Intel Denverton AHCI SATA controller> port 0xe0a0-0xe0a7,0xe090-0xe093,0xe020-0xe03f mem 0xdff94000-0xdff95fff,0xdffa0000-0xdffa00ff,0xdff9f000-0xdff9f7ff irq 21 at device 20.0 on pci0
ahci1: AHCI v1.31 with 1 6Gbps ports, Port Multiplier supported
ahcich8: <AHCI channel> at channel 7 on ahci1
ahciem1: <AHCI enclosure management bridge> on ahci1
xhci0: <Intel Denverton USB 3.0 controller> mem 0xdff80000-0xdff8ffff irq 19 at device 21.0 on pci0
xhci0: 32 bytes context size, 64-bit DMA
usbus0 on xhci0
usbus0: 5.0Gbps Super Speed USB v3.0
pcib6: <ACPI PCI-PCI bridge> irq 16 at device 22.0 on pci0
pci6: <ACPI PCI bus> on pcib6
ix0: <Intel(R) PRO/10GbE PCI-Express Network Driver, Version - 3.2.12-k> mem 0xdf600000-0xdf7fffff,0xdf804000-0xdf807fff irq 16 at device 0.0 on pci6
ix0: Using MSI-X interrupts with 5 vectors
ix0: Ethernet address: 00:90:0b:7c:3a:4b
ix0: netmap queues/slots: TX 4/2048, RX 4/2048
ix1: <Intel(R) PRO/10GbE PCI-Express Network Driver, Version - 3.2.12-k> mem 0xdf400000-0xdf5fffff,0xdf800000-0xdf803fff irq 17 at device 0.1 on pci6
ix1: Using MSI-X interrupts with 5 vectors
ix1: Ethernet address: 00:90:0b:7c:3a:4c
ix1: netmap queues/slots: TX 4/2048, RX 4/2048
pcib7: <ACPI PCI-PCI bridge> at device 23.0 on pci0
pci7: <ACPI PCI bus> on pcib7
ix2: <Intel(R) PRO/10GbE PCI-Express Network Driver, Version - 3.2.12-k> mem 0xdf000000-0xdf1fffff,0xdf204000-0xdf207fff irq 16 at device 0.0 on pci7
ix2: Using MSI-X interrupts with 5 vectors
ix2: Ethernet address: 00:90:0b:7c:3a:4d
ix2: netmap queues/slots: TX 4/2048, RX 4/2048
ix3: <Intel(R) PRO/10GbE PCI-Express Network Driver, Version - 3.2.12-k> mem 0xdee00000-0xdeffffff,0xdf200000-0xdf203fff irq 17 at device 0.1 on pci7
ix3: Using MSI-X interrupts with 5 vectors
ix3: Ethernet address: 00:90:0b:7c:3a:4e
ix3: netmap queues/slots: TX 4/2048, RX 4/2048
pci0: <simple comms> at device 24.0 (no driver attached)
pci0: <simple comms, UART> at device 26.0 (no driver attached)
pci0: <simple comms, UART> at device 26.1 (no driver attached)
pci0: <simple comms, UART> at device 26.2 (no driver attached)
sdhci_pci0: <Intel Denverton eMMC 5.0 Controller> mem 0xdff9a000-0xdff9afff,0xdff99000-0xdff99fff irq 16 at device 28.0 on pci0
sdhci_pci0: 1 slot(s) allocated
mmc0: <MMC/SD bus> on sdhci_pci0
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
pci0: <memory> at device 31.2 (no driver attached)
pci0: <serial bus> at device 31.5 (no driver attached)
acpi_tz0: <Thermal Zone> on acpi0
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 7 flags 0x10 on acpi0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 10 on acpi0
ppc0: cannot reserve I/O port range
est0: <Enhanced SpeedStep Frequency Control> on cpu0
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 21c200001600
device_attach: est0 attach returned 6
est1: <Enhanced SpeedStep Frequency Control> on cpu1
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 21c200001600
device_attach: est1 attach returned 6
est2: <Enhanced SpeedStep Frequency Control> on cpu2
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 21c200001600
device_attach: est2 attach returned 6
est3: <Enhanced SpeedStep Frequency Control> on cpu3
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 21c200001600
device_attach: est3 attach returned 6
Timecounters tick every 1.000 msec
ugen0.1: <0x8086 XHCI root HUB> at usbus0
uhub0: <0x8086 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0
mmcsd0: 8GB <MMCHC M32508 5.2 SN 3642E57D MFG 06/2018 by 112 0x0000> at mmc0 200.0MHz/8bit/8192-block
mmcsd0boot0: 4MB partion 1 at mmcsd0
mmcsd0boot1: 4MB partion 2 at mmcsd0
mmcsd0rpmb: 4MB partion 3 at mmcsd0
ses0 at ahciem0 bus 0 scbus1 target 0 lun 0
ses0: <AHCI SGPIO Enclosure 1.00 0001> SEMB S-E-S 2.00 device
ses0: SEMB SES Device
ses1 at ahciem1 bus 0 scbus3 target 0 lun 0
ses1: <AHCI SGPIO Enclosure 1.00 0001> SEMB S-E-S 2.00 device
ses1: SEMB SES Device
ada0 at ahcich8 bus 0 scbus2 target 0 lun 0
ada0: <2.5" SATA SSD 3ME2 M170707> ACS-2 ATA SATA 3.x device
ada0: Serial Number 20180724AA1853000018
ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)
ada0: Command Queueing enabled
ada0: 122104MB (250069680 512 byte sectors)
Trying to mount root from ufs:/dev/gpt/rootfs [rw]...
uhub0: 8 ports with 8 removable, self powered
igb0: link state changed to UP
igb1: link state changed to UP
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard
igb0: link state changed to DOWN
ix0: link state changed to UP
igb0: link state changed to UP
igb1: link state changed to DOWN
ng0: changing name to 'pppoe0'
pflog0: promiscuous mode enabled
igb1: link state changed to UP



Thanks for your support.
#10
19.1 Legacy Series / Re: 19.1 development milestones
November 28, 2018, 01:59:59 PM
Quote: Ideally the manufacturer of the hardware would assist with troubleshooting compatibility. At the very least to provide steps for us to amend images provided.

The manufacturer of the hardware is fully compatible with FreeBSD 11.2

I don't see much that they could do to have a HardenedBSD image working with Denverton architecture and eMMC since it is already working with FreeBSD 11.2

So the problem is somewhere between the stock FreeBSD 11.2 source code and HardenedBSD 11.2

How could we help to try to solve this issue?
#11
19.1 Legacy Series / Re: 19.1 development milestones
November 28, 2018, 10:26:19 AM
OK, so a couple of things here:

We are trying to have OPNsense working with a Netgate sg-5100 which is based on a Denverton architecture.
This device does not boot with any kernel on 11.1 (Denverton is not supported in 11.1) which makes sense.

It also does not boot at all on any kernel based on 11.2 and HardenedBSD.


So I have compiled a kernel based on FreeBSD 11.2 and installed it on top of an 18.7.8 and it boots straight out of the box.

What were the problems that you had with 11.2 and FreeBSD (if any)?
Do you plan to create an option to install either on the FreeBSD kernel or HardenedBSD?


Thanks.
#12
19.1 Legacy Series / Re: 19.1 development milestones
November 27, 2018, 02:56:41 PM
Is there a way to test 19.1 with the FreeBSD 11.2 kernel?

When I switch to the "Development" branch, I still have an 11.1 kernel.

I am currently trying 19.1.b_306, which seems to run on the 11.1 kernel:


root@OPNsense:~ # uname -a
FreeBSD OPNsense.localdomain 11.1-RELEASE-p15 FreeBSD 11.1-RELEASE-p15  2be81e6145f(stable/18.7)  amd64



What are we supposed to do to switch to the 11.2 kernel?


Thanks.
#13
19.1 Legacy Series / Re: 19.1-BETA images
November 05, 2018, 12:10:06 PM
Still the same boot problem... when reaching the mmc0 :
No compatible cards found on the device.


This is well supported in FreeBSD 11.2 so I guess there is a problem with the driver for mmc and supported devices compiled in the Kernel (probably).
#14
19.1 Legacy Series / Re: 19.1 development milestones
November 05, 2018, 12:08:00 PM
Still the same boot problem... when reaching the mmc0 :
No compatible cards found on the device.


This is well supported in FreeBSD 11.2 so I guess there is a problem with the driver for mmc and supported devices compiled in the Kernel (probably).
#15
Looks like you have some libraries in FreeBSD-src/sys/dev/sdhci/*
which are partly from 11.1 and partly from 11.2

Like sdhci_fdt.c

Maybe merging with what's in there might help: https://github.com/freebsd/freebsd/tree/releng/11.2/sys/dev/sdhci/*