Messages - Cerberus

#1
noooo ;(

Now I have to fight with the built-in ACME client and Azure DNS-01 again; it just worked with Caddy.
#2
Hi,

I can confirm this issue; we see this on our firewalls. OPNsense created a crash log for it, and I submitted the crash report (if that does anything).
#3
Hi all,

Since yesterday I have been having a hell of a ride with my OPNsense Business installations. All of them are running 24.10.2_6, and I have massive issues with IPsec connections.

One firewall is standalone, and on another site I have a pair forming a CARP cluster. Trouble starts as soon as I try to edit something on an IPsec connection or just press Save in one connection: several connections fail to start, and under Status Overview I can see at least one connection always appearing twice, but with protocol version "1" instead of IKEv1 or IKEv2. Since then there are some connections that always work and some that always fail. For affected connections I can't see any outgoing traffic on my WAN interface, only incoming.

I see a lot of "charon 28998 - [meta sequenceId="18483"] 04[NET] error writing to socket: Network is down" spam in /var/log/ipsec.log

ipsec status shows these strange states; these are the entries without a proper IKE protocol in the status window in my screenshot.

  (unnamed)[63]: CONNECTING, x.x.x.x[%any]...x.x.x.x[%any]

The same happens on my CARP cluster, but there it only affects the master firewall where I edit connections. When I make my backup the master, all IPsec connections work fine, and even after syncing from the master to my backup, connections still work.

For me it looks like editing IPsec connections corrupts something and breaks several existing connections.

Suricata is disabled, there is no filtering software, and I can ping all IPsec WAN endpoints. Loading an older config from before the issue does not help. At least my CARP backup is doing well for now.

I am out of ideas.
#4
We have the same issue; it stopped working on two OPNsense firewalls on 27.7.12. ACME complains about an invalid key, but the key is correct. We tried changing the key, but no luck.

Maybe a result of the "plugins: os-acme-client 4.7[1]" update in 27.7.12. Some certificates in the first week of the year were updated successfully.
#5
Web Proxy Filtering and Caching / Re: Caddy won't start
January 21, 2025, 03:47:55 PM
Restarting syslog-ng didn't help and the file did not appear. I had a free slot for a short maintenance reboot, and now Caddy is up again.
#6
Web Proxy Filtering and Caching / Re: Caddy won't start
January 15, 2025, 11:42:28 PM
I also have issues on 24.10.1 with Caddy no longer starting. /var/log/caddy/caddy.log shows:

Error: loading initial config: loading new config: setting up default log: opening log writer using &logging.NetWriter{Address:"unixgram//var/run/caddy/log.sock", DialTimeout:0, SoftStart:false, addr:caddy.NetworkAddress{Network:"unixgram", Host:"/var/run/caddy/log.sock", StartPort:0x0, EndPort:0x0}}: dial unixgram /var/run/caddy/log.sock: connect: no such file or directory
Error: caddy process exited with error: exit status 1

Starting it from the console throws the same error:

# caddy run --config /usr/local/etc/caddy/Caddyfile
2025/01/15 22:44:05.709 INFO    using config from file  {"file": "/usr/local/etc/caddy/Caddyfile"}
2025/01/15 22:44:05.709 WARN    No files matching import glob pattern   {"pattern": "/usr/local/etc/caddy/caddy.d/*.global"}
2025/01/15 22:44:05.709 WARN    No files matching import glob pattern   {"pattern": "/usr/local/etc/caddy/caddy.d/*.conf"}
2025/01/15 22:44:05.712 INFO    adapted config to JSON  {"adapter": "caddyfile"}
Error: loading initial config: loading new config: setting up default log: opening log writer using &logging.NetWriter{Address:"unixgram//var/run/caddy/log.sock", DialTimeout:0, SoftStart:false, addr:caddy.NetworkAddress{Network:"unixgram", Host:"/var/run/caddy/log.sock", StartPort:0x0, EndPort:0x0}}: dial unixgram /var/run/caddy/log.sock: connect: no such file or directory

Deleting the log section from the Caddyfile lets it start from the console, but I prefer to have logs :)

        log {
                output net unixgram//var/run/caddy/log.sock {
                }
                format json {
                        time_format rfc3339
                }
        }
#7
On two OPNsense machines, netdata was broken after installing 24.7.6. Netdata no longer starts; it looks like netdata was not properly updated and is missing "libprotobuf.so.28.1.0".

"ld-elf.so.1: Shared object "libprotobuf.so.28.1.0" not found, required by "netdata""

I solved it by reinstalling the netdata package from Firmware/Packages, which updated netdata to a new minor version; now it works again.

Installed packages to be UPGRADED:
   netdata: 1.43.2_5 -> 1.43.2_6
#8
Same here, had to kill crowdsec to continue the update.
#9
Same issue on my end.

I run a ZeroTier tunnel between an OPNsense Business Edition (home) and an OPNsense Community Edition running at my hoster. Right after updating to 24.7.4 on the OPNsense Community Edition, ZeroTier is dead. Both ZeroTier installations are shown as online, but none of the devices can ping each other on their ZeroTier IP or any other IP that is routed over this tunnel.

I will try to downgrade my OPNsense to 24.7.3 as a solution for now.

Update: downgrade with "opnsense-revert -r 27.7.3_1" worked, traffic is flowing again :)
#10
I think ZeroTier does this for multipath: if there are multiple ways out, it uses them. You can add options to ignore certain networks for transport.

Try adding this to your ZeroTier config:

{
   "settings": {
      "interfacePrefixBlacklist": ["interface1", "interface2"]
   }
}
https://docs.zerotier.com/config/#local-configuration-options
#11
I would like to see JSON support. Currently I get my Microsoft Azure service list JSON with https://github.com/thedxt/IP-Downloader. I'd love to see something like that in OPNsense.
#12
You don't need that either; Kea detects by itself which interfaces the subnets are on. You only have to make sure that Kea itself has been enabled on the interfaces on which DHCP services are to be provided.
#13
I have been sitting here for 6 hours trying to find the reason why a port forward from a WireGuard tunnel (which provides me a static WAN IP) to my mail server does respond to requests coming in from WireGuard. That manual firewall rule and the reply-to setting saved my day.

I almost went insane.
#14
24.1, 24.4 Legacy Series / Re: Unbound keep crashing
February 20, 2024, 08:26:42 PM
I see this on several OPNsense Business 23.10.2 installations. Unbound stops resolving external domains (only); internal still works. It looks like TLS to Quad9 is dying sometimes. A restart of Unbound solves the issue immediately; if I do nothing, it fixes itself after a few minutes.

I don't know if this is an Unbound or a Quad9 issue.
#15
Quote from: pgh on January 30, 2024, 08:56:52 PM
After upgrading to 24.1 I could no longer access any host on the WAN side.
Calling "nslookup google.com" in a terminal works great (on Linux and Windows), but the domain names are not resolved!
I also tried the DNS diagnostics tool of my OPNsense, using 8.8.8.8, and it could receive the IP of amazon.com, but again no domain name resolving when working with a browser, calling apt-get etc.
Before upgrading to 24.1 I saved the configuration. I tried to solve the issue by restoring the config saved before: the issue remains.
I also tried several restarts... that did not help either.
Now I am confused, sad, angry and cannot surf in the www :-(
Please help me!

Check if you still have an IPv4 gateway; two of my machines completely lost their IPv4 gateway entries. I had to recreate them by hand. Luckily these remote firewalls still had IPv6 running, so I was able to fix it.