
Messages - antonym

#1
Quote from: RedVortex on January 22, 2024, 04:25:49 AM
I tried using kea without luck so far... Even though I disabled the ISC server on my vlan 630, stopped and started ISC to make sure it frees up the listening on port 67 on 192.168.63.1 but kea still complains it's unable to start properly

WARN [kea-dhcp4.dhcpsrv.0x83359d000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface ix1_vlan630, reason: failed to bind fallback socket to address 192.168.63.1, port 67, reason: Address already in use - is another DHCP server running?


Checking netstat, I see *:67 so I guess ISC is listening on *:67 and prevents kea from running side-by-side.

Still trying to see if there is a way around this...

I have multiple vlans and was getting the same type of error messages. What worked for me was stopping the ISC DHCP service and then starting the KEA DHCP service. Before shutting down the ISC DHCP service (clicking the red square button), I only disabled the particular VLAN interface within ISC DHCP that I wanted to test in KEA DHCP. I thought that was enough, but it wasn't, because ISC DHCP was still running and binding to the VLAN interface even though I had disabled listening on it in ISC DHCP.
#2
Thanks to Franco pointing out what I was missing, I was able to correct my steps and get back on track with successful results. Here were the command line steps I used to verify the download by using sha256 and openssl.

1. Download all files directly (my download folder is Downloads). In my case, I downloaded the files from https://mirrors.nycbug.org/pub/opnsense/releases/mirror/ . The README file contains the public key (one of a few that I checked from different sources, and they all matched): https://mirrors.nycbug.org/pub/opnsense/releases/mirror/README

2. The written instructions for verifying the image file are found at https://docs.opnsense.org/manual/install.html

3. Then from within the terminal enter the following commands in the sequence listed.

anthony@opensusebox:~> cd Downloads

anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig
OPNsense-22.1.pub
OPNsense-22.1.pub.sig

anthony@opensusebox:~/Downloads> sha256sum OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
f791e9024888f5f668175a78cbbcd9eb96b36ba523f38d00cad9dd4d64243b4f  OPNsense-22.1-OpenSSL-vga-amd64.img.bz2

anthony@opensusebox:~/Downloads> openssl base64 -d -in OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig  -out sha256conversion.byme.sig

anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256     
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2     
OPNsense-22.1.pub     
sha256conversion.byme.sig
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig 
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig 
OPNsense-22.1.pub.sig

anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature sha256conversion.byme.sig OPNsense-22.1-OpenSSL-checksums-amd64.sha256
Verified OK

anthony@opensusebox:~/Downloads> openssl base64 -d -in OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig  -out image.sig

anthony@opensusebox:~/Downloads> ls
image.sig
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig 
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig 
OPNsense-22.1.pub.sig
OPNsense-22.1-OpenSSL-checksums-amd64.sha256 
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2           
OPNsense-22.1.pub
sha256conversion.byme.sig

anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature image.sig OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
Verified OK
anthony@opensusebox:~/Downloads>

Done. Then off to creating the bootable USB according to instructions at https://opnsense.org/users/get-started/

:)

--------
Anthony
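
The steps in the post above, wrapped into a script as an added example (not part of the original post and not OPNsense's own tooling). It decodes the base64 .sig first, the step whose omission gives "Verification Failure", then checks that the image's SHA-256 appears in the signed checksum list; the function names and the assumption that the checksum file carries file name and digest on one line are mine.

```shell
#!/bin/sh
# Added example: function names and return codes are illustrative.

# verify_signed FILE SIG_B64 PUBKEY
# Returns 0 = signature valid, 1 = signature invalid, 2 = .sig not decodable.
verify_signed() {
    vs_raw=$(mktemp "${TMPDIR:-/tmp}/sig.XXXXXX") || return 2
    # The .sig files are base64 text; "openssl dgst -verify" needs the raw bytes.
    if ! openssl base64 -d -in "$2" -out "$vs_raw" 2>/dev/null || [ ! -s "$vs_raw" ]; then
        rm -f "$vs_raw"
        return 2
    fi
    if openssl dgst -sha256 -verify "$3" -signature "$vs_raw" "$1" >/dev/null 2>&1; then
        vs_rc=0
    else
        vs_rc=1
    fi
    rm -f "$vs_raw"
    return "$vs_rc"
}

# image_in_checksums IMAGE CHECKSUMS
# Assumption: the checksum file has the image's file name and SHA-256 on one line.
image_in_checksums() {
    ic_hash=$(openssl dgst -sha256 -r "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$ic_hash" ] || return 1
    grep -F -- "$(basename "$1")" "$2" | grep -qiF -- "$ic_hash"
}

# verify_release IMAGE CHECKSUMS CHECKSUMS_SIG PUBKEY
# Returns 0 only if the checksum list is signed by PUBKEY and lists IMAGE's hash;
# 1 or 2 come from verify_signed, 3 means the image hash is not in the list.
verify_release() {
    verify_signed "$2" "$3" "$4" || return $?
    image_in_checksums "$1" "$2" || return 3
}

# Run as: sh verify.sh IMAGE CHECKSUMS CHECKSUMS_SIG PUBKEY
if [ "$#" -eq 4 ]; then
    if verify_release "$@"; then
        echo "Verified OK"
    else
        echo "Verification FAILED"
        exit 1
    fi
fi
```

The public key passed in should be one already compared against independent sources, as the post describes; the script only proves the files match that key.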

#3
Thank you Franco. I misinterpreted the instructions and didn't apply the conversion step. I appreciate you clarifying this important piece of the puzzle. I'll attempt this again later (stepping out now) and report back here...

Best regards
Anthony
#4
Hello

I am able to perform sha256sum on the downloaded bz2-zipped image file and it checks out OK (see below); however, when I use the openssl public key verification method it fails the check. I verified that the public keys I downloaded from a few sources were all the same, so with that I can at least have some level of confidence the key is legit.

This verification failure happens no matter if I download from a server in the US or Netherlands (haven't tried others). When I attempt to perform the public key verification of the downloaded image I get "Verification Failure". When it fails a check, the instructions at https://docs.opnsense.org/manual/install.html state "...you may have made an error using the commands, or the image has been compromised."

The details for these instructions state the following:
"Once you have downloaded all the required files and a copy of the public key, and verified that the public key matches the public key from the alternate sources listed above, you can be relatively certain that the key has not been tampered with. To verify the downloaded image, run the following commands (substituting the names in brackets for the files you downloaded):

openssl base64 -d -in <filename>.sig -out /tmp/image.sig

openssl dgst -sha256 -verify <key>.pub -signature /tmp/image.sig <image>.img.bz2

Make sure to change the "img" to "iso" in the second line if you downloaded a different installer type.

If the output of the second command is "Verified OK", your image was verified successfully, and you can install it. If it has any other output, you may have made an error using the commands, or the image may have been compromised."


Here is the sequence of commands as I entered them in the terminal:

anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256      OPNsense-22.1-OpenSSL-vga-amd64.img.bz2      OPNsense-22.1.pub     
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig  OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig  OPNsense-22.1.pub.sig

anthony@opensusebox:~/Downloads> sha256sum OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
f791e9024888f5f668175a78cbbcd9eb96b36ba523f38d00cad9dd4d64243b4f  OPNsense-22.1-OpenSSL-vga-amd64.img.bz2

anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
Verification Failure

anthony@opensusebox:~/Downloads>

Can anyone point out any mistakes I might have made in the commands above? Is there anything to be concerned about when sha256sum passes, but the public key method does not?

Thank you if you can help.


Regards
Anthony


#5
Did some research on the web because I couldn't find out any sooner from searching this forum. Basically Growl notifications got replaced with Monit. There, resolved.

from https://github.com/opnsense/core/issues/2408

Hi @lopsch,

The current notification framework is scheduled for a full removal in 18.7. We already imported Monit into the core package for this reason. I don't see this code going anywhere because of it. Ok?

Cheers,
Franco
#6
In previous OPNsense versions I had set up Growl notifications, but in 19.1 I can't find the configuration setup in the web GUI. Has Growl been eliminated? Or am I not seeing it?

antonym
#7
Hi Franco

Thank you very much for the instruction, and quick reply. I'll do that next.

Regards
Ant
#8
I am able to make changes to parameters in suricata.yaml, and the file appears to save properly with the edits (file size changes after initially being saved with the edits), but then the file reverts back to the original form and size again (as if never edited) as soon as suricata is enabled again. I tried many variations of trying to edit this file: making the edits on the desktop, then using scp to transfer to the OPNsense router; making the edits from within the OPNsense shell (ssh) using vi. The edits made to this file just don't stick. Anyone else having this problem? Anyone know what the cause is and how to fix it?