Messages - niziak

#1
Sometimes (very rarely) I'm observing that I cannot resolve a hostname which gets its address from DHCP.
The hostname and its IP are correctly shown on the "leases" page, but the file /var/etc/dnsmasq-hosts doesn't contain this host in the section "# dhcpleases automatically entered".

I'm just wondering how to reproduce this problem. Can you check if a race is possible when /var/etc/dnsmasq-hosts is generated (i.e. in case two hosts refresh their leases at the same time)?
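The race asked about above, modelled in an added example that is not OPNsense's own code: two lease events each trigger a rebuild of an auto-generated hosts file, and if each rebuild works from a snapshot of the lease DB taken before the other event landed, the last writer wins and one host is silently missing from the file even though the lease DB still has it. The fix shown is to take the snapshot and write the file inside one exclusive lock, and to write via temp file + rename so a reader never sees a half-written file. File names, the lock file, the marker line and the lease records are all assumptions.

```python
"""Race-safe regeneration of an auto-generated hosts file (constructed model)."""
import fcntl
import os
import tempfile
import threading

MARKER = "# dhcpleases automatically entered"
STATIC = ["127.0.0.1\tlocalhost", "192.168.0.1\tfirewall"]  # constructed static entries


def render_hosts(static_lines, leases):
    """Static entries first, then the auto section, one '<ip>\\t<host>' line per lease."""
    out = list(static_lines) + [MARKER]
    out += [f"{ip}\t{name}" for ip, name in sorted(leases.items())]
    return "\n".join(out) + "\n"


def write_atomic(path, text):
    """Write to a private temp file, fsync, then rename over the target (atomic on POSIX)."""
    tmp = f"{path}.{os.getpid()}.{threading.get_ident()}.tmp"
    with open(tmp, "w") as f:
        f.write(text)
        f.flush()
        os.fsync(f.fileno())
    os.rename(tmp, path)


def auto_entries(path):
    """Return the set of lease lines below MARKER in the generated file."""
    with open(path) as f:
        lines = f.read().splitlines()
    return set(lines[lines.index(MARKER) + 1:])


def lost_update_demo(workdir):
    """Replay the unsafe interleaving deterministically (no lock, snapshot taken early).

    A: renewal for 'printer' arrives, A snapshots the lease DB
    B: new lease for 'laptop' lands, B regenerates (file now has both hosts)
    A: finishes last and writes its stale snapshot ('laptop' vanishes from the file)
    """
    path = os.path.join(workdir, "dnsmasq-hosts")
    lease_db = {"192.168.0.10": "printer"}
    snapshot_a = dict(lease_db)
    lease_db["192.168.0.11"] = "laptop"
    write_atomic(path, render_hosts(STATIC, dict(lease_db)))  # B
    write_atomic(path, render_hosts(STATIC, snapshot_a))      # A, stale
    return auto_entries(path)


def update_lease_locked(workdir, lease_db, ip, name):
    """Mutate the lease DB and regenerate the file inside one flock critical section."""
    path = os.path.join(workdir, "dnsmasq-hosts")
    with open(os.path.join(workdir, "dnsmasq-hosts.lock"), "w") as lockf:
        fcntl.flock(lockf, fcntl.LOCK_EX)  # blocks until the other writer is done
        try:
            lease_db[ip] = name
            write_atomic(path, render_hosts(STATIC, dict(lease_db)))
        finally:
            fcntl.flock(lockf, fcntl.LOCK_UN)


def locked_demo(workdir):
    """Two concurrent lease events under the lock: both hosts always end up in the file."""
    lease_db = {}
    threads = [
        threading.Thread(target=update_lease_locked,
                         args=(workdir, lease_db, "192.168.0.10", "printer")),
        threading.Thread(target=update_lease_locked,
                         args=(workdir, lease_db, "192.168.0.11", "laptop")),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return auto_entries(os.path.join(workdir, "dnsmasq-hosts"))


def run_demos():
    """Return (entries after the unsafe interleaving, entries after the locked version)."""
    return lost_update_demo(tempfile.mkdtemp()), locked_demo(tempfile.mkdtemp())


if __name__ == "__main__":
    unsafe, locked = run_demos()
    print("unsafe:", sorted(unsafe))
    print("locked:", sorted(locked))
```

The unsafe replay always ends with only "printer" in the auto section, which is the symptom described in the post (host present in the lease DB, absent from the generated file). Whether the real generator is exposed to this depends on whether its snapshot and its write happen under one lock, which is the thing to check in the script that produces /var/etc/dnsmasq-hosts.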
#2
Hello.
Today I've upgraded OPNsense to the latest devel version:

User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
FreeBSD 11.2-RELEASE-p20-HBSD  07ef86ce9ca(stable/20.1) amd64
OPNsense 20.7.b_157 c2123d540
Plugins os-debug-1.3 os-dmidecode-1.1 os-dyndns-1.20 os-etpro-telemetry-1.4_1 os-iperf-1.0 os-mail-backup-devel-1.1 os-net-snmp-1.4 os-ntopng-1.2 os-nut-1.7 os-redis-1.1 os-siproxd-1.3 os-smart-2.1 os-vnstat-1.2 os-wol-2.3 os-zabbix-agent-1.7
Time Mon, 25 May 2020 09:35:32 +0000
OpenSSL 1.1.1g  21 Apr 2020
PHP 7.3.18


Now the CPU is constantly at almost 100%:

last pid: 84990;  load averages: 26.49, 24.59, 24.22                                                                                                                                       up 0+01:57:54  09:44:47
106 processes: 28 running, 78 sleeping
CPU: 80.6% user,  0.0% nice, 18.4% system,  1.0% interrupt,  0.0% idle
Mem: 1263M Active, 46M Inact, 508K Laundry, 522M Wired, 317M Buf, 1294M Free
Swap: 8192M Total, 1859M Used, 6332M Free, 22% Inuse, 136K In

  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
91567 root          1  75    0 91752K 73220K RUN     0   0:10  18.54% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
37485 root          1  75    0 91752K 73172K CPU0    0   0:26  16.99% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
97250 root          1  74    0 91752K 23836K RUN     1   7:37  10.54% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
52661 root          1  74    0 91752K 22608K RUN     1   4:57   6.50% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
77188 root          1  73    0 91752K 22440K RUN     1   5:32   6.41% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
90577 root          1  73    0 91752K 23320K RUN     1   4:39   6.06% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
3382 root          1  74    0 91752K 23080K RUN     1   5:37   6.01% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
37066 root          1  74    0 91752K 22732K RUN     1   5:18   6.00% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
  261 root          1  74    0 91752K 23540K RUN     1   5:03   5.97% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
70014 root          1  74    0 91752K 24572K RUN     1   7:12   5.88% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
24852 root          1  74    0 91752K 24800K RUN     1   8:38   5.80% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
21193 root          1  74    0 91752K 28356K RUN     1   9:19   5.38% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
32245 root          1  74    0 91752K 22296K RUN     1   6:31   5.21% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
41259 root          1  73    0 91752K 23084K RUN     1   4:48   5.18% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
89979 root          1  73    0 91752K 23132K RUN     1   5:51   5.16% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
19120 root          1  73    0 91752K 22856K RUN     1   6:48   4.96% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
37070 root          1  73    0 91752K 22760K RUN     1   4:06   4.95% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php
71332 root          1  73    0 91752K 22792K RUN     1   3:40   4.88% /usr/local/bin/php /usr/local/opnsense/scripts/dhcp/prefixes.php


Update:

I found the root cause:
Some time ago I increased the log file size to 100MB each. I'm running OPNsense on a normal PC with very big storage, not a resource-restricted embedded system. I knew that circular log files are used. But I never thought that the clog implementation is so archaic and has not been touched since 2001. It creates a ring buffer in a "memory" region obtained from an mmap call on the log file.

After the system update something changed. Something related to how the system flushes dirty pages. I don't know what and I don't want to dig into it. After the system update my HDD was constantly being killed by lots of writes by syslog and lots of stuck readers like python/php scripts.

Now it is not possible to switch to another logging mechanism; only remote syslog is a solution.
Internal components depend on this archaic clog solution (php/python scripts to live-view log files).

As a workaround I would recommend adding some restriction on the configuration page to limit the maximum log size to some reasonable value, and adding information on how this will affect overall system performance.




#3
20.1 Legacy Series / Re: 20.1.4 - ntopng
April 21, 2020, 10:26:57 PM
The same. Huge CPU usage after upgrade.
Package ntopng version 4.0.d20200326,1.

Lots of errors in the ntop log:



tail -f /var/db/ntopng/ntopng.log

21/Apr/2020 19:56:01 [minute.lua:25] [rrd.lua:413] ERROR: rrd_update_r() [/var/db/ntopng/0/rrd/FTP_CONTROL.rrd][1587498960:786] failed [opening '/var/db/ntopng/0/rrd/FTP_CONTROL.rrd': Permission denied]
21/Apr/2020 19:56:01 [minute.lua:25] [rrd.lua:413] ERROR: rrd_update_r() [/var/db/ntopng/0/rrd/MQTT.rrd][1587498960:2854] failed [opening '/var/db/ntopng/0/rrd/MQTT.rrd': Permission denied]
21/Apr/2020 19:56:01 [minute.lua:25] [rrd.lua:413] ERROR: rrd_update_r() [/var/db/ntopng/0/rrd/WindowsUpdate.rrd][1587498960:775] failed [opening '/var/db/ntopng/0/rrd/WindowsUpdate.rrd': Permission denied]
21/Apr/2020 19:56:01 [minute.lua:25] [rrd.lua:413] ERROR: rrd_update_r() [/var/db/ntopng/0/rrd/SSH.rrd][1587498960:219766] failed [opening '/var/db/ntopng/0/rrd/SSH.rrd': Permission denied]



ls -l /var/db/ntopng/0/rrd/       

-rw-------   1 ntopng  wheel    34640 Dec 10 01:58 AFP.rrd
-rw-------   1 ntopng  wheel    34640 Dec 10 01:58 AJP.rrd
----rw-rw-   1 ntopng  wheel    34640 Apr  2  2019 Apple.rrd
-rw-------   1 ntopng  wheel    34640 Apr 21 19:07 ApplePush.rrd
-rw-------   1 ntopng  wheel    34640 Feb 13 07:13 AppleStore.rrd
-rw-------   1 ntopng  wheel    34640 Apr 21 19:38 AppleiCloud.rrd
----rw-rw-   1 ntopng  wheel    34640 Apr  2  2019 AppleiTunes.rrd
-rw-------   1 ntopng  wheel    34640 Oct 24 06:27 BGP.rrd
----rw-rw-   1 ntopng  wheel    34640 Apr  2  2019 BJNP.rrd
-rw-------   1 ntopng  wheel    34640 Apr 21 19:07 BitTorrent.rrd
...


RW permission for ntopng is missing on some RRD files, but this is not the cause of the CPU usage. After fixing the permission problems, no errors are reported, but CPU usage stays at the same almost 100% level.


Removing /var/db/ntopng and /var/db/redis doesn't help either.

Finally, opnsense-revert -r 20.1.3 ntopng helps :)
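The permission pattern in the listing above, ----rw-rw-, is worth a check of its own: group and others can read and write, but the owning user (ntopng) cannot, so the daemon gets "Permission denied" on exactly the files that look writable to everyone else. The following is an added example, not code from the post or from ntopng/OPNsense: it walks a directory tree, reports regular files whose owner bits are missing r or w, and repairs them by adding u+rw only (group/other bits are left as they are; tightening those is a separate decision). The sample tree it runs on is constructed in a temp directory with two good and two broken files.

```python
"""Detect and repair files whose owning user lacks read+write permission."""
import os
import stat
import tempfile

OWNER_RW = stat.S_IRUSR | stat.S_IWUSR


def files_missing_owner_rw(root):
    """Return sorted [(path, mode)] for regular files under root lacking u+r or u+w."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks while auditing
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & OWNER_RW != OWNER_RW:
                found.append((path, mode))
    return sorted(found)


def add_owner_rw(paths):
    """Add u+rw to each path, preserving every other mode bit."""
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode | OWNER_RW)


def build_sample_tree(root):
    """Constructed stand-in for the RRD directory: 0o600 is fine, 0o066 is ----rw-rw-."""
    modes = {"AFP.rrd": 0o600, "Apple.rrd": 0o066, "BGP.rrd": 0o600, "BJNP.rrd": 0o066}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"RRD\0")  # placeholder bytes, not a real RRD header
        os.chmod(path, mode)
    return modes


def demo():
    """Audit a temp tree, repair it, audit again. Returns (before, after) as (name, mode) lists."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    before = [(os.path.basename(p), m) for p, m in files_missing_owner_rw(root)]
    add_owner_rw([p for p, _ in files_missing_owner_rw(root)])
    after = [(os.path.basename(p), m) for p, m in files_missing_owner_rw(root)]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, mode in before:
        print(f"owner lacks rw: {name} ({oct(mode)})")
    print("remaining after repair:", after)
```

On the firewall itself the same audit is one line of find: `find /var/db/ntopng/0/rrd -type f ! -perm -600` lists files whose owner bits are not at least rw, and `chmod u+rw` on that list is the repair. If a file's owner is not the service user at all, fixing the mode is not enough and `chown` is needed as well. As the post notes, this removes the rrd_update_r() errors but did not change the CPU load in that case.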


#4
You can add more IP addresses to an interface using Firewall --> Virtual IPs --> Settings.
Then use rules to create policy-based routing.
#5
Hello.
I'm using OPNsense 19.7.a_288-amd64 with two Ethernet WAN connections (static IP) and one Ethernet LAN interface.
On the LAN side I additionally have 2 routers which provide connectivity to other private networks (OpenVPN / strongSwan).

  • 192.168.0.1 OPNsense
  • 192.168.0.231 - machine with strongSwan (host behind: 192.168.251.235/32)
  • 192.168.0.242 - machine with OpenVPN (networks behind: 10.0.0.0/8)
To define static routes to 192.168.251.235 and 10.0.0.0/8 I was "forced" to define gateways on the LAN side.

OK. This is not a big issue. Working with predefined gateways is nice: I can monitor and see gateway status. This can be useful.
But by default the static routes are not working. I was digging and found that a strange rule was created:
pass out route-to ( bge0 192.168.0.242 ) from {bge0} to {!(bge0:network)} keep state allow-opts label "let out anything from firewall host itself"
As a workaround I've created a rule to pass traffic to 192.168.251.235 using gateway 192.168.231.
Later I found the option to disable this rule generation: Disable force gateway.


1st Q: Why is it not possible to enter the IP address of a gateway manually, and only predefined gateways can be used in static routes? I don't know OPNsense internals well, but I can only imagine that you want to keep the user from directly manipulating routing tables and to have all possible gateways defined in order to generate other rules not related to static routing.

2nd Q: Why is the option Disable force gateway not enabled by default? Or at least, if it is disabled, there should be some info on the
ui/routes page to warn that firewall rules can override routing table entries.


After some working hours I realized that after changing some settings in the LAN gateway and reloading the gateway configuration, I lost WAN connectivity. The default gateway was changed from the WAN gateway to the LAN gateway 192.168.0.242. I found that this is a known issue and will be fixed in 19.7. As a workaround all LAN gateways have to be set to Mark Gateway as Down without disabling gateway monitoring (due to another already-known issue).

But I found that disabling Disable force gateway does not honor the gateway down state, and OPNsense chooses one of the gateways to create the force gateway rule:
pass out route-to ( bge0 192.168.0.242 ) from {bge0} to {!(bge0:network)} keep state allow-opts label "let out anything from firewall host itself"
3rd Q: Should I file an issue for this?
4th Q: Why not simply add an option on the interface configuration to set IPv4 Upstream Gateway to None?