Messages - allebone

#1
Quote from: pfry on March 05, 2025, 06:03:51 AM
Have a look here: https://forum.opnsense.org/index.php?topic=45801.0. No clear characterization or solution yet. My guess is some oddity related to disabling the default rule logging.

Interesting, I would agree, thank you.
#2
Can anyone help me understand why I often see blocked packets attributed to allow rules in the logs, such as in this example?

I don't see why an allow rule would show as blocked in the logs when it also has logging disabled on the rule:

#3
Thanks. I agree and have removed that package. (I agree root cause is ZA breaks opnsense upgrade due to manually installing packages).

ZA turned out to be pretty disappointing software anyway and not remotely useful in production. Pity.
#4
Thank you for your idea cookiemonster. I actually have resolved the issue.

I put a screen on it and logged into the console locally, then ran:

opnsense-update -ur 25.1 -A 25.1

This reinstalled 25.1 and took an absolute age to complete. After it rebooted twice automatically the system seems to be back to normal. The health check now completes successfully with no errors.

Many thanks.
P
#5
Also tried updating from cli with option 12 but no difference, still just shows update is available:

  5) Power off system                  12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12     

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

A major firmware upgrade is available for this installation: 25.1

Make sure you have read the release notes and migration guide before
attempting this upgrade.  Approx. 1000MB will need to be downloaded and
require 2000MB of free space to unpack.  Continue with this major upgrade
by typing the major upgrade version number displayed above.

Minor updates may be available, answer 'y' to run them instead.

Proceed with this action? [25.1/y/N]: 25.1

Hi there,

For an entire decade now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

25.1, nicknamed "Ultimate Unicorn", features numerous MVC/API conversions,
improved security zones support and documentation, ZFS snapshot support,
a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much
more.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/25.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/25.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/25.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 24.7.12:

o system: migrate user, group and privilege management to MVC/API
o system: remove the "disable integrated authentication" feature
o system: add "Default groups" option to add standard groups when a LDAP/RADIUS user logs in
o system: remove the old manual LDAP importer
o system: migrate HA status page to MVC/API
o system: allow custom additions to sshd_config (contributed by Neil Greatorex)
o system: increase max-request-field-size for web GUI
o system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
o system: add support for RFC 5549 routes and refactor static route creation code
o system: improve notification support to also allow persistent notifications and static banners
o system: add notifications for low disk space and OpenSSH file override use
o system: migrate tunables page to MVC/API
o system: switch to temperature sensor caching
o system: add certificate widget to track expiration dates and allow quick renewal

Fetching packages-25.1-amd64.tar: ............................................ done
Extracting packages-25.1-amd64.tar... done
Please reboot.
>>> Invoking upgrade script 'sanity.sh'
Passed all upgrade tests.
>>> Invoking upgrade script 'cleanup.sh'

*** OPNsense.workgroup.local: OPNsense 24.7.12_4 (amd64) ***

LAN (em1)      -> v4: 192.168.2.2/24
PPPoEWAN (pppoe0) -> v4/PPPoE: 142.117.117.156/32
Vlan5Unrestrict (em2_vlan5) -> v4: 192.168.5.1/24
Vlan5and7Phys (em2) ->
Vlan7Tenant (em2_vlan7) -> v4: 192.168.7.1/24
WGVirtInt (wg0) -> v4: 192.168.200.1/24

HTTPS: sha256 0B B2 9D 19 A6 91 16 20 9F 17 1A 2A 88 F0 A6 B4
              C6 E6 22 FF 7B 4B C0 7C 12 3C E9 40 4D 60 7F 59
SSH:  SHA256 +TCInaFfPrusQDICPlskgMLcaUHchw4buvXKb2Qgnr4 (ECDSA)
SSH:  SHA256 3Jr9aref9DTtMkehm1bXGLSTbA1pWIZKRCpVWC5xNiE (ED25519)
SSH:  SHA256 NNRmrSW9x+C/5kwJ6EFeYg5VQAfwlQnQ0QwvuFSvtXk (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                  8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                  12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:


GUI:

#6
I tried doing a pkg install php82-session but it wanted to downgrade a bunch of packages so I don't think that is the right thing to do (I cancelled it).

Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 46 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
   php83: 8.3.15
   php83-ctype: 8.3.15
   php83-curl: 8.3.15
   php83-dom: 8.3.15
   php83-filter: 8.3.15
   php83-gettext: 8.3.15
   php83-google-api-php-client: 2.4.0
   php83-ldap: 8.3.15
   php83-mbstring: 8.3.15
   php83-pcntl: 8.3.15
   php83-pdo: 8.3.15
   php83-pear: 1.10.13
   php83-pear-Crypt_CHAP: 1.5.0_1
   php83-pecl-mcrypt: 1.0.7
   php83-pecl-radius: 1.4.0b1_2
   php83-phalcon: 5.8.0
   php83-phpseclib: 3.0.42
   php83-session: 8.3.15
   php83-simplexml: 8.3.15
   php83-sockets: 8.3.15
   php83-sqlite3: 8.3.15
   php83-xml: 8.3.15
   php83-zlib: 8.3.15

New packages to be INSTALLED:
   php82: 8.2.27
   php82-ctype: 8.2.27
   php82-curl: 8.2.27
   php82-dom: 8.2.27
   php82-filter: 8.2.27
   php82-gettext: 8.2.27
   php82-google-api-php-client: 2.4.0
   php82-ldap: 8.2.27
   php82-mbstring: 8.2.27
   php82-pcntl: 8.2.27
   php82-pdo: 8.2.27
   php82-pear: 1.10.13
   php82-pear-Crypt_CHAP: 1.5.0_1
   php82-pecl-mcrypt: 1.0.7
   php82-pecl-radius: 1.4.0b1_2
   php82-phalcon: 5.8.0
   php82-phpseclib: 3.0.42
   php82-session: 8.2.27
   php82-simplexml: 8.2.27
   php82-sockets: 8.2.27
   php82-sqlite3: 8.2.27
   php82-xml: 8.2.27
   php82-zlib: 8.2.27

So guessing I need to try something else.
#7
Do you think I can just install each of these missing packages manually and see what happens?
#8
Ran the update but after it came back up something has gone wrong and it has half installed.

If I go to firmware - changelog it still thinks 24.7.12 is installed.
When I go to check for updates it finds "packages" and wants to upgrade from 24.7 to 25.1 but if I choose update, it installs then offers the exact same update again.

If I run an audit it says:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.7.12_4 (amd64) at Wed Jan 29 17:03:40 EST 2025
>>> Root file system: /dev/ufs/OPNsense
>>> Check installed kernel version
Version 25.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-cpu-microcode-intel 1.1
os-ddclient 1.26
os-dmidecode 1.1_1
os-hw-probe 1.0_1
os-smart 2.3
os-theme-cicada 1.38
os-theme-rebellion 1.9.2
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
opnsense has a missing dependency: php82-session
opnsense has a missing dependency: php82-phalcon
opnsense has a missing dependency: php82-xml
opnsense has a missing dependency: php82-simplexml
opnsense has a missing dependency: php82-dom
opnsense has a missing dependency: php82-ctype
opnsense has a missing dependency: php82-filter
opnsense has a missing dependency: php82-pear-Crypt_CHAP
opnsense has a missing dependency: php82-phpseclib
opnsense has a missing dependency: php82-google-api-php-client
opnsense has a missing dependency: php82-sockets
opnsense has a missing dependency: php82-ldap
opnsense has a missing dependency: php82-pecl-radius
opnsense has a missing dependency: php82-curl
opnsense has a missing dependency: php82-pcntl
opnsense has a missing dependency: php82-gettext
opnsense has a missing dependency: php82-sqlite3
opnsense has a missing dependency: php82-pdo
opnsense has a missing dependency: php82-zlib
php82-pecl-mongodb has a missing dependency: php82
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 24.7.12_4 has 69 dependencies to check.
Checking packages: ..................
lighttpd-1.4.77 version mismatch, expected 1.4.76_1
Checking packages: .......
opnsense-installer-25.1 version mismatch, expected 24.7
Checking packages: .
opnsense-lang-25.1 version mismatch, expected 24.7.8
Checking packages: .
opnsense-update-25.1 version mismatch, expected 24.7.12
Checking packages: ...
Package not installed: php82-ctype
Checking packages: .
Package not installed: php82-curl
Checking packages: .
Package not installed: php82-dom
Checking packages: .
Package not installed: php82-filter
Checking packages: .
Package not installed: php82-gettext
Checking packages: .
Package not installed: php82-google-api-php-client
Checking packages: .
Package not installed: php82-ldap
Checking packages: .
Package not installed: php82-pcntl
Checking packages: .
Package not installed: php82-pdo
Checking packages: .
Package not installed: php82-pear-Crypt_CHAP
Checking packages: .
Package not installed: php82-pecl-radius
Checking packages: .
Package not installed: php82-phalcon
Checking packages: .
Package not installed: php82-phpseclib
Checking packages: .
Package not installed: php82-session
Checking packages: .
Package not installed: php82-simplexml
Checking packages: .
Package not installed: php82-sockets
Checking packages: .
Package not installed: php82-sqlite3
Checking packages: .
Package not installed: php82-xml
Checking packages: .
Package not installed: php82-zlib
Checking packages: .............
radvd-2.20 version mismatch, expected 2.19_4
Checking packages: ......... done
***DONE***

So it seems like it has half installed.

I tried reinstalling kernel and rebooting with this command: opnsense-update -fkbr 25.1

Is there some way to fix this?

Everything is currently working but clearly some issue.

Unclear what command to enter to reinstall the parts that did not work.

Kind regards
P
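
An added example, not part of the original posts and not OPNsense's own code: a small parser for the health-audit text quoted above that groups the findings and flags the state described in the post, where the kernel and base sets report one release series while the core package is still on another. The function names and the shortened sample input are constructed for illustration.

```python
import re

# Constructed sample: a shortened excerpt in the format of the audit quoted above.
SAMPLE_AUDIT = """\
Currently running OPNsense 24.7.12_4 (amd64) at Wed Jan 29 17:03:40 EST 2025
>>> Check installed kernel version
Version 25.1 is correct.
>>> Check installed base version
Version 25.1 is correct.
>>> Check for missing package dependencies
opnsense has a missing dependency: php82-session
opnsense has a missing dependency: php82-phalcon
php82-pecl-mongodb has a missing dependency: php82
>>> Check for core packages consistency
Core package "opnsense" at 24.7.12_4 has 69 dependencies to check.
lighttpd-1.4.77 version mismatch, expected 1.4.76_1
opnsense-update-25.1 version mismatch, expected 24.7.12
Package not installed: php82-session
"""

def series(version):
    """Reduce '24.7.12_4' or '25.1' to its release series ('24.7', '25.1')."""
    return ".".join(version.split(".")[:2]).split("_")[0]

def summarize_audit(text):
    """Hypothetical helper: group audit findings and flag a split upgrade."""
    out = {"core": None, "sets": {}, "missing": {}, "not_installed": [], "mismatch": []}
    section = ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith(">>>"):
            section = line[3:].strip()
        elif m := re.match(r'Core package "opnsense" at (\S+) has', line):
            out["core"] = m.group(1)
        elif m := re.match(r"Version (\S+) is correct\.", line):
            # The preceding section header says whether this is kernel or base.
            out["sets"]["kernel" if "kernel" in section else "base"] = m.group(1)
        elif m := re.match(r"(\S+) has a missing dependency: (\S+)", line):
            out["missing"].setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"Package not installed: (\S+)", line):
            out["not_installed"].append(m.group(1))
        elif m := re.match(r"(\S+) version mismatch, expected (\S+)", line):
            out["mismatch"].append((m.group(1), m.group(2)))
    # Split upgrade: kernel/base sets on another series than the core package.
    out["split_upgrade"] = out["core"] is not None and any(
        series(v) != series(out["core"]) for v in out["sets"].values())
    # Packages other than the core package whose dependencies are missing.
    out["non_core"] = sorted(p for p in out["missing"] if p != "opnsense")
    return out
```

The `non_core` list is the part worth reading first on a firewall: any package outside the core set that still pins the old PHP series is a candidate for what is holding the upgrade back.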

#9
I think I found my issue in reddit:

"
Please note we had to hotfix the kernel which will not reinstall automatically if you caught the bad version. If you experience panics on 24.7.10 relating to pf(4) please reinstall from the GUI (which includes an automatic reboot) or run "opnsense-update -fk" from the shell followed by a manual reboot. The correct kernel identifies itself as "stable/24.7-n267981-8375762712f" using "uname -v".

A hotfix release was issued as 24.7.10_2:"

I checked uname -v and had the wrong kernel. After doing the above and rebooting it was then correct. Hopefully this fixes the crashes.
#10
Also started having random reboots since the last update a couple of days ago. Unsure why. Haven't caught anything in the logs yet.
#11
Zenarmor (Sensei) / Re: 1.18 Wireguard is disconnected
November 04, 2024, 11:44:11 PM
No problems since the update also.
#12
Zenarmor (Sensei) / Re: 1.18 Wireguard is disconnected
October 31, 2024, 03:25:15 AM
Same bullshit issue just hit me today after being fine for 2 days since the update.
#13
Quote from: sy on April 29, 2024, 07:43:59 PM
Hi All,

Thanks for reporting the issue. Zenarmor started to recognize SYN attacks with version 1.17. The SYN attack was causing an engine crash in the previous versions. So the engine is capable of detecting SYN attacks, and we thought it could be useful information for the users to check the network. Can you share your subscription type so we can check whether it could be a low threshold issue, please?

I have a home license which I pay monthly.

When you say "we thought it could be useful information for the users to check the network" can you explain what we are supposed to check? Zenarmor has zero visibility into this as far as I can tell so it's not clear what you are expecting us to check.

Like to give an example, when my car says 'check oil' I use the dip stick to check how much oil there is. What am I clicking in zenarmor to view the syn attack and associated logs?
#14
I mean if there are no options to set, no thresholds to configure and nothing to view then it doesn't really help much.