Messages - ascii

#1
The temp removal of zenarmor.com fixed everything.
Now it's a clean 23.7.12_5 and an upgrade to 24.1 is suggested.

Thanks
#2
Quote from: franco on February 04, 2024, 03:09:20 PM
One sec here... did you attempt the 24.1 upgrade yet? If yes, what are your current "kernel" and "base" version? (see packages tab). I'm assuming your "opnsense" package is at 23.7.12_5.


Cheers,
Franco

Sorry for the delay. I'm out of town this week.

You are correct.
There was no upgrade to 24.1.
Base and kernel are at 23.7.10
opnsense is at 23.7.12_5

@newsense, I will try disabling the ZA repo on the weekend when I'm back home
#3
Quote from: franco on February 04, 2024, 12:09:15 PM
No, mimugmail third party is not compatible with anything lower than 24.1 now due to the OpenSSL 3 switch.


Cheers,
Franco

So that would mean the best approach would be a reinstall and applying a backup of the config.
#4
Maybe I will try that.
What is a bit more concerning is the removal of the 135 packages.
In the GUI they are marked as obsolete.
#5
Quote from: newsense on February 03, 2024, 05:38:34 AM
pkg remove py37-markupsafe

Then retry the upgrade

I tried it but sadly it didn't help.
It still wants to delete the opnsense virtual package.
#6
Hello guys,

I've got no idea what happened. I tried to upgrade today but it looks like OPNsense tries to delete itself.
Anyone have an idea how to fix this?

Last login: Fri Feb  2 18:10:48 2024 from 192.168.2.115
----------------------------------------------
|      Hello, this is OPNsense 23.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code:         https://github.com/opnsense  |        @@@@         @@@@
| Twitter:      https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

HTTPS: SHA256 F3 82 F4 27 D8 55 BF 0B 48 AF 2E 5C 8D D7 C9 96
               15 D2 B5 FE 4E 51 A2 4C 9E D9 E5 79 E9 42 4E 97
SSH:   SHA256 TM3ud5YFIp/TvIry1HLTNMlJZoHVn6Uzr3l8SauHOEQ (ECDSA)
SSH:   SHA256 FHUp3mCIQfl3Y6M4vemV3no5m0DcgQV212OQSU1ousw (ED25519)
SSH:   SHA256 UItAYMcQMA+r4J7n/RaE+JtSc5svcRrJncsXqmStHbA (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Hi there,

One more release it was indeed.  We have added considerable backend work
for improving security and adding a streaming function to avoid memory
exhaustion for data-intense data exchanges.  Note this is in preparation
for 24.1 where these will be used, but direct use in 23.7 is avoided to
lower the possibility for regressions.

The release date for 24.1 is January 30 and we approaching this differently
this time with release candidates only being available from the development
version meaning there will be no installation media before the final release.

While RC1 is mostly ready the publication is currently on hold due to chasing
down a kernel panic.  Watch out for the release notes of the RC1.  It should
be available this week with a follow-up RC2 in the following week.

Here are the full patch notes:

o system: change ZFS transaction group defaults to avoid excessive disk wear[1]
o firewall: validate if GeoIP and BGP ASN targets contain at least 1 kb of data before assuming timestamp is correct
o firmware: automatically install os-squid plugin install when web proxy is enabled before major upgrade
o firmware: refactor export and scrub Unbound DNS database before major upgrade
o firmware: disallow TLS lower than 1.3 on business mirror
o openvpn: add validation for netmask greater than 29 exactly as specified in the OpenVPN source code
o backend: support streaming output using the "stream_output" handler
o backend: implement optional trust model and add extended logging
o backend: support optional configd configuration files
o mvc: add an IPPortField type
o mvc: split configdRun() in order to return a resource which the controller can stream with minimal memory consumption
o ui: fix the missing dialog padding in some modals
o ui: set a default data-size for increased readability in selectpickers
o ui: show tooltip when grid td content does not fit
o plugins: os-bind 1.29[2]
o plugins: os-ddclient 1.20[3]
o plugins: os-frr 1.38[4]
o plugins: os-node_exporter 1.2[5]
o plugins: os-sunnyvalley 1.4 switches to new repository layout
o ports: py-netaddr 0.10.1[6]
o ports: sudo 1.9.15p5[7]

A hotfix release was issued as 23.7.12_5:

o reporting: print status message when Unbound DNS database was not found during firmware upgrade
o firmware: enable upgrade path to 24.1
o backend: only parse stream results when configd socket could be opened


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/core/commit/269b9fbaf
[2] https://github.com/opnsense/plugins/blob/stable/23.7/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/23.7/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/23.7/sysutils/node_exporter/pkg-descr
[6] https://netaddr.readthedocs.io/en/latest/changes.html#release-0-10-1
[7] https://www.sudo.ws/stable.html#1.9.15p5

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
mimugmail repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
mimugmail repository is up to date.
All repositories are up to date.
Checking for upgrades (21 candidates): .......... done
Processing candidates (21 candidates): ........ done
Checking integrity... done (2 conflicting)
  - openssl-1.1.1w,1 [SunnyValley] conflicts with openssl111-1.1.1w [installed] on /usr/local/bin/c_rehash
  - openssl-1.1.1w,1 [SunnyValley] conflicts with openssl111-1.1.1w [OPNsense] on /usr/local/bin/c_rehash
Cannot solve problem using SAT solver, trying another plan
Cannot solve problem using SAT solver, trying another plan
Cannot solve problem using SAT solver, trying another plan
Checking integrity... done (0 conflicting)
The following 140 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
        avahi-app: 0.8_1
        bind-tools: 9.18.20_1
        cpdup: 1.22
        curl: 8.5.0
        cyrus-sasl: 2.1.28_1
        cyrus-sasl-gssapi: 2.1.28
        dbus-glib: 0.112
        ddclient: 3.11.2_1
        gamin: 0.1.10_10
        glib: 2.78.3,2
        gnutls: 3.7.10
        hostapd: 2.10_8
        hw-probe: 1.6.5
        iperf3: 3.16
        isc-dhcp44-server: 4.4.3P1
        krb5: 1.21.2
        ldns: 1.8.3
        libevent: 2.1.12
        libfido2: 1.14.0
        lighttpd: 1.4.73
        monit: 5.33.0
        ntp: 4.2.8p17_1
        openldap26-client: 2.6.6
        openssh-portable: 9.6.p1_1,1
        openssl111: 1.1.1w
        openvpn: 2.6.8_1
        opnsense: 23.7.12
        opnsense-installer: 24.1
        opnsense-update: 23.7.10_1
        os-cache: 1.0_1
        os-ddclient: 1.20
        os-hw-probe: 1.0_1
        os-iperf: 1.0_1
        os-redis: 1.1_2
        p11-kit: 0.25.3
        php82: 8.2.14
        php82-ctype: 8.2.14
        php82-curl: 8.2.14
        php82-dom: 8.2.14
        php82-filter: 8.2.14
        php82-gettext: 8.2.14
        php82-google-api-php-client: 2.4.0
        php82-ldap: 8.2.14
        php82-mbstring: 8.2.14
        php82-opcache: 8.2.14
        php82-pcntl: 8.2.14
        php82-pdo: 8.2.14
        php82-pear: 1.10.13
        php82-pear-Crypt_CHAP: 1.5.0_1
        php82-pecl-mcrypt: 1.0.6
        php82-pecl-mongodb: 1.15.3
        php82-pecl-radius: 1.4.0b1_2
        php82-phalcon: 5.3.1
        php82-phpseclib: 3.0.34
        php82-session: 8.2.14
        php82-simplexml: 8.2.14
        php82-sockets: 8.2.14
        php82-sqlite3: 8.2.14
        php82-xml: 8.2.14
        php82-zlib: 8.2.14
        pkcs11-helper: 1.29.0_1
        py39-Babel: 2.14.0
        py39-Jinja2: 3.1.2
        py39-aioquic: 0.9.24
        py39-anyio: 4.2.0
        py39-async_generator: 1.10
        py39-attrs: 23.1.0
        py39-boto3: 1.34.7
        py39-botocore: 1.34.7
        py39-bottleneck: 1.3.7_1
        py39-certifi: 2023.11.17
        py39-cffi: 1.16.0
        py39-charset-normalizer: 3.3.2
        py39-cryptography: 41.0.7_2,1
        py39-cython: 0.29.37
        py39-dateutil: 2.8.2
        py39-dnspython: 2.4.2,1
        py39-duckdb: 0.8.1
        py39-exceptiongroup: 1.2.0
        py39-h11: 0.14.0
        py39-h2: 4.1.0
        py39-hpack: 4.0.0
        py39-httpcore: 1.0.2
        py39-httpx: 0.26.0
        py39-hyperframe: 6.0.0
        py39-idna: 3.6
        py39-importlib-metadata: 7.0.1
        py39-jmespath: 1.0.1
        py39-markdown: 3.3.7_1
        py39-markupsafe: 2.1.3
        py39-netaddr: 0.10.1
        py39-numexpr: 2.8.8
        py39-numpy: 1.25.0_4,1
        py39-openssl: 23.2.0,1
        py39-outcome: 1.3.0_1
        py39-pandas: 2.0.3,1
        py39-pyasn1: 0.5.0
        py39-pyasn1-modules: 0.3.0
        py39-pycparser: 2.21
        py39-pylsqpack: 0.3.18
        py39-pysocks: 1.7.1
        py39-pytz: 2023.3,1
        py39-requests: 2.31.0
        py39-s3transfer: 0.10.0
        py39-service-identity: 23.1.0
        py39-setuptools: 63.1.0_1
        py39-six: 1.16.0
        py39-sniffio: 1.3.0
        py39-sortedcontainers: 2.4.0
        py39-sqlite3: 3.9.18_7
        py39-trio: 0.24.0
        py39-typing-extensions: 4.9.0
        py39-tzdata: 2023.4
        py39-ujson: 5.9.0
        py39-urllib3: 1.26.18,1
        py39-vici: 5.9.11
        py39-yaml: 6.0.1
        py39-zipp: 3.17.0
        python39: 3.9.18
        redis: 7.2.3
        rrdtool: 1.8.0_3
        ruby: 3.1.4_1,1
        ruby31-gems: 3.4.20
        rubygem-rexml: 3.2.6
        squid: 6.6
        strongswan: 5.9.13
        sudo: 1.9.15p5
        suricata: 6.0.15
        syslog-ng: 4.4.0
        talloc: 2.3.4
        tdb: 1.4.7,1
        tevent: 0.13.0_1
        unbound: 1.19.0
        vim: 9.1.0015_1
        wget: 1.21.4
        wpa_supplicant: 2.10_10

New packages to be INSTALLED:
        openssl: 1.1.1w,1 [SunnyValley]

Installed packages to be UPGRADED:
        libxcb: 1.15_1 -> 1.15_2 [mimugmail]
        os-sunnyvalley: 1.4_1 -> 1.4_3 [OPNsense]

Installed packages to be REINSTALLED:
        libarchive-3.7.2,1 [mimugmail] (direct dependency changed: openssl)

Number of packages to be removed: 136
Number of packages to be installed: 1
Number of packages to be upgraded: 2
Number of packages to be reinstalled: 1

The operation will free 725 MiB.
pkg-static: Cannot delete vital package: opnsense!
pkg-static: If you are sure you want to remove opnsense,
pkg-static: unset the 'vital' flag with: pkg set -v 0 opnsense
Starting web GUI...done.
Generating RRD graphs...done.

*** OPNsense.lan.dom: OPNsense 23.7.12 ***

LAN (em2)       -> v4: 192.168.2.2/25
                    v6/t6: /64
S2Sxanten (wg1) ->
WAN (em1)       -> v4/DHCP4: xyz/23
                    v6/DHCP6: /128
guest (em0_vlan13) -> v4: 192.168.13.1/24
                    v6/t6: /64
iot (em0_vlan15) -> v4: 192.168.15.1/24
trunk (em0)     ->
voip (em0_vlan14) -> v4: 192.168.14.1/29
wireg (wg0)     -> v4: 10.10.100.0/24

HTTPS: SHA256 F3 82 F4 27 D8 55 BF 0B 48 AF 2E 5C 8D D7 C9 96
               15 D2 B5 FE 4E 51 A2 4C 9E D9 E5 79 E9 42 4E 97
SSH:   SHA256 TM3ud5YFIp/TvIry1HLTNMlJZoHVn6Uzr3l8SauHOEQ (ECDSA)
SSH:   SHA256 FHUp3mCIQfl3Y6M4vemV3no5m0DcgQV212OQSU1ousw (ED25519)
SSH:   SHA256 UItAYMcQMA+r4J7n/RaE+JtSc5svcRrJncsXqmStHbA (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:


This is the health audit:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.7.12 at Fri Feb  2 18:35:12 CET 2024
>>> Root file system: /dev/gpt/rootfs
>>> Check installed kernel version
Version 23.7.10 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.7.10 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
mimugmail
SunnyValley
>>> Check installed plugins
os-adguardhome-maxit 1.10
os-api-backup 1.1
os-cache 1.0_1
os-collectd 1.4_1
os-crowdsec 1.0.7
os-ddclient 1.20
os-dmidecode 1.1_1
os-dyndns 1.27_3
os-etpro-telemetry 1.6_1
os-firewall 1.4_2
os-hw-probe 1.0_1
os-intrusion-detection-content-pt-open 1.0_1
os-ipcheck-community 0.3
os-iperf 1.0_1
os-nextcloud-backup 1.0_1
os-redis 1.1_2
os-sensei 1.16.2
os-sensei-updater 1.16
os-siproxd 1.3_2
os-smart 2.2_4
os-speedtest-community 0.9_4
os-sunnyvalley 1.4_1
os-vnstat 1.3_1
os-wireguard 2.6
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
>>> Check for missing or altered package files
Checking all packages: ....
os-adguardhome-maxit-1.10: checksum mismatch for /usr/local/AdGuardHome/AdGuardHome
os-adguardhome-maxit-1.10: checksum mismatch for /usr/local/AdGuardHome/AdGuardHome.sig
Checking all packages....
os-sensei-1.16.2: missing file /usr/local/zenarmor/output/archive/.placeholder
Checking all packages........ done
>>> Check for core packages consistency
Core package "opnsense" has 69 dependencies to check.
Checking packages: .......................
opnsense-23.7.12 version mismatch, expected 23.7.12_5
Checking packages: ............................................... done
***DONE***
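As an added example (not code from the thread or from OPNsense), here is a POSIX shell check for the failure mode shown in the output above: it parses an upgrade plan, assumed to be the text of a `pkg upgrade -n` dry run, refuses to proceed when the core "opnsense" package appears under the packages to be removed, and lists the third-party repositories named in the conflict lines. The sample plan is constructed and trimmed from the output quoted above.

```shell
#!/bin/sh
# Pre-upgrade guard (added example, not part of the forum post or of OPNsense).
# Assumption: the plan text is what `pkg upgrade -n` prints as a dry run.

# Constructed sample plan, trimmed from the thread's pkg output.
SAMPLE_PLAN='Checking integrity... done (2 conflicting)
  - openssl-1.1.1w,1 [SunnyValley] conflicts with openssl111-1.1.1w [installed] on /usr/local/bin/c_rehash
  - openssl-1.1.1w,1 [SunnyValley] conflicts with openssl111-1.1.1w [OPNsense] on /usr/local/bin/c_rehash
Installed packages to be REMOVED:
        curl: 8.5.0
        opnsense: 23.7.12
        opnsense-update: 23.7.10_1
        py39-requests: 2.31.0

New packages to be INSTALLED:
        openssl: 1.1.1w,1 [SunnyValley]

Number of packages to be removed: 4'

# Print the package names listed under "Installed packages to be REMOVED:".
removed_packages() {
    printf '%s\n' "$1" | awk '
        /^Installed packages to be REMOVED:/ { inblock = 1; next }
        /^[^[:space:]]/                      { inblock = 0 }
        inblock && /^[[:space:]]+[^:]+:/     { sub(/^[[:space:]]+/, ""); sub(/:.*/, ""); print }
    '
}

# Print the repositories named in conflict lines, excluding the core repo
# and the "[installed]" marker, deduplicated.
conflict_repos() {
    printf '%s\n' "$1" | awk '
        /conflicts with/ {
            while (match($0, /\[[^]]+\]/)) {
                repo = substr($0, RSTART + 1, RLENGTH - 2)
                $0 = substr($0, RSTART + RLENGTH)
                if (repo != "installed" && repo != "OPNsense") print repo
            }
        }
    ' | sort -u
}

# Return 0 when the plan keeps the core package, 1 when it would remove it.
plan_is_safe() {
    if removed_packages "$1" | grep -qx 'opnsense'; then
        return 1
    fi
    return 0
}

if plan_is_safe "$SAMPLE_PLAN"; then
    echo "plan OK"
else
    echo "ABORT: upgrade plan removes the opnsense core package" >&2
    echo "third-party repos involved in conflicts:" >&2
    conflict_repos "$SAMPLE_PLAN" | sed 's/^/  /' >&2
fi
```

Feeding it the real dry-run output instead of the sample gives a go/no-go answer before any package is touched, and points at the repository to disable first.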
#7
Alternatively you could take a look at Sensei. There you can select the services explicitly.
It should be said that Sensei does need some hardware resources.
#8
If you have enough ports on the firewall and the switch, then each network separately.
That's how I have it at my place.
FW WAN -> WAN modem
FW LAN -> switch port 1
FW trunk -> switch port 2 trunk (VLANs for IoT, VoIP and guests)

That way my LAN can reach the WAN at 1 Gig (Unitymedia/Vodafone gigabit connection);
my other 3 VLANs share one 1 Gig link to the firewall.

Currently I have Sensei active on the LAN. Since it runs only on the physical port as an access port, there is no need to look into the individual Ethernet headers there.
I am considering enabling Sensei on the other networks. (Still need to do performance tests)

In the end the question is how much traffic you have between the networks.

With 1 port as a trunk and 2 VLANs you simply don't get 1 Gig throughput between the systems.

Traffic on your IoT network will surely stay within limits. The guest network normally doesn't matter either. Then it's just slow.

If you have 4 NICs, I would do it like this:
1x WAN
1x LAN/Mgmt
1x employee WLAN/LAN
1x trunk with IoT VLAN and guest VLAN
#9
Sounds to me like a trunking problem on the switches.
Are the fibre ports set to trunk on both sides?
Are the VLANs in the allow list on both sides? (If there is such a thing. I don't have Ubiquiti myself)

Is there possibly a channel protocol active somewhere on the ports (LACP or DTP, for example)? Then it would have to be configured on the other side as well.

Perhaps a native VLAN mismatch?
#10
That only works via a bridge.

I would rather invest a few euros in a proper switch.

Let the switch do the switching. That is what the ASIC and backplane are designed for.

The firewall/router should always be regarded as the "edge" device in the network. That is, the router-on-a-stick principle (with enough ports, also 1 port per VLAN instead of a trunk; that makes it easier with Sensei).

There is a community project that provides the Unifi software on OPNsense. (I don't have one myself and can't say anything specific about it)
#11
German - Deutsch / Re: Unusual routing behaviour
February 03, 2021, 07:19:31 AM
I see it the same way as Gauss23. That gives you asymmetric routing, meaning the outbound and return paths are not the same. Depending on the application this can lead to problems.

I think you have 3 options

1. Change the IP of the backup router, give the OPNsense a transfer network and route via that.
2. A NAT on the OPNsense to hide all packets going to the VPN router "behind the OPNsense". (Outbound NAT)
3. Enter a route for 80.80.80.80/32 on the clients that points to the backup router.

Now it depends on how much traffic we are talking about and how many interfaces your OPNsense has. If it's only ever a little bit now and then, I would go with option 1.
I would leave option 2 out entirely. It only creates "load" and is always a pain when debugging.
With option 3 I'm not sure whether the route can be pushed via DHCP. That would be very convenient and you would hardly have to change anything.

Personally I would go with option 1.
#12
I have the same problem.
I have an internet connection via cable from an ISP in Germany.

Not the best solution, but I ended up looking up the IP ranges the ISP hands out to customers.
I just added the subnets as local. Not nice, but that way it is working for me.
#13
So far that is all correct.
Now you just have to tell the Fritzbox what to do with packets for the networks 192.168.1/24 and 192.168.2/24.

So set up 2 static routes in the Fritzbox:
192.168.1.0/24 to 192.168.192.2
and 192.168.2.0/24 to 192.168.192.2

Do not set up NAT on the OPNsense. (otherwise you have double NAT :( )

On the OPNsense enter 192.168.192.1 as the default gateway.

If you also want to use VPN, you have to set up a port forward on the Fritzbox to the OPNsense.
I'm not sure whether Vodafone/Unitymedia supports it by now, but you could consider using the Fritzbox purely as a modem. Then you would have the public IP(s) on the OPNsense.
#14
German - Deutsch / Re: Fail2Ban on the OPNsense
December 08, 2020, 12:19:38 PM
I think what was meant was the banaction

From what I read on GitHub and in the FreeBSD forum
https://forums.freebsd.org/threads/communication-between-fail2ban-and-pf-fails.64452/
https://github.com/fail2ban/fail2ban/issues/1915

it should look like this

banaction = pf[actiontype=<allports>]