Messages - brim2full

#1
I originally posted this issue when attempting to upgrade from 21.1 to 21.7. And the problem persists trying to upgrade from:

OPNsense 21.7.7-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l  24 Aug 2021
***GOT REQUEST TO UPDATE***
mkdir: /var/cache/opnsense-update/92971: Too many links
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-21.7.7-amd64.txz: .mkdir: /var/cache/opnsense-update/86969: Too many links
failed, mkdir error 0
***DONE***
NO ONE RESPONDED TO MY LAST REQUEST FOR HELP. 

NOT IMPRESSED.

#2
Example of it partly working:
***GOT REQUEST TO UPGRADE***
Fetching packages-21.7-OpenSSL-amd64.tar: ................................................ done
Fetching base-21.7-amd64.txz: ................ done
Fetching kernel-21.7-amd64.txz: ..... done
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Extracting packages-21.7-OpenSSL-amd64.tar... done
Extracting base-21.7-amd64.txz... done
Installing kernel-21.7-amd64.txz... done
/usr/local/sbin/opnsense-update: rm: Argument list too long
***DONE***


The only thing I changed was fixing the mail address in Monit.

It appears to have tried to install the kernel >>
System: Firmware Updates tab
Package name   Current version   New version   Required action   Repository
kernel         21.7              21.1.8        upgrade           OPNsense

Also in the System: Firmware Packages tab:
kernel   21.7   121.0MiB   OPNsense   BSD2CLAUSE   HardenedBSD kernel set



#3
Installed:

OPNsense 21.1.9_1-amd64
FreeBSD 12.1-RELEASE-p19-HBSD
OpenSSL 1.1.1k  25 Mar 2021
CPU type Intel(R) Core(TM)2 Duo CPU     E7400  @ 2.80GHz (2 cores)


Run Health Audit Reports: CLEAN

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.1.9_1 (amd64/OpenSSL) at Tue Sep 14 11:53:57 -01 2021
>>> Check installed kernel version
Version 21.1.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***


Run Security Audit Reports:
***GOT REQUEST TO AUDIT SECURITY***

.... Detail removed for security reasons ....

3 problem(s) in 3 installed package(s) found.

***DONE***
Checking for updates (using the WEB GUI):

Package name   Current version   New version   Required action   Repository
base           21.1.8            21.7          upgrade           OPNsense
kernel         21.1.8            21.7          upgrade           OPNsense
packages       21.1.9_1          21.7          upgrade           OPNsense

First attempt:
***GOT REQUEST TO UPGRADE***
Fetching packages-21.7-OpenSSL-amd64.tar: .mkdir: /var/cache/opnsense-update/58221: Too many links
  failed, mkdir error 0
***DONE***


Go back to Status Tab and retry update:
***GOT REQUEST TO UPGRADE***
Fetching packages-21.7-OpenSSL-amd64.tar: .mkdir: /var/cache/opnsense-update/56544: Too many links
  failed, mkdir error 0
***DONE***


From Log Files - General:

Date                 Process           Line
2021-09-14T12:09:02  monit[36141]      'No_FW_Updates' status didn't change (1) -- tput: no terminal type specified and no TERM environmental variable. mkdir: /var/cache/opnsense-update/40832: Too many links  1
2021-09-14T12:07:02  monit[36141]      Aborting event
2021-09-14T12:07:02  monit[36141]      Mail: Mailserver response error -- 553 5.7.1 <..............>: Sender address rejected: not owned by user................
2021-09-14T12:07:01  monit[36141]      'No_FW_Updates' status changed (0 -> 1) -- tput: no terminal type specified and no TERM environmental variable. mkdir: /var/cache/opnsense-update/25806: Too many links  1
2021-09-14T12:05:01  monit[36141]      'No_FW_Updates' status didn't change (0) -- tput: no terminal type specified and no TERM environmental variable. Your system is up to date. 0
2021-09-14T12:03:01  monit[36141]      Aborting event
2021-09-14T12:03:01  monit[36141]      Mail: Mailserver response error -- 553 5.7.1 <......................>: Sender address rejected: not owned by user ......................
2021-09-14T12:03:00  monit[36141]      'No_FW_Updates' status changed (1 -> 0) -- tput: no terminal type specified and no TERM environmental variable. Your system is up to date. 0
2021-09-14T12:02:28  syslog-ng[76420]  syslog-ng starting up; version='3.33.2'
2021-09-14T12:02:28  syslogd           kernel boot file is /boot/kernel/kernel
2021-09-14T12:02:27  syslogd           exiting on signal 15
2021-09-14T12:02:19  syslog-ng[22675]  syslog-ng starting up; version='3.33.2'
2021-09-14T12:02:19  syslogd           kernel boot file is /boot/kernel/kernel

Running option 12 on the console:
Proceed with this action? [21.7/y/N]: 21.7

Fetching packages-21.7-OpenSSL-amd64.tar: .mkdir: /var/cache/opnsense-update/13914: Too many links
  failed, mkdir error 0

*** opnsense.home.net: OPNsense 21.1.9_1 (amd64/OpenSSL) ***

ALSO. 

I have by some means got as far as successfully downloading the three packages (base, kernel and packages). I am also attempting to install the aforementioned packages. However, the kernel package fails with the message rm: argument list too long. I have also had base fail with .mkdir: /var/cache/opnsense-update/75470: Too many links


Does anyone have thoughts on this issue, please?
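The recurring mkdir: /var/cache/opnsense-update/NNNNN: Too many links in posts #1 to #3 is mkdir(2) returning EMLINK, which for mkdir means the parent directory's link count (one link per subdirectory) would exceed the filesystem's LINK_MAX, so the update cache directory holds far too many subdirectories; the rm: Argument list too long in post #2 is consistent with the same overfull directory being expanded onto one command line. The check below is an added diagnostic, not code from the thread or from the OPNsense project; the cache path is the one in the posts, and the 32767 limit is an assumption for UFS that can be overridden.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or the OPNsense project). mkdir(2)
# fails with EMLINK, printed as "Too many links", only when the parent
# directory's link count would exceed LINK_MAX; a directory gains one link
# per subdirectory, so the update cache has too many subdirectories in it.
# The cache path is the one in the thread; the 32767 limit is an assumption
# for UFS (override with LINK_MAX_ASSUMED on another filesystem).

CACHE_DIR="${CACHE_DIR:-/var/cache/opnsense-update}"
LINK_MAX_ASSUMED="${LINK_MAX_ASSUMED:-32767}"

# Number of immediate subdirectories, including hidden ones (POSIX sh only,
# no find -maxdepth needed). Non-matching globs stay literal and fail -d.
count_subdirs() {
    n=0
    for d in "$1"/*/ "$1"/.[!.]*/ "$1"/..?*/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Link count of a directory as reported by ls (portable across BSD/Linux).
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# True (exit 0) when at most $2 links (default 100) remain before the
# assumed LINK_MAX, i.e. the next mkdir inside $1 is about to fail.
near_link_max() {
    dir="$1"; margin="${2:-100}"
    links=$(link_count "$dir")
    [ $((LINK_MAX_ASSUMED - links)) -le "$margin" ]
}

report() {
    dir="$1"
    printf '%s: %s subdirectories, link count %s, assumed LINK_MAX %s\n' \
        "$dir" "$(count_subdirs "$dir")" "$(link_count "$dir")" "$LINK_MAX_ASSUMED"
    if near_link_max "$dir"; then
        echo "WARNING: mkdir inside $dir will fail with EMLINK (Too many links)"
    fi
}

# Only run the report when the cache directory exists on this host.
if [ -d "$CACHE_DIR" ]; then
    report "$CACHE_DIR"
fi
```

Run it as root on the affected firewall; a subdirectory count at the assumed limit is the condition behind the error in the posts.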
#4
The Problem:
After following the OpenVPN How-To for "Setup SSL VPN Road Warrior" in the documentation for version 20.1.6 of OPNsense and using the OpenVPN wizard for an initial configuration, I could not connect to any internal or external websites. Trying to ping a URL (rather than an IP) also failed. I immediately suspected the VPN tunnel was not finding the DNS server.

Diagnosing the Problem:
I could eliminate the first step since I could successfully connect to OpenVPN.
I next used ping to confirm the end points (servers) could be seen.  Careful here because some servers and firewalls block ICMP and OPNsense will if no rule is in place to pass ICMP. I also used traceroute to check packets were going in the right direction to the endpoints.
I then used the Packet Capture (Interfaces > Diagnostics > Packet Capture) to look at the LAN port and discovered DNS requests from OpenVPN were being rejected.
Your friendly DuckDuckGo representative informed me that "reject" does not mean blocked but there was likely to be a configuration issue.
My OPNsense configuration uses Unbound as the resolver. Since all devices on the LAN were working happily, I assumed the basic configuration was correct. But I did work through each setting just to check. There it was, the GOTCHA.

The GOTCHA:
It appears neither the OpenVPN wizard nor the web GUI applies the appropriate setting to Unbound. Neither is it mentioned in the documentation. This is when using Unbound as your DNS resolver and you cannot resolve DNS names through the VPN.

An Aside:

Also watch out if you manually set up the firewall rules. If you forget to press Apply, there is no warning on any other screen that you have un-applied changes. May I suggest that after completing a manual configuration you reboot OPNsense and then recheck your configuration before proceeding to testing.
Regards
#5
Thanks mimugmail, your reply was insightful and raises a specific OpenVPN question not related to this post, so I'll give it some thought and maybe post a different question.
Meanwhile, back to this ranch.... does OpenVPN use the ISAKMP protocol?
#6
If you can ping both the accessible and non-accessible machines then you're halfway there. Also check ping in the other direction. Note: ICMP pings are sometimes blocked by firewalls; temporarily enable it.

If that works then you need to be more explicit about what you mean by "accessing".  The machines may well have their own firewalls.  Are they blocking access?  Do the machines in question have different network setups?
#7
I was digging around my firewall rules today trying to check why I'm having a problem with OpenVPN, unrelated. I noted two auto-configured NAT outbound rules both include IP address ranges associated with LAN, localhost and my OpenVPN.

Interface  Src. Networks     Src. Port  Dest. Networks  Dest. Port  NAT Address  NAT Port  Static Port  Description
WAN        LAN networks,     *          *               500         WAN          *         YES          Auto created rule for ISAKMP
           127.0.0.0/8,
           op.en.vpn.0/24

WAN        LAN networks,     *          *               *           WAN          *         NO           Auto created rule
           127.0.0.0/8,
           op.en.vpn.0/24

What immediately caught my eye though was "Auto created rule for ISAKMP". Not being the most experienced in these things and not recognising ISAKMP, I googled the interweb. It appears ISAKMP is strongly associated with IPsec and Cisco, neither of which I am using. So why does this rule exist? Also, if my understanding of the outbound rules is correct, I wonder if the rule is actually required. Would it not be covered by the second rule (Auto created rule)?

It might also be sensible to query my reading of these rules, which would be: map source addresses:ports (the source networks listed) leaving the WAN interface to destination addresses:ports. If that is wrong then please educate me.

Regards all and keep safe.
#8
Thanks again. I never expected that.
Regards
#9
OK, I decided to give up for the time being and decided to add a block list using aliases to firewall rules. I followed the Spamhaus DROP "don't route" how-to and it worked. What didn't work was importing my own file. I tried entering "file://block_lists/block.txt" and "/block_lists/block.txt" and neither actually imported anything.

Incidentally, the next scheduled release (June) is tasked with merging unbound-plus, so I'll take another look then.
Regards
#10
Thanks mimugmail - I'll have a play and let you know how I get on.
#11
In the absence of documentation specifically relating to the unbound-plus plugin, could someone please confirm, or otherwise correct, my understanding.

The Task:
I'm trying to set up the blacklist by following the setup documented for the Caching Proxy "Setup Web Filtering". So question one: is that reasonable?

I enabled blacklist, selected Easy List, entered the URL of the full compressed UT1 category-based list (ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz) and pressed save. However, I'm not sure whether it worked or not. There were no error messages, no nasty surprises and nothing reported in the Unbound log file. I cannot even see any list of IPs it is actually blocking. So question two: have I done everything I need to do?

Once I have this set up, then question three: how do I get the block list to update?

Regards all and keep safe.
Phil