Messages - fireburner

#1
Thanks Patrick and Franco.
I successfully managed to reinstall and import a recent backup from /conf/backup.
Very good to know, that there are automated backups on the device.
I used the chance and installed on zfs this time :)
#2
Thanks for the advice. I don't use zfs yet.
I'd prefer to have this install fixed so I don't have to set up all the tons of firewall rules again.
#3
I have just updated to 25.1 on my PC-Engines APU4D4 and the system now fails to boot with a fatal error.

These are the last lines I can see through the console before it stops:
>>> Invoking early script 'upgrade'
>>> Invoking early script 'configd'
Starting configd.
>>> Invoking early script 'templates'
Generating configuration: OK
>>> Invoking early script 'backup'
>>> Invoking backup script 'captiveportal'
>>> Invoking backup script 'dhcpleases'
>>> Invoking backup script 'duid'
>>> Invoking backup script 'netflow'
>>> Invoking backup script 'rrd'
>>> Invoking early script 'carp'
CARP event system: Error (255)
Launching the init system...done.
Initializing...
Fatal error: Uncaught Error: Call to undefined function OPNsense\Core\simplexml_load_string() in /usr/local/opnsense/mvc/app/library/OPNsense/Core/Config.php:389
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Core/Config.php(431): OPNsense\Core\Config->loadFromStream(Resource id #18)
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Core/Config.php(329): OPNsense\Core\Config->load()
#2 /usr/local/opnsense/mvc/app/library/OPNsense/Core/Singleton.php(51): OPNsense\Core\Config->init()
#3 /usr/local/opnsense/mvc/app/library/OPNsense/Core/Singleton.php(72): OPNsense\Core\Singleton->__construct()
#4 /usr/local/etc/inc/config.inc(114): OPNsense\Core\Singleton::getInstance()
#5 /usr/local/etc/inc/config.inc(369): parse_config()
#6 /usr/local/etc/rc.bootup(50): require_once('/usr/local/etc/...')
#7 {main}
  thrown in /usr/local/opnsense/mvc/app/library/OPNsense/Core/Config.php on line 389
Enter full pathname of shell or RETURN for /bin/sh:

Would anyone have any tips to get the system back to boot?
Thanks in advance.
#4
Does anyone know if the upcoming FreeBSD 13.1 (coming in OPNsense 22.7) brings some single core network improvements?
#5
still the same with 22.1.8_1
#6
The issue with IPS remains with 22.1.4_1
#7
I have no clue, what went wrong here, but I got it to work now, again.
I had to select the OpenVPN interface in unbound and now DNS is working again as before.

But I am quite sure it must have been selected before the upgrade.
And because the Update made it stop working, I had played around with the separate interface I have had assigned under interfaces to the OpenVPN interface and eventually had removed it.
Assumingly that removed it from Unbound as well.
So the issue probably was that I had manually assigned an interface to the OpenVPN interface in the past instead of just leaving it as it gets created by the OpenVPN package.
#8
Since the OPNsense upgrade to 22.1, DNS is not working anymore on my VPN clients.

My VPN network is 192.168.20.0/24 and I push 192.168.20.1 as DNS server to the clients.

I just created a test rule in the OpenVPN firewall section
Protocol  Source           Port  Destination  Port  Gateway  Schedule  Description
IPv4 *    192.168.20.0/24  *     *            *     *        *         Allow all

When I however run nmap -53 192.168.20.1 on the client, it states port 53 is filtered.

So I am wondering, if unbound is not serving this subnet anymore.

I have not had any issues prior to OPNsense 22.1.
#9
Quote from: franco on February 07, 2022, 12:31:29 PM
Don't run IPS in VLAN interfaces. Emulated mode didn't work prior to 22.1 in kernel and now it does but it's buggy as hell as per upstream.
Thanks Franco, but I did only activate IPS on physical interfaces and not on the vlans.
Or does it mean, that we must not activate it on vlan parent interfaces either?

However I am also wondering, if IDS/IPS does work at all this way (sitting on the parent interface).
#10
I finally found time to look into this:

I cleared all lists and started in IDS only mode.
All is working fine, even after 30 minutes.

However as soon as I enable IPS, the described issue is present again.

I assume it could have sth. to do with the "Promiscuous mode" setting, that needs to be enabled for IPS.
However it seems not to cause any issues with active promiscuous mode and IDS.
#11
Most of the suggested tunables are not supported any more in 22.1.
I have however not yet tested network performance in 22.1.

Tunables dev.igb.0.fc, dev.igb.1.fc,... are still shown as valid tunables.

These are shown as unsupported:
dev.igb.0.eee_disabled, dev.igb.1.eee_disabled, ...
hint.acpi_perf.0.disabled
hint.acpi_throttle.0.disabled
hint.p4tcc.0.disabled
hw.igb.0.fc, hw.igb.1.fc, ...
hw.igb.num_queues
hw.igb.rx_process_limit
hw.igb.tx_process_limit
legal.intel_igb.license_ack


I have removed the flow control tunables, as the network speed was minimally faster.
I got 350/210 MBit/s with iperf in both directions (including the use of vlans) and IDS/IPS off.
One way got me 390 MBit/s.

With IDS (no IPS, because that is broken for me in 22.1):
one way: 300 MBit/s
#12
First of all, I would like to thank everyone, involved in any way, for this wonderful firewall appliance!

I just upgraded to 22.1.
When booted up, all is normally working for around 3 minutes.
Then on the console I see these messages:
099.460195 [ 849] iflib_netmap_config       txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
igb1: link state changed to DOWN
igb1_vlan40: link state changed to DOWN
igb1_vlan11: link state changed to DOWN
igb1_vlan30: link state changed to DOWN
100.203318 [ 849] iflib_netmap_config       txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
100.510787 [ 849] iflib_netmap_config       txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
100.830802 [ 849] iflib_netmap_config       txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
igb3: link state changed to DOWN
igb3_vlan1: link state changed to DOWN
igb3_vlan40: link state changed to DOWN
igb3_vlan30: link state changed to DOWN
101.016024 [ 849] iflib_netmap_config       txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
101.349329 [ 849] iflib_netmap_config       txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048
igb1: link state changed to UP
igb1_vlan40: link state changed to UP
igb1_vlan11: link state changed to UP
igb1_vlan30: link state changed to UP
igb3: link state changed to UP
igb3_vlan1: link state changed to UP
igb3_vlan40: link state changed to UP
igb3_vlan30: link state changed to UP

Afterwards there is no network connection possible anymore via the vlan and dhcp also doesn't work anymore.

Here is a little description of my systems and network:
OPNsense runs on a pcengines apu4d4:
igb0 is the wan port -> all is fine here
igb2 is bridged with the LAN interface and I get DHCP and network access to the OPNsense box and the internet as expected.
The parent interfaces for igb1 + igb3 are not used.
Instead 3 vlans for 3 subnets (LAN, GUEST, DMZ) are used.
vlan1 and vlan11 are bridged to the LAN interface; vlan 40 is bridged into GUEST and vlan 30 into DMZ. All 3 subnets have DHCP.

There is a vlan capable switch connected to both igb1 and igb3, which then tags the vlans to different ports on the switch, so I can connect devices and have them in the respective subnet, where I want them to be.
All was working fine for at least 2 years with this setup.

What is also interesting is, that it shows (in addition to igb1, igb3) the following unassigned interfaces under interfaces -> overview
lo0, enc0, pfsync0, pflog0
and ovpns2, ovpns3 (I only have one OpenVPN server running and interestingly ovpn3 shows up)

I also have "Hardware CRC", "Hardware TSO" and "Hardware LRO" disabled.
I can also see that there are some tunables, which seem not to be supported anymore:
debug.pfftpproxy Disable the pf ftp proxy handler. unsupported unknown
dev.igb.0.eee_disabled Disable Energy Efficiency unsupported 1
dev.igb.1.eee_disabled Disable Energy Efficiency unsupported 1
dev.igb.2.eee_disabled Disable Energy Efficiency unsupported 1
dev.igb.3.eee_disabled Disable Energy Efficiency unsupported 1
hint.acpi_perf.0.disabled [fireburner] tuning CPU boost unsupported 0
hint.acpi_throttle.0.disabled [fireburner] tuning CPU boost unsupported 0
hint.p4tcc.0.disabled [fireburner] tuning CPU boost unsupported 0
hw.igb.0.fc disable flow control unsupported 0
hw.igb.1.fc disable flow control unsupported 0
hw.igb.2.fc disable flow control unsupported 0
hw.igb.3.fc disable flow control unsupported 0
hw.igb.num_queues Set number of queues to number of cores divided by number of ports, 0 lets FreeBSD decide (should be default) unsupported 0
hw.igb.rx_process_limit [fireburner] tuning net bandw unsupported -1
hw.igb.tx_process_limit [fireburner] tuning net bandw unsupported -1
legal.intel_igb.license_ack [fireburner] tuning net bandw unsupported 1


Does anyone have an idea, which changes might have caused issues here?

edit: I have removed all the unsupported tunables and restarted, but the issue remained.
and the full general log from within the GUI:
2022-01-28T23:02:16 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 3_VLAN_DMZ[opt4]
2022-01-28T23:02:16 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 3_VLAN_DMZ[opt4]) (real interface: igb3_vlan30).
2022-01-28T23:02:16 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb3_vlan30'
2022-01-28T23:02:16 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt4(igb3_vlan30)
2022-01-28T23:02:15 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 3_VLAN_GUEST[opt1]
2022-01-28T23:02:15 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 3_VLAN_GUEST[opt1]) (real interface: igb3_vlan40).
2022-01-28T23:02:15 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb3_vlan40'
2022-01-28T23:02:14 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt1(igb3_vlan40)
2022-01-28T23:02:14 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 3_VLAN_LAN[opt2]
2022-01-28T23:02:14 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 3_VLAN_LAN[opt2]) (real interface: igb3_vlan1).
2022-01-28T23:02:14 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb3_vlan1'
2022-01-28T23:02:13 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt2(igb3_vlan1)
2022-01-28T23:02:11 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 1_VLAN_DMZ[opt8]
2022-01-28T23:02:11 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 1_VLAN_DMZ[opt8]) (real interface: igb1_vlan30).
2022-01-28T23:02:11 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1_vlan30'
2022-01-28T23:02:11 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt8(igb1_vlan30)
2022-01-28T23:02:10 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 1_VLAN_LAN[opt7]
2022-01-28T23:02:10 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 1_VLAN_LAN[opt7]) (real interface: igb1_vlan11).
2022-01-28T23:02:10 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1_vlan11'
2022-01-28T23:02:10 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt7(igb1_vlan11)
2022-01-28T23:02:09 Error opnsense /usr/local/etc/rc.newwanip: Failed to detect IP for 1_VLAN_GUEST[opt9]
2022-01-28T23:02:09 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: ) (interface: 1_VLAN_GUEST[opt9]) (real interface: igb1_vlan40).
2022-01-28T23:02:09 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1_vlan40'
2022-01-28T23:02:08 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt9(igb1_vlan40)
2022-01-28T23:02:07 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt4(igb3_vlan30)
2022-01-28T23:02:06 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt1(igb3_vlan40)
2022-01-28T23:02:05 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt2(igb3_vlan1)
2022-01-28T23:02:02 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt8(igb1_vlan30)
2022-01-28T23:02:01 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt7(igb1_vlan11)
2022-01-28T23:02:00 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt9(igb1_vlan40)


edit2: by checking the boot messages, I found these suspect messages:
igb0: link state changed to UP
debugnet_any_ifnet_update: Bad dn_init result from igb0 (ifp 0xfffff800035c8800), ignoring.
igb1: link state changed to UP
debugnet_any_ifnet_update: Bad dn_init result from igb1 (ifp 0xfffff800034b8000), ignoring.
igb2: link state changed to UP
debugnet_any_ifnet_update: Bad dn_init result from igb2 (ifp 0xfffff800037fe000), ignoring.
igb3: link state changed to UP
debugnet_any_ifnet_update: Bad dn_init result from igb3 (ifp 0xfffff80003609800), ignoring.


edit3: I had IDS and IPS turned on. After disabling IDS completely, I can see on the console that the vlans go down and up again. Then all is working normally again. I will investigate further what is wrong with IDS/IPS and if it only is one of them or if it is the blocklist that needs to be reapplied.
#14
Hi all,

I switched my hardware last week from a low performance Fujitsu Futro S550-2 to an APU4D4.

When booting the installer the boot screen is shown properly and installation went fine.
The serial connection afterwards works fine for the whole boot process except the boot screen, which is totally distorted and so nothing can be selected:

                 H  ____________    __________    __________                                               
                 H//    ____    ||//  ______  ||//  ____    ||                                             
                 H||  ||    ||  ||  ||____//  ||  ||    ||  ||______    ______  __  ____    ______    _____
                 H||  ||    ||  ||    ______//||  ||    ||  //  ____||//  __  \\  ''__  \\//  ____||//  __ \
                 H||  ||____||  ||  ||        ||  ||    ||  \\_/__  \\    ____//  ||  ||  \\____  \\    ___
                 H||__________//||__||        ||__||  //____||______//\\______||__||  ||__||______//\\_____|

H++HH=================H===================H++==========================================@@@@@@@@@@@@@@@@@@@@
H||                                       H|| H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
H||HH..HBBoooott  MMuullttii  UUsseerr  [[EEnntteerr]]@                                        @@@@@@@@@@
H||HH..HBBoooott  [[SS]]iinnggllee  UUsseerr| H        @@@@@@@@@@                        @@@@@@@@@@       
H||HH..H[[EEsscc]]aappee  ttoo  llooaaddeerr  pprroommpptt@@@@@@@@@@@@@              @@@@@@@@@@@@@@@@@@@@@@
H||HH..HRReebboooott                      H|| H            \\\\\\\\\\                  //////////         
H||                                       H|| H))))))))))))))))))))))))              ((((((((((((((((((((((
H||HOOppttiioonnss::                      H|| H            //////////                  \\\\\\\\\\         
H||HH..HK]]eerrnneell::  kkeerrnneell  ((11  ooff  22))@@@@@@@@@@@@@@@@              @@@@@@@@@@@@@@@@@@@@@@
H||HH..HCCoonnffiigguurree  BBoooott  [[OO]]ppttiioonnss......@@@@@                        @@@@@@@@@@     
H||                                       H|| H@@@@@@@@@@                                        @@@@@@@@@@
H||                                       H|| H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
H||                                       H|| H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   
H++=======================================H++=======================================                       
   H                                                                              nnggffiisshheerr''''     

/bboooott//kkeerrnneell//ccaarrpp..kkoo  ssiizzee  00xxee224488  aatt  00xx22448866000000 00\\
8++00xx1199ccdd1188\\
/bboooott//kkeerrnneell//iiff__bbrriiddggee..kkoo  ssiizzee  00xxee44ee88  aatt  00xx22449955000000

looaaddiinngg  rreeqquuiirreedd  mmoodduullee  ''bbrriiddggeessttpp''

/bboooott//kkeerrnneell//bbrriiddggeessttpp..kkoo  ssiizzee  00xx66ccbb00  aatt  00xx2244aa44000000
            l//iifssiissiizzee  00xxdd559900  aatt  00xx225522bb000000 00
/bboooott//kkeerrnneell//iiff__eenncc..kkoo  ssiizzee  00xx33225500  aatt  00xx2244aabb000000
Boooottiinngg...... ell//ppfflloogg..kkoo  ssiizzee  00xx22aabb88  aatt  00xx22552288000000
/bboooott//kkeerrnneell//iiff__ggrree..kkoo  ssiizzee  00xx66ee3300  aatt  00xx2244aaff000000

Afterwards everything is printed normally:
KDB: debugger backends: ddbpffssyynncc..kkoo  ||
KDB: current backend: ddb
Copyright (c) 2013-2018 The HardenedBSD Project.
Copyright (c) 1992-2018 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.2-RELEASE-p20-HBSD  07ef86ce9ca(stable/20.1) amd64
FreeBSD clang version 6.0.0 (tags/RELEASE_600/final 326565) (based on LLVM 6.0.0)
VT(vga): resolution 640x480
...


For now this is not a huge problem, but who knows. A future upgrade might need me to manually adjust the boot parameters. Does anyone have an idea why this screen is broken in the installed version, but not when booting the serial installer?

Of course I use 115200 baud (with picocom from Linux via a serial - USB adapter)