Messages - GreenMatter

#1
25.7 Series / Re: netflow on 25.7
July 24, 2025, 12:14:02 PM
+1
#2
Quote from: franco on June 13, 2025, 12:20:00 PM
Filing a plugins bug report could help reach the maintainer. Not sure if this is a general issue as I haven't seen a ticket and nothing really changed except the C-ICAP upstream version recently I think.
Thanks, I filed a bug report...
#3
Since version 25.1.7 C-ICAP doesn't start automatically and throws the following errors in the log:

2025-06-12T21:03:43  Critical  c-icap  main proc, Error opening/parsing config file
2025-06-12T21:03:43  Critical  c-icap  main proc, WARNING: Can not check the used c-icap release to build service clamd_mod.so
2025-06-12T21:03:43  Critical  c-icap  main proc,
2025-06-12T21:03:43  Critical  c-icap  main proc, WARNING: Can not check the used c-icap release to build service virus_scan.so
2025-06-12T21:03:43  Critical  c-icap  main proc, Warning, alias is the same as service_name, not adding
2025-06-12T21:03:43  Critical  c-icap  main proc, The line is: sys_logger.access !localserver
2025-06-12T21:03:43  Critical  c-icap  main proc, Fatal error while parsing config file: "/usr/local/etc/c-icap/c-icap.conf" line: 32
2025-06-12T21:03:43  Critical  c-icap  main proc, Error adding acl spec: !localserver.
2025-06-12T21:03:10  Critical  c-icap  main proc, Error opening/parsing config file
2025-06-12T21:03:10  Critical  c-icap  main proc, WARNING: Can not check the used c-icap release to build service clamd_mod.so
2025-06-12T21:03:10  Critical  c-icap  main proc,
2025-06-12T21:03:10  Critical  c-icap  main proc, WARNING: Can not check the used c-icap release to build service virus_scan.so
2025-06-12T21:03:10  Critical  c-icap  main proc, Warning, alias is the same as service_name, not adding
2025-06-12T21:03:10  Critical  c-icap  main proc, The line is: sys_logger.access !localserver
2025-06-12T21:03:10  Critical  c-icap  main proc, Fatal error while parsing config file: "/usr/local/etc/c-icap/c-icap.conf" line: 32
2025-06-12T21:03:10  Critical  c-icap  main proc, Error adding acl spec: !localserver.

And once the line:
sys_logger.access !localserver
is removed from the config file /usr/local/etc/c-icap/c-icap.conf, I'm able to manually start C-ICAP.

How to fix it permanently?
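A small triage helper for exactly this kind of start failure, added here as an example and not part of the post or of C-ICAP: it groups the "main proc" messages per start attempt, pulls the config file, line number and offending directive out of the fatal parse error, and cross-checks that line against a copy of c-icap.conf. It assumes the log view was exported with tab-separated columns (time, severity, process, message); the sample lines are constructed from the values quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the c-icap start failure quoted in the post, as the
# OPNsense log-viewer columns (time, severity, process, message) separated
# by tabs (an assumption about the export format).
SAMPLE_LOG = """\
2025-06-12T21:03:43\tCritical\tc-icap\tmain proc, Error opening/parsing config file
2025-06-12T21:03:43\tCritical\tc-icap\tmain proc, WARNING: Can not check the used c-icap release to build service clamd_mod.so
2025-06-12T21:03:43\tCritical\tc-icap\tmain proc, The line is: sys_logger.access !localserver
2025-06-12T21:03:43\tCritical\tc-icap\tmain proc, Fatal error while parsing config file: "/usr/local/etc/c-icap/c-icap.conf" line: 32
2025-06-12T21:03:43\tCritical\tc-icap\tmain proc, Error adding acl spec: !localserver.
2025-06-12T21:03:10\tCritical\tc-icap\tmain proc, Error opening/parsing config file
2025-06-12T21:03:10\tCritical\tc-icap\tmain proc, The line is: sys_logger.access !localserver
2025-06-12T21:03:10\tCritical\tc-icap\tmain proc, Fatal error while parsing config file: "/usr/local/etc/c-icap/c-icap.conf" line: 32
2025-06-12T21:03:10\tCritical\tc-icap\tmain proc, Error adding acl spec: !localserver.
"""

FATAL_RE = re.compile(r'Fatal error while parsing config file: "([^"]+)" line: (\d+)')
LINE_RE = re.compile(r'The line is: (.*)$')
ACL_RE = re.compile(r'Error adding acl spec: (.+?)\.?$')

def parse_config_failures(log_text):
    """Group c-icap 'main proc' messages by start attempt (timestamp) and
    extract config file, line number, offending directive and rejected ACL
    of each fatal parse error. Returns a list of dicts, oldest attempt first."""
    attempts = defaultdict(dict)
    for raw in log_text.splitlines():
        parts = raw.split("\t", 3)
        if len(parts) != 4 or parts[2] != "c-icap":
            continue  # not a c-icap row (or not the expected column layout)
        ts, _severity, _process, msg = parts
        rec = attempts[ts]
        if m := FATAL_RE.search(msg):
            rec["config"], rec["line"] = m.group(1), int(m.group(2))
        elif m := LINE_RE.search(msg):
            rec["directive"] = m.group(1).strip()
        elif m := ACL_RE.search(msg):
            rec["acl"] = m.group(1)
    return [dict(ts=ts, **rec) for ts, rec in sorted(attempts.items()) if "config" in rec]

def directive_at(conf_text, lineno):
    """Return the line of a c-icap.conf text the parser complained about (1-based),
    so the log claim can be verified against the live file before editing it."""
    lines = conf_text.splitlines()
    return lines[lineno - 1].strip() if 0 < lineno <= len(lines) else None
```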
#4
Is there any update related to this issue?
#5
I can see exactly the same error. Is there any solution?
#6
I've just upgraded my instance to 25.1.5_4 and now it works.
Thanks, well done!
#7
Quote from: franco on April 11, 2025, 09:30:59 AM
If you have a captive portal and reflection enabled there is an issue that is going to be hotfixed in 25.1.5_4.

Yes, the captive portal is enabled on one of the VLANs, and 1:1 NAT along with port reflection are enabled as well.
So, I guess this is the reason...
#8
I run OPNsense (25.1.4) in a Proxmox VM. After upgrading to 25.1.5, I couldn't connect to WAN services or to the local instance of AdGuard Home (it runs in a Proxmox LXC and forwards all queries to Unbound). I couldn't find errors, but I guess I had somehow lost DNS resolution. I don't use Zenarmor - it is disabled.
After restoring Opnsense snapshot back to 25.1.4 all came back to normal...
#9
Recently I migrated OpenVPN servers from legacy to instances; I changed the UDP server from TUN to DCO. It had been working, but all of a sudden the client (Viscosity - OpenVPN 2.6) stopped being able to download anything, and in the server log was:
Data Channel Offload doesn't support DATA_V1 packets. Upgrade your server to 2.4.5 or newer.
A bit strange (OpenVPN 2.6 - client and server), especially since WireGuard also stopped working (but handshakes were exchanged). It seems like setting DCO affects UDP connectivity in WireGuard as well.
And once I set the OpenVPN interface back to TUN, both the Viscosity UDP client and WireGuard started working again.
So, that's an experimental feature :-)?
#10
25.1, 25.4 Series / Re: Lost ip6 connectivity in LAN
February 26, 2025, 11:21:31 AM
Quote from: dseven on February 25, 2025, 09:12:12 PM
That document is just all kinds of wrong. How stuff like that gets into the official OPNsense docs is beyond my comprehension. smh...

If you want to be able to use IPv6 from your LAN, you will need at least one firewall rule to allow it - similar to the "Default allow LAN to any rule", but for IPv6.
Yes, I changed my config completely:
- disabled DHCPv6
- set RAD to "unmanaged", and in the VLAN where I manually assign IPv6 I set it to "router only"
- removed those extra IPv6 fw rules, and that's where I'm not so sure. Is it ok to rely only on the automatic rules(?):
(attachment not available)
and
(attachment not available)
Now it works, but do I need to create a fw rule to be more on the safe side?
#11
25.1, 25.4 Series / Re: Lost ip6 connectivity in LAN
February 25, 2025, 05:22:58 PM
Quote from: dseven on February 25, 2025, 03:22:36 PM
What does "I can connect to WAN ip6 services" mean? Are you saying that LAN hosts can reach the internet via IPv6, but can't get DNS from, or ping, your OPNsense firewall's LAN IP address? What do your firewall rules for LAN look like?
I meant, in the LAN:
- I'm not able to connect to local services (tried "nc -vz...", mainly DNS) or ping them
in the WAN:
- contrary to the above, I can ping them or test with netcat

I followed the OPNsense how-to: https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html so I don't have very special firewall rules...
#12
25.1, 25.4 Series / Lost ip6 connectivity in LAN
February 25, 2025, 01:42:44 PM
Hello,

I have had dual stack (with a tunnel broker) working fine. Recently I've noticed that all devices in the LAN can't communicate via IPv6 within the LAN (IPv6 DNS, pinging the gateway...) despite having IPv6 addresses (/64) assigned. At the same time I can connect to WAN IPv6 services.
What may have happened and how do I troubleshoot it? OPNsense is up to date: 25.1.1.
#13
OPNsense is on the latest version (24.7.4) and today I ran into an issue of a completely filled disk.
After running the following command I could see:

root@OPNsense:/ # du -mah | sort -rh | head -n 10
37G .
28G ./var
25G ./var/log
16G ./var/log/squid
9.5G ./var/log/squid/access.log
8.0G ./usr
7.8G ./var/log/c-icap/access.log
7.8G ./var/log/c-icap
7.4G ./usr/local
7.0G ./var/log/squid/store.log

So, the squid and C-ICAP access logs were enormous; I had to manually delete them and restart the services. I use squid + C-ICAP + ClamAV to scan web data.

What could cause the creation of such big access logs?
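A check that would have caught this before the disk filled, added here as an example and not part of the post or of OPNsense: it parses human-readable du output, lists the individual files under /var/log above a size limit (skipping directory rows, which only aggregate their children), and reports how much of the total the log tree consumes. The sample rows are constructed from the du output quoted above; the 2 GiB limit is an assumed threshold.

```python
import re

# Constructed sample: the `du -mah | sort -rh | head -n 10` rows quoted in the post.
SAMPLE_DU = """\
37G .
28G ./var
25G ./var/log
16G ./var/log/squid
9.5G ./var/log/squid/access.log
8.0G ./usr
7.8G ./var/log/c-icap/access.log
7.8G ./var/log/c-icap
7.4G ./usr/local
7.0G ./var/log/squid/store.log
"""

_UNIT = {"": 1, "B": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}
_ROW = re.compile(r"^\s*([\d.]+)([BKMGT]?)\s+(\S+)$")

def parse_du(text):
    """Turn human-readable du rows ('9.5G ./path') into (path, bytes) pairs."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((m.group(3), int(float(m.group(1)) * _UNIT[m.group(2)])))
    return rows

def oversized_logs(text, max_gib=2.0, log_root="./var/log"):
    """Individual files under log_root larger than max_gib GiB, largest first.
    A row is treated as a directory (and skipped) when another row lives below it,
    so only the files that need rotation or truncation are returned."""
    rows = parse_du(text)
    paths = {p for p, _ in rows}
    limit = max_gib * 1024**3
    hits = [(p, size / 1024**3) for p, size in rows
            if p.startswith(log_root + "/") and size > limit
            and not any(q.startswith(p + "/") for q in paths)]
    return sorted(hits, key=lambda t: -t[1])

def log_share(text, log_root="./var/log"):
    """Fraction of the filesystem total ('.') taken by log_root, or None if either is missing."""
    sizes = dict(parse_du(text))
    if "." not in sizes or log_root not in sizes:
        return None
    return sizes[log_root] / sizes["."]
```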
#14
I'm puzzled too - I don't understand implementing KEA when it doesn't match the functionality of ISC. Issues in 24.7 with the OpenVPN UDP server (at least in my case) plus the removal of ISC DHCP functionality in 24.7 made me revert the upgrade back to version 24.1.10...
#15
One more thing.
The OpenVPN TCP server (legacy) was fully working.
But the UDP server (legacy) was running while there was no connectivity. I mean netcat was showing replies from hosts on various ports, but nothing could go through the browser.
I gave up and restored 24.1.10...