OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of JDA »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - JDA

Pages: [1]
1
Development and Code Review / Getting additional tools into opnsense?
« on: August 03, 2024, 11:12:24 pm »
Hi,

I need some additional tools (and don't want to build them on myself). I tried it with an issue, but no reaction for months :(
I created a PR (based on my naive understanding of the files), but how can I get it checked and approved? See https://github.com/opnsense/tools/pull/422


And I'm really curious - how is anyone updating their Intel NIC firmware on the opnsense boxes? ;)

2
Hardware and Performance / Intel ixl interface flapping
« on: May 27, 2024, 12:15:00 pm »
I replaced a virtualized opnsense with hardware and now we get a flapping 10GbE (on SFP+ with DAC).

Has anyone a clue on how to debug this?

View from the switch:
Code: [Select]
<190> May 27 11:53:18 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 1056 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:53:18 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 1055 %% [NOTE] Link Down: 0/26
<190> May 27 11:40:14 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 1006 %% [INFO] Port (26) inst(0) role changing from ROLE_DISABLED to ROLE_DESIGNATED
<189> May 27 11:40:14 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 1005 %% [NOTE] Link Up: 0/26
<190> May 27 11:39:51 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 1001 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:39:51 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 1000 %% [NOTE] Link Down: 0/26
<190> May 27 11:39:28 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 989 %% [INFO] Port (26) inst(0) role changing from ROLE_DISABLED to ROLE_DESIGNATED
<189> May 27 11:39:28 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 988 %% [NOTE] Link Up: 0/26
<190> May 27 11:39:06 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 984 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:39:06 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 983 %% [NOTE] Link Down: 0/26
<190> May 27 11:15:56 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 938 %% [INFO] Port (26) inst(0) role changing from ROLE_DISABLED to ROLE_DESIGNATED
<189> May 27 11:15:56 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 937 %% [NOTE] Link Up: 0/26
<190> May 27 11:15:33 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 933 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:15:33 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 932 %% [NOTE] Link Down: 0/26
<190> May 27 11:03:36 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 896 %% [INFO] Port (26) inst(0) role changing from ROLE_DISABLED to ROLE_DESIGNATED
<189> May 27 11:03:36 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 895 %% [NOTE] Link Up: 0/26
<190> May 27 11:03:13 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 891 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:03:13 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 890 %% [NOTE] Link Down: 0/26
<189> May 27 10:49:20 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 885 %% [NOTE] Link Up: 0/26

View from the opnsense (not the same events):
Code: [Select]
<13>1 2024-05-27T12:00:01+02:00 fw flowd_aggregate.py 90284 - [meta sequenceId="1"] startup, check database.
<13>1 2024-05-27T12:00:01+02:00 fw flowd_aggregate.py 90284 - [meta sequenceId="2"] start watching flowd
<13>1 2024-05-27T12:00:01+02:00 fw flowd_aggregate.py 90284 - [meta sequenceId="3"] vacuum done
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="1"] <6>ixl0: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="2"] <6>vlan0.50: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="3"] <6>vlan0.55: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="4"] <6>vlan0.54: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="5"] <6>vlan0.250: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="6"] <6>vlan0.20: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="7"] <6>vlan0.10: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="8"] <6>vlan0.29: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="9"] <6>vlan0.28: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="10"] <6>vlan0.30: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw opnsense 96488 - [meta sequenceId="11"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for
opt6(vlan0.50)
<13>1 2024-05-27T12:03:41+02:00 fw opnsense 97480 - [meta sequenceId="12"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for
opt8(vlan0.55)
<13>1 2024-05-27T12:03:42+02:00 fw opnsense 98548 - [meta sequenceId="13"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for
opt7(vlan0.54)
<13>1 2024-05-27T12:03:42+02:00 fw opnsense 99510 - [meta sequenceId="14"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for
opt3(vlan0.20)
<13>1 2024-05-27T12:03:42+02:00 fw opnsense 1044 - [meta sequenceId="15"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for o
pt2(vlan0.10)
<13>1 2024-05-27T12:03:42+02:00 fw opnsense 2101 - [meta sequenceId="16"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for o
pt4(vlan0.29)
<13>1 2024-05-27T12:03:43+02:00 fw opnsense 3410 - [meta sequenceId="17"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for o
pt5(vlan0.30)
<28>1 2024-05-27T12:03:43+02:00 fw lldpd 85765 - [meta sequenceId="18"] unable to send packet on real device for ixl0: Network is down
<28>1 2024-05-27T12:03:49+02:00 fw lldpd 85765 - [meta sequenceId="19"] unable to send packet on real device for ixl0: Network is down
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="20"] <5>ixl0: Link is up, 10 Gbps Full Duplex, Requested FEC: None, Neg
otiated FEC: None, Autoneg: False, Flow Control: None
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="21"] <6>ixl0: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="22"] <6>vlan0.50: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="23"] <6>vlan0.55: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="24"] <6>vlan0.54: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="25"] <6>vlan0.250: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="26"] <6>vlan0.20: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="27"] <6>vlan0.10: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="28"] <6>vlan0.29: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="29"] <6>vlan0.28: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="30"] <6>vlan0.30: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw opnsense 15545 - [meta sequenceId="31"] /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for
opt6(vlan0.50)

I already added a tunable for hw.ixl.core_debug_mask to be 0x00000010 (hope the syntax is correct), but need to wait till I can reboot.

3
Web Proxy Filtering and Caching / Re: Transparent Proxy with SSL SNI only inspection and whitelist feature
« on: September 10, 2023, 08:48:36 pm »
I tried a few variants, but my current solution right now is:
Code: [Select]
http_access allow bump_step1
acl whiteListSSL ssl::server_name login.microsoftonline.com
http_access allow whiteListSSL

4
Web Proxy Filtering and Caching / Transparent Proxy with SSL SNI only inspection and whitelist feature
« on: September 09, 2023, 11:49:51 pm »
I'm currently trying to set up my squid as proxy to restrict internet access to certain servers. As I don't want to update all the clients, I'm trying a transparent proxy with "Log SNI information only".
This works fine as long as I have the client in "Unrestricted IP addresses". The access log shows both a CONNECT to the IP and the actual servername. But as soon as I want to use the whitelist feature, it doesn't work -> I assume the ACL is evaluated too early in the bump/peak process (at_step acl option?).

Am I correct or is it just a layer 8 error?
Has anyone a working example on how to allow some https URLs with a transparent proxy without modifying the clients?

5
21.7 Legacy Series / haproxy - missing log socket in chroot
« on: September 21, 2021, 01:50:15 pm »
Hi,

I've just tried to configure haproxy but stumbled across the issue that only starting of the service is logged.

haproxy in debug mode:
Code: [Select]
[ALERT] 263/133931 (84070) : sendmsg()/writev() failed in logger #1: No such file or directory (errno=2)

/var/haproxy/var/run/ is empty...

As I'm not so deep in the logic of opnsense yet, I only found the plugin "setup" of the logging, but not sure where it's executed:

https://github.com/opnsense/plugins/blob/master/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc

Code: [Select]
/**
 *  register legacy syslog facilities
 * @return array
 */
function haproxy_syslog()
{
    $syslogconf = array();

    $syslogconf['haproxy'] = array(
        'local' => '/var/haproxy/var/run/log',
        'facility' => array('haproxy'),
        'remote' => 'relayd',
    );

    return $syslogconf;
}
Any idea before I just try reinstalling haproxy?

Thanks in advance & best regards
Jens

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2