Messages - JDA

#1
Hi,

I need some additional tools (and don't want to build them myself). I tried it with an issue, but no reaction for months :(
I created a PR (based on my naive understanding of the files), but how can I get it checked and approved? See https://github.com/opnsense/tools/pull/422


And I'm really curious - how is anyone updating their Intel NIC firmware on the opnsense boxes? ;)
#2
I replaced a virtualized opnsense with hardware and now we get a flapping 10GbE (on SFP+ with DAC).

Has anyone a clue on how to debug this?

View from the switch:
<190> May 27 11:53:18 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 1056 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:53:18 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 1055 %% [NOTE] Link Down: 0/26
<190> May 27 11:40:14 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 1006 %% [INFO] Port (26) inst(0) role changing from ROLE_DISABLED to ROLE_DESIGNATED
<189> May 27 11:40:14 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 1005 %% [NOTE] Link Up: 0/26
<190> May 27 11:39:51 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 1001 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:39:51 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 1000 %% [NOTE] Link Down: 0/26
<190> May 27 11:39:28 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 989 %% [INFO] Port (26) inst(0) role changing from ROLE_DISABLED to ROLE_DESIGNATED
<189> May 27 11:39:28 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 988 %% [NOTE] Link Up: 0/26
<190> May 27 11:39:06 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 984 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:39:06 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 983 %% [NOTE] Link Down: 0/26
<190> May 27 11:15:56 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 938 %% [INFO] Port (26) inst(0) role changing from ROLE_DISABLED to ROLE_DESIGNATED
<189> May 27 11:15:56 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 937 %% [NOTE] Link Up: 0/26
<190> May 27 11:15:33 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 933 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:15:33 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 932 %% [NOTE] Link Down: 0/26
<190> May 27 11:03:36 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 896 %% [INFO] Port (26) inst(0) role changing from ROLE_DISABLED to ROLE_DESIGNATED
<189> May 27 11:03:36 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 895 %% [NOTE] Link Up: 0/26
<190> May 27 11:03:13 sw002-1 DOT1S[dot1s_task]: dot1s_sm.c(314) 891 %% [INFO] Port (26) inst(0) role changing from ROLE_DESIGNATED to ROLE_DISABLED
<189> May 27 11:03:13 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 890 %% [NOTE] Link Down: 0/26
<189> May 27 10:49:20 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 885 %% [NOTE] Link Up: 0/26


View from the opnsense (not the same events):

<13>1 2024-05-27T12:00:01+02:00 fw flowd_aggregate.py 90284 - [meta sequenceId="1"] startup, check database.
<13>1 2024-05-27T12:00:01+02:00 fw flowd_aggregate.py 90284 - [meta sequenceId="2"] start watching flowd
<13>1 2024-05-27T12:00:01+02:00 fw flowd_aggregate.py 90284 - [meta sequenceId="3"] vacuum done
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="1"] <6>ixl0: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="2"] <6>vlan0.50: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="3"] <6>vlan0.55: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="4"] <6>vlan0.54: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="5"] <6>vlan0.250: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="6"] <6>vlan0.20: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="7"] <6>vlan0.10: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="8"] <6>vlan0.29: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="9"] <6>vlan0.28: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="10"] <6>vlan0.30: link state changed to DOWN
<13>1 2024-05-27T12:03:41+02:00 fw opnsense 96488 - [meta sequenceId="11"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for opt6(vlan0.50)
<13>1 2024-05-27T12:03:41+02:00 fw opnsense 97480 - [meta sequenceId="12"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for opt8(vlan0.55)
<13>1 2024-05-27T12:03:42+02:00 fw opnsense 98548 - [meta sequenceId="13"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for opt7(vlan0.54)
<13>1 2024-05-27T12:03:42+02:00 fw opnsense 99510 - [meta sequenceId="14"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for opt3(vlan0.20)
<13>1 2024-05-27T12:03:42+02:00 fw opnsense 1044 - [meta sequenceId="15"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for opt2(vlan0.10)
<13>1 2024-05-27T12:03:42+02:00 fw opnsense 2101 - [meta sequenceId="16"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for opt4(vlan0.29)
<13>1 2024-05-27T12:03:43+02:00 fw opnsense 3410 - [meta sequenceId="17"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for opt5(vlan0.30)
<28>1 2024-05-27T12:03:43+02:00 fw lldpd 85765 - [meta sequenceId="18"] unable to send packet on real device for ixl0: Network is down
<28>1 2024-05-27T12:03:49+02:00 fw lldpd 85765 - [meta sequenceId="19"] unable to send packet on real device for ixl0: Network is down
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="20"] <5>ixl0: Link is up, 10 Gbps Full Duplex, Requested FEC: None, Negotiated FEC: None, Autoneg: False, Flow Control: None
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="21"] <6>ixl0: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="22"] <6>vlan0.50: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="23"] <6>vlan0.55: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="24"] <6>vlan0.54: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="25"] <6>vlan0.250: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="26"] <6>vlan0.20: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="27"] <6>vlan0.10: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="28"] <6>vlan0.29: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="29"] <6>vlan0.28: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="30"] <6>vlan0.30: link state changed to UP
<13>1 2024-05-27T12:03:49+02:00 fw opnsense 15545 - [meta sequenceId="31"] /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for opt6(vlan0.50)


I already added a tunable for hw.ixl.core_debug_mask to be 0x00000010 (hope the syntax is correct), but need to wait till I can reboot.
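An added example (not from the post, the switch vendor or OPNsense) that parses the two log formats quoted above, the switch's TRAPMGR "Link Up/Down" lines and the OPNsense kernel "link state changed" lines, into one event list and measures the flapping: how many Downs, how long each took to recover, and whether a number of transitions fall inside a short window. The sample lines are constructed from the formats in the post; the year for the switch log (which has none) and the window/threshold defaults are assumptions.

```python
import re
from datetime import datetime
from typing import List, Tuple

# Constructed samples in the two formats quoted in the post (the switch syslog is newest-first and carries no year).
SWITCH_LOG = """\
<189> May 27 11:53:18 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 1055 %% [NOTE] Link Down: 0/26
<189> May 27 11:40:14 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 1005 %% [NOTE] Link Up: 0/26
<189> May 27 11:39:51 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 1000 %% [NOTE] Link Down: 0/26
<189> May 27 11:39:28 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 988 %% [NOTE] Link Up: 0/26
<189> May 27 11:39:06 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 983 %% [NOTE] Link Down: 0/26
<189> May 27 10:49:20 sw002-1 TRAPMGR[trapTask]: traputil.c(708) 885 %% [NOTE] Link Up: 0/26
"""
OPNSENSE_LOG = """\
<13>1 2024-05-27T12:03:41+02:00 fw kernel - - [meta sequenceId="1"] <6>ixl0: link state changed to DOWN
<28>1 2024-05-27T12:03:43+02:00 fw lldpd 85765 - [meta sequenceId="18"] unable to send packet on real device for ixl0: Network is down
<13>1 2024-05-27T12:03:49+02:00 fw kernel - - [meta sequenceId="21"] <6>ixl0: link state changed to UP
"""
SWITCH_RE = re.compile(r"^<\d+>\s*(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ TRAPMGR\[trapTask\]:.*Link (Up|Down): (\S+)$")
OPN_RE = re.compile(r'^<\d+>1 (\S+) \S+ kernel - - \[meta sequenceId="\d+"\] <\d>([\w.]+): link state changed to (UP|DOWN)$')
Event = Tuple[datetime, str, bool]  # (timestamp, interface, is_up)

def parse_events(text: str, year: int = 2024) -> List[Event]:
    """Link events from either format, oldest first; other lines (e.g. lldpd) are skipped. The switch
    log has no year, so one is assumed; the OPNsense UTC offset is dropped (compare within one log only)."""
    events: List[Event] = []
    for line in text.splitlines():
        if m := SWITCH_RE.match(line):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2) == "Up"))
        elif m := OPN_RE.match(line):
            ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=None)
            events.append((ts, m.group(2), m.group(3) == "UP"))
    return sorted(events)

def flap_summary(events: List[Event], iface: str) -> Tuple[int, List[float], bool]:
    """(number of Downs, seconds each Down took to come back Up, whether the last event left it Down)."""
    downs, recoveries, down_since = 0, [], None
    for ts, _, is_up in [e for e in events if e[1] == iface]:
        if not is_up:
            downs, down_since = downs + 1, ts
        elif down_since is not None:
            recoveries.append((ts - down_since).total_seconds())
            down_since = None
    return downs, recoveries, down_since is not None

def flapping(events: List[Event], iface: str, window_s: int = 120, threshold: int = 4) -> bool:
    """True if the interface changed state at least `threshold` times within any `window_s` seconds."""
    t = [ts for ts, name, _ in events if name == iface]
    return any((t[i + threshold - 1] - t[i]).total_seconds() <= window_s for i in range(len(t) - threshold + 1))
```

On the switch sample this reports three Downs with near-identical 22 to 23 second recoveries and a fourth transition cluster inside two minutes, which is the kind of regular pattern worth lining up against the ixl0 events (8 seconds Down) on the OPNsense side.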
#3
I tried a few variants, but my current solution right now is:
http_access allow bump_step1
acl whiteListSSL ssl::server_name login.microsoftonline.com
http_access allow whiteListSSL
#4
I'm currently trying to set up my squid as proxy to restrict internet access to certain servers. As I don't want to update all the clients, I'm trying a transparent proxy with "Log SNI information only".
This works fine as long as I have the client in "Unrestricted IP addresses". The access log shows both a CONNECT to the IP and the actual servername. But as soon as I want to use the whitelist feature, it doesn't work -> I assume the ACL is evaluated too early in the bump/peak process (at_step acl option?).

Am I correct or is it just a layer 8 error?
Has anyone a working example on how to allow some https URLs with a transparent proxy without modifying the clients?
#5
Hi,

I've just tried to configure haproxy but stumbled across the issue that only the starting of the service is logged.

haproxy in debug mode:
[ALERT] 263/133931 (84070) : sendmsg()/writev() failed in logger #1: No such file or directory (errno=2)


/var/haproxy/var/run/ is empty...

As I'm not so deep in the logic of opnsense yet, I only found the plugin "setup" of the logging, but I'm not sure where it's executed:

https://github.com/opnsense/plugins/blob/master/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc

/**
 * register legacy syslog facilities
 * @return array
 */
function haproxy_syslog()
{
    $syslogconf = array();

    $syslogconf['haproxy'] = array(
        'local' => '/var/haproxy/var/run/log',
        'facility' => array('haproxy'),
        'remote' => 'relayd',
    );

    return $syslogconf;
}


Any idea before I just try reinstalling haproxy?

Thanks in advance & best regards
Jens