Messages - Noci

#1
I have not enabled FRR rules.

I removed all entries with <enabled>0</enabled> in them; most were in the <IDS....><rules>...</rules>...</IDS..> section.

Filesize is now: 599186 bytes (17K lines).

With 172 "rules uuid" left.

This did work out. The system does behave like before now.

(I could hardly find anything on configd using the regular search methods though; at least I now know where to look.)

System info:
FreeBSD 14.3-RELEASE-p12 stable/26.1-n272089-81f87c4d694c SMP amd64
OPNsense 26.1.8_5 d67741d16
Plugins os-cache-1.0_1 os-chrony-1.5_3 os-collectd-1.4_1 os-cpu-microcode-intel-1.1 os-crowdsec-1.0.12 os-dnscrypt-proxy-1.16_2 os-etpro-telemetry-1.8_1 os-freeradius-1.10.1 os-frr-1.52 os-git-backup-1.1_3 os-igmp-proxy-1.5_6 os-intrusion-detection-content-et-open-1.0.2_2 os-intrusion-detection-content-ptopen-1.0 os-iperf-1.0_2 os-isc-dhcp-1.0_4 os-lldpd-1.2 os-maltrail-1.10_1 os-mdns-repeater-1.2 os-nextcloud-backup-1.2 os-ntopng-1.3 os-nut-1.9_1 os-openconnect-1.4.6 os-redis-1.1_4 os-smart-2.4 os-stunnel-1.0.6_1 os-theme-cicada-1.41_1 os-theme-rebellion-1.9.4 os-udpbroadcastrelay-1.0_6 os-upnp-1.9 os-vnstat-1.3_1 os-wol-2.5_4 os-zabbix7-agent-1.19
Time Thu, 28 May 2026 14:37:06 +0200
OpenSSL 3.0.20
Python 3.13.13
PHP 8.3.30

CPU info:
12th Gen Intel(R) Core(TM) i7-1265U (10 cores, 12 threads)

Memory:
16GB

(Should be sufficient.)
#2
---8<---
# ls -l  /conf/config.xml
-rw-r-----  1 wwwonly wheel 4247118 May 28 13:59 /conf/config.xml
---8<---

Not sure what is considered to be large...
94 Alias Firewall entries (grep "alias uuid"...)
Firewall new rules, 21796 (grep "rule uuid" lines).

It may be connected to attempting to allow IDP/IPS to actually start doing something. Not exactly sure though.
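As an added example (neither OPNsense code nor the poster's), the audit described in posts #1 and #2 done with a parser instead of grep: count the "rule uuid" / "alias uuid" entries, show which sections hold the <enabled>0</enabled> entries, and prune them from a copy. The XML below is a constructed miniature; only the uuid attribute and the enabled child are taken from the posts, the rest of the layout is assumed.

```python
# Added example (not OPNsense code): audit a config.xml for <enabled>0</enabled>
# entries per section and prune them; element layout below is a constructed sample.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<opnsense><OPNsense><Firewall>
 <Alias><aliases>
  <alias uuid="a1"><enabled>1</enabled><name>web</name></alias>
  <alias uuid="a2"><enabled>0</enabled><name>old</name></alias>
 </aliases></Alias>
 <Filter><rules>
  <rule uuid="r1"><enabled>1</enabled><descr>Allow Float -&gt; ICMP out</descr></rule>
  <rule uuid="r2"><enabled>0</enabled><descr>stale</descr></rule>
 </rules></Filter></Firewall>
 <IDS><rules>
  <rule uuid="i1"><enabled>0</enabled><sid>100</sid></rule>
  <rule uuid="i2"><enabled>0</enabled><sid>101</sid></rule>
  <rule uuid="i3"><enabled>1</enabled><sid>102</sid></rule>
 </rules></IDS></OPNsense></opnsense>"""

def _is_disabled(elem):  # only a direct <enabled>0</enabled> child counts
    en = elem.find("enabled")
    return en is not None and (en.text or "").strip() == "0"

def _section(parents, elem):
    # Dotted path of the enclosing container, e.g. "opnsense.OPNsense.IDS.rules".
    parts, node = [], parents.get(elem)
    while node is not None:
        parts.append(node.tag)
        node = parents.get(node)
    return ".".join(reversed(parts))

def audit(xml_text):
    # Totals per "<tag> uuid" plus disabled entries keyed by enclosing section.
    root = ET.fromstring(xml_text)
    parents = {c: p for p in root.iter() for c in p}
    report = {"rule uuid": 0, "alias uuid": 0, "disabled": {}}
    for elem in (e for e in root.iter() if "uuid" in e.attrib):
        key = f"{elem.tag} uuid"
        report[key] = report.get(key, 0) + 1
        if _is_disabled(elem):
            sec = _section(parents, elem)
            report["disabled"][sec] = report["disabled"].get(sec, 0) + 1
    return report

def prune_disabled(xml_text):
    # Drop every disabled uuid entry; run this on a copy of config.xml, never in place.
    root = ET.fromstring(xml_text)
    parents = {c: p for p in root.iter() for c in p}
    gone = [e for e in root.iter() if "uuid" in e.attrib and _is_disabled(e)]
    for elem in gone:
        parents[elem].remove(elem)
    return ET.tostring(root, encoding="unicode"), len(gone)
```

Serialising through ElementTree keeps the "&gt;" escaping in rule descriptions intact, so a pruned copy round-trips the same way the original was stored.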

#3
The firewall is sluggish at best; any GUI access (change of screen) takes several minutes.
The dashboard is severely limited in view, most items stay black, only disk usage has some display and sometimes the firewall pie chart. CPU load starts being in view, but disappears after a minute or so.

When logging in, configd has several (up to the number of cores in the CPU) subtasks that all take 100% of CPU and live for a few seconds each. (Long enough to seem present in top, short enough to have vanished between ps ax ... filter ... attempt lsof on the pid....)

This is continuous.
---8<---
last pid: 58804;  load averages:  5.89,  2.00,  0.82                                                                                           up 11+14:37:26  13:42:41
84 processes:  9 running, 75 sleeping
CPU: 66.0% user,  0.0% nice,  0.8% system,  0.0% interrupt, 33.2% idle
Mem: 761M Active, 1603M Inact, 27M Laundry, 6276M Wired, 104K Buf, 6882M Free
ARC: 4882M Total, 1499M MFU, 3097M MRU, 1368K Anon, 45M Header, 238M Other
     4221M Compressed, 13G Uncompressed, 3.11:1 Ratio
Swap: 8192M Total, 63M Used, 8129M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
55491 root          1 103    0   118M    76M CPU3     3   0:04 100.20% php
54982 root          1 105    0   120M    78M CPU7     7   0:05 100.20% php
54472 root          1 107    0   110M    75M CPU9     9   0:06 100.16% php
57810 root          1  96    0   104M    70M CPU11   11   0:02 100.07% php
55873 root          1 100    0   106M    72M CPU0     0   0:03 100.04% php
52735 root          1 109    0   112M    78M CPU10   10   0:06  99.71% php
22825 root          1  21    0   270M   102M select   3   0:13   5.67% php-cgi
31611 root         12  68    0   123M    37M accept   3  28:19   0.56% python3.13
39975 root          1  20    0   322M   148M CPU5     5   0:08   0.53% php-cgi
23917 root         23  20    0  1596M   253M uwait    3   8:52   0.20% crowdsec
---8<---

---8<---
31135  -  Is        0:01.15 |-- /usr/local/bin/python3 /usr/local/opnsense/service/configd.py (python3.13)
31611  -  S        28:19.92 | `-- /usr/local/bin/python3 /usr/local/opnsense/service/configd.py console (python3.13)
  251  -  S         0:09.75 |   |-- /usr/local/bin/php /usr/local/sbin/pluginctl -S
12288  -  S         0:10.44 |   |-- /usr/local/bin/php /usr/local/sbin/pluginctl -S
28963  -  R         0:08.95 |   |-- /usr/local/bin/php /usr/local/opnsense/scripts/routes/gateway_status.php
31240  -  R         0:08.16 |   |-- /usr/local/bin/php /usr/local/sbin/pluginctl -S
31483  -  R         0:06.70 |   |-- /usr/local/bin/php /usr/local/opnsense/scripts/ipsec/get_legacy_vti.php
31737  -  R         0:06.69 |   |-- /usr/local/bin/php /usr/local/opnsense/scripts/routes/gateway_status.php
31832  -  R         0:05.06 |   |-- /usr/local/bin/php /usr/local/opnsense/scripts/ipsec/get_legacy_vti.php
32199  -  R         0:04.56 |   |-- /usr/local/bin/php /usr/local/sbin/pluginctl -D
41813  -  R         0:03.57 |   |-- /usr/local/bin/php /usr/local/sbin/pluginctl -D
42362  -  R         0:02.12 |   `-- /usr/local/bin/php /usr/local/opnsense/scripts/routes/gateway_status.php
32146  -  Ss       16:08.03 |-- /usr/local/sbin/collectd
---8<---

Any idea what causes this? Might be since the upgrade to 26.1.5...
Currently running OPNsense 26.1.8_5
#4
26.1, 26,4 Series / Static route issue
March 16, 2026, 11:28:17 PM
I had some trouble with a system that used to be routed using a static route or firewall rule with gateway.

This doesn't work anymore with 26.1.

Static routes are not added, as a check with netstat -rn shows.
Adding a route with route add destination internal-IP-address, then it DOES work...

I have an address block... one of the addresses (PUB-1) is handling all NATted ports. The usual NAT rules apply, works no problem.
Another address is routed through....

This used to be a static route:  IP address = PUB-2, with gateway 192.168.x.10
The system on 192.168.x.10 has the PUB-2 address as default and 192.168.x.10 as an alias.

On previous versions this was no problem. The current version fails to add the route needed.

Also adding a rule in the firewall with a gateway added does not work.
There is a reason for NOT using NAT..., it helps when some systems have the public address on the local system, due to software/protocol limitations.
#5
They do become visible under inspection; then again, in the drop-down selector "all rules" only shows the non-automatic ones.
Whereas the "inspect button" mentions "all rules" to mean including automatic ones, including an extra column with a counter.
Could have been more clear though.
#6
Where did the automatic rules end up?
Those that were installed by e.g. CrowdSec etc.

I do use floating rules that are generic for ALL interfaces, it could be replaced by a group that has ALL interfaces in it if it needs to be.
That would require an ALL interface group to be applied first I guess, and requires an ordering on group names in the rules section.
#7
26.1, 26,4 Series / Re: Old rules deprecation
January 31, 2026, 11:38:03 PM
Feedback on New Rule interface...
Looks nice, needs a bit of getting acquainted I guess.

Two issues that could be handled better.
1) During export old, import new there was one error: interface lo0..? rule. I deleted that one as I see no reason for a rule filtering traffic on lo0. Apparently it doesn't exist in 26.1 anymore.

2) There is an error either in export or import of rules with HTML encoding. All rules having special signs like > are different.
Allow Float -> ICMP out      changed into    Allow Float -&gt; ICMP out
If exporting uses HTML safe data, then import should as well.

https://github.com/opnsense/core/issues/9694
#8
Quote from: franco on January 31, 2026, 02:36:02 PM
Can't fix that. This and other things are unavoidable when enabling the FreeBSD repository.

Cheers,
Franco

What needs to be disabled?
#9
This might have been the result of installing zenarmor... :-(
#10
Only thing left I cannot resolve is this message... which looks like an annoyance, not a problem.

pkg: warning: database version 37 is newer than libpkg(3) version 36, but still compatible
#11
That worked out:

Type opnsense
Version 26.1_4
Architecture amd64
Commit 889098cfa
Mirror https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Repositories OPNsense (Priority: 11)
Updated on Fri Jan 30 22:40:46 CET 2026
Checked on N/A
#12
Reinstall didn't work. So now I try:

# pkg install --force pkg-2.3.1_1
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be DOWNGRADED:
        pkg: 2.5.1 -> 2.3.1_1

Number of packages to be downgraded: 1

The process will require 2 MiB more space.

Proceed with this action? [y/N]: y
[1/1] Downgrading pkg from 2.5.1 to 2.3.1_1...
[1/1] Extracting pkg-2.3.1_1: 100%
#13
It took a little bit longer.

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Jan 30 22:12:43 CET 2026
Fetching packages-26.1-amd64.tar: ............ done
Fetching base-26.1-amd64.txz: .... done
Fetching kernel-26.1-amd64.txz: ... done
Extracting packages-26.1-amd64.tar... done
Extracting base-26.1-amd64.txz... done
Extracting kernel-26.1-amd64.txz... done
Please reboot.
>>> Invoking upgrade script 'sanity.sh'
The Package manager "pkg" is incompatible and needs a reinstall.
>>> Error in upgrade script '10-sanity.sh'
>>> Invoking upgrade script 'isc-dhcp-plugin.sh'
Skipping already installed legacy ISC-DHCP plugin...
>>> Invoking upgrade script 'cleanup.sh'
The upgrade was aborted due to an error.
***DONE***
# pkg info pkg
pkg-2.5.1
Name          : pkg
Version        : 2.5.1
Installed on  : Fri Jan 23 00:52:37 2026 CET
Origin        : ports-mgmt/pkg
Architecture  : FreeBSD:14:amd64
Prefix        : /usr/local
Categories    : ports-mgmt
Licenses      : BSD2CLAUSE
Maintainer    : pkg@FreeBSD.org
WWW            : https://github.com/freebsd/pkg
Comment        : Package manager
Options        :
        DOCS          : on
Shared Libs required:
        libarchive.so.7
        libc.so.7
        libcrypto.so.30
        libelf.so.2
        libjail.so.1
        libm.so.5
        libssl.so.30
        libthr.so.3
        libutil.so.9
        libz.so.6
Shared Libs provided:
        libpkg.so.4
Annotations    :
        FreeBSD_version: 1403000
        build_timestamp: 2026-01-15T01:04:23+0000
        built_by      : poudriere-git-3.4.4-15-g61aba751
        port_checkout_unclean: no
        port_git_hash  : 9514ac9990434680c9394df1a07b7b7469198293
        ports_top_checkout_unclean: no
        ports_top_git_hash: 9514ac9990434680c9394df1a07b7b7469198293
        repo_type      : binary
        repository    : FreeBSD
Flat size      : 23.6MiB
Description    :
Package management tool
#14
Ok

***GOT REQUEST TO REINSTALL***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Jan 30 22:10:22 CET 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following packages will be fetched:

New packages to be FETCHED:
   pkg: 2.3.1_1 (6 MiB: 100.00% of the 6 MiB to download)

Number of packages to be fetched: 1

The process will require 6 MiB more space.
6 MiB to be downloaded.
Fetching pkg-2.3.1_1: .......... done
pkg-2.5.1: already unlocked
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***

Try again.
#15
Well, that stops quickly.
Copy-paste from the status window.

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 25.7.11_9 (amd64) at Fri Jan 30 20:31:26 CET 2026
Fetching packages-26.1-amd64.tar: ............. done
Fetching base-26.1-amd64.txz: ..... done
Fetching kernel-26.1-amd64.txz: ... done
Extracting packages-26.1-amd64.tar... done
Extracting base-26.1-amd64.txz... done
Extracting kernel-26.1-amd64.txz... done
Please reboot.
>>> Invoking upgrade script 'sanity.sh'
The Package manager "pkg" is incompatible and needs a reinstall.
>>> Error in upgrade script '10-sanity.sh'
>>> Invoking upgrade script 'isc-dhcp-plugin.sh'
Installing legacy ISC-DHCP plugin for compatibility...
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   os-isc-dhcp: 0.1

Number of packages to be installed: 1

883 B to be downloaded.
[1/1] Fetching os-isc-dhcp-0.1: . done
Checking integrity... done (0 conflicting)
[1/1] Installing os-isc-dhcp-0.1...
[1/1] Extracting os-isc-dhcp-0.1: . done
Checking integrity... done (0 conflicting)
Nothing to do.
>>> Invoking upgrade script 'cleanup.sh'
The upgrade was aborted due to an error.
***DONE***