1
23.7 Legacy Series / Re: c-icap fail after update to 23.7.8
« on: November 13, 2023, 10:29:21 am »
There is a [pull request](https://github.com/opnsense/plugins/pull/3667) using the solution from @chatmate
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
23.7 Legacy Series / Re: c-icap fail after update to 23.7.8
« on: November 13, 2023, 09:59:06 am »
I opened an [Issue][https://github.com/opnsense/core/issues/7007]
3
23.7 Legacy Series / c-icap fail after update to 23.7.8
« on: November 09, 2023, 04:59:05 pm »
There is an update in 23.7.8 to c-icap 0.5.11.
Starting in debug mode: c-icap -f //usr/local/etc/c-icap/c-icap.conf -N -D -d 9
...
Adding to acl AUTH the data *
In search specs list 0x0,name AUTH
New ACL with name:AUTH and ACL Type: auth
Creating new access entry as allow with specs:
In search specs list 0x829c62480,name AUTH
Checking name:AUTH with specname AUTH
In search specs list 0x829c62480,name AUTH
Checking name:AUTH with specname AUTH
Added acl spec: AUTH
In search specs list 0x829c62480,name 127.0.0.1
Checking name:127.0.0.1 with specname AUTH
In search specs list 0x829c62480,name 127.0.0.1
Checking name:127.0.0.1 with specname AUTH
The acl spec 127.0.0.1 does not exists!
The required acl spec '127.0.0.1' is missing
Fatal error while parsing config file: "//usr/local/etc/c-icap/c-icap.conf" line: 18
The line is: icap_access allow AUTH 127.0.0.1
...
With the mentioned line commented out the service starts.
"127.0.0.1" is not from configuration GUI - so this line is from standard config.
Starting in debug mode: c-icap -f //usr/local/etc/c-icap/c-icap.conf -N -D -d 9
...
Adding to acl AUTH the data *
In search specs list 0x0,name AUTH
New ACL with name:AUTH and ACL Type: auth
Creating new access entry as allow with specs:
In search specs list 0x829c62480,name AUTH
Checking name:AUTH with specname AUTH
In search specs list 0x829c62480,name AUTH
Checking name:AUTH with specname AUTH
Added acl spec: AUTH
In search specs list 0x829c62480,name 127.0.0.1
Checking name:127.0.0.1 with specname AUTH
In search specs list 0x829c62480,name 127.0.0.1
Checking name:127.0.0.1 with specname AUTH
The acl spec 127.0.0.1 does not exists!
The required acl spec '127.0.0.1' is missing
Fatal error while parsing config file: "//usr/local/etc/c-icap/c-icap.conf" line: 18
The line is: icap_access allow AUTH 127.0.0.1
...
With the mentioned line commented out the service starts.
"127.0.0.1" is not from configuration GUI - so this line is from standard config.
4
Virtual private networks / Re: IPv6 over openVPN is broken in 22.7.7
« on: November 10, 2022, 09:01:29 am »
After cloning a 22.7.6 system again and direct upgrade to 22.7.7_1 IPv6 works as expected.
5
Virtual private networks / Re: Allow User to create own OTP seed
« on: November 08, 2022, 11:13:46 am »
Solved: there is a new setting
System / Settings / Administration : User OTP seed
System / Settings / Administration : User OTP seed
6
Virtual private networks / Re: IPv6 over openVPN is broken in 22.7.7
« on: November 04, 2022, 10:10:14 am »
I test the update on a copy of another system with different IPs.
I changed ovpn-linkup according to the hotfix and restarted the ovpn server.
Interface and routing looks the same on both systems. Here the updated version:
# ifconfig ovpns1
ovpns1: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::70f9:5bf:be20:a07a%ovpns1 prefixlen 64 scopeid 0x7
inet6 fd00:0:ac:d1::1 prefixlen 64
inet 172.16.38.1 --> 172.16.38.2 netmask 0xffffff00
groups: tun openvpn
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 41745
# route -n6 show fd00:0:ac:d1::1
route to: fd00:0:ac:d1::1
destination: fd00:0:ac:d1::1
fib: 0
interface: lo0
flags: <UP,HOST,DONE,STATIC,PINNED>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 16384 1 0
# route -n6 show fd00:0:ac:d1::125
route to: fd00:0:ac:d1::125
destination: fd00:0:ac:d1::
mask: ffff:ffff:ffff:ffff::
fib: 0
interface: ovpns1
flags: <UP,DONE,PINNED>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1500 1 0
# tcpdump -ni ovpns1 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns1, link-type NULL (BSD loopback), capture size 262144 bytes
09:53:02.526654 IP6 fd00:0:ac:d1::125 > fd00:0:ac:d1::1: ICMP6, echo request, seq 44, length 40
09:53:07.140131 IP6 fd00:0:ac:d1::125 > fd00:0:ac:d1::1: ICMP6, echo request, seq 45, length 40
09:53:12.135485 IP6 fd00:0:ac:d1::125 > fd00:0:ac:d1::1: ICMP6, echo request, seq 46, length 40
^C
So traffic from the client arrives but is not answered.
Also tested applying the hotfix and rebooting.
I changed ovpn-linkup according to the hotfix and restarted the ovpn server.
Interface and routing looks the same on both systems. Here the updated version:
# ifconfig ovpns1
ovpns1: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::70f9:5bf:be20:a07a%ovpns1 prefixlen 64 scopeid 0x7
inet6 fd00:0:ac:d1::1 prefixlen 64
inet 172.16.38.1 --> 172.16.38.2 netmask 0xffffff00
groups: tun openvpn
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 41745
# route -n6 show fd00:0:ac:d1::1
route to: fd00:0:ac:d1::1
destination: fd00:0:ac:d1::1
fib: 0
interface: lo0
flags: <UP,HOST,DONE,STATIC,PINNED>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 16384 1 0
# route -n6 show fd00:0:ac:d1::125
route to: fd00:0:ac:d1::125
destination: fd00:0:ac:d1::
mask: ffff:ffff:ffff:ffff::
fib: 0
interface: ovpns1
flags: <UP,DONE,PINNED>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1500 1 0
# tcpdump -ni ovpns1 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpns1, link-type NULL (BSD loopback), capture size 262144 bytes
09:53:02.526654 IP6 fd00:0:ac:d1::125 > fd00:0:ac:d1::1: ICMP6, echo request, seq 44, length 40
09:53:07.140131 IP6 fd00:0:ac:d1::125 > fd00:0:ac:d1::1: ICMP6, echo request, seq 45, length 40
09:53:12.135485 IP6 fd00:0:ac:d1::125 > fd00:0:ac:d1::1: ICMP6, echo request, seq 46, length 40
^C
So traffic from the client arrives but is not answered.
Also tested applying the hotfix and rebooting.
7
Virtual private networks / IPv6 over openVPN is broken in 22.7.7
« on: November 03, 2022, 06:41:10 pm »
After upgrade the client gets an IPv6 address as before but cannot connect over IPv6.
8
Virtual private networks / Allow User to create own OTP seed
« on: November 03, 2022, 05:03:54 pm »
We use password + OTP for openVPN connection. Our user have an OTP app on their smartphone. To create a new seed we have all user in a group with this assigned privileges:
Type Name
GUI Diagnostics: Authentication
GUI System: User Password Manager
First is to test the login after creating the OTP seed, allowed by the second privilege.
I don't know the last working version but in 22.7.6 and 22.7.7 the passord manager page has no OTP generator button.
The business version 22.4.3 offers the OTP generation.
Is there a new privilege we have to grant for this?
Will it also disappear after upgrading the business version?
Some workaround?
Type Name
GUI Diagnostics: Authentication
GUI System: User Password Manager
First is to test the login after creating the OTP seed, allowed by the second privilege.
I don't know the last working version but in 22.7.6 and 22.7.7 the passord manager page has no OTP generator button.
The business version 22.4.3 offers the OTP generation.
Is there a new privilege we have to grant for this?
Will it also disappear after upgrading the business version?
Some workaround?
9
Web Proxy Filtering and Caching / Successor for os-web-proxy-useracl
« on: July 28, 2022, 02:24:30 pm »
Due to the release notes for 22.7 this extension is no longer available. Does anybody know an alerantive or a workaround for this?
10
22.1 Legacy Series / Re: no NAT after Upgrade to 22.4.2 / 22.1.10
« on: July 11, 2022, 05:59:46 pm »
I imported the configuration in a fresh installed 2.1.10 with cluster IPs deleted.
On this system NAT works.
On this system NAT works.
11
22.1 Legacy Series / no NAT after Upgrade to 22.4.2 / 22.1.10
« on: July 11, 2022, 12:05:54 pm »
I use a Cluster as VPN Gateway. The master is a Business Ed. and the backup system is a CE.
After Upgrade access to DMZ/Internet from VPN or LAN arrived the DMZ with the private sender address (no NAT).
I used "manuell NAT" to the cluster IP, but also tried "automatic NAT".
Switching to the backup system with same Problem. Backup system was not activated with 22.1.9 - I assume the problem is also in this version as 22.4.2 is based on it.
Restoring 22.1.8_1 to get the backup system working again.
Is there some known changes that interfere with NAT?
After Upgrade access to DMZ/Internet from VPN or LAN arrived the DMZ with the private sender address (no NAT).
I used "manuell NAT" to the cluster IP, but also tried "automatic NAT".
Switching to the backup system with same Problem. Backup system was not activated with 22.1.9 - I assume the problem is also in this version as 22.4.2 is based on it.
Restoring 22.1.8_1 to get the backup system working again.
Is there some known changes that interfere with NAT?
12
Web Proxy Filtering and Caching / Shallalist service closed
« on: January 17, 2022, 02:21:35 pm »
The download results in:
Quote
Shalla Secure ServicesAny suggestions for a replacement?
Shalla's Blacklists
No access
We have closed our service.
Pages: [1]