Messages

1

General Discussion / Forum login timeout very aggressive?

« on: November 20, 2024, 11:45:06 pm »

Didn't see a subforum dedicated to actual forum usage questions so this seemed like the best spot.

Is the forum login timeout very aggressive for everyone, or is it just me? I haven't been able to determine the exact value, but compared to most forums it seems much more aggressive than typical; pretty much if I leave the tab idle for a little while and then come back to it, I can pretty much be assured I'll have been logged out and will have to log back in.

Just wondering if this is intentional and if so, why.

2

24.7 Production Series / Re: System: Trust: Certificates: Show certificate info

« on: November 18, 2024, 11:02:46 pm »

I'm seeing the same thing. I went to the certificates page because I was intending to modify my cipher list and wanted to double check what how all the existing certs were keyed.

However, the "show certificate info" buttons don't do anything, nor do the "Download" buttons.

Versions
OPNsense 24.7.8-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

3

General Discussion / Re: haproxy won't start after WAN IP change

« on: October 11, 2024, 11:41:16 pm »

Finally figured it out. Stepped back, reread my post, and went back to review the basics.

Wrong IP was copied, didn't match the actual IP of the interface. Fixed that, it's working again.

When your eyes are crossing, take a break and start from step 1.

4

General Discussion / haproxy won't start after WAN IP change

« on: October 11, 2024, 04:05:41 pm »

Alright, seriously need some help, been banging my head against the wall on this yesterday. Will try to break it down as clearly as possible.

Background: I have haproxy routing traffic to a few resources inside my network. My original config had the front ends bound to the WAN IP address on ports 80 and 443 (and the opnsense web UI available locally on the private IP on ports 80/443). Running OPNsense 24.7.4 currently but the haproxy config has been in place for a while now.

Apparently, something happened with my internet provider the night before last and my WAN IP changed (unbeknownst to me). I noted those internal resources were down from external traffic (I have freshping monitors pointed at them) but it was nothing critical so I waited till yesterday to investigate.

First thing I noticed was that haproxy wasn't running. When I would start the service from the UI, it would spin for a moment, then just return to stopped status. Then I noticed the WAN IP was different, so I did the following:

Updated my HTTP and HTTPS front ends in haproxy to bind to the new WAN IP on ports 80 and 443 respectively.

Updated the public DNS records for those internal resources in Route53 to point to the new public IP (I previously had this setup to update automatically, but was caught out by the drop in support for dyndns and haven't set up a ddclient replacement yet).

I thought that would be it, but nope...haproxy service still fails to start. Nothing writing to the haproxy log either. Did some reading, seeing suggestions to try binding to 0.0.0.0 instead. Try that, whoops locked myself out of the web UI due to the port conflict.

SSH in, kill haproxy, log back into the web UI, change the web UI port to 4443, try restarting haproxy with the front ends bound to 0.0.0.0 again. Yay, haproxy starts! But...my freshping monitors don't come back up, and I can't hit those internal resources from outside either.

Did some more reading, checked the port bindings, noted that the opnsense web UI was still binding to port 80, and thought maybe that was an issue. Disabled the HTTP redirect option in opnsense, confirmed it was no longer binding to port 80, bounced the haproxy service, still no traffic reaching the internal resources. Tried rebinding back to the (new) WAN IP just to see if the other changes I'd made would allow the service to start, but no, back to the service failing to start (and still nothing writing to the haproxy log).

To summarize, after a WAN IP change, I am stuck between two nonfunctional configs:

Binding to the new WAN IP, the haproxy service fails to start

Binding to 0.0.0.0, the haproxy service starts but no traffic appears to be successfully routed to those internal resources

Appreciate any thoughts on what to look at or investigate next. I can share my cfg file here if that will help.

5

General Discussion / Re: configd service not starting after upgrade to 21.1.9

« on: September 02, 2024, 12:47:16 am »

So this afternoon I snagged one of my backup devices, loaded OPNsense 24.7, restored my backup config...and it seemed like everything just worked? No apparent issues so I swapped that out with the production router, upgraded to 24.7.3, added my plugins back in (mostly*), tested a few things to confirm, and then started reimaging the prod device to 24.7 and restored my backup. Swapped them back, upgraded prod to 24.7.3 and added my plugins, and it looks like everything is solid. And I've got my backup ready again on the current version should I need to swap back out for any reason.

* I had forgotten that os-dyndns was deprecated and was sad to see it was finally removed. Will have to do some reading to see what a good dynamic DNS client replacement would be.

6

General Discussion / Re: configd service not starting after upgrade to 21.1.9

« on: September 01, 2024, 01:39:26 am »

Appreciate both replies.

I can definitely bring it back to my bench to access the console directly, but I wouldn't have an easy way of giving it internet access at the same time, unfortunately. So the only real purpose would be diagnostic/manual repair.

I very much considered just reimaging to 24.7 and restoring a config (even before encountering an issue, since it would save so much time), but my main concern was the compatibility of a config backup file over that large of a gap. I searched a bit but couldn't find anything definitive regarding forward-compatibility of backups.

I suppose it wouldn't hurt anything to test. I could reimage on 24.7, try the backup restore, and if things go sideways, just reimage back to 21.1 or 21.7 where it seemed like things were fine and restore my existing backups from those versions.

7

General Discussion / configd service not starting after upgrade to 21.1.9

« on: September 01, 2024, 12:38:18 am »

Hey folks, looking for some help getting pointed in the right direction.

Background - I've got a number of OPNsense instances running in various applications, but I'll be up front and admit I have one particular bare-metal install that I have failed to keep updated as the resulting interruption is annoying and if the upgrade goes bad it's a pain to recover. But, after an (unrelated) issue on Friday made some network maintenance necessary, I decided to knock out the upgrades on this instance to bring it back to current version.

It was on 21.1.1 when I started (if I remember correctly) and the first upgrade (to 21.1.7, I believe) went fine. The next upgrade to 21.1.9 is where issues began. When the upgrade completed and the hardware (HP T620 Plus thin client) rebooted, I couldn't access it remotely, and no routing resumed so I'm assuming it was in some bad state. I took it back to my bench, connected a monitor, and it booted up just fine. Tried another power cycle and it was fine again. So I took it back to the network closet, reconnected it, and booted it back up.

Couple minutes later, it's back online so I log in to check things out and prep the next upgrade. That's when I notice that many parts of the GUI load extremely slowly, and in the Services pane of the dashboard it shows that configd is not running. Clicking to start it is not successful.

My first thought was to SSH in and see what was up (and maybe follow some tips from this thread: https://forum.opnsense.org/index.php?topic=14323.0) but when I attempted to, I just got "Access denied" responses for my creds. SSH was working just prior to the upgrade, so I don't think the SSH failure is a configuration problem. As far as I can tell, it's still routing just fine and most other services are running and operational.

Looking for any recommendations on next steps. Thanks in advance.

8

General Discussion / "Firewall Optimization" State Table setting

« on: May 21, 2024, 02:54:00 am »

Firewall > Settings > Advanced > Miscellaneous > Firewall Optimization

Does anyone know what the Normal, High-Latency, Aggressive, and Conservative options actually correlate to in terms of session timeouts? Is that the only thing that controls or does it affect other values as well?

I'm chasing an issue where a persistently-connected application keeps disconnecting. Originally it was happening quite frequently, every 60-70 seconds. After adjusting the Firewall Optimization setting to "Conservative", it's much more stable but still disconnects at regular intervals just over 15 minutes long.

I'd like to know what each of those options actually controls as I have a feeling that somewhere there's a timeout setting that is killing sessions at 900 seconds.

9

Zenarmor (Sensei) / Re: New Sensei install; Dashboard/Reports show no data

« on: January 27, 2022, 04:31:14 pm »

Upgraded OPNsense and Sensei to latest and it seems to be working as expected now.

10

Zenarmor (Sensei) / Re: New Sensei install; Dashboard/Reports show no data

« on: January 26, 2022, 05:23:56 am »

Interesting. So, for some further testing, I tried installing Sensei on an OPNsense VM (running on ESXi) that runs in my internal homelab. OPNsense 21.7.7 and Sensei 1.10.1.

Works perfectly. Only difference (other than versions) is that I did not try Passive Mode, I went straight to Routed Mode (L3 Mode, Reporting + Blocking) with native netmap driver. Other than that, exact same process I followed for my production router.

Would the underlying hardware/host make any difference?

11

Zenarmor (Sensei) / New Sensei install; Dashboard/Reports show no data

« on: January 26, 2022, 04:54:34 am »

OPNsense 20.7.8 on an HP T620+ thin client. Sensei 1.7.1.

I installed Sensei the other day as our oldest child is beginning to use the family computer for a few things and I'm interested in seeing what kind of safety barriers I can enforce.

I referenced a few install guides/videos and the install was straightforward with no issues. I initially selected Passive Mode as I was just curious to see what it would report on, before I attempted to enforce controls. I selected the LAN interface as the protected interface. The Status page shows it's recording bytes/packets in on the interface.

However, the Dashboard, Reports, and even Live Sessions Explorer pages are completely blank. The prebuilt tiles are there, but no data populates.

Out of curiosity, I switched the mode to Routed Mode (L3 Mode, Reporting + Blocking) with native netmap driver, and again, the Status page shows bytes/packets in and out now, but Dashboard, Reports, and Live Sessions Explorer are blank.

What am I overlooking? Happy to provide any specific info that might be helpful in troubleshooting.