Messages - authelia

#1
Thanks. I have put a SNAT workaround on my DHCP servers so DHCPOFFER messages appear to come from the DHCPrelay address. DHCPOFFER messages were being dropped because the source didn't match the DHCPrelay address config.

Quote from: franco on May 29, 2024, 08:42:27 AM
The patch fixes an endless loop in the packet capture. It's not a "functional" fix or it could also mean your setup is incorrect.
#2
Thanks for the patch. Unfortunately, DHCP relay is still not working for me.
I can see the DHCP responses from the server but these are not appearing on the correct interfaces.

root@OPNsense:/var/log/system # tcpdump -i igc1_vlan20 udp port 67 or port 68
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igc1_vlan20, link-type EN10MB (Ethernet), capture size 262144 bytes
16:23:01.335025 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b6:b7:dc:11:41:9a (oui Unknown), length 300
16:23:09.951942 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b6:b7:dc:11:41:9a (oui Unknown), length 300
16:23:18.588958 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b6:b7:dc:11:41:9a (oui Unknown), length 300
16:23:26.376540 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b6:b7:dc:11:41:9a (oui Unknown), length 300
16:23:34.825601 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b6:b7:dc:11:41:9a (oui Unknown), length 300
16:23:44.910245 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b6:b7:dc:11:41:9a (oui Unknown), length 300

Quote from: franco on May 27, 2024, 01:16:37 PM
https://github.com/opnsense/core/issues/7471#issuecomment-2133085251

feedback on the latest binary is welcome...
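The capture above shows the relay segment from the client's side: repeated requests and, within the window shown, no server reply appearing on the interface at all. As an added example (not code from the thread, and not part of OPNsense), the script below parses lines in the format `tcpdump -i <if> udp port 67 or port 68` prints, counts requests per client MAC, counts server replies, and flags replies whose source address is not one the relay is configured to accept, which is the mismatch the SNAT workaround in post #1 addresses. The request lines are the ones from the capture above; the two reply lines, the relay address 192.168.20.254 and the server addresses 10.0.0.5 and 10.0.0.6 are constructed for the example.

```python
"""Added example: triage a DHCP relay capture (tcpdump, no -v) for
missing or wrongly-sourced server replies.  Sample reply lines and the
addresses in them are constructed, not taken from the thread."""
import re
from collections import Counter

# Client -> server lines: tcpdump prints the client MAC for Requests.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.bootpc > (?P<dst>[\d.]+)\.bootps: "
    r"BOOTP/DHCP, Request from (?P<mac>[0-9a-f:]{17})"
)
# Server -> relay/client lines: source port is bootps; destination is
# bootps when the packet is addressed to a relay, bootpc for a client.
REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.bootps > (?P<dst>[\d.]+)\.bootp[cs]: "
    r"BOOTP/DHCP, Reply"
)


def analyze(lines, expected_servers):
    """Summarise one interface's capture.

    expected_servers: the server addresses the relay is configured with.
    A Reply whose source is not in that set is the kind of packet a relay
    drops, which is what the SNAT workaround in the thread papers over."""
    requests = Counter()   # client MAC -> number of requests seen
    replies = []           # (timestamp, src, dst) for every server reply
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            requests[m["mac"]] += 1
            continue
        m = REPLY_RE.match(line)
        if m:
            replies.append((m["ts"], m["src"], m["dst"]))

    unexpected = sorted({src for _, src, _ in replies if src not in expected_servers})
    # Heuristic: a client that has retried three or more times while no
    # reply at all crossed the interface is not getting its OFFER back.
    starving = sorted(mac for mac, n in requests.items() if n >= 3 and not replies)
    return {
        "requests": dict(requests),
        "reply_count": len(replies),
        "unexpected_sources": unexpected,
        "starving_clients": starving,
    }


# Request lines as posted in the thread.
SAMPLE_CAPTURE = """\
16:23:01.335025 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b6:b7:dc:11:41:9a (oui Unknown), length 300
16:23:09.951942 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b6:b7:dc:11:41:9a (oui Unknown), length 300
16:23:18.588958 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b6:b7:dc:11:41:9a (oui Unknown), length 300
""".splitlines()

# Constructed reply lines: one from the configured server, one from a
# second address the relay is not configured for.
SAMPLE_WITH_REPLIES = SAMPLE_CAPTURE + [
    "16:23:19.000100 IP 10.0.0.5.bootps > 192.168.20.254.bootps: BOOTP/DHCP, Reply, length 300",
    "16:23:19.000500 IP 10.0.0.6.bootps > 192.168.20.254.bootps: BOOTP/DHCP, Reply, length 300",
]

if __name__ == "__main__":
    for name, capture in (("no replies", SAMPLE_CAPTURE), ("with replies", SAMPLE_WITH_REPLIES)):
        print(name, analyze(capture, expected_servers={"10.0.0.5"}))
```

Feed it `tcpdump -l -n ... | python3 dhcp_triage.py` style output or a saved text capture; an empty `reply_count` with a populated `starving_clients` list points at the relay (or the path back from the server), while a non-empty `unexpected_sources` list points at a server-address mismatch on the relay configuration.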
#3
Are there further commands I can issue to troubleshoot? The ones below don't seem to show much.

In my case, igc0 = WAN, igc1 = LAN (trunk)

Thanks.


root@OPNsense:~ # opnsense-log | grep rc.linkup
root@OPNsense:~ #
root@OPNsense:~ # dmesg | grep link.state
igc0: link state changed to UP
igc1: link state changed to UP
lo0: link state changed to UP
igc1: link state changed to DOWN
igc0: link state changed to DOWN
igc1: link state changed to UP
igc1_vlan50: link state changed to UP
igc1_vlan20: link state changed to UP
igc1_vlan40: link state changed to UP
igc0: link state changed to UP
igc0: link state changed to DOWN
igc0: link state changed to UP
#4
As a follow-up, I am also experiencing issues with DHCP relay since the upgrade to 24.1.6. Previously, DHCP relay was working.

This is the current status:


  • I am not using Hyper-V
  • Everything is on physical devices.
  • DHCP guard is not enabled.
  • As a workaround, I have enabled DHCPv4 on OPNsense

Thank you.
#5
Quote from: franco on April 30, 2024, 04:05:36 PM
As a data point it would help to know if this is a version before 24.1.6 or if this started with 24.1.6. If we don't have these data points it's harder to narrow this down (even if it is just a configuration hiccup).

This problem occurs only after 24.1.6.


  • I am not using Hyper-V
  • Everything is on physical devices.
  • DHCP guard is not enabled.
  • As a workaround, I have enabled DHCPv4 on OPNsense
#6
Quote from: Patrick M. Hausen on April 29, 2024, 06:13:14 PM
Why would the DHCP relay contact the server with a source address of .20.254 (VLAN 20)?

This is the behaviour that I see when DHCP Relay is enabled. It uses the interface of VLAN20 as the source.

Similar to OP, DHCP relay is also no longer working for me since upgrading to 24.1.6.

#7
22.7 Legacy Series / Re: HAProxy Virtual IP Bind Issue
August 30, 2022, 06:57:12 AM
As advised, I have also cross posted on the original support thread.
#8
I am trying to follow the instructions to enable HAProxy for internal domains. However, I can't seem to get the frontend listener for the virtual ip to work. Service binding is disabled for the virtual ip.

When the frontend listener for the virtual ip is enabled:

1. haproxy cannot start (when webgui is running).
2. webgui cannot start (when haproxy is running).

I have tried various things such as assigning the virtual ip from a brand new subnet etc. However the frontend listener for virtual ip seems to conflict with lighttpd no matter what I do. The only way I can get both services to start is to remove the virtual ip from /var/etc/lighty-webConfigurator.conf.

Virtual IP in LAN Subnet (192.168.1.0/24)


root@OPNsense:~ # sockstat -4 -l | grep lighttpd
root     lighttpd   28364 6  tcp4   192.168.1.65:443      *:*
root     lighttpd   28364 8  tcp4   192.168.1.1:443       *:*
root     lighttpd   28364 10 tcp4   192.168.1.65:80       *:*
root     lighttpd   28364 12 tcp4   192.168.1.1:80        *:*
root     sshd       84263 5  tcp4   192.168.1.1:22        *:*

root@OPNsense:~ # /usr/local/etc/rc.d/haproxy start
Starting haproxy.
[ALERT]    (2036) : Starting frontend 1_HTTP_frontend: cannot bind socket (Can't assign requested address) [192.168.1.65:80]
[ALERT]    (2036) : Starting frontend 1_HTTPS_frontend: cannot bind socket (Can't assign requested address) [192.168.1.65:443]
[ALERT]    (2036) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy

Virtual IP in Brand New Subnet (192.168.10.0/32)


root@OPNsense:~ # /usr/local/etc/rc.restart_webgui
Starting web GUI...done.
Generating RRD graphs...done.

root@OPNsense:~ # sockstat -4 -l | grep lighttpd
root     lighttpd   64654 6  tcp4   192.168.10.65:443     *:*
root     lighttpd   64654 8  tcp4   192.168.1.1:443       *:*
root     lighttpd   64654 10 tcp4   192.168.10.65:80      *:*
root     lighttpd   64654 12 tcp4   192.168.1.1:80        *:*
root     sshd       84263 5  tcp4   192.168.1.1:22        *:*

root@OPNsense:~ # /usr/local/etc/rc.d/haproxy start
Starting haproxy.
[ALERT]    (18033) : Starting frontend 1_HTTP_frontend: cannot bind socket (Address already in use) [192.168.10.65:80]
[ALERT]    (18033) : Starting frontend 1_HTTPS_frontend: cannot bind socket (Address already in use) [192.168.10.65:443]
[ALERT]    (18033) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
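The two failure modes in the output above are different kernel errors: "Can't assign requested address" means the address HAProxy was asked to bind is not configured on any interface at that moment, while "Address already in use" means another socket (here lighttpd's) already owns the address and port. As an added example (not code from the thread, OPNsense or HAProxy), the script below parses `sockstat -4 -l` output and predicts, for each frontend bind HAProxy wants, which of the two errors it would hit, or whether it is clear. The listener lines are the ones posted above; the `local_addresses` sets are constructed assumptions about which addresses were configured on the box at bind time.

```python
"""Added example: predict HAProxy bind failures from 'sockstat -4 -l'.
Listener lines come from the thread; interface-address sets are
constructed assumptions."""
import re

# One line of sockstat output: USER COMMAND PID FD PROTO LOCAL FOREIGN
SOCKSTAT_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<fd>\d+)\s+"
    r"(?P<proto>tcp4|udp4)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
)


def parse_listeners(lines):
    """Return [(cmd, pid, ip, port)] for every tcp4 listening socket."""
    listeners = []
    for line in lines:
        m = SOCKSTAT_RE.match(line)
        if not m or m["proto"] != "tcp4":
            continue
        ip, port = m["local"].rsplit(":", 1)   # "*:80" -> ("*", "80")
        listeners.append((m["cmd"], int(m["pid"]), ip, int(port)))
    return listeners


def classify_bind(ip, port, listeners, local_addresses):
    """Mirror the two errors in the thread.

    'unassigned'      -> ip is not on any interface (Can't assign requested address)
    'in-use:cmd[pid]' -> a listener already owns ip:port, or the wildcard
                         address on that port (Address already in use)
    'ok'              -> nothing stands in the way
    """
    if ip != "*" and ip not in local_addresses:
        return "unassigned"
    for cmd, pid, lip, lport in listeners:
        if lport == port and (lip == ip or lip == "*" or ip == "*"):
            return f"in-use:{cmd}[{pid}]"
    return "ok"


def check_frontends(wanted, sockstat_lines, local_addresses):
    """wanted: [(ip, port)] binds HAProxy will attempt; returns {'ip:port': verdict}."""
    listeners = parse_listeners(sockstat_lines)
    return {f"{ip}:{port}": classify_bind(ip, port, listeners, local_addresses)
            for ip, port in wanted}


# sockstat output from the thread, virtual IP inside the LAN subnet.
SOCKSTAT_LAN_CASE = """\
root     lighttpd   28364 6  tcp4   192.168.1.65:443      *:*
root     lighttpd   28364 8  tcp4   192.168.1.1:443       *:*
root     lighttpd   28364 10 tcp4   192.168.1.65:80       *:*
root     lighttpd   28364 12 tcp4   192.168.1.1:80        *:*
root     sshd       84263 5  tcp4   192.168.1.1:22        *:*
""".splitlines()

# sockstat output from the thread, virtual IP in a separate subnet.
SOCKSTAT_NEW_SUBNET_CASE = """\
root     lighttpd   64654 6  tcp4   192.168.10.65:443     *:*
root     lighttpd   64654 8  tcp4   192.168.1.1:443       *:*
root     lighttpd   64654 10 tcp4   192.168.10.65:80      *:*
root     lighttpd   64654 12 tcp4   192.168.1.1:80        *:*
root     sshd       84263 5  tcp4   192.168.1.1:22        *:*
""".splitlines()

if __name__ == "__main__":
    # Constructed assumption: the VIP was not present on any interface
    # when HAProxy tried to bind, which reproduces the first error.
    print(check_frontends([("192.168.1.65", 80), ("192.168.1.65", 443)],
                          SOCKSTAT_LAN_CASE, {"192.168.1.1"}))
    # Constructed assumption: the VIP is present, but lighttpd grabbed it.
    print(check_frontends([("192.168.10.65", 80), ("192.168.10.65", 443)],
                          SOCKSTAT_NEW_SUBNET_CASE, {"192.168.1.1", "192.168.10.65"}))
```

On a live box, `sockstat -4 -l` provides the listener lines and `ifconfig` the configured addresses; the wildcard rule in `classify_bind` is also the reason the advice in the thread says an HAProxy frontend on 0.0.0.0:80 or 0.0.0.0:443 cannot coexist with the web GUI on its default ports.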
#9
22.7 Legacy Series / Re: HAProxy Virtual IP Bind Issue
August 30, 2022, 06:23:28 AM
Thanks Bunch and Franco for your assistance thus far.

Quote: It is advised to, as we don't know the config of your HAProxy, so we are unable to guess how it failed.

I have added the frontend listener for 0.0.0.0 as per the tutorial. However, as soon as I enable the frontend listener for the virtual ip, haproxy refuses to start.

What I am noticing is that as soon as the webgui starts up, lighttpd binds port 80 and 443 to the virtual ip (even though "Allow Services Binding" option is unchecked).

I even tried using a completely brand new subnet as the new virtual ip (unrelated to any of the interfaces). However, the same symptoms appear.

For example, changing the virtual ip to 192.168.10.65 (from 192.168.1.65 - LAN subnet is 192.168.1.0/24), I see the following as soon as the webgui is restarted.

Virtual IP in LAN Subnet

root@OPNsense:~ # sockstat -4 -l | grep lighttpd
root     lighttpd   28364 6  tcp4   192.168.1.65:443      *:*
root     lighttpd   28364 8  tcp4   192.168.1.1:443       *:*
root     lighttpd   28364 10 tcp4   192.168.1.65:80       *:*
root     lighttpd   28364 12 tcp4   192.168.1.1:80        *:*
root     sshd       84263 5  tcp4   192.168.1.1:22        *:*

root@OPNsense:~ # /usr/local/etc/rc.d/haproxy start
Starting haproxy.
[ALERT]    (2036) : Starting frontend 1_HTTP_frontend: cannot bind socket (Can't assign requested address) [192.168.1.65:80]
[ALERT]    (2036) : Starting frontend 1_HTTPS_frontend: cannot bind socket (Can't assign requested address) [192.168.1.65:443]
[ALERT]    (2036) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy


Virtual IP in Brand New Subnet

root@OPNsense:~ # /usr/local/etc/rc.restart_webgui
Starting web GUI...done.
Generating RRD graphs...done.

root@OPNsense:~ # sockstat -4 -l | grep lighttpd
root     lighttpd   64654 6  tcp4   192.168.10.65:443     *:*
root     lighttpd   64654 8  tcp4   192.168.1.1:443       *:*
root     lighttpd   64654 10 tcp4   192.168.10.65:80      *:*
root     lighttpd   64654 12 tcp4   192.168.1.1:80        *:*
root     sshd       84263 5  tcp4   192.168.1.1:22        *:*

root@OPNsense:~ # /usr/local/etc/rc.d/haproxy start
Starting haproxy.
[ALERT]    (18033) : Starting frontend 1_HTTP_frontend: cannot bind socket (Address already in use) [192.168.10.65:80]
[ALERT]    (18033) : Starting frontend 1_HTTPS_frontend: cannot bind socket (Address already in use) [192.168.10.65:443]
[ALERT]    (18033) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy
#10
22.7 Legacy Series / Re: HAProxy Virtual IP Bind Issue
August 29, 2022, 10:35:00 PM
How can I reverse the wrong patch? Reapplying the same command doesn't seem to work.

Quote: Please make sure that only one of the below statements can be true (if both statements are true, your thing won't work)
1. In HAProxy, one of your frontends is binding to 0.0.0.0:80, or 0.0.0.0:443 or (WAN_IP):80 or (WAN_IP):443
2. In webui, you haven't changed the port and haven't disabled auto redirect, i.e. it's still using port 443 or 80

In my case, only (2) is true. I haven't changed the standard port and HTTP Redirect is unchecked.

Do I still need (1) if I have defined virtual ip?
#11
22.7 Legacy Series / HAProxy Virtual IP Bind Issue
August 29, 2022, 10:12:41 AM
Whenever I add a virtual ip and configure haproxy to listen to it on ports 80/443, I can't start:

1. haproxy (when webui is running) or
2. webui (when haproxy is running)

This issue seems very similar to the one reported for v22.1.

Patch 9a618ba6 doesn't seem to work on OPNsense 22.7.2-amd64.
Error message:

root@OPNsense:/var/log/system # opnsense-patch 9a618ba6
Found local copy of 9a618ba6, skipping fetch.
2 out of 6 hunks failed while patching etc/inc/interfaces.inc


Virtual ip is attached to lo0 with service binding disabled. I was trying to follow the haproxy tutorial