Messages - Blatancy2409

#1
pkg works on 24.1...


root@OPNsense:~ # pkg search -o postfix
opnsense/os-postfix            SMTP mail relay
opnsense/os-postfix-devel      SMTP mail relay
mail/postfix                   Secure alternative to widely-used Sendmail
#2
opnsense-update -bkr 24.7

This did not work. 24.1 booted again, but in an unusable state. I could not even log in to the console. Reverted back using bectl.

I attached the complete console log, but I don't see anything useful there...

Any further advice?

#3
Quote from: newsense on August 31, 2024, 11:40:02 PM

Before anything, make a copy of the config file first.

Since you know how to use bectl, what's the output for this command ?

opnsense-update -bkr 24.7.3


If it exits cleanly asking for a reboot do as it says, ssh in and check for updates to sync the rest of the packages.


Whatever output you can post here - no matter how irrelevant it may seem - could be helpful. This is what I would do anyway before either

a) Franco chimes in with a better solution
OR
b) time is of the essence and installing 24.7 from scratch and importing the config is something that cannot be avoided anymore

I really appreciate you guys looking into this! Thank you!

I know how to use bectl, I'm quite nerdy but on the Linux side of things not bsd :)

As far as I understand, this command triggers the update; why is it 24.7.3, not 24.7_9?

I prepared two USB drives already to install a fresh 24.7, haha, but I really want to avoid the downtime.
#4
Here is the ls:

root@OPNsense:~ # ls -al /var/cache/opnsense-update/
total 10
drwxr-x---  3 root  wheel  3 Aug 31 08:50 .
drwxr-xr-x  6 root  wheel  6 May 28 08:51 ..
drwxr-x---  2 root  wheel  4 Aug 31 08:50 77836


I didn't touch anything in /var
#5
I hooked up the serial console and that's what I see:

After the restart, the update script executes and then complains:

/usr/local/lib/ipsec /usr/local/lib/perl5/5.36/mach/CORE
32-bit compatibility ldconfig path:
done.
>>> Invoking early script 'upgrade'
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/usr/local/sbin/opnsense-update: /var/cache/opnsense-update/.sets.pending/base-freebsd-version/bin/freebsd-version: Permission denied
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing packages-24.7-amd64.tar...
pkg-1.19.2_1: already unlocked
Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries:
pkg-static: wrong architecture: FreeBSD:14:amd64 instead of FreeBSD:13:amd64
pkg-static: repository OPNsense contains packages with wrong ABI: FreeBSD:14:amd64
Processing entries... done
Unable to update repository OPNsense
Error updating repositories!
Rebooting now.
Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 0 0 0 0 0 0 0 done
All buffers synced.
Uptime: 34s
uhub1: detached
uhub0: detached


#6
Nothing unusual. I can try a different mirror.

Will upgrading via serial help?
#7
Sure.

No disk space problems that I can see:

root@OPNsense:~ # df -h
Filesystem                   Size    Used   Avail Capacity  Mounted on
zroot/ROOT/24.1.10_8         207G    2.3G    205G     1%    /
devfs                        1.0K    1.0K      0B   100%    /dev
/dev/gpt/efiboot0            260M    1.8M    258M     1%    /boot/efi
zroot                        205G     96K    205G     0%    /zroot
zroot/usr/home               205G     96K    205G     0%    /usr/home
zroot/var/crash              205G     96K    205G     0%    /var/crash
zroot/var/audit              205G     96K    205G     0%    /var/audit
zroot/tmp                    205G    624K    205G     0%    /tmp
zroot/usr/ports              205G     96K    205G     0%    /usr/ports
zroot/var/mail               205G    136K    205G     0%    /var/mail
zroot/var/log                206G    1.4G    205G     1%    /var/log
zroot/var/tmp                205G    100K    205G     0%    /var/tmp
zroot/usr/src                205G     96K    205G     0%    /usr/src
devfs                        1.0K    1.0K      0B   100%    /var/dhcpd/dev
devfs                        1.0K    1.0K      0B   100%    /var/unbound/dev
/usr/local/lib/python3.11    207G    2.3G    205G     1%    /var/unbound/usr/local/lib/python3.11
/lib                         207G    2.3G    205G     1%    /var/unbound/lib

root@OPNsense:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
zroot   224G  12.3G   212G        -         -    16%     5%  1.00x    ONLINE  -



Health Audit log also looks normal:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.1.10_8 at Sat Aug 31 11:02:32 EDT 2024
>>> Root file system: zroot/ROOT/24.1.10_8
>>> Check installed kernel version
Version 24.1.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 24.1.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-api-backup 1.1
os-ddclient 1.22
os-igmp-proxy 1.5_2
os-iperf 1.0_1
os-mdns-repeater 1.1_1
os-net-snmp 1.5_4
os-nut 1.8.1_2
os-realtek-re 1.0
os-telegraf 1.12.11
os-udpbroadcastrelay 1.0_3
os-upnp 1.5_6
os-wol 2.4_2
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 68 dependencies to check.
Checking packages: ..................................................................... done
***DONE***
#8
I initiated an upgrade from the UI, the system rebooted, and now it's in a weird state of base being from 24.1 and kernel from 24.7:

base   24.1.8   593.6MiB   OPNsense   BSD2CLAUSE   FreeBSD userland set   
kernel   24.7.1   175.2MiB   OPNsense   BSD2CLAUSE   FreeBSD kernel set   
pkg   1.19.2_1   14.9MiB   OPNsense   BSD2CLAUSE   Package manager   


I rolled back to known working 24.1 via bectl and initiated the upgrade again via SSH, and still the same result. Please advise what to do.
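Added example, not from this thread or from the OPNsense project: two small checks that reproduce the diagnosis a reader would make from the output quoted in posts #5 and #8. The first parses the sets table and reports when base and kernel are on different major.minor versions; the second pulls the two ABI strings out of pkg's "wrong architecture" complaint, which in the serial log shows the 24.7 repository (FreeBSD:14 ABI) being refused by the still-24.1 userland (FreeBSD:13 ABI). The sample inputs are constructed from the lines posted above.

```shell
#!/bin/sh
# Constructed from the sets table quoted in post #8.
SETS_SAMPLE='base   24.1.8   593.6MiB   OPNsense   BSD2CLAUSE   FreeBSD userland set
kernel   24.7.1   175.2MiB   OPNsense   BSD2CLAUSE   FreeBSD kernel set
pkg   1.19.2_1   14.9MiB   OPNsense   BSD2CLAUSE   Package manager'

# What a consistent system would look like (constructed).
SETS_CONSISTENT='base   24.7.1   593.6MiB   OPNsense   BSD2CLAUSE   FreeBSD userland set
kernel   24.7.1   175.2MiB   OPNsense   BSD2CLAUSE   FreeBSD kernel set'

# Constructed from the pkg lines in the serial console log of post #5.
PKG_LOG_SAMPLE='pkg-static: wrong architecture: FreeBSD:14:amd64 instead of FreeBSD:13:amd64
pkg-static: repository OPNsense contains packages with wrong ABI: FreeBSD:14:amd64'

# Print "ok" when base and kernel agree on major.minor, "unknown" if one of
# the two sets is missing, otherwise "mismatch base=X kernel=Y".
check_sets() {
    printf '%s\n' "$1" | awk '
        $1 == "base"   { split($2, v, "."); base   = v[1] "." v[2] }
        $1 == "kernel" { split($2, v, "."); kernel = v[1] "." v[2] }
        END {
            if (base == "" || kernel == "") { print "unknown"; exit }
            if (base == kernel) print "ok"
            else print "mismatch base=" base " kernel=" kernel
        }'
}

# Extract "repo=<ABI> local=<ABI>" from pkg's "wrong architecture" line,
# or print "none" when the log contains no such complaint.
check_abi() {
    r=$(printf '%s\n' "$1" \
        | sed -n 's/.*wrong architecture: \([^ ]*\) instead of \([^ ]*\).*/repo=\1 local=\2/p' \
        | head -n 1)
    if [ -n "$r" ]; then echo "$r"; else echo none; fi
}

# Stand-alone run: shows the verdict for the sample data.
check_sets "$SETS_SAMPLE"
check_abi "$PKG_LOG_SAMPLE"
```

On a live box the sets table is what the GUI showed; feed the same two functions the text you copy from there or from the console log. A "mismatch" verdict together with a non-"none" ABI line is the signature of a half-applied upgrade, which is why rolling back to the known-good boot environment with bectl, as done above, is the safe move before retrying.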
#9
I'm wondering how to properly set up a VPN split tunnel that works by the domain name, not by resolved IP address. Let me explain what I mean:

I use mullvad VPN as a gateway for all my traffic. I also created a rule that allows several websites to bypass the VPN and use the default ISP gateway. That's how I can access websites blocking VPNs, like banking apps and chatGPT (haha).

The problem with that setup is the rules are applied by IP address not by the domain name. That results in two unwanted effects:
1. If a domain points to some CDN the whole CDN traffic will bypass the VPN traffic, and I can leak my IP address for the websites that are not on the VPN bypass list
2. If a website uses DNS round-robin, there could be a situation when opnsense and a client resolve the domain to different IPs and the client request is not bypassed and I'm getting blocked. (chatGPT does this all the time)

To overcome this, I created a POC, which works, but it's hard to scale.

1. Started dnsmasq on some random port (not 53)
2. Write a NAT rule to map DNS requests from my machines to this port

Then for each domain I need to add bypass I add the following rules:

3. Add a rule to override the domain name I want to bypass to some random IP address
4. Add a NAT rule to map HTTP and HTTPS ports on this


And this works. There are however two problems that I cannot overcome:
1. I have to maintain two DNS services since my local machine needs to resolve the overridden domain names, but opnsense itself needs to resolve the public IP address. This is not ideal.
2. I need to manually add a domain override and a NAT rule for each of the domains. (not that a big deal, but annoying)


Am I overthinking this? Is there a simpler way to achieve this? My biggest annoyance is that I have to have two DNS servers.
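Added example, not from this thread: a generator for the per-domain overrides of the POC above, addressing the second problem (adding an override and a NAT key by hand for every domain). Each bypass domain gets its own dummy address out of 198.18.0.0/15, which is the RFC 2544 benchmarking range and a choice made for this example so that the dummies cannot collide with real LAN or Internet addresses; the dnsmasq line format `address=/<domain>/<ip>` is dnsmasq's own. The domain list is constructed.

```shell
#!/bin/sh
# Constructed list of domains that should bypass the VPN (one per line).
BYPASS_DOMAINS='bank.example
chat.example
shop.example'

# Emit one dnsmasq override per domain. The n-th domain gets 198.18.0.n,
# so the dummy address doubles as the key for that domain's NAT rule.
# (Supports up to 254 domains in this form; extend to 198.18.x.y if needed.)
gen_dnsmasq_overrides() {
    printf '%s\n' "$1" | awk 'NF { n++; printf "address=/%s/198.18.0.%d\n", $1, n }'
}

# Reverse lookup used when reading firewall logs: which bypass domain does a
# dummy destination address belong to? Prints "unknown" if none matches.
dummy_to_domain() {
    hit=$(gen_dnsmasq_overrides "$1" | awk -F/ -v ip="$2" '$3 == ip { print $2 }')
    if [ -n "$hit" ]; then echo "$hit"; else echo unknown; fi
}

# True (exit 0) when an address is inside the dummy range 198.18.0.0/15.
in_dummy_range() {
    case "$1" in
        198.18.*|198.19.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: print the dnsmasq config fragment for the sample list.
gen_dnsmasq_overrides "$BYPASS_DOMAINS"
```

Keeping the dummy addresses in a range that is never routable on the Internet is the part that matters for safety: if a NAT rule is ever missing or mistyped, traffic to the dummy goes nowhere instead of silently leaving through the ISP gateway, and `in_dummy_range` lets a log parser separate "bypass path" flows from everything else.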
#10
What I did (if someone finds this in Google):

1. Generate a ULA (unique local address) here https://dnschecker.org/ipv6-address-generator.php
2. Create a Virtual IP and assign it to the loopback interface. Not to worry if the UI shows a /32 subnet when you enter an IP in the Virtual IP field, it switches to the IPv6 format right after you enter an IPv6 address. Using the generated prefix above I entered an IP something like this: fd7f:a69c:b042:48ab::beef/64
3. In the NAT rule use fd7f:a69c:b042:48ab::beef as the redirect target IP
4. At this point NAT forwarding should work, one can check it from one of the machines in your network:

$ dig @fd:: AAAA google.com

If the above works, the DNS queries are forwarded to your unbound.

5. But that's not all! As fd7f:a69c:b042:48ab::beef is a perfectly valid IPv6 address, your opnsense box can be accessed by this address from ANY downstream network. Yes, you can access a loopback interface from an external network, IPv6 is weird... Technically you can generate a random address and since nobody knows it, you should be good. But security by obscurity is not the way to go!
6. What you should do is block all ULAs in your "Allow internet rule" in the same way as you are blocking RFC1918 addresses for IPv4. Create an alias called ULA with the value fd00::/8. Then allow all IPv6 traffic except the ULA group.
7. If you ever use ULA for local stuff, just add additional rules for the ULA subnets you use.


PS. IPv6 is freaking hard. There is not much info on the interwebs, especially for hobbyists like myself. I'm glad that I can use the external IPv6 internet from all of my networks. Will I use it for the local stuff? Probably not, I don't see much value, honestly. The only benefit is that I will never experience a local address collision with some other networks. But again, it is probably almost impossible to go IPv6 only (not all devices support IPv6), but supporting a dual stack is a pain with no real benefit.
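Added example, not from this thread: the two pieces of post #10 that can be done without a web page. `gen_ula_prefix` builds an RFC 4193 prefix locally (fd + 40 random bits as the Global ID, giving a /48), and `is_ula` tests whether an address falls in the fd00::/8 alias from step 6, which is what the "allow IPv6 except ULA" rule keys on. The post's own address fd7f:a69c:b042:48ab::beef is used as sample input; `ipv6_out_verdict` is a hypothetical name for the rule's decision, added for illustration.

```shell
#!/bin/sh
# RFC 4193: a ULA prefix is fd00::/8 followed by a 40-bit random Global ID,
# i.e. fdXX:XXXX:XXXX::/48. Draw the 5 random bytes from /dev/urandom.
gen_ula_prefix() {
    gid=$(od -An -tx1 -N5 /dev/urandom | tr -d ' \n')
    printf 'fd%s:%s:%s::/48\n' \
        "$(printf '%s' "$gid" | cut -c1-2)" \
        "$(printf '%s' "$gid" | cut -c3-6)" \
        "$(printf '%s' "$gid" | cut -c7-10)"
}

# Exit 0 when an address or prefix lies in fd00::/8. The first 16-bit group
# must read fdxx: in text form; note that a compressed "fd::" means 00fd::
# and is NOT a ULA, which the pattern handles by requiring two more hex digits.
is_ula() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$addr" in
        fd[0-9a-f][0-9a-f]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decision of the outbound rule "pass IPv6 to any except alias ULA" for one
# destination address: "block" for ULA destinations, "pass" otherwise.
ipv6_out_verdict() {
    if is_ula "$1"; then echo block; else echo pass; fi
}

# Stand-alone run: mint a prefix and show the verdict for the post's address.
echo "generated prefix: $(gen_ula_prefix)"
echo "fd7f:a69c:b042:48ab::beef -> $(ipv6_out_verdict fd7f:a69c:b042:48ab::beef)"
echo "2001:db8::1 -> $(ipv6_out_verdict 2001:db8::1)"
```

The alias value fd00::/8 mirrors the post; the full ULA block in RFC 4193 is fc00::/7, but only the fd00::/8 half is defined for locally generated prefixes, so fd00::/8 is what a firewall alias needs to cover today. Generating the prefix on the box itself also avoids sending the address you intend to keep private to a third-party web service.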
#11
Worked with ULA. This is REALLY not obvious....
#12
In my IPv4 networks, I map all outgoing DNS requests to the local unbound server.

I recreated the same NAT rule for IPv6, but it does not appear to work. There is even nothing in the logs.

I also checked that unbound is listening on ::1 locally by logging into the OPNsense shell and executing dig from there.

Edit: when the rule is active, no external IPv6 DNS servers are working either. So opnsense does intercept traffic but fails to redirect it to the loopback interface for some reason.

#13
Interesting idea, cross-blocking IPv6 between the VLANs, thanks!
#14
I have two VLANs, one for trusted devices (VLAN1) and one for my IoT stuff that I don't trust entirely (VLAN2). My IPv4 rules have always allowed all traffic from VLAN1 to VLAN2 and allowed certain VLAN2 UDP traffic to VLAN1.

Now my provider finally got me an IPv6 prefix. I set up IPv6 for my VLAN1 via WAN interface tracking. I also added a broad firewall rule allowing all outbound IPv6 connections on VLAN1. So far so good, I can access the IPv6 internet from VLAN1.

However, there are obvious problems with this setup:

1. Opnsense box itself receives an IPv6 address. Now it's wide open from VLAN1. How do I restrict it? In the IPv4 world, I can restrict RFC1918 and therefore limit access to internal devices. I cannot just block the current opnsense address because the provider may change the prefix at a later time.

2. The same problem I have for my VLAN2. How do I tell opnsense to block traffic from VLAN2 to VLAN1 if both have global IPv6 addresses and the prefix can be changed?