Messages - badbroccoli

#1
Quote from: Taunt9930 on May 25, 2025, 01:39:39 PM
Quote from: badbroccoli on October 30, 2024, 11:22:09 PM
Turned out to be a hardware issue, but thanks for your reply!

What was the hardware issue, and did you solve it? I have suddenly started seeing the same.

I wish I knew! I replaced the CMOS battery thinking that could have been it, but no. Memory all tested good. It was an older repurposed SuperMicro motherboard with a power-hungry Xeon and super loud fan... figured something was going bad and so I just ended up getting a DEC850. No regrets there.

The most obvious symptom was that the "sources" pane of the chrony service would show delays/skews of 400-600ms+ for all the sources, even if pinging them directly would take only 20-40ms.
#2
Greetings all,

I recently wrote a PowerShell script to assist with migrating my OPNSense implementation from ISC DHCP to DNSMasq DHCP and wanted to share it here in case it can help anyone else.

The script ingests an OPNSense backup XML and converts the enabled ISC DHCP and DHCPv6 scopes into DNSMasq ranges and creates DNSMasq host entries for each ISC static mapping found in the enabled scopes. Currently it also adds NTP Server and Domain options for the ranges if they are configured in the ISC scopes.

Happy to review pull requests / issues if there are any improvements that can be made to make this more widely beneficial.

Cheers!

https://github.com/dreary-ennui/Convert-OPNSenseISCDHCPtoDNSMasqDHCP
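The conversion the post describes, as an added Python example that is not the author's PowerShell script: it assumes the OPNsense config.xml layout for `<dhcpd>` shown in the constructed sample (enable, range/from, range/to, staticmap, domain, ntpserver per interface) and emits plain dnsmasq.conf directives rather than OPNsense DNSMasq GUI entries.

```python
"""Convert enabled ISC DHCPv4 scopes from an OPNsense backup XML into dnsmasq
directives (assumed layout: dhcpd/<iface>/enable, range, staticmap, domain, ntpserver)."""
import xml.etree.ElementTree as ET

# Constructed sample backup excerpt, not a real configuration.
SAMPLE_XML = """<opnsense>
  <dhcpd>
    <lan>
      <enable>1</enable>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <domain>home.example</domain>
      <ntpserver>192.168.1.1</ntpserver>
      <staticmap><mac>aa:bb:cc:dd:ee:01</mac><ipaddr>192.168.1.10</ipaddr><hostname>nas</hostname></staticmap>
      <staticmap><mac>aa:bb:cc:dd:ee:02</mac><ipaddr>192.168.1.11</ipaddr><hostname>printer</hostname></staticmap>
    </lan>
    <guest>
      <range><from>10.0.0.50</from><to>10.0.0.99</to></range>
      <staticmap><mac>aa:bb:cc:dd:ee:03</mac><ipaddr>10.0.0.5</ipaddr></staticmap>
    </guest>
  </dhcpd>
</opnsense>"""


def text(node, tag):
    """Return the stripped text of child <tag>, or None when absent or empty."""
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else None


def convert(xml_text):
    """Return dnsmasq lines for every enabled ISC scope; disabled scopes are skipped."""
    root = ET.fromstring(xml_text)
    lines = []
    for scope in root.findall("./dhcpd/*"):
        if text(scope, "enable") != "1":
            continue  # ISC scope not enabled: nothing to migrate
        iface, rng = scope.tag, scope.find("range")
        if rng is None:
            continue
        lines.append(f"dhcp-range=set:{iface},{text(rng, 'from')},{text(rng, 'to')}")
        # Carry over the options the ISC scope set: 15 = domain name, 42 = NTP servers.
        if text(scope, "domain"):
            lines.append(f"dhcp-option=tag:{iface},15,{text(scope, 'domain')}")
        if text(scope, "ntpserver"):
            lines.append(f"dhcp-option=tag:{iface},42,{text(scope, 'ntpserver')}")
        for sm in scope.findall("staticmap"):
            mac, ip, host = (text(sm, t) for t in ("mac", "ipaddr", "hostname"))
            if mac and ip:  # a mapping without MAC and IP cannot become a dhcp-host
                lines.append(",".join(filter(None, ["dhcp-host=" + mac, ip, host])))
    return lines
```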
#3
Quote from: doktornotor on September 10, 2024, 08:15:42 PM
Another one for your noise...

https://github.com/opnsense/plugins/pull/4228

Thanks! Subscribed to the issue. Hopefully it can get merged soon.

Edit: Just a few minutes after I posted this it was merged. Woot! Thanks all.
#4
Turned out to be a hardware issue, but thanks for your reply!
#5
hi all - wondering if anyone else is seeing excessive falseticker notifications from chronyd since upgrading to 24.7.7 or if it's just me.

for several months my configuration has been: i have disabled ntpd, chrony is set up on port 123, with several upstream NTS peers.

since 24.7.7, most sources are frequently (talking at least 2-4 log lines per minute of the various upstream going falseticker - i have 5 configured) marked as falsetickers leading to lots of "can't synchronize: no majority" errors. looking back at the logs, it started yesterday, which is when i upgraded to 24.7.7.

seems to come and go - there will be a few minutes where everything is a falseticker, and then a few minutes where everything is syncing fine - using sources and tracking chronyd commands to keep on top of things.

seems to happen even with NTS disabled and using regular pool.ntp.org peers instead of NTS peers.

i also have zenarmor on the box, but not protecting the wan interface opnsense should be using to talk to the peers.

just wondering if anyone else is seeing this, if this is "normal" behavior, or maybe it's an indication my hardware might be dying...  or if i should just buy a gps ntp box?... no idea. perhaps it's just one of my peers being too out of sync with the others and not an opnsense issue at all. seems to be random which ones get marked as falsetickers though, and a lot of times they are all marked as falsetickers.

thanks!
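A quick check over `chronyc sources` output of the kind the two chrony posts above rely on (falseticker marks and large offsets), as an added example that is not from the poster; the sample output is constructed, and the majority test is a simple count heuristic, not chrony's own source-selection algorithm.

```python
"""Parse `chronyc sources` output; flag falsetickers and sources with a large offset."""
import re

# Constructed `chronyc sources` output. State chars are chrony's own:
# '*' synced, '+' combined, '-' excluded, 'x' falseticker, '?' unreachable.
SAMPLE = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^x time.example.org              2   6   377    23   +512ms[ +512ms] +/-  430ms
^x ntp1.example.net              2   6   377    21   -488ms[ -488ms] +/-  470ms
^* ntp2.example.net              2   6   377    19   +210us[ +230us] +/-   25ms
^? ntp3.example.net              0   6     0     -     +0ns[   +0ns] +/-    0ns
^x ntp4.example.net              1   6   377    20   +601ms[ +601ms] +/-  550ms
"""

# mode char, state char, name, stratum, poll, reach, lastrx, then the offset with unit
LINE = re.compile(r"^[\^=#](?P<state>[*+\-x?~])\s+(?P<name>\S+)\s+(?P<stratum>\d+)"
                  r"\s+\S+\s+\S+\s+\S+\s+(?P<offset>[+-]\d+)(?P<unit>ns|us|ms|s)\b")
SCALE = {"ns": 1e-6, "us": 1e-3, "ms": 1.0, "s": 1000.0}  # convert to milliseconds


def parse_sources(output):
    """Return [(name, state, offset_ms)] for each source line; header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = LINE.match(line)
        if m:
            rows.append((m["name"], m["state"], int(m["offset"]) * SCALE[m["unit"]]))
    return rows


def assess(output, max_offset_ms=100.0):
    """Summarise falsetickers, sources over the offset threshold, and a rough majority check."""
    rows = parse_sources(output)
    false = [n for n, s, _ in rows if s == "x"]
    usable = [n for n, s, _ in rows if s in "*+-"]
    drift = [n for n, s, o in rows if s != "?" and abs(o) > max_offset_ms]
    # Heuristic only: more agreeing sources than falsetickers.
    return {"falsetickers": false, "high_offset": drift, "majority": len(usable) > len(false)}
```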
#6
Quote from: sy on April 24, 2024, 08:14:45 PM
Hi,

Sorry for the inconvenience. The team is working on it and the fix will be shipped with 1.17.2 maintenance release.

No problem, thanks for the update!
#7
Quote from: almodovaris on April 24, 2024, 07:08:48 PM
Updated to 1.17.1.

Did this resolve for you with 1.17.1? I have updated to 1.17.1 and am still seeing the issue.
#8
I am seeing the same and have opened a ticket. For me it's impacting all "Live sessions" drill-downs from the reports tab - not just Blocks. If you go to DNS tab, and do "live sessions" on a device there, it will show all that device's traffic and not just DNS traffic from that device, for example.
#9
Quote from: serbans on August 08, 2023, 04:53:38 PM
For me the patch has not corrected the fact that with an external elasticsearch database, I am still unable to see any traffic reports.

Status:
- in the settings/configuration page
    - reporting database - elasticsearch (remote) - cannot be changed either when the engine is running or stopped
    - the field "remote url" does not contain the port information; adding it, it says "saved" and after a page reload it is gone

- in the settings data management page
    - stream reporting data to elasticsearch - I have configured the url and enabled it.

- in the dashboard page
    - regardless of the setting of the stream reporting data to elasticsearch - the setting Reporting database shows "elasticsearch". If I click on start, it shows something starting and there is an elasticsearch locally running on the firewall.

Next step - removing the module completely and installing again.

I will try and open a ticket with Zenarmor as well.

I am having the same issues.

edit: ZA support claims a known issue w/ remote ES and another hotfix will be released today.
#10
Zenarmor (Sensei) / Re: TLS inspection question
January 27, 2023, 01:11:17 AM
Awesome! Looking forward to this.
#11
I have been dealing with an annoyance for several months now. Every time my OPNsense box reboots, IPv6 routing to the internet is broken until I release/renew the WAN interface. Internal routing seems to work just fine. I have a /60 from Comcast. Can be working fine for weeks, do a reboot, IPv4 comes back fine, WAN interface has an IPv6 address, but clients can't route out. Was wondering if anyone has seen similar and knows what the hell is going on, or can point me in the right direction. I've seen others report this but not sure I've seen a solve. Thanks in advance :)

Details:

OPNsense 22.7.10_2-amd64
WAN interface configured for DHCPv6 in Basic mode, with prefix delegation hint sent at /60
Internal clients configured for Track Interface tracking the WAN interface
Router advertisements configured for Managed, router priority High. RA mode "Assisted" also has issue. Advertise default gateway is checked.

Similar thread from pfsense 6 years ago - https://www.reddit.com/r/PFSENSE/comments/6gk5np/issue_with_comcast_ipv6_requires_dhcp/
me@opnsense:/var/etc % cat dhcp6c.conf
interface ixl3 {
  send ia-na 0; # request stateful address
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
  prefix ::/60 infinity;
  prefix-interface vlan0.1.2 {
    sla-id 2;
    sla-len 4;
  };
  prefix-interface igb0 {
    sla-id 0;
    sla-len 4;
  };
};

me@opnsense:/var/etc % cat dhcp6c_wan.conf
interface ixl3 {
  send ia-na 0; # request stateful address
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
  prefix ::/60 infinity;
  prefix-interface vlan0.1.2 {
    sla-id 2;
    sla-len 4;
  };
  prefix-interface igb0 {
    sla-id 0;
    sla-len 4;
  };
};

me@opnsense:/var/etc % cat radvd.conf
# Automatically generated, do not edit
# Generated for DHCPv6 server opt4
interface vlan0.1.2 {
AdvSendAdvert on;
MinRtrAdvInterval 120;
MaxRtrAdvInterval 600;
AdvLinkMTU 1500;
AdvDefaultPreference high;
AdvManagedFlag on;
AdvOtherConfigFlag on;
prefix my:ipv6:prefix:382::/64 {
DeprecatePrefix on;
AdvOnLink on;
AdvAutonomous on;
};
RDNSS fd4e:9ee1:fc79:4db6:a4ab:44ff:feac:c11d {
};
DNSSL lan {
};
};
# Generated config for dhcp6 delegation from wan on lan
interface igb0 {
AdvSendAdvert on;
AdvLinkMTU 1500;
AdvManagedFlag on;
AdvOtherConfigFlag on;
prefix my:ipv6:addr:prefix::/64 {
DeprecatePrefix on;
AdvOnLink on;
AdvAutonomous on;
};
RDNSS my:external:ipv6:address:of:the:wan:interface { };
DNSSL lan { };
};

#12
I filed a bug report over the weekend and today I got the following response:

"The team is working on it to decrease the config change messages. It will be shipped with the upcoming release most probably at next week."

So that's a good sign!
#13
I am also having this issue