Messages

Anyone ?

Anyone else ?

Hi,

I tried updating OPNSense version 25.1 to 25.1.3 but something strange happened during the update process. At first everything went fine and the last thing I noticed in the Web GUI Log was:

Code Select Expand

SECURITY RECOMMENDATION
~~~~~~~~~~~~~~~~~~~~~~~
It is recommended to enable the wpad-related options
at the end of the configuration file (you may need to
copy them from the example file to yours) to fix
CERT Vulnerability VU#598349.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-ctrl-agent.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-dhcp4.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/keactrl.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/reference.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.

After which I got the following error message in the GUI:

Code Select Expand

Danger: Unexpected error, check log for details.
Then it suddenly started downloading OPNSense Kernel 25.1.3 and other packages and installing them. The error was very vague and didn't mentioned anything useful. Any idea which logs I can check to verify what went wrong ? This is a bit concerning, the update took a bit of time to finish and on the surface everything is working fine but I want to diagnose what went wrong during the update, any idea where I can look ?


Thanks

Hi,

I'm fairly new to OPNSense and was wondering how you diagnose slow network speeds to pinpoint what's at fault, like is it hardware or software issue, is it a switch or access point itself etc. I currently don't have any issues but things are bound to happen eventually as not all hardware can last decades so I thought I would ask.

So far, I have:

• I heard of a tool called iPerf but haven't had time to check it out yet.
• Checking Speed Tests online that check the connection of the WAN.

Are there any more things ? If so, share !

Thanks

If everything came up as expected upon reboot I wouldn't be overly concerned about something being wrong

Are there no places or logs I can check to diagnose the root cause of why this happened ? This is a bit concerning as I thought firewall especially OPNSense would be more stable than that.

[General Logs:]

Hi,

I have noticed that under Firewall -> Rules section a new interface called OpenVPN have appeared out of nowhere. I don't have any type of VPN setup whatsoever so I'm kind of alarmed about it, especially that it contains automatically generated rules. I checked VPN section for any type of configuration for IPSec, OpenVPN and WireGuard to see if anything is set in there but as expected, nothing was set there. I also managed to find the following logs related to VPNs:

General Logs:

Code Select Expand

/usr/local/etc/rc.newwanip: plugins_configure VPN (execute task : Wireguard_configure_do(,wan))
/usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN
/usr/local/etc/rc.newwanip: plugins_configure VPN (execute task : openvpn_configure_do(,wan))
/usr/local/etc/rc.newwanip: plugins_configure VPN (execute task : ipsec_configure_do(,wan))
/usr/local/etc/rc.newwanip: plugins_configure VPN (,wan)

I'm not sure if they are normal logs or something unexpected and weird is happening with my OpenSense. I'm really puzzled why OpenVPN rules would appear in Firewall Rules out of nowhere if I don't have it setup in the first place.

Did anyone came across this or know why the said interface and rules are even there if OpenVPN is not setup ?

Thanks

I had my OPNSense box running for quite a while without doing any reboots but because of what happened recently I'm starting to question if my OPNSense or its VLANs or routing itself is malfunctioning. Here's what happened:


I added more VLANs and everything supposed to work, I tripple checked everything and I setup everything correctly but for some reason the newly added VLANs were not pingable by Firewall itself which resulted in 100% package loss, I tested this via Interfaces -> Diagnostics -> Ping. Then when I returned to the dashboard GUI, the new VLANs were not listed among my other old VLANs, at this point I decided to do a reboot and everything started working just fine, I was able to ping the new VLANs and they appeared among the list of all my VLANs.

This got me concerned that there is something wrong with my OPNSense or its VLANs or routing itself. Are there any places or logs I can check to figure out the root cause of why this happened ?

Thanks
Spiky_Gladiator

Put a quick allow rule above the generic block one?

I was thinking about this approach but wouldn't that mess up the Firewall \ Traffic ? Usually the block rules go first then allow rules last.

You already opened this exact thread a couple of days ago, right?

https://forum.opnsense.org/index.php?topic=42278.msg208676#msg208676

I could have sworn I answered your last question but my post seems nowhere to be found. DHCP is taken care of by automatic rules. It cannot be blocked by anything you configure in the UI.

See:

Code Select Expand

root@opnsense:~ # pfctl -s all | grep bootp
pass in quick on vlan07 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "e21ba82e2787507de82efd16e930703c"
pass in quick on vlan07 proto udp from any port = bootpc to (self) port = bootps keep state label "55d713eb0d0abdc53fd028019175cd04"
pass out quick on vlan07 proto udp from (self) port = bootps to any port = bootpc keep state label "398a032de2b9975e894f335916afb87e"
pass in quick on vlan01 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "1df7b65b293bf138df10f236a7889eee"
pass in quick on vlan01 proto udp from any port = bootpc to (self) port = bootps keep state label "385edc3329288e020aa9bbe9f9914de5"
pass out quick on vlan01 proto udp from (self) port = bootps to any port = bootpc keep state label "58ca7742b2c97951641023f18e2dd59d"
pass in quick on vlan05 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "cdbcc11b796adf41fbef4eeaf8f2c60e"
pass in quick on vlan05 proto udp from any port = bootpc to (self) port = bootps keep state label "8816b0e3add9c6e0d76c49d2151bc95f"
pass out quick on vlan05 proto udp from (self) port = bootps to any port = bootpc keep state label "a026e0c2fe364a6cad34204149483f6d"
pass in quick on vlan02 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "0c17538b1b995ab50d22bba9de47b66f"
pass in quick on vlan02 proto udp from any port = bootpc to (self) port = bootps keep state label "b142ef4302cd5c25827ce9ec481441e1"
pass out quick on vlan02 proto udp from (self) port = bootps to any port = bootpc keep state label "6d6efb231238eb62b54fb2ed977cb43f"
pass in quick on vlan03 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "4db3295e7047cf30b38a8bd19b6afce9"
pass in quick on vlan03 proto udp from any port = bootpc to (self) port = bootps keep state label "a0895b11d5fdf07c530f097ce0e489c5"
pass out quick on vlan03 proto udp from (self) port = bootps to any port = bootpc keep state label "a5d9128a5eac4049942d7c8e415a9d48"


The rest I explained in the linked thread.

HTH,
Patrick

Yeah, I had the same thread open but since there was no reply I have opened this one. So, if DHCP can't be blocked by anything, how come when I did the Network Group Alias with all the VLANs on the list with the Block rule, I couldn't get IP assigned on my client device ? This seems a little bit confusing for me.

Anyone ?

Hi,

I have quite a lot of VLANs in my setup and starting to have difficulty with managing firewall rules to block each VLAN individually, one by one using the block option. To make things easier to manage, I created Network Group Alias then selected all of my VLANs in it, then I used the said alias in the block rule to block access to all the VLANs and that seems to work great with exception that I can't exclude the current VLAN that the rule runs on so what ended up happening was, I couldn't get IP from DHCP as the rule was blocking the currently used VLAN. I tried using inverted rules but they don't exclude any VLANs from the alias list as far as I know.

Is there any way to block access to all of the VLANs I created with the exclusion of the currently used that the rule resides in using 1 or maximum of 2 firewall rules ?

Thanks

I have a network group named "Restricted" for all VLANs that are, well restricted, in the sense that they are allowed to access the Internet but not each other.

I attached a screen shot of the "Restricted" rule set. Net4_Local and Net6_Local contain all the locally attached VLANs probably very similar to your setup.

I am a bit lazy in the sense that while I pride myself of running dual stack @home and @work, I only provide DNS, NTP, SMTP over IPv4. Hence the structure of the rules you see in the attachment.

HTH,
Patrick

Since that setup contains all the VLANs on your setup, wouldn't Net4_Local and Net6_Local block the VLAN that's the rule is being run on therefore blocking itself from receiving IP from the DHCP server ? That's the issue that I came across when I used Aliases.

Hi,

I have quite a lot of VLANs in my setup and starting to have difficulty with managing firewall rules to block each VLAN individually, one by one using the block option. To make things easier to manage, I created Network Group Alias then selected all of my VLANs in it, then I used the said alias in the block rule to block access to all the VLANs and that seems to work great with exception that I can't exclude the current VLAN that the rule runs on so what ended up happening was, I couldn't get IP from DHCP as the rule was blocking the currently used VLAN. I tried using inverted rules but they don't exclude any VLANs from the alias list as far as I know.

Is there any way to block access to all of the VLANs I created with the exclusion of the currently used that the rule resides in using 1 or maximum of 2 firewall rules ?

Thanks

We've seen this too and thought to have deployed multiple fixes. The only theory we have is that the socket in question appears and then disappears again for a few seconds for whatever reason. it only happens on slower hardware as far as we can tell, but operational impact is minimal as the socket eventually comes up fine.


Cheers,
Franco

Is there any way I can check if the sockets are working fine, just to be sure ? Perhaps checking if the socket's service is currently running would do the trick ?

Which error are you talking about in your reply, the carrp and Configd or the python error for Configd.py ? Should I be concerned for any of the listed errors ? As of right now, I'm stuck in the limbo with the said errors as I'm not quite sure what they mean and if I should be concerned about them.

Hi,

I have noticed a couple of errors when my OPNSense is booting up and I'm not sure if it's something that I should worry about or just ignore them. They are:

PFLog0: Permanently Promiscuous Mode Enabled

I did some research on this error and it looks like it's some kind of a software switch to deactivate/activate internet connection or something like that as the only posts I came across were talking about the above going in a loop from Enable to Disabled every couple of seconds causing network distruptions.

Error in early script "Carp"

Generating Configuration: Carp socket missing

Looking online for the Carp protocol brings up failovers and redundancy, is this feature used by default in OPNSense ? In which cases would I need to use CARP protocol and finally can I just ignore this error ?

Generating Configuration: Configd socket missing

In combination with the above error, the one from below I found somewhere in the Web GUI:

Error Configd.py [Some Type of ID] returned exit status 1

I have checked and it looks like Configd.py is some type of backend for OPNSense which passes actions from the frontend (Web GUI) to the backend\firewall itself. The above error indicates that Configd.py have errored out and terminated to what I think is its backend ? Worrisome for sure.

I have successfully setup my network how I want and everything seems to be in order but the above errors worry me that something with the Firewall itself might be broken e.g WAN rules allowing someone to connect to my OPNSense where otherwise it would be secure to reject any connection attempts to OPNSense and so on.

Will someone please give me a hand with this as I tried to search and search online but can't find any solution to the above errors.

Thanks

I think you said that backwards. Manual is a static IP. The pc will accept any address you give it.
What  does "wrong IP" mean? If you plug into vlan4, it should get an IP in the vlan4 subnet. Did it not?

Yeah, I got the correct IP automatically assigned as soon as I plugged into VLAN4.

Why wouldn't it accept it?? It doesn't know what network you're connecting to. You set a static IP, it can't tell you "hey, you're giving me the wrong IP for that network.", YOU need to be smart enough to know that.

"Connected" doesn't mean connected to opnsense, the pc wouldn't know what type of router you're using. It means it has an active network connection. I have never seen a pc disconnect when it has the wrong IP assigned. Again, how would it know?? You gave it the IP.

I got it now.

Sounds like the switch isn't configured correctly.

Can you tell me how you came into this conclusion ? I think there might be some misunderstanding and want to double check.