1
Zenarmor (Sensei) / Re: Upgrading Zenarmor doesn't complete without powering down
« on: August 11, 2023, 05:45:22 pm »
Nope - it's been some time since I've run it in passive mode
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
23.7 Legacy Series / Re: Unbound fails to start when loading custom access control views
« on: August 09, 2023, 10:17:05 pm »Quote
It turns out my issue was a formatting issue. I got rid of the quotes around the view name and fixed the indents and now it starts with the following custom config. I guess the older version of unbound tolerated formatting issues but the newer version doesn't.
Did you indent using spaces or tabs? I tried both, and unbound still failed to start for me...
3
Zenarmor (Sensei) / Re: Upgrading Zenarmor doesn't complete without powering down
« on: August 08, 2023, 04:08:31 am »
I've attached a pic of a critical engine entry I found in the notifications tab...
4
Zenarmor (Sensei) / Upgrading Zenarmor doesn't complete without powering down
« on: August 08, 2023, 04:04:44 am »
Hi!
Just wanted to mention something I've seen twice now: I'll start a Zenarmor update, only to have it seemingly stall (no connectivity to the router or the web from my PC), forcing me to power down the router and power it up again to restore connectivity.
Today was updating to 1.14.1 - in the past it was whatever the most recent 1.13 build was.
Anyone have any ideas what might be going on? At this point I'm just happy everything came back up, but I'm concerned that one of these times it won't.
Thanks!
Just wanted to mention something I've seen twice now: I'll start a Zenarmor update, only to have it seemingly stall (no connectivity to the router or the web from my PC), forcing me to power down the router and power it up again to restore connectivity.
Today was updating to 1.14.1 - in the past it was whatever the most recent 1.13 build was.
Anyone have any ideas what might be going on? At this point I'm just happy everything came back up, but I'm concerned that one of these times it won't.
Thanks!
5
23.7 Legacy Series / Re: Unbound fails to start when loading custom access control views
« on: August 06, 2023, 03:06:42 am »
Not sure why you need custom views here, a simple port forward rule would do just fine:
Select all (V)LANs in scope, Proto UDP, Source Any Destination Any DPort 123 Redirect 127.0.0.1 Port 123
You can then clone the rule and change NTP to DNS, adjust the proto to TCP/UDP
Thanks for the response! Maybe I misunderstand your answer - primarily what I was trying to do was ensure that querying either 'opnsense' or its FQDN would resolve to the IP that matches the vlan the query was issued from. You're right, though, about the ntp entries - ironically, I already have port forwards for those in place - I must've forgotten to go back and prune them from the views file...
For now, since I really only access the router using it's 'short' name from my pc, I dropped an entry in hosts that matches the vlan my pc's on - that's good enough for now.
6
23.7 Legacy Series / Re: Unbound failed to start after upgrading to 23.7, Domain Overrides Issue
« on: August 01, 2023, 05:36:26 pm »
Here's something else that I didn't notice before in the error reporter:
Code: [Select]
[01-Aug-2023 11:28:57 America/New_York] PHP Fatal error: Uncaught TypeError: flock(): Argument #1 ($stream) must be of type resource, bool given in /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/JsonKeyValueStoreField.php:132
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/JsonKeyValueStoreField.php(132): flock(false, 2)
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php(193): OPNsense\Base\FieldTypes\JsonKeyValueStoreField->actionPostLoadingEvent()
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php(191): OPNsense\Base\FieldTypes\BaseField->eventPostLoading()
#3 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php(191): OPNsense\Base\FieldTypes\BaseField->eventPostLoading()
#4 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php(191): OPNsense\Base\FieldTypes\BaseField->eventPostLoading()
#5 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php(191): OPNsense\Base\FieldTypes\BaseField->eventPostLoading()
#6 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(367): OPNsense\Base\FieldTypes\BaseField->eventPostLoading()
#7 [internal function]: OPNsense\Base\BaseModel->__construct()
#8 /usr/local/opnsense/mvc/script/run_migrations.php(52): ReflectionClass->newInstance()
#9 {main}
thrown in /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/JsonKeyValueStoreField.php on line 132
7
23.7 Legacy Series / Re: Unbound failed to start after upgrading to 23.7, Domain Overrides Issue
« on: August 01, 2023, 05:34:17 pm »
For me, running the migration showed no output, and stopping and starting unbound with my custom conf file in place failed, with only this in the general log:
EDIT: note that I removed the <active_interface/> line as well before running the migration.
Code: [Select]
2023-08-01T11:32:08-04:00 Error opnsense /usr/local/sbin/pluginctl: The command '/bin/kill -'TERM' '65031'' returned exit code '1', the output was 'kill: 65031: No such process'
2023-08-01T11:32:08-04:00 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_start (execute task : unbound_configure_do(1))
2023-08-01T11:32:08-04:00 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_start (1)EDIT: note that I removed the <active_interface/> line as well before running the migration.
8
23.7 Legacy Series / Re: Unbound failed to start after upgrading to 23.7, Domain Overrides Issue
« on: August 01, 2023, 04:00:42 pm »
I'm in much the same boat, trying to set up access control views, but running into the same inability to start unbound, along with the same output from `unbound -ddvv -c /var/unbound/unbound.conf`...
9
23.7 Legacy Series / Unbound fails to start when loading custom access control views
« on: July 31, 2023, 06:40:04 pm »
Hello!
Unbound now fails to start when trying to load custom access control views, something that worked well up to this point.
Here's the content from the conf file that I drop in /usr/local/etc/unbound.opnsense.d, formatting as outlined in the unbound docs:
Any ideas of why this is failing now would be greatly appreciated!
Thanks!
Unbound now fails to start when trying to load custom access control views, something that worked well up to this point.
Here's the content from the conf file that I drop in /usr/local/etc/unbound.opnsense.d, formatting as outlined in the unbound docs:
Code: [Select]
access-control-view: 10.0.10.0/24 trusted
access-control-view: 10.0.20.0/24 kids
access-control-view: 10.0.30.0/24 iot
access-control-view: 10.0.40.0/24 dmz
access-control-view: 10.0.50.0/24 cameras
view:
name: "trusted"
local-zone: "beaker.ddnsgeek.com" transparent
local-data: "opnsense.beaker.ddnsgeek.com A 10.0.10.1"
local-data: "opnsense A 10.0.10.1"
view-first: yes
view:
name: "kids"
local-zone: "beaker.ddnsgeek.com" transparent
local-data: "opnsense.beaker.ddnsgeek.com A 10.0.20.1"
local-data: "opnsense A 10.0.20.1"
view-first: yes
view:
name: "iot"
local-zone: "beaker.ddnsgeek.com" transparent
local-data: "opnsense.beaker.ddnsgeek.com A 10.0.30.1"
local-data: "opnsense A 10.0.30.1"
local-zone: "ntp.org" redirect
local-data: "ntp.org A 10.0.30.1"
view-first: yes
view:
name: "dmz"
local-zone: "beaker.ddnsgeek.com" transparent
local-data: "opnsense.beaker.ddnsgeek.com A 10.0.40.1"
local-data: "opnsense A 10.0.40.1"
view-first: yes
view:
name: "cameras"
local-zone: "beaker.ddnsgeek.com" transparent
local-data: "opnsense.beaker.ddnsgeek.com A 10.0.50.1"
local-data: "opnsense A 10.0.50.1"
local-zone: "ntp.org" redirect
local-data: "ntp.org A 10.0.50.1"
view-first: yesAny ideas of why this is failing now would be greatly appreciated!
Thanks!
10
23.7 Legacy Series / Re: Upgradethread 23.1.11_1 to 23.7
« on: July 31, 2023, 05:42:16 pm »
Yep - I've had it in place for a while now without issue. I use it solely to map my router's name to it's IP for each vlan - convenient to avoid confusion on machines that can access the router through any vlan.
11
23.7 Legacy Series / Re: Upgradethread 23.1.11_1 to 23.7
« on: July 31, 2023, 05:37:33 pm »Any idea of what I can look at to resolve this?
I have so little config within Unbound that there's little to clear out, but I'll give it a shot...
Removed access-control-view.conf file (in /usr/local/etc/unbound.opnsense.d) - service started right up. Next: experiment with putting the file back and see if it fails again.
12
23.7 Legacy Series / Re: Upgradethread 23.1.11_1 to 23.7
« on: July 31, 2023, 05:26:53 pm »
Any idea of what I can look at to resolve this?
I have so little config within Unbound that there's little to clear out, but I'll give it a shot...
I have so little config within Unbound that there's little to clear out, but I'll give it a shot...
13
23.7 Legacy Series / Re: Upgradethread 23.1.11_1 to 23.7
« on: July 31, 2023, 05:19:06 pm »under general DNS> i have one DNS server applied to WAN.
9.9.9.9
my upgrade worked fine, i decided to tinker when i read this thread:
under unbound i setup DNS over TLS
9.9.9.9
dns.quad.net
port 853
traffic stopped entirely.
deleted the configuration. and everything went back to working again!
I tried this, but unfortunately it didn't help (I had tried earlier to simply disable the entries) - thanks for the tip tho!
14
23.7 Legacy Series / Re: Upgradethread 23.1.11_1 to 23.7
« on: July 31, 2023, 05:01:03 pm »Code: [Select]
[
{
"description": "ACME client",
"pidfile": "/var/run/lighttpd-acme-challenge.pid",
"configd": {
"restart": [
"acme-http-challenge restart"
],
"start": [
"acme-http-challenge start"
],
"stop": [
"acme-http-challenge stop"
]
},
"name": "acme",
"status": "acme is running as pid 25973."
},
{
"description": "chrony daemon",
"configd": {
"restart": [
"chrony restart"
],
"start": [
"chrony start"
],
"stop": [
"chrony stop"
]
},
"name": "chronyd",
"pidfile": "/var/run/chrony/chronyd.pid",
"status": "chronyd is running as pid 13315."
},
{
"description": "System Configuration Daemon",
"pidfile": "/var/run/configd.pid",
"mwexec": {
"restart": [
"/usr/local/etc/rc.d/configd restart"
],
"start": [
"/usr/local/etc/rc.d/configd start"
],
"stop": [
"/usr/local/etc/rc.d/configd stop"
]
},
"name": "configd",
"locked": true,
"status": "configd is running as pid 252."
},
{
"description": "Cron",
"php": {
"start": [
"system_cron_configure"
],
"restart": [
"system_cron_configure"
]
},
"pidfile": "/var/run/cron.pid",
"name": "cron",
"status": "cron is running as pid 86746."
},
{
"description": "CrowdSec",
"configd": {
"restart": [
"crowdsec restart"
],
"start": [
"crowdsec start"
],
"stop": [
"crowdsec stop"
]
},
"name": "crowdsec",
"status": "crowdsec is running as pid 4807."
},
{
"description": "ddclient",
"configd": {
"restart": [
"ddclient restart"
],
"start": [
"ddclient start"
],
"stop": [
"ddclient stop"
]
},
"name": "ddclient",
"pidfile": "/var/run/ddclient.pid",
"status": "ddclient is running as pid 61506."
},
{
"name": "dhcpd",
"description": "DHCPv4 Server",
"php": {
"restart": [
"dhcpd_dhcp4_configure"
],
"start": [
"dhcpd_dhcp4_configure"
]
},
"pidfile": "/var/dhcpd/var/run/dhcpd.pid",
"status": "dhcpd is running as pid 60955."
},
{
"description": "Shaper",
"configd": {
"restart": [
"ipfw reload"
],
"start": [
"ipfw reload"
],
"stop": [
"ipfw reload"
]
},
"name": "ipfw",
"nocheck": true,
"status": "ipfw is running."
},
{
"description": "Users and Groups",
"php": {
"restart": [
"system_login_configure"
]
},
"nocheck": true,
"name": "login",
"status": "login is running."
},
{
"description": "mDNS Repeater",
"configd": {
"restart": [
"mdnsrepeater restart"
],
"start": [
"mdnsrepeater start"
],
"stop": [
"mdnsrepeater stop"
]
},
"name": "mdns-repeater",
"status": "mdns-repeater is running as pid 14027."
},
{
"description": "Monit System Monitoring",
"configd": {
"restart": [
"monit restart"
],
"start": [
"monit start"
],
"stop": [
"monit stop"
]
},
"name": "monit",
"status": "monit is running as pid 11721."
},
{
"description": "Secure Shell Daemon",
"configd": {
"restart": [
"openssh restart"
],
"start": [
"openssh start"
],
"stop": [
"openssh stop"
]
},
"pidfile": "/var/run/sshd.pid",
"name": "openssh",
"status": "openssh is running as pid 13333."
},
{
"description": "Packet Filter",
"configd": {
"restart": [
"filter reload"
]
},
"nocheck": true,
"name": "pf",
"status": "pf is running."
},
{
"description": "System routing",
"php": {
"restart": [
"system_routing_configure"
]
},
"nocheck": true,
"name": "routing",
"status": "routing is running."
},
{
"description": "System tunables",
"php": {
"restart": [
"system_sysctl_configure"
]
},
"nocheck": true,
"name": "sysctl",
"status": "sysctl is running."
},
{
"description": "Syslog-ng Daemon",
"php": {
"stop": [
"system_syslog_stop"
],
"start": [
"system_syslog_start"
],
"restart": [
"system_syslog_start"
]
},
"pidfile": "/var/run/syslog-ng.pid",
"name": "syslog-ng",
"status": "syslog-ng is running as pid 18470."
},
{
"name": "unbound",
"dns_ports": [
"53"
],
"description": "Unbound DNS",
"php": {
"restart": [
"unbound_configure_do"
],
"start": [
"unbound_configure_do"
],
"stop": [
"unbound_service_stop"
]
},
"pidfile": "/var/run/unbound.pid",
"status": "unbound is not running."
},
{
"pidfile": "/var/run/lighty-webConfigurator.pid",
"description": "Web GUI",
"php": {
"restart": [
"webgui_configure_defer"
]
},
"name": "webgui",
"locked": true,
"status": "webgui is running as pid 18277."
}
]
15
23.7 Legacy Series / Re: Upgradethread 23.1.11_1 to 23.7
« on: July 31, 2023, 04:56:56 pm »
Not using the plugin - just using two entries in the DNS over TLS section