Messages

I have open a feature request on Github
https://github.com/opnsense/plugins/issues/3905

Hi all,

just starting to enjoy the nginx plugin.
Currently performing some tests with one sample web app.
I also configured a remote syslog target but I'm only receiving the access log.
What about the error log?

Is this a bug or do I miss some configuration?

Best regards
Timmi

Since 6d it did not crash.

[Service Test Settings:]

Sure, I assume Monit is running already.

Service Test Settings:
Name: Crowdsec_Service
Condition: failed host 127.0.0.1 port 8080 type tcp
Action: Restart

Service Settings:
Enable service checks: yes
Name: Crowdsec
Type: Process
PID File: /var/run/crowdsec.pud
Start: /usr/sbin/service crowdsec start
Stop: /usr/sbin/service crowdsec stop
Tests: Crowdsec_Service
Depends: Nothing selected
Description: Check that Crowdsec is running

I have created a Monit test to restart the service is it is not running.

So the service should be back within two minutes.

Not for me as WAL mode is enabled.
I also don't receive the warning.

I know.
As I wrote I don't see anything specific in the crowdsec.log at that time. Just no logs anymore at some point.
Only the bouncer log is showing that the LAPI is not available as I wrote.

like this

time="08-03-2024 12:45:32" level=info msg="1 decision added"


This is what is shown if the system is running.

Hi,

I see in /var/log/crowdsec/crowdsec-firewall-bouncer.log

time="08-03-2024 01:00:52" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 172.28.52.65:8080: i/o timeout"
time="08-03-2024 01:00:52" level=error msg="Get \"http://192.168.1.1:8080/v1/decisions/stream?\": dial tcp 192.168.1.1:8080: i/o timeout"

Hi All,

since a few weeks I noticed that the Crowdsec daemon is stopping / crashing at 1am (which should be UTC midnight).
I don't see anything in the crowdsec logs.

I'm not sure if this is happening since OPNsense 24 or if my IPv6 changes added additional load on the server. I would say the LAPI server is gone as I can see that the bounce is still trying to communicate.

Could it be that the local LAPI server is at the capacity limit?
Service is looking normal after starting it again.

Thank for your help
Timmi

Hi all,

just to update this thread.
ISP changed the network to be routed as Zan have explained.

IPv6 is working perfect now.

Also I have upgraded to 24.1.2 in the meantime without any issues until now.

Once again thanks for all the help.
Timmi

Hi Zan,

thank you for the explanation.
I will get in touch with my ISP.

Once again thank you

Hi Zan,

looks like fe80::21f:9eff:feff:2f41 is the LLA of the ISP GW.

If it was WAN's then perhaps your prefix is a link prefix (not routed), better check with your ISP.

Can you explain this a bit more?

Then I can check on Monday with my ISP.

Thx


Hi Saarbremer

OK I will check with the ISP.

Thx

Hi Saarbremer,

What does reach mean? Name resoultion, PING, HTTP, physical proximity? Please state your observation more precise.

The OPNsense is able to reach DNS or ping via IPv6 in the Internet. I can do VPN via IPv6 into the OPNsense.

Can you see the traffic leaving the WAN interface?

Yes I can see that the traffic is leaving the WAN interface.
After that I see this on WAN:

19:56:30.191565 IP6 fe80::21f:9eff:feff:2f41 > ff02::1:ff58:21: ICMP6, neighbor solicitation, who has aaaa:bbbb:cccc:1:546f:78ff:fe58:21, length 32

Important: Only if the interface is in promiscuous mode. So that packet is ignored by the kernel. Means OPNsense is not blocking nor answering it.

* Inspect your prefix. Did you correctly derive an IPv6 and statically assign it to the LAN interface? Check again, the prefix MUST match! If unsure, check again three more times.

WAN static IPv6: aaaa:bbbb:cccc::2/64
LAN static IPv6: aaaa:bbbb:cccc:1:1/64

* Check that your client in LAN has a valid public IPv4 address that matches in the first 64 bits with the LAN IP of Opnsense. There will be some fe80::... or other adresses starting with f... but they are not relevant here.

The client is: aaaa:bbbb:cccc:1:546f:78ff:fe58:21/64 and it can reach the LAN IPv6 of the OPNsense.

Thank you again for your help.

Hi zan,

OK no problem.

So the configuration will look like this:
ISP IPv6 GW: aaaa:bbbb:cccc::1

WAN:
static IPv6: aaaa:bbbb:cccc::2/64
GW: auto
Router Advertisements: Router Only

LAN:
static IPv6: aaaa:bbbb:cccc:1::2/64
GW: auto
Router Advertisements: Unmanaged
Advertise Default Gateway: true

Hope this does look better.

Thank you for your help.