Messages - My_Network

#1
I was able to recover my firewall using the import in the installation. Seems fine now.
#2
25.1, 25.4 Production Series / Reinstallation or fixable?
February 13, 2025, 08:24:15 PM
Hi guys,

I did something wrong. I took advice from the "internet" very late and the result was unfixable from my standpoint.


The last output from "root@opnsense:~ # opnsense-update -G" was:

Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
pkg-static: file:///var/cache/opnsense-update/.sets.pending/packages-/meta.txz: No such file or directory
repository OPNsense has no meta file, using default settings
pkg-static: file:///var/cache/opnsense-update/.sets.pending/packages-/packagesite.pkg: No such file or directory
pkg-static: file:///var/cache/opnsense-update/.sets.pending/packages-/packagesite.txz: No such file or directory
Unable to update repository OPNsense
Error updating repositories!



The last commands that were made were:

# opnsense-revert pkg
# opnsense-update -u


And now when the firewall starts I'm stuck with this error:

Please see the attached picture.


I'm still able to reboot into a live environment using the import and get to the XML, but I have never had to do the process. Is there something that can be done to get me out of this mess? I was running 24.7.12_4 prior to updating in the shell.

Thank you,

Nick
#3
Hi,

Do you have Suricata and Zenarmor running on the same interface?

Nick
#4
Hi,

I have issues upgrading to 25.1 from 24.7.12_12.

Here are the errors from the output of:

root@opnsense:~ # opnsense-update -G


Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
pkg-static: file:///var/cache/opnsense-update/.sets.pending/packages-/meta.txz: No such file or directory
repository OPNsense has no meta file, using default settings
pkg-static: file:///var/cache/opnsense-update/.sets.pending/packages-/packagesite.pkg: No such file or directory
pkg-static: file:///var/cache/opnsense-update/.sets.pending/packages-/packagesite.txz: No such file or directory
Unable to update repository OPNsense
Error updating repositories!

Is there something that can be done to fix this?

Thank you,

Nick
#5
Hi Deathmage85,

Glad I was able to help. For forcing traffic to go where you want and not letting the routing fool you, I would advise using the policy-based routing function. You should see an option called "Gateway" in your firewall rules. I'm curious why you are redirecting your DNS traffic back into your LAN? Why not just tell your DHCP server to assign the correct DNS server to its clients and permit only recursion of those DNS requests to your WAN in your firewall rules. Another way of doing what you want would be to redirect to Unbound. It's built into OPNsense in the Services section. Basically, your clients would use your FIREWALL LAN IP as their DNS server and OPNsense would catch that and rebind them on the port of your choice. I would advise against using HTTPS and go the DoT way (TCP 853). It makes it transparent and it doesn't get mixed up in the "real" HTTPS traffic.

Nick
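The redirect-to-Unbound idea in the post above, written out as an added Unbound forwarder fragment. This is not from the thread or from the configuration OPNsense generates; it assumes the file is dropped into /usr/local/etc/unbound.opnsense.d/ (where OPNsense picks up custom Unbound options), that the CA bundle sits at /etc/ssl/cert.pem, and it uses Quad9 only as an example upstream. Clients get the firewall's LAN address from DHCP, Unbound answers them on port 53 and forwards everything upstream over DNS over TLS on TCP 853, validating the upstream certificate.

```conf
# Added example: /usr/local/etc/unbound.opnsense.d/dot-forward.conf (assumed path)
# Unbound on the firewall answers LAN clients and forwards upstream over DoT (TCP 853).
server:
    # Validate the upstream resolver's certificate against the system CA bundle
    # (path assumed; OPNsense/FreeBSD normally provides it via ca_root_nss)
    tls-cert-bundle: /etc/ssl/cert.pem

forward-zone:
    name: "."
    # Every forwarded query goes out over TLS, never plain UDP/TCP 53
    forward-tls-upstream: yes
    # address@port#name: the name is what Unbound expects in the served certificate
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

After reloading Unbound, a client that still points at an outside resolver bypasses this entirely unless a LAN rule blocks or redirects outbound port 53, so the firewall rule the post describes is part of the setup, not an optional extra.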
#6
Good Evening Deathmage85,

Please try removing what is configured in your network tab, since the firewall is not actually the gateway for any of your networks. Only have OSPF configured with the interface section, which is what OSPF uses to form relationships (interfaces, routers, next hops). Also, have a go at it with "type" configured to "none", since it's not a point-to-point network. You should also not configure your VLANs in your firewall since their gateways are in your layer 3 switch. The only interface that should be present in your OSPF configuration is your LAN interface, aka the "NEXT HOP". In your gateways, did you check the box "far gateway", which tells OPNsense that the network is external to its LAN interface? Regarding NAT, your internal router should not do the actual NATting; turn that off. That function should be configured in the outbound NAT section, using the WAN interface with the sources being your internal RFC ranges NATted to your WAN interface IP.

Nick
#7
Hi "non"sense,

You don't need to be a total ass about it. I see you also need paying-attention lessons on keeping up to date. ZenArmor did in fact tell the community that 25.1 was supported.

https://x.com/zenarmor/status/1885376841554247907

Sincerely,

Nick
#8
Hi mrpsycho,

Are you also using ZenArmor?

If you try this command in shell, does it make your firewall crash?

pkg install -f java-zoneinfo

Pretty sure there's an issue with Java.

Thank you,

Nick
#9
Update 1/02/2025:

Did some investigating and found that if I try to manually reinstall Elasticsearch8 in ZenArmor, which needs the missing java-zoneinfo and openjdk17-17.0.10+7.1_1.pkg to function (the 5th and 10th of the 16 packages needed), it makes my firewall crash and reboot itself. There seems to be an issue with Java.

ElasticSearch8 installation log:
The process will require 994 MiB more space.
385 MiB to be downloaded.
[1/16] Fetching javavmwrapper-2.7.10.pkg: ... done
[2/16] Fetching libxcb-1.16.1.pkg: .......... done
[3/16] Fetching jna-5.7.0_1.pkg: .......... done
[4/16] Fetching libXt-1.3.0,1.pkg: .......... done
[5/16] Fetching openjdk17-17.0.10+7.1_1.pkg: .......... done
[6/16] Fetching libX11-1.8.7_1,1.pkg: .......... done
[7/16] Fetching xorgproto-2023.2.pkg: .......... done
[8/16] Fetching bash-5.2.26_1.pkg: .......... done
[9/16] Fetching libinotify-20211018_1.pkg: .... done
[10/16] Fetching java-zoneinfo-2021.e.pkg: .......... done
[11/16] Fetching openjdk8-8.402.06.1_1.pkg: .......... done
[12/16] Fetching libXau-1.0.9_1.pkg: .. done
[13/16] Fetching libICE-1.1.0_2,1.pkg: .......... done
[14/16] Fetching elasticsearch8-8.11.3.pkg: .......... done
[15/16] Fetching libSM-1.2.3_1,1.pkg: .... done
[16/16] Fetching libXdmcp-1.1.5.pkg: .. done
Checking integrity... done (0 conflicting)
[1/16] Installing xorgproto-2023.2...
[1/16] Extracting xorgproto-2023.2: .......... done
[2/16] Installing libXau-1.0.9_1...
[2/16] Extracting libXau-1.0.9_1: .......... done
[3/16] Installing libXdmcp-1.1.5...
[3/16] Extracting libXdmcp-1.1.5: ......... done
[4/16] Installing libxcb-1.16.1...
[4/16] Extracting libxcb-1.16.1: .......... done
[5/16] Crashes Here

Same results in shell for java-zoneinfo:

root@opnsense:~ # pkg install -f java-zoneinfo
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
        java-zoneinfo-2021.e [SunnyValley]

Number of packages to be reinstalled: 1

79 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching java-zoneinfo-2021.e.pkg: 100%  79 KiB  80.4kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Reinstalling java-zoneinfo-2021.e...
[1/1] Extracting java-zoneinfo-2021.e: 100%
Crashes here
#10
Here is the install log:

Would this failure have anything to do with ZenArmor not being ready for the new version?

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 24.7.12_4 (amd64) at Fri Jan 31 20:30:31 EST 2025
Fetching packages-25.1-amd64.tar: .......................................... done
Fetching base-25.1-amd64.txz: .......... done
Fetching kernel-25.1-amd64.txz: ..... done
Extracting packages-25.1-amd64.tar... done
Extracting base-25.1-amd64.txz... done
Extracting kernel-25.1-amd64.txz... done
Please reboot.
>>> Invoking upgrade script 'sanity.sh'
Passed all upgrade tests.
>>> Invoking upgrade script 'cleanup.sh'
find: /usr/local/share/java/zi/Etc/GMT+7: No such file or directory
find: /usr/local/datastore/elasticsearch/indices/c3w5yClHSiq-ALG5e4Tqog/0/index/segments_kr: No such file or directory
>>> Error in upgrade script '90-cleanup.sh'
***DONE***


Thank you,

Nick
#11
Hi Seimus,

Thanks for your latest answer. I did what you recommended, but I'm getting an error in the network tab.

2025-01-08T16:37:12-05:00   Error   ospfd   [SHWNK-NWT5S][EC 100663304] Command returned Warning Config Failed on config line 32: network 10.0.0.0/8 area 1.1.1.1

!
router ospf
 ospf router-id 1.1.1.1
 log-adjacency-changes
 area 1.1.1.1 filter-list prefix test in
 area 1.1.1.1 filter-list prefix test out
 default-information originate metric 1
exit
!

!
ip prefix-list test seq 10 deny 0.0.0.0/0
ip prefix-list test seq 20 permit 0.0.0.0/0 le 32
!
end

!
interface ipsec1
 ip ospf area 1.1.1.1
 ip ospf network point-to-point
exit
!

It is still sending the default route to the neighbor in area 1.1.1.1.

What am I missing here?

Thank you,

Nick

#12
Hi Seimus,

The neighbor in question is functioning with network type Point-to-Point in area 1.1.1.1. In the GUI, I don't see a way to exclude the default route for a specific neighbor. That's why I tried in the CLI.

Thank you,

Nick
#13
Hi Seimus,

In the CLI of the FRR plugin, that option is not present, it seems.

I made a prefix list:

OSPF: ip prefix-list DEFAULT_ROUTE: 1 entries
   seq 1 deny 0.0.0.0/0

but when I try to apply this list to the neighbor :

opnsense.srvnic.com(config-router)# neighbor 9.9.9.9
  <cr>
  poll-interval  Dead Neighbor Polling interval
  priority       Neighbor Priority
opnsense.srvnic.com(config-router)# neighbor 9.9.9.9

There is no option to apply the list on the neighbor.

Am I missing something?

Thank you,

Nicolas
#14
Hi,

Is there a way in the GUI of the FRR plugin or in cli to prevent OSPF from injecting a default route to a specific OSPF neighbor?

Thank you,

Nicolas
#15
24.7, 24.10 Legacy Series / RADIUS WITH WINDOWS NPS
November 16, 2024, 03:06:25 AM
Hi,

I'm having an issue setting up RADIUS authentication using Windows Server NPS as the authentication server. I've followed all the relevant guides and documentation I could find on the topic, even those meant for pfSense. Despite that, something still seems to be wrong.

The networking side is working as expected; my firewall is communicating correctly with the server. When I use the tester, I get a response from the server that's somewhat positive. It contains gibberish but includes the correct Class tag reading "admin", which was created and assigned the gui\all page permissions. This was copied from the default "admins" group.

The reason I say it's only kind of working is that when I try logging in with the user, I get the error: "No page assigned to this user! Click here to log out." However, if I change the Class value in NPS to something other than "admin," the same issue occurs. It's as if the system isn't interpreting the Class value correctly.

Does anyone have ideas on what could help resolve this?

Thank you,

Nick
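The post above describes the RADIUS reply only as "gibberish" with a Class value of "admin" somewhere inside it. The block below is an added example, not code from the thread, from OPNsense or from Microsoft NPS. It builds a RADIUS Access-Accept carrying two Class (type 25) attributes, the text value "admin" from the post and a constructed opaque binary blob, verifies the Response Authenticator the way a RADIUS client must before trusting any attribute, and lists each Class value as text where it is printable ASCII and as hex otherwise. The shared secret, the Request Authenticator and the binary blob are all constructed; on a real capture you would substitute the captured request's authenticator and the configured secret.

```python
"""Parse a RADIUS Access-Accept, verify its Response Authenticator and extract
every Class (type 25) attribute. Added example; not code from the thread,
OPNsense or NPS. Secret, Request Authenticator and the opaque blob are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
ATTR_CLASS = 25     # RFC 2865 5.25: opaque octets the NAS echoes in accounting

SECRET = b"testing123"                            # constructed shared secret
REQUEST_AUTHENTICATOR = bytes(range(16))          # constructed; random per request in practice
OPAQUE_CLASS = bytes.fromhex("0102ff10deadbeef")  # constructed non-text Class value


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length includes the two header bytes (RFC 2865 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: list[bytes], secret: bytes) -> bytes:
    """Assemble a response. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a wrong secret or any modified
    attribute byte makes this fail, so check it before reading attributes."""
    if len(packet) < 20:
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, received)


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Walk the attribute list, rejecting lengths that would run past the packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def class_values(packet: bytes) -> list[str]:
    """Return each Class value as text when it is printable ASCII, else as hex.
    A server may send several Class attributes; a binary one is the part that
    shows up as gibberish in a tester."""
    values = []
    for attr_type, value in parse_attributes(packet):
        if attr_type != ATTR_CLASS:
            continue
        try:
            text = value.decode("ascii")
        except UnicodeDecodeError:
            text = None
        values.append(text if text is not None and text.isprintable() else "0x" + value.hex())
    return values


# Constructed Access-Accept: identifier 7, a text Class "admin" and an opaque Class blob.
SAMPLE_ACCEPT = build_response(
    ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR,
    [build_attribute(ATTR_CLASS, b"admin"), build_attribute(ATTR_CLASS, OPAQUE_CLASS)],
    SECRET,
)

if __name__ == "__main__":
    print("authentic:", verify_response(SAMPLE_ACCEPT, REQUEST_AUTHENTICATOR, SECRET))
    print("Class values:", class_values(SAMPLE_ACCEPT))
```

The authenticator check matters in exactly this troubleshooting situation: if a tester shows the right Class string but the authenticator does not verify, the shared secret on one side is wrong and the reply must be discarded, however promising its contents look.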