Messages - Steve

#1
Thanks for the confirmation.

If you're going to be in the guts of pf logging, any way we could get source/destination mac addresses added to the logs?

Thanks.     -Steve
#2
Just started upgrading our devices to 24.7.6/24.10 BE from 24.1.10/24.4.3 BE, and since the upgrade I've noticed I'm getting duplicate filterlog entries on the 2 devices I've upgraded so far:
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,

This is from the WebUI, also getting duplicate messages sent to syslog server where I initially noticed the log volume double.  So far it appears to only be duplicating log entries for blocked traffic.

Thanks.    -Steve
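To quantify the doubling described in this post, here is an added example (not from the original post or from OPNsense) that parses the syslog-wrapped filterlog CSV (IPv4 layout only) and counts exact repeats per action; the sample lines are constructed, with documentation addresses in place of the masked ones above.

```python
import csv
from collections import Counter
from typing import Dict, Optional

# Constructed sample modelled on the entries quoted above: lines 1 and 2 are an
# exact repeat, line 3 is a distinct blocked packet, line 4 is a pass entry.
SAMPLE_LOG = """\
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,203.0.113.10,198.51.100.20,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,203.0.113.10,198.51.100.20,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,203.0.113.10,198.51.100.20,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:35-04:00 Informational filterlog 12,,,0123456789abcdef0123456789abcdef,igc3,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.10,198.51.100.20,44444,443,0,S,1,,65535,,
"""

# IPv4 filterlog field order: rulenr,subrulenr,anchor,rid,iface,reason,action,
# dir,ipver,tos,ecn,ttl,id,offset,flags,proto,proto_text,length,src,dst,sport,dport,...
def parse_filterlog(line: str) -> Optional[dict]:
    """Split a syslog line into timestamp plus filterlog fields (IPv4 only)."""
    try:
        prefix, payload = line.split(" filterlog ", 1)
    except ValueError:
        return None  # not a filterlog line
    fields = next(csv.reader([payload]))
    if len(fields) < 22 or fields[8] != "4":
        return None  # IPv6 entries use a different layout and are skipped
    return {
        "ts": prefix.split()[0], "rulenr": fields[0], "rid": fields[3],
        "iface": fields[4], "action": fields[6], "direction": fields[7],
        "proto": fields[16], "src": fields[18], "dst": fields[19],
        "sport": fields[20], "dport": fields[21], "payload": payload,
    }


def duplicate_report(text: str) -> Dict[str, Dict[str, int]]:
    """Per action: total entries and exact repeats (same second, identical payload;
    IP id and TCP seq differ between distinct packets, so repeats are log duplicates)."""
    seen: Counter = Counter()
    report: Dict[str, Dict[str, int]] = {}
    for raw in text.splitlines():
        rec = parse_filterlog(raw)
        if rec is None:
            continue
        stats = report.setdefault(rec["action"], {"total": 0, "duplicates": 0})
        stats["total"] += 1
        key = (rec["ts"], rec["payload"])
        if seen[key]:
            stats["duplicates"] += 1
        seen[key] += 1
    return report
```

Running `duplicate_report` over a day of syslog-forwarded lines gives the duplicate ratio per action, which is the quickest way to confirm whether only blocked traffic is affected.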
#3
root@testrange:/tmp # /usr/local/opnsense/scripts/system/update-crl-fetch.py opnsense-update.deciso.com
# [i] fetch certificate for https://opnsense-update.deciso.com
# [i] fetch CRL from http://x1.c.lencr.org/
-----BEGIN X509 CRL-----
MIIBVDCB3AIBATAKBggqhkjOPQQDAzBIMQswCQYDVQQGEwJERTEVMBMGA1UEChMM
RC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0EgMSAyMDIw
...

I see this additional CRL added to libfetch_crl.24101714:
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Last Update: Feb  5 00:00:00 2024 GMT
        Next Update: Jan  4 23:59:59 2025 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
            X509v3 CRL Number:
                104
No Revoked Certificates.

Check for updates is now only showing one No CRL:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.10 at Thu Oct 17 14:15:45 EDT 2024
Fetching subscription information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
done
Fetching changelog information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /CN=opnsense-update.deciso.com
done
Updating OPNsense repository catalogue...
No CRL was provided for /CN=opnsense-update.deciso.com
Fetching meta.conf: . done
No CRL was provided for /CN=opnsense-update.deciso.com
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 856 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


Thanks!    -Steve
#4
root@testrange:~ # /usr/local/opnsense/scripts/system/update-crl-fetch.py opnsense-update.deciso.com
# [i] fetch certificate for https://opnsense-update.deciso.com
[!!] Chain fetch failed for https://opnsense-update.deciso.com (HTTPSConnectionPool(host='opnsense-update.deciso.com', port=443): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x2cedeac42d10>, 'Connection to opnsense-update.deciso.com timed out. (connect timeout=0.1)')))
-----BEGIN X509 CRL-----
MIIBVDCB3AIBATAKBggqhkjOPQQDAzBIMQswCQYDVQQGEwJERTEVMBMGA1UEChMM
RC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0EgMSAyMDIw
...
#5
I had checked the box for Auto fetch CRLs in System:Trust:Settings, and the 1pm update of /tmp/libfetch_crl.24101713 has CRLs in the file now:
root@testrange:/tmp # cat libfetch_crl.24101713
-----BEGIN X509 CRL-----
MIIBVDCB3AIBATAKBggqhkjOPQQDAzBIMQswCQYDVQQGEwJERTEVMBMGA1UEChMM
RC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0EgMSAyMDIw
Fw0yNDAxMTUxNDAwNDlaFw0yNTAxMTYxMzU5NDlaMDEwLwIQaOXtSmaheM68bssu
...
sptVq1l7Np3JGm7LV6UkiPfEHWbtz3BXrGWe8TYJacs1ekmk06yHivnEFZHUVNAf
CzjrFOBpb2V0giVc4FT1pFyyAsHYJ8CEACufMddpJcnmqsm+u5v5s5ECvwcIVcrV
iyfpHYL9lVi4VI7b2k++Adl0fJXojykktFeycNFYCYP/fw==
-----END X509 CRL-----
# [i] fetch certificate for https://opnsense-update.deciso.com


Check for Updates appears to be working now:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.10 at Thu Oct 17 13:16:14 EDT 2024
Fetching subscription information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
done
Fetching changelog information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
done
Updating OPNsense repository catalogue...
No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Fetching meta.conf: . done
No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 856 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Still seeing Chain fetch failed from the python script, but it's now printing the CRLs as well:
root@testrange:/tmp # /usr/local/opnsense/scripts/system/update-crl-fetch.py opnsense-update.deciso.com
# [i] fetch certificate for https://opnsense-update.deciso.com
[!!] Chain fetch failed for https://opnsense-update.deciso.com
-----BEGIN X509 CRL-----
MIIBVDCB3AIBATAKBggqhkjOPQQDAzBIMQswCQYDVQQGEwJERTEVMBMGA1UEChMM
RC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0EgMSAyMDIw
Fw0yNDAxMTUxNDAwNDlaFw0yNTAxMTYxMzU5NDlaMDEwLwIQaOXtSmaheM68bssu
...
#6
root@testrange:~ # /usr/local/opnsense/scripts/system/update-crl-fetch.py opnsense-update.deciso.com
# [i] fetch certificate for https://opnsense-update.deciso.com
[!!] Chain fetch failed for https://opnsense-update.deciso.com
#7
It looks like I can, but strangely it doesn't contain any revoked certs:
root@testrange:~ # curl http://x1.c.lencr.org/ --output /tmp/test.crl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   717  100   717    0     0   9425      0 --:--:-- --:--:-- --:--:--  9434
root@testrange:~ # openssl crl -in /tmp/test.crl -inform DER -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Last Update: Feb  5 00:00:00 2024 GMT
        Next Update: Jan  4 23:59:59 2025 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
            X509v3 CRL Number:
                104
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
root@testrange:~ #
#8
24.7, 24.10 Legacy Series / 24.10 BE upgrade CRL errors
October 17, 2024, 05:07:01 PM
Just upgraded to 24.10 BE on my test device.  Upgrade itself went fine, but when I go to check for updates, I'm getting a CRL error:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.10 at Thu Oct 17 10:50:46 EDT 2024
Fetching subscription information, please wait... Could not load CRL file /tmp/libfetch_crl.24101710
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/subscription: Authentication error
Fetching changelog information, please wait... Could not load CRL file /tmp/libfetch_crl.24101710
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.pkg: Authentication error
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

This is what's in /tmp/libfetch_crl.24101710:
# [i] fetch certificate for https://opnsense-update.deciso.com

Figured a new file would be updated on the hour and it was.  libfetch_crl.24101711 also only contains that single line.

Thanks.    -Steve
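An added pre-flight check for the symptom in this post and in post #5 above (the hourly /tmp/libfetch_crl.* file holding the script's "# [i]" diagnostic line instead of, or alongside, PEM CRLs); this is example code, not from OPNsense or the original post, and the sample bundles are constructed.

```python
import re
from typing import List, Tuple

PEM_BEGIN = "-----BEGIN X509 CRL-----"
PEM_END = "-----END X509 CRL-----"
_B64_LINE = re.compile(r"[A-Za-z0-9+/]+=*")

# Constructed samples; the base64 bodies are dummies, not real CRLs.
BROKEN_BUNDLE = "# [i] fetch certificate for https://opnsense-update.deciso.com\n"
CLEAN_BUNDLE = (
    "-----BEGIN X509 CRL-----\n"
    "MIIBVDCB3AIBATAKBggqhkjOPQQDAzBI\n"
    "-----END X509 CRL-----\n"
)
MIXED_BUNDLE = CLEAN_BUNDLE + BROKEN_BUNDLE


def check_crl_bundle(text: str) -> Tuple[int, List[str]]:
    """Return (complete PEM CRL blocks, 'lineno: text' entries for anything not PEM).

    A loader that expects a pure PEM bundle rejects the whole file on the
    first stray line, so even a single diagnostic line is reported.
    """
    blocks, stray, inside = 0, [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip("\r")
        if line == PEM_BEGIN:
            if inside:
                stray.append(f"{lineno}: BEGIN inside an open block")
            inside = True
        elif line == PEM_END:
            if inside:
                blocks += 1
            else:
                stray.append(f"{lineno}: END without BEGIN")
            inside = False
        elif inside:
            if not _B64_LINE.fullmatch(line):
                stray.append(f"{lineno}: {line}")
        elif line.strip():
            stray.append(f"{lineno}: {line}")
    if inside:
        stray.append("EOF: unterminated CRL block")
    return blocks, stray


def bundle_is_usable(text: str) -> bool:
    """True only when the file holds at least one CRL and nothing else."""
    blocks, stray = check_crl_bundle(text)
    return blocks > 0 and not stray
```

Feeding the contents of the current /tmp/libfetch_crl.* file to `bundle_is_usable` tells you before the next update check whether libfetch will be able to load it.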
#9
Found my issue - the onetoone stanza in my config.xml was still in pfsense format from when I migrated last year.  I toggled the disable box and saved, which made these changes:
--- /conf/backup/config-1716803141.3662.xml 2024-05-27 05:45:41.372306000 -0400
+++ /conf/backup/config-1720538699.8016.xml 2024-07-09 11:24:59.854129000 -0400
@@ -805,16 +805,17 @@
       </rule>
     </outbound>
     <onetoone>
-      <disabled/>
       <external>**externalVIP**</external>
+      <category/>
       <descr/>
       <interface>wan</interface>
-      <ipprotocol>inet</ipprotocol>
+      <type>binat</type>
+      <disabled>1</disabled>
       <source>
         <address>**internalIP**</address>
       </source>
       <destination>
-        <any/>
+        <any>1</any>
       </destination>
     </onetoone>
   </nat>
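Review bot: the stanza still used pfSense's empty-element booleans (`<disabled/>`, `<any/>`), and this save rewrites them as `<disabled>1</disabled>` and `<any>1</any>` while adding `<type>binat</type>` and `<category/>` and dropping `<ipprotocol>inet</ipprotocol>`. A migration that keys on these explicit fields will not recognise the empty-element form, so the migration should accept both forms, or refuse to run on an unrecognised stanza, rather than only handling the explicit one; it is also worth confirming that removing `<ipprotocol>` is intended, since the new stanza carries no address family.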

Now that my onetoone config is in OPNsense format, the upgrade from 24.1.8 to 24.1.9_4 migrated the config successfully.
#10
Just upgraded from 24.1.8 to 24.1.9_4, and my 1:1 NAT config didn't migrate.

--- /conf/backup/config-1716803141.3662.xml 2024-05-27 05:45:41.372306000 -0400
+++ /conf/backup/config-1719321616.8927.xml 2024-06-25 09:20:16.898912000 -0400
@@ -804,19 +804,6 @@
         </created>
       </rule>
     </outbound>
-    <onetoone>
-      <disabled/>
-      <external>**externalVIP**</external>
-      <descr/>
-      <interface>wan</interface>
-      <ipprotocol>inet</ipprotocol>
-      <source>
-        <address>**internalIP**</address>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </onetoone>
   </nat>
   <filter>
     <rule uuid="fca06965-4caf-41e4-992a-166d5b00e036">
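Review bot: this hunk deletes the whole `<onetoone>` stanza from `<nat>` without emitting a converted rule anywhere in the same revision, so the 1:1 mapping for **externalVIP** to **internalIP** is silently lost. A migration should keep a legacy block it cannot convert (or at least log the skipped stanza) so the operator finds out before the old rule is gone.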
@@ -2156,8 +2143,8 @@
   </widgets>
   <revision>
     <username>(system)</username>
-    <description>/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php made changes</description>
-    <time>1716803141.3662</time>
+    <description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
+    <time>1719321616.8927</time>
   </revision>
   <OPNsense>
     <IPsec version="1.0.1">
@@ -2383,10 +2370,11 @@
       <Category version="1.0.0">
         <categories/>
       </Category>
-      <Filter version="1.0.3">
+      <Filter version="1.0.4">
         <rules/>
         <snatrules/>
         <npt/>
+        <onetoone/>
       </Filter>
     </Firewall>
     <Netflow version="1.0.1">
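Review bot: the new `<onetoone/>` under `<Filter version="1.0.4">` is empty, so the version bump completed even though no rule was carried over from the legacy stanza removed in the first hunk. Once the version is 1.0.4 the migration will not run again, so a failed conversion should block the version bump instead of leaving an empty container.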