Messages - gerald_martin

#1
Follow up here.  I took the advice to save a snapshot of a working config, then updated.  The update from 24.7.9 to 24.7.12 broke the untagged traffic to the interface.  The update from 24.7.12 to 25.1 resolved the problem.  25.1 > current = appears to be working fine.
#2
Can anyone tell me if this bug has been resolved?  I'd be ready to update to current if it is....

Thanks to anyone who can help.

GM
#3
Quote from: tops4u on December 09, 2024, 08:04:59 AM
I upgraded from 24.7.7 to 24.7.10_2 yesterday evening and let it run, since our Internet connection was a bit slow yesterday evening.

This Morning my family complained about broken connectivity. Tried to login to my OpnSense installation, but failed. Finally I could login over VPN / Mobile.

I could not figure out what the source of the Problem was. Symptoms: No untagged VLAN Traffic over the LAN Interface (igc0), however all tagged traffic worked like a charm over the same interface. No Config change by the Update nor on the Switch on the other Side. It is definitively not a Firewall issue, since there was no traffic arriving on the LAN Interface.

Since I did not know how to fix, I reverted the installation to 24.7.9 and the Kernel to 24.7.8. Again everything works as expected.

Interfaces that do not have mixed traffic (Tagged and Untagged) worked flawlessly.

@tops4u have you learned anything more about this condition?  I have a similar problem, and also fixed with the same reversion you used.  But I'd like to know when it's safe to attempt update again.
#4
@franco just curious if this issue has been identified and fixed in the latest kernel?
#5
Hey Franco, thanks for taking interest in this.

Yes, as stated in my original post, we had to revert to the 24.7.8 kernel to get operational.

This user appeared to have the same issue:

https://forum.opnsense.org/index.php?topic=44531.0

Running a Supermicro server chassis with Intel gigabit hardware.

Gerald
#6
Does anyone know if the underlying issue here has been identified and fixed in 24.7.11?
#7
@franco can you confirm if this is a known bug - if so what the resolution plan is?  Thank you.
#8
Sure looks like it.  When the interface goes into a broken state, it won't respond to a ping, even from the opnsense shell.
#9
Good morning.

After updating from 24.7.9 to 24.7.10_2 (and pulling latest kernel) the LAN interface that had two vlans attached was unreachable.

At first, I thought something had failed with the interface itself, so swapped the LAN assignment to a different interface.

However, today, when the VLANs were reassigned to the new parent interface, it too became unreachable.

Reverting to 24.7.9 (with 24.7.8 kernel, because 24.7.9 kernel was not available to download?) and restoring a backup has gotten us operational again.

Can this problem be duplicated elsewhere?  Is this a kernel bug?

Gerald Martin
#10
@franco Thank you, this solved it!  Here's output from the upgrade audit, which is now there as expected:

The Lobby now says running 23.7.5

However - the check for updates now returns this (see image)  Why would it be wanting to download 23.7.4 packages if we are now running 23.7.5?

Or maybe I'm not understanding something.

GM
#11
Hello Franco, I've looked but have not found it.  Is this the correct place?  Appreciate any help you can offer.
#12
Have used multiple mirrors, no apparent change.

But this is WEIRD - do I have an update partially completed?

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.1.11_2 at Mon Oct  9 21:06:28 CDT 2023
>>> Check installed kernel version
Version 23.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-nextcloud-backup 1.0_1
os-upnp 1.5_3
os-wireguard 1.13_5
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..
ca_root_nss-3.91 version mismatch, expected 3.89.1
Checking packages: ........................
opnsense-update-23.7 version mismatch, expected 23.1.11
Checking packages: .......................
py39-dnspython-2.4.0,1 version mismatch, expected 2.3.0,1
Checking packages: .
py39-duckdb-0.8.1 version mismatch, expected 0.6.1
Checking packages: ..
py39-numpy-1.25.0,1 version mismatch, expected 1.24.1_4,1
Checking packages: .
py39-pandas-2.0.3,1 version mismatch, expected 2.0.2,1
Checking packages: ....
py39-vici-5.9.11 version mismatch, expected 5.9.10
Checking packages: ......
sudo-1.9.14p3 version mismatch, expected 1.9.13p3
Checking packages: .
suricata-6.0.13_1 version mismatch, expected 6.0.13
Checking packages: ..
unbound-1.17.1_3 version mismatch, expected 1.17.1_2
Checking packages: .. done
***DONE***


***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.1.11_2 at Mon Oct  9 21:08:28 CDT 2023
Checking connectivity for host: mirrors.nycbug.org -> 66.111.2.15
PING 66.111.2.15 (66.111.2.15): 1500 data bytes
1508 bytes from 66.111.2.15: icmp_seq=0 ttl=56 time=33.917 ms
1508 bytes from 66.111.2.15: icmp_seq=1 ttl=56 time=33.892 ms
1508 bytes from 66.111.2.15: icmp_seq=2 ttl=56 time=33.918 ms
1508 bytes from 66.111.2.15: icmp_seq=3 ttl=56 time=33.869 ms

--- 66.111.2.15 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 33.869/33.899/33.918/0.020 ms
Checking connectivity for repository (IPv4): http://mirrors.nycbug.org/pub/opnsense/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 835 packages processed.
All repositories are up to date.
No IPv6 address could be found for host: mirrors.nycbug.org
***DONE***

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.1.11_2 at Mon Oct  9 21:09:06 CDT 2023
vulnxml file up-to-date
openssl-1.1.1u,1 is vulnerable:
  OpenSSL -- Excessive time spent checking DH q parameter value
  CVE: CVE-2023-3817
  WWW: https://vuxml.freebsd.org/freebsd/bad6588e-2fe0-11ee-a0d1-84a93843eb75.html

krb5-1.21.1 is vulnerable:
  krb5 -- Double-free in KDC TGS processing
  CVE: CVE-2023-39975
  WWW: https://vuxml.freebsd.org/freebsd/a6986f0f-3ac0-11ee-9a88-206a8a720317.html

python39-3.9.17 is vulnerable:
  Python -- multiple vulnerabilities
  CVE: CVE-2023-40217
  WWW: https://vuxml.freebsd.org/freebsd/a57472ba-4d84-11ee-bf05-000c29de725b.html

curl-8.1.2 is vulnerable:
  curl -- HTTP headers eat all memory
  CVE: CVE-2023-38039
  WWW: https://vuxml.freebsd.org/freebsd/833b469b-5247-11ee-9667-080027f5fec9.html

4 problem(s) in 4 installed package(s) found.
***DONE***
#13
Actually, since that attempt seemed to hang, I rebooted and re-downloaded update.  This is the result.

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 23.1.11_2 at Sat Oct  7 19:28:20 CDT 2023
Fetching packages-23.7-amd64.tar: .......................................... done
Extracting packages-23.7-amd64.tar... done
Please reboot.
>>> Invoking upgrade script 'unbound-duckdb.py'
Unbound DNS database export not required.
***DONE***


PS:  I rebooted.  No change, still 23.1.11_2 version
#14
Hello all,

I'm unable to complete an update to one of my servers.

Usually it appears to download the package, and says reboot - but reboot brings back up the current 23.1.11 version.

Today I get this:



***GOT REQUEST TO UPGRADE***
Currently running OPNsense 23.1.11_2 at Sat Oct  7 18:12:39 CDT 2023
Fetching packages-23.7-amd64.tar: ...


Would appreciate ideas!  Could there be a conflicting package?  Is there more I can try short of upgrading from a new system image?

Gerald