OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of b1k3rdude »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - b1k3rdude

Pages: [1]
1
24.1 Legacy Series / Re: Unable update from 23.7.12 to 24.1.8
« on: June 20, 2024, 01:00:59 pm »
Quote from: b1k3rdude on June 15, 2024, 11:17:54 pm
So I am now running 24.1.8 and the 3 things I learned were -

- use SSH/console for updating/upgrading, as doing this through the webGUI is unreliable or wont work at all.
- pressing Q (not esc, space, enter) will quit the text file when attempting an update via the console.
- even though progress would appear to have hung when doing the update via the console via SSH, clicking into and pressing enter will refresh the window.

So thank you everyone that helped and gave advice (Franco, Patrick and Newsense), that helped me to help myself. The issue can be marked as resolved :-)
Just an update to first point. I just noticed that on the update tab on the webGUI, I had NOT been scrolling all the way to the bottom. So all this time when checking for updates I thought it was failing, you live and learn. Just updated to 24.1.9_3, doh!

2
24.1 Legacy Series / Re: Unable update from 23.7.12 to 24.1.8
« on: June 15, 2024, 11:17:54 pm »
So I am now running 24.1.8 and the 3 things I learned were -

- use SSH/console for updating/upgrading, as doing this through the webGUI is unreliable or wont work at all.
- pressing Q (not esc, space, enter) will quit the text file when attempting an update via the console.
- even though progress would appear to have hung when doing the update via the console via SSH, clicking into and pressing enter will refresh the window.

So thank you everyone that helped and gave advice (Franco, Patrick and Newsense), that helped me to help myself. The issue can be marked as resolved :-)

3
24.1 Legacy Series / Re: Unable update from 23.7.12 to 24.1.8
« on: June 15, 2024, 10:49:38 pm »
So upgrading with the Webgui never seems to actually do an upgrade/update. I have had to do every update/upgrade via the console via SSH.

I'm now running 24.1.5_3 and am trying to update to 24.1.8...

4
24.1 Legacy Series / Re: Unable update from 23.7.12 to 24.1.8
« on: June 15, 2024, 08:59:11 pm »
So that worked, but i had to manually reboot via ssh despite being asked to and rebooting after doing the upgrade. So now I am on 23.7.13_5.

But im having to type this reply from my phone, because i am getting access denied on the desktop, wtf? Its like ive been ip blocked for some reason, if so why?

5
24.1 Legacy Series / Re: Unable update from 23.7.12 to 24.1.8
« on: June 15, 2024, 06:57:13 pm »
Hah, bloody surmised it might be something smple that.. bah!

Well between my reply above and now I did a search "trying to do update from console stuck on readable opnsense" which then led me to the following post -

- https://forum.opnsense.org/index.php?topic=30836.0

This then made me aware that "opnsense-update" was changed to "opnsense-update -bkp", and I obviously wasnt aware of this. So an doing an update via the CLI as I type this...

Will be back with the result.

6
24.1 Legacy Series / Re: Unable update from 23.7.12 to 24.1.8
« on: June 15, 2024, 06:35:20 pm »
Quote from: franco on June 13, 2024, 06:24:39 pm
PS: Not sure why your health audit claims everything is on 23.7, but in this case going to 23.7.12 should be trivial?
How would I do this is both attempting via the webGui and manually via SSH and the console fail..?

And when doing so bia ssh and the console, I mean it displays a readme/txt outbut, but I dont know how to continue from that point. Pressing escape, space or enter does nothing

7
24.1 Legacy Series / Re: Unable update from 23.7.12 to 24.1.8
« on: June 13, 2024, 06:08:25 pm »
Atm its default>community, but get the same issue if I specify a local mirror. Checking my post above it looks like one of the errors is "Error updating repositories!" and its trying to connect via IPV6 only, why isnt it trying to also update via IPV4 or is that a red hearring..?

That and why isnt connecting to whats looks like the repo for the version on my box (https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7) why isnt not looking update to a later version..?

Where there might be an upgrade log, but Ive not been able to find it. Where 'exacty' is it supposed to be lcoations? as im not seeing antying with the keyword 'upgrade' in the section "System: Log Files: Audit" for example.

8
24.1 Legacy Series / Re: Unable update from 23.7.12 to 24.1.8
« on: June 13, 2024, 01:33:18 pm »
Hi Franco

I dont know where to obtain that from, but (see below) for the system>firmware> audit outputs.

And I have attached a copy of the update ppoup I get when trying to do an update via the web-GUI.


Connectivity:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7 at Thu Jun 13 12:13:09 BST 2024
Checking connectivity for host: www.mirrorservice.org -> 212.219.56.184
PING 212.219.56.184 (212.219.56.184): 1500 data bytes
1508 bytes from 212.219.56.184: icmp_seq=1 ttl=53 time=10.464 ms
1508 bytes from 212.219.56.184: icmp_seq=2 ttl=53 time=8.980 ms
1508 bytes from 212.219.56.184: icmp_seq=3 ttl=53 time=9.976 ms

--- 212.219.56.184 ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 8.980/9.807/10.464/0.617 ms
Checking connectivity for repository (IPv4): https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 863 packages processed.
All repositories are up to date.
Checking connectivity for host: www.mirrorservice.org -> 2001:630:341:12::184
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***

Health:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.7 at Thu Jun 13 12:20:00 BST 2024
>>> Check installed kernel version
Version 23.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: .
beep-1.0_1 version mismatch, expected 1.0_2
Checking packages: .
ca_root_nss-3.91 version mismatch, expected 3.93
Checking packages: .
choparp-20150613 version mismatch, expected 20150613_1
Checking packages: ......
filterlog-0.7 version mismatch, expected 0.7_1
Checking packages: ...
hostapd-2.10_5 version mismatch, expected 2.10_8
Checking packages: .....
lighttpd-1.4.71 version mismatch, expected 1.4.73
Checking packages: ..
mpd5-5.9_16 version mismatch, expected 5.9_17
Checking packages: .
ntp-4.2.8p17 version mismatch, expected 4.2.8p17_1
Checking packages: .
openssh-portable-9.3.p2,1 version mismatch, expected 9.6.p1_1,1
Checking packages: .
openvpn-2.6.5 version mismatch, expected 2.6.8_1
Checking packages: .
opnsense-23.7 version mismatch, expected 23.7.12_5
Checking packages: .
opnsense-installer-23.1 version mismatch, expected 24.1
Checking packages: .
opnsense-lang-22.7.3 version mismatch, expected 23.7.11
Checking packages: .
opnsense-update-23.7 version mismatch, expected 23.7.10_1
Checking packages: ..
pftop-0.8_4 version mismatch, expected 0.10
Checking packages: .
php82-ctype-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-curl-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-dom-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-filter-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-gettext-8.2.8 version mismatch, expected 8.2.14
Checking packages: ..
php82-ldap-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-pdo-8.2.8 version mismatch, expected 8.2.14
Checking packages: ...
php82-phalcon-5.2.3 version mismatch, expected 5.3.1
Checking packages: .
php82-phpseclib-3.0.19 version mismatch, expected 3.0.34
Checking packages: .
php82-session-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-simplexml-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-sockets-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-sqlite3-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-xml-8.2.8 version mismatch, expected 8.2.14
Checking packages: .
php82-zlib-8.2.8 version mismatch, expected 8.2.14
Checking packages: ...
py39-dnspython-2.4.0,1 version mismatch, expected 2.4.2,1
Checking packages: ..
py39-netaddr-0.8.0 version mismatch, expected 0.10.1
Checking packages: .
py39-numpy-1.25.0,1 version mismatch, expected 1.25.0_4,1
Checking packages: ...
py39-sqlite3-3.9.17_7 version mismatch, expected 3.9.18_7
Checking packages: .
py39-ujson-5.8.0 version mismatch, expected 5.9.0
Checking packages: ...
rrdtool-1.8.0_2 version mismatch, expected 1.8.0_3
Checking packages: ..
squid-5.9 version mismatch, expected 6.6
Checking packages: .
strongswan-5.9.10_2 version mismatch, expected 5.9.13
Checking packages: .
sudo-1.9.14p3 version mismatch, expected 1.9.15p5
Checking packages: .
suricata-6.0.13_1 version mismatch, expected 6.0.15
Checking packages: .
syslog-ng-4.2.0 version mismatch, expected 4.4.0
Checking packages: .
unbound-1.17.1_3 version mismatch, expected 1.19.0
Checking packages: .
wpa_supplicant-2.10_6 version mismatch, expected 2.10_10
Checking packages: . done
***DONE***

Security:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.7 at Thu Jun 13 12:23:41 BST 2024
Fetching vuln.xml.xz: .......... done
unbound-1.17.1_3 is vulnerable:
  DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities
  CVE: CVE-2023-50868
  CVE: CVE-2023-50387
  WWW: https://vuxml.FreeBSD.org/freebsd/21a854cc-cac1-11ee-b7a7-353f1e043d9a.html

openssl-1.1.1u,1 is vulnerable:
  OpenSSL -- Multiple vulnerabilities
  CVE: CVE-2023-6237
  CVE: CVE-2024-0727
  WWW: https://vuxml.FreeBSD.org/freebsd/10dee731-c069-11ee-9190-84a93843eb75.html

  OpenSSL -- Vector register corruption on PowerPC
  CVE: CVE-2023-6129
  WWW: https://vuxml.FreeBSD.org/freebsd/8337251b-b07b-11ee-b0d7-84a93843eb75.html

  OpenSSL -- Denial of Service vulnerability
  CVE: CVE-2024-4603
  WWW: https://vuxml.FreeBSD.org/freebsd/b88aa380-1442-11ef-a490-84a93843eb75.html

  OpenSSL -- Excessive time spent checking DH q parameter value
  CVE: CVE-2023-3817
  WWW: https://vuxml.FreeBSD.org/freebsd/bad6588e-2fe0-11ee-a0d1-84a93843eb75.html

  OpenSSL -- Use after free vulnerability
  CVE: CVE-2024-4741
  WWW: https://vuxml.FreeBSD.org/freebsd/73a697d7-1d0f-11ef-a490-84a93843eb75.html

  OpenSSL -- DoS in DH generation
  CVE: CVE-2023-5678
  WWW: https://vuxml.FreeBSD.org/freebsd/a5956603-7e4f-11ee-9df6-84a93843eb75.html

  OpenSSL -- potential loss of confidentiality
  CVE: CVE-2023-5363
  WWW: https://vuxml.FreeBSD.org/freebsd/4a4712ae-7299-11ee-85eb-84a93843eb75.html

  OpenSSL -- Unbounded memory growth with session handling in TLSv1.3
  CVE: CVE-2024-2511
  WWW: https://vuxml.FreeBSD.org/freebsd/7c217849-f7d7-11ee-a490-84a93843eb75.html

openvpn-2.6.5 is vulnerable:
  openvpn -- 2.6.0...2.6.6 --fragment option division by zero crash, and TLS data leak
  CVE: CVE-2023-46850
  CVE: CVE-2023-46849
  WWW: https://vuxml.FreeBSD.org/freebsd/2fe004f5-83fd-11ee-9f5d-31909fb2f495.html

krb5-1.21.1 is vulnerable:
  krb5 -- Double-free in KDC TGS processing
  CVE: CVE-2023-39975
  WWW: https://vuxml.FreeBSD.org/freebsd/a6986f0f-3ac0-11ee-9a88-206a8a720317.html

python39-3.9.17 is vulnerable:
  Python -- multiple vulnerabilities
  CVE: CVE-2023-40217
  WWW: https://vuxml.FreeBSD.org/freebsd/a57472ba-4d84-11ee-bf05-000c29de725b.html

php82-8.2.8 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2024-2757
  CVE: CVE-2024-3096
  CVE: CVE-2024-2756
  CVE: CVE-2024-1874
  WWW: https://vuxml.FreeBSD.org/freebsd/6d82c5e9-fc24-11ee-a689-04421a1baf97.html

curl-8.1.2 is vulnerable:
  curl -- HTTP headers eat all memory
  CVE: CVE-2023-38039
  WWW: https://vuxml.FreeBSD.org/freebsd/833b469b-5247-11ee-9667-080027f5fec9.html

  curl -- SOCKS5 heap buffer overflow
  CVE: CVE-2023-38545
  WWW: https://vuxml.FreeBSD.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html

  curl -- OCSP verification bypass with TLS session reuse
  CVE: CVE-2024-0853
  WWW: https://vuxml.FreeBSD.org/freebsd/02e33cd1-c655-11ee-8613-08002784c58d.html

suricata-6.0.13_1 is vulnerable:
  suricata -- multiple vulnerabilities
  CVE: CVE-2024-23837
  CVE: CVE-2024-24568
  CVE: CVE-2024-23835
  CVE: CVE-2024-23836
  CVE: CVE-2024-23839
  WWW: https://vuxml.FreeBSD.org/freebsd/979dc373-d27d-11ee-8b84-b42e991fc52e.html

squid-5.9 is vulnerable:
  squid -- Multiple vulnerabilities
  WWW: https://vuxml.FreeBSD.org/freebsd/a8fb8e3a-730d-11ee-ab61-b42e991fc52e.html

strongswan-5.9.10_2 is vulnerable:
  strongSwan -- vulnerability in charon-tkm
  CVE: CVE-2023-41913
  WWW: https://vuxml.FreeBSD.org/freebsd/a62c0c50-8aa0-11ee-ac0d-00e0670f2660.html

19 problem(s) in 10 installed package(s) found.
***DONE***



9
24.1 Legacy Series / Unable update from 23.7.12 to 24.1.8 - SOLVED
« on: June 13, 2024, 11:59:59 am »
Hello

So I have tried to update from 23.7.12 to 24.1.8 and Opnsense dosent wont to update past 23.7.12.

- webgui performs the update and shows 23.7.12 each time.
- via ssh and option 12 (Update all from console), I just get presented with a text of the update to 24.1.8 but it dosent appear do the actual update.
- via ssh option 8 (shell), I tried opnsense-update -up and get the message "No known packages set to fetch was specified."

Short of doing doing a complete install from scratch, what are my other options..? or am I missiong something major/obvious..?

update - For the solution go to my 14th reply.

10
General Discussion / Connecting to OS on internal LAN: I get website/cert error
« on: April 18, 2024, 04:02:51 pm »
So trying to search for help with this online is in a word 'unhelpful' as all the advice is referring to having the issue with external websites. I tried search for both of the errors on here, but only found one post and that didn't apply to my situation.

When I try to access my OS box (192.168.1.1) on my internal LAN I am getting the following errors from Firefox & Kaspersky (see attached). I have tried adding the IP to the trusted sites in internet setting (Win10) and trusted URLs in Kaspersky, but I still keep getting that message.

Now while I don't have to access the firewall all that often, its still no less annoying. Any guidance would be welcome.

11
Tutorials and FAQs / Re: Question: x86 appliance & OpnSense as home router replacement.
« on: October 12, 2023, 12:58:41 pm »
Yeah I learned that fairley recently, and the issue with trying to do that with OpnSense/pfsense is its all done in s/w hence being so slow/less reliable etc.

12
Tutorials and FAQs / Re: Question: x86 appliance & OpnSense as home router replacement.
« on: October 11, 2023, 06:57:06 pm »
Evnening

So as I suspected might be the case then, thanks for the confirmation.

I did try proxmox, to run pfsense and pihole, but as a Pc/Mac engineer the linux networking side of things is a bit outside my wheelhouse, as I never managed to get it to work.

Well maybe a softa hybrid approach then, thanks for the info.

13
Tutorials and FAQs / Question: x86 appliance & OpnSense as home router replacement.
« on: October 11, 2023, 04:47:35 pm »
Afternoon

I did do a DG/GGL search for this, but wasnt getting concreate answers - 

So currently I have a 'miniPC' running pfsense (its over kill, 2x ethernet, i3-8GB-120SSD) and my old Tp-Link router as the access point. I would like to replace both of them with a single appliance. I live in a single floor flat so wifi transmission is not a concerne

- If the appliance come with a supported wifi adapter, I assume OpenSense has the ability to control that as an access point?
- If the appliance has multiple ethernet ports, can all the non-wan used ports be used as a switch?

If no to the above questions are I best then just going down the OpenWRT path with an old Soho Router?

thanks.

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2