1
Hardware and Performance / Re: Ierrs & Oerrs are way off on ax0
« on: November 20, 2024, 10:27:09 am »Is that interface a parent to, VLAN, LAGG or any overlay?
It is indeed. Does that mess with Ierrs/Oerrs?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
It is indeed. Does that mess with Ierrs/Oerrs?
2
Hardware and Performance / Ierrs & Oerrs are way off on ax0
« on: November 20, 2024, 09:40:46 am »
Hi,
When I run
The other interfaces report valid values, as far as I can tell.
How do I get the real Ierrs & Oerrs values for ax0?
When I run
Code: [Select]
netstat -i on our DEC2750 v2 unit, I get the following values on ax0:Code: [Select]
Ierrs: 18446744073709551598
Oerrs: 18446744073709551538Both of these values are ridiculously high, and suspiciously close to 2^64.The other interfaces report valid values, as far as I can tell.
How do I get the real Ierrs & Oerrs values for ax0?
3
General Discussion / Re: Why bother downloading Bogons v6 when they're not used?
« on: November 07, 2024, 08:14:59 am »
So it's a single file? The log suggests it was 2 separate files.
Yeah, if it's a single file anyway, then I guess it's fine
Yeah, if it's a single file anyway, then I guess it's fine
4
General Discussion / [SOLVED] Why bother downloading Bogons v6 when they're not used?
« on: November 07, 2024, 07:45:28 am »Code: [Select]
2024-11-07T03:05:02+01:00 PM0.arkivo.no root 27472 - [meta sequenceId="1"] bogons update is beginning the update cycle
2024-11-07T03:05:02+01:00 PM0.arkivo.no root 40527 - [meta sequenceId="2"] Bogons V4 file downloaded: no changes.
2024-11-07T03:05:02+01:00 PM0.arkivo.no root 52169 - [meta sequenceId="3"] Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off
2024-11-07T03:05:02+01:00 PM0.arkivo.no root 54919 - [meta sequenceId="4"] update bogons is ending the update cycle
Why not first check the state of IPv6 Allow, and base whether Bogons V6 gets downloaded on that?
6
High availability / CARP instability lately
« on: November 01, 2024, 12:26:01 pm »
Hi all,
We have 2 OPNsense units, GW0 & GW1. We're using CARP for HA. Port ax0 connects the unit to our office network. There's currently 6 VLANs in use.
GW0 is MASTER. GW1 is BACKUP
The last couple of days, we see occasionally that the CARP of some of the VLAN's switches over to GW1 as MASTER.
GW0:
GW1:
It's not always the same VLAN's which go from MASTER to BACKUP, but it's never all of them.
We have never had this issue before, and there have been no hardware/config changes in a while, other than updating to 24.10BE, but whether that has anything to do with it...?
Any suggestions on where I should start looking? 🤔
We have 2 OPNsense units, GW0 & GW1. We're using CARP for HA. Port ax0 connects the unit to our office network. There's currently 6 VLANs in use.
GW0 is MASTER. GW1 is BACKUP
The last couple of days, we see occasionally that the CARP of some of the VLAN's switches over to GW1 as MASTER.
GW0:
Code: [Select]
2024-11-01T11:30:18+01:00 GW0.domain.com kernel - - [meta sequenceId="1"] <6>carp: 100@vlan0.100: MASTER -> BACKUP (more frequent advertisement received)
2024-11-01T11:30:18+01:00 GW0.domain.com opnsense-business 64683 - [meta sequenceId="2"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP CONTROL (10.10.0.1) (100@vlan0.100)" has resumed the state "BACKUP" for vhid 100
2024-11-01T11:30:18+01:00 GW0.domain.com opnsense-business 65088 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:30:18+01:00 GW0.domain.com opnsense-business 65088 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:30:18+01:00 GW0.domain.com opnsense-business 65088 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-01T11:36:27+01:00 GW0.domain.com opnsense-business 60906 - [meta sequenceId="1"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP GUEST (192.168.254.1) (168@vlan0.192)" has resumed the state "BACKUP" for vhid 168
2024-11-01T11:36:27+01:00 GW0.domain.com kernel - - [meta sequenceId="2"] <6>carp: 168@vlan0.192: MASTER -> BACKUP (more frequent advertisement received)
2024-11-01T11:36:28+01:00 GW0.domain.com opnsense-business 61798 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:36:28+01:00 GW0.domain.com opnsense-business 61798 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:36:28+01:00 GW0.domain.com opnsense-business 61798 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-01T11:44:14+01:00 GW0.domain.com opnsense-business 68814 - [meta sequenceId="1"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP IoT (192.168.238.1) (238@vlan0.999)" has resumed the state "BACKUP" for vhid 238
2024-11-01T11:44:14+01:00 GW0.domain.com kernel - - [meta sequenceId="2"] <6>carp: 238@vlan0.999: MASTER -> BACKUP (more frequent advertisement received)
2024-11-01T11:44:14+01:00 GW0.domain.com opnsense-business 70199 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:44:14+01:00 GW0.domain.com opnsense-business 70199 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:44:14+01:00 GW0.domain.com opnsense-business 70199 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
GW1:
Code: [Select]
2024-11-01T11:30:18+01:00 GW1.domain.com kernel - - [meta sequenceId="1"] <6>carp: 100@vlan0.100: BACKUP -> MASTER (master timed out)
2024-11-01T11:30:18+01:00 GW1.domain.com opnsense-business 88827 - [meta sequenceId="2"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP CONTROL (10.10.0.1) (100@vlan0.100)" has resumed the state "MASTER" for vhid 100
2024-11-01T11:30:18+01:00 GW1.domain.com opnsense-business 91716 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:30:18+01:00 GW1.domain.com opnsense-business 91716 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:30:18+01:00 GW1.domain.com opnsense-business 91716 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-01T11:36:27+01:00 GW1.domain.com kernel - - [meta sequenceId="1"] <6>carp: 168@vlan0.192: BACKUP -> MASTER (master timed out)
2024-11-01T11:36:27+01:00 GW1.domain.com opnsense-business 28680 - [meta sequenceId="2"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP GUEST (192.168.254.1) (168@vlan0.192)" has resumed the state "MASTER" for vhid 168
2024-11-01T11:36:28+01:00 GW1.domain.com opnsense-business 31286 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:36:28+01:00 GW1.domain.com opnsense-business 31286 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:36:28+01:00 GW1.domain.com opnsense-business 31286 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
<85>1 2024-11-01T11:40:12+01:00 GW1.domain.com sudo 28873 - [meta sequenceId="1"] evert : TTY=pts/0 ; PWD=/home/evert ; USER=root ; COMMAND=/usr/bin/su -
2024-11-01T11:44:14+01:00 GW1.domain.com opnsense-business 75137 - [meta sequenceId="1"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP IoT (192.168.238.1) (238@vlan0.999)" has resumed the state "MASTER" for vhid 238
2024-11-01T11:44:14+01:00 GW1.domain.com kernel - - [meta sequenceId="2"] <6>carp: 238@vlan0.999: BACKUP -> MASTER (master timed out)
2024-11-01T11:44:14+01:00 GW1.domain.com opnsense-business 77007 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:44:14+01:00 GW1.domain.com opnsense-business 77007 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:44:14+01:00 GW1.domain.com opnsense-business 77007 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
It's not always the same VLAN's which go from MASTER to BACKUP, but it's never all of them.
We have never had this issue before, and there have been no hardware/config changes in a while, other than updating to 24.10BE, but whether that has anything to do with it...?
Any suggestions on where I should start looking? 🤔
7
General Discussion / Re: Monitoring Zabbix
« on: June 11, 2024, 09:56:39 am »OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI [...]
os-zabbix-agent, os-zabbix6-agent, and os-zabbix64-agent are all available right in System > Firmware > Plugins.
I currently have os-zabbix64-agent installed. If I were to replace that with os-zabbix-agent , will I then automagically get an updated version when 'os-zabbix7-agent' is released?
In other words: which version of zabbix-agent does os-zabbix-agent represent?
8
24.1 Legacy Series / Reporting: Unbound DNS - only 21% resolved?
« on: April 08, 2024, 10:54:42 am »
Hi all,
I happened to notice that on the Reporting: Unbound DNS page I have a Resolved-% of only 21%. Blocked = 0.
Without any major DNS issues I'd expect this percentage to be much higher. Perhaps not 100%, but definitely somewhere in the 90's.
Is there something off with the way this percentage is being calculated perhaps?
I happened to notice that on the Reporting: Unbound DNS page I have a Resolved-% of only 21%. Blocked = 0.
Without any major DNS issues I'd expect this percentage to be much higher. Perhaps not 100%, but definitely somewhere in the 90's.
Is there something off with the way this percentage is being calculated perhaps?
9
24.1 Legacy Series / Resolving DNS & localhost (IPv4/IPv6)
« on: April 08, 2024, 10:32:39 am »
Hi,
We're running OPNsense with Unbound DNS. I was noticing that some quries made by localhost resulted in SERVFAIL.
With some testing in the cli I noticed the following: When running 'drill @localhost google.com' it either responds immediately, or it takes 15 seconds.
Given that 'drill @127.0.0.1 google.com' & ' drill -4 @localhost google.com' always respond immediately I think I have narrowed it down to the fact that /etc/hosts contains:
127.0.0.1 localhost localhost.domain.com
::1 localhost localhost.domain.com
However, it doesn't appear Unbound listens on IPv6 on my system.
Looks like I should either remove that ::1-line from /etc/hosts, or get Unbound to listen on IPv6 as well.
Any recommendations?
We're running OPNsense with Unbound DNS. I was noticing that some quries made by localhost resulted in SERVFAIL.
With some testing in the cli I noticed the following: When running 'drill @localhost google.com' it either responds immediately, or it takes 15 seconds.
Given that 'drill @127.0.0.1 google.com' & ' drill -4 @localhost google.com' always respond immediately I think I have narrowed it down to the fact that /etc/hosts contains:
127.0.0.1 localhost localhost.domain.com
::1 localhost localhost.domain.com
However, it doesn't appear Unbound listens on IPv6 on my system.
Looks like I should either remove that ::1-line from /etc/hosts, or get Unbound to listen on IPv6 as well.
Any recommendations?
10
24.1 Legacy Series / Re: Rule being ignored occasionally?
« on: March 14, 2024, 10:59:09 am »Most likely out-of-state traffic. What are the 'tcpflags' of blocked packets?
PA, FPA, RA or A. It varies.
11
24.1 Legacy Series / Rule being ignored occasionally?
« on: March 13, 2024, 09:36:16 am »
Hi all,
We have an interface named OFFICE where we allow anyone who is on the associated subnet (192.168.24.x) to connect to * on port 80 & 443 (TCP/UDP).
At the bottom of the rule list for this interface there's a rule blocking any traffic from OFFICE to !OFFICE.
When I enable logging on that last rule, I occasionally see requests from OFFICE to external hosts on 443/TCP (occasionally 80/TCP) being blocked.
Why would that traffic reach that rule, given that I allow all traffic on ports 80 and 443 higher up in the rule list?
We have an interface named OFFICE where we allow anyone who is on the associated subnet (192.168.24.x) to connect to * on port 80 & 443 (TCP/UDP).
At the bottom of the rule list for this interface there's a rule blocking any traffic from OFFICE to !OFFICE.
When I enable logging on that last rule, I occasionally see requests from OFFICE to external hosts on 443/TCP (occasionally 80/TCP) being blocked.
Why would that traffic reach that rule, given that I allow all traffic on ports 80 and 443 higher up in the rule list?
12
Virtual private networks / Re: Why does source = IPsec net not work in my case?
« on: March 05, 2024, 08:48:24 am »
Before I make the same mistake twice... It would work with Wireguard, right? That's different in this aspect from IPsec?
13
Virtual private networks / Re: Why does source = IPsec net not work in my case?
« on: February 28, 2024, 12:05:07 pm »
Ah, ok.
What if I replace '*' with an alias containing the networks of our customer? Would that be a functioning compromise?
What if I replace '*' with an alias containing the networks of our customer? Would that be a functioning compromise?
14
Virtual private networks / Why does source = IPsec net not work in my case?
« on: February 28, 2024, 10:23:23 am »
Hi all,
I've been configuring an IPsec connection between us, and one of our customers. IPsec itself was working pretty soon (both phase 1 & phase 2), but we had the hardest time pushing bits and bytes through that tunnel...
After trying many things I ended up going to Firewall: Rules: IPsec and changing the source of the rules, which was set to 'IPsec net', to '*'. As soon as I did this, the customer was able to connect to the resources.
We have various other subnets, including 2 Wireguard, where I've set the source to '[subnet name] net' in firewall rules, and this works flawlessly.
Why doesn't this work for our IPsec setup? Did I misconfigure something somewhere, or is this a bug... ahem... feature?
I've been configuring an IPsec connection between us, and one of our customers. IPsec itself was working pretty soon (both phase 1 & phase 2), but we had the hardest time pushing bits and bytes through that tunnel...
After trying many things I ended up going to Firewall: Rules: IPsec and changing the source of the rules, which was set to 'IPsec net', to '*'. As soon as I did this, the customer was able to connect to the resources.
We have various other subnets, including 2 Wireguard, where I've set the source to '[subnet name] net' in firewall rules, and this works flawlessly.
Why doesn't this work for our IPsec setup? Did I misconfigure something somewhere, or is this a bug... ahem... feature?
15
High availability / Re: Monit & HA/pfsync
« on: February 22, 2024, 08:24:19 am »So if you have two firewalls, and you are using PFSYNC, why do you need an additional sync outside of PFSYNC? I'm new to this also, so wondering, not attacking.
I'm probably as new as you
If I interpreted https://docs.opnsense.org/manual/hacarp.html correctly there is no automatic sync of config changes between nodes, so that's why I configured the hourly sync, as mentioned on that page.