Messages - Evert

#1
Virtual private networks / Stale peers in Wireguard
April 24, 2025, 07:31:37 AM
Hi all,

When we were on OPNsense BE 24.10.2, Wireguard worked flawlessly. Now, after upgrading to 25.4, it still works flawlessly, but... when a peer goes offline, it doesn't switch from 'Online' to 'Offline', but from 'Online' to 'Stale'...

Just a minor issue, I know. But still... 

Is this something I can fix, or is this how it will be from now on?  ;-)
#2
I see that a hotfix has been released, version 24.10.2_6

Does this hotfix resolve the issues in this thread?
#3
Quote from: franco on February 12, 2025, 08:08:21 AM
The current suspicion is around os-mdns-repeater plugin, which apparently causes a lot of packets and associated states and lookup operations.


Cheers,
Franco

We have a DEC2750 v2, and we use the os-mdns-repeater plugin. Should we hold off on installing 24.10.2 for now?
#4
I spotted this in the changelog for 24.10.2 business edition / 24.7.10:

interfaces: remove ancient MAC address trickery to unbreak hostapd

What ancient trickery was involved here? Human sacrifices to Huītzilōpōchtli? 😎

#5
Quote from: franco on December 05, 2024, 08:47:52 AM
In that case a health audit is in order. Maybe a partial upgrade? Or a missing reboot?

The audit seems happy:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.10.1 (amd64) at Thu Dec  5 09:00:13 CET 2024
Strict TLS 1.3 and CRL checking is enabled.
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 24.7.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 24.7.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-OPNBEcore 1.4_3
os-cpu-microcode-amd 1.0
os-iperf 1.0_2
os-mdns-repeater 1.1_1
os-net-snmp 1.6
os-nut 1.8.1_2
os-smart 2.3
os-zabbix7-agent 1.14
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense-business" at 24.10.1 has 70 dependencies to check.
Checking packages: ....................................................................... done
***DONE***


The unit reports an uptime of 58 minutes, so the most recent reboot (when I thought I patched the kernel) seems to have been successful.
#6
Quote from: franco on December 05, 2024, 08:28:30 AM
Hi Evert,

You have to update first. Looks like you still have either 24.7.8 or 24.7.9 installed.

"opnsense-update -fk" will force a kernel update, but to the last known good version that opnsense-update knows, which is 24.7.8 as it is likely also at 24.7.8 judging by the fact that it reinstalls the kernel for 24.7.8 :)


Cheers,
Franco

Hmm, I should have noticed that myself!  8)
Still early here...  😁

However, the web GUI reports:
OPNsense 24.10.1-amd64, which made me think I was running 24.10.
#7
Quote from: franco on December 04, 2024, 10:55:03 AM
It's hotfixed now in 24.7.10_2. Announcement follows.

My unit reported
root@OPN0:~ # uname -v
FreeBSD 14.1-RELEASE-p6 stable/24.7-n267939-fd5bc7f34e1 SMP

so I ran
root@OPN0:~ # opnsense-update -fk
Fetching kernel-24.7.8-amd64.txz: ... done
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing kernel-24.7.8-amd64.txz... done
Please reboot.
and I rebooted.

However, it still reports:
FreeBSD 14.1-RELEASE-p6 stable/24.7-n267939-fd5bc7f34e1 SMP

How do I proceed?
#8
Hi,

When I updated to OPNsense 24.10.1, it first appeared that all went as mentioned, but then I noticed that some of the services weren't running and that my unit hadn't actually rebooted.

Some searching on the console revealed that the reboot never happened because of a stubborn monitrc process. As soon as I killed it, the reboot process commenced.

After the reboot all services started as they should, and all was well.

Has anyone else experienced this?
(Perhaps an idea to forcefully kill processes like monitrc if they don't go down gracefully?)
#9
Quote from: Seimus on November 20, 2024, 09:47:06 AM
Is that interface a parent to, VLAN, LAGG or any overlay?

It is indeed. Does that mess with Ierrs/Oerrs?
#10
Hi,

When I run netstat -i on our DEC2750 v2 unit, I get the following values on ax0:
Ierrs: 18446744073709551598
Oerrs: 18446744073709551538

Both of these values are ridiculously high, and suspiciously close to 2^64.

The other interfaces report valid values, as far as I can tell.

How do I get the real Ierrs & Oerrs values for ax0?
#11
So it's a single file? The log suggests it was 2 separate files.

Yeah, if it's a single file anyway, then I guess it's fine  :)
#12
2024-11-07T03:05:02+01:00 PM0.arkivo.no root 27472 - [meta sequenceId="1"] bogons update is beginning the update cycle
2024-11-07T03:05:02+01:00 PM0.arkivo.no root 40527 - [meta sequenceId="2"] Bogons V4 file downloaded: no changes.
2024-11-07T03:05:02+01:00 PM0.arkivo.no root 52169 - [meta sequenceId="3"] Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off
2024-11-07T03:05:02+01:00 PM0.arkivo.no root 54919 - [meta sequenceId="4"] update bogons is ending the update cycle


Why not first check the state of IPv6 Allow, and base whether Bogons V6 gets downloaded on that?  8)
#13
High availability / Re: CARP instability lately
November 01, 2024, 03:31:07 PM
dmesg doesn't seem to give much more. Here's the most recent occurrence, where only 1 vlan switched.

GW0:
carp: 238@vlan0.999: MASTER -> BACKUP (more frequent advertisement received)

GW1:
carp: 238@vlan0.999: BACKUP -> MASTER (master timed out)
#14
High availability / CARP instability lately
November 01, 2024, 12:26:01 PM
Hi all,

We have 2 OPNsense units, GW0 & GW1. We're using CARP for HA. Port ax0 connects the unit to our office network. There are currently 6 VLANs in use.

GW0 is MASTER. GW1 is BACKUP.

The last couple of days, we occasionally see that the CARP of some of the VLANs switches over to GW1 as MASTER.

GW0:
2024-11-01T11:30:18+01:00 GW0.domain.com kernel - - [meta sequenceId="1"] <6>carp: 100@vlan0.100: MASTER -> BACKUP (more frequent advertisement received)
2024-11-01T11:30:18+01:00 GW0.domain.com opnsense-business 64683 - [meta sequenceId="2"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP CONTROL (10.10.0.1) (100@vlan0.100)" has resumed the state "BACKUP" for vhid 100
2024-11-01T11:30:18+01:00 GW0.domain.com opnsense-business 65088 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:30:18+01:00 GW0.domain.com opnsense-business 65088 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:30:18+01:00 GW0.domain.com opnsense-business 65088 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-01T11:36:27+01:00 GW0.domain.com opnsense-business 60906 - [meta sequenceId="1"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP GUEST (192.168.254.1) (168@vlan0.192)" has resumed the state "BACKUP" for vhid 168
2024-11-01T11:36:27+01:00 GW0.domain.com kernel - - [meta sequenceId="2"] <6>carp: 168@vlan0.192: MASTER -> BACKUP (more frequent advertisement received)
2024-11-01T11:36:28+01:00 GW0.domain.com opnsense-business 61798 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:36:28+01:00 GW0.domain.com opnsense-business 61798 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:36:28+01:00 GW0.domain.com opnsense-business 61798 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-01T11:44:14+01:00 GW0.domain.com opnsense-business 68814 - [meta sequenceId="1"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP IoT (192.168.238.1) (238@vlan0.999)" has resumed the state "BACKUP" for vhid 238
2024-11-01T11:44:14+01:00 GW0.domain.com kernel - - [meta sequenceId="2"] <6>carp: 238@vlan0.999: MASTER -> BACKUP (more frequent advertisement received)
2024-11-01T11:44:14+01:00 GW0.domain.com opnsense-business 70199 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:44:14+01:00 GW0.domain.com opnsense-business 70199 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:44:14+01:00 GW0.domain.com opnsense-business 70199 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))


GW1:
2024-11-01T11:30:18+01:00 GW1.domain.com kernel - - [meta sequenceId="1"] <6>carp: 100@vlan0.100: BACKUP -> MASTER (master timed out)
2024-11-01T11:30:18+01:00 GW1.domain.com opnsense-business 88827 - [meta sequenceId="2"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP CONTROL (10.10.0.1) (100@vlan0.100)" has resumed the state "MASTER" for vhid 100
2024-11-01T11:30:18+01:00 GW1.domain.com opnsense-business 91716 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:30:18+01:00 GW1.domain.com opnsense-business 91716 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:30:18+01:00 GW1.domain.com opnsense-business 91716 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-01T11:36:27+01:00 GW1.domain.com kernel - - [meta sequenceId="1"] <6>carp: 168@vlan0.192: BACKUP -> MASTER (master timed out)
2024-11-01T11:36:27+01:00 GW1.domain.com opnsense-business 28680 - [meta sequenceId="2"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP GUEST (192.168.254.1) (168@vlan0.192)" has resumed the state "MASTER" for vhid 168
2024-11-01T11:36:28+01:00 GW1.domain.com opnsense-business 31286 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:36:28+01:00 GW1.domain.com opnsense-business 31286 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:36:28+01:00 GW1.domain.com opnsense-business 31286 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
<85>1 2024-11-01T11:40:12+01:00 GW1.domain.com sudo 28873 - [meta sequenceId="1"]    evert : TTY=pts/0 ; PWD=/home/evert ; USER=root ; COMMAND=/usr/bin/su -
2024-11-01T11:44:14+01:00 GW1.domain.com opnsense-business 75137 - [meta sequenceId="1"] /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtual IP IoT (192.168.238.1) (238@vlan0.999)" has resumed the state "MASTER" for vhid 238
2024-11-01T11:44:14+01:00 GW1.domain.com kernel - - [meta sequenceId="2"] <6>carp: 238@vlan0.999: BACKUP -> MASTER (master timed out)
2024-11-01T11:44:14+01:00 GW1.domain.com opnsense-business 77007 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:44:14+01:00 GW1.domain.com opnsense-business 77007 - [meta sequenceId="4"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-01T11:44:14+01:00 GW1.domain.com opnsense-business 77007 - [meta sequenceId="5"] /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))


It's not always the same VLANs which go from MASTER to BACKUP, but it's never all of them.

We have never had this issue before, and there have been no hardware/config changes in a while, other than updating to 24.10BE, but whether that has anything to do with it...?

Any suggestions on where I should start looking? 🤔
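
A way to line up the CARP transitions from both nodes, as an added example that is not part of the original post: it parses the kernel `carp:` lines in the syslog format shown above and pairs each MASTER -> BACKUP on one host with the BACKUP -> MASTER on the other for the same vhid. The function names and the 2-second matching window are assumptions made for this example.

```python
import re
from datetime import datetime

# Kernel CARP state-change line in the syslog format shown in the post.
CARP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel .*?carp: (?P<vhid>\d+)@(?P<ifname>\S+): "
    r"(?P<old>\w+) -> (?P<new>\w+) \((?P<reason>[^)]*)\)"
)

# Sample input: kernel lines taken from the post, plus one non-CARP line.
SAMPLE = """\
2024-11-01T11:30:18+01:00 GW0.domain.com kernel - - [meta sequenceId="1"] <6>carp: 100@vlan0.100: MASTER -> BACKUP (more frequent advertisement received)
2024-11-01T11:30:18+01:00 GW0.domain.com opnsense-business 65088 - [meta sequenceId="3"] /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-01T11:36:27+01:00 GW0.domain.com kernel - - [meta sequenceId="2"] <6>carp: 168@vlan0.192: MASTER -> BACKUP (more frequent advertisement received)
2024-11-01T11:44:14+01:00 GW0.domain.com kernel - - [meta sequenceId="2"] <6>carp: 238@vlan0.999: MASTER -> BACKUP (more frequent advertisement received)
2024-11-01T11:30:18+01:00 GW1.domain.com kernel - - [meta sequenceId="1"] <6>carp: 100@vlan0.100: BACKUP -> MASTER (master timed out)
2024-11-01T11:36:27+01:00 GW1.domain.com kernel - - [meta sequenceId="1"] <6>carp: 168@vlan0.192: BACKUP -> MASTER (master timed out)
2024-11-01T11:44:14+01:00 GW1.domain.com kernel - - [meta sequenceId="2"] <6>carp: 238@vlan0.999: BACKUP -> MASTER (master timed out)
"""

def parse_transitions(text):
    """Return one dict per CARP state change; all other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = CARP_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def pair_failovers(events, window_s=2):
    """Pair a demotion on one host with the promotion on another host for the
    same vhid@interface, if both happened within window_s seconds (assumed)."""
    down = [e for e in events if (e["old"], e["new"]) == ("MASTER", "BACKUP")]
    up = [e for e in events if (e["old"], e["new"]) == ("BACKUP", "MASTER")]
    pairs = []
    for d in down:
        for p in up:
            same_vip = (p["vhid"], p["ifname"]) == (d["vhid"], d["ifname"])
            close = abs((p["ts"] - d["ts"]).total_seconds()) <= window_s
            if same_vip and close and p["host"] != d["host"]:
                pairs.append((d["ts"].isoformat(), f'{d["vhid"]}@{d["ifname"]}',
                              d["host"], p["host"], p["reason"]))
    return sorted(pairs)

if __name__ == "__main__":
    for row in pair_failovers(parse_transitions(SAMPLE)):
        print(*row, sep="  ")
```

Each output row gives the time, the vhid@interface, the host that stepped down, the host that took over, and the reason the new master logged.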
#15
General Discussion / Re: Monitoring Zabbix
June 11, 2024, 09:56:39 AM
Quote from: Patrick M. Hausen on December 06, 2023, 09:23:11 AM
Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM
OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI [...]

os-zabbix-agent, os-zabbix6-agent, and os-zabbix64-agent are all available right in System > Firmware > Plugins.

I currently have os-zabbix64-agent installed. If I were to replace that with os-zabbix-agent, will I then automagically get an updated version when 'os-zabbix7-agent' is released?

In other words: which version of zabbix-agent does os-zabbix-agent represent?