Messages - ajr

#1
No significant entries in logfile.
Maybe related: My OpenVPN tunnel provides the IPv6 default route.

I'm trying now WireGuard, as OpenVPN legacy client is obsolete ...

Thanks for replying
#2
I upgraded my backup node and then did a failover (persistent CARP switch) to upgrade the old master.
The OpenVPN client could not create a tunnel.
I switched back to the old master (running 25.1.5_5) and the tunnel came up.

Does the OpenVPN configuration need a change with 25.1.7, related to (from the README):
  openvpn: add port-share as advanced feature
  openvpn: add (push) block-ipv6 option
?

Is this a known bug ?

What else can I do to resolve the issue ?

ajr
#3
I upgraded my backup node and then did a failover (persistent CARP switch) to upgrade the old master.
The OpenVPN client could not create a tunnel.
I switched back to the old master and the tunnel came up.

Does the OpenVPN configuration need a change with 25.1.7, related to:
openvpn: add port-share as advanced feature
openvpn: add (push) block-ipv6 option

#4
Quote from: ajr on March 01, 2025, 09:33:52 PM
 Unfortunately this breaks connectivity of the backup system and
 needs some hack (route through master system) to do firmware update.

Unfortunately I can't get selection of backup gateway as default gateway working.
Even if gateway monitoring is on and "Allow default gateway switching" is on in system->settings->general.
It seems that gateway priority always takes precedence. See attached screenshot.

root@opn2:~ # netstat -rnfinet | grep default
default            192.168.178.1      UGS            igb1

How can I fix this ?
#5
Quote from: ajr on March 01, 2025, 09:33:52 PM
 This setup works (for me) only if I have deleted the IPv4 address
 of the WAN interface (keeping only the virtual address).

Can anybody please explain, why it works only with this setup ?

ajr
#6
 I have a setup where WLANs receive (periodically changing)
 DHCPv6 nets from the DSL router and some LANs receive static
 public IPv6 addresses via an OpenVPN tunnel which also provides
 the route to the internet for them.
 
 This setup works (for me) only if I have deleted the IPv4 address
 of the WAN interface (keeping only the virtual address).
 
 Unfortunately this breaks connectivity of the backup system and
 needs some hack (route through master system) to do firmware update.
 
 How can I replace the hack through some automatic gateway config
 change, e.g. gateway monitoring/scripting ?
 
 Is there a better solution for my dual IPv6 WAN setup ?
 
 
 Thanks, ajr
 
 PS: some details:
 
HA configuration (master/backup)
All interfaces have VIPs via CARP
All IPv4 addresses use NAT

LAN nets
 IPv4: static (rfc1918)
 IPv6: static (subnet from VPN)

WLAN nets (via APs)(all have VIPs via CARP)
 IPv4: static (rfc1918)
 IPv6: Track interface (DHCPv6)
 
WAN Interface (transfer net to VDSL router)
 IPv4: none
 IPv6: DHCPv6

Gateways
 IPv4: VDSL router (if master, VIP, Monitor IP router)
 IPv6: DHCPv6

OpenVPN client(legacy)
 Server Mode: Peer to Peer
 Interface: WAN VIP
 IPv6 Remote Network: ::/1,8000::/1
 
#7
Hi Franco,

UPGRADE SUCCEEDED !

/var/cache/opnsense-update/.upgrade.log is 40kB !


Thanks a lot for your time and your patience.

Ajr
#8
Hi Franco,


The check for updates page shows

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.7.12_4 (amd64) at Thu Feb  6 10:21:00 UTC 2025
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 869 packages processed.
All repositories are up to date.
Child process pid=2663 terminated abnormally: Segmentation fault
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (1 candidates): . done
Processing candidates (1 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.

The next page shows current version 25.1 and new version 24.7.12 for both
base and kernel.

So the update script seems to be confused by the combination of OS 14.2 and
opnsense 24.7.3

Shall I try an opnsense-update -kr 24.7.12 ?


After an upgrade attempt (opnsense-update -ur 25.1), the audit log again shows
    pkg-1.21.3 version mismatch, expected 1.19.2_5

Now, reverting the pkg does no longer work:

root@opn2:~ # pkg info | grep pkg
pkg-1.21.3                     Package manager
root@opn2:~ # opnsense-revert -r 24.7.12 pkg
Fetching pkg.pkg: ...... done
Verifying signature with trusted certificate pkg.opnsense.org.20240611... done
pkg-1.21.3: already unlocked

root@opn2:~ # pkg info | grep pkg
pkg-1.21.3                     Package manager
root@opn2:~ # pkg lock pkg
pkg-1.21.3: lock this package? [y/N]: y
Locking pkg-1.21.3
root@opn2:~ # opnsense-revert -r 24.7.12 pkg
Fetching pkg.pkg: .... done
Verifying signature with trusted certificate pkg.opnsense.org.20240611... done
Unlocking pkg-1.21.3
Installing pkg-1.19.2_5...
package pkg is already installed, forced install
Extracting pkg-1.19.2_5: 100%

But now the audit shows:

pkg-1.19.2_5 repository mismatch: unknown-repository

From the log, it seems that unlocking an already unlocked package is fatal.
bash-5.2.37: already unlocked

So I removed bash earlier.

But now:

root@opn2:~ # opnsense-update -G
beep-1.0_2: already unlocked

Any clue ?
Should I lock all packages and retry ?

Any options left to recover my situation ?

Ajr
#9
Quote from: newsense on February 06, 2025, 05:00:18 AM
 Also, any chance you might have deleted /var/cache while troubleshooting - before coming here that is - and that is why you had to manually recreate the missing folder ?

I never deleted any log files/directories.
#10
root@opn2:~ #  opnsense-update -G
bash-5.2.37: already unlocked
#11
I did

root@opn2:~ # opnsense-update -up 25.1
Usage: man opnsense-update
root@opn2:~ # opnsense-update -ur 25.1
Fetching packages-25.1-amd64.tar: .......................................................................... done
Extracting packages-25.1-amd64.tar... done
Please reboot.
root@opn2:~ # reboot
. . .
Last login: Wed Feb  5 11:57:49 2025 from 192.168.220.124
----------------------------------------------
|      Hello, this is OPNsense 24.7          |         @@@@@@@@@@@@@@@
. . .
root@opn2:~ # freebsd-version
14.2-RELEASE
root@opn2:~ # ls -l /var/cache/opnsense-update/
total 2
drwxr-xr-x  3 root wheel  3 Feb  5 14:58 .sets.pending
-rw-r--r--  1 root wheel 30 Feb  5 15:08 .upgrade.log
prw-r--r--  1 root wheel  0 Feb  5 15:08 .upgrade.pipe

What shall I do now ?
#12
The audit is now correct.

Trying the update with the console menu option 12 did not succeed.

The GUI still shows 25.1 as running version on the update page.

Should I use opnsense-update -u -r 25.1  or some other options ?
Which ones ?

ajr
#13
Nothing appears there.

I did an audit and found issues:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.7.12_4 (amd64) at Tue Feb  4 17:44:03 UTC 2025
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.1 is incorrect, expected: 24.7.12
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.1 is incorrect, expected: 24.7.12
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 24.7.12_4 has 69 dependencies to check.
Checking packages: .................................................
pkg-1.21.3 repository mismatch: FreeBSD
pkg-1.21.3 version mismatch, expected 1.19.2_5
Checking packages: ..................... done
***DONE***

Looking at pkg repo config shows:

root@opn2:~ # cat /usr/local/etc/pkg/repos/FreeBSD.conf
FreeBSD: { enabled: no }
root@opn2:~ # cat /usr/local/etc/pkg/repos/OPNsense.conf
OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://pkg.opnsense.org/${ABI}/24.7/latest",
  signature_type: "fingerprints",
  priority: 11,
  enabled: yes
}

So it should use opnsense repo, but it used the freebsd one.
Please advise a fix.
#14
Just created missing directory /var/log/cache and retrying . . .
#15
root@opn2:~ # ls -la /var/cache/opnsense-update/.upgrade.log
ls: /var/cache/opnsense-update/.upgrade.log: No such file or directory