Messages - skatopn

#1
I installed 24.7 on an Intel NUC. I like to assign interface 'xxx0' to 'outside' and 'xxx1' to 'inside', but the default is the opposite. After I installed, I chose to assign the interfaces and LAN IP address according to my preference, however, I could not ping the inbound gateway router. Not even any ARP entries. After some playing around I decided to go back to the default interface assignment and see if that worked. After going through the menu options again to choose 'igc0' as LAN and 'igc1' as WAN and assign VLAN 2 to the WAN and give the LAN the inside IP address (which will be my GW IP outbound), ifconfig showed me that both LAN and WAN have a VLAN2 subinterface and the same IP address is on both WAN and LAN (parent).

I found this reddit post which appears to be this exact issue in 23.x:
https://www.reddit.com/r/opnsense/comments/17jz2l0/interface_assignment_bug/?rdt=65466

Attached is the output from ifconfig.

Anyone know anything about this behaviour, and a fix for it?
#2
General Discussion / Re: How do I debug OPNsense reboot?
September 16, 2024, 01:34:39 AM
Quote from: Monviech on April 08, 2024, 12:24:36 PM
You can look into these logfiles:

/var/log/dmesg.today
/var/log/dmesg.yesterday

If the OPNsense randomly reboots I would grep them for "panic".

In the GUI there's also the /crash_reporter.php

Thank you.
#3
General Discussion / Re: How do I debug OPNsense reboot?
September 16, 2024, 01:34:05 AM
Quote from: cookiemonster on April 08, 2024, 12:11:39 PM
Not exactly what you're after but boot logs are saved normally. They get rotated but you can go back a bit in /var/log/ directory. But, it might not have a record of the trigger i.e. a crash dump. That needs to be configured and I haven't had the need to look at the way for OPN.
One thing I used for a different system I had to troubleshoot for the same thing is I created a small VM on the same network and configured as a syslog target. There I was able to see the trigger. Hope it helps.

Thank you.
#4
Thanks @PatrickMHausen and @Greg_E.

I'll try memtest, followed by 'memswap'.
#5
How do I run a thorough low-level hardware memory test to discover any bad memory cells that may exist?

If I do find bad memory cells, do I need to replace the RAM or can I flag the specific cell addresses as bad so OPNsense will not use them?
#6
Interesting. Might give it a go. Thanks!
#7
General Discussion / How do I debug OPNsense reboot?
April 08, 2024, 04:51:40 AM
Sometimes my OPNsense box reboots itself.
I don't know what triggers it.

How do I:
1. configure OPNsense to record all reboot logs to a file I can later review? (e.g. save crash dump/data/errors and boot logs)
2. troubleshoot unplanned reboots?

Thanks.
#8
I have noticed that the HDMI output seems to fail after the screen has gone to sleep or been power cycled.

I suspect this may have something to do with the HDMI protocol negotiations failing to reestablish trust (HDMI uses certificates or SSL I believe).

How can I debug this, or at least force the HDMI interface to renegotiate (bounce it)?
#9
I can run a packet capture in OPNsense, but in between the Rx (INGRESS) of a packet on an interface and the Tx (EGRESS) of a packet (assuming it passes all policies) the OPNsense obviously processes a packet through the various configured policies and filters.

Question:
How do I debug packet process within the OPNsense OS to trace the path of the packet from INGRESS (Rx) through to EGRESS (Tx) or denial/dropping?


Note, this is in addition to checking things like ARP cache, DNS cache and other standard diagnostic checks.
What I want to do does not appear to be available in the GUI so I want to know what commands I can use in the CLI to debug packet flow/processing.

TIA
#10
General Discussion / Re: Alias creation using API
March 11, 2024, 02:41:09 AM
Quote from: skatopn on March 08, 2024, 04:12:40 AM
My previous post is how I believe the whole process should work, but it appears there may currently be a bug with the alias.json import function.

See this thread for details:
https://forum.opnsense.org/index.php?topic=39297.0

The JSON import bug I referred to is not a bug. It was my error.

But below I have added a slightly updated version of the Python script posted by @trumee above:

import json
import uuid
import csv

jsonfile = 'C:/path/to/aliases.json'
csvfile = 'C:/path/to/opnsense_alias.csv'
# jsonfile = '/path/to/aliases.json'
# csvfile = '/path/to/opnsense_alias.csv'

# Load the alias export downloaded from Firewall > Aliases
with open(jsonfile, encoding="utf-8") as user_file:
    parsed_json = json.load(user_file)

cur_items = parsed_json['aliases']['alias']

# Read the new aliases from the CSV (columns: name, data, type, description)
with open(csvfile, newline='') as csv_in:   # do not shadow the csvfile path variable
    reader = csv.DictReader(csv_in)
    for row in reader:
        #print(row)
        item_name = row['name']
        item_data = row['data']
        item_type = row['type']
        item_description = row['description']

        # Multiple values are space-separated in the CSV; OPNsense wants one per line
        if len(item_data.split(" ")) > 1:
            item_data = "\n".join(item_data.split(" "))

        item_uuid = str(uuid.uuid4())

        new_alias = {'enabled': '1',
                     'name': item_name,
                     'type': item_type,
                     'proto': '',
                     'interface': '',
                     'counters': '0',
                     'updatefreq': '',
                     'content': item_data,
                     'categories': '',
                     'description': item_description
                     }

        cur_items[item_uuid] = new_alias

# Write the merged alias list back over the downloaded file (ready for upload)
with open(jsonfile, 'w', encoding="utf-8") as f:
    json.dump(parsed_json, f, indent=2)


Instructions from my previous post remain unchanged.
#11
Quote from: skatopn on February 08, 2024, 12:13:17 AM
Thanks.

JSON is not CSV though, so I will have to try and come up with a way to convert CSV to JSON.
Looking at some API examples, it appears that I don't need to create an object UUID first, so this might be easier than I first thought.

I will do some testing and report back.

This is resolved in this post:
https://forum.opnsense.org/index.php?topic=36687.msg179205#msg179205
#12
Quote from: Fright on March 08, 2024, 07:54:51 PM
Quote: The name must start with a letter or single underscore, be less than 32 characters and only consist of alphanumeric characters or underscores
and still try to use hyphens?  ;)

#13
General Discussion / Re: Alias creation using API
March 08, 2024, 04:12:40 AM
My previous post is how I believe the whole process should work, but it appears there may currently be a bug with the alias.json import function.

See this thread for details:
https://forum.opnsense.org/index.php?topic=39297.0
#14
I think I have found a bug with the Alias JSON import function.
Before I raise a bug ticket on github, I wanted to check here first in case there is something I have missed.

This is the test alias.json I am trying to import:

{
  "geoip": {
    "url": "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<KEY-OMITTED>&suffix=zip"
  },
  "aliases": {
    "alias": {
      "19a042c4-e10c-4a3b-bec2-ddecc101f177": {
        "enabled": "1",
        "name": "a_AA-aaaAA-AA_99_9_9_99",
        "type": "host",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "10.7.9.56",
        "categories": "",
        "description": "Aaaaa AA Aa AA Aaaa"
      },
      "68301a50-f572-4c98-9494-73ac5ab50bfe": {
        "enabled": "1",
        "name": "a_aa_aaaa_aaa_aaa",
        "type": "urltable",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "au.pool.ntp.org",
        "categories": "",
        "description": "AA AAA Aaaa"
      }
    }
  }
}


It keeps giving me the error (first attachment):


"19a042c4-e10c-4a3b-bec2-ddecc101f177.nameThe name must start with a letter or single underscore, be less than 32 characters and only consist of alphanumeric characters or underscores.
Please note that none of the aliases provided are imported due to the errors above"

I suspect that it is checking the UUID against the name constraint and therefore failing (on length and first character), but when I create another test alias through the GUI then download it, this is what I see:

{
  "geoip": {
    "url": "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<KEY-OMITTED>&suffix=zip"
  },
  "aliases": {
    "alias": {
      "4d69e8f5-1ba5-43a6-afd7-91db31c86f12": {
        "enabled": "1",
        "name": "test_host",
        "type": "host",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "10.1.1.1",
        "categories": "",
        "description": "test_host description"
      }
    }
  }
}


However, other default aliases do NOT use UUIDs, e.g. "bogons", "virusprot", and "__wan_network", so there is at least some inconsistency here.

Question: when creating a JSON file for alias import, should we just use the name in place of the UUID, like this:

{
  "geoip": {
    "url": "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<KEY-OMITTED>&suffix=zip"
  },
  "aliases": {
    "alias": {
      "a_AA-aaaAA-AA_99_9_9_99": {
        "enabled": "1",
        "name": "a_AA-aaaAA-AA_99_9_9_99",
        "type": "host",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "10.7.9.56",
        "categories": "",
        "description": "Aaaaa AA Aa AA Aaaa"
      },
      "a_aa_aaaa_aaa_aaa": {
        "enabled": "1",
        "name": "a_aa_aaaa_aaa_aaa",
        "type": "urltable",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "au.pool.ntp.org",
        "categories": "",
        "description": "AA AAA Aaaa"
      }
    }
  }
}

?
(although I tested this and still got the same error, which makes no sense because no field in the JSON is breaking the rule it claims it is breaking... see second attachment)

...hmmm, so based on that, I am concluding there is most definitely a bug that needs fixing...
#15
General Discussion / Re: Alias creation using API
March 07, 2024, 06:24:52 AM
Quote from: neptunus on November 03, 2023, 06:47:06 PM
Quote from: trumee on October 28, 2023, 04:09:31 PM
Here is a python script which creates a json file for upload.

@trumee would you be willing to explain how to use your script?

Steps:

  • Install Python if you do not already have it
  • Install any of the required Python modules if you don't have them (json, uuid, csv) - see below *
  • Save the script as a *.py file
  • Download your current list of Aliases from your OPNsense device: Firewall>Aliases>'download' (button bottom right of the Alias list) - save the file as 'opnsense_aliases.json'
  • Create a CSV file called 'pfsense_alias.csv' with four columns called 'name', 'data', 'type' and 'description' in the first row, and which then contains your new Aliases, one per row (be sure the 'name' field meets the name constraints for Aliases)
  • Update the two 'with open...' script lines to include the full path to each of the above files
  • Run the script
  • Upload the resultant json output file back into your OPNsense device: Firewall>Aliases>'upload' (next to the 'download' button)

What does this script do?

  • It reads in the current list of aliases you downloaded from your device into a Python variable (dict)
  • It then reads in the CSV file containing your list of new (additional) aliases, also into a Python dict
  • It ADDS (appends) all the new aliases to the current list (no deletions, assuming you don't experience a uuid collision)
  • It then saves the new expanded list of aliases over the previously downloaded alias json file

Obviously, you need Python and the required modules to run the script.

*How to install Python modules after installing Python:

python -m pip install MODULE_NAME

You can create the CSV file in any Spreadsheet or text program (e.g. Notepad, Excel, LibreOffice Calc, Notepad++, etc.)

This only uses the API in the sense that whenever you are interacting with the OPNsense GUI, the API is being used under the hood. As a GUI user, you are just clicking buttons and typing text. You are not required to use tools such as curl or wget or Powershell Invoke-RestMethod in order to use this script.

HTH  8)
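As an added example (not skatopn's or trumee's script), here is a variant of the CSV-to-JSON merge from #10 and #15 that also checks every name against the constraint quoted in #12 and #14, so a hyphenated name like the one in the failing import is reported instead of making OPNsense reject the whole upload. The regex, and reading "less than 32 characters" as at most 31, are my interpretation of the quoted error message; the sample export and CSV rows are constructed.

```python
import csv
import io
import json
import re
import uuid

# Constraint quoted from the import error in this thread: start with a letter or a
# single underscore, fewer than 32 characters, only alphanumerics or underscores.
ALIAS_NAME_RE = re.compile(r"^(?:[A-Za-z]|_(?!_))[A-Za-z0-9_]{0,30}$")


def valid_alias_name(name):
    return ALIAS_NAME_RE.match(name) is not None


def build_alias(row):
    # Same field layout as the posted script; space-separated 'data' becomes one value per line.
    return {
        "enabled": "1", "name": row["name"], "type": row["type"],
        "proto": "", "interface": "", "counters": "0", "updatefreq": "",
        "content": "\n".join(row["data"].split()),
        "categories": "", "description": row["description"],
    }


def merge_csv_aliases(alias_json, csv_text):
    """Append CSV rows under aliases.alias keyed by a fresh UUID; return (doc, rejected names)."""
    doc = json.loads(alias_json)
    aliases = doc["aliases"]["alias"]
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not valid_alias_name(row["name"]):
            rejected.append(row["name"])   # skip instead of letting the whole import fail
            continue
        key = str(uuid.uuid4())
        while key in aliases:              # guard against a uuid collision
            key = str(uuid.uuid4())
        aliases[key] = build_alias(row)
    return doc, rejected


# Constructed sample input (not from the thread): empty export plus two CSV rows,
# one whose name contains hyphens (rejected) and one that passes.
SAMPLE_JSON = json.dumps({"aliases": {"alias": {}}})
SAMPLE_CSV = (
    "name,data,type,description\n"
    "a_AA-aaaAA-AA_99_9_9_99,10.7.9.56,host,hyphens are not allowed\n"
    "web_servers,10.1.1.10 10.1.1.11,host,two hosts\n"
)
```

Call merge_csv_aliases(SAMPLE_JSON, SAMPLE_CSV) to get the merged document and the list of rejected names; json.dump the first result to a file and upload it as in the steps above.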