Messages - NonGough

#1
A workaround for unwanted DNSBL blocks is to use a VPN (I use the free version of ProtonVPN).

Remember to disable the VPN ASAP after you access an Unbound DNS DNSBL blocked web site as the VPN completely bypasses the DNS protections afforded by OPNsense.
#2
1) Whitelist problem. Using "cloreautomotive.com" as an example. This domain appears in several DNSBL. Using the Whitelist entries of "cloreautomotive.com" and "www.cloreautomotive.com" (and "*.cloreautomotive.com") does not enable any Whitelist action to override the DNSBL blocking domain entries. Does Unbound DNS examine the Whitelist first or is the Whitelist ignored as the blocklist overrides are looked at after the DNSBL domains have been checked (which effectively ignores the Whitelist entries)?

2) Suggestion: Quad9 has a web page where you may check for blocked domains (use https://quad9.com/result/?url=cloreautomotive.com with Services: Unbound DNS: General "Enable Unbound" unchecked). A similar query for Unbound DNS which lists the DNSBLs involved if Unbound DNS is blocking a domain would be very helpful for investigating unwanted blocks and creating a Whitelist entry.

#3
Skipping any update in any released sequence of updates has proven to be problematic for devices running software as "firmware" such as OPNsense. A question for the OPNsense maintainers is whether OPNsense should prevent skipping of even minor update releases to ensure that all updates require and may assume that all the prior updates have been executed in chronological sequence.

This could be done by OPNsense's update logic when an updater attempts to skip over an update (often to jump directly to a major release such as 24.7). 
#4
Testing with both of my Linux/FF ESR and Windows 10/Pale Moon laptops indicates that the OPNsense javascript does not recover when the Screen Saver becomes active either automatically (elapsed time) or manually (lock). This indicates that the OPNsense's javascript keyboard handler or the javascript interface with the OPNsense appliance server for these situations is problematic (i.e., non-functional). OPNsense may think that the laptops running the OPNsense GUI interface have timed out when they have not.
#5
1)  A Linux laptop (Debian 12.5, FF ESR browser) fails (often within seconds) after startup of the dashboard widgets (dashboard stops working).  A Windows 10 laptop pressed into duty (old Windows 1709 version, but running the latest Pale Moon and Iridium browsers) runs the dashboard & widgets fine.  The various monitoring OPNsense displays (Live logfile, etc.) sometimes work and sometimes do not even start on the Linux laptop, but always do run on the Windows laptop.
2)  The Linux laptop loses execution focus when the OPNsense provided javascript is interrupted by engaging the screen saver (either by elapsed time or by a manual lock) and then unlocking the screen saver.  The OPNsense javascript never recovers from the screen saver lock on the Linux laptop, but always recovers on the Windows laptop.
3)  Eventually, OPNsense runs out of memory (even when simply running pftop on the OPNsense console of the firewall appliance) after complaining that the swapspace requests have failed - the 10 GB swap space is allocated - and a panic reboot is done.
4) Processing of the Hagezi block lists completed in under an hour in background (pre 24.7). Does not complete at all starting with 24.7.2 (appears to be related to memory not being freed by OPNsense). OPNsense is generating every 2-3 minutes a backup configuration file while processing block lists (not just Hagezi). Disabling Hagezi block list processing has eliminated the generation of hundreds of spurious backup configuration files (which used up 30% of a 500 GB SSD). 24.7.2 is also generating multiple requests to 127.0.0.1:53 (which never occurred pre-24.7.x) when processing block lists - perhaps a Suricata <--> OPNsense conflict regarding memory usage and releases.
5)  Memory non-release problems may be related to the Python3 updates . . . . .
In addition, per top running in the OPNsense console shell, Suricata has 297M (increasing about 3M every hour) of resident RAM and 3330M of total memory when no block lists are being actively processed. The Suricata swap footprint goes up when processing blocklists such that eventually even pftop is denied swap space (both 8GB and 10GB max swap sizes have been tried).

#6
grep memory /var/run/dmesg.boot displays:
agp0: aperture size is 256M, detected 8188k stolen memory
pid 69794 (pftop), jid 0, uid 0, was killed: failed to reclaim memory

These messages started appearing with an upgrade to 24.7 and first noticed with an upgrade to 24.7.2 (even with the cessation of Hagezi blocklist processing).  Note that Hagezi blocklist processing (as a background task) pre-24.7 took less than an hour to always complete.
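The two dmesg lines quoted above are worth picking out of the noise automatically, because "grep memory" also matches unrelated boot messages (the agp0 line). The following is an added example, not code from NonGough or from OPNsense: it parses FreeBSD "was killed" messages of the exact shape shown in the post and counts them per process, so a recurring kill of pftop or Suricata stands out. The swap_pager_getswapspace line in the sample is a constructed, hypothetical line included only to show a second event type; the exact wording of that message is an assumption and may differ between FreeBSD releases.

```python
import re

# Constructed sample of dmesg output. The agp0 and pftop lines are the ones quoted
# in the post; the swap_pager and suricata lines are constructed here for illustration
# (assumption: the swap_pager wording is approximate, not copied from a real system).
SAMPLE_DMESG = """\
agp0: aperture size is 256M, detected 8188k stolen memory
swap_pager_getswapspace(4): failed
pid 69794 (pftop), jid 0, uid 0, was killed: failed to reclaim memory
pid 12345 (suricata), jid 0, uid 0, was killed: out of swap space
"""

# FreeBSD kernel message emitted when a process is killed under memory pressure.
KILL_RE = re.compile(
    r"^pid (?P<pid>\d+) \((?P<name>[^)]+)\), jid (?P<jid>\d+), uid (?P<uid>\d+), "
    r"was killed: (?P<reason>.+)$"
)
# Swap allocation failure (constructed pattern, see assumption above).
SWAPFAIL_RE = re.compile(r"^swap_pager_getswapspace\(\d+\): failed$")


def parse_memory_events(text):
    """Return a list of dicts describing memory-pressure events found in dmesg text.

    Lines that merely contain the word "memory" (like the agp0 line) are ignored;
    only kill messages and swap allocation failures count as events.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = KILL_RE.match(line)
        if m:
            events.append({
                "kind": "oom_kill",
                "pid": int(m.group("pid")),
                "name": m.group("name"),
                "jid": int(m.group("jid")),
                "uid": int(m.group("uid")),
                "reason": m.group("reason"),
            })
        elif SWAPFAIL_RE.match(line):
            events.append({"kind": "swap_alloc_failed", "raw": line})
    return events


def kills_by_process(events):
    """Count oom_kill events per process name."""
    counts = {}
    for ev in events:
        if ev["kind"] == "oom_kill":
            counts[ev["name"]] = counts.get(ev["name"], 0) + 1
    return counts


def summarize(text):
    """Summarize memory-pressure events: totals plus a per-process kill count."""
    events = parse_memory_events(text)
    return {
        "oom_kills": sum(1 for e in events if e["kind"] == "oom_kill"),
        "swap_failures": sum(1 for e in events if e["kind"] == "swap_alloc_failed"),
        "killed": kills_by_process(events),
    }


if __name__ == "__main__":
    import sys
    # Pass a path such as /var/run/dmesg.boot to scan a real file; otherwise the
    # constructed sample is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DMESG
    for event in parse_memory_events(source):
        print(event)
    print(summarize(source))
```

Run it against /var/run/dmesg.boot on the appliance (or a copy of it) to get a count of kills per process; more than one kill of the same daemon across reboots is the signal that memory pressure, not a one-off, is behind the panics described in the posts.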
#7
With 24.7.2, there apparently is a memory leak.  Eventually, OPNsense reboots itself automatically.  The VGA console display presents a Login prompt (and a corresponding login needs to be done for the GUI OPNsense management interface).

I noticed that in System: Settings: Miscellaneous, the Swap File setting to "add a 2GB swap file to the system" was unchecked. It is unclear whether a 24.7.x update disabled my swap file settings; I remember having an 8GB swap file for my OPNsense appliance.

When the swap file fills up (or is not established by a setting), it would be nice to have a more elegant way to add more swap space dynamically as well as a FYI message as part of the login messages displaying why an automatic restart was done by OPNsense (such as the swap file filling up).

It is possible that when the blocklists are being processed that invariably the swap file space will fill up (my configuration is 4GB RAM, 8GB swap space). It seems that blocklist processing under 24.7.2 (Hagezi specifically) has never successfully completed since I applied the 24.7.2 changes. OPNsense is also creating multiple history backups (every 2-3 minutes!) while processing the blocklists - so I have lost my original configuration backups (my generous backup count of 2048 means that OPNsense has trashed all of my pre-24.7 history backups and has used up 30% of my disk space for useless history backups). While processing blocklists, there is no need for interim history backups!!!

It would be very helpful to add a 14th option to the console selection menu:
14)  Display status of settings for RAM, Swap Space, Disk Space

I am disabling my usage of Hagezi block lists until the 24.7.x problems are sorted out.
#8
The upgrade from 24.7.1 to 24.7.2:
* A Linux Debian 12.5 laptop (dedicated to being a firewall management device) with Firefox ESR is unable to run:
  - /ui/diagnostics/firewall/log#Lobby
  - /?url=ui/core/dashboard
  An error message is eventually displayed:  The Connection has timed out
  Linux is no longer usable as a firewall management device for OPNsense.
* My OPNsense firewall appliance has a USB port for keyboard and a VGA port for a monitor.
* The swap file in OPNsense (console displayed error message onto the VGA display running pfTop) shows that the FreeBSD swap file for OPNsense kept expanding in one execution until the swap space filled up.
* A Windows 10 laptop executing the Pale Moon browser is able to run as expected the  Lobby  and  Firewall:Log Files:Live View  displays.  Missing is a display of the swap file size.  The graphics now work smoothly in 24.7.2. 

The pre-24.7 lobby displayed memory status (disk,ram,swap) in text - please return this display capability as an option.
#9
The Windows 10/Iridium's OPNsense dashboard is still working fine after two hours have passed -- even after a forced screen saver (i.e., a Lock). This is on an old Windows 10 laptop (16 GB RAM) that is missing more than a few OS updates; the Iridium browser is the latest version. Other activity in addition to the Iridium browser is not affecting the dashboard's widget displays (when focus returns to Iridium's dashboard page, the widgets restart correctly and as expected).

The Linux/Firefox ESR laptop's OPNsense dashboard stops working sometimes only after a few seconds even though there is no other keyboard/mouse activity after an OS restart and only the Firefox ESR is started up. Whether or not public Internet access is enabled does not appear to affect the OPNsense dashboard widgets' behavior.
#10
My LANNER PFW600 (at OPNsense 24.7_9) starts the Lobby: Dashboard OK, but eventually stops working on my Linux laptop dedicated to being an OPNsense management laptop connected to a local network access only port on the LANNER (Browser is the current Linux Firefox ESR variant running on a System 76 EduBook Starling 2; EduBook's OS is Debian 12.5 with updates). A 2nd browser just activated for 24.7 dashboard testing is an Iridium (Chrome fork) running on a Windows 10 system on a Toshiba Portege laptop.

The Linux machine, even when the only program that is active is the browser running the OPNsense dashboard and a Firewall: Log Files: Live View, eventually ends up with the OPNsense dashboard no longer working when the dashboard no longer has focus, and always if the screen saver kicks in. The Firefox ESR complains about the drag on browser performance due to the dashboard javascript. The CPU widget appears to stop working first, then every other widget quickly comes to a halt.

There may be a problem with the widgets re-initializing after being suspended by the OS due to not having focus (swapping and laptop/browser memory constraints are not a factor).     The dashboard responsiveness slowly degrades even if focus is kept on the dashboard web page -- there may be a problem with flags not being cleared, memory leakage, memory not being freed.

Testing of the Windows 10/dashboard is ongoing, will update this post with a reply if insights occur . . . . . (the Windows 10/Iridium machine's dashboard display is still working after 30 minutes . . . . .).

Having an option to run the old dashboard on my Linux laptop would be a workaround.