"
It will be nice to have an option "Send config/QR Code by email" or download from User Portal in Business Edition like for OpenVPN.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#2
25.1, 25.4 Series / No connection on one of connected network for 120sec after rebooting master.
September 05, 2025, 09:17:11 AM
Hi Guys,
I've HA cluster of 2 OPNsense 25.4.3.
Master node is in location "A", and backup/slave node is in location "B".
On screen You can see connection diagram from location "A" (B is the same, but different ip addresses/net on WAN interface). 0.0.0.0/0 route is advertised to opn-ints by BGP, so its always "Established". opn-ints advertise information about 10.15.3.0/24 (net "behind" opn-ints) to leafs (our core routers). There is L2 connection between opn-int01 and opn-int02 on vlan 1515. LAN and pfSync is on different physical connection (lagg1) and its always working (sorry for typos on picture).
You cannot view this attachment.
The problem that I have, is with lagg0_vlan1515 (10.15.3.251/24-opn-int01-master, 10.15.3.252/24-opn-int02-slave), lagg0_vlan1516 nets, on witch I have couple o VIP's (CARP).
When master node is going down for maintenance (update reboot, shutdown, etc.), VIP's and ip that is on slave node interface on opt2 (lagg0_vlan1515) or opt3 (lagg0_vlan1516) interface stop responding to ping or anything else. Just after couple of seconds I can see in opn-int02 GUI Master status of VIP's (CARP) but still nothing working for 120 sec.
After that time everything magically start working (master node (opn-int01) still down or rebooting). When master node came up, everything comes back (VIP's to master node) without any packet loss or connectivity interruption.
Do you have any clue what this 120 second "timer" could be about?
I will be grateful for any tips.
Regards
Borys
I've HA cluster of 2 OPNsense 25.4.3.
Master node is in location "A", and backup/slave node is in location "B".
On screen You can see connection diagram from location "A" (B is the same, but different ip addresses/net on WAN interface). 0.0.0.0/0 route is advertised to opn-ints by BGP, so its always "Established". opn-ints advertise information about 10.15.3.0/24 (net "behind" opn-ints) to leafs (our core routers). There is L2 connection between opn-int01 and opn-int02 on vlan 1515. LAN and pfSync is on different physical connection (lagg1) and its always working (sorry for typos on picture).
You cannot view this attachment.
The problem that I have, is with lagg0_vlan1515 (10.15.3.251/24-opn-int01-master, 10.15.3.252/24-opn-int02-slave), lagg0_vlan1516 nets, on witch I have couple o VIP's (CARP).
When master node is going down for maintenance (update reboot, shutdown, etc.), VIP's and ip that is on slave node interface on opt2 (lagg0_vlan1515) or opt3 (lagg0_vlan1516) interface stop responding to ping or anything else. Just after couple of seconds I can see in opn-int02 GUI Master status of VIP's (CARP) but still nothing working for 120 sec.
After that time everything magically start working (master node (opn-int01) still down or rebooting). When master node came up, everything comes back (VIP's to master node) without any packet loss or connectivity interruption.
Do you have any clue what this 120 second "timer" could be about?
I will be grateful for any tips.
Regards
Borys
#3
25.1, 25.4 Series / WireGuard Peer Generator "limit" or bug?
June 15, 2025, 10:32:10 PM
Hi,
Is it normal that if I enter more than 68 network CIDRs into the Allowed IPs field in WireGuard Peer Generator, the QR code will not be displayed, but I can still store this Peer?
The problem is that if I switch back to Peers and back to Peer Generator, the configuration of the last generated Peer (with more than 68 CIDRs) will appear, but there should be "new one" (empty name, new private/public key).
Regards
Borys Ohnsorge
Is it normal that if I enter more than 68 network CIDRs into the Allowed IPs field in WireGuard Peer Generator, the QR code will not be displayed, but I can still store this Peer?
The problem is that if I switch back to Peers and back to Peer Generator, the configuration of the last generated Peer (with more than 68 CIDRs) will appear, but there should be "new one" (empty name, new private/public key).
Regards
Borys Ohnsorge
#4
25.1, 25.4 Series / Re: User Portal OpenVPN - Custom Config
June 10, 2025, 11:43:59 PMQuote from: muchacha_grande on June 10, 2025, 03:36:17 PMHi,Yes, but this is the "server" side and if I understand it correctly, you will also need them in the client configuration, to make sure that the packets coming from it are the right size and not fragmented by the server. Not having this setting on the client side can sometimes lead to problems with some applications.
I'm using those two parameters in my config.
They are visible near the end of the page when you click advanced view on the OpenVPN instance configuration.
#5
25.1, 25.4 Series / User Portal OpenVPN - Custom Config
June 09, 2025, 01:19:27 PM
Hi,
Could you please advise if there are any plans to add a Custom config field to the Admin Portal for OpenVPN configuration, similar to what is available under VPN -> OpenVPN -> Client Export?
I need to define the following there:
Maybe it is possible to add these variables to some file that is used as a template when generating the configuration during download?
Regards
Borys
Could you please advise if there are any plans to add a Custom config field to the Admin Portal for OpenVPN configuration, similar to what is available under VPN -> OpenVPN -> Client Export?
I need to define the following there:
- fragment
- mssfix
Maybe it is possible to add these variables to some file that is used as a template when generating the configuration during download?
Regards
Borys
#6
25.1, 25.4 Series / Re: Portal Admin feedback
April 28, 2025, 10:17:12 AM
It would also be useful to have a "Custom config" option for OpenVPN configuration, as it is in the "VPN: OpenVPN: Client Export" section
#7
25.1, 25.4 Series / Re: LDAP Sync with TOTP after Update
April 24, 2025, 01:59:13 AM
I had the same concerns about the lack of user import from LDAP until I came across this link in one of the threads (BE Only):
OPNsense User Portal
OPNsense User Portal
#8
24.7, 24.10 Series / Re: Issue with UnboundDNS not answering DNS requests for local hostnames
January 17, 2025, 03:33:48 PM
Maybe try this:
Go to Services -> UnboundDNS -> Advanced
Then in "Rebind protection networks" remove 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
And then hit Apply button
Sorry it wont work, I missed that it's about Registering static Mappings
Go to Services -> UnboundDNS -> Advanced
Then in "Rebind protection networks" remove 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
And then hit Apply button
Sorry it wont work, I missed that it's about Registering static Mappings
#9
24.7, 24.10 Series / Re: IPv6 Help Needed
January 17, 2025, 03:30:22 PM
I've made some changes:
On the WAN interface:
On the LAN interface:
In ISC DHCPv6 LAN Interface, I have:
In Router Advertisements for Lan:
IPv6 "world" directly from lab1/lab2 works fine (I can ping google ipv6 dns).
Now my Lan client host gets IPv6 from Lab1 DHCPv6
First question why it is /128??
IPv6 routes on client host:
When NAT is enabled (Source: LAN_net, Dest: !LAN_Net, NAT Address: 2001:db8:b000::10):
But when NAT rule is disabled:
I can ping lab1-lan ipv6 address:
I can ping lab1-wan ipv6 address:
When I try to ping Lab1 IPv6 WANs GW, I can see that packet is going out from Lab1 and is reaching that GW
tcpdump from that GW:
GW (2001:db8:b000::1) has route to this host:
That GW sends "who has":
tcpdump from that GW:
I can see it on lab1-wan interface:
And nothing else happens...
Do you have any idea what might be wrong?
How can I ensure that client computers in the LAN network receive a /64 instead of a /128?
Why doesn't lab1 (OPNsense) respond to "neighbor solicitation," even though it clearly knows this host is in its LAN network?
Any information, suggestions, or feedback is welcome—even if it's not entirely accurate, it might still help or point me in the right direction to solve the problem.
Regards
Borys
On the WAN interface:
- Assigned static IPv6 addresses: Code Select
2001:db8:b000::11/48 on wan-lab1
2001:db8:b000::12/48 on wan-lab2 - Configured the IPv6 gateway: Code Select
2001:db8:b000::1 - Configured a VIP (WAN Interface CARP): Code Select
2001:db8:b000::10/48
On the LAN interface:
- I assigned static IPv6 addresses:Code Select
2001:db8:b000:300::1/56 on lan-lab1
2001:db8:b000:300::2/56 on lan-lab2
In ISC DHCPv6 LAN Interface, I have:
- Enable: Code Select
True - Subnet: Code Select
2001:db8:b000:300:: - Subnet mask: Code Select
/56 - Available range: Code Select
2001:db8:b000:300:: - 2001:db8:b000:3ff:ffff:ffff:ffff:ffff - Range:
From:Code Select2001:db8:b000:300::3To:Code Select2001:db8:b000:3ff:ffff:ffff:ffff:ffff
In Router Advertisements for Lan:
- Router Advertisements: Code Select
Assisted (tried Unmanaged/Managed) - Router Priority: Code Select
High - Source Address: Code Select
Automatic - Advertise Default Gateway: Code Select
True - DNS optionsCode Select
Use the DNS configuration of the DHCPv6 server: True
IPv6 "world" directly from lab1/lab2 works fine (I can ping google ipv6 dns).
Now my Lan client host gets IPv6 from Lab1 DHCPv6
First question why it is /128??
Code Select
noc@noc-NUC8i3BEK:~$ ip a s
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether xx:xx:xx:xx:7c:f3 brd ff:ff:ff:ff:ff:ff
altname enp0s31f6
inet 10.255.5.30/24 brd 10.255.5.255 scope global dynamic noprefixroute eno1
valid_lft 200sec preferred_lft 200sec
inet6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb/128 scope global dynamic noprefixroute
valid_lft 198sec preferred_lft 85sec
inet6 fe80::92b2:3746:d197:5546/64 scope link noprefixroute
valid_lft forever preferred_lft forever
noc@noc-NUC8i3BEK:~$
IPv6 routes on client host:
Code Select
noc@noc-NUC8i3BEK:~$ ip -6 ro
2001:db8:b000:3d4:d156:9f78:d2a8:51bb dev eno1 proto kernel metric 100 pref medium
2001:db8:b000:300::/56 dev eno1 proto ra metric 100 pref medium
fe80::/64 dev eno1 proto kernel metric 1024 pref medium
default via fe80::3eec:efff:fedd:11b4 dev eno1 proto ra metric 20100 pref medium
noc@noc-NUC8i3BEK:~$
When NAT is enabled (Source: LAN_net, Dest: !LAN_Net, NAT Address: 2001:db8:b000::10):
Code Select
noc@noc-NUC8i3BEK:~$ ping 2001:db8:b000::1
PING 2001:db8:b000::1 (2001:db8:b000::1) 56 data bytes
64 bytes from 2001:db8:b000::1: icmp_seq=1 ttl=63 time=0.393 ms
^C
--- 2001:db8:b000::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.393/0.393/0.393/0.000 ms
noc@noc-NUC8i3BEK:~$ ping 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=116 time=1.39 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=116 time=1.43 ms
^C
--- 2001:4860:4860::8888 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.391/1.409/1.427/0.018 ms
noc@noc-NUC8i3BEK:~$
But when NAT rule is disabled:
I can ping lab1-lan ipv6 address:
Code Select
noc@noc-NUC8i3BEK:~$ ping6 2001:db8:b000:300::1
PING 2001:db8:b000:300::1 (2001:db8:b000:300::1) 56 data bytes
64 bytes from 2001:db8:b000:300::1: icmp_seq=1 ttl=64 time=0.240 ms
64 bytes from 2001:db8:b000:300::1: icmp_seq=2 ttl=64 time=0.384 ms
^C
--- 2001:db8:b000:300::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1035ms
rtt min/avg/max/mdev = 0.240/0.312/0.384/0.072 ms
I can ping lab1-wan ipv6 address:
Code Select
noc@noc-NUC8i3BEK:~$ ping6 2001:db8:b000::11
PING 2001:db8:b000::11 (2001:db8:b000::11) 56 data bytes
64 bytes from 2001:db8:b000::11: icmp_seq=1 ttl=64 time=0.314 ms
64 bytes from 2001:db8:b000::11: icmp_seq=2 ttl=64 time=0.385 ms
^C
--- 2001:db8:b000:300::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1034ms
rtt min/avg/max/mdev = 0.314/0.349/0.385/0.035 ms
When I try to ping Lab1 IPv6 WANs GW, I can see that packet is going out from Lab1 and is reaching that GW
Code Select
noc@noc-NUC8i3BEK:~$ ping6 2001:db8:b000::1
PING 2001:db8:b000::1 (2001:db8:b000::1) 56 data bytes
^C
--- 2001:db8:b000::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2037ms
Code Select
root@lab1:~ # tcpdump -ni lagg0_vlan52 host 2001:db8:b000::1 and not host 2001:db8:b000::11
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lagg0_vlan52, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:16:35.053213 IP6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb > 2001:db8:b000::1: ICMP6, echo request, id 5298, seq 1, length 64
12:16:36.066610 IP6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb > 2001:db8:b000::1: ICMP6, echo request, id 5298, seq 2, length 64
12:16:37.090509 IP6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb > 2001:db8:b000::1: ICMP6, echo request, id 5298, seq 3, length 64
tcpdump from that GW:
Code Select
f1b-core01#tcpdump interface vlan 52 verbose filter host 2001:db8:b000::1 and not host 2001:db8:b000::11
tcpdump: listening on vlan52, link-type EN10MB (Ethernet), capture size 262144 bytes
14:54:27.170987 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
0x0000: 001c 7388 3b66
14:54:28.183078 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
0x0000: 001c 7388 3b66
GW (2001:db8:b000::1) has route to this host:
Code Select
f1b-core01#show ipv6 route 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
VRF: default
Routing entry for 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP, A B - BGP Aggregate, I L1 - IS-IS level 1, I L2 - IS-IS level 2, DH - DHCP, NG - Nexthop Group Static Route, M - Martian, DP - Dynamic Policy Route, L - VRF Leaked
C 2001:db8:b000::/48 [0/1]
via Vlan52, directly connected
That GW sends "who has":
tcpdump from that GW:
Code Select
f1b-core01#tcpdump interface vlan 52 verbose filter host 2001:db8:b000::1 and not host 2001:db8:b000::11
tcpdump: listening on vlan52, link-type EN10MB (Ethernet), capture size 262144 bytes
14:54:27.170987 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
0x0000: 001c 7388 3b66
14:54:28.183078 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
0x0000: 001c 7388 3b66
I can see it on lab1-wan interface:
Code Select
root@lab1:~ # tcpdump -ni lagg0_vlan52 host 2001:db8:b000::1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lagg0_vlan52, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:22:32.860398 IP6 2001:db8:b000::1 > ff02::1:ffa8:51bb: ICMP6, neighbor solicitation, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb, length 32
14:22:33.890708 IP6 2001:db8:b000::1 > ff02::1:ffa8:51bb: ICMP6, neighbor solicitation, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb, length 32
14:22:34.914744 IP6 2001:db8:b000::1 > ff02::1:ffa8:51bb: ICMP6, neighbor solicitation, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb, length 32
And nothing else happens...
Do you have any idea what might be wrong?
How can I ensure that client computers in the LAN network receive a /64 instead of a /128?
Why doesn't lab1 (OPNsense) respond to "neighbor solicitation," even though it clearly knows this host is in its LAN network?
Any information, suggestions, or feedback is welcome—even if it's not entirely accurate, it might still help or point me in the right direction to solve the problem.
Regards
Borys
#10
24.7, 24.10 Series / Re: OPNsense randomly freezes under hyper-v
January 14, 2025, 12:54:11 AM
One of my OPNsense VM on OpenStack was freezing as well - kernel panic. Check the logs to see if it's not happening to you.
Paste output from
Paste output from
Code Select
uname -a. Reinstalling the kernel and syslog-ng helped me.
#11
24.7, 24.10 Series / IPv6 Help Needed
January 13, 2025, 05:14:43 PM
Hi,
I have my own IPv6 prefix from IANA, let's say 2001:db8::/32.
I've delegated the prefix 2001:db8:b000::/40 for my lab.
So far, through trial and error, I've managed to create a working IPv6 "like IPv4" network configuration, but I'm aware that's not the way it should be done.
Here's what I did to achieve a theoretically working IPv6 configuration:
2 machines lab1 and lab2 (HA).
On the WAN interface:
On the LAN interface:
In ISC DHCPv6 LAN Interface, I have:
In Router Advertisements for Lan:
Firewall NAT Outbound Rule:
The above configuration allows a client connected to the LAN network to request for IPv6 address (IPv4 as well, but I'm skipping that part). Client gets two specific IPv6 addresses from DHCPv6: one of the "global temporary dynamic" type and the other of the "global dynamic mngtmpaddr" type.
This client has internet access over IPv6, but its traffic is NAT-ed to the WAN VIP CARP IP, which is not how it should work in the IPv6 world (at least that's what I think).
How should I properly configure the WAN/LAN interfaces and DHCPv6 so that LAN client hosts derive the higher 64 bits from the OPN DHCPv6 and generate the lower 64 bits themselves (because, as far as I know, this is how it should work "properly")?
I need your support to correctly configure WAN IPv6 (static), LAN IPv6 (static?), and DHCPv6 for the LAN network. Unfortunately, I lack experience in this area, and the documentation seems rather sparse, especially regarding owning an IPv6 prefix and configuring interfaces statically.
Any suggestion on this topic is welcome.
Regards
Borys
I have my own IPv6 prefix from IANA, let's say 2001:db8::/32.
I've delegated the prefix 2001:db8:b000::/40 for my lab.
So far, through trial and error, I've managed to create a working IPv6 "like IPv4" network configuration, but I'm aware that's not the way it should be done.
Here's what I did to achieve a theoretically working IPv6 configuration:
2 machines lab1 and lab2 (HA).
On the WAN interface:
- Assigned static IPv6 addresses: Code Select
2001:db8:b000::11/64 on wan-lab1
2001:db8:b000::12/64 on wan-lab2 - Configured the IPv6 gateway: Code Select
2001:db8:b000::1 - Configured a VIP (WAN Interface CARP): Code Select
2001:db8:b000::10/64
On the LAN interface:
- I assigned static IPv6 addresses:Code Select
2001:db8:b003::2/64 on lan-lab1
2001:db8:b003::3/64 on lan-lab2 - Configured a VIP (LAN Interface CARP): Code Select
2001:db8:b003::1/64
In ISC DHCPv6 LAN Interface, I have:
- Enable: Code Select
True - Subnet: Code Select
2001:db8:b003:: - Subnet mask: Code Select
/64 - Available range: Code Select
2001:db8:b003:: - 2001:db8:b003:0:ffff:ffff:ffff:ffff - Range:
From:Code Select2001:db8:b003::To:Code Select2001:db8:b003:0:ffff:ffff:ffff:ffff
In Router Advertisements for Lan:
- Router Advertisements: Code Select
Unmanaged - Router Priority: Code Select
High - Source Address: Code Select
Automatic - Advertise Default Gateway: Code Select
True
Firewall NAT Outbound Rule:
Code Select
Interface: WAN
Source: LAN_net
Destination: !LAN_net
NAT Address: 2001:db8:b000::10
The above configuration allows a client connected to the LAN network to request for IPv6 address (IPv4 as well, but I'm skipping that part). Client gets two specific IPv6 addresses from DHCPv6: one of the "global temporary dynamic" type and the other of the "global dynamic mngtmpaddr" type.
This client has internet access over IPv6, but its traffic is NAT-ed to the WAN VIP CARP IP, which is not how it should work in the IPv6 world (at least that's what I think).
How should I properly configure the WAN/LAN interfaces and DHCPv6 so that LAN client hosts derive the higher 64 bits from the OPN DHCPv6 and generate the lower 64 bits themselves (because, as far as I know, this is how it should work "properly")?
I need your support to correctly configure WAN IPv6 (static), LAN IPv6 (static?), and DHCPv6 for the LAN network. Unfortunately, I lack experience in this area, and the documentation seems rather sparse, especially regarding owning an IPv6 prefix and configuring interfaces statically.
Any suggestion on this topic is welcome.
Regards
Borys
#12
24.7, 24.10 Series / Re: ISP hacked OPNSense Router
January 13, 2025, 10:09:02 AM
@peterwkc You should have something similar to this:
Copy it with to lines before "Fatal trap 12:..." and paste it here as a "code".
Code Select
<45>1 2025-01-10T02:33:17+01:00 opnsense2 syslog-ng 28239 - [meta sequenceId="1"] syslog-ng starting up; version='4.8.1'
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="2"] Fatal trap 12: page fault while in kernel mode
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="3"] cpuid = 3; apic id = 03
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="4"] fault virtual address = 0x0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="5"] fault code = supervisor write data, page not present
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="6"] instruction pointer = 0x20:0xffffffff80f3c00f
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="7"] stack pointer = 0x28:0xfffffe000edf1d10
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="8"] frame pointer = 0x28:0xfffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="9"] code segment = base 0x0, limit 0xfffff, type 0x1b
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="10"] = DPL 0, pres 1, long 1, def32 0, gran 1
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="11"] processor eflags = interrupt enabled, resume, IOPL = 0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="12"] current process = 0 (thread taskq)
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="13"] rdi: fffffe008ea60400 rsi: 0000000000000000 rdx: 000000000000002e
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="14"] rcx: 0000000000000000 r8: 0000000000000000 r9: fffff80005c2f480
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="15"] rax: 0000000000000000 rbx: 0000000000000000 rbp: fffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="16"] r10: fffff80005c2f480 r11: 00000000802e6e20 r12: fffff801c6694fe0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="17"] r13: fffffe008ea60400 r14: fffff801c6694318 r15: fffff80005c2f540
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="18"] trap number = 12
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="19"] panic: page fault
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="20"] cpuid = 3
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="21"] time = 1736472729
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="22"] KDB: stack backtrace:
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="23"] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe000edf1a00
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="24"] vpanic() at vpanic+0x131/frame 0xfffffe000edf1b30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="25"] panic() at panic+0x43/frame 0xfffffe000edf1b90
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="26"] trap_fatal() at trap_fatal+0x40b/frame 0xfffffe000edf1bf0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="27"] trap_pfault() at trap_pfault+0x46/frame 0xfffffe000edf1c40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="28"] calltrap() at calltrap+0x8/frame 0xfffffe000edf1c40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="29"] --- trap 0xc, rip = 0xffffffff80f3c00f, rsp = 0xfffffe000edf1d10, rbp = 0xfffffe000edf1d50 ---
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="30"] zone_release() at zone_release+0x1df/frame 0xfffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="31"] bucket_drain() at bucket_drain+0xb9/frame 0xfffffe000edf1d80
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="32"] bucket_cache_reclaim_domain() at bucket_cache_reclaim_domain+0x2ff/frame 0xfffffe000edf1de0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="33"] zone_timeout() at zone_timeout+0x2eb/frame 0xfffffe000edf1e20
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="34"] uma_timeout() at uma_timeout+0x58/frame 0xfffffe000edf1e40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="35"] taskqueue_run_locked() at taskqueue_run_locked+0x182/frame 0xfffffe000edf1ec0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="36"] taskqueue_thread_loop() at taskqueue_thread_loop+0xc2/frame 0xfffffe000edf1ef0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="37"] fork_exit() at fork_exit+0x7f/frame 0xfffffe000edf1f30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="38"] fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000edf1f30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="39"] --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="40"] KDB: enter: panic
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="41"] ---<<BOOT>>---
Copy it with to lines before "Fatal trap 12:..." and paste it here as a "code".
#13
24.7, 24.10 Series / Re: [SOLVED] Kernel Panic - box restarts every few hours
January 13, 2025, 10:01:44 AMQuote from: borys.ohnsorge on January 10, 2025, 07:16:53 PMNow I'm waiting and seeing if the kernel panic happens again.So far so good, no crash since Friday afternoon.
#14
24.7, 24.10 Series / Re: ISP hacked OPNSense Router
January 10, 2025, 07:44:41 PM
Check if your reboots are not related to kernel panic's, there have been several threads on this topic recently.
#15
24.7, 24.10 Series / Re: [SOLVED] Kernel Panic - box restarts every few hours
January 10, 2025, 07:16:53 PMQuote from: mem7192 on January 10, 2025, 06:00:32 PM@Borys - your log looks the same as mine did. Do what I did a couple posts up and I would imagine you will be good to go. Check the kernel version now that you've updated and thenCode Selectpkg install -f syslog-ng
I've already done that. Now I'm waiting and seeing if the kernel panic happens again.
