"Quote from: muchacha_grande on June 10, 2025, 03:36:17 PMHi,Yes, but this is the "server" side and if I understand it correctly, you will also need them in the client configuration, to make sure that the packets coming from it are the right size and not fragmented by the server. Not having this setting on the client side can sometimes lead to problems with some applications.
I'm using those two parameters in my config.
They are visible near the end of the page when you click advanced view on the OpenVPN instance configuration.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
25.1, 25.4 Production Series / Re: User Portal OpenVPN - Custom Config
June 10, 2025, 11:43:59 PM #2
25.1, 25.4 Production Series / User Portal OpenVPN - Custom Config
June 09, 2025, 01:19:27 PM
Hi,
Could you please advise if there are any plans to add a Custom config field to the Admin Portal for OpenVPN configuration, similar to what is available under VPN -> OpenVPN -> Client Export?
I need to define the following there:
Maybe it is possible to add these variables to some file that is used as a template when generating the configuration during download?
Regards
Borys
Could you please advise if there are any plans to add a Custom config field to the Admin Portal for OpenVPN configuration, similar to what is available under VPN -> OpenVPN -> Client Export?
I need to define the following there:
- fragment
- mssfix
Maybe it is possible to add these variables to some file that is used as a template when generating the configuration during download?
Regards
Borys
#3
25.1, 25.4 Production Series / Re: Portal Admin feedback
April 28, 2025, 10:17:12 AM
It would also be useful to have a "Custom config" option for OpenVPN configuration, as it is in the "VPN: OpenVPN: Client Export" section
#4
25.1, 25.4 Production Series / Re: LDAP Sync with TOTP after Update
April 24, 2025, 01:59:13 AM
I had the same concerns about the lack of user import from LDAP until I came across this link in one of the threads (BE Only):
OPNsense User Portal
OPNsense User Portal
#5
24.7, 24.10 Legacy Series / Re: Issue with UnboundDNS not answering DNS requests for local hostnames
January 17, 2025, 03:33:48 PM
Maybe try this:
Go to Services -> UnboundDNS -> Advanced
Then in "Rebind protection networks" remove 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
And then hit Apply button
Sorry it wont work, I missed that it's about Registering static Mappings
Go to Services -> UnboundDNS -> Advanced
Then in "Rebind protection networks" remove 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
And then hit Apply button
Sorry it wont work, I missed that it's about Registering static Mappings
#6
24.7, 24.10 Legacy Series / Re: IPv6 Help Needed
January 17, 2025, 03:30:22 PM
I've made some changes:
On the WAN interface:
On the LAN interface:
In ISC DHCPv6 LAN Interface, I have:
In Router Advertisements for Lan:
IPv6 "world" directly from lab1/lab2 works fine (I can ping google ipv6 dns).
Now my Lan client host gets IPv6 from Lab1 DHCPv6
First question why it is /128??
IPv6 routes on client host:
When NAT is enabled (Source: LAN_net, Dest: !LAN_Net, NAT Address: 2001:db8:b000::10):
But when NAT rule is disabled:
I can ping lab1-lan ipv6 address:
I can ping lab1-wan ipv6 address:
When I try to ping Lab1 IPv6 WANs GW, I can see that packet is going out from Lab1 and is reaching that GW
tcpdump from that GW:
GW (2001:db8:b000::1) has route to this host:
That GW sends "who has":
tcpdump from that GW:
I can see it on lab1-wan interface:
And nothing else happens...
Do you have any idea what might be wrong?
How can I ensure that client computers in the LAN network receive a /64 instead of a /128?
Why doesn't lab1 (OPNsense) respond to "neighbor solicitation," even though it clearly knows this host is in its LAN network?
Any information, suggestions, or feedback is welcome—even if it's not entirely accurate, it might still help or point me in the right direction to solve the problem.
Regards
Borys
On the WAN interface:
- Assigned static IPv6 addresses: Code Select
2001:db8:b000::11/48 on wan-lab1
2001:db8:b000::12/48 on wan-lab2 - Configured the IPv6 gateway: Code Select
2001:db8:b000::1 - Configured a VIP (WAN Interface CARP): Code Select
2001:db8:b000::10/48
On the LAN interface:
- I assigned static IPv6 addresses:Code Select
2001:db8:b000:300::1/56 on lan-lab1
2001:db8:b000:300::2/56 on lan-lab2
In ISC DHCPv6 LAN Interface, I have:
- Enable: Code Select
True - Subnet: Code Select
2001:db8:b000:300:: - Subnet mask: Code Select
/56 - Available range: Code Select
2001:db8:b000:300:: - 2001:db8:b000:3ff:ffff:ffff:ffff:ffff - Range:
From:Code Select2001:db8:b000:300::3To:Code Select2001:db8:b000:3ff:ffff:ffff:ffff:ffff
In Router Advertisements for Lan:
- Router Advertisements: Code Select
Assisted (tried Unmanaged/Managed) - Router Priority: Code Select
High - Source Address: Code Select
Automatic - Advertise Default Gateway: Code Select
True - DNS optionsCode Select
Use the DNS configuration of the DHCPv6 server: True
IPv6 "world" directly from lab1/lab2 works fine (I can ping google ipv6 dns).
Now my Lan client host gets IPv6 from Lab1 DHCPv6
First question why it is /128??
Code Select
noc@noc-NUC8i3BEK:~$ ip a s
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether xx:xx:xx:xx:7c:f3 brd ff:ff:ff:ff:ff:ff
altname enp0s31f6
inet 10.255.5.30/24 brd 10.255.5.255 scope global dynamic noprefixroute eno1
valid_lft 200sec preferred_lft 200sec
inet6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb/128 scope global dynamic noprefixroute
valid_lft 198sec preferred_lft 85sec
inet6 fe80::92b2:3746:d197:5546/64 scope link noprefixroute
valid_lft forever preferred_lft forever
noc@noc-NUC8i3BEK:~$
IPv6 routes on client host:
Code Select
noc@noc-NUC8i3BEK:~$ ip -6 ro
2001:db8:b000:3d4:d156:9f78:d2a8:51bb dev eno1 proto kernel metric 100 pref medium
2001:db8:b000:300::/56 dev eno1 proto ra metric 100 pref medium
fe80::/64 dev eno1 proto kernel metric 1024 pref medium
default via fe80::3eec:efff:fedd:11b4 dev eno1 proto ra metric 20100 pref medium
noc@noc-NUC8i3BEK:~$
When NAT is enabled (Source: LAN_net, Dest: !LAN_Net, NAT Address: 2001:db8:b000::10):
Code Select
noc@noc-NUC8i3BEK:~$ ping 2001:db8:b000::1
PING 2001:db8:b000::1 (2001:db8:b000::1) 56 data bytes
64 bytes from 2001:db8:b000::1: icmp_seq=1 ttl=63 time=0.393 ms
^C
--- 2001:db8:b000::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.393/0.393/0.393/0.000 ms
noc@noc-NUC8i3BEK:~$ ping 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=116 time=1.39 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=116 time=1.43 ms
^C
--- 2001:4860:4860::8888 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.391/1.409/1.427/0.018 ms
noc@noc-NUC8i3BEK:~$
But when NAT rule is disabled:
I can ping lab1-lan ipv6 address:
Code Select
noc@noc-NUC8i3BEK:~$ ping6 2001:db8:b000:300::1
PING 2001:db8:b000:300::1 (2001:db8:b000:300::1) 56 data bytes
64 bytes from 2001:db8:b000:300::1: icmp_seq=1 ttl=64 time=0.240 ms
64 bytes from 2001:db8:b000:300::1: icmp_seq=2 ttl=64 time=0.384 ms
^C
--- 2001:db8:b000:300::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1035ms
rtt min/avg/max/mdev = 0.240/0.312/0.384/0.072 ms
I can ping lab1-wan ipv6 address:
Code Select
noc@noc-NUC8i3BEK:~$ ping6 2001:db8:b000::11
PING 2001:db8:b000::11 (2001:db8:b000::11) 56 data bytes
64 bytes from 2001:db8:b000::11: icmp_seq=1 ttl=64 time=0.314 ms
64 bytes from 2001:db8:b000::11: icmp_seq=2 ttl=64 time=0.385 ms
^C
--- 2001:db8:b000:300::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1034ms
rtt min/avg/max/mdev = 0.314/0.349/0.385/0.035 ms
When I try to ping Lab1 IPv6 WANs GW, I can see that packet is going out from Lab1 and is reaching that GW
Code Select
noc@noc-NUC8i3BEK:~$ ping6 2001:db8:b000::1
PING 2001:db8:b000::1 (2001:db8:b000::1) 56 data bytes
^C
--- 2001:db8:b000::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2037ms
Code Select
root@lab1:~ # tcpdump -ni lagg0_vlan52 host 2001:db8:b000::1 and not host 2001:db8:b000::11
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lagg0_vlan52, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:16:35.053213 IP6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb > 2001:db8:b000::1: ICMP6, echo request, id 5298, seq 1, length 64
12:16:36.066610 IP6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb > 2001:db8:b000::1: ICMP6, echo request, id 5298, seq 2, length 64
12:16:37.090509 IP6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb > 2001:db8:b000::1: ICMP6, echo request, id 5298, seq 3, length 64
tcpdump from that GW:
Code Select
f1b-core01#tcpdump interface vlan 52 verbose filter host 2001:db8:b000::1 and not host 2001:db8:b000::11
tcpdump: listening on vlan52, link-type EN10MB (Ethernet), capture size 262144 bytes
14:54:27.170987 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
0x0000: 001c 7388 3b66
14:54:28.183078 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
0x0000: 001c 7388 3b66
GW (2001:db8:b000::1) has route to this host:
Code Select
f1b-core01#show ipv6 route 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
VRF: default
Routing entry for 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP, A B - BGP Aggregate, I L1 - IS-IS level 1, I L2 - IS-IS level 2, DH - DHCP, NG - Nexthop Group Static Route, M - Martian, DP - Dynamic Policy Route, L - VRF Leaked
C 2001:db8:b000::/48 [0/1]
via Vlan52, directly connected
That GW sends "who has":
tcpdump from that GW:
Code Select
f1b-core01#tcpdump interface vlan 52 verbose filter host 2001:db8:b000::1 and not host 2001:db8:b000::11
tcpdump: listening on vlan52, link-type EN10MB (Ethernet), capture size 262144 bytes
14:54:27.170987 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
0x0000: 001c 7388 3b66
14:54:28.183078 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
0x0000: 001c 7388 3b66
I can see it on lab1-wan interface:
Code Select
root@lab1:~ # tcpdump -ni lagg0_vlan52 host 2001:db8:b000::1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lagg0_vlan52, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:22:32.860398 IP6 2001:db8:b000::1 > ff02::1:ffa8:51bb: ICMP6, neighbor solicitation, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb, length 32
14:22:33.890708 IP6 2001:db8:b000::1 > ff02::1:ffa8:51bb: ICMP6, neighbor solicitation, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb, length 32
14:22:34.914744 IP6 2001:db8:b000::1 > ff02::1:ffa8:51bb: ICMP6, neighbor solicitation, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb, length 32
And nothing else happens...
Do you have any idea what might be wrong?
How can I ensure that client computers in the LAN network receive a /64 instead of a /128?
Why doesn't lab1 (OPNsense) respond to "neighbor solicitation," even though it clearly knows this host is in its LAN network?
Any information, suggestions, or feedback is welcome—even if it's not entirely accurate, it might still help or point me in the right direction to solve the problem.
Regards
Borys
#7
24.7, 24.10 Legacy Series / Re: OPNsense randomly freezes under hyper-v
January 14, 2025, 12:54:11 AM
One of my OPNsense VM on OpenStack was freezing as well - kernel panic. Check the logs to see if it's not happening to you.
Paste output from
Paste output from
Code Select
uname -a. Reinstalling the kernel and syslog-ng helped me.
#8
24.7, 24.10 Legacy Series / IPv6 Help Needed
January 13, 2025, 05:14:43 PM
Hi,
I have my own IPv6 prefix from IANA, let's say 2001:db8::/32.
I've delegated the prefix 2001:db8:b000::/40 for my lab.
So far, through trial and error, I've managed to create a working IPv6 "like IPv4" network configuration, but I'm aware that's not the way it should be done.
Here's what I did to achieve a theoretically working IPv6 configuration:
2 machines lab1 and lab2 (HA).
On the WAN interface:
On the LAN interface:
In ISC DHCPv6 LAN Interface, I have:
In Router Advertisements for Lan:
Firewall NAT Outbound Rule:
The above configuration allows a client connected to the LAN network to request for IPv6 address (IPv4 as well, but I'm skipping that part). Client gets two specific IPv6 addresses from DHCPv6: one of the "global temporary dynamic" type and the other of the "global dynamic mngtmpaddr" type.
This client has internet access over IPv6, but its traffic is NAT-ed to the WAN VIP CARP IP, which is not how it should work in the IPv6 world (at least that's what I think).
How should I properly configure the WAN/LAN interfaces and DHCPv6 so that LAN client hosts derive the higher 64 bits from the OPN DHCPv6 and generate the lower 64 bits themselves (because, as far as I know, this is how it should work "properly")?
I need your support to correctly configure WAN IPv6 (static), LAN IPv6 (static?), and DHCPv6 for the LAN network. Unfortunately, I lack experience in this area, and the documentation seems rather sparse, especially regarding owning an IPv6 prefix and configuring interfaces statically.
Any suggestion on this topic is welcome.
Regards
Borys
I have my own IPv6 prefix from IANA, let's say 2001:db8::/32.
I've delegated the prefix 2001:db8:b000::/40 for my lab.
So far, through trial and error, I've managed to create a working IPv6 "like IPv4" network configuration, but I'm aware that's not the way it should be done.
Here's what I did to achieve a theoretically working IPv6 configuration:
2 machines lab1 and lab2 (HA).
On the WAN interface:
- Assigned static IPv6 addresses: Code Select
2001:db8:b000::11/64 on wan-lab1
2001:db8:b000::12/64 on wan-lab2 - Configured the IPv6 gateway: Code Select
2001:db8:b000::1 - Configured a VIP (WAN Interface CARP): Code Select
2001:db8:b000::10/64
On the LAN interface:
- I assigned static IPv6 addresses:Code Select
2001:db8:b003::2/64 on lan-lab1
2001:db8:b003::3/64 on lan-lab2 - Configured a VIP (LAN Interface CARP): Code Select
2001:db8:b003::1/64
In ISC DHCPv6 LAN Interface, I have:
- Enable: Code Select
True - Subnet: Code Select
2001:db8:b003:: - Subnet mask: Code Select
/64 - Available range: Code Select
2001:db8:b003:: - 2001:db8:b003:0:ffff:ffff:ffff:ffff - Range:
From:Code Select2001:db8:b003::To:Code Select2001:db8:b003:0:ffff:ffff:ffff:ffff
In Router Advertisements for Lan:
- Router Advertisements: Code Select
Unmanaged - Router Priority: Code Select
High - Source Address: Code Select
Automatic - Advertise Default Gateway: Code Select
True
Firewall NAT Outbound Rule:
Code Select
Interface: WAN
Source: LAN_net
Destination: !LAN_net
NAT Address: 2001:db8:b000::10
The above configuration allows a client connected to the LAN network to request for IPv6 address (IPv4 as well, but I'm skipping that part). Client gets two specific IPv6 addresses from DHCPv6: one of the "global temporary dynamic" type and the other of the "global dynamic mngtmpaddr" type.
This client has internet access over IPv6, but its traffic is NAT-ed to the WAN VIP CARP IP, which is not how it should work in the IPv6 world (at least that's what I think).
How should I properly configure the WAN/LAN interfaces and DHCPv6 so that LAN client hosts derive the higher 64 bits from the OPN DHCPv6 and generate the lower 64 bits themselves (because, as far as I know, this is how it should work "properly")?
I need your support to correctly configure WAN IPv6 (static), LAN IPv6 (static?), and DHCPv6 for the LAN network. Unfortunately, I lack experience in this area, and the documentation seems rather sparse, especially regarding owning an IPv6 prefix and configuring interfaces statically.
Any suggestion on this topic is welcome.
Regards
Borys
#9
24.7, 24.10 Legacy Series / Re: ISP hacked OPNSense Router
January 13, 2025, 10:09:02 AM
@peterwkc You should have something similar to this:
Copy it with to lines before "Fatal trap 12:..." and paste it here as a "code".
Code Select
<45>1 2025-01-10T02:33:17+01:00 opnsense2 syslog-ng 28239 - [meta sequenceId="1"] syslog-ng starting up; version='4.8.1'
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="2"] Fatal trap 12: page fault while in kernel mode
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="3"] cpuid = 3; apic id = 03
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="4"] fault virtual address = 0x0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="5"] fault code = supervisor write data, page not present
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="6"] instruction pointer = 0x20:0xffffffff80f3c00f
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="7"] stack pointer = 0x28:0xfffffe000edf1d10
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="8"] frame pointer = 0x28:0xfffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="9"] code segment = base 0x0, limit 0xfffff, type 0x1b
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="10"] = DPL 0, pres 1, long 1, def32 0, gran 1
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="11"] processor eflags = interrupt enabled, resume, IOPL = 0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="12"] current process = 0 (thread taskq)
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="13"] rdi: fffffe008ea60400 rsi: 0000000000000000 rdx: 000000000000002e
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="14"] rcx: 0000000000000000 r8: 0000000000000000 r9: fffff80005c2f480
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="15"] rax: 0000000000000000 rbx: 0000000000000000 rbp: fffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="16"] r10: fffff80005c2f480 r11: 00000000802e6e20 r12: fffff801c6694fe0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="17"] r13: fffffe008ea60400 r14: fffff801c6694318 r15: fffff80005c2f540
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="18"] trap number = 12
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="19"] panic: page fault
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="20"] cpuid = 3
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="21"] time = 1736472729
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="22"] KDB: stack backtrace:
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="23"] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe000edf1a00
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="24"] vpanic() at vpanic+0x131/frame 0xfffffe000edf1b30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="25"] panic() at panic+0x43/frame 0xfffffe000edf1b90
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="26"] trap_fatal() at trap_fatal+0x40b/frame 0xfffffe000edf1bf0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="27"] trap_pfault() at trap_pfault+0x46/frame 0xfffffe000edf1c40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="28"] calltrap() at calltrap+0x8/frame 0xfffffe000edf1c40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="29"] --- trap 0xc, rip = 0xffffffff80f3c00f, rsp = 0xfffffe000edf1d10, rbp = 0xfffffe000edf1d50 ---
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="30"] zone_release() at zone_release+0x1df/frame 0xfffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="31"] bucket_drain() at bucket_drain+0xb9/frame 0xfffffe000edf1d80
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="32"] bucket_cache_reclaim_domain() at bucket_cache_reclaim_domain+0x2ff/frame 0xfffffe000edf1de0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="33"] zone_timeout() at zone_timeout+0x2eb/frame 0xfffffe000edf1e20
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="34"] uma_timeout() at uma_timeout+0x58/frame 0xfffffe000edf1e40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="35"] taskqueue_run_locked() at taskqueue_run_locked+0x182/frame 0xfffffe000edf1ec0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="36"] taskqueue_thread_loop() at taskqueue_thread_loop+0xc2/frame 0xfffffe000edf1ef0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="37"] fork_exit() at fork_exit+0x7f/frame 0xfffffe000edf1f30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="38"] fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000edf1f30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="39"] --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="40"] KDB: enter: panic
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="41"] ---<<BOOT>>---
Copy it with to lines before "Fatal trap 12:..." and paste it here as a "code".
#10
24.7, 24.10 Legacy Series / Re: [SOLVED] Kernel Panic - box restarts every few hours
January 13, 2025, 10:01:44 AMQuote from: borys.ohnsorge on January 10, 2025, 07:16:53 PMNow I'm waiting and seeing if the kernel panic happens again.So far so good, no crash since Friday afternoon.
#11
24.7, 24.10 Legacy Series / Re: ISP hacked OPNSense Router
January 10, 2025, 07:44:41 PM
Check if your reboots are not related to kernel panic's, there have been several threads on this topic recently.
#12
24.7, 24.10 Legacy Series / Re: [SOLVED] Kernel Panic - box restarts every few hours
January 10, 2025, 07:16:53 PMQuote from: mem7192 on January 10, 2025, 06:00:32 PM@Borys - your log looks the same as mine did. Do what I did a couple posts up and I would imagine you will be good to go. Check the kernel version now that you've updated and thenCode Selectpkg install -f syslog-ng
I've already done that. Now I'm waiting and seeing if the kernel panic happens again.
#13
24.7, 24.10 Legacy Series / Re: Fatal Trap 12: page fault while in kernel mode (Kernel Panic)
January 10, 2025, 05:51:29 PM
@DocHodges can You show output from:
Look at this thread: [SOLVED] Kernel Panic - box restarts every few hours
And @dedi #4 post
Regards
Borys
Code Select
uname -aLook at this thread: [SOLVED] Kernel Panic - box restarts every few hours
And @dedi #4 post
Regards
Borys
#14
24.7, 24.10 Legacy Series / Re: Kernel Panic - box restarts every few hours
January 10, 2025, 05:46:27 PM
I'm experiencing exactly the same issue:
Regards
Borys
Code Select
<45>1 2025-01-10T02:33:17+01:00 opnsense2 syslog-ng 28239 - [meta sequenceId="1"] syslog-ng starting up; version='4.8.1'
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="2"] Fatal trap 12: page fault while in kernel mode
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="3"] cpuid = 3; apic id = 03
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="4"] fault virtual address = 0x0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="5"] fault code = supervisor write data, page not present
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="6"] instruction pointer = 0x20:0xffffffff80f3c00f
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="7"] stack pointer = 0x28:0xfffffe000edf1d10
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="8"] frame pointer = 0x28:0xfffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="9"] code segment = base 0x0, limit 0xfffff, type 0x1b
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="10"] = DPL 0, pres 1, long 1, def32 0, gran 1
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="11"] processor eflags = interrupt enabled, resume, IOPL = 0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="12"] current process = 0 (thread taskq)
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="13"] rdi: fffffe008ea60400 rsi: 0000000000000000 rdx: 000000000000002e
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="14"] rcx: 0000000000000000 r8: 0000000000000000 r9: fffff80005c2f480
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="15"] rax: 0000000000000000 rbx: 0000000000000000 rbp: fffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="16"] r10: fffff80005c2f480 r11: 00000000802e6e20 r12: fffff801c6694fe0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="17"] r13: fffffe008ea60400 r14: fffff801c6694318 r15: fffff80005c2f540
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="18"] trap number = 12
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="19"] panic: page fault
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="20"] cpuid = 3
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="21"] time = 1736472729
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="22"] KDB: stack backtrace:
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="23"] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe000edf1a00
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="24"] vpanic() at vpanic+0x131/frame 0xfffffe000edf1b30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="25"] panic() at panic+0x43/frame 0xfffffe000edf1b90
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="26"] trap_fatal() at trap_fatal+0x40b/frame 0xfffffe000edf1bf0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="27"] trap_pfault() at trap_pfault+0x46/frame 0xfffffe000edf1c40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="28"] calltrap() at calltrap+0x8/frame 0xfffffe000edf1c40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="29"] --- trap 0xc, rip = 0xffffffff80f3c00f, rsp = 0xfffffe000edf1d10, rbp = 0xfffffe000edf1d50 ---
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="30"] zone_release() at zone_release+0x1df/frame 0xfffffe000edf1d50
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="31"] bucket_drain() at bucket_drain+0xb9/frame 0xfffffe000edf1d80
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="32"] bucket_cache_reclaim_domain() at bucket_cache_reclaim_domain+0x2ff/frame 0xfffffe000edf1de0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="33"] zone_timeout() at zone_timeout+0x2eb/frame 0xfffffe000edf1e20
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="34"] uma_timeout() at uma_timeout+0x58/frame 0xfffffe000edf1e40
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="35"] taskqueue_run_locked() at taskqueue_run_locked+0x182/frame 0xfffffe000edf1ec0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="36"] taskqueue_thread_loop() at taskqueue_thread_loop+0xc2/frame 0xfffffe000edf1ef0
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="37"] fork_exit() at fork_exit+0x7f/frame 0xfffffe000edf1f30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="38"] fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000edf1f30
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="39"] --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="40"] KDB: enter: panic
<13>1 2025-01-10T02:33:17+01:00 opnsense2 kernel - - [meta sequenceId="41"] ---<<BOOT>>---
I just performed a manual kernel update (unfortunately, I didn't check what the previous version was :/), and we'll see if the situation improves for me as well.Regards
Borys
#15
24.7, 24.10 Legacy Series / Re: Fatal Trap 12: page fault while in kernel mode (Kernel Panic)
January 09, 2025, 09:21:19 PM
Hi,
I also struggle with kernel panic on a backup machine in a cluster running as virtual machines on opnestack. In my case, the problems started after updating to 24.7.10, as far as I remember.
The strange thing is that the master is in exactly the same version and there are no problems with it. Of course, it is running in a different location on a different compute node (but with the same parameters for both virtual machines and compute nodes).
Regards,
Borys
I also struggle with kernel panic on a backup machine in a cluster running as virtual machines on opnestack. In my case, the problems started after updating to 24.7.10, as far as I remember.
Code Select
Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 02
fault virtual address = 0x0
fault code = supervisor write data, page not present
instruction pointer = 0x20:0xffffffff80f3c00f
stack pointer = 0x28:0xfffffe000edf1d10
frame pointer = 0x28:0xfffffe000edf1d50
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (thread taskq)
rdi: fffffe008e859400 rsi: 0000000000000000 rdx: 000000000000002e
rcx: 0000000000000000 r8: 0000000000000000 r9: fffff80005bbe480
rax: 0000000000000000 rbx: 0000000000000000 rbp: fffffe000edf1d50
r10: fffff80005bbe480 r11: 00000000800a7d8e r12: fffff80156d6cfe0
r13: fffffe008e859400 r14: fffff80156d6ccb8 r15: fffff80005bbe540
trap number = 12
panic: page fault
cpuid = 2
time = 1736260351
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe000edf1a00
vpanic() at vpanic+0x131/frame 0xfffffe000edf1b30
panic() at panic+0x43/frame 0xfffffe000edf1b90
trap_fatal() at trap_fatal+0x40b/frame 0xfffffe000edf1bf0
trap_pfault() at trap_pfault+0x46/frame 0xfffffe000edf1c40
calltrap() at calltrap+0x8/frame 0xfffffe000edf1c40
--- trap 0xc, rip = 0xffffffff80f3c00f, rsp = 0xfffffe000edf1d10, rbp = 0xfffffe000edf1d50 ---
zone_release() at zone_release+0x1df/frame 0xfffffe000edf1d50
bucket_drain() at bucket_drain+0xb9/frame 0xfffffe000edf1d80
bucket_cache_reclaim_domain() at bucket_cache_reclaim_domain+0x2ff/frame 0xfffffe000edf1de0
zone_timeout() at zone_timeout+0x2eb/frame 0xfffffe000edf1e20
uma_timeout() at uma_timeout+0x58/frame 0xfffffe000edf1e40
taskqueue_run_locked() at taskqueue_run_locked+0x182/frame 0xfffffe000edf1ec0
taskqueue_thread_loop() at taskqueue_thread_loop+0xc2/frame 0xfffffe000edf1ef0
fork_exit() at fork_exit+0x7f/frame 0xfffffe000edf1f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000edf1f30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
Code Select
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x0
fault code = supervisor write data, page not present
instruction pointer = 0x20:0xffffffff82785e61
stack pointer = 0x28:0xfffffe0084263a40
frame pointer = 0x28:0xfffffe0084263a70
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (irq28: virtio_pci2)
rdi: fffff801245bc210 rsi: fffff801245bc210 rdx: 000000002ce7b27e
rcx: 0000000000000000 r8: 000000004150a7d2 r9: 0000000020510000
rax: 0000000000000000 rbx: fffff80018710b00 rbp: fffffe0084263a70
r10: 000000002c28d619 r11: 0000000000000301 r12: fffffe008ea5c000
r13: 000000000005625c r14: fffff801245bc210 r15: fffff80003aea000
trap number = 12
panic: page fault
cpuid = 1
time = 1736353882
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0084263730
vpanic() at vpanic+0x131/frame 0xfffffe0084263860
panic() at panic+0x43/frame 0xfffffe00842638c0
trap_fatal() at trap_fatal+0x40b/frame 0xfffffe0084263920
trap_pfault() at trap_pfault+0x46/frame 0xfffffe0084263970
calltrap() at calltrap+0x8/frame 0xfffffe0084263970
--- trap 0xc, rip = 0xffffffff82785e61, rsp = 0xfffffe0084263a40, rbp = 0xfffffe0084263a70 ---
pf_detach_state() at pf_detach_state+0x6c1/frame 0xfffffe0084263a70
pf_unlink_state() at pf_unlink_state+0x290/frame 0xfffffe0084263ab0
pfsync_in_del_c() at pfsync_in_del_c+0x6c/frame 0xfffffe0084263af0
pfsync_input() at pfsync_input+0x23a/frame 0xfffffe0084263b70
ip_input() at ip_input+0x268/frame 0xfffffe0084263bd0
netisr_dispatch_src() at netisr_dispatch_src+0x9e/frame 0xfffffe0084263c20
ether_demux() at ether_demux+0x149/frame 0xfffffe0084263c50
ether_nh_input() at ether_nh_input+0x36a/frame 0xfffffe0084263cb0
netisr_dispatch_src() at netisr_dispatch_src+0x9e/frame 0xfffffe0084263d00
ether_input() at ether_input+0x56/frame 0xfffffe0084263d50
vtnet_rxq_eof() at vtnet_rxq_eof+0x6e9/frame 0xfffffe0084263e20
vtnet_rx_vq_process() at vtnet_rx_vq_process+0xbc/frame 0xfffffe0084263e60
ithread_loop() at ithread_loop+0x257/frame 0xfffffe0084263ef0
fork_exit() at fork_exit+0x7f/frame 0xfffffe0084263f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0084263f30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
The strange thing is that the master is in exactly the same version and there are no problems with it. Of course, it is running in a different location on a different compute node (but with the same parameters for both virtual machines and compute nodes).
Regards,
Borys
