Messages

Hi Rookie24,

This post made me take a closer look at our dhcp traffic. On closer inspection I found that the dhcrelay on the passive node is misbehaving in out case. It duplicates all the replys it handles.

https://github.com/opnsense/dhcrelay/issues/3

However I have not encountered any impacts in our infrastructure. As far as I understand dhcp, it should be fine to receive multiple offers either from different servers or from different relays. I always used this independent redundancy in relays and server setups. Until now I am not aware of ans race conditions caused by this.

Regards Marius

I had an interface set so the rule was not shown in the list of floating rules. So clearly the problem was the User. The new automation rule list never shows you all rules only the floating, groups or interface rules. I like the possibility to look at and search all rules at once. But otherwise the new interface is very nice.

 - Marius

I created some rules using the API (with the ansible module) and are a bit perplexed that this rules does not show up in the UI. I created a second rule un the UI. This one shows up. The search api (/api/firewall/filter/search_rule) only return the rule i created in the UI. Unless the show_all=true is set. However in /api/firewall/filter/get the ansible created rule shows up and in "pfctl -v -s rule" too.

In the config both rules seem to look fine. Any ideas where to investigate further?

 - Marius

Code Select Expand

<Filter version="1.0.4">
<rules>
<rule uuid="b5ed14b9-54e9-4935-8de3-14f6aaa91715">
<enabled>1</enabled>
<statetype>keep</statetype>
<state-policy/>
<sequence>100</sequence>
<action>pass</action>
<quick>1</quick>
<interfacenot>0</interfacenot>
<interface/>
<direction>in</direction>
<ipprotocol>inet</ipprotocol>
<protocol>TCP/UDP</protocol>
<source_net>any</source_net>
<source_not>0</source_not>
<source_port/>
<destination_net>any</destination_net>
<destination_not>0</destination_not>
<destination_port/>
<gateway/>
<replyto/>
<disablereplyto>0</disablereplyto>
<log>0</log>
<allowopts>0</allowopts>
<nosync>0</nosync>
<nopfsync>0</nopfsync>
<statetimeout/>
<max-src-nodes/>
<max-src-states/>
<max-src-conn/>
<max/>
<max-src-conn-rate/>
<max-src-conn-rates/>
<overload/>
<adaptivestart/>
<adaptiveend/>
<prio/>
<set-prio/>
<set-prio-low/>
<tag/>
<tagged/>
<tcpflags1/>
<tcpflags2/>
<categories/>
<sched/>
<tos/>
<shaper1/>
<shaper2/>
<description>test</description>
</rule>
<rule uuid="894a4527-ea77-4c98-988a-5a75afc9a387">
<enabled>1</enabled>
<statetype>keep</statetype>
<state-policy/>
<sequence>101</sequence>
<action>pass</action>
<quick>1</quick>
<interfacenot>0</interfacenot>
<interface>lan</interface>
<direction>in</direction>
<ipprotocol>inet</ipprotocol>
<protocol>TCP</protocol>
<source_net>192.168.0.0/24</source_net>
<source_not>0</source_not>
<source_port/>
<destination_net>192.168.1.0/24</destination_net>
<destination_not>0</destination_not>
<destination_port>443</destination_port>
<gateway/>
<replyto/>
<disablereplyto>0</disablereplyto>
<log>1</log>
<allowopts>0</allowopts>
<nosync>0</nosync>
<nopfsync>0</nopfsync>
<statetimeout/>
<max-src-nodes/>
<max-src-states/>
<max-src-conn/>
<max/>
<max-src-conn-rate/>
<max-src-conn-rates/>
<overload/>
<adaptivestart/>
<adaptiveend/>
<prio/>
<set-prio/>
<set-prio-low/>
<tag/>
<tagged/>
<tcpflags1/>
<tcpflags2/>
<categories/>
<sched/>
<tos/>
<shaper1/>
<shaper2/>
<description>ANSIBLE_TEST_1_1</description>
</rule>
</rules>
<snatrules/>
<npt/>
<onetoone/>
</Filter>
</Firewall>