Quote from: franco on July 31, 2025, 11:13:23 AM
Fragmentation doesn't work on your end. It may cause large packets to be dropped and make your firmware updates fail for hard to debug reasons otherwise. That's why the ping is oversized at 1500 bytes in the connectivity check but you are using a short ping packet.
Cheers,
Franco
It has been a while since I got my education on networking. I googled OPNsense fragmentation, and I get results that talk about the packet size via IPsec tunnels. I have not made any setting changes in OPNsense that I am aware of that affect the packet size. Is there a setting in OPNsense I am not aware of?
Could this be due to the managed switches I am using on my LAN? All my switches support jumbo frames. What size should I use for the TCP/IP frames? The following are my choices: 1522, 1536, 1552, 9216, 16383. It looks like I have it set to 16383. Should I go to 1522?
Thanks, GadgetAngel
EDIT: I changed the jumbo frame setting on the two switches involved in my network setup, and I get the same result. I first used a jumbo frame of 9216 and reran the Firmware -> Status -> Run an audit -> Connectivity command, and still ended up with the same result. I then changed the jumbo frame size to 1522 (the lowest setting) and reran the Firmware -> Status -> Run an audit -> Connectivity command, and still ended up with the same "Non-recoverable resolver failure" error.
I just received the latest update to 25.7.1, and it downloaded without error. So now I am worried: are my updates getting corrupted? Is my OPNsense software 25.7.1 corrupted?
Here is the output of the latest update:
Code:
Update to 25.7.1
Output:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7 (amd64) at Thu Jul 31 12:29:40 EDT 2025
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (17 candidates): .......... done
Processing candidates (17 candidates): .......... done
The following 17 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
abseil: 20250127.0 -> 20250127.1
boost-libs: 1.88.0_1 -> 1.88.0_2
crowdsec: 1.6.9 -> 1.6.10
crowdsec-firewall-bouncer: 0.0.32_2 -> 0.0.32_3
curl: 8.14.1 -> 8.15.0
ivykis: 0.43.2 -> 0.43.2_1
jq: 1.8.0 -> 1.8.1
libucl: 0.9.2_1 -> 0.9.2_2
nspr: 4.36 -> 4.37
nss: 3.113.1_1 -> 3.114
opnsense: 25.7 -> 25.7.1
os-crowdsec: 1.0.11 -> 1.0.11_1
py311-certifi: 2025.6.15 -> 2025.7.14
py311-duckdb: 1.3.1_1 -> 1.3.2
py311-typing-extensions: 4.14.0 -> 4.14.1
re2: 20250626b -> 20250722
sudo: 1.9.17p1 -> 1.9.17p2
Number of packages to be upgraded: 17
The operation will free 62 MiB.
88 MiB to be downloaded.
[1/17] Fetching re2-20250722.pkg: .......... done
[2/17] Fetching boost-libs-1.88.0_2.pkg: .......... done
[3/17] Fetching os-crowdsec-1.0.11_1.pkg: ... done
[4/17] Fetching nss-3.114.pkg: .......... done
[5/17] Fetching crowdsec-1.6.10.pkg: .......... done
[6/17] Fetching jq-1.8.1.pkg: .......... done
[7/17] Fetching crowdsec-firewall-bouncer-0.0.32_3.pkg: .......... done
[8/17] Fetching abseil-20250127.1.pkg: .......... done
[9/17] Fetching ivykis-0.43.2_1.pkg: .......... done
[10/17] Fetching py311-certifi-2025.7.14.pkg: .......... done
[11/17] Fetching curl-8.15.0.pkg: .......... done
[12/17] Fetching nspr-4.37.pkg: .......... done
[13/17] Fetching libucl-0.9.2_2.pkg: .......... done
[14/17] Fetching opnsense-25.7.1.pkg: .......... done
[15/17] Fetching py311-duckdb-1.3.2.pkg: .......... done
[16/17] Fetching py311-typing-extensions-4.14.1.pkg: .......... done
[17/17] Fetching sudo-1.9.17p2.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/17] Upgrading py311-typing-extensions from 4.14.0 to 4.14.1...
[1/17] Extracting py311-typing-extensions-4.14.1: .......... done
[2/17] Upgrading py311-certifi from 2025.6.15 to 2025.7.14...
[2/17] Extracting py311-certifi-2025.7.14: .......... done
[3/17] Upgrading abseil from 20250127.0 to 20250127.1...
[3/17] Extracting abseil-20250127.1: .......... done
[4/17] Upgrading nspr from 4.36 to 4.37...
[4/17] Extracting nspr-4.37: .......... done
[5/17] Upgrading re2 from 20250626b to 20250722...
[5/17] Extracting re2-20250722: .......... done
[6/17] Upgrading boost-libs from 1.88.0_1 to 1.88.0_2...
[6/17] Extracting boost-libs-1.88.0_2: .......... done
[7/17] Upgrading nss from 3.113.1_1 to 3.114...
[7/17] Extracting nss-3.114: .......... done
[8/17] Upgrading jq from 1.8.0 to 1.8.1...
[8/17] Extracting jq-1.8.1: .......... done
[9/17] Upgrading crowdsec-firewall-bouncer from 0.0.32_2 to 0.0.32_3...
[9/17] Extracting crowdsec-firewall-bouncer-0.0.32_3: ...... done
crowdsec_firewall is running as pid 43874.
Stopping crowdsec_firewall.
[10/17] Upgrading ivykis from 0.43.2 to 0.43.2_1...
[10/17] Extracting ivykis-0.43.2_1: .......... done
[11/17] Upgrading curl from 8.14.1 to 8.15.0...
[11/17] Extracting curl-8.15.0: .......... done
[12/17] Upgrading libucl from 0.9.2_1 to 0.9.2_2...
[12/17] Extracting libucl-0.9.2_2: .......... done
[13/17] Upgrading crowdsec from 1.6.9 to 1.6.10...
[13/17] Extracting crowdsec-1.6.10: .......... done
crowdsec is running as pid 38019.
Stopping crowdsec.
Waiting for PIDS: 38019.
Updating crowdsec hub data
Downloading /usr/local/etc/crowdsec/hub/.index.json
Loaded: 144 parsers, 10 postoverflows, 764 scenarios, 8 contexts, 4 appsec-configs, 118 appsec-rules, 139 collections
Starting crowdsec.
[14/17] Upgrading py311-duckdb from 1.3.1_1 to 1.3.2...
[14/17] Extracting py311-duckdb-1.3.2: .......... done
[15/17] Upgrading sudo from 1.9.17p1 to 1.9.17p2...
[15/17] Extracting sudo-1.9.17p2: .......... done
[16/17] Upgrading os-crowdsec from 1.0.11 to 1.0.11_1...
[16/17] Extracting os-crowdsec-1.0.11_1: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/CrowdSec: OK
OK
[17/17] Upgrading opnsense from 25.7 to 25.7.1...
[17/17] Extracting opnsense-25.7.1: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Creating group 'wwwonly' with gid '789'
Creating user 'wwwonly' with uid '789'
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
You may need to manually remove /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/config.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/local_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/online_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/console.yaml if it is no longer needed.
=====
Message from opnsense-25.7.1:
--
Some will win, some will lose, some are born to sing the blues
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/re2-20250722~807cc5b2ff.pkg
/var/cache/pkg/boost-libs-1.88.0_2.pkg
/var/cache/pkg/re2-20250722.pkg
/var/cache/pkg/boost-libs-1.88.0_2~84617ed6cb.pkg
/var/cache/pkg/os-crowdsec-1.0.11_1~e147a5ce92.pkg
/var/cache/pkg/nss-3.114~812be4dfd0.pkg
/var/cache/pkg/os-crowdsec-1.0.11_1.pkg
/var/cache/pkg/crowdsec-1.6.10.pkg
/var/cache/pkg/nss-3.114.pkg
/var/cache/pkg/crowdsec-1.6.10~4045a53d44.pkg
/var/cache/pkg/jq-1.8.1~e0b39fe77a.pkg
/var/cache/pkg/jq-1.8.1.pkg
/var/cache/pkg/crowdsec-firewall-bouncer-0.0.32_3~1284af5676.pkg
/var/cache/pkg/curl-8.15.0.pkg
/var/cache/pkg/abseil-20250127.1~005dabc6d3.pkg
/var/cache/pkg/crowdsec-firewall-bouncer-0.0.32_3.pkg
/var/cache/pkg/py311-certifi-2025.7.14.pkg
/var/cache/pkg/abseil-20250127.1.pkg
/var/cache/pkg/ivykis-0.43.2_1~4da3330166.pkg
/var/cache/pkg/ivykis-0.43.2_1.pkg
/var/cache/pkg/py311-certifi-2025.7.14~73c57b1c68.pkg
/var/cache/pkg/curl-8.15.0~7af54c810b.pkg
/var/cache/pkg/nspr-4.37~20f3aef2fd.pkg
/var/cache/pkg/libucl-0.9.2_2.pkg
/var/cache/pkg/nspr-4.37.pkg
/var/cache/pkg/libucl-0.9.2_2~f9e1ab6893.pkg
/var/cache/pkg/opnsense-25.7.1~0101b30d6c.pkg
/var/cache/pkg/py311-duckdb-1.3.2.pkg
/var/cache/pkg/opnsense-25.7.1.pkg
/var/cache/pkg/py311-duckdb-1.3.2~de5609ff62.pkg
/var/cache/pkg/py311-typing-extensions-4.14.1~2889561de3.pkg
/var/cache/pkg/sudo-1.9.17p2~f6409351aa.pkg
/var/cache/pkg/py311-typing-extensions-4.14.1.pkg
/var/cache/pkg/sudo-1.9.17p2.pkg
The cleanup will free 88 MiB
Deleting files: .......... done
All done
Nothing to do.
Starting web GUI...done.
***DONE***
Here is the output (with a jumbo frame size of 1522 on both the managed switches) from the Firmware -> Status -> Run an audit -> Connectivity command after I did the update to OPNsense 25.7.1:
Code:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.7.1 (amd64) at Thu Jul 31 12:33:07 EDT 2025
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
--- 89.149.222.99 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 898 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***
Is my OPNsense 25.7.1 software corrupted or is it OK? From the output of the update, everything appears to be OK, but I cannot figure out why I get this "Non-recoverable resolver failure" error from the Firmware -> Status -> Run an audit -> Connectivity command. If someone could point me to information on a setting in OPNsense to fix this issue, I would appreciate it. I have set the jumbo frame size on all the switches in my network to the lowest jumbo size I could. I cannot turn the jumbo frame feature off on these managed switches. Please, any help that can point me in the correct direction would be very much appreciated. My worry is that my OPNsense software is corrupted and the system does not know it.
BTW, I am NOT using any VPN on this system. The only tunnel I am aware of: I "Enable DNSSEC Support" for Unbound. Are there some OPNsense system settings tunables I need to adjust? If so, which tunables should I be looking at?
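The connectivity audit quoted above runs five separate checks, and the "Non-recoverable resolver failure" lines belong to only one of them. As an added example (not part of the original post and not OPNsense code), this Python parser splits such a log by stage and reports the result of each; the check names and the 1500-byte path MTU are assumptions.

```python
import re

# Lines abridged from the connectivity audit quoted in the post above.
AUDIT = """\
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
OPNsense repository update completed. 898 packages processed.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz: Non-recoverable resolver failure
Checking server certificate for host: pkg.opnsense.org
verify return:1
"""
ASSUMED_MTU = 1500     # assumption: standard Ethernet MTU on the path
IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header

def classify(stage):
    """Return (check, status, detail) for one stage of the audit."""
    head, body = stage[0], "\n".join(stage[1:])
    if "server certificate" in head:
        ok = "verify return:1" in body and "verify error" not in body
        return ("tls-chain", "ok" if ok else "fail", "")
    if "repository" in head:
        name = "repo-" + re.search(r"\((IPv[46])\)", head).group(1)
        if "resolver failure" in body:
            return (name, "fail", "resolver failure")
        return (name, "ok" if "repository update completed" in body else "fail", "")
    name = "ping-" + ("IPv6" if ":" in head.rsplit("-> ", 1)[1] else "IPv4")
    if "No route to host" in body:
        return (name, "fail", "no route to host")
    size = int(re.search(r"(\d+) data bytes", body).group(1))
    loss = float(re.search(r"([\d.]+)% packet loss", body).group(1))
    if loss == 100.0 and size + IP_ICMP_OVERHEAD > ASSUMED_MTU:
        return (name, "fail", "oversized ping lost")  # packet had to be fragmented
    return (name, "ok" if loss == 0 else "fail", f"{loss}% loss")

def audit_summary(text):
    """Split the log at each 'Checking ...' header and classify every stage."""
    stages = []
    for line in text.splitlines():
        if re.match(r"Checking (connectivity|server certificate) for ", line):
            stages.append([line])
        elif stages:
            stages[-1].append(line)
    return [classify(s) for s in stages]
```

On the log from the post, `audit_summary(AUDIT)` marks the IPv4 repository fetch and the certificate chain as passing, and the oversized IPv4 ping and both IPv6 stages as failing.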