Messages - AdSchellevis

#1
Hi,

We have thought about macro expansions at one time, but haven't managed to come up with something functional yet.
The flexibility of OPNsense also makes it difficult to come up with a pattern that "just works", but you never know, maybe in a future release.

The issue around the central API key not sticking around does sound like a bug from our end, an omission caused by the major redesign of the user manager. If you drop us an email at support@opnsense.com and refer to this post, I'll see if I can send you a version to test before a new minor release is out.

Best regards,

Ad
#2
I haven't seen issues earlier, to be honest. When suspecting a bug, you can always open a ticket on GitHub.

My community support time is too limited to try to reproduce this on my end at the moment.
When hooks are triggered, I believe a log entry is triggered as well.

Best regards,

Ad
#3
Hi Ulf,

That might depend on configured settings; these events are triggered when connected properly to the child instead of a static id:

https://github.com/opnsense/core/blob/3c2ad5d6b3c53f27d747bbde7b6ff81dc4bb7e5f/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php#L246


Best regards,

Ad
#4
Hi,

When using both legacy and new at the same time, overlaps may happen, as mentioned at https://docs.opnsense.org/manual/vpnet.html#combining-legacy-tunnels-and-connections

You can either lock the reqids on the new connections too or force the numbering to start with an offset.

The latter should be possible by adding a file /usr/local/etc/strongswan.opnsense.d/reqid-base.conf containing

charon {
    reqid_base = 8192
}

Given we recently refactored the charon configuration to new mvc code, I also don't mind adding the option in the ui; just open a ticket requesting the feature here: https://github.com/opnsense/core/issues

Best regards,

Ad
#5
Hi Patrick,

I think I found the culprit. Can you paste the following in a text file on the OPNcentral node:

diff --git a/deciso/OPNcentral/src/opnsense/mvc/app/models/Deciso/OPNcentral/Central.php b/deciso/OPNcentral/src/opnsense/mvc/app/models/Deciso/OPNcentral/Central.php
index 02c77910d..1e80df3bb 100644
--- /usr/local/opnsense/mvc/app/models/Deciso/OPNcentral/Central.php
+++ /usr/local/opnsense/mvc/app/models/Deciso/OPNcentral/Central.php
@@ -63,7 +63,7 @@ class Central extends BaseModel
                    $auth_groups[] = (string)$groupNode->gid;
                } else {
                    foreach ($groupNode->children() as $itemKey => $node) {
-                        if ($itemKey == 'member' && (string)$node != "" && (string)$node == $this_uid) {
+                        if ($itemKey == 'member' && in_array($this_uid, explode(',', (string)$node))) {
                            $auth_groups[] = (string)$groupNode->gid;
                        }
                    }
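Review bot: the rewritten condition drops the `(string)$node != ""` guard and relies on loose `in_array` comparison, so an empty `$this_uid` would now match an empty member node (`explode(',', '')` yields `['']`) and numeric-string uids compare loosely (`'1' == '01'` is true in PHP). Consider `in_array($this_uid, array_map('trim', explode(',', (string)$node)), true)` together with keeping the `$this_uid !== ''` check; the `trim` also covers lists stored as `"1, 2"`.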


Assuming the file is called /tmp/opncentral.patch, next run:

patch -p0 < /tmp/opncentral.patch

If this fixes your issue, we'll schedule a minor upgrade as soon as possible.

Best regards,

Ad
#6
Hi Patrick,

Which user is logged in at the central node? Are there any host groups configured? If not, does the browser console show any errors?

Best regards,

Ad
#7
I expect NAT reflection is enabled (Firewall: Settings: Advanced), in which case https://github.com/opnsense/core/commit/25b2716325951a7cbd93bc42ca21179f46519c10 is likely the culprit.

To install use the following:

opnsense-patch 25b2716325
#8
General Discussion / Re: OpenVPN CVE
April 05, 2025, 09:04:34 AM
#9
Best check which process is busy first, from the (ssh) console, you can use the following command:

ps -axfu

#11
General Discussion / Re: GeoIP URL / IP Exclusion
November 14, 2024, 08:11:22 AM
You cannot, but as far as I can find, the documentation also doesn't suggest you can.
#12
General Discussion / Re: GeoIP URL / IP Exclusion
November 13, 2024, 10:00:39 AM
Hi,

You can nest aliases and exclude addresses in the inherited alias, see https://docs.opnsense.org/manual/aliases.html#nesting (and the FireHOL_with_exclusions example)

Best regards,

Ad

#13
Hi Steve,

If I'm not mistaken, the disable serial console option is not available in the menu.
When you are able to reach the BIOS, make sure to check these settings: https://docs.opnsense.org/hardware/serial_connectivity.html#legacy-uart-vs-uefi-serial , as older OPNsense versions handled EFI differently.


Best regards,

Ad
#14
Best check from the GUI; if it doesn't crash there, it's in.
#15
It looks like we missed a spot there; the delete action wasn't implemented. Just added it in https://github.com/opnsense/core/commit/59b4defd5b8de19f886d57ef55d0a3a05f048ec9

Best regards,

Ad