Messages - mircsicz

1
24.1 Legacy Series / Re: Dual WAN DPinger Error
« on: May 22, 2024, 01:36:14 am »
Are you aware of this similar topic:

https://forum.opnsense.org/index.php?topic=38603.msg199209#msg199209

2
24.1 Legacy Series / Re: Multi-WAN (PPPoE + Starlink) - SL Gateway falsely being marked down after outage
« on: May 22, 2024, 01:33:08 am »
I was just hit by this after upgrading to 24.1.7

Code: [Select]
2024-05-21T19:29:59-04:00 Warning dpinger send_interval 1000ms loss_interval 4000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 0ms loss_alarm 0% alarm_hold 10000ms dest_addr 8.8.4.4 bind_addr 100.99.yy.xx identifier "WAN_SL_DHCP "
2024-05-21T19:29:59-04:00 Warning dpinger send_interval 1000ms loss_interval 4000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 0ms loss_alarm 0% alarm_hold 10000ms dest_addr 8.8.8.8 bind_addr 192.168.1.64 identifier "WAN_MX_DHCP "
2024-05-21T19:29:59-04:00 Warning dpinger exiting on signal 15
2024-05-21T19:29:59-04:00 Warning dpinger exiting on signal 15
2024-05-21T19:29:59-04:00 Warning dpinger exiting on signal 15
2024-05-21T19:13:59-04:00 Warning dpinger send_interval 1000ms loss_interval 4000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 0ms loss_alarm 0% alarm_hold 10000ms dest_addr 1.1.1.1 bind_addr 100.99.yy.xx identifier "WAN_SL_DHCP "
2024-05-21T19:13:59-04:00 Warning dpinger exiting on signal 15
2024-05-21T19:13:57-04:00 Warning dpinger WAN_SL_DHCP 1.1.1.1: sendto error: 22
2024-05-21T19:13:56-04:00 Warning dpinger WAN_SL_DHCP 1.1.1.1: sendto error: 22

I've set the Starlink GW as a far GW for now...

Also there's another similar post

EDIT: Setting it as a far GW doesn't help at all! :-(

3
24.1 Legacy Series / Re: Sessions appear to be being terminated randomly post upgrade.
« on: March 20, 2024, 10:43:16 pm »
For me switching to another Repo-Mirror solved it...

For anybody else facing it: I was hit on my way from 24.1.3 to 24.1.4 ;-)

4
23.1 Legacy Series / Re: filter.log filling up my SSD, but can't find rules with enabled logging
« on: April 09, 2023, 03:24:54 pm »
THX a ton

5
23.1 Legacy Series / filter.log filling up my SSD, but can't find rules with enabled logging
« on: April 08, 2023, 02:44:58 pm »
Hi all,

this morning I got an Email from my WiFi-WAN Provider, asking to restore power to the AP on my roof. As I'm currently not in the EU and couldn't reach my Dad who is housesitting I started to dig into the issue:

Found this in the Unbound log:
Code: [Select]
2023-04-08T14:10:57 Critical unbound [31257:0] fatal error: could not complete write: /root.key: No space left on device
2023-04-08T14:10:56 Error unbound [31257:0] error: could not fflush(/root.key): No space left on device
2023-04-08T14:10:51 Warning unbound PTR record already exists for unifi.mydom.de(10.yy.xxx.14)

So I checked the FS via SSH:
Code: [Select]
mircsicz@router:~ $ uptime
 2:12PM  up  4:06, 1 user, load averages: 0.42, 0.35, 0.28
mircsicz@router:~ $ df -h
Filesystem                  Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs              14G     13G   -153M   101%    /

Damn it so my APU's 16GB SSD is full! And here's the offender:
Code: [Select]
mircsicz@router:~ $ sudo du -h /var/log
 88K    /var/log/lighttpd
4.0K    /var/log/suricata
4.0K    /var/log/ntp
5.1M    /var/log/audit
8.7G    /var/log/filter

So I rm'd some of those:
Code: [Select]
mirco@router:~ $ sudo ls -lh /var/log/filter
total 18213184
-rw-------  1 root  wheel   143M Mar 10 00:00 filter_20230309.log
-rw-------  1 root  wheel   154M Mar 11 00:00 filter_20230310.log
-rw-------  1 root  wheel   127M Mar 12 00:00 filter_20230311.log
-rw-------  1 root  wheel   153M Mar 13 00:00 filter_20230312.log
-rw-------  1 root  wheel   132M Mar 14 00:00 filter_20230313.log
-rw-------  1 root  wheel   130M Mar 15 00:00 filter_20230314.log
-rw-------  1 root  wheel   140M Mar 15 23:59 filter_20230315.log
-rw-------  1 root  wheel   130M Mar 17 00:00 filter_20230316.log
-rw-------  1 root  wheel   145M Mar 18 00:00 filter_20230317.log
-rw-------  1 root  wheel   126M Mar 19 00:00 filter_20230318.log
-rw-------  1 root  wheel   125M Mar 20 00:00 filter_20230319.log
-rw-------  1 root  wheel   144M Mar 21 00:00 filter_20230320.log
-rw-------  1 root  wheel   131M Mar 22 00:00 filter_20230321.log
-rw-------  1 root  wheel   117M Mar 23 00:00 filter_20230322.log
-rw-------  1 root  wheel   150M Mar 24 00:00 filter_20230323.log
-rw-------  1 root  wheel   295M Mar 25 00:00 filter_20230324.log
-rw-------  1 root  wheel   502M Mar 25 23:59 filter_20230325.log
-rw-------  1 root  wheel   462M Mar 27 00:00 filter_20230326.log
-rw-------  1 root  wheel   502M Mar 28 00:00 filter_20230327.log
-rw-------  1 root  wheel   515M Mar 29 00:00 filter_20230328.log
-rw-------  1 root  wheel   517M Mar 30 00:00 filter_20230329.log
-rw-------  1 root  wheel   344M Mar 31 00:00 filter_20230330.log
-rw-------  1 root  wheel   320M Apr  1 00:00 filter_20230331.log
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:18 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log

root@router:/var/log/filter # rm filter_202303*
root@router:/var/log/filter # ls -lh
total 6938944
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:19 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log

Then I checked through my Filter rules but all of them are like that.

So long story short question: Is there a way to check for Filter rules that have logging enabled in the config?
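For the question in the post above, one way to list rules that have logging switched on is to read a configuration export directly. This is an added example, not part of the original post and not OPNsense's own code; it assumes user-defined rules are stored as `<rule>` elements under `<filter>` and carry a `<log>` child when logging is enabled, and the sample XML is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <filter> section of a config export
# (assumed layout: <filter><rule>...</rule></filter>, logging marked by <log>).
SAMPLE_CONFIG = """<opnsense>
  <filter>
    <rule><type>pass</type><interface>lan</interface><descr>LAN to any</descr></rule>
    <rule><type>block</type><interface>wan</interface><log>1</log><descr>Drop bogons</descr></rule>
    <rule><type>pass</type><interface>opt1</interface><log>0</log><descr>IoT to DNS</descr></rule>
    <rule><type>pass</type><interface>wan</interface><disabled>1</disabled><log>1</log><descr>Old forward</descr></rule>
    <rule><type>pass</type><interface>lan</interface><log/><descr>Empty log tag</descr></rule>
  </filter>
</opnsense>"""


def _text(rule, tag):
    """Stripped text of a child element, or None when the element is absent."""
    node = rule.find(tag)
    return (node.text or "").strip() if node is not None else None


def rules_with_logging(xml_data):
    """Return one dict per <filter>/<rule> that has a <log> element not set to 0.

    An empty <log/> is reported too, so it can be reviewed by hand.
    """
    root = ET.fromstring(xml_data)
    hits = []
    for position, rule in enumerate(root.findall("./filter/rule"), start=1):
        log_value = _text(rule, "log")
        if log_value is None or log_value == "0":
            continue
        hits.append({
            "position": position,  # 1-based order inside <filter>
            "interface": _text(rule, "interface") or "",
            "type": _text(rule, "type") or "",
            "descr": _text(rule, "descr") or "",
            "disabled": _text(rule, "disabled") not in (None, "0"),
            "log_value": log_value,
        })
    return hits


def active_logging_rules(xml_data):
    """Logging rules that are not disabled, i.e. the ones that can write log lines."""
    return [r for r in rules_with_logging(xml_data) if not r["disabled"]]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # path to a saved config export
            data = fh.read()
    else:
        data = SAMPLE_CONFIG
    for r in rules_with_logging(data):
        state = "disabled" if r["disabled"] else "active"
        print(f'#{r["position"]:>3} {r["interface"]:<6} {r["type"]:<6} {state:<8} {r["descr"]}')
```

Pass the path of a saved configuration export as the first argument to check a real rule set instead of the constructed sample.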

6
Hardware and Performance / Re: OPNsense on ARM
« on: November 22, 2022, 12:31:16 am »
I'd love to pack a Raspberry or Banana Pi in my travel gear to have an OPNsense for WG and the like with me...

Are there any official plans?

7
22.1 Legacy Series / Re: os-ddclient with No-Ip not finding an IP
« on: June 22, 2022, 11:07:16 pm »
Thx for the hint, but that method seems to be unavailable when using the web interface to configure ddclient...

I've now checked the source code of /usr/local/opnsense/scripts/ddclient/checkip and found this list inside:
Code: [Select]
service_list = {
  'dyndns': '%s://checkip.dyndns.org/',
  'freedns': '%s://freedns.afraid.org/dynamic/check.php',
  'googledomains': '%s://domains.google.com/checkip',
  'he': '%s://checkip.dns.he.net/',
  'ip4only.me': '%s://ip4only.me/api/',
  'ip6only.me': '%s://ip6only.me/api/',
  'ipify-ipv4': '%s://api.ipify.org/',
  'ipify-ipv6': '%s://api6.ipify.org/',
  'loopia': '%s://dns.loopia.se/checkip/checkip.php',
  'myonlineportal': '%s://myonlineportal.net/checkip',
  'noip-ipv4': '%s://ip1.dynupdate.no-ip.com/',
  'noip-ipv6': '%s://ip1.dynupdate6.no-ip.com/',
  'nsupdate.info-ipv4': '%s://ipv4.nsupdate.info/myip',
  'nsupdate.info-ipv6': '%s://ipv6.nsupdate.info/myip',
  'zoneedit': '%s://dynamic.zoneedit.com/checkip.html'
}

After checking some of these I checked googledomains and that seems to work so far:
Code: [Select]
2022-06-22T23:48:17 Notice ddclient[771] 381 - [meta sequenceId="32"] SUCCESS: foo.ddns.me: skipped: IP address was already set to 185.xxx.xx.xx.
2022-06-22T23:48:10 Notice ddclient[98070] 96230 - [meta sequenceId="31"] WARNING: updating bar.dynns.com: nochg: No update required; unnecessary attempts to change to the current address are considered abusive

I also realized that when switching back to "noip-ipv4" it breaks again...

@franco: as an EBI you might consider adding a hint to the list of offered services that most of those are just web services like whatismyip.com... Because I first expected it to be specific to my above chosen Provider like noIP...

8
22.1 Legacy Series / [SOLVED] os-ddclient with No-Ip not finding an IP
« on: June 22, 2022, 04:11:54 pm »
Hi all,

os-dyndns stopped working for me when I was using No-Ip Group Passwd's. So I had to revert to my Master Passwd for all machines using that account a while ago. That is why I was happy to read that os-ddclient is gonna replace os-dyndns!

Now that we're about to transition to 22.7 I looked into migrating my setups to os-ddclient but am facing some issues with ddclient:

I've already read this thread and also this thread

With my setup I see the following in the logs:

Code: [Select]
2022-06-22T15:59:41 Notice ddclient[98565] 93904 - [meta sequenceId="7"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:35 Notice ddclient[52758] 73674 - [meta sequenceId="6"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:10 Notice ddclient[771] 37236 - [meta sequenceId="5"] WARNING: unable to determine IP address
2022-06-22T15:59:10 Notice ddclient[771] 35027 - [meta sequenceId="4"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:07 Notice ddclient[98070] 17061 - [meta sequenceId="3"] WARNING: unable to determine IP address
2022-06-22T15:59:07 Notice ddclient[98070] 16274 - [meta sequenceId="2"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:00 Notice ddclient[95522] 19804 - [meta sequenceId="1"] WARNING: found neither ipv4 nor ipv6 address

So far I've tried the following "Check ip methods":
  • noip-ipv4
  • interface

But the log doesn't change...

This is what my ddclient.conf looks like:
Code: [Select]
daemon=300
syslog=yes                  # log update msgs to syslog
pid=/var/run/ddclient.pid   # record PID in file.
ssl=yes


use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i pppoe0 -t 1 -s noip-ipv4",
protocol=noip, \
login=MYUSER, \
password=MYPASSWD \
foo.ddns.me

I'm hoping one of you spots the missing link...

I've also read this hint and tried to run it from ssh like this:

# sudo ddclient -daemon=0 -debug -verbose -noquiet

9
21.1 Legacy Series / Re: WireGuard Issue's while setting up
« on: July 26, 2021, 03:55:21 pm »
So I've found a reason for my instances not activating the tunnel:

As soon as I add an additional "allowed ips" entry the tunnel goes down:

Code: [Select]
$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY
Address = 172.xx.xx.x/32
ListenPort = 21823

brings up the tunnel without an endpoint:

Code: [Select]
$ sudo wg
interface: wg0
  public key: REMOTEPUBKEY
  private key: (hidden)
  listening port: 21823

As soon as I add

Code: [Select]
$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY
Address = 172.xx.xx.x/32
ListenPort = 21823

[Peer]
PublicKey = LOCALPUBKEY
Endpoint = my.ddns.me:21823
AllowedIPs = 172.xx.xx.x/24,10.xx.xxx.0/24
PersistentKeepalive = 60

the tunnel goes down:
Code: [Select]
$ sudo wg

So I thought it might be an issue with the keys, recreated them like a dozen times! Then I tried stripping ',10.xx.xxx.0/24' from the "allowed ips" parameter and tada, the tunnel comes up:

Code: [Select]
$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY
Address = 172.xx.xx.x/32
ListenPort = 21823

[Peer]
PublicKey = LOCALPUBKEY
Endpoint = my.ddns.me:21823
AllowedIPs = 172.xx.xx.0/24
PersistentKeepalive = 60

the tunnel comes up:

Code: [Select]
$ sudo wg
interface: wg0
  public key: REMOTEPUBKEY
  private key: (hidden)
  listening port: 21823

peer: LOCALPUBKEY
  endpoint: 185.144.YY.YY:21823
  allowed ips: 172.xx.xx.0/24
  transfer: 0 B received, 6.94 KiB sent
  persistent keepalive: every 1 minute

Problem is the stripped IP range is my "Main OPNsense" subnet... And there's no handshake!

@franco you got a hint why this is happening?

BTW: Just reproduced it on a second remote side:

Code: [Select]
$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY2
Address = 172.xx.27.x/32
ListenPort = 21822

[Peer]
PublicKey = LOCALPUBKEY
Endpoint = my.ddns.me:21822
AllowedIPs = 172.x.x27.x/24
PersistentKeepalive = 60

With ',10.xx.xxx.0/24' missing from AllowedIPs, the tunnel comes up too:

Code: [Select]
$ sudo wg
interface: wg0
  public key: REMOTEPUBKEY2
  private key: (hidden)
  listening port: 21822

peer: LOCALPUBKEY
  endpoint: 185.xxx.xx.xx:21822
  allowed ips: 172.xx.27.0/24
  transfer: 0 B received, 5.06 KiB sent
  persistent keepalive: every 1 minute

I don't f..ing get it.

10
21.1 Legacy Series / Re: WireGuard Issue's while setting up
« on: July 26, 2021, 02:01:15 pm »
That's correct, it's just different Tunnels:


11
21.1 Legacy Series / Re: WireGuard Issue's while setting up
« on: July 26, 2021, 01:24:04 pm »
Been using it for a while (as VPN Tunnel-Net) and never got issues

12
21.1 Legacy Series / Re: WireGuard Issue's while setting up
« on: July 26, 2021, 02:18:39 am »
So what is it that denies the (additional) tunnel being activated?

Code: [Select]
$ sudo /usr/local/etc/rc.d/wireguard stop
wg-quick: `wg0' is not a WireGuard interface

I can run the start/restart but only get default feedback
Code: [Select]
$ sudo /usr/local/etc/rc.d/wireguard start
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.10.xx.x/24 alias
[#] ifconfig wg0 mtu 1340
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.xx.xx.x/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock

But "wg show" remains empty
Code: [Select]
$ sudo wg show

So this behaviour shows now on two different machines. On both I've recreated the config like 3-4 times. And I also have it on my main FW but only for the third tunnel...

Code: [Select]
$ cat /etc/rc.conf.d/wireguard
wireguard_var_script="/usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh"
wireguard_enable="YES"
wireguard_interfaces="wg0"
start_postcmd=opnsense_postcmd
opnsense_postcmd()
{
for interface in ${wireguard_interfaces}; do
ifconfig ${interface} group wireguard
done
}

For me it's definitely activated, so where else could I look for the problem?!?

13
21.1 Legacy Series / Re: WireGuard Issue's while setting up
« on: July 25, 2021, 09:58:34 pm »
Reply to myself:

Can't get it to print a config on the WebIF, but the console gives me some more feedback:

Code: [Select]
$ sudo wg show
$ sudo wg-quick up /usr/local/etc/wireguard/wg0.conf
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.xx.xx.1/24 alias
[#] ifconfig wg0 mtu 1340
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.xx.xxx.0/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock
$ sudo ifconfig -g tun
ovpns1
$ sudo ifconfig wg create name wg0
ifconfig: SIOCIFCREATE2: Invalid argument

So this is what "/usr/local/etc/rc.d/wireguard" uses to start the service:
Code: [Select]
$ sudo /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.xx.xx.1/24 alias
[#] ifconfig wg0 mtu 1340
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.xx.xxx.0/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock

Tried another target/tunnel but have the same issue as with the one above, no config nor handshake is printed...

It's driving me crazy!

14
21.1 Legacy Series / Re: WireGuard Issue's while setting up
« on: July 25, 2021, 07:11:05 pm »
@bubbagump: THX for challenging me to check once more ;-)

Arggghhh, been going over those configs triple times...

But as it goes with quick Saturday couch tasks I fucked up triple!...

Rechecked the exchanged pubkeys and got the first tunnel up!!!

But there's a 2nd tunnel/target giving me a hard time:



Looking via SSH I can see the config seems to be fine:

Code: [Select]
[Interface]
PrivateKey = PRIVKEY
Address = 172.10.xx.x/24
ListenPort = xx822

[Peer]
PublicKey = PEERPUBKEY
Endpoint = 172.10.xx.x:xx822
AllowedIPs = 172.10.xx.0/24,10.10.xx.x/24
PersistentKeepalive = 60

There's no other config inside the wireguard config dir:
Code: [Select]
$ sudo ls -l /usr/local/etc/wireguard/
total 8
-rw-------  1 root  wheel  305 Jul 25 18:51 wg0.conf

But the Interface is really crooked:

Code: [Select]
--help: flags=8002<BROADCAST,MULTICAST> metric 0 mtu 1420
options=80000<LINKSTATE>
groups: tun
nd6 options=103<PERFORMNUD,ACCEPT_RTADV,NO_DAD>
Opened by PID 44943

This is a machine on which I already took the XML, removed all WireGuard mentions and restored it as a backup.

On my router, which already has one working tunnel to another target, I can see that there's no contact to the other side:

Code: [Select]
interface: wg1
  public key: PUBKEY
  private key: (hidden)
  listening port: xx822

peer: PEERPUBKEY
  endpoint: 185.35.xx.xx:xx822
  allowed ips: 10.10.xx.xx/24, 10.x.x.0/24, 10.x.x.0/24
  transfer: 0 B received, 31.80 KiB sent
  persistent keepalive: every 1 minute

Handshake is empty:
Code: [Select]
wg1 PEERPUBKEY 0

So as there is that interface with this highly uncommon name:
Code: [Select]
# sudo ifconfig -g tun
ovpns1
--help

how do I delete that interface?

After a reboot it's gone... So let's reconfigure this target.

15
21.1 Legacy Series / Re: WireGuard Issue's while setting up
« on: July 25, 2021, 03:42:21 pm »
I sure did... ;-)

But thx for asking anyways! :-)

For all the following readers I'll add a screenshot and a note to the initial posting
