Topics - phoenix

1
23.7 Legacy Series / pppoe MTU not being set correctly.
« on: August 21, 2023, 05:28:13 pm »
I've been setting the NIC MTU to 1508 and the pppoe setting was (on an earlier version of OPNsense) also being set to 1500. I was checking some other settings recently and I noticed that the pppoe interface was now only set to 1492.

This is for the current OPNsense 23.7.1_3-amd64 release:

Code:
igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
igc2: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
igc3: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
igc4: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=0<> metric 0 mtu 1500
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33160
pppoe3: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1500

Have I missed something or is this an error?




2
22.7 Legacy Series / Update to 22.7.4 - is this correct
« on: September 09, 2022, 01:16:50 pm »
I've recently done the update to 22.7.4 but when I ran an audit I get what seems to be contradictory information.

The following shows I have 2.7.4 and a vulnerability in python:

Code:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 22.7.4 (amd64/OpenSSL) at Fri Sep  9 10:59:51 UTC 2022
vulnxml file up-to-date
python39-3.9.13 is vulnerable:
  Python -- multiple vulnerabilities
  CVE: CVE-2020-10735
  WWW: https://vuxml.FreeBSD.org/freebsd/80e057e7-2f0a-11ed-978f-fcaa147e860e.html

1 problem(s) in 1 installed package(s) found.
***DONE***

The following Health report tells me I'm running 22.7.4 and that I have 22.7.3 kernel and base, is this correct?

Code:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7.4 (amd64/OpenSSL) at Fri Sep  9 11:01:20 UTC 2022
>>> Check installed kernel version
Version 22.7.3 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7.3 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-intrusion-detection-content-pt-open 1.0_1
os-maltrail 1.9
os-theme-rebellion 1.8.8
os-vmware 1.5_1
os-wireguard 1.12
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: ................................................................. done
***DONE***

3
22.7 Legacy Series / Upgrade always fails...
« on: August 18, 2022, 11:39:27 am »
For quite a while I've been having problems running updates to OPNsense, they always fail with a "signature invalid" with the latest 'base'. If it happens for the major releases I just download the installation DVD, do that as a clean install and import my backed-up settings.

I'm currently on an ADSL pppoe connection without any problems other than this one. I have a Zyxel VMG8924-B10A router that's in Bridge mode and all is working fine, I also have used a Fritzbox router with the pppoe connection in 'passthru' mode and that had the same problem.

Is there any way to determine what's causing this problem?

As usual, the latest 22.7.2 also failed at the same point after downloading the latest 'base', I've also tried various alternative mirrors both in the UK and further afield, all with the same result.

Code:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.7.1 (amd64/OpenSSL) at Wed Aug 17 18:35:34 UTC 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (100 candidates): .......... done
Processing candidates (100 candidates): ... done
The following 20 package(s) will be affected (of 0 checked):

The cleanup will free 12 MiB
Deleting files: .......... done
All done
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-22.7.2-amd64.txz:
... failed, signature invalid
***DONE***

4
22.1 Legacy Series / Upgrade fails with "signature invalid"
« on: January 29, 2022, 01:34:38 pm »
I've been trying to update to the latest release without success, it keeps failing with a "signature invalid". I've used the default settings and several different mirrors and all of them are failing with the same error.

This is the truncated output:

Code:
***GOT REQUEST TO UPGRADE***
Currently running OPNsense 21.7.8 (amd64/OpenSSL) at Sat Jan 29 10:04:36 UTC 2022
Fetching packages-22.1-OpenSSL-amd64.tar: ... failed, signature invalid
***DONE***

This instance of OPNsense is a VM (on VMware) and I've never had any problems upgrading in the past. What can I do to debug or fix this problem?

Regards


Bill

5
21.7 Legacy Series / IPv6 & zen.co.uk
« on: August 25, 2021, 05:31:33 pm »
I'm following the documentation for setting-up the IPv6 config on the current 21.7 version of OPNsense. The documentation here: https://docs.opnsense.org/manual/how-tos/IPv6_ZenUK.html states that I should add a Gateway via the System: Gateways All but that doesn't exist any more, could some kind soul give me a clue as to where I need to put that entry - would it be in the System: Gateways: Group or is that only for load balancing?

6
21.7 Legacy Series / [Solved] PPPoE & forwarding rules
« on: August 20, 2021, 01:50:24 pm »
Hi Everyone

I've just moved back to the UK and my ISP is Zen. Unfortunately I'm stuck in an area with ADSL, this has worked fine using their Fritzbox and I'm now trying to get OPNsense working 'correctly' with a ZyXel VMG8924-B10A in Bridge mode. :)

I've finally got the connection up and running with internet access but I'm having a problem with inbound 'open' ports which I've had for ages. My previous configuration worked fine on my French Fibre connection but now I've moved this server to the UK with the same rules configured nothing is being forwarded to my internal servers. Am I likely to have missed some config changes that I should have made now I'm on a PPPoE connection?

FWIW, the connection correctly shows the fixed IP plus the PPPoE gateway address. I'm slightly lost here so could someone point me in the right direction, please.

PS I forgot to mention that this was a fully working system when I had my French ISP fibre connection. The only thing that changed was moving to a PPPoE connection via zen and the configuration that required.

7
19.7 Legacy Series / Logging/targets - a comment and a question
« on: August 31, 2019, 03:49:56 pm »
I've just been looking at using the Logging/Targets and (to me) it seems rather odd to have a drop-down box on the page that has "Nothing selected", to me that seems to imply that no 'Applications/log levels/facilities' have been selected.

If you look at the Full Help and see that it says this:

Quote
Choose which levels to include, omit to select all

I would guess that the definition of 'omit' in this usage wouldn't be that clear to most people and perhaps it would be better to have "All Selected" (and have them ticked in the drop-down) as the initial 'selection' to make it clear that all of the items in the drop down list have been selected?

8
19.7 Legacy Series / [Resolved] Problem running cron job
« on: August 14, 2019, 08:01:12 pm »
I currently have the 19.7.2 release installed and it seems getting a cron job to run has changed since I last did this. :(

Because of a problem with my 'box' that connects me to the internet where I occasionally lose all outside contact I need to reboot this at that point to regain my connection.

First of all I went to the UI and System/Settings/cron and tried to add a new job there only to find a pre-existing list of commands that couldn't be modified or new ones added. Checked the documentation here https://docs.opnsense.org/manual/settingsmenu.html?highlight=cron#cron which basically confirmed I was looking at the correct screen.

It was only when I found this site http://kb.unixservertech.com/other/networking/opnsense/cron-jobs that I discovered configd is now used.

I have a script that checks my connection to the internet by basically sending a ping to several sites and if it fails it will reboot my 'box' to restore the connection. I duly recreated a new config file for configd, restarted the service and tested that it ran my script correctly, it did and entered several entries in the log file. I'd also created a new cron job using my config file as the 'job' and set it to be run every five minutes. After that, nothing! The script does not run and no further entries appear in the log file.
I've currently placed my script in "/etc/rc.conf.d/scripts" (is there somewhere more appropriate?) and the config file contains this:

Code:
[reload]
command:/etc/rc.conf.d/scripts/freebox-check
parameter: %s
type:script
message:Check Freebox Internet Connection
description:Freebox Connectivity Check

Is there something obvious I might have missed or anything else that needs to be checked to get this cron job working?

Sorry about the long post.


9
18.1 Legacy Series / [SOLVED] Telegraf plugin error
« on: January 30, 2018, 11:07:15 am »
When I was checking the telegraf plugin/output page and hit save it gave me an error message "text validation error" on the Graylog & Graphite server boxes even though neither of the functions are enabled. Putting a single character in there and hitting save has got it restarted, is anyone else seeing this?

10
General Discussion / How pathetic!!
« on: November 24, 2017, 02:48:05 pm »
I really couldn't believe this when I read it: https://forum.opnsense.org/index.php?topic=6466.msg27740

I knew they were a bunch of arrogant !!!!!!! (put your own comment in there) but I didn't think they'd be that desperate. You guys must be doing something right, keep up the good work. :)

I, for one, am pleased I installed OPNsense and hang around these much more friendly forums and I congratulate the team for a great product and great support.

11
17.7 Legacy Series / IPv6 Dual-stack and Outbound rules
« on: November 20, 2017, 07:22:13 pm »
I'm still (slowly :)) working my way through implementing IPv6 on my LAN. I've got to the stage that I have everything set-up, whether it's correct or not is a moot point but my initial question is this: do I need to make any change to outbound NAT rule generation?

I still have IP4 so this is a NAT scenario with fixed IPs for IPv6 on the OPNsense WAN & LAN (plus wi-fi) NICs, everything else is automatically assigned (for now). The thing that concerns me is that a port scan shows several other ports that are open on my mail server other than the required 25, 587 and 443 for web mail access - perhaps I'm missing something obvious but how does one close or restrict access to these open ports on IPv6?

12
17.7 Legacy Series / Telegraf logging errors for netstat, missing lsof
« on: November 19, 2017, 10:03:43 am »
I'm seeing the following errors in the telegraf log:

Code:
2017-11-18T15:52:58Z E! Error in plugin [inputs.system]: open /var/run/utmp: no such file or directory

From what I've read (hopefully correctly) this is a problem with a missing lsof but that's not supplied in OPNsense, is it? I can't see anywhere that the netstat input is defined in the config file, is there any way to disable that message or does something need fixing?

13
General Discussion / IPv6 security & OPNsense
« on: November 14, 2017, 04:26:28 pm »
While I was doing some searching on the internet about IPv6 I came across this article:

https://www.secfu.net/2017/04/16/opnsense-as-an-ipv6-firewall-testing-ipv6-security-devices-part-1/

Not understanding the technical details of that article I was wondering if that is of any concern to OPNsense users?

14
General Discussion / IPv6 Privacy Extensions
« on: November 14, 2017, 04:23:47 pm »
As a new(ish) owner of a native IPv6 delegation I'm guessing that it's advisable to enable IPv6 privacy extensions on my LAN VMs? Would it be a good idea if these settings were changed to enabled by default?

15
General Discussion / Single WAN: CARP/HA possible?
« on: October 13, 2017, 09:56:28 am »
I only have a single WAN connection, is it possible to configure an HA solution with this set-up? I have seen an article about this using pfsense on a French blog here: https://voiprovider.wordpress.com/2017/03/26/la-ha-avec-pfsense-et-1-seule-ip-wan/  would this work in OPNsense?
