Topics - interfaSys

1
17.1 Legacy Series / 17.1.5 no DNS access for VLANs
« on: April 26, 2017, 11:48:14 am »
After the upgrade to 17.1.5, name resolution doesn't work for VLAN members.
Using the tools from the GUI, everything works fine.
The firewall is not blocking the outgoing requests, but it seems the answers never make it back.

VLANs define their own (external) nameservers.
VLAN uses OpenVPN link as a gateway.
Nothing special in the logs.
All gateways and services up.
No proxy, no IDS.

What's the best way to debug this?

2
17.1 Legacy Series / 17.1.2 new re driver + suricata + IPS = kernel panic
« on: March 18, 2017, 03:40:26 pm »
Do not turn on IPS mode in Suricata when using the new re driver because emulated netmap crashes the OS.

See: https://redmine.openinfosecfoundation.org/issues/1688

What we need is a patched Realtek driver with netmap support.
I didn't manage to patch it last year, but I'm not a driver engineer.

The alternative would be to let people pick the driver they want to use.

3
17.1 Legacy Series / Corrupt image and incomplete instructions to burn USB stick on Windows
« on: February 04, 2017, 06:29:15 pm »
I've tried to burn the vga image of 17.1 on Windows using the utility described in the doc.

Code:
1048576/939001344 bytes written
Write error after 1048576 bytes.
I've also tried with rufus, which doesn't complain, but the stick doesn't boot. The error messages says something about a corrupt GPT or invalid checksum.

I've also tried to burn the cdrom image, but rufus can't burn it because of an unknown compression scheme being used.

Has anybody managed to burn an image on Windows?

4
17.1 Legacy Series / Locked out after upgrade
« on: February 04, 2017, 06:17:08 pm »
I upgraded via
Code:
# opnsense-update -ur 17.1 -l.
The box rebooted a couple of times.

Side effects:

  • The boot picture is gone
  • There is no console menu any more
  • root password is refused
  • network is not configured properly

This means that I'm locked out and the router seems to be bricked. The line above the login prompt is on point... : <something>/Amnesia

5
16.1 Legacy Series / [Solved] 2FA still not implemented for the GUI in 16.1.15?
« on: May 26, 2016, 04:21:21 pm »
Update: It's working, but it's just non-standard from my pov, so I've opened a Github issue: https://github.com/opnsense/core/issues/966

-----------
I've followed the documentation and generated a code for the root account, but I'm never presented a form to enter my OTP code after my password has been validated.

Is this feature not yet available?

6
16.1 Legacy Series / Netflow Insight not showing any data
« on: May 19, 2016, 05:49:36 pm »
I've followed the steps in the doc, but left the destination blank.
I added wan, a gateway and a vlan as a test
I left the version at v9, even though IPv6 is disabled since it's not entirely disabled according to the list of sockets I see.

If I go to the "Insight" page, the graphs are empty: "no data available"

The logs are spammed with

Quote
May 19 17:48:00   configd.py: [f300521e-863a-4cd3-97fa-0bad73b2ca06] request netflow data aggregator metadata
May 19 17:47:59   configd.py: [ef199544-de3e-46c2-8093-d3e1a46f1cac] request netflow data aggregator top usage for FlowInterfaceTotals
May 19 17:47:59   configd.py: [df958d68-9646-4f2b-a8b8-35cab2fbff88] request netflow data aggregator top usage for FlowInterfaceTotals
May 19 17:47:59   configd.py: [2a413224-0022-48c8-a8d8-de948bce05ee] request netflow data aggregator top usage for FlowSourceAddrTotals
May 19 17:47:59   configd.py: [4d36559a-6244-43c8-a5a0-8492686bb371] request netflow data aggregator top usage for FlowDstPortTotals
May 19 17:47:59   configd.py: [0f664e35-f9e2-4273-880a-bd80d66e5230] request netflow data aggregator timeseries for FlowInterfaceTotals

7
16.1 Legacy Series / apinger completely unreliable on 16.1.13
« on: May 11, 2016, 01:47:06 pm »
I have a gateway group with 3 tiers.
Traffic fails to switch to tier2 when tier1 is down.

I get lots of these errors in the logs:

Code:
May 11 13:28:22 apinger: Error while starting command form alarm(down) on target(8.8.4.4-VPN_TCP_VPNV4)
May 11 13:28:12 apinger: ALARM: VPN_TCP_VPNV4(8.8.4.4) *** down ***

which seem to indicate that the tier switch action fails to be triggered.

And also these

Code:
apinger: command (al/opnsense/service/configd_ctl.py -m 'dyndns reload VPN_TCP_VPNV4' 'ipsecdns reload' 'openvpn reload VPN_TCP_VPNV4' 'filter reload' ) exited with status: 127
But that could be because it's trying to reload ipsec when ipsec has not even been setup.

8
16.1 Legacy Series / Proxy avoids Firewall set gateway group every time a gateway (VPN) is down
« on: April 15, 2016, 06:46:44 pm »
The VLAN has a set of firewall rules which say:
* VLANnet to VLANnet -> * GW
* VLANnet to 127.0.0.1:3128 -> * GW (We can't change this GW, the rule comes from Port Forward)
* VLANnet to  ! VLANnet -> VPN_GW

VPN_GW is a group. Within this group the default GW is set to "Never"

We can't pick a GW for the proxy, so I'm guessing it follows the rules set by the firewall, but this might be where there is a problem.

There are also a bunch of outbound NAT rules in hybrid mode for 127.0.0.0 and VLANnet (VPN rules first and the automated rules at the bottom).

In System: Settings: Miscellaneous, there is a setting which is called: Skip rules when gateway is down
Quote
By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down
I've ticked this box since this is exactly the behaviour I want to avoid.

Everything is working fine, traffic is routed correctly, through the proxy and through one of the VPN GW, but if I stop one of the VPN connections, then all traffic is routed through the default GW.

It seems that when a VPN connection is taken down, routes are altered, but the system setting is not having the expected effect and the default gateway is used.

9
Development and Code Review / [SOLVED] Use local ports tree instead of packages from mirror when building core
« on: March 11, 2016, 11:02:17 am »
The current process to build and install core, as I understand it is as follows:

  • Update all ports
  • cd /usr/tools
  • Build ports missing from the packages "image" using "make ports"
  • make core

make core does this:
  • Unpack all packages, mix with compiled missing ports
  • Build core
  • Update contrib with files from packages?
  • Create new packages image

For people using `opnsense/ports` to compile all their ports, there are a few problems:

  • All missing ports have to be compiled again, although all those ports have been installed already
  • The rest of the packages used are vanilla packages which have not been compiled for the current architecture. It's only a problem if those files are actually used
  • If contrib is updated using vanilla packages, then it might introduce some changes compared to what is installed

If the only reason packages are downloaded and unpacked to build core is to update contrib, then only those packages should be used.
Those packages don't even need to be compiled, they're already installed and the needed files can be fetched from the filesystem. pkg info can tell the script if the version is what is expected.

Am I correct and the whole process can be simplified for people using the ports tree?

10
Development and Code Review / [SOLVED] Can't install base or kernel created by the tools: no manifest found
« on: March 08, 2016, 01:25:33 pm »
This is what I get when trying to install the generated packages

Code:
# cd /usr/tools
# make base
# cd /tmp/sets
# pkg add -f base-16.7.a_15-amd64.txz
pkg: base-16.7.a_15-amd64.txz is not a valid package: no manifest found

Failed to install the following 1 package(s): base-16.7.a_15-amd64.txz

11
General Discussion / Please make it the default option to launch the LiveCD
« on: February 05, 2016, 02:35:43 am »
I think it's very dangerous to have an image which auto installs its content on a hard drive after having finished booting. If we're not careful after a reboot, we can lose all the content of the hard drive in the test system.

12
16.1 Legacy Series / IDS mode blocks all connections
« on: February 05, 2016, 12:18:22 am »
Ever since 16.1.1, I can't enable Suricata in IDS mode any more without it blocking all traffic. Was the firewall grouping feature purely a visual feature or did it change something in the way rules are loaded?

The setup is as follows:
LAN -> VPN GW
VLAN1 -> VPN GW
VLAN1 has a DHCP with its own DNS, located on the outside

I've set Suricata to analyse LAN.
As soon as it's on, connections to the outside world are blocked. Disabling HW acceleration has no effect.

Also, when it was working, the VPN connection had to be restarted after each reboot, but that doesn't work any more.

13
Documentation and Translation / How-to: Manually build and update the GUI
« on: February 02, 2016, 05:44:10 pm »
This is for people maintaining their ports themselves and who wish to be able to manually update the GUI without overwriting anything else.

WARNING: That will only work from 16.1.7 as you need an updated makefile in /usr/core

Get the source code

Code:
# pkg install git gettext-tools
# cd /usr
# rm -rf src ports
# git clone https://github.com/opnsense/ports
# git clone https://github.com/opnsense/core

Updating

Update all ports

Code:
# cd /usr/ports
# git checkout 16.1.8

Use the latest tagged release instead of 16.1.8.
Then update all your ports the way you usually do it. For example, with portmaster it would be

Code:
# portmaster -a
Install the updated OPNsense GUI.

Code:
# cd /usr/core
# git checkout 16.1.8
# make package
# pkg add -f opnsense-16.1.8.txz

Update base and kernel

Code:
# opnsense-update -bkr 16.1.8
Reboot

14
Development and Code Review / Why is WRKDIRPREFIX set to /usr/obj for all ports?
« on: January 29, 2016, 12:49:29 pm »
make.conf contains
Code:
WRKDIRPREFIX= /usr/obj
which builds ports in /usr/obj/usr/ports/folder/port/work

The comment says "move work area out of unionfs".

What does it mean?

15
16.1 Legacy Series / [SOLVED] squid not happy about the update
« on: January 28, 2016, 10:53:22 pm »
Squid can't shut up and is hammering
Code:
/tmp/PHP_errors.log
Code:
Fatal error: Class 'Phalcon\DI\FactoryDefault' not found in /usr/local/opnsense/mvc/script/load_phalcon.php on line 32
2016/01/28 22:50:03 kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr39932, 120 bytes '
2016/01/28 22:50:03 kid1| helperOpenServers: Starting 1/5 'squid.auth-user.php' processes
2016/01/28 22:50:03 kid1| Starting new helpers
2016/01/28 22:50:03 kid1| Too few basicauthenticator processes are running (need 1/5)
2016/01/28 22:50:03 kid1| WARNING: basicauthenticator #Hlpr39931 exited

I've tried killing it, restarting it, nothing works. Is the code broken or is this a known problem with a workaround?
