Topics

After the upgrade to 17.1.5, name resolution doesn't work for VLAN members.
Using the tools from the GUI, everything works fine.
The firewall is not blocking the outgoing requests, but it seems the answers never make it back.

VLAN define their own (external) nameservers
VLAN uses OpenVPN link as a gateway.
Nothing special in the logs.
All gateways and services up.
No proxy, no IDS.

What's the best way to debug this?

Do not turn on IPS mode in Suricata when using the new re driver because emulated netmap crashes the OS.

See: https://redmine.openinfosecfoundation.org/issues/1688

What we need is a patched Realtek driver with netmap support.
I didn't manage to patch it last year, but I'm not a driver engineer.

The alternative would be to let people pick the driver they want to use.

I've tried to burn the vga image of 17.1 on Windows using the utility described in the doc.

Code Select Expand

1048576/939001344 bytes writtenWrite error after 1048576 bytes.

I've also tried with rufus, which doesn't complain, but the stick doesn't boot. The error messages says something about a corrupt GPT or invalid checksum.

I've also tried to burn the cdrom image, but rufus can't burn it because of an unknown compression scheme being used.

Has anybody managed to burn an image on Windows?

I upgraded via

Code Select Expand

# opnsense-update -ur 17.1 -l.

The box rebooted a couple of times.

Side effects:

• The boot picture is gone
• There is no console menu any more
• root password is refused
• network is not configure properly

This means that I'm locked out and the router seems to be bricked. The line above the login prompt is on point... : <something>/Amnesia

Update: It's working, but it's just non-standard from my pov, so I've opened a Github issue: https://github.com/opnsense/core/issues/966

-----------
I've followed the documentation and generated a code for the root account, but I'm never presented a form to enter my OTP code after my password has been validated.

Is this feature not yet available?

I've followed the steps in the doc, but left the destination blank.
I added wan, a gateway and a vlan as a test
I left the version at v9, even though IPv6 is disabled since it's not entirely disabled according to the list of sockets I see.

If I go to the "Insight" page, the graphs are empty: "no data available"

The logs are spammed with

May 19 17:48:00   configd.py: [f300521e-863a-4cd3-97fa-0bad73b2ca06] request netflow data aggregator metadata
May 19 17:47:59   configd.py: [ef199544-de3e-46c2-8093-d3e1a46f1cac] request netflow data aggregator top usage for FlowInterfaceTotals
May 19 17:47:59   configd.py: [df958d68-9646-4f2b-a8b8-35cab2fbff88] request netflow data aggregator top usage for FlowInterfaceTotals
May 19 17:47:59   configd.py: [2a413224-0022-48c8-a8d8-de948bce05ee] request netflow data aggregator top usage for FlowSourceAddrTotals
May 19 17:47:59   configd.py: [4d36559a-6244-43c8-a5a0-8492686bb371] request netflow data aggregator top usage for FlowDstPortTotals
May 19 17:47:59   configd.py: [0f664e35-f9e2-4273-880a-bd80d66e5230] request netflow data aggregator timeseries for FlowInterfaceTotals

I have a gateway group with 3 tiers.
Traffic fails to switch to tier2 when tier1 is down.

I get lots of these errors in the logs:

Code Select Expand

May 11 13:28:22 apinger: Error while starting command form alarm(down) on target(8.8.4.4-VPN_TCP_VPNV4)
May 11 13:28:12 apinger: ALARM: VPN_TCP_VPNV4(8.8.4.4) *** down ***

which seem to indicate that the tier switch action fails to be triggered

And also these

Code Select Expand

apinger: command (al/opnsense/service/configd_ctl.py -m 'dyndns reload VPN_TCP_VPNV4' 'ipsecdns reload' 'openvpn reload VPN_TCP_VPNV4' 'filter reload' ) exited with status: 127

But that could be because it's trying to reload ipsec when ipsec has not even been setup.

The VLAN has a set of firewall rules which say:
* VLANnet to VLANnet -> * GW
* VLANnet to 127.0.0.1:3128 -> * GW (We can't change this GW, the rule comes from Port Forward)
* VLANnet to  ! VLANnet -> VPN_GW

VPN_GW is a group. Within this group the default GW is set to "Never"

We can't pick a GW for the proxy, so I'm guessing it follows the rules set by the firewall, but this might be where there is a problem.

There are also a bunch of outbound NAT rules in hybrid mode for 127.0.0.0 and VLANnet (VPN rules first and the automated rules at the bottom).

In System: Settings: Miscellaneous, there is a setting which is called: Skip rules when gateway is down

By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway.This option overrides that behavior and the rule is not created when gateway is down

I've ticked this box since this is exactly the behaviour I want to avoid

Everything is working fine, traffic is routed correctly, through the proxy and through one of the VPN GW, but if I stop one of the VPN connections, then all traffic is routed through the default GW.

It seems that when a VPN connection is taken down, routes are altered, but the system setting is not having the expected effect and the default gateway is used.

The current process to build and install core, as I understand it is as follows:

• Update all ports
• cd /usr/tools
• Build ports missing from the packages "image" using "make ports"
• make core

make core does this:

• Unpack all packages, mix with compiled missing ports
• Build core
• Update contrib with files from packages?
• Create new packages image

For people using `opnsense/ports` to compile all their ports, there are a few problems:

• All missing ports have to be compiled again, although all those ports have been installed already
• The rest of the packages used are vanilla packages which have not been compiled for the current architecture. It's only a problem is those files are actually used
• If contrib is updated using vanilla packages, then it might introduce some changes compared to what is installed

If the only reason packages are downloaded and unpacked to build core is to update contrib, then only those packages should be used.
Those packages don't even need to be compiled, they're already installed and the needed files can be fetched from the filesystem. pkg info can tell the script if the version is what is expected.

Am I correct and the whole process can be simplified for people using the ports tree?

This is what I get when trying to install the generated packages

Code Select Expand


# cd /usr/tools
# make base
# cd /tmp/sets
# pkg add -f base-16.7.a_15-amd64.txz
pkg: base-16.7.a_15-amd64.txz is not a valid package: no manifest found

Failed to install the following 1 package(s): base-16.7.a_15-amd64.txz

I think it's very dangerous to have an image which auto installs its content on a hard drive after having finished booting. If we're not careful after a reboot, we can lose all the content of the hard drive in the test system.

Ever since on 16.1.1, I can't enable Suricata in IDS mode any more without it blocking all traffic. Was the firewall grouping feature purely a visual feature or did it change something in the way rules are loaded?

The setup is as follows:
LAN -> VPN GW
VLAN1 -> VPN GW
VLAN1 has a DHCP with its own DNS, located on the outside

I've set Suricata to use analyse LAN
As soon as it's on, connections to the outside world are blocked. Disabling HW acceleration has no effect.

Also, when it was working, the VPN connection had to be restarted after each reboot, but that doesn't work any more.

This is for people maintaining their ports themselves and who wish to be able to manually update the GUI without overwriting anything else.


WARNING: That will only work from 16.1.7 as you need an updated makefile in /usr/core


Get the source code

Code Select Expand

# pkg install git gettext-tools
# cd /usr
# rm -rf src ports
# git clone https://github.com/opnsense/ports
# git clone https://github.com/opnsense/core


Updating

Update all ports

Code Select Expand

# cd /usr/ports
# git checkout 16.1.8


Use the latest tagged release instead of 16.1.8.
Then update all your ports the way you usually do it. Per example with portmaster it would be

Code Select Expand

# portmaster -a

Install the updated OPNsense GUI.

Code Select Expand

# cd /usr/core
# git checkout 16.1.8
# make package
# pkg add -f opnsense-16.1.8.txz


Update base and kernel

Code Select Expand

# opensense-update -bkr 16.1.8

Reboot

make.conf contains

Code Select Expand

WRKDIRPREFIX= /usr/obj

which builds ports in /usr/obj/usr/ports/folder/port/work

The comment says "move work area out of unionfs".

What does it mean?

Squid can't shut up and is hammering

Code Select Expand

/tmp/PHP_errors.log

Code Select Expand

Fatal error: Class 'Phalcon\DI\FactoryDefault' not found in /usr/local/opnsense/mvc/script/load_phalcon.php on line 32
2016/01/28 22:50:03 kid1| helperHandleRead: unexpected read from basicauthenticator #Hlpr39932, 120 bytes '
2016/01/28 22:50:03 kid1| helperOpenServers: Starting 1/5 'squid.auth-user.php' processes
2016/01/28 22:50:03 kid1| Starting new helpers
2016/01/28 22:50:03 kid1| Too few basicauthenticator processes are running (need 1/5)
2016/01/28 22:50:03 kid1| WARNING: basicauthenticator #Hlpr39931 exited

I've tried killing it, restarting it, nothing works. Is the code broken or is this a know problem with a workaround?

The thread about testing the dev version mentions that if we ever need to go back to stable, we would simply need to do

Code Select Expand

# pkg install -y opnsense

It seems to work but tries to download the next alpha at the same time

Code Select Expand

Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        opnsense: 16.1
        py27-netaddr: 0.7.18

The process will require 35 MiB more space.
10 MiB to be downloaded.
Fetching opnsense-16.1.txz: 100%    9 MiB 259.0kB/s    00:37
Fetching py27-netaddr-0.7.18.txz: 100%    1 MiB 263.7kB/s    00:04
Checking integrity... done (1 conflicting)
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 4 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        py27-netaddr: 0.7.18
        opnsense: 16.1

The process will require 35 MiB more space.
Fetching opnsense-devel-16.7.a_52.txz: 100%    9 MiB 245.7kB/s    00:39
[1/4] Installing py27-netaddr-0.7.18...
[1/4] Extracting py27-netaddr-0.7.18: 100%
[2/4] Deinstalling opnsense-devel-15.7.99_2050...
[3/4] Installing opnsense-16.1...
[3/4] Extracting opnsense-16.1: 100%
[3/4] Installing opnsense-devel-16.7.a_52...
pkg: opnsense-devel-16.7.a_52 conflicts with opnsense-16.1 (installs files into the same place).  Problematic file: /usr/local/opnsense/contrib/mobile-broadband-provider-info/serviceproviders.xml


It's all in the title. I'm just wondering why it isn't set up that way.

I've just noticed that suricata isn't compiled with SIMD support per example and obviously the Makefiles have to be kept generic and can't be optimized for every architecture, so if we end up compiling all the packages using a custom make.conf, how do we get notified of updates?

Code Select Expand


# pkg version -Ivl"<"
pkg: Can't access /usr/ports/INDEX-10: No such file or directory

Do we have to recompile everything every time a new release is announced?

powerd seems to work fine, I can see it adjust the clock when I'm monitoring it in the shell, but my CPU's burst clock is 2.08Ghz and the limit in OPNsense is set at 1.6Ghz.
Is it safe to set it right?

You can see the artificial limit being set in "dev.cpu": 1601/2000 1600/2000 1520/1900
The burst mode is disabled.

I've read that pfsense doesn't support that configuration. The PPTP WAN is to be used exclusively to connect to an ISP. Is it the same on OPNsense?