Topics - dcol

1
24.1 Legacy Series / Puzzled
« on: March 14, 2024, 12:39:51 am »
I can't figure out why one remote IP cannot reach the server. The only clue I have is the absence of a label and a different rule number. I have both packets captured in the attachments. The bad pic cannot get to the server. How do I find the rulenr, as I suspect the rule the bad packet is using is different?

2
23.7 Legacy Series / dropping internet last few days
« on: October 24, 2023, 01:35:43 am »
I have been experiencing intermittent internet loss. Not sure if it is the firewall. I did have some errors at the same time this happened today in the OPNsense log. Does this point to anything? I am on the latest OPNsense version.

2023-10-23T16:24:35-07:00   Error   api   no active session, user not found   
2023-10-23T16:18:34-07:00   Error   configd.py   [872b9217-6625-4f0b-9e90-f1e42cc38724] Script action failed with Command '/usr/local/opnsense/scripts/firmware/query.sh remote ' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 44, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/firmware/query.sh remote ' returned non-zero exit status 1.   
2023-10-23T16:18:34-07:00   Error   configd.py   Timeout (120) executing : firmware tiers   

Also the general log shows this
2023-10-23T16:24:29-07:00   Error   opnsense   /usr/local/etc/rc.newwanip: The command '/bin/kill -'TERM' '57694''(pid:/var/run/unbound.pid) returned exit code '1', the output was 'kill: 57694: No such process'   
2023-10-23T16:24:23-07:00   Error   dhcp6c   transmit failed: Can't assign requested address   
2023-10-23T16:24:23-07:00   Warning   opnsense   /usr/local/etc/rc.bootup: dhcpd_radvd_configure(auto) found no suitable IPv6 address on lan(ixl0)   
2023-10-23T16:22:14-07:00   Error   opnsense   /usr/local/etc/rc.newwanipv6: The command '/bin/kill -'TERM' '76961''(pid:/var/dhcpd/var/run/dhcpdv6.pid) returned exit code '1', the output was 'kill: 76961: No such process'   
2023-10-23T16:19:22-07:00   Warning   opnsense   /usr/local/etc/rc.linkup: dhcpd_radvd_configure(auto) found no suitable IPv6 address on lan(ixl0)   
2023-10-23T16:18:53-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:37-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:36-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:35-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:29-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:28-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:28-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:25-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:24-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:24-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:23-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:22-07:00   Error   dhcp6c   transmit failed: Network is down   
2023-10-23T16:18:22-07:00   Error   dhcp6c   transmit failed: Network is down

I am running 2 WANs in the OPNsense box. Only one WAN died. The ISP said there was no outage.
Problem happens once a day. Problem always points to dhcp6. The WAN that works only uses IPv4. Should I disable IPv6 on the problem LAN? I am using a prefix delegation size of 64. Is that a problem? ISP is Cox.

Any help is appreciated.
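To line the dhcp6c pattern in the log above up with the WAN drops, here is an added example that is not from the original post or the OPNsense project: it parses lines in the general-log layout shown (timestamp, severity, process, message separated by runs of spaces), reports bursts of dhcp6c transmit failures, and lists the other errors logged shortly after each burst. The sample lines are constructed from the post, and the burst thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout of the OPNsense general log lines quoted above:
# ISO-8601 timestamp with offset, severity, process, message.
LINE_RE = re.compile(r"^(\S+)\s{2,}(\w+)\s{2,}(\S+)\s{2,}(.*?)\s*$")

# Constructed sample, modelled on the post (not a real capture).
SAMPLE_LOG = """\
2023-10-23T16:24:29-07:00   Error   opnsense   /usr/local/etc/rc.newwanip: kill returned exit code '1'
2023-10-23T16:24:23-07:00   Error   dhcp6c   transmit failed: Can't assign requested address
2023-10-23T16:18:53-07:00   Error   dhcp6c   transmit failed: Network is down
2023-10-23T16:18:37-07:00   Error   dhcp6c   transmit failed: Network is down
2023-10-23T16:18:36-07:00   Error   dhcp6c   transmit failed: Network is down
2023-10-23T16:18:35-07:00   Error   dhcp6c   transmit failed: Network is down
2023-10-23T16:18:29-07:00   Error   dhcp6c   transmit failed: Network is down
2023-10-23T16:18:24-07:00   Error   dhcp6c   transmit failed: Network is down
2023-10-23T09:02:10-07:00   Error   dhcp6c   transmit failed: Network is down
""".splitlines()

def parse_line(line):
    """Return (timestamp, severity, process, message) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_bursts(lines, process="dhcp6c", pattern="transmit failed", gap_s=60, min_count=5):
    """Chain matching events of one process while consecutive events are at most gap_s
    apart; return chains with at least min_count events as (first, last, count)."""
    events = sorted(e[0] for e in map(parse_line, lines) if e and e[2] == process and pattern in e[3])
    bursts, start, last, count = [], None, None, 0
    for ts in events:
        if start is not None and (ts - last).total_seconds() <= gap_s:
            last, count = ts, count + 1
            continue
        if start is not None and count >= min_count:
            bursts.append((start, last, count))
        start, last, count = ts, ts, 1
    if start is not None and count >= min_count:
        bursts.append((start, last, count))
    return bursts

def related_errors(lines, burst, after_s=600):
    """Error lines from other processes logged within after_s seconds after a burst ends."""
    _, end, _ = burst
    out = [(e[0].isoformat(), e[2], e[3]) for e in map(parse_line, lines)
           if e and e[1] == "Error" and e[2] != "dhcp6c" and end <= e[0] <= end + timedelta(seconds=after_s)]
    return sorted(out)

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print("burst", b[0].isoformat(), "->", b[1].isoformat(), b[2], "events")
        for err in related_errors(SAMPLE_LOG, b):
            print("  followed by", err)
```

Run it against a full day's export of the general log to see whether every daily drop starts with the same dhcp6c burst and ends with the rc.newwanip error.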

3
23.7 Legacy Series / Firewall randomly going down.
« on: August 16, 2023, 12:53:30 am »
This appears in the log when the firewall goes down. This happens 4-8 times a day.
Funny thing is, this system does not use IPv6 at all, so where could this come from? What does this mean?
Firewall uses a static IP on the WAN. No DHCP.

2023-08-15T10:34:33-04:00   Error   opnsense   /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '77804''(pid:/var/dhcpd/var/run/dhcpdv6.pid) returned exit code '1', the output was 'kill: 77804: No such process'

Any help is greatly appreciated.

4
23.7 Legacy Series / Monit email not working
« on: August 14, 2023, 11:51:20 pm »
Running 23.7.1_3
I tried every email address I have, local and remote, and all I get is this

023-08-15T10:36:15-07:00   Error   monit   Aborting event   
2023-08-15T10:36:15-07:00   Error   monit   Mail: Delivery failed -- no mail server is available   
2023-08-15T10:36:15-07:00   Error   monit   Cannot open a connection to the mailserver 192.168.100.5:465
2023-08-15T10:36:15-07:00   Error   monit   Cannot connect to [192.168.100.5]:465 -- Connection timed out   

I cannot find any email service to work with Monit. Tried Gmail, Yahoo, Local emails. Nothing works.
Apparently you can no longer use Gmail or Yahoo due to new security on those sites, so I am stuck with using the local account. Not sure if I need a firewall rule to do this.

Monit itself works fine. Just won't send email messages from my main site.
I gave up and just disabled Monit. Not really useful if I can't get messages.

Any ideas on how to get it to work on the same machine as the email servers? Do I need a new firewall rule?

5
23.7 Legacy Series / Repeating error in my logs
« on: August 14, 2023, 05:35:44 pm »
My logs are filled with errors. Using v23.7.1_3.
This is a repeating error, every second in the logs; there are actually thousands of these. Using DHCP on the WAN.
How can I fix this?

2023-08-08T08:46:36-04:00   Error   opnsense   /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '77804'' returned exit code '1', the output was 'kill: 77804: No such process'   
2023-08-08T08:45:53-04:00   Error   opnsense   /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '77804'' returned exit code '1', the output was 'kill: 77804: No such process'   
2023-08-08T08:45:42-04:00   Error   opnsense   /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '77804'' returned exit code '1', the output was 'kill: 77804: No such process'   
2023-08-08T08:44:37-04:00   Error   opnsense   /usr/local/etc/rc.linkup: The command '/bin/kill -'TERM' '77804'' returned exit code '1', the output was 'kill: 77804: No such process'   
2023-08-08T08:44:31-04:00   Error   opnsense   /usr/local/etc/rc.routing_configure: ROUTING: refusing to set inet gateway on addressless wan(igc0)   

6
23.1 Legacy Series / Bind states to interface
« on: July 07, 2023, 05:28:31 pm »
Quick question.
Should I use "Bind states to interface" if I have two isolated WANs, one static and one dynamic?
I am not using failover or load balancing.

7
Virtual private networks / Changing IP's
« on: July 03, 2023, 06:45:15 pm »
I have a working IPsec VPN. I want to use my alternate WAN Interface to connect to it. If I change the IP in my DNS Record I get a policy Error when trying to connect. The certificate uses my OPNsense Hostname and not an IP. I did make sure the Firewall rules were duplicated for the second WAN, LAN, and NAT.

I have created another VPN connection using the new local IPs and it works fine, but changing the DNS record to the secondary WAN does not work.

Any ideas?

8
Virtual private networks / IPsec Local IP
« on: July 03, 2023, 06:06:46 pm »
I have VPN working fine, but I want to change the Local IP as shown in the VPN Status Overview page.
Where can I do that? Or more specifically, how does OPNsense determine the Local IP for VPN IPsec?

When I try to connect via my other WAN Interface, I get a Policy Error.

9
23.1 Legacy Series / When to use Multi-WAN?
« on: July 01, 2023, 06:35:17 pm »
I could not find a scenario chart of when Multi-WAN is useful. My goal is to get as much redundancy as possible.
My question is basically if I should use Multi-WAN. Would it benefit me with the following setup?
First off, I want to state that I did try to set up a failover Multi-WAN configuration following the online documentation to the letter. It was not successful as I had many stalled internet accesses. I removed it.

This OPNsense box has 2 WANs. The business Internet has a 100/20MB Mbps static IP (WAN1), and the other a 1000/50MB Mbps DHCP residential connection (WAN2).
WAN1 is used for incoming SMTP and business websites.
WAN2 is for residential internet, IMAP and SMTP outgoing, IPsec VPN to a local server, FTP, RSYNC, and a video streaming server because of its faster connection. WAN2 also uses Dynamic DNS.

I basically just use WAN1 for ports not allowed by my ISP residential service.

Now the big question. Is Multi-WAN an option for this scenario? Seems to me I have set IPs to do most connections, so I assume failover can't handle that.

I am also having LTE failover installed in a few days on WAN1. That is external to OPNsense.

Your thoughts?

10
23.1 Legacy Series / Reset state table using Cron
« on: June 23, 2023, 07:00:49 pm »
I have been unsuccessful trying to reset the state table using cron. All I get is 'returned exit status 127'
Can anyone help with my code? Here is what I did:

/usr/local/opnsense/service/conf/actions.d/actions_ResetST.conf
Code:
[start]
command:/usr/local/etc/rc.d/rstate.sh
parameters:%s
type:script
message:starting reset_state_table
description:Reset State Table

/usr/local/etc/rc.d/rstate.sh
Code:
#!/bin/sh
# flush every entry in the pf state table
pfctl -F states

Then ran 'service configd restart' in the shell and set up the time in cron.

What am I doing wrong?
Thanks

11
23.1 Legacy Series / Slower over time
« on: June 18, 2023, 12:44:24 am »
Using 23.1.9. Very basic generic setup. One LAN, one DHCP WAN.
Internet speeds come to a crawl. If I reboot, speeds come back, but within a few hours, back to crawling. I can barely remote into the WebGUI when it is slow.
Resources look fine. Memory is at 14% when slow and 7% when rebooted.

Anything I should be looking at? Nothing meaningful in any logs.

This is a new box that I installed OPNsense on and just restored the config. The old box had a minor disk issue. This slowdown issue is since I put this new box in.

12
23.1 Legacy Series / Need help on a remote firewall
« on: June 10, 2023, 07:38:27 pm »
I was doing updates on all my remote OPNsense firewalls when one of them would not update, so I started investigating.
I tried to do it via SSH and get Input/output error. Shell not working with the same error.
Reboot doesn't work.
When I try update from WebGUI I get
Checking integrity...Child process pid=30552 terminated abnormally: Bus error

Funny thing is, firewall is working. I just can't do anything.
Using ZFS, but can't run scrub from cron.

All services are running. This is a vanilla install with no additional features.
If I try a reboot via console I get
/usr/local/etc/rc.reboot: /sbin/shutdown: Input/output error

Any suggestions? This firewall is 300 miles away. I really do not want to make a trip there.

13
General Discussion / NAT rules to specific gateway
« on: April 01, 2023, 07:08:38 pm »
How do I assign a specific gateway to a NAT rule?
Is this determined by the NAT Outbound?
The WAN rules that are not NAT'ed I can specify the gateway. NAT rules I cannot.

14
General Discussion / Add isolated gateway.
« on: April 01, 2023, 12:19:22 am »
Hi all,
I am now running 2 OPNsense boxes where box one has a DHCP WAN, and a LAN (192.168.100.0/24).
Box two has a static WAN and LAN (192.168.20.0/24). Both work fine right now.

My goal is to eliminate box two since the only task on that box is to NAT port 25 to the email server on the LAN.
This email server has another NIC which connects to the LAN subnet on box one (192.168.100.5).

I tried moving the box two WAN to box one WAN2. Then using a NAT rule on box one to forward WAN2 port 25 connections to the email server. This does not work.
The WAN2 gateway is online. I can ping WAN2.
The box one LAN rule is matched to the one from Box 2
WAN2   TCP   *   *   WAN2 address    25    192.168.100.5    25

I assumed all I needed to do was install the WAN2 interface/gateway on OPT1, then NAT WAN2 to port 25 to the email server.
Am I missing something? Is there something else I need to do to isolate these gateways?
Please reply if you need more info.

15
23.1 Legacy Series / Hourly Internet outage.
« on: March 29, 2023, 10:17:12 pm »
Here is a real mystery. Need advice.
For the past few days the internet has been going down for one minute at exactly 57-58 minutes after the hour. Not every hour, but about 15 times a day.
Internet is fine at full speed when working. All logs show nothing. I use an outside monitor to ping my IP and the gateway IP every minute. The IP goes down but the gateway is still ok.
The only indication of an issue in OPNsense is the Reporting Quality report which shows high loss during these outages. Not sure if the loss is reporting an issue or just the connection drop itself. The ISP says there are no issues on their end, but did slip once to admit some packet loss to me.
I have replaced the complete firewall, with all network hardware. There are no cron jobs running at this time and I do have DynamicDNS updating the DNS provider, but that doesn't have indications it is running at that time. This is a basic WAN/LAN setup with no plugins or Suricata running. No VLANs.
The fact that it happens at a consistent time does not seem like a hardware issue.

Any suggestions on what I can look at to try and pin this down?
