Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - s4rs

Pages: [1]

18.7 Legacy Series / opnsense freezes

« on: January 06, 2019, 01:46:33 pm »

For the last few years I have run Opnsense under KVM. For the past few months randomly Opnsense stops working. It loses the wan interface, and I can't log in fully. I can bring up an SSH session type in the user name and password but then it hangs. I have waited for up to 15 minutes but I never get to the console GUI. Trying the web admin is similar. The system is not completely unresponsive since I can reboot cleanly via virsh reboot.

Any idea how I might be able to shoot this issue? I am running 18.7.9.

18.1 Legacy Series / My upgrade experience from 17 to 18.1

« on: February 05, 2018, 04:13:26 pm »

I run Opnsense as a Fedora 26 sever KVM Guest. So far no issues. I decided to take the plunge and upgrade to 18.1 today. The upgrade was ultimately successful but I had to manually power cycle the VM 3 times before all completed. The auto reboot mechanisms didn't seem to work.

I'm just posting this as an FYI. If there are logs you want me to collect I am happy to do so. I have a backup setup running as a SmartOS KVM guest which I need to upgrade. Not sure if I will run into the same issue but if you want me to monitor something just in case I get the same hang let me know. I'll do the upgrade sometime later this week.

17.7 Legacy Series / State Table Size

« on: October 28, 2017, 03:57:19 pm »

Is there a way to show this from the command line?

17.1 Legacy Series / Can't upgrade from 17.1.3 to 17.1.4 [SOLVED]

« on: April 10, 2017, 04:29:46 pm »

I am trying to upgrade from 17.1.3 to 17.1.4 but it gets stuck. I tried from the GUI and the console without success. From the GUI I see this

There are 38 updates available, total download size is none. This update requires a reboot.

Then I hit the Upgrade Now Button

and the log shows

Code: [Select]

***GOT REQUEST TO UPGRADE: all***
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (46 candidates): .......... done
Processing candidates (46 candidates): ........ done
Checking integrity... done (1 conflicting)
  - py27-setuptools-32.1.0_1 conflicts with py27-setuptools27-32.1.0 on /usr/local/bin/easy_install
Cannot solve problem using SAT solver, trying another plan
Checking integrity... done (0 conflicting)
The following 38 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
	py27-sqlite3-2.7.13_7
	opnsense-17.1.3
	py27-setuptools27-32.1.0

New packages to be INSTALLED:
	py27-setuptools: 32.1.0_1

Installed packages to be UPGRADED:
	squid: 3.5.24 -> 3.5.24_2
	png: 1.6.28 -> 1.6.29
	pkgconf: 1.3.0_3 -> 1.3.0,1
	php70-zlib: 7.0.16 -> 7.0.17
	php70-xml: 7.0.16 -> 7.0.17
	php70-sqlite3: 7.0.16 -> 7.0.17
	php70-sockets: 7.0.16 -> 7.0.17
	php70-simplexml: 7.0.16 -> 7.0.17
	php70-session: 7.0.16 -> 7.0.17
	php70-pdo: 7.0.16 -> 7.0.17
	php70-openssl: 7.0.16 -> 7.0.17
	php70-mcrypt: 7.0.16 -> 7.0.17
	php70-ldap: 7.0.16 -> 7.0.17
	php70-json: 7.0.16 -> 7.0.17
	php70-hash: 7.0.16 -> 7.0.17
	php70-gettext: 7.0.16 -> 7.0.17
	php70-filter: 7.0.16 -> 7.0.17
	php70-dom: 7.0.16 -> 7.0.17
	php70-curl: 7.0.16 -> 7.0.17
	php70-ctype: 7.0.16 -> 7.0.17
	php70: 7.0.16 -> 7.0.17
	opnsense-update: 17.1.3 -> 17.1.4
	opnsense-lang: 17.1.3 -> 17.1.4
	ntp: 4.2.8p9_4 -> 4.2.8p10_2
	lzo2: 2.09 -> 2.10_1

Installed packages to be REINSTALLED:
	py27-ujson-1.35 (direct dependency changed: py27-setuptools)
	py27-requests-2.11.1 (direct dependency changed: py27-setuptools)
	py27-pytz-2016.10,1 (direct dependency changed: py27-setuptools)
	py27-netaddr-0.7.18 (direct dependency changed: py27-setuptools)
	py27-MarkupSafe-1.0 (direct dependency changed: py27-setuptools)
	py27-Jinja2-2.8 (direct dependency changed: py27-Babel)
	py27-Babel-2.3.4 (direct dependency changed: py27-setuptools)
	openvpn23-2.3.14_1 (options changed)
	dnsmasq-2.76,1 (options changed)

Number of packages to be removed: 3
Number of packages to be installed: 1
Number of packages to be upgraded: 25
Number of packages to be reinstalled: 9

The operation will free 20 MiB.
pkg-static: Cannot delete vital package: opnsense!
pkg-static: If you are sure you want to remove opnsense, 
pkg-static: unset the 'vital' flag with: pkg set -v 0 opnsense
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***

is it safe to run pkg set -v 0 opnsense??

16.7 Legacy Series / Opnsense VM under Fedora 25 KVM

« on: December 22, 2016, 08:28:50 pm »

I finally got a chance to test Opnsense under Fedora 25 KVM. In my case the VirtIO driver under Fedora 25 Server caused some real problems. I could ping but couldn't get any traffic through the VM. I switched to e1000 and everything worked... From reading issues with PFSense the VirtIO drivers can be an issue.. So if you deploy on KVM keep this in mind if performance is in the toilet

16.7 Legacy Series / Anyone test Opnsense running as a VMWare Guest?

« on: December 15, 2016, 11:19:21 pm »

I decided to test Opnsense running under a hypervisor and am running into performance issues. I tested SmarOS and ESXi 6.5 with the same results. If I run iperf from Opnsense/BSD as a client pointing to an iperf server on the wan or lan side I get good performance IE approx 550Mb/s. If I setup iperf as a server on Opnsense/BSD and point a client from either the wan or lan I get horrible performance IE 70Mb/s.

I tested a server on the wan and a client on the lan and vise-verse with similar results. It seems like when running under a hypervisor receiving packets are an issue. Anyone seen this and have a tweak? Its not a resource issue, CPU is low 15% and plenty of memory available.

BTW I get very similar results if I run vyos. So there is something specific about routers in a virtual setting.

16.7 Legacy Series / OpenVPN Bridge

« on: December 09, 2016, 12:43:56 pm »

Is it possible and if so is there a guide to setup and openvpn bridge instead of a tunnel? This would be a client to server not site to site.

16.7 Legacy Series / Question about OpenVPN Performance

« on: December 01, 2016, 11:59:13 pm »

I setup my OpenVPN tunnel and decided to run iPerf to see what performance penalty there was. My lab is as follows

my home lan at 192.168.1.0/24 <----> a Mikrotik RB2011i Wan Port <---> Mikrotik 1Gb Lan <---> 173.24.225.0/24 <---> Opnsense Wan Port 1Gb <---> Opnsense Lan <--- >1Gb Switch < ---> 192.168.2.0/24.

The Opnsense Wan nic has been assigned a DHCP static lease for consistency. I have two Windows clients, one on the Mikrotik 173.24.255.0 lan and one on the Opnsense 192.168.2.0 lan.

If I run iperf from the Mikrotik lan to the Opnsense wan port iPerf pushes about 600Mb/s When I start the VPN and go to a system on the Opnsense lan I get approx 100Mb/s. It seems like OpenVPN is throttled to 100Mb/s. The Opensense box CPU is not even breathing. An iPerf test from the Opensense lan to the Mikrotik lan without OpenVPN gave approx 500Mb/s

Any ideas? If I use a 100Mb switch I get approx 80Mb/s via OpenVPN connection. About the same without OpenVPN..

Another observation. If I setup a rule in Opnsense to allow the Windows box to RDP from the Opnsense Wan to the Windows box on the Opnsense lan nothing happens. All packets are blocked. Is this expected? [forget this, I looked up how to setup a pfsense NAT rule and followed the guide to get it working, getting there slowly. question still remains about OpenVPN performance if anyone has a ideas or knowledge]

16.7 Legacy Series / Help with OpenVPN [Solved]

« on: November 30, 2016, 10:18:41 pm »

I followed the OpenVPN Road Warrior guide and I get connected to the firewall but that's it. I can only ping the bridge0 interface on the router and can go no farther. If I try to ping any other device, nothing.

I setup an any firewall rule on the OpenVPN tab since the example in the Howto was confusing. If you look at the picture it shows 192.168.2.0/24, when I would expect to see 192.168.1.0/24. That said I have no idea how to set that up. It might have been a screen shot of an older version of Opnsense, and I can't figure out how to add an address. I figure that rule is now LAN net. Could someone confirm this?

I checked the client routing table and that looked good and its below. You can see a route to the 192.168.1.0/24 subnet with a gateway of 10.10.0.5. What is curious to me is I can't ping 10.10.0.5, should I be able to?

Client routing table

Code: [Select]

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     173.48.255.1     173.48.255.2     35
        10.10.0.1  255.255.255.255        10.10.0.5        10.10.0.6     25
        10.10.0.4  255.255.255.252         On-link         10.10.0.6    281
        10.10.0.6  255.255.255.255         On-link         10.10.0.6    281
        10.10.0.7  255.255.255.255         On-link         10.10.0.6    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     173.48.255.0    255.255.255.0         On-link      173.48.255.2    291
     173.48.255.2  255.255.255.255         On-link      173.48.255.2    291
   173.48.255.255  255.255.255.255         On-link      173.48.255.2    291
      192.168.1.0    255.255.255.0        10.10.0.5        10.10.0.6     25
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      173.48.255.2    291
        224.0.0.0        240.0.0.0         On-link         10.10.0.6    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      173.48.255.2    291
  255.255.255.255  255.255.255.255         On-link         10.10.0.6    281
===========================================================================

If I ssh to Opnsense I can ping the test maching 192.168.1.163 see below

Code: [Select]

0) Logout                             7) Ping host
 1) Assign Interfaces                  8) Shell
 2) Set interface(s) IP address        9) pfTop
 3) Reset the root password           10) Filter Logs
 4) Reset to factory defaults         11) Restart web interface
 5) Power off system                  12) Upgrade from console
 6) Reboot system                     13) Restore a configuration

Enter an option: 7


Enter a host name or IP address: 192.168.1.163

PING 192.168.1.163 (192.168.1.163): 56 data bytes
64 bytes from 192.168.1.163: icmp_seq=0 ttl=128 time=3.764 ms
64 bytes from 192.168.1.163: icmp_seq=1 ttl=128 time=6.272 ms
64 bytes from 192.168.1.163: icmp_seq=2 ttl=128 time=3.188 ms

attached is a picture of my Openvpn firewall rule

The lan, wlan, and bridge adapters all have a allow rule just like this.

Here is my OpenVPN client log

Code: [Select]

ov 30 19:18:00	openvpn[29096]: greg/173.48.255.2:51788 send_push_reply(): safe_cap=940
Nov 30 19:17:58	openvpn[29096]: greg/173.48.255.2:51788 MULTI_sva: pool returned IPv4=10.10.0.6, IPv6=(Not enabled)
Nov 30 19:17:58	openvpn[29096]: 173.48.255.2:51788 [greg] Peer Connection Initiated with [AF_INET]173.48.255.2:51788
Nov 30 19:17:58	openvpn: user 'greg' authenticated
Nov 30 18:29:44	openvpn[29096]: Initialization Sequence Completed
Nov 30 18:29:44	openvpn[29096]: UDPv4 link remote: [undef]
Nov 30 18:29:44	openvpn[29096]: UDPv4 link local (bound): [AF_INET]173.48.255.4:1194
Nov 30 18:29:43	openvpn[29096]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1602 10.10.0.1 10.10.0.2 init
Nov 30 18:29:43	openvpn[29096]: /sbin/ifconfig ovpns1 10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.255 up
Nov 30 18:29:43	openvpn[29096]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 30 18:29:43	openvpn[29096]: TUN/TAP device /dev/tun1 opened
Nov 30 18:29:43	openvpn[29096]: TUN/TAP device ovpns1 exists previously, keep at program end
Nov 30 18:29:43	openvpn[29096]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Nov 30 18:29:43	openvpn[29096]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Nov 30 18:29:43	openvpn[29096]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 30 18:29:43	openvpn[28838]: library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Nov 30 18:29:43	openvpn[28838]: OpenVPN 2.3.13 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Nov 14 2016

and finally my Viscosity log

Code: [Select]

State changed to Creating...
Nov 30 1:48:53 PM: State changed to Disconnected
Nov 30 2:17:14 PM: State changed to Connecting
Nov 30 2:17:14 PM: Viscosity Windows 1.6.7 (1468)
Nov 30 2:17:14 PM: Running on Microsoft Windows 10 Pro
Nov 30 2:17:14 PM: Bringing up interface...
Nov 30 2:17:15 PM: Checking reachability status of connection...
Nov 30 2:17:15 PM: Connection is reachable. Starting connection attempt.
Nov 30 2:17:15 PM: OpenVPN 2.3.13 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Nov  4 2016
Nov 30 2:17:15 PM: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Nov 30 2:17:53 PM: Control Channel Authentication: using 'C:\Program Files\Common Files\Viscosity\OpenVPNConfig\greg\1\ta.key' as a OpenVPN static key file
Nov 30 2:17:53 PM: UDPv4 link local (bound): [undef]
Nov 30 2:17:53 PM: UDPv4 link remote: [AF_INET]173.48.255.4:1194
Nov 30 2:17:53 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 30 2:17:54 PM: [SSLVPN Server Certificate] Peer Connection Initiated with [AF_INET]173.48.255.4:1194
Nov 30 2:17:56 PM: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 30 2:17:56 PM: open_tun, tt->ipv6=0
Nov 30 2:17:56 PM: TAP-WIN32 device [My SSL VPN Server] opened: \\.\Global\{4C29BFA5-6B43-42BF-8C0E-8035685E30D2}.tap
Nov 30 2:17:56 PM: Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.0.6/255.255.255.252 on interface {4C29BFA5-6B43-42BF-8C0E-8035685E30D2} [DHCP-serv: 10.10.0.5, lease-time: 31536000]
Nov 30 2:17:56 PM: Successful ARP Flush on interface [38] {4C29BFA5-6B43-42BF-8C0E-8035685E30D2}
Nov 30 2:18:01 PM: Initialization Sequence Completed
Nov 30 2:18:02 PM: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
Server - 173.48.255.1:53; Lookup Type - Any; Domains - fios-router.home.

Lastly the connection only lasted an hour even though I had set the timeout value to 0. I saw in a post you need to set this value on the client. I have no idea where in Viscosity to set this. If I edit the profile I see nothing.

16.7 Legacy Series / Opnsense and wireless [SOLVED]

« on: November 28, 2016, 04:44:56 pm »

I checked the manual, google and the forum and couldn't find a howto on setting up a opnsense device as a wireless device.

I am running 16.7.9 with BSD 10.3-p11.

My wireless card is picked up fine and I have it defined. I would like it to be just another port on the switch. I am guessing I have to do some routing to join the WAP traffic to the ethernet traffic. Any pointers on how to do this?

16.7 Legacy Series / booting without a serial or vga console

« on: November 22, 2016, 03:15:53 pm »

I am new to Opensense and BSD in general. I picked up a mini PC to use as a router with the intention of using Opensense. I installed Opensense fine but I found out that it won't boot on a headless system. The mini PC I have does not have a serial port, and I want to put this in a closet without a display. How do I get this to working headless.

Pages: [1]