Topics - Droppie391

1
20.7 Legacy Series / [SOLVED] After Upgrade unreachable
« on: August 13, 2020, 10:51:30 am »
For whom it may concern: after updating our backup box, it could not be reached on any interface anymore. Several reboots didn't help, so we reverted to factory settings and reinstalled our latest config backup. Now we're happy again... (what was the phrase, no backup - no sympathy...)

2
19.7 Legacy Series / GeoIP not Updating
« on: January 16, 2020, 04:31:07 pm »
After updating to 19.7.9_1, creating an account with MaxMind, generating a license key and entering the URL,
we still (after 3 days) have not been able to retrieve the zip file.

Testing with Python from the CLI, we see the following errors popping up:

Python 3.7.6 (default, Jan  7 2020, 01:19:35)
[Clang 6.0.0 (tags/RELEASE_600/final 326565)] on freebsd11
Type "help", "copyright", "credits" or "license" for more information.
>>> from geoip import download_geolite
>>> download_geolite()
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
    raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (32, 'EPIPE')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 394, in connect
    ssl_context=context,
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: SysCallError(32, 'EPIPE')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='download.maxmind.com', port=443): Max retries exceeded with url: /app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<KEY>&suffix=zip (Caused by SSLError(SSLError("bad handshake: SysCallError(32, 'EPIPE')")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/opnsense/scripts/filter/lib/geoip.py", line 62, in download_geolite
    r = requests.get(url)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='download.maxmind.com', port=443): Max retries exceeded with url: /app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<KEY>&suffix=zip (Caused by SSLError(SSLError("bad handshake: SysCallError(32, 'EPIPE')")))
>>>

It looks like there is a problem starting an SSL session from Python, but as we're no Python specialists...

The download from a browser works fine, by the way, so the URL is working correctly.
Edit (fabian): removed license key and added code tags
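The traceback above bottoms out in an EPIPE raised from inside the TLS handshake, and the moderator had to strip the license key from the posted URL by hand. As an added example that is not part of the original post or of OPNsense's own code, the following Python script does both jobs in a reusable way: it walks a chained exception to its innermost cause and classifies the failing layer, redacts secret query parameters (assumed names: license_key, key, token, password) from URLs before they reach a log line or a forum post, and offers a stdlib-only TLS probe that performs just the handshake so a failure can be isolated from requests/urllib3/pyOpenSSL. The exception chain it analyses is constructed locally to mirror the page's traceback, not captured from a box; the probe needs network access and is only invoked from the `__main__` block.

```python
"""Triage a failing HTTPS download from Python without leaking the license key."""
import errno
import re
import socket
import ssl
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameters whose values must never reach a log line or a forum post.
# Assumed names for this example; extend for the services you actually call.
SECRET_PARAMS = ("license_key", "key", "token", "password")
_SECRET_RE = re.compile(r"(?i)\b(" + "|".join(map(re.escape, SECRET_PARAMS)) + r")=([^&\s'\")]*)")


def redact_url(url: str) -> str:
    """Replace the value of every secret query parameter with <REDACTED>; keep the rest intact."""
    parts = urlsplit(url)
    query = [(k, "<REDACTED>" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="<>")))


def redact_text(text: str) -> str:
    """Redact secret parameters inside URLs embedded in free text, e.g. a traceback."""
    return _SECRET_RE.sub(r"\1=<REDACTED>", text)


def root_cause(exc: BaseException) -> BaseException:
    """Follow __cause__ (raise ... from) and __context__ (raised while handling) to the first error."""
    seen = {id(exc)}
    while True:
        nxt = exc.__cause__ if exc.__cause__ is not None else exc.__context__
        if nxt is None or id(nxt) in seen:
            return exc
        seen.add(id(nxt))
        exc = nxt


def _is_epipe(exc: BaseException) -> bool:
    """EPIPE however it is wrapped: OSError.errno, or the (errno, name) args that
    pyOpenSSL's SysCallError carries (that class is not an OSError subclass)."""
    if isinstance(exc, OSError) and exc.errno == errno.EPIPE:
        return True
    args = getattr(exc, "args", ())
    return errno.EPIPE in args or "EPIPE" in args


def classify(exc: BaseException) -> str:
    """Name the layer that failed, judged by the innermost exception rather than the outer wrapper."""
    inner = root_cause(exc)
    if isinstance(inner, ssl.SSLCertVerificationError):
        return "tls-cert-verify"            # handshake got far enough to see an untrusted chain
    if _is_epipe(inner):
        return "tls-handshake-peer-closed"  # peer tore the TCP connection down mid-handshake
    if isinstance(inner, ssl.SSLError):
        return "tls-handshake"
    if isinstance(inner, socket.timeout):
        return "network-timeout"
    if isinstance(inner, OSError):
        return "network"
    return "application"


def describe(exc: BaseException) -> dict:
    """Sanitised summary of a failure, safe to paste into a log or a forum post."""
    inner = root_cause(exc)
    return {"layer": classify(exc),
            "root": redact_text(f"{type(inner).__name__}: {inner}"),
            "message": redact_text(str(exc))}


def tls_probe(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """TCP connect plus TLS handshake only, with the stdlib ssl module: no HTTP, no requests,
    no pyOpenSSL. If this fails too, the problem is below the HTTP client. Needs network access."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except OSError as e:  # ssl.SSLError is an OSError subclass, so it lands here as well
        return {"ok": False, **describe(e)}


def simulated_failure() -> Exception:
    """Rebuild the page's exception chain with stdlib types (constructed, not captured):
    EPIPE during the handshake -> SSLError("bad handshake") -> client-level error carrying the URL."""
    url = ("https://download.maxmind.com/app/geoip_download"
           "?edition_id=GeoLite2-Country-CSV&license_key=abc123secret&suffix=zip")
    try:
        try:
            try:
                raise BrokenPipeError(errno.EPIPE, "EPIPE")  # stands in for OpenSSL.SSL.SysCallError(32, 'EPIPE')
            except BrokenPipeError as e:
                raise ssl.SSLError("bad handshake: %r" % e)  # __context__ = the EPIPE
        except ssl.SSLError as e:
            raise RuntimeError("Max retries exceeded with url: " + url) from e  # __cause__ = the SSLError
    except RuntimeError as outer:
        return outer


if __name__ == "__main__":
    import json
    print(json.dumps(describe(simulated_failure()), indent=2))
    print(json.dumps(tls_probe("download.maxmind.com"), indent=2))
```

`describe()` is what to log or post: it names the layer from the innermost exception, which is where the real information sits, and never echoes the key. Running `tls_probe()` from the box's own Python tells you whether the failure is in the handshake itself (stdlib ssl fails too) or in the pyOpenSSL/urllib3 path that requests uses.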

3
19.1 Legacy Series / ipSec Routes missing after interface restart
« on: July 18, 2019, 08:51:47 am »
Hi all,
Since 19.1.8 we see that after the daily restart of our WAN link (PPPoE) all 7 tunnels come back up again, but the routes to those tunnels are missing. We have to recycle strongSwan to get the entries back.

An additional cron job could do this, but there is no option for such a target right now.

4
18.1 Legacy Series / RADVD problem on PPPoE link without public IPv6 address
« on: February 14, 2018, 10:15:10 am »
Our ISP does NOT provide an IPv6 address but uses a link-local address on the PPPoE link, which results in radvd not starting.
Looking at the generated /var/etc/radvd.conf for the WAN interface shows the problem:

# Automatically Generated, do not edit
# Generated for DHCPv6 Server wan
interface igb0 {
   AdvSendAdvert on;
   MinRtrAdvInterval 200;
   MaxRtrAdvInterval 600;
   AdvLinkMTU 1470;
   AdvDefaultPreference medium;
   prefix / {
      DeprecatePrefix on;
      AdvOnLink off;
      AdvAutonomous off;
      AdvRouterAddr on;
   };
   route ::/0 {
      RemoveRoute on;
   };
   DNSSL my.domain { };
};

In the prefix block, neither an address range nor a subnet mask is specified, causing radvd to crash.

Adding a virtual IP address to the WAN interface results in radvd crashing as well. The generated radvd.conf now
shows 2 prefix blocks, one for the virtual and one for the default, non-existing IP address:

# Automatically Generated, do not edit
# Generated for DHCPv6 Server wan
interface igb0 {
   AdvSendAdvert on;
   MinRtrAdvInterval 200;
   MaxRtrAdvInterval 600;
   AdvLinkMTU 1470;
   AdvDefaultPreference medium;
   prefix / {
      DeprecatePrefix on;
      AdvOnLink off;
      AdvAutonomous off;
      AdvRouterAddr on;
   };
   prefix 2001:1234:5678::/48 {
      DeprecatePrefix on;
      AdvOnLink off;
      AdvAutonomous off;
      AdvRouterAddr on;
   };
   route ::/0 {
      RemoveRoute on;
   };
   DNSSL my.domain { };
};

Again, radvd crashes on the missing address and subnet in the first prefix block.

Removing the first prefix block and manually starting radvd gets us going.

In /usr/local/etc/inc/services.inc, the following section seems to set these prefix blocks:

        $stanzas = array();
        $ifcfgsnv6 = get_interface_subnetv6($dhcpv6if);
        $subnetv6 = gen_subnetv6($ifcfgipv6, $ifcfgsnv6);
        $stanzas[] = "{$subnetv6}/{$ifcfgsnv6}";

        $viparr = &config_read_array('virtualip', 'vip');
        foreach ($viparr as $vip) {
            if ($vip['interface'] == $dhcpv6if && is_ipaddrv6($vip['subnet'])) {
                $ifcfgsnv6 = $vip['subnet_bits'];
                $subnetv6 = gen_subnetv6($vip['subnet'], $ifcfgsnv6);
                $stanzas[] = "{$subnetv6}/{$ifcfgsnv6}";
            }
        }

If $ifcfgsnv6 is checked for an empty value, the config file is generated correctly and radvd runs fine:

        $stanzas = array();
        $ifcfgsnv6 = get_interface_subnetv6($dhcpv6if);
        if ($ifcfgsnv6) {
            $subnetv6 = gen_subnetv6($ifcfgipv6, $ifcfgsnv6);
            $stanzas[] = "{$subnetv6}/{$ifcfgsnv6}";
        }

Resulting radvd.conf:

# Automatically Generated, do not edit
# Generated for DHCPv6 Server wan
interface igb0 {
   AdvSendAdvert on;
   MinRtrAdvInterval 200;
   MaxRtrAdvInterval 600;
   AdvLinkMTU 1470;
   AdvDefaultPreference medium;
   route ::/0 {
      RemoveRoute on;
   };
   DNSSL my.domain { };
};
   
Please review the code to eliminate this error condition, thanks.


5
17.1 Legacy Series / [SOLVED] DNS requests do not enter IPsec tunnel
« on: May 30, 2017, 04:48:14 pm »
DNS requests made to the DNS resolver (Unbound) do not go through the IPsec tunnel for domain overrides.
These DNS requests follow the routing table, which states that the network on the other side of the IPsec tunnel is reached via the WAN interface. I don't understand how traffic from any workstation other than the OPNsense box and destined for the remote IPsec network can find its way through the tunnel, but packets originating from the OPNsense box itself are routed via the WAN interface, bypassing the IPsec tunnel.



6
17.1 Legacy Series / radvd on PPPoE interface problem
« on: May 04, 2017, 12:09:29 pm »
Situation:
2 OPNsense firewalls in Master-Slave configuration

WAN interface: PPPoE to ISP Titan Networks Germany
IPv4 and IPv6 configured and running
IPv6 settings:
- DHCPv6
- Request Prefix only (no static IPv6 address)
- Prefix-Length = 48

The WAN link will come up with link-local addresses.

LAN interface set up with a static address and a 64 prefix length.

Router advertisements on the WAN link cannot be configured as it has no static address.
Router advertisements on the LAN link are set to unmanaged so attached workstations will use SLAAC to get their IPv6 configuration (IP address, prefix length, DNS server etc.).

Due to a bug in the services.inc file, router advertisements are turned ON in radvd.conf for the WAN interface. This causes radvd to crash (neither a prefix address nor a netmask is returned).

Workaround: add an additional section to cancel the WAN configuration in services.inc as follows (last elseif):

    /* handle manually configured DHCP6 server settings first */
    foreach ($config['dhcpdv6'] as $dhcpv6if => $dhcpv6ifconf) {
        if (!isset($config['interfaces'][$dhcpv6if]['enable'])) {
            continue;
        } elseif (isset($blacklist[$dhcpv6if])) {
            /* Do not put in the config an interface which is down */
            continue;
        } elseif (!isset($dhcpv6ifconf['ramode']) || $dhcpv6ifconf['ramode'] == 'disabled') {
            continue;
        } elseif (get_real_interface($dhcpv6if, "inet6") == 'igb0') {
            continue;
        }

Please advise how to replace the last check to directly check for the PPPoE interface, as igb0 is obviously hardware dependent.
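Both radvd threads above (the 18.1 post about the missing prefix and this 17.1 post with the hard-coded igb0 check) come down to the same missing check: a prefix stanza is emitted for a WAN that only carries a link-local address, so radvd is handed `prefix / {` and crashes, and the workaround then pins the exclusion to a hardware interface name. As an added example that is not part of the original posts or of OPNsense's own services.inc, the following Python script shows the check done on the address itself rather than on the interface name: it parses FreeBSD-style `ifconfig` output (constructed sample below, not captured from a real box), keeps only prefixes radvd may announce, emits an interface block only when at least one such prefix exists, and validates an existing radvd.conf for empty or malformed prefix stanzas. The stanza options it writes (AdvOnLink/AdvAutonomous on) are the unmanaged/SLAAC case described in this post and are an assumption; the DNSSL domain is a placeholder.

```python
"""Emit radvd prefix stanzas only for interfaces that actually hold an advertisable IPv6 prefix."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed FreeBSD-style ifconfig output: a PPPoE WAN with only a link-local address
# and a LAN with a global /64. Not captured from a real box.
IFCONFIG_SAMPLE = """\
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
\tinet6 fe80::211:bcff:fe00:1%pppoe0 prefixlen 64 scopeid 0x7
\tinet 203.0.113.10 --> 203.0.113.1 netmask 0xffffffff
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::1:2:3:4%igb1 prefixlen 64 scopeid 0x2
\tinet6 2001:db8:1234:1::1 prefixlen 64
\tinet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
"""

# Constructed mirror of the broken config from the forum post: a prefix stanza with no prefix.
BROKEN_RADVD_CONF = """\
interface igb0 {
   AdvSendAdvert on;
   prefix / {
      DeprecatePrefix on;
      AdvOnLink off;
      AdvAutonomous off;
      AdvRouterAddr on;
   };
   route ::/0 {
      RemoveRoute on;
   };
};
"""

_IFACE_RE = re.compile(r"^(\S+): flags=")
_INET6_RE = re.compile(r"^\s+inet6 (\S+) prefixlen (\d+)")
_PREFIX_STANZA_RE = re.compile(r"^\s*prefix\s+(\S*)\s*\{", re.M)


def parse_ifconfig(text: str) -> Dict[str, List[ipaddress.IPv6Interface]]:
    """Map interface name -> IPv6 addresses with prefix length; the %scope suffix is dropped."""
    result: Dict[str, List[ipaddress.IPv6Interface]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = _INET6_RE.match(line)
        if m and current is not None:
            addr = m.group(1).split("%", 1)[0]
            result[current].append(ipaddress.IPv6Interface(f"{addr}/{m.group(2)}"))
    return result


def advertisable_prefixes(addrs: List[ipaddress.IPv6Interface]) -> List[ipaddress.IPv6Network]:
    """Prefixes radvd may announce: anything that is not link-local, loopback, multicast or ::.
    ULA (fd00::/8) is kept on purpose; it is a legitimate on-link prefix."""
    nets: List[ipaddress.IPv6Network] = []
    for a in addrs:
        ip = a.ip
        if ip.is_link_local or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            continue
        if a.network not in nets:
            nets.append(a.network)
    return nets


def render_interface(name: str, addrs: List[ipaddress.IPv6Interface],
                     domain: str = "my.domain") -> Optional[str]:
    """radvd interface block for an unmanaged (SLAAC) interface, or None when there is
    nothing to advertise. Returning None is the check the posted services.inc lacked."""
    nets = advertisable_prefixes(addrs)
    if not nets:
        return None
    lines = [f"interface {name} {{", "   AdvSendAdvert on;",
             "   MinRtrAdvInterval 200;", "   MaxRtrAdvInterval 600;"]
    for net in nets:
        lines += [f"   prefix {net} {{", "      AdvOnLink on;",
                  "      AdvAutonomous on;", "      AdvRouterAddr on;", "   };"]
    lines += ["   route ::/0 {", "      RemoveRoute on;", "   };",
              f"   DNSSL {domain} {{ }};", "};"]
    return "\n".join(lines) + "\n"


def validate_radvd_conf(text: str) -> List[str]:
    """Flag prefix stanzas whose prefix is empty or not a valid IPv6 network,
    i.e. the exact input that made radvd crash on the page."""
    issues: List[str] = []
    for m in _PREFIX_STANZA_RE.finditer(text):
        raw = m.group(1)
        try:
            if "/" not in raw:
                raise ValueError("missing prefix length")
            ipaddress.IPv6Network(raw, strict=False)
        except ValueError as e:
            issues.append(f"prefix stanza '{raw}': {e}")
    return issues


if __name__ == "__main__":
    for iface, addrs in parse_ifconfig(IFCONFIG_SAMPLE).items():
        block = render_interface(iface, addrs)
        print(f"# {iface}: skipped, no advertisable prefix" if block is None else block)
    print(validate_radvd_conf(BROKEN_RADVD_CONF))
```

Deciding on the address rather than the interface name means the same rule holds whether the WAN is igb0, pppoe0 or a VLAN, and a WAN that later receives a delegated or static global prefix starts advertising without a code change. `validate_radvd_conf()` is the pre-flight check a generator should run before handing the file to radvd.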

7
16.7 Legacy Series / access to internal host via IPv6 results in destination unreachable
« on: January 11, 2017, 09:55:50 am »
Situation:

dual-stack PPPoE link to ISP with link-local addresses
outgoing IPv4 and IPv6 work without a problem (floating rule IPv6-ICMP on LAN and WAN)
incoming IPv4 also no problem (NATted hosts are reachable)

rule to allow incoming IPv6 HTTP on WAN to a host called "2001:Target"
rule to allow ALL IPv6 on LAN ("2001:LAN")

The incoming request reaches "2001:Target", but the answer back to host "2a01:Requestor" results in a destination unreachable message ("2001:LAN" is the LAN address of the OPNsense box):

IP6 "2a01:Requestor".65170 > "2001:Target".80: tcp 0
IP6 "2001:LAN" > "2001:Target": ICMP6, neighbor solicitation, who has "2001:Target", length 32
IP6 "2001:Target" > ff02::1:ff00:11: ICMP6, neighbor solicitation, who has "2001:LAN", length 32
IP6 "2001:Target" > "2001:LAN": ICMP6, neighbor advertisement, tgt is "2001:Target", length 32
IP6 "2001:Target".80 > "2a01:Requestor".65170: tcp 0
IP6 "2001:LAN" > "2001:Target": ICMP6, destination unreachable, unreachable address "2a01:Requestor", length 84

We suspect that there is a problem with the default routing, as we do NOT see one for IPv6 under System – Route – Status.

On the console, there IS a default route:

Internet6:
Destination        Gateway                           Flags    Netif   Expire
default            fe80::211:bcff:feb9:4c08%pppoe0   UGS      pppoe0

8
16.7 Legacy Series / RADVD config empty after update to 16.7.12
« on: January 02, 2017, 09:46:53 am »
Last night, we updated our 2 OPNsense firewalls (CARP) to 16.7.12.
On the primary, unbound did not start by itself; a manual start worked.

Also on the primary, radvd did not start (on the secondary machine all is fine).
We found that the radvd.conf file in /var/etc/ was empty, contrary to the same file on the secondary machine.
Changing settings in the advertisement or DHCPv6 server page did not create any entries in the file (on the secondary, it did).
We then copied the contents of radvd.conf from the secondary to the primary and were able to start the service, but any modification from the web interface empties the file again.
We have not enabled the DHCPv6 server, only radvd as an unmanaged service.
Everything worked until the update.
What concerns us is the fact that it works on one machine but not on the other, although they are both on the same software level.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved