Topics

1

18.7 Legacy Series / 18.7 upgrade stories

« on: July 31, 2018, 10:48:05 pm »

For me the upgrade went fine without any problems via GUI.
I'm running the following services:

• IPv4/IPv6 dual stack PPPoE WAN (DSL)
• Internal network is untagged, guest and DMZ tagged on the same Realtek NIC
• DHCPv4 and DHCPv6 server
• Traffic shaper against bufferbloat
• OpenVPN Server
• IKEv2 Client VPN Server
• HAProxy
• Network Time
• Unbound DNS

2

18.1 Legacy Series / [SOLVED] 18.1.5 IPv6 bogons invalid after update

« on: March 26, 2018, 07:25:25 pm »

After updating today to 18.1.5 no through-the-firewall connection worked, the error I've found in the log was:

Code: [Select]

Mar 26 18:47:01 firewall opnsense: /usr/local/etc/rc.filter_configure: New alert found: There were error(s) loading the rules: no IP address found for <!DOCTYPE
The number of states also remained at zero.
After disabling my spamhaus.org deny rules which are using a downloaded IP list via an alias, the error still remained.

A reboot didn't solve the issue either.

I then remembered that OPNsense has a checkbox for blocking bogons, after I've disabled it everything worked again.

I've checked /usr/loca/etc/bogons which was fine, but /usr/local/etc/bogonsv6 contained HTML!

I've further found:

Mar 21 03:01:00 firewall root: rc.update_bogons is starting up
Mar 21 03:01:00 firewall root: rc.update_bogons is sleeping for 86 seconds
Mar 21 03:02:26 firewall root: rc.update_bogons is beginning the update cycle
Mar 21 03:02:26 firewall root: Not updating IPv4 bogons (increase table-entries limit)
Mar 21 03:02:26 firewall root: Not saving or updating IPv6 bogons (increase table-entries limit)
Mar 21 03:02:26 firewall root: rc.update_bogons is ending the update cycle

From which URL are the bogons downloaded? Can you implement a safety check which validates the received list?
Thanks, Alex

3

17.1 Legacy Series / [17.1.4] haProxy certificate file error

« on: April 03, 2017, 10:14:51 pm »

I had to reinstall my firewall because the OCZ Vertex 3 SSD lost SATA connection every few days.
The Samsung 850 Evo I had in the box before using Sophos XG worked and works flawless.
After restoring the backup haProxy didn't start and doing so on the cli it turned out it logs the following error:

Code: [Select]

[ALERT] 092/220547 (13988) : parsing [/usr/local/etc/haproxy.conf:37] : 'bind 1.2.3.4:443' : unable to load SSL private key from PEM file '/var/etc/haproxy/ssl/58924ec1d2166.pem'.
[ALERT] 092/220547 (13988) : parsing [/usr/local/etc/haproxy.conf:56] : 'bind 1.2.3.4:4443' : unable to load SSL private key from PEM file '/var/etc/haproxy/ssl/58924ec1d2166.pem'.
[ALERT] 092/220547 (13988) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf
[ALERT] 092/220547 (13988) : Proxy 'fqdn_A': no SSL certificate specified for bind '1.2.3.4:443' at [/usr/local/etc/haproxy.conf:37] (use 'crt').
[ALERT] 092/220547 (13988) : Proxy 'fqdn_B': no SSL certificate specified for bind '1.2.3.4:4443' at [/usr/local/etc/haproxy.conf:56] (use 'crt').
[ALERT] 092/220547 (13988) : Fatal errors found in configuration.

This comes from the following line in the generated pem file:

Code: [Select]

-----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----
When I put in a linefeed inbetween haproxy starts but the pem file is overwritten each time I start haproxy from the WebUI.

What made troubleshooting hard is the fact that those errors aren't shown in the WebUI haProxy log.

4

17.1 Legacy Series / 6in4 tunnel down after each reboot

« on: February 09, 2017, 09:31:15 pm »

I *think* his happened already in the last 16.7 version after I'm renamed the 6in4 interface description.
After upgrading to 17.1 the issue still exists.
The 6in4 interface is shown as down, disabling the interface, saving, enabling it again, saving and applying brings it back up.

I found some log messages that might be related to this:

opnsense: /usr/local/etc/rc.bootup: The command '/sbin/route delete -inet6 'default' '2001:f00:9e:99::1'' returned exit code '1', the output was 'route: route has not been found delete net default: gateway 2001:f00:9e:99::1 fib 0: not in table'
opnsense: /usr/local/etc/rc.bootup: ROUTING: setting IPv6 default route to 2001:f00:9e:99::1
opnsense: /usr/local/etc/rc.bootup: The command '/sbin/ifconfig gif0 tunnel '216.66.86.122'' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments'
kernel: gif0: link state changed to DOWN

I haven't tried deleting the whole 6in4 interface, gateway and gif interface as I don't want to lose my interface specific firewall rules.
If there is a way to backup and restore those I'll just try that.

5

17.1 Legacy Series / IPv6 transparent proxy

« on: February 01, 2017, 09:42:56 pm »

I can't get transparent proxy to work with IPv6.
The port forwarding rule goes to ::1 instead of 127.0.0.1 for IPv6, the rest is identical. As soon as I enable this no tcp/80 or tcp/443 traffic via IPv6 works and I can't find any indication why in the logs.