Topics - abraxxa

#1
Same issue as this user had with 20.1 still exists in 20.7: https://forum.opnsense.org/index.php?topic=17190.msg78161

Interestingly the IPv6 address of each interface is returned but only the IPv4 interface of one ???

Is there a config option to control the automatic DNS entry generation for the firewall itself?
#2
Flows from Internet to WAN interface are missing in Insight, for example flows from an Internet host to haProxy listening on the WAN interface.
The connections from haProxy to the inside host via the LAN interface are there but of course only show the LAN interface IP.
My Netflow configuration is to listen on all interfaces (including WAN and LAN) and the Internet facing 'WAN' interface is the only one configured under 'WAN interfaces'.
I guess the IPv4 double counting prevention for NAT swallows those.
#3
18.7 Legacy Series / 18.7 upgrade stories
July 31, 2018, 10:48:05 PM
For me the upgrade went fine without any problems via GUI.
I'm running the following services:

  • IPv4/IPv6 dual stack PPPoE WAN (DSL)
  • Internal network is untagged, guest and DMZ tagged on the same Realtek NIC
  • DHCPv4 and DHCPv6 server
  • Traffic shaper against bufferbloat
  • OpenVPN Server
  • IKEv2 Client VPN Server
  • HAProxy
  • Network Time
  • Unbound DNS
#4
After updating today to 18.1.5 no through-the-firewall connection worked, the error I've found in the log was:
Mar 26 18:47:01 firewall opnsense: /usr/local/etc/rc.filter_configure: New alert found: There were error(s) loading the rules: no IP address found for <!DOCTYPE

The number of states also remained at zero.
After disabling my spamhaus.org deny rules which are using a downloaded IP list via an alias, the error still remained.

A reboot didn't solve the issue either.

I then remembered that OPNsense has a checkbox for blocking bogons, after I've disabled it everything worked again.

I've checked /usr/local/etc/bogons which was fine, but /usr/local/etc/bogonsv6 contained HTML!

I've further found:
Mar 21 03:01:00 firewall root: rc.update_bogons is starting up
Mar 21 03:01:00 firewall root: rc.update_bogons is sleeping for 86 seconds
Mar 21 03:02:26 firewall root: rc.update_bogons is beginning the update cycle
Mar 21 03:02:26 firewall root: Not updating IPv4 bogons (increase table-entries limit)
Mar 21 03:02:26 firewall root: Not saving or updating IPv6 bogons (increase table-entries limit)
Mar 21 03:02:26 firewall root: rc.update_bogons is ending the update cycle

From which URL are the bogons downloaded? Can you implement a safety check which validates the received list?
Thanks, Alex
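The kind of safety check asked for above, as an added example that is not OPNsense's own rc.update_bogons code: a downloaded bogon list is only accepted if every line parses as a prefix of the expected IP version, so an HTML page (the failure in the post) is rejected before it ever reaches pf. The sample lists are constructed.

```python
"""Validate a downloaded bogon list before installing it into a pf table.

Added example, not OPNsense's rc.update_bogons. It models the failure above:
the IPv6 bogon file contained an HTML page instead of prefixes, and pf then
failed with "no IP address found for <!DOCTYPE".
"""
import ipaddress


def validate_bogon_list(text, version):
    """Return (ok, prefixes, problems).

    ok is True only when every non-comment line is a network of the requested
    IP version and the file holds at least one prefix.
    """
    prefixes = []
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Angle brackets never occur in a prefix list; they mean we got a web page.
        if "<" in line or ">" in line:
            problems.append(f"line {lineno}: markup instead of a prefix: {line[:40]!r}")
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append(f"line {lineno}: not a valid prefix: {line!r}")
            continue
        if net.version != version:
            problems.append(f"line {lineno}: IPv{net.version} prefix in IPv{version} list")
            continue
        prefixes.append(str(net))
    if not prefixes:
        problems.append("list contains no prefixes")
    return (not problems, prefixes, problems)


# Constructed samples: a valid IPv6 list and the HTML page from the post.
GOOD_V6 = "# constructed sample\n2001:db8::/32\n100::/64\n"
BAD_V6 = "<!DOCTYPE html>\n<html><body>Moved</body></html>\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD_V6), ("bad", BAD_V6)):
        ok, prefixes, problems = validate_bogon_list(sample, 6)
        print(name, "accepted" if ok else "rejected", prefixes, problems)
```

Only the validated prefix list is written to the table file; on rejection the previous file is kept and the problems are logged.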
#5
I had to reinstall my firewall because the OCZ Vertex 3 SSD lost SATA connection every few days.
The Samsung 850 Evo I had in the box before using Sophos XG worked and works flawlessly.
After restoring the backup haProxy didn't start, and when starting it on the CLI it turned out that it logs the following error:

[ALERT] 092/220547 (13988) : parsing [/usr/local/etc/haproxy.conf:37] : 'bind 1.2.3.4:443' : unable to load SSL private key from PEM file '/var/etc/haproxy/ssl/58924ec1d2166.pem'.
[ALERT] 092/220547 (13988) : parsing [/usr/local/etc/haproxy.conf:56] : 'bind 1.2.3.4:4443' : unable to load SSL private key from PEM file '/var/etc/haproxy/ssl/58924ec1d2166.pem'.
[ALERT] 092/220547 (13988) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf
[ALERT] 092/220547 (13988) : Proxy 'fqdn_A': no SSL certificate specified for bind '1.2.3.4:443' at [/usr/local/etc/haproxy.conf:37] (use 'crt').
[ALERT] 092/220547 (13988) : Proxy 'fqdn_B': no SSL certificate specified for bind '1.2.3.4:4443' at [/usr/local/etc/haproxy.conf:56] (use 'crt').
[ALERT] 092/220547 (13988) : Fatal errors found in configuration.

This comes from the following line in the generated pem file:
-----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----

When I put in a linefeed in between, haproxy starts, but the pem file is overwritten each time I start haproxy from the WebUI.

What made troubleshooting hard is the fact that those errors aren't shown in the WebUI haProxy log.
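A check for the PEM defect described above, as an added example that is neither OPNsense's nor HAProxy's code: it detects an END marker glued to the next BEGIN marker on one line (the exact line quoted in the post), reports a bundle that lacks a key or certificate block, and returns a repaired copy. The bundle contents are constructed placeholders.

```python
"""Check a combined key+certificate PEM bundle for a fused block boundary.

Added example, not OPNsense's or HAProxy's code. PEM markers must each start
on their own line; when the generator writes
"-----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----" on one line, the
private key block is not terminated and HAProxy cannot load it.
"""
import re

# An END marker immediately followed by a BEGIN marker with no line break.
FUSED = re.compile(r"(-----END [A-Z0-9 ]+-----)(?=-----BEGIN )")
BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def pem_blocks(text):
    """Return the labels of BEGIN markers that sit on their own line, in order."""
    labels = []
    for line in text.splitlines():
        m = BEGIN.fullmatch(line.strip())
        if m:
            labels.append(m.group(1))
    return labels


def check_haproxy_pem(text):
    """Return (ok, problems) for a bundle that must hold a key and a cert."""
    problems = []
    if FUSED.search(text):
        problems.append("END marker and next BEGIN marker are on the same line")
    labels = pem_blocks(text)
    if not any(lab.endswith("PRIVATE KEY") for lab in labels):
        problems.append("no private key block found")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block found")
    return (not problems, problems)


def repair_pem(text):
    """Insert the missing line break so every marker starts its own line."""
    return FUSED.sub(r"\1\n", text)


# Constructed bundle reproducing the fused line from the post (bodies are dummies).
BROKEN = ("-----BEGIN RSA PRIVATE KEY-----\nKEYBODYPLACEHOLDER\n"
          "-----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----\n"
          "CERTBODYPLACEHOLDER\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_haproxy_pem(BROKEN))
    print(check_haproxy_pem(repair_pem(BROKEN)))
```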
#6
17.1 Legacy Series / 6in4 tunnel down after each reboot
February 09, 2017, 09:31:15 PM
I *think* this happened already in the last 16.7 version after I renamed the 6in4 interface description.
After upgrading to 17.1 the issue still exists.
The 6in4 interface is shown as down, disabling the interface, saving, enabling it again, saving and applying brings it back up.

I found some log messages that might be related to this:
opnsense: /usr/local/etc/rc.bootup: The command '/sbin/route delete -inet6 'default' '2001:f00:9e:99::1'' returned exit code '1', the output was 'route: route has not been found delete net default: gateway 2001:f00:9e:99::1 fib 0: not in table'
opnsense: /usr/local/etc/rc.bootup: ROUTING: setting IPv6 default route to 2001:f00:9e:99::1
opnsense: /usr/local/etc/rc.bootup: The command '/sbin/ifconfig gif0 tunnel '216.66.86.122'' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments'
kernel: gif0: link state changed to DOWN

I haven't tried deleting the whole 6in4 interface, gateway and gif interface as I don't want to lose my interface specific firewall rules.
If there is a way to backup and restore those I'll just try that.
#7
17.1 Legacy Series / IPv6 transparent proxy
February 01, 2017, 09:42:56 PM
I can't get transparent proxy to work with IPv6.
The port forwarding rule goes to ::1 instead of 127.0.0.1 for IPv6, the rest is identical. As soon as I enable this no tcp/80 or tcp/443 traffic via IPv6 works and I can't find any indication why in the logs.