Topics - gothbert

1
24.7 Production Series / No LAN connectivity with radvd sendmsg: No buffer space available
« on: October 14, 2024, 08:56:51 pm »
Hi,

I run OPNsense 24.7.6. Last evening, IPv4 network connectivity broke. Restarting all services from the console menu did not help. A reboot was required.

This is what the General Log reveals:

Every 30 minutes, dhcp6c logs dhcp6c_script: RENEW on igb0 executing. igb0 is the WAN interface. Then, suddenly, radvd reports about 17 minutes later: sendmsg: No buffer space available. This message repeats every 5 seconds.

Pinging the LAN interface via IPv4(!) does not work. Neither can I reach any host on the LAN from OPNsense.

Only rebooting OPNsense brings operations back to normal. I had this once before with the previous version.

There are several reports of this issue in the forum but with little to no response or solution. I am willing to contribute logs, configuration etc. to help solve the issue.

Kind regards,
Boris

2
24.7 Production Series / [Solved] OPNsense suddenly unreachable - How to debug (other issue)
« on: August 22, 2024, 01:21:04 pm »
Dear all,

It randomly happens that my OPNsense is suddenly not reachable any more. I am currently (still) on OPNsense 24.7.1-amd64 but have had these issues, say, once every quarter for a long time.

It just occurred ten minutes ago. I had to power the device down and back on. I read the thread with the same subject from today but it did not help. There is only the latest log showing entries since the last boot at 13:03 in /var/log/system. What I need are the logs from the previous run. Where have they gone? System | Settings | Logging, Tab "Local" is set to keep 31 log files.

Any help would be appreciated.

Best regards,
Boris

3
Hardware and Performance / Use SOPHOS SG 430 Management Port?
« on: June 22, 2024, 03:20:27 pm »
Hi,

I bought a used SOPHOS SG 430 Firewall Appliance and replaced the SOPHOS operating system with OPNsense 24.1. This runs all fine, including the LCD.

But I cannot use the MGMT ethernet port. It does not appear in the device list (dmesg) and I also cannot access it via its default IP address 10.0.1.1 (https://10.0.1.1:4444). I did not find any mention of the management port on the web other than on the SOPHOS help page.

Any hints?

Kind regards
Boris

4
22.1 Legacy Series / [Solved] Where are the Router Advertisement settings?
« on: June 21, 2022, 12:56:30 pm »
Hello,

this is OPNsense 22.1.8_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1o 3 May 2022.

This might sound stupid but I am missing the Services | Router Advertisement menu entry:

https://docs.opnsense.org/manual/radvd.html?highlight=advertisments#

radvd is happily running.

What can I do?

Kind regards,
Boris

5
21.1 Legacy Series / [SOLVED] syslog-ng legacy configuration
« on: July 05, 2021, 07:54:43 am »
Hello,

I am currently using OPNsense 21.1.7_1-amd64.

A few weeks ago I migrated the LAN of my OPNsense box from 192.168.31.0/24 to 192.168.11.0/24, thereby dropping the remote syslog server 192.168.31.2. However, syslog-ng still tries to connect to 192.168.31.2. Since I did not find any trace of this setting in the GUI, I browsed through the config files and found /usr/local/etc/syslog-ng.conf.d/legacy-remote.conf dated Apr 24 2020 still containing the entry.

Can I safely delete both legacy.conf and legacy-remote.conf in that directory? Is this a leftover from a previous update?

Kind regards
Boris

6
General Discussion / WiFi: multiple SSIDs with different networks?
« on: February 18, 2019, 09:21:22 pm »
Hi,

I did not find the docs on wireless LAN, nor could I look it up in my current configuration for lack of a wireless adapter:

Is it possible with OPNsense to span 3 wireless networks with different SSIDs and connect them to 3 different firewall zones (LAN, Guest, IoT) on the same one and only wireless network card?

Kind regards,
Boris

7
General Discussion / NFS server and/or syncthing under OPNsense
« on: February 18, 2019, 07:35:48 pm »
Hi,

has somebody already set up an NFS server and/or syncthing under OPNsense?

I know this is not actually the job of a firewall, so here is why I'm asking: I would like to use OPNsense on an APU 4C4 board in a second home mainly for caching and filtering out ads (and because it is fun). The APU 4C4 equipped with a 500 GB SSD could readily also be used as file storage for the home directory and for synchronization with the NAS in the primary location.

In my opinion, the straightforward way would be a jail with NFS server and syncthing installed manually. But maybe there are other suggestions out there or warnings to better drop that idea. I'd be happy to know.

Best regards,
Boris

8
19.7 Legacy Series / Move to FreeBSD 12?
« on: February 17, 2019, 03:30:53 pm »
Hi,

what plans are there for moving OPNsense to FreeBSD 12?

I am asking because I consider buying a box with WLE900VX WLAN module which requires 802.11ac support.

Kind regards
Boris

9
18.7 Legacy Series / External IPv6 DNS Servers are sometimes passed to client but should not
« on: September 08, 2018, 11:23:15 pm »
Hi,

this is the relevant configuration of the opnsense box:

OPNsense 18.7.1_3-amd64
DHCPv6 is off
DNSmasq DNS is off
Unbound DNS is on, in Forwarding Mode, local zone type= transparent
Settings | General | DNS servers: set to Google IPv4 and IPv6 webservers

My Ubuntu 18.04 workstation is set to static IPv4. IPv6 is autoconfigured (opnsense box internal network "home" tracks WAN).

During the last months I have seen the following behavior on my workstation:
- In normal operation, the IPv4 and IPv6 addresses of the opnsense box are passed as DNS servers to the workstation.
- From time to time, the IPv6 addresses of the Google DNS servers are passed to the workstation as well, thus bypassing the resolution of the hostnames in the internal network configured in Unbound DNS Server overrides. This happens spontaneously, i.e. the workstation boots up in the desired state and spontaneously transitions into the undesired state.

When the issue is present, systemd-resolve --status on the workstation gives (shortened):

Code:
Global
          DNS Domain: home.mydomain.de
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      ...
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (enp0s25)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.31.1         <---- opnsense box
                      2001:4860:4860::8888   <----  Google DNS server
                      2001:4860:4860::8844  <----  Google DNS server
                      2a02:...:fe5d:4ca1     <---- opnsense box
          DNS Domain: home.mydomain.de

I suspect that this behavior occurs when the external IP address of the opnsense box changes (DS-Lite Unitymedia cable connection).

How can I trace the issue to its root cause and remedy it? Your help would be greatly appreciated, thanks in advance.
Boris

10
18.1 Legacy Series / [SOLVED] 18.1.5: IPv6 interface tracking does not work for me any more
« on: March 22, 2018, 08:32:13 pm »
Hi,

I upgraded from 18.1.3 to 18.1.5 recently. Now my LAN interfaces do not get IPv6 addresses any more as they did previously in the 18.1 series. The LAN interfaces are set to IPv6 Configuration Type: Track Interface (WAN). WAN has an IPv6 address.

Rebooted several times, even with suricata turned off, without success. What logs should I have a look into on the search for the cause?

Kind regards
Boris

11
Web Proxy Filtering and Caching / Transparent SSL Proxy and Letsencrypt Certificate
« on: February 17, 2018, 09:58:00 pm »
Hi,

as more and more sites on the internet use HTTPS for delivering content, I would like to make Squid cache encrypted connections as well. I had this setup once but dropped it soon because I did not want to install the self-signed certificate on any PC, smartphone, ... in my local net.

I am now considering using this feature in combination with the os-acme-client and the os-haproxy plugins to facilitate the automatic retrieval of Letsencrypt certificates for the man-in-the-middle OPNsense box. This will be some work, particularly because my OPNsense box sits behind the FritzBox which connects the LAN to the internet.

Thus, three questions, please, to check if I am on the right track:
1. Is this feasible at all? I have my own DynDNS service running and can assign an official domain name to my internet-facing IPv6 address assigned by my provider.
2. What needs to be said about the hostname of the OPNsense box in relation to the domain name for which the Letsencrypt certificate is issued?
3. Won't the browser still complain since the domain in the OPNsense box's certificate does not match the remote website's domain?

Kind regards
Boris
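
The third question above comes down to the hostname check every browser runs against a certificate's Subject Alternative Names. The following Python block is an added example, not code from the post or from OPNsense/Squid; it implements that check with the usual RFC 6125 rules (case-insensitive labels, a wildcard only as the whole left-most label, never spanning a dot, and never matching a bare public suffix), and the names in the test are constructed.

```python
"""Hostname verification as a TLS client performs it against a certificate's
dNSName Subject Alternative Names (RFC 6125 rules, simplified).

Added example; not code from the forum post or from OPNsense/Squid.
"""


def match_hostname(san_dns_names, hostname):
    """Return True if any dNSName SAN entry covers `hostname`.

    Rules: labels compare case-insensitively; a wildcard is honoured only as the
    complete left-most label; it never spans a dot (so *.example.com does not
    cover a.b.example.com); and a wildcard needs at least two labels to its
    right, so '*.com' matches nothing.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def proxy_cert_accepted(proxy_san_names, requested_site):
    """Would a client that asked for `requested_site` accept a certificate that
    carries only `proxy_san_names`? This is exactly question 3 in the post."""
    return match_hostname(proxy_san_names, requested_site)


if __name__ == "__main__":
    # Constructed names: the proxy's own publicly issued certificate vs. a site a LAN client visits.
    print(proxy_cert_accepted(["proxy.home.example.de"], "www.example.com"))  # False
```

A publicly trusted CA only issues a certificate for names the requester proved control of, so a Let's Encrypt certificate for the OPNsense box can never satisfy a browser that asked for some other site. That is why transparent HTTPS interception mints a fresh per-site certificate from a CA the clients have been made to trust, and why there is no way around installing that CA on every device.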

12
17.7 Legacy Series / OpenVPN connection dropped every 30 minutes
« on: December 29, 2017, 08:55:41 am »
Hi,

I recently noticed that the OpenVPN connection from OPNsense (client) to server drops exactly every 30 minutes.

Since the OpenVPN server process complains about a reconnect of the same client when OPNsense re-initiates the connection, I assume that the disconnect is triggered on the client end of the connection, but not necessarily caused by OPNsense or the running OpenVPN client process.

The keepalive option is set. No 1800 (seconds) or 30 (minutes) in any config.

The client log only shows the reconnect, even at verbosity 5.

Could this be related to issues https://github.com/opnsense/core/issues/2010 and https://github.com/opnsense/core/issues/1931 and an internal 30 minute timer at OPNsense trying to restart the client?

Regards,
Boris

client configuration (OPNsense):

Code:
root@opnsense:/var/etc # less openvpn/client1.conf
dev ovpnc1
verb 3
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.178.2
engine rdrand
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote s1.4nv.de 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
passtos
resolv-retry infinite
reneg-sec 0
#fragment 1428
mssfix 1428

server configuration:

Code:
verb 3
#verb 6

proto udp
port 1194

dev vpn-s1
dev-type tun
# fragment 1428 # does not work with android
# mssfix
mssfix 1428
keepalive 10 60
passtos
fast-io
#compress lz4
comp-lzo adaptive

# test
reneg-sec 7200

tls-server
key /etc/openvpn/........
cert /etc/openvpn/........
ca /etc/openvpn/........
dh /etc/openvpn/........
remote-cert-eku "TLS Web Client Authentication"
cipher AES-256-CBC
tls-auth /etc/openvpn/........ 0

float  # Allow remote peer to change its IP address and/or port number, such as due to DHCP

topology subnet
server 192.168.38.0 255.255.255.0
client-config-dir /etc/openvpn/......../clients
route 192.168.30.0 255.255.255.0
route 192.168.31.0 255.255.255.0
route 192.168.178.0 255.255.255.0
client-to-client
push "route 192.168.30.0 255.255.255.0"
push "route 192.168.31.0 255.255.255.0"

push "dhcp-option DNS 192.168.31.1"

management localhost 7505
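
When a tunnel drops on a fixed period, the first things to compare across the two configs are the timers that OpenVPN derives from `keepalive` and `reneg-sec`, and while one is at it, the settings a reviewer would flag for hardening. The Python block below is an added example, not code from the post or from OPNsense; its two sample configs are constructed from the directives quoted above, with placeholder hostname, addresses and paths. It expands `keepalive` into the ping/ping-restart pair each side really uses (a server doubles the restart timeout), computes the effective renegotiation interval across both sides (0 disables a side's timer, the default is 3600), and lists findings such as data-channel compression, CBC ciphers, HMAC-SHA1, `script-security 3` and an unauthenticated management socket.

```python
"""Audit an OpenVPN client/server config pair for timers and security-relevant settings.

Added example, not code from the forum post or the OPNsense project. The sample
configs are constructed; hostname, addresses and file paths are placeholders.
"""
import shlex

CLIENT_CONF = """\
client
tls-client
remote vpn.example.invalid 1194
proto udp
keepalive 10 60
cipher AES-256-CBC
auth SHA1
tls-auth /path/to/client.tls-auth 1
comp-lzo adaptive
reneg-sec 0
script-security 3
"""

SERVER_CONF = """\
tls-server
proto udp
port 1194
server 192.0.2.0 255.255.255.0
keepalive 10 60
cipher AES-256-CBC
tls-auth /path/to/ta.key 0
remote-cert-eku "TLS Web Client Authentication"
comp-lzo adaptive
reneg-sec 7200
float  # let the peer change its IP address/port
management localhost 7505
"""


def parse_openvpn(text):
    """Map directive -> argument list; '#' comments and blank lines are skipped.
    A repeated directive keeps its last occurrence, which is what OpenVPN applies."""
    conf = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts:
            conf[parts[0]] = parts[1:]
    return conf


def keepalive_timers(conf, role):
    """Expand `keepalive n m` into the (ping, ping-restart) pair this peer uses.
    --keepalive is a macro: a client gets --ping n --ping-restart m, a server
    applies --ping n --ping-restart 2*m so it never gives up before the client does."""
    args = conf.get("keepalive")
    if not args:
        return None
    ping, restart = int(args[0]), int(args[1])
    return (ping, restart * 2 if role == "server" else restart)


def effective_reneg_sec(client, server):
    """Seconds until the data-channel key is renegotiated: each side runs its own
    timer and the first to fire wins; 0 disables a side's timer; default is 3600."""
    timers = [int(c.get("reneg-sec", ["3600"])[0]) for c in (client, server)]
    active = [t for t in timers if t > 0]
    return min(active) if active else 0


def audit(client, server):
    """Return {finding_id: explanation} for settings worth a second look."""
    findings = {}
    for role, conf in (("client", client), ("server", server)):
        if "comp-lzo" in conf or "compress" in conf:
            findings[f"{role}:compression"] = ("data-channel compression: compress-then-encrypt "
                                               "leaks plaintext via ciphertext length (VORACLE)")
        if conf.get("cipher", [""])[0].upper().endswith("-CBC"):
            findings[f"{role}:cipher"] = "CBC cipher; prefer an AEAD cipher such as AES-256-GCM"
        if conf.get("auth", ["SHA1"])[0].upper() == "SHA1":   # SHA1 is OpenVPN's default
            findings[f"{role}:auth"] = "HMAC-SHA1 on the data channel; prefer SHA256 or an AEAD cipher"
        if conf.get("script-security", ["1"])[0] == "3":
            findings[f"{role}:script-security"] = "level 3 passes passwords to scripts via the environment"
    mgmt = server.get("management")
    if mgmt and len(mgmt) < 3:   # `management host port [pw-file]`: no pw-file means no auth
        findings["server:management"] = f"management on {mgmt[0]}:{mgmt[1]} without a password file"
    if "float" in server:
        findings["server:float"] = "float lets an authenticated peer move to any address/port (informational)"
    return findings


if __name__ == "__main__":
    c, s = parse_openvpn(CLIENT_CONF), parse_openvpn(SERVER_CONF)
    print("client", keepalive_timers(c, "client"), "server", keepalive_timers(s, "server"))
    print("renegotiation every", effective_reneg_sec(c, s), "s")
    for key, why in audit(c, s).items():
        print(f"{key}: {why}")
```

On the configs quoted in the post the effective renegotiation interval is 7200 s (the client's 0 only disables its own timer) and the restart timeouts are 60 s and 120 s, so none of these timers explains a 30 minute period; that points the search away from OpenVPN's own settings, which is where the post's suspicion of an external restart trigger comes from.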

13
17.7 Legacy Series / radvd[...]: sendmsg: Permission denied
« on: December 12, 2017, 08:32:40 pm »
Hi,

I do not know since when this occurs and whether it was already there before the update to 17.7.9. My routing.log gets flooded with messages. This is what the log looks like after a reboot:

Code:
Dec 12 20:05:41 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:05:45 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:05:54 opnsense radvd[12509]: version 1.15 started
Dec 12 20:07:57 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:06 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:13 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:22 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:26 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:31 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:37 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:46 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:55 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:01 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:09 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:16 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:19 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:24 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:30 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:32 opnsense radvd[12772]: Exiting, sigterm or sigint received.
Dec 12 20:09:32 opnsense radvd[12772]: sending stop adverts
Dec 12 20:09:32 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:32 opnsense radvd[12772]: removing /var/run/radvd.pid
Dec 12 20:09:36 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:40 opnsense radvd[64346]: version 1.15 started
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Permission denied
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: Exiting, sigterm or sigint received.
Dec 12 20:09:40 opnsense radvd[64868]: sending stop adverts
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: removing /var/run/radvd.pid
Dec 12 20:09:41 opnsense radvd[78492]: version 1.15 started
Dec 12 20:09:41 opnsense radvd[78845]: sendmsg: Can't assign requested address
Dec 12 20:09:41 opnsense radvd[78845]: sendmsg: Can't assign requested address
Dec 12 20:09:41 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:45 opnsense radvd[78845]: Exiting, sigterm or sigint received.
Dec 12 20:09:45 opnsense radvd[78845]: sending stop adverts
Dec 12 20:09:45 opnsense radvd[78845]: sendmsg: Permission denied
Dec 12 20:09:45 opnsense radvd[78845]: removing /var/run/radvd.pid
Dec 12 20:09:45 opnsense radvd[96804]: version 1.15 started
Dec 12 20:09:45 opnsense radvd[98771]: sendmsg: Permission denied
Dec 12 20:09:46 opnsense radvd[98771]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[98771]: sending stop adverts
Dec 12 20:09:46 opnsense radvd[98771]: sendmsg: Permission denied
Dec 12 20:09:46 opnsense radvd[98771]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[98771]: removing /var/run/radvd.pid
Dec 12 20:09:46 opnsense radvd[25046]: version 1.15 started
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Permission denied
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[25054]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[25054]: sending stop adverts
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[25054]: removing /var/run/radvd.pid
Dec 12 20:09:46 opnsense radvd[36299]: version 1.15 started
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[36965]: sending stop adverts
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: removing /var/run/radvd.pid
Dec 12 20:09:47 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:48 opnsense radvd[69684]: version 1.15 started
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Permission denied
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[69906]: Exiting, sigterm or sigint received.
Dec 12 20:09:48 opnsense radvd[69906]: sending stop adverts
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[69906]: removing /var/run/radvd.pid
Dec 12 20:09:48 opnsense radvd[77485]: version 1.15 started
Dec 12 20:09:48 opnsense radvd[78132]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[78132]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:53 opnsense radvd[78132]: Exiting, sigterm or sigint received.
Dec 12 20:09:53 opnsense radvd[78132]: sending stop adverts
Dec 12 20:09:53 opnsense radvd[78132]: sendmsg: Permission denied
Dec 12 20:09:53 opnsense radvd[78132]: removing /var/run/radvd.pid
Dec 12 20:09:54 opnsense radvd[63529]: version 1.15 started
Dec 12 20:09:54 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:04 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:08 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:16 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:21 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:27 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:31 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:40 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:48 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:56 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:01 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:10 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:16 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:20 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:29 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:36 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:45 opnsense radvd[64432]: sendmsg: Permission denied

And from there on the message repeats every 4 to 6 seconds. I did not touch anything in the first 10 minutes after the reboot to let the system settle. IPv6 works well.

Anything I can do to track the cause?

Best regards,
Boris
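
A log like the one above is easier to reason about once it is reduced to counts and timelines: how often radvd was restarted, whether the restarts cluster into a loop, which sendmsg errors each instance produced, and whether a restart burst follows a dhcp6 client restart on WAN (OPNsense restarts radvd when a tracked WAN prefix changes). The Python block below is an added example, not code from the post or from OPNsense; SAMPLE_LOG is a shortened excerpt of the lines quoted above, the loop thresholds are assumptions, and the errno hints are the generic meanings of the two messages, not a diagnosis of this particular box.

```python
"""Triage radvd/rtsold syslog lines: restarts, restart loops, sendmsg errors per
instance, and whether a loop was preceded by a dhcp6 client restart on WAN.

Added example, not code from the forum post or the OPNsense project. SAMPLE_LOG is
a shortened excerpt of the post's log; thresholds are assumptions.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Dec 12 20:05:54 opnsense radvd[12509]: version 1.15 started
Dec 12 20:07:57 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:06 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:32 opnsense radvd[12772]: Exiting, sigterm or sigint received.
Dec 12 20:09:36 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:40 opnsense radvd[64346]: version 1.15 started
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:41 opnsense radvd[78492]: version 1.15 started
Dec 12 20:09:45 opnsense radvd[96804]: version 1.15 started
Dec 12 20:09:46 opnsense radvd[25046]: version 1.15 started
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Permission denied
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[a-z0-9_-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Generic errno meanings, offered as hints only (not a diagnosis of any given box).
ERRNO_HINTS = {
    "Permission denied": "EACCES: the kernel refused the send; on a firewall this is "
                         "typically a packet-filter rule dropping the locally generated packet",
    "Can't assign requested address": "EADDRNOTAVAIL: the source (link-local) address radvd "
                                      "wants to send from is not configured on the interface yet",
}


def parse_line(line):
    """Return a dict with ts (datetime, year-less), host, prog, pid, msg; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(re.sub(r"\s+", " ", rec["ts"]), "%b %d %H:%M:%S")
    return rec


def triage(lines, loop_window=10, loop_threshold=3, rtsold_lookback=30):
    """Summarise the lines. A loop is `loop_threshold` radvd starts within
    `loop_window` seconds; it is marked after_rtsold if a dhcp6 client start
    occurred within `rtsold_lookback` seconds before the loop's first start."""
    errors_by_pid, error_types = {}, {}
    starts, rtsold_starts, loops = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["prog"] == "rtsold" and msg.startswith("Starting dhcp6 client"):
            rtsold_starts.append(rec["ts"])
        elif rec["prog"] == "radvd":
            if msg.endswith("started"):
                starts.append(rec["ts"])
            elif msg.startswith("sendmsg: "):
                err = msg[len("sendmsg: "):]
                error_types[err] = error_types.get(err, 0) + 1
                errors_by_pid[rec["pid"]] = errors_by_pid.get(rec["pid"], 0) + 1
    i = 0
    while i + loop_threshold <= len(starts):   # sliding window over the start timestamps
        span = (starts[i + loop_threshold - 1] - starts[i]).total_seconds()
        if span <= loop_window:
            preceded = any(0 <= (starts[i] - t).total_seconds() <= rtsold_lookback
                           for t in rtsold_starts)
            loops.append({"first_start": starts[i].strftime("%H:%M:%S"), "after_rtsold": preceded})
            i += loop_threshold   # the starts just consumed belong to this loop
        else:
            i += 1
    return {
        "radvd_starts": len(starts),
        "rtsold_starts": len(rtsold_starts),
        "errors_by_pid": errors_by_pid,
        "error_types": error_types,
        "hints": {e: ERRNO_HINTS.get(e, "no hint") for e in error_types},
        "loops": loops,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the excerpt this reports one restart loop starting at 20:09:40 that follows the rtsold start at 20:09:36, which is the correlation to look for before chasing the errno itself: a WAN prefix renewal that bounces radvd is a different problem from a filter rule that silently eats every advertisement.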

14
17.7 Legacy Series / LAN tracks WAN IPv6 propagates DNS servers from general setup
« on: August 27, 2017, 12:13:16 pm »
Hi,

Hosts in my LAN get IPv6 addresses from the OPNsense LAN interface (track WAN). Besides, they have
- either static IPv4 addresses and fixed IPv4 DNS servers configured
- or use the DHCP server on OPNsense to get an IPv4 lease and the IPv4 address of the DNS server.

DHCP correctly hands over the IPv4 address of OPNsense (configured to use resolver) as the DNS server. I have verified this with a tool (dhtest).

Unfortunately, the IPv6 addresses of both OPNsense and of the DNS servers entered in System: General setup are also present in the DNS configuration of the hosts that have no static DNS configured. This is undesirable because now e.g. my mobile devices use Google's name servers instead of my resolver on OPNsense as they give precedence to the IPv6 DNS server addresses.

IMHO, only the IPv6 address of OPNsense as DNS server should be propagated to the LAN and not all configured DNS servers. How can I turn this off?

Kind regards
Boris
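
This post and the one on external IPv6 DNS servers above describe the same symptom from the host's side: besides the router, the upstream resolvers configured in System: General setup show up in the client's per-link DNS list, and clients that prefer IPv6 then bypass the local resolver and its overrides. A check that makes this visible is to parse the `systemd-resolve --status` output the earlier post quotes, list the DNS servers per link, and flag every server outside a set of trusted networks. The Python block below is an added example, not code from either post or from OPNsense; SAMPLE_STATUS is a constructed excerpt modelled on the earlier post's output, 2001:db8:1::1 stands in for the router's global address, and the PUBLIC_RESOLVERS table is there only so a finding can name whose server leaked in. Trusted networks rather than exact addresses are used because the router's global address changes with the delegated prefix.

```python
"""List the DNS servers a host picked up per link from `systemd-resolve --status`
(or `resolvectl status`) output and flag any outside the trusted networks.

Added example; not code from the forum posts or from OPNsense. SAMPLE_STATUS is a
constructed excerpt; 2001:db8:1::1 is a placeholder for the router's address.
"""
import ipaddress
import re

SAMPLE_STATUS = """\
Global
          DNS Domain: home.example.invalid
          DNSSEC NTA: 10.in-addr.arpa
                      168.192.in-addr.arpa
                      d.f.ip6.arpa

Link 2 (enp0s25)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.31.1
                      2001:4860:4860::8888
                      2001:4860:4860::8844
                      2001:db8:1::1
          DNS Domain: home.example.invalid
"""

# Well-known public resolvers, so a finding can say whose server showed up.
PUBLIC_RESOLVERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "2001:4860:4860::8888": "Google", "2001:4860:4860::8844": "Google",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "2606:4700:4700::1111": "Cloudflare", "2606:4700:4700::1001": "Cloudflare",
    "9.9.9.9": "Quad9", "2620:fe::fe": "Quad9",
}

LINK_RE = re.compile(r"^Link \d+ \((?P<name>[^)]+)\)")
# A key is letters/spaces followed by ':' and whitespace or end of line; an IPv6
# literal such as "abcd::1" fails this because ':' is followed by another ':'.
KEY_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*):(?:\s+(?P<val>.*))?$")


def parse_resolve_status(text):
    """Return {section: {key: [values]}}; indented continuation lines extend the last key."""
    sections, section, key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINK_RE.match(line)
        if line.startswith("Global") or m:
            section, key = ("Global" if m is None else m.group("name")), None
            sections[section] = {}
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            key = m.group("key").strip()
            vals = sections[section].setdefault(key, [])
            if m.group("val"):
                vals.append(m.group("val").strip())
        elif key is not None:
            sections[section][key].append(line.strip())
    return sections


def check_dns_servers(sections, trusted):
    """Flag per-link DNS servers outside `trusted` networks: {link: [(server, reason)]}."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    findings = {}
    for name, keys in sections.items():
        if name == "Global":
            continue
        for server in keys.get("DNS Servers", []):
            addr = ipaddress.ip_address(server.split("%")[0])   # strip a zone id like %eth0
            if any(addr in n for n in nets):
                continue
            who = PUBLIC_RESOLVERS.get(str(addr))
            reason = f"public resolver ({who})" if who else "not in trusted networks"
            findings.setdefault(name, []).append((server, reason))
    return findings


if __name__ == "__main__":
    status = parse_resolve_status(SAMPLE_STATUS)
    # Constructed trust set: the router's IPv4 address, its current /64 and link-local space.
    for link, hits in check_dns_servers(status, ["192.168.31.1/32", "2001:db8:1::/64", "fe80::/10"]).items():
        for server, reason in hits:
            print(f"{link}: {server} -> {reason}")
```

Run periodically on a workstation, a non-empty result is the moment to capture the router advertisements on the link (the RDNSS option carries the server list), which answers the earlier post's question of when the transition happens.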

15
17.1 Legacy Series / OpenVPN: interrupted system call
« on: April 02, 2017, 08:36:27 am »
Hi,

A previously working installation of OpenVPN on 17.1.3 stopped working after the upgrade to 17.1.4. After successful initiation of the VPN tunnel, I get an interrupted system call error in the log:

Code:
...
Apr  2 01:24:40 opnsense openvpn[21132]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  2 01:24:40 opnsense openvpn[21132]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Apr  2 01:24:40 opnsense openvpn[21132]: [<server FQDN>] Peer Connection Initiated with [AF_INET]<server IP address>:1194
Apr  2 01:24:41 opnsense openvpn[21132]: event_wait : Interrupted system call (code=4)
Apr  2 01:24:41 opnsense openvpn[21132]: TCP/UDP: Closing socket
Apr  2 01:24:41 opnsense openvpn[21132]: SIGTERM[hard,] received, process exiting
...

Reverting openvpn to 17.1.2 seems to have solved the problem.

Anything I can do to help track down the cause of the issue?

Kind regards,
Boris

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved