Topics - gothbert

#1
Hi,

I run OPNsense 24.7.6. Last evening, IPv4 network connectivity broke. Restarting all services from the console menu did not help. A reboot was required.

This is what the General Log reveals:

Every 30 minutes, dhcp6c logs dhcp6c_script: RENEW on igb0 executing. igb0 is the WAN interface. Then, suddenly, radvd reports about 17 minutes later: sendmsg: No buffer space available. This message repeats every 5 seconds.

Pinging the LAN interface via IPv4(!) does not work. Neither can I reach any host on the LAN from OPNSense.

Only rebooting OPNsense brings operations back to normal. I had this once before with the previous version.

There are several reports of this issue in the forum, but with little to no response or solution. I am willing to contribute logs, configuration etc. to help solve the issue.

Kind regards,
Boris
#2
Dear all,

It randomly occurs that my OPNsense is suddenly not reachable any more. I am currently (still) on OPNsense 24.7.1-amd64 but have had these issues, say, once every quarter for a long time.

It just occurred ten minutes ago. I had to power the device down and back on. I read the thread with the same subject from today, but it did not help. There is only the latest log showing entries since the last boot at 13:03 in /var/log/system. What I need are the logs from the previous run. Where have they gone? System | Settings | Logging, tab "Local" is set to keep 31 log files.

Any help would be appreciated.

Best regards,
Boris
#3
Hi,

I bought a used SOPHOS SG 430 Firewall Appliance and replaced the SOPHOS operating system with OPNsense 24.1. This runs all fine, including the LCD.

But I cannot use the MGMT ethernet port. It does not appear in the devices list (dmesg), and I also cannot access it via its default IP address 10.0.1.1 (https://10.0.1.1:4444). I did not find any mention of the management port on the web other than on the SOPHOS help page.

Any hints?

Kind regards
Boris
#4
Hello,

This is OPNsense 22.1.8_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1o 3 May 2022.

This might sound stupid but I am missing the Services | Router Advertisement menu entry:

https://docs.opnsense.org/manual/radvd.html?highlight=advertisments#

radvd is happily running.

What can I do?

Kind regards,
Boris

#5
Hello,

I am currently using OPNsense 21.1.7_1-amd64.

A few weeks ago I migrated the LAN of my OPNsense box from 192.168.31.0/24 to 192.168.11.0/24, thereby dropping the remote syslog server 192.168.31.2. However, syslog-ng still tries to connect to 192.168.31.2. Since I did not find any trace of this setting in the GUI, I browsed through the config files and found /usr/local/etc/syslog-ng.conf.d/legacy-remote.conf dated Apr 24 2020 still containing the entry.

Can I safely delete both legacy.conf and legacy-remote.conf in that directory? Is this a leftover from a previous update?

Kind regards
Boris

#6
Hi,

I did not find the docs on wireless LAN, nor could I look it up in my current configuration due to the lack of a wireless adapter:

Is it possible with OPNsense to span 3 wireless networks with different SSIDs and connect them to 3 different firewall zones (LAN, Guest, IoT) on the same one and only wireless network card?

Kind regards,
Boris

#7
Hi,

Has somebody already set up an NFS server and/or syncthing under OPNsense?

I know this is not actually the job of a firewall so here is why I'm asking: I would like to use OPNsense on APU 4C4 board in a second home mainly for caching and filtering out ads (and because it is fun). The APU 4C4 equipped with a 500 GB SSD could readily also be used as file storage for home directory and for synchronization with the NAS in the primary location.

In my opinion, the straightforward way would be a jail with the NFS server and syncthing installed manually. But maybe there are other suggestions out there, or warnings that I had better drop that idea. Happy to know.

Best regards,
Boris
#8
19.7 Legacy Series / Move to FreeBSD 12?
February 17, 2019, 03:30:53 PM
Hi,

What plans are there for moving OPNsense to FreeBSD 12?

I am asking because I consider buying a box with WLE900VX WLAN module which requires 802.11ac support.

Kind regards
Boris
#9
Hi,

This is the relevant configuration of the OPNsense box:

OPNsense 18.7.1_3-amd64
DHCPv6 is off
DNSmasq DNS is off
Unbound DNS is on, in Forwarding Mode, local zone type= transparent
Settings | General | DNS servers: set to Google IPv4 and IPv6 webservers

My Ubuntu 18.04 workstation is set to static IPv4. IPv6 is autoconfigured (opnsense box internal network "home" tracks WAN).

During the last months I have seen the following behavior on my workstation:
- In normal operation, the IPv4 and IPv6 addresses of the opnsense box are passed as DNS servers to the workstation.
- From time to time, the IPv6 addresses of the Google DNS servers are passed to the workstation as well, thus bypassing the resolution of the hostnames in the internal network configured in Unbound DNS Server overrides. This happens spontaneously, i.e. the workstation boots up in the desired state and spontaneously transitions into the undesired state.

When the issue is present, systemd-resolve --status on the workstation gives (shortened):

Global
          DNS Domain: home.mydomain.de
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      ...
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (enp0s25)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.31.1         <---- opnsense box
                      2001:4860:4860::8888   <----  Google DNS server
                      2001:4860:4860::8844  <----  Google DNS server
                      2a02:...:fe5d:4ca1     <---- opnsense box
          DNS Domain: home.mydomain.de


I suspect that this behavior occurs when the external IP address of the opnsense box changes (DSLight Unitymedia cable connection).

How can I trace the issue to its root cause and remedy it? Your help would be greatly appreciated, thanks in advance.
Boris
#10
Hi,

I upgraded from 18.1.3 to 18.1.5 recently. Now my LAN interfaces do not get IPv6 addresses any more, as they did previously in the 18.1 series. The LAN interfaces are set to IPv6 Configuration Type: Track Interface (WAN). WAN has an IPv6 address.

Rebooted several times, even with suricata turned off, without success. What logs should I have a look into on the search for the cause?

Kind regards
Boris
#11
Hi,

As more and more sites on the internet use HTTPS for delivering content, I would like to make Squid cache encrypted connections as well. I had this set up once but dropped it soon because I did not want to install the self-signed certificate on every PC, smartphone, ... in my local net.

I am now considering using this feature in combination with the os-acme-client and the os-haproxy plugins to facilitate the automatic retrieval of Letsencrypt certificates for the man-in-the-middle OPNsense box. This will be some work, particularly because my OPNsense box sits behind the FritzBox which connects the LAN to the internet.

Thus, three questions, please, to check if I am on the right way:
1. Is this feasible at all? I have my own DynDNS service running and can assign an official domain name to my internet-facing IPv6 address assigned by my provider.
2. What needs to be said about the hostname of the OPNsense box in relation to the domain name for which the Letsencrypt certificate is issued?
3. Won't the browser still complain, since the domain in the OPNsense box's certificate does not match the remote website's domain?

Kind regards
Boris
#12
Hi,

I recently noticed that the OpenVPN connection from OPNsense (client) to server drops exactly every 30 minutes.

Since the OpenVPN server process complains about a reconnect of the same client when the OPNsense re-initiates the connection, I assume that the disconnect is triggered on the client end of the connection, but not necessarily caused by OPNsense or the running OpenVPN client process.

keepalive option is set. No 1800 (seconds) or 30 (minutes) in any config.

The client log only shows the reconnect, even at verbosity 5.

Could this be related to issues https://github.com/opnsense/core/issues/2010 and https://github.com/opnsense/core/issues/1931 and an internal 30 minute timer in OPNsense trying to restart the client?

Regards,
Boris

client configuration (OPNsense):

root@opnsense:/var/etc # less openvpn/client1.conf
dev ovpnc1
verb 3
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.178.2
engine rdrand
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote s1.4nv.de 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
passtos
resolv-retry infinite
reneg-sec 0
#fragment 1428
mssfix 1428


server configuration:

verb 3
#verb 6

proto udp
port 1194

dev vpn-s1
dev-type tun
# fragment 1428 # does not work with android
# mssfix
mssfix 1428
keepalive 10 60
passtos
fast-io
#compress lz4
comp-lzo adaptive

# test
reneg-sec 7200

tls-server
key /etc/openvpn/........
cert /etc/openvpn/........
ca /etc/openvpn/........
dh /etc/openvpn/........
remote-cert-eku "TLS Web Client Authentication"
cipher AES-256-CBC
tls-auth /etc/openvpn/........ 0

float  # Allow remote peer to change its IP address and/or port number, such as due to DHCP

topology subnet
server 192.168.38.0 255.255.255.0
client-config-dir /etc/openvpn/......../clients
route 192.168.30.0 255.255.255.0
route 192.168.31.0 255.255.255.0
route 192.168.178.0 255.255.255.0
client-to-client
push "route 192.168.30.0 255.255.255.0"
push "route 192.168.31.0 255.255.255.0"

push "dhcp-option DNS 192.168.31.1"

management localhost 7505

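As an added example (not code from the post or from OPNsense), the following script does programmatically what the poster did by hand: it parses both OpenVPN configs, works out the timers each side actually runs with (including the keepalive expansion and the rule that the peer with the lower non-zero reneg-sec triggers the rekey), and lists the options a security review of these configs would flag. The two config strings are constructed, trimmed copies of the client and server configs quoted above; the path placeholders "........" are kept as in the post.

```python
import shlex
from collections import defaultdict

# Constructed, trimmed copies of the client and server configs quoted above
# (paths shortened to "........" as in the post); only directives the audit looks at are kept.
CLIENT_CONF = """
script-security 3
keepalive 10 60
proto udp
cipher AES-256-CBC
auth SHA1
tls-client
client
remote s1.4nv.de 1194
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
reneg-sec 0
#fragment 1428
mssfix 1428
"""

SERVER_CONF = """
proto udp
port 1194
keepalive 10 60
comp-lzo adaptive
reneg-sec 7200
tls-server
remote-cert-eku "TLS Web Client Authentication"
cipher AES-256-CBC
tls-auth /etc/openvpn/........ 0
float  # Allow remote peer to change its IP address and/or port number
server 192.168.38.0 255.255.255.0
push "dhcp-option DNS 192.168.31.1"
"""


def parse_ovpn(text):
    """Parse OpenVPN config text into {directive: [[args], ...]}.
    Lines starting with '#' or ';' and trailing '# ...' comments are dropped; quoted
    arguments (push "...") stay one argument; repeated directives keep every occurrence."""
    cfg = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        lexer = shlex.shlex(line, posix=True)
        lexer.whitespace_split = True
        lexer.commenters = "#;"
        words = list(lexer)
        if words:
            cfg[words[0]].append(words[1:])
    return cfg


def last_arg(cfg, key, default=""):
    """First argument of the last occurrence of a directive, or default if absent."""
    return cfg[key][-1][0] if key in cfg and cfg[key][-1] else default


def timers(cfg, role):
    """Timers this side actually runs with. 'keepalive n m' expands to 'ping n' plus
    'ping-restart m' on a client and 'ping-restart 2*m' on a server (which pushes n/m to
    clients). reneg-sec defaults to 3600; 0 disables rekeying initiated by this side."""
    t = {"ping": None, "ping-restart": None, "reneg-sec": 3600}
    if "keepalive" in cfg:
        n, m = (int(x) for x in cfg["keepalive"][-1][:2])
        t["ping"], t["ping-restart"] = n, (2 * m if role == "server" else m)
    for key in ("ping", "ping-restart", "reneg-sec"):
        if key in cfg:
            t[key] = int(cfg[key][-1][0])
    return t


def effective_reneg_sec(client_t, server_t):
    """The peer with the lower non-zero reneg-sec triggers the data-channel rekey."""
    vals = [v for v in (client_t["reneg-sec"], server_t["reneg-sec"]) if v > 0]
    return min(vals) if vals else None


def audit(cfg, role):
    """Options a security review of this config would flag, as plain strings."""
    findings = []
    if "comp-lzo" in cfg or "compress" in cfg:
        findings.append("compression enabled: deprecated in current OpenVPN and exposes "
                        "tunnelled traffic to compression side channels (VORACLE)")
    if last_arg(cfg, "cipher").upper().endswith("-CBC"):
        findings.append("CBC data-channel cipher: prefer an AEAD cipher such as AES-256-GCM")
    if last_arg(cfg, "auth").upper() == "SHA1":
        findings.append("auth SHA1: use SHA256 or stronger for the HMAC")
    if role == "client" and "remote-cert-tls" not in cfg and "remote-cert-eku" not in cfg:
        findings.append("no remote-cert-tls/remote-cert-eku on the client: any client certificate "
                        "from the same CA could pose as the server (add 'remote-cert-tls server')")
    if last_arg(cfg, "script-security", "1") == "3":
        findings.append("script-security 3 passes passwords to scripts via environment variables")
    if not any(k in cfg for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("control channel not protected by tls-auth/tls-crypt")
    return findings


if __name__ == "__main__":
    client, server = parse_ovpn(CLIENT_CONF), parse_ovpn(SERVER_CONF)
    ct, st = timers(client, "client"), timers(server, "server")
    print("client timers:", ct)
    print("server timers:", st)
    print("effective reneg-sec:", effective_reneg_sec(ct, st))
    for role, cfg in (("client", client), ("server", server)):
        for finding in audit(cfg, role):
            print(f"[{role}] {finding}")
```

Run against the two configs, neither side carries an 1800-second timer: the client keeps ping 10 / ping-restart 60 and has renegotiation disabled, the server rekeys every 7200 seconds, so the script confirms the poster's manual search rather than explaining the 30-minute drop. The audit findings are independent of that question; the missing `remote-cert-tls server` on the client is the one a reviewer would fix first.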
#13
Hi,

I do not know since when this occurs and whether it was already there before the update to 17.7.9. My routing.log gets flooded with messages. This is what the log looks like after a reboot:

Dec 12 20:05:41 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:05:45 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:05:54 opnsense radvd[12509]: version 1.15 started
Dec 12 20:07:57 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:06 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:13 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:22 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:26 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:31 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:37 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:46 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:55 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:01 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:09 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:16 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:19 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:24 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:30 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:32 opnsense radvd[12772]: Exiting, sigterm or sigint received.
Dec 12 20:09:32 opnsense radvd[12772]: sending stop adverts
Dec 12 20:09:32 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:32 opnsense radvd[12772]: removing /var/run/radvd.pid
Dec 12 20:09:36 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:40 opnsense radvd[64346]: version 1.15 started
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Permission denied
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: Exiting, sigterm or sigint received.
Dec 12 20:09:40 opnsense radvd[64868]: sending stop adverts
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: removing /var/run/radvd.pid
Dec 12 20:09:41 opnsense radvd[78492]: version 1.15 started
Dec 12 20:09:41 opnsense radvd[78845]: sendmsg: Can't assign requested address
Dec 12 20:09:41 opnsense radvd[78845]: sendmsg: Can't assign requested address
Dec 12 20:09:41 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:45 opnsense radvd[78845]: Exiting, sigterm or sigint received.
Dec 12 20:09:45 opnsense radvd[78845]: sending stop adverts
Dec 12 20:09:45 opnsense radvd[78845]: sendmsg: Permission denied
Dec 12 20:09:45 opnsense radvd[78845]: removing /var/run/radvd.pid
Dec 12 20:09:45 opnsense radvd[96804]: version 1.15 started
Dec 12 20:09:45 opnsense radvd[98771]: sendmsg: Permission denied
Dec 12 20:09:46 opnsense radvd[98771]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[98771]: sending stop adverts
Dec 12 20:09:46 opnsense radvd[98771]: sendmsg: Permission denied
Dec 12 20:09:46 opnsense radvd[98771]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[98771]: removing /var/run/radvd.pid
Dec 12 20:09:46 opnsense radvd[25046]: version 1.15 started
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Permission denied
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[25054]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[25054]: sending stop adverts
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[25054]: removing /var/run/radvd.pid
Dec 12 20:09:46 opnsense radvd[36299]: version 1.15 started
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[36965]: sending stop adverts
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: removing /var/run/radvd.pid
Dec 12 20:09:47 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:48 opnsense radvd[69684]: version 1.15 started
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Permission denied
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[69906]: Exiting, sigterm or sigint received.
Dec 12 20:09:48 opnsense radvd[69906]: sending stop adverts
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[69906]: removing /var/run/radvd.pid
Dec 12 20:09:48 opnsense radvd[77485]: version 1.15 started
Dec 12 20:09:48 opnsense radvd[78132]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[78132]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:53 opnsense radvd[78132]: Exiting, sigterm or sigint received.
Dec 12 20:09:53 opnsense radvd[78132]: sending stop adverts
Dec 12 20:09:53 opnsense radvd[78132]: sendmsg: Permission denied
Dec 12 20:09:53 opnsense radvd[78132]: removing /var/run/radvd.pid
Dec 12 20:09:54 opnsense radvd[63529]: version 1.15 started
Dec 12 20:09:54 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:04 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:08 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:16 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:21 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:27 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:31 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:40 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:48 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:56 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:01 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:10 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:16 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:20 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:29 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:36 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:45 opnsense radvd[64432]: sendmsg: Permission denied


And from there on the message repeats over and over every 4 to 6 seconds. I did not touch anything in the first 10 minutes after the reboot to let the system settle. IPv6 works well.

Anything I can do to track the cause?

Best regards,
Boris
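As an added example (not part of the post), a small analyzer for this kind of routing.log dump: it parses the syslog lines, counts each distinct `sendmsg:` error radvd raises, finds the densest cluster of radvd restarts, and counts how many radvd starts follow an rtsold "Starting dhcp6 client" line within a few seconds. The sample log is a constructed, trimmed excerpt of the lines quoted above (the year is assumed, since syslog timestamps carry none); the same functions can be pointed at a full log, or at the "No buffer space available" messages from the 24.7 post at the top of this page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# syslog line, e.g. "Dec 12 20:09:40 opnsense radvd[64346]: version 1.15 started"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed excerpt of the routing.log lines quoted above (trimmed; the rest of the
# dump repeats the same pattern).
SAMPLE_LOG = """\
Dec 12 20:05:41 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:05:54 opnsense radvd[12509]: version 1.15 started
Dec 12 20:07:57 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:06 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:32 opnsense radvd[12772]: Exiting, sigterm or sigint received.
Dec 12 20:09:36 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:40 opnsense radvd[64346]: version 1.15 started
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Permission denied
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: Exiting, sigterm or sigint received.
Dec 12 20:09:41 opnsense radvd[78492]: version 1.15 started
Dec 12 20:09:41 opnsense radvd[78845]: sendmsg: Can't assign requested address
Dec 12 20:09:45 opnsense radvd[78845]: Exiting, sigterm or sigint received.
Dec 12 20:09:45 opnsense radvd[96804]: version 1.15 started
Dec 12 20:09:46 opnsense radvd[98771]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[25046]: version 1.15 started
Dec 12 20:09:47 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:48 opnsense radvd[69684]: version 1.15 started
Dec 12 20:09:54 opnsense radvd[63529]: version 1.15 started
Dec 12 20:09:54 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:04 opnsense radvd[64432]: sendmsg: Permission denied
"""


def parse_log(text, year=2017):
    """Return [(timestamp, program, pid, message)]; syslog has no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["prog"], m["pid"], m["msg"]))
    return events


def _is_radvd_start(prog, msg):
    return prog == "radvd" and msg.startswith("version ") and msg.endswith("started")


def sendmsg_errors(events):
    """Count of each distinct 'sendmsg:' error raised by radvd."""
    return Counter(msg[len("sendmsg: "):] for _, prog, _, msg in events
                   if prog == "radvd" and msg.startswith("sendmsg: "))


def restart_storm(events, window=60):
    """Densest cluster of radvd starts inside `window` seconds, as (first start, count)."""
    starts = [ts for ts, prog, _, msg in events if _is_radvd_start(prog, msg)]
    best = (None, 0)
    for i, t0 in enumerate(starts):
        n = sum(1 for t in starts[i:] if t - t0 <= timedelta(seconds=window))
        if n > best[1]:
            best = (t0, n)
    return best


def starts_following_rtsold(events, within=10):
    """radvd starts that come within `within` seconds of the most recent rtsold
    'Starting dhcp6 client' line, i.e. restarts that coincide with the WAN DHCPv6 client cycling."""
    last_rtsold, hits = None, 0
    for ts, prog, _, msg in events:
        if prog == "rtsold" and msg.startswith("Starting dhcp6 client"):
            last_rtsold = ts
        elif _is_radvd_start(prog, msg):
            if last_rtsold is not None and ts - last_rtsold <= timedelta(seconds=within):
                hits += 1
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("sendmsg errors:", dict(sendmsg_errors(ev)))
    print("restart storm:", restart_storm(ev))
    print("starts within 10s of an rtsold restart:", starts_following_rtsold(ev))
```

On the excerpt, six radvd starts fall inside fourteen seconds and six of the seven starts follow an rtsold line within ten seconds, which is the kind of correlation worth checking before going after radvd itself.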
#14
Hi,

Hosts in my LAN get IPv6 addresses from the OPNsense LAN interface (track WAN). Besides, they have
- either static IPv4 addresses and fixed IPv4 DNS servers configured
- or use the DHCP server on OPNsense to get an IPv4 lease and the IPv4 address of the DNS server.

DHCP correctly hands out the IPv4 address of OPNsense (configured to use the resolver) as the DNS server. I have verified this with a tool (dhtest).

Unfortunately, the IPv6 addresses of both OPNsense and of the DNS servers entered in System: General setup are also present in the DNS configuration of the hosts that have no static DNS configured. This is undesirable because now e.g. my mobile devices use Google's name servers instead of my resolver on OPNsense as they give precedence to the IPv6 DNS server addresses.

IMHO, only the IPv6 address of OPNsense as DNS server should be propagated to the LAN and not all configured DNS servers. How can I turn this off?

Kind regards
Boris
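The workstation in the earlier "DNS servers" post and the mobile devices here both learn their IPv6 resolvers from radvd, which advertises them in the RDNSS option of Router Advertisements (RFC 8106). As an added example, not code from the posts or from OPNsense, here is a parser for that option plus a check that flags any advertised resolver outside an allow list. The RA bytes are constructed in the block itself; the router's own address is assumed to be the link-local fe80::1:1 seen on a LAN interface in another post on this page, and the two Google addresses are the ones the workstation reported.

```python
import ipaddress
import struct

# ICMPv6 Router Advertisement (RFC 4861) and the RDNSS option (RFC 8106)
ND_ROUTER_ADVERT = 134
OPT_RDNSS = 25


def build_ra(dns_servers, lifetime=1800):
    """Build an RA body (ICMPv6 header + one RDNSS option) for testing.
    The checksum stays 0: only the parser is exercised here, nothing is sent."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    opt_len = 1 + 2 * len(dns_servers)  # option length in 8-octet units (8-byte header + 16 per address)
    option = struct.pack("!BBHI", OPT_RDNSS, opt_len, 0, lifetime) + addrs
    return header + option


def parse_rdnss(ra):
    """Return [(IPv6Address, lifetime_seconds)] for every RDNSS entry in an RA body.
    Malformed options raise ValueError (RFC 4861 requires discarding a zero-length option)."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    entries = []
    offset = 16  # fixed RA header length
    while offset + 2 <= len(ra):
        opt_type, opt_len = ra[offset], ra[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")
        end = offset + opt_len * 8
        if end > len(ra):
            raise ValueError("truncated ND option")
        if opt_type == OPT_RDNSS:
            (lifetime,) = struct.unpack("!I", ra[offset + 4:offset + 8])
            body = ra[offset + 8:end]
            if opt_len < 3 or len(body) % 16:
                raise ValueError("bad RDNSS option length")
            for i in range(0, len(body), 16):
                entries.append((ipaddress.IPv6Address(body[i:i + 16]), lifetime))
        offset = end  # skip any other option type (prefix info, MTU, DNSSL, ...)
    return entries


def unexpected_resolvers(ra, allowed):
    """Advertised resolvers not on the allow list. Lifetime 0 tells hosts to forget an
    address, so such entries are not reported."""
    allowed = {ipaddress.IPv6Address(a) for a in allowed}
    return [str(addr) for addr, lifetime in parse_rdnss(ra) if lifetime and addr not in allowed]


# Constructed sample RA: the router's assumed link-local address plus the two Google
# resolvers the workstation showed in systemd-resolve --status.
SAMPLE_RA = build_ra(["fe80::1:1", "2001:4860:4860::8888", "2001:4860:4860::8844"])

if __name__ == "__main__":
    for addr, lifetime in parse_rdnss(SAMPLE_RA):
        print(f"RDNSS {addr} lifetime={lifetime}s")
    print("unexpected:", unexpected_resolvers(SAMPLE_RA, ["fe80::1:1"]))
```

To feed it real data, capture RAs on the workstation with something like `tcpdump -i enp0s25 -X 'icmp6 and ip6[40] == 134'` and hand the ICMPv6 payload to `parse_rdnss`; a resolver turning up there that is not the OPNsense box is exactly the behaviour both posts describe, and the RA tells you which router advertised it and with what lifetime.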
#15
Hi,

A previously working installation of OpenVPN on 17.1.3 stopped working after the upgrade to 17.1.4. After successful initiation of the VPN tunnel, I get an interrupted system call error in the log:

...
Apr  2 01:24:40 opnsense openvpn[21132]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  2 01:24:40 opnsense openvpn[21132]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Apr  2 01:24:40 opnsense openvpn[21132]: [<server FQDN>] Peer Connection Initiated with [AF_INET]<server IP address>:1194
Apr  2 01:24:41 opnsense openvpn[21132]: event_wait : Interrupted system call (code=4)
Apr  2 01:24:41 opnsense openvpn[21132]: TCP/UDP: Closing socket
Apr  2 01:24:41 opnsense openvpn[21132]: SIGTERM[hard,] received, process exiting
...


Reverting openvpn to 17.1.2 seems to have solved the problem.

Anything I can do to help track down the cause of the issue?

Kind regards,
Boris
#16
Hi,

I had this working once, but I am unsure whether I screwed up the configuration or the update from 17.1.1 to 17.1.2 was the cause. I am now on 17.1.3.

Details:

Configuration in web interface is
WAN interface: Basic, Directly send SOLICIT, DHCPv6 Prefix Delegation size 64, Send IPv6 prefix hint
LAN interface: Track IPv6 Interface WAN, IPv6 Prefix ID 0

WAN interface gets 64bit prefix from upstream stateless DHCPv6 server:
inet6 2a02:908:x:x:x:x:x:f83 prefixlen 64 autoconf

LAN interface only has link-local address
inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x1

LAN interface does not get an IPv6 address from the delegated prefix.

The following reports may or may not be related:
https://forum.opnsense.org/index.php?topic=4774.msg18598#msg18598
https://forum.opnsense.org/index.php?topic=4404.msg16570#msg16570

Any ideas other than filing an issue?

Best regards
Boris
#17
Hello,

I searched the Internet before and found similar issues, but the solutions did not apply. So please bear with me for asking here. In spite of having easy and manual firewall rules to make (all) traffic pass between LAN and OPT1, I can only reach port 80 on a host in the OPT1 network from my workstation in the LAN network. Please see below for details.

What do I need to do to enable full TCP connectivity from LAN network to OPT1 network? Any help would be appreciated.

Kind regards
Boris

OPNsense 17.1.2-amd64

LAN 192.168.31.0/24
     opnsense at 192.168.31.1
     my workstation at 192.168.31.8

OPT1 192.168.30.0/24
     opnsense at 192.168.30.254
     a host at 192.168.30.1

my workstation ---------------- opnsense ----------------------- host
192.168.31.8            192.168.31.1      192.168.30.254         192.168.30.1

From opnsense I can ping host 192.168.30.1 and reach all open TCP ports.
From my workstation at 192.168.31.8 I can connect to port 80 of host 192.168.30.1.
From my workstation at 192.168.31.8 I cannot ping host 192.168.30.1, nor reach any TCP port other than 80.

Firewall: Log Files: Normal View shows that ICMP from 192.168.31.8 to 192.168.30.1 is blocked.
I add easy rule from the view to enable ICMP from 192.168.31.8 to 192.168.30.1.
Still cannot ping.
I add firewall rule for OPT1 to enable all traffic/all protocols between LAN and OPT1 networks.
Still cannot ping. Even not after a reboot.

"Block private/bogon networks" is unchecked for both LAN and OPT1.

The dashboard shows increasing packet count in at OPT1 for the pings but no packet count out.

#18
Hi,

After successful testing in a virtual machine, I replaced IPFire with OPNsense today on the real hardware. The box has a retail mainboard with only one ethernet NIC, put in a 1U chassis in my rack, which precludes adding more PCIe NICs. I therefore use USB Ethernet adapters for additional LAN connectivity.

My Delock 62417 adapter has the ASIX AX88179 chip and is listed as a supported device under FreeBSD. It is detected, the axge driver is loaded, an IP address can be assigned, but it cannot reach anything on the LAN nor can it be reached. I successfully tested the adapter under Linux to ensure that the adapter and cabling are all right.

There is another report about a malfunction in this forum, but it probably went unnoticed because it is in Spanish.

Is this an issue with OPNsense and, if so, is there a chance that it will be fixed soon?

If not, could someone please recommend a USB 3.0 Gigabit ethernet adapter that is proven to work? The TP-Link UE300 is not detected; the Logilink UA0144 works but is only Fast Ethernet on USB 2.0.

Thank you,
Boris