Topics - Waschbuesch

1
24.7 Production Series / zfs bootcode upgrade "not enough space"
« on: November 16, 2024, 08:07:34 am »
Hi all,

After upgrading to OPNsense 24.7.8, zfs complains about not all features being enabled.
After running
Code:
zpool upgrade zroot
the system advises to update the boot code as well.
However, running
Code:
gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 2 nda0
results in: gpart: /dev/nda0p2: not enough space
Since the system boots via UEFI (I think), this may be irrelevant, but why did the installer partition the disk like this:

Code:
gpart show
=>        3  500118181  nda0  GPT  (238G)
          3     532480     1  efi  (260M)
     532483        311     2  freebsd-boot  (156K)
     532794  482344960     3  freebsd-zfs  (230G)
  482877754   17240430     4  freebsd-swap  (8.2G)

156K looks like deliberately setting the size to exactly what was needed at the time without any kind of reserve for future changes?

2
24.7 Production Series / Dashboard firewall widget "Waiting for data"
« on: November 16, 2024, 07:47:32 am »
Hi all,

I have recently upgraded my two OPNsense firewalls to 24.7 (running 24.7.8 to be precise).
On one the firewall dashboard widget works perfectly.
On the other (*very* busy FW - there are loads of logs available), the widget will endlessly display 'Waiting for data...'

I tried to compare the settings and everything seems identical on the two setups except the one where the widget works is a 'normal' setup while the one where the widget does not work is a 'transparent filtering bridge' type setup.

Also noteworthy: All other visualizations concerning FW-related stuff like Insight or the Firewall:Log Files:Overview work perfectly on both systems.

Any ideas what I may be missing / how to get this to work?

Thanks,
Martin

3
20.7 Legacy Series / inconsistent tunables?
« on: December 27, 2020, 01:14:10 pm »
Hi all,
I just noticed that the default settings for tunables do not seem to match:

net.inet.ip.redirect = 0

but

net.inet6.ip6.redirect = 1


Is there a reason for disabling redirects for ipv4 but not ipv6? Or are the tunables similar only in name but not function (which would be bad, too, I guess.)

Thanks,

Martin

4
20.7 Legacy Series / Traffic shaper and ACK packets
« on: May 23, 2020, 11:43:11 am »
Hi there,

I noticed something weird when trying to prioritize ACK packages.
Selecting "tcp (ACK packets only)" in the proto drop-down results in almost all tcp traffic being matched.
Doing something similar in m0n0wall or even the firewall solution that shall not be named, did not result in comparable behavior.
Though, with those solutions I could (and did) specify the packet size to something very small so only empty ACKs were prioritized. That does not seem to be an option in the OPNsense shaper currently?

If "tcp (ACK packets only)" matches any packet having the ACK flag set, then that is not (to me at least) particularly useful...

5
20.1 Legacy Series / flowd not working after upgrade.
« on: February 01, 2020, 09:50:17 pm »
Hi all,

I upgraded a firewall from 19.7 to 20.1 yesterday.
The upgrade itself went well, but afterwards, flowd is not working.

The passage in config.xml

Code:
    <Netflow version="1.0.1">
      <capture>
        <interfaces>lan,opt7,opt10,opt1,opt2</interfaces>
        <egress_only>opt1,opt2</egress_only>
        <version>v9</version>
        <targets>127.0.0.1:2056</targets>
      </capture>
      <collect>
        <enable>1</enable>
      </collect>
      <activeTimeout>1800</activeTimeout>
      <inactiveTimeout>15</inactiveTimeout>
    </Netflow>

/var/log/flowd.log is empty

and the flowd process has zero CPU usage despite running for hours and there being a lot of traffic:

Code:
gw01:~ # ps ax | grep flow
 6611  -  Is      0:00.00 flowd: net (flowd)
57722  -  Is      0:00.00 flowd: monitor (flowd)

Reboots and deleting the flowd.log and /var/netflow/* files have not made a difference.

I have a very similar setup on another box where this still works even after the upgrade to 20.1

Any ideas what else to try?

6
17.7 Legacy Series / [SOLVED] c-icap, clamav & size limit
« on: September 19, 2017, 11:52:46 pm »
Hi there,

Just saw the following on my firewall at home (OPNsense 17.7.3-amd64):
I have enabled c-icap, clamav and transparent squid (for SSL too) as detailed in the online manual.
What happened is that a large download (XCode update on my Mac) was not bypassed but written to /var/tmp/CI_TMP_XXXX and filled up the disk completely. (the download in question is >5G in size).
Should the configured size-limits for both c-icap and clamav not prevent this sort of thing?
