Topics - IsaacFL

1. 24.1 Legacy Series / Update Firmware Status, keeps hanging
« on: February 26, 2024, 10:02:58 pm »
When I check the update status, it keeps hanging with a spinning wheel. The status is attached.
It does eventually come back with ***DONE*** after many minutes.

Code:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.1.2_1 at Mon Feb 26 12:48:35 PST 2024
Fetching changelog information, please wait... fetch: transfer timed out
fetch: /usr/local/opnsense/changelog/changelog.txz appears to be truncated: 0/128592 bytes
Updating OPNsense repository catalogue...
Waiting for another process to update repository OPNsense
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.

2. 23.7 Legacy Series / Unbound Whitelist not working
« on: January 05, 2024, 06:46:09 pm »
I have decided to try the block list functionality of unbound after previously using pihole.

Using the OISD - Domain Blocklist Big. I know from using pihole that for this list I need to whitelist trace.svc.ui.com.

I add trace.svc.ui.com to the whitelist, but when I go to Interfaces: Diagnostics: DNS Lookup I get:
trace.svc.ui.com. 3600 IN A 0.0.0.0

I also see via dig on another machine that it is indeed being blocked.

So the whitelist under unbound does not work?

3. 23.7 Legacy Series / Auto Generated Rules pull down will not open on LAN interfaces
« on: August 13, 2023, 08:36:20 pm »
Since the update to 23.7, in Firewall: Rules, for any of the LAN interfaces the pull-down for the "Automatically generated rules" will not open and shows an excessive number of rules (43).

The WAN interface does not have this issue, and it shows a more reasonable 25 rules. When I count them it is 25.

When I look at Floating rules, the Automatically generated rules shows 16 and the pull-down will open.

I have an Interface Group, and the Automatically generated rules shows 34 rules, but when I click the pull-down there are only 16, same as the Floating rules.

4. 23.7 Legacy Series / Services: DHCPv6: Leases are not showing.
« on: August 01, 2023, 06:22:42 am »
Updated earlier today, and none of the DHCPv6 leases are showing at Services: DHCPv6: Leases.
It shows "No results found!"

I can see in the log that the leases are being issued and the clients are getting their leases renewed.


5. 23.1 Legacy Series / Has there been a change to the Intel X520 driver in the last few months
« on: July 26, 2023, 06:50:23 pm »
I am getting hard crashes just by applying any change to the WAN interface.

My interface is a dual 10 Gb SFP+ interface:

Code:
# sysctl -a | grep -E 'dev.(ix).*.%desc:'
dev.ix.1.%desc: Intel(R) X520 82599ES (SFI/SFP+)
dev.ix.0.%desc: Intel(R) X520 82599ES (SFI/SFP+)

My WAN interface is ix0; I have set up ix1 as opt1 with multiple VLANs.

I don't change the WAN often, but when crowdsec came out, I installed the plugin and it worked fine. Later, I changed something on the WAN interface and it had a hard crash. So I blamed crowdsec and removed it.

Later, I had the same issue, and I thought it was something to do with NUT and the USB driver, so I removed NUT.

Lately I have been testing "Block bogons", and that is when I noticed that if I change anything on the WAN, it crashes when I apply the changes, with a wall of text on the console that ends with:

cpu_reset: Restarting BSP
cpu_reset_proxy: Stopped CPU 2

At that point the only thing to do is hold the power switch. Even Ctrl-Alt-Del doesn't work. And after it boots, I send the crash report in.

This is a Dell OptiPlex 5050 connected via SFP+ to a Brocade ICX6450.

I have noted that applying changes to a vlan interface riding on top of the ix1 interface does not cause a crash.

Could this be a hardware failure starting? Or has there been a change in the driver or firmware?



6. 23.1 Legacy Series / Why does the IPv6 Link Local get added to Firewall Groups?
« on: July 20, 2023, 09:54:01 pm »
I was cleaning up my firewall rules and noticed that the IPv6 link-local range (fe80::/10) is now being added to my group networks.

I have a Firewall Group, called IG_LOCAL, which is all of my local interfaces. When I create a rule using the IG_LOCAL network, it is adding link-local, i.e. {(IG_LOCAL:network),fe80::/10}

I have attached a screenshot of some of my rules for the group. Here is the corresponding portion of the rules.debug file.

Code:
pass in log on IG_LOCAL inet6 proto {tcp udp} from {(IG_LOCAL:network),fe80::/10} to {!(IG_LOCAL:network),fe80::/10} port $PORT_EXT_DEF keep state label "769c1d81297045f5995b9e417dcec7ee" # IG: Default Allowed External Traffic
pass in on IG_LOCAL inet proto {tcp udp} from {(IG_LOCAL:network)} to {!(IG_LOCAL:network)} port $PORT_EXT_DEF_UNLOG keep state label "d6b7a1daa9884ab1063b3b2befdd9697" # IG: Unlogged External Traffic
pass in on IG_LOCAL inet6 proto {tcp udp} from {(IG_LOCAL:network),fe80::/10} to {!(IG_LOCAL:network),fe80::/10} port $PORT_EXT_DEF_UNLOG keep state label "d6b7a1daa9884ab1063b3b2befdd9697" # IG: Unlogged External Traffic
pass in quick on IG_LOCAL inet proto {tcp udp} from {(IG_LOCAL:network)} to {(self)} port {53} keep state label "e8b2d18b60eddedbc37a8affc7ad3295" # IG: DNS - Firewall
pass in quick on IG_LOCAL inet6 proto {tcp udp} from {(IG_LOCAL:network),fe80::/10} to {(self)} port {53} keep state label "e8b2d18b60eddedbc37a8affc7ad3295" # IG: DNS - Firewall
pass in quick on IG_LOCAL inet proto {tcp udp} from {(IG_LOCAL:network)} to $HOST_PIHOLE port {53} keep state label "7040cc54c75732b0eaf93823601201df" # IG: DNS - PiHole
pass in quick on IG_LOCAL inet6 proto {tcp udp} from {(IG_LOCAL:network),fe80::/10} to $HOST_PIHOLE port {53} keep state label "7040cc54c75732b0eaf93823601201df" # IG: DNS - PiHole
block return in log quick on IG_LOCAL inet proto {tcp udp} from {(IG_LOCAL:network)} to $EXT_PUBLIC_DNS port $PORT_EXT_PUBLIC_DNS label "e265696d9b53cf10cb05969a0a9c7613" # IG: DNS - Block Public DNS List
block return in log quick on IG_LOCAL inet6 proto {tcp udp} from {(IG_LOCAL:network),fe80::/10} to $EXT_PUBLIC_DNS port $PORT_EXT_PUBLIC_DNS label "e265696d9b53cf10cb05969a0a9c7613" # IG: DNS - Block Public DNS List
pass in quick on IG_LOCAL inet proto udp from {(IG_LOCAL:network)} to {(self)} port {123} keep state label "a8527e22120951fabfb8ab4a1159c11b" # IG: Firewall NTP

This seems to be a new thing, at least since June, which was the last time I downloaded rules.debug. Prior to that, it would just be {(IG_LOCAL:network)} for both inet and inet6.

Is there a reason for this?
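As an added example (Python, not the poster's or OPNsense's code): a small parser for rules.debug lines in the shape shown above. It splits each rule into its from/to address lists, reports which rules contain a given element such as fe80::/10, and compares two copies of the file by (label, address family) to show exactly which address sets gained elements, which is the check one would run against an older rules.debug to confirm the change described in this post. The sample lines, the "older" copy and the shortened labels are constructed.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the rules.debug excerpt above (labels shortened).
NEW_RULES = """\
pass in on IG_LOCAL inet proto {tcp udp} from {(IG_LOCAL:network)} to {!(IG_LOCAL:network)} port $PORT_EXT_DEF_UNLOG keep state label "rule-a" # IG: Unlogged External Traffic
pass in on IG_LOCAL inet6 proto {tcp udp} from {(IG_LOCAL:network),fe80::/10} to {!(IG_LOCAL:network),fe80::/10} port $PORT_EXT_DEF_UNLOG keep state label "rule-a" # IG: Unlogged External Traffic
pass in quick on IG_LOCAL inet6 proto {tcp udp} from {(IG_LOCAL:network),fe80::/10} to {(self)} port {53} keep state label "rule-b" # IG: DNS - Firewall
pass in quick on IG_LOCAL inet proto udp from {(IG_LOCAL:network)} to {(self)} port {123} keep state label "rule-c" # IG: Firewall NTP
"""

# Constructed "older" copy of the same rules, with only the group network in the inet6 lists.
OLD_RULES = """\
pass in on IG_LOCAL inet proto {tcp udp} from {(IG_LOCAL:network)} to {!(IG_LOCAL:network)} port $PORT_EXT_DEF_UNLOG keep state label "rule-a" # IG: Unlogged External Traffic
pass in on IG_LOCAL inet6 proto {tcp udp} from {(IG_LOCAL:network)} to {!(IG_LOCAL:network)} port $PORT_EXT_DEF_UNLOG keep state label "rule-a" # IG: Unlogged External Traffic
pass in quick on IG_LOCAL inet6 proto {tcp udp} from {(IG_LOCAL:network)} to {(self)} port {53} keep state label "rule-b" # IG: DNS - Firewall
pass in quick on IG_LOCAL inet proto udp from {(IG_LOCAL:network)} to {(self)} port {123} keep state label "rule-c" # IG: Firewall NTP
"""

# 'from'/'to' followed by a {list}, a $macro, or a single bare token.
ADDR_RE = re.compile(r'\b(from|to)\s+(\{[^}]*\}|\$\w+|\S+)')
LABEL_RE = re.compile(r'label "([^"]*)"')


def split_list(spec: str) -> List[str]:
    """Turn '{a,b}' into ['a', 'b']; a bare macro or address becomes a one-element list."""
    if spec.startswith('{') and spec.endswith('}'):
        return [e.strip() for e in spec[1:-1].split(',') if e.strip()]
    return [spec]


def parse_rule(line: str) -> Dict:
    """Split one rules.debug line into action, family, quick flag, from/to lists, label and comment."""
    body, _, comment = line.partition('#')
    tokens = body.split()
    sides = {side: split_list(spec) for side, spec in ADDR_RE.findall(body)}
    label = LABEL_RE.search(body)
    return {
        'action': tokens[0],
        'family': next((t for t in tokens if t in ('inet', 'inet6')), None),
        'quick': 'quick' in tokens,
        'from': sides.get('from', []),
        'to': sides.get('to', []),
        'label': label.group(1) if label else '',
        'comment': comment.strip(),
    }


def parse_rules(text: str) -> List[Dict]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]


def rules_containing(text: str, element: str) -> List[Dict]:
    """Rules whose from or to list includes the element, e.g. 'fe80::/10'."""
    return [r for r in parse_rules(text) if element in r['from'] or element in r['to']]


def address_set_changes(old_text: str, new_text: str) -> Dict[str, Dict[str, List[str]]]:
    """For each (label, family) present in both copies, list elements new in the from/to sets."""
    def index(text: str) -> Dict:
        return {(r['label'], r['family']): r for r in parse_rules(text)}

    old, new = index(old_text), index(new_text)
    changes = {}
    for key, rule in new.items():
        prev = old.get(key)
        if prev is None:
            continue
        added = {side: sorted(set(rule[side]) - set(prev[side])) for side in ('from', 'to')}
        if added['from'] or added['to']:
            changes[f'{key[0]}/{key[1]}'] = added
    return changes


if __name__ == '__main__':
    for r in rules_containing(NEW_RULES, 'fe80::/10'):
        print(f"{r['label']}/{r['family']}: from={r['from']} to={r['to']}  # {r['comment']}")
    print(address_set_changes(OLD_RULES, NEW_RULES))
```

Only the inet6 lines pick up the link-local prefix; the inet lines are unchanged between the two copies, which matches what the post describes.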



7. 23.1 Legacy Series / Blocking Bogons on an interface seems to also block DHCP
« on: June 06, 2023, 10:21:43 pm »
When I moved from the other "sense", where I used to block bogons with no impact, I always seemed to have problems with opnsense. I kind of gave up blocking bogons, but I was debugging today, and I see in the log:

Code:
50IOT 2023-06-06T12:55:41-07:00 0.0.0.0:68 255.255.255.255:67 udp Block bogon IPv4 networks from 50IOT
50IOT 2023-06-06T12:55:40-07:00 0.0.0.0:68 255.255.255.255:67 udp Block bogon IPv4 networks from 50IOT

When I look in the auto rules I see that indeed the DHCP rules fall after the block private and block bogon rules. Interestingly, on the WAN the DHCP rules come before the block bogons rule, whereas all of the other interfaces have block bogons before the allow DHCP rule.

I think that block bogons and block private should be the last of the automatically generated rules.

I also note that bogonsv6 does not exclude the private ULA addresses, whereas bogonsv4 does, so they are not consistent. The bogonsv6 alias has an entry for 8000::/1, which is inclusive of the fc00::/7 ULA subnet. It would be nice if blocking bogons did not preclude using ULAs.
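Added example (Python, not OPNsense's code) to make the two observations in this post concrete. A simplified first-match evaluator runs a DHCP DISCOVER (0.0.0.0:68 to 255.255.255.255:67, udp, as in the logged block entries) against constructed approximations of the automatic rules in both orders, and a second helper checks whether one prefix such as 8000::/1 covers another such as fc00::/7. The bogon table excerpt, the rule definitions and the "first matching rule decides" simplification are assumptions for the demonstration, not the real alias contents or OPNsense's generated rules.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    name: str
    action: str            # 'pass' or 'block'
    proto: Optional[str]   # None matches any protocol
    src: List[str]         # CIDR prefixes; any one matching the source is enough
    sport: Optional[int]   # None matches any port
    dst: List[str]
    dport: Optional[int]


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed subset of a bogon table; 0.0.0.0/8 is the entry a DHCP DISCOVER source hits.
BOGONS_V4 = ['0.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16', '240.0.0.0/4']
ANY4 = ['0.0.0.0/0']

# Constructed approximations of the automatic rules discussed above (not the generated text).
BLOCK_BOGONS = Rule('Block bogon IPv4 networks', 'block', None, BOGONS_V4, None, ANY4, None)
ALLOW_DHCP = Rule('Allow DHCP to the firewall', 'pass', 'udp', ANY4, 68, ['255.255.255.255/32'], 67)
DEFAULT_DENY = Rule('Default deny', 'block', None, ANY4, None, ANY4, None)

# The packet from the log lines above: client without an address broadcasting to the server port.
DHCP_DISCOVER = Packet('udp', '0.0.0.0', 68, '255.255.255.255', 67)


def in_any(addr: str, prefixes: List[str]) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(p, strict=False) for p in prefixes)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (None, pkt.proto)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and in_any(pkt.src, rule.src)
            and in_any(pkt.dst, rule.dst))


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """Assumption: every rule is 'quick', so the first matching rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    raise LookupError('no rule matched')


def covers(outer: str, inner: str) -> bool:
    """True when every address of `inner` lies inside `outer` (e.g. 8000::/1 vs fc00::/7)."""
    return ip_network(outer).supernet_of(ip_network(inner))


if __name__ == '__main__':
    bogons_first = [BLOCK_BOGONS, ALLOW_DHCP, DEFAULT_DENY]
    dhcp_first = [ALLOW_DHCP, BLOCK_BOGONS, DEFAULT_DENY]
    for order in (bogons_first, dhcp_first):
        hit = first_match(order, DHCP_DISCOVER)
        print(f'{order[0].name} first -> {hit.action} ({hit.name})')
    print('8000::/1 covers fc00::/7:', covers('8000::/1', 'fc00::/7'))
```

With the bogon rule first the DISCOVER is dropped because its source 0.0.0.0 sits in 0.0.0.0/8; with the DHCP rule first it passes and the bogon rule still blocks everything else from that range. The IPv6 check returns True, which is the overlap the post points out between the 8000::/1 entry and the ULA range.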


8. 23.1 Legacy Series / Errors in Unbound Log
« on: March 30, 2023, 12:59:55 am »
After the update today, I decided to reboot the router. I saw the following errors, which I've never seen before. Unbound seems to work OK. I am using it in resolver mode with no blocklists.

Code:
2023-03-29T15:51:43-07:00 Informational unbound [34475:0] info: dnsbl_module: attempting to open pipe
2023-03-29T15:51:43-07:00 Informational unbound [34475:3] info: dnsbl_module: Logging backend closed connection. Closing pipe and continuing.
2023-03-29T15:51:43-07:00 Error unbound duckdb.ConversionException: Conversion Error: Could not convert string 'None' to INT32
2023-03-29T15:51:43-07:00 Error unbound db.connection.append('query', pandas.DataFrame(self.buffer))
2023-03-29T15:51:43-07:00 Error unbound File "/usr/local/opnsense/scripts/unbound/logger.py", line 167, in _read
2023-03-29T15:51:43-07:00 Error unbound if not callback(key.fileobj, mask):
2023-03-29T15:51:43-07:00 Error unbound File "/usr/local/opnsense/scripts/unbound/logger.py", line 216, in run_logger
2023-03-29T15:51:43-07:00 Error unbound r.run_logger()
2023-03-29T15:51:43-07:00 Error unbound File "/usr/local/opnsense/scripts/unbound/logger.py", line 223, in run
2023-03-29T15:51:43-07:00 Error unbound run(inputargs.pipe, inputargs.flush_interval)
2023-03-29T15:51:43-07:00 Error unbound File "/usr/local/opnsense/scripts/unbound/logger.py", line 239, in <module>
2023-03-29T15:51:43-07:00 Error unbound Traceback (most recent call last):
2023-03-29T15:50:02-07:00 Informational unbound [34475:0] info: dnsbl_module: successfully opened pipe
2023-03-29T15:50:02-07:00 Informational unbound [34475:0] info: dnsbl_module: attempting to open pipe
2023-03-29T15:50:02-07:00 Informational unbound [34475:0] info: generate keytag query _ta-4f66. NULL IN
2023-03-29T15:50:00-07:00 Notice unbound Backgrounding unbound logging backend.

9. 23.1 Legacy Series / New Errors in RADVD radvd can't join ipv6-allrouters on em0
« on: March 21, 2023, 05:03:49 pm »
After today's update I see the following in my logs, and others have reported issues with IPv6:

Code:
radvd can't join ipv6-allrouters on vlan07
radvd can't join ipv6-allrouters on vlan06
radvd can't join ipv6-allrouters on vlan05
radvd can't join ipv6-allrouters on vlan04
radvd can't join ipv6-allrouters on vlan01
radvd can't join ipv6-allrouters on vlan03
radvd can't join ipv6-allrouters on vlan02
radvd can't join ipv6-allrouters on em0

10. 23.1 Legacy Series / Isn't this a bug? Block Bogons also blocks DHCP
« on: February 25, 2023, 08:29:35 pm »
If I enable Block Bogons on an interface I see in the logs that DHCP traffic is getting blocked:

If I look at the Auto Rules generated, I see that Block Bogon rule is before the Allow DHCP rules.

It seems to me that the Block Bogon rules should fall after the DHCP rules.



11. 23.1 Legacy Series / NUT plugin does not work after upgrade to 23.1
« on: February 22, 2023, 01:01:44 am »
I cannot get the NUT plugin to work since upgrading to 23.1. This worked prior to the update to 23.1. The nut_daemon crashes.

I thought there was potentially a problem with the UPS itself, and bought a new UPS, and am still having the same error.

I did a fresh install of the router, using the old config.
I tried uninstalling the NUT plugin and reinstalling. It just doesn't work consistently.

Code:
2023-02-21T15:53:10-08:00 Error upsmon upsmon parent: read
2023-02-21T15:53:10-08:00 Error upsd mainloop: Interrupted system call
2023-02-21T15:53:09-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:53:07-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:53:06-08:00 Error upsmon Poll UPS [CyberPower] failed - Data stale
2023-02-21T15:53:05-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:53:03-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:53:01-08:00 Error upsmon Poll UPS [CyberPower] failed - Data stale
2023-02-21T15:53:01-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:52:59-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:52:57-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:52:56-08:00 Error upsmon Poll UPS [CyberPower] failed - Data stale
2023-02-21T15:52:55-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:52:53-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:52:51-08:00 Error upsmon Poll UPS [CyberPower] failed - Data stale
2023-02-21T15:52:51-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything
2023-02-21T15:52:49-08:00 Warning usbhid-ups libusb1: Could not open any HID devices: insufficient permissions on everything


12. 22.7 Legacy Series / Many Unbound Log Errors after updating to 22.7.10
« on: December 21, 2022, 05:13:18 pm »
I'm seeing multiple of these in the unbound logs:

Code:
2022-12-21T08:09:58-08:00 Error unbound [67156:3] error: pythonmod: python error: Traceback (most recent call last):
2022-12-21T08:09:58-08:00 Error unbound [67156:3] error: pythonmod: Exception occurred in function operate, event: module_event_new
      AttributeError: 'NoneType' object has no attribute 'query_reply'
      if reply_list.query_reply:
      File "dnsbl_module.py", line 168, in filter_query
      return ctx.filter_query(id, qstate, qdata)
      File "dnsbl_module.py", line 281, in operate

13. 22.7 Legacy Series / Unbound blocklist does not seem to be working since update to 22.7.9
« on: December 03, 2022, 10:45:09 pm »
I use unbound in resolver mode, and for the blocklist I use the URL method to download https://dbl.oisd.nl/.

I see in the log that it is downloading "blocklist download https://dbl.oisd.nl/ (lines: 980762 exclude: 0 block: 980754)"

But sites in the list are not being blocked. This had worked prior to the update.


14. 22.7 Legacy Series / I can't get the wildcard Alias type to work
« on: September 19, 2022, 06:47:12 pm »
From the documentation, it states that you can create a wildcard alias. The example is 192.168.0.1/0.0.255.0.

When I try to create this as a network, I get an error, as in the attached picture.

I am trying to create an Alias for broadcast. I use 10.23.x.x/16 for my internal networks, so I am trying to create a BROADCAST alias using the wildcard 10.23.0.255/0.0.255.0, but this didn't work, and neither did the example from the documentation.

Is there a better way to create rules dealing with broadcasts?
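Added example (Python, not OPNsense's or pf's code) of what a wildcard specification like 10.23.0.255/0.0.255.0 matches. It reads set bits in the wildcard as "don't care" bits, the usual wildcard-mask convention, which is assumed here to be what the documentation's 192.168.0.1/0.0.255.0 example means. Besides the matcher it shows a test for whether the mask is really just a CIDR prefix in disguise, and an expansion into an explicit host list, which is one assumed way to express such a set when a non-contiguous mask is rejected by the alias form. The BROADCAST case is carried through with the post's own 10.23.0.0/16 layout.

```python
from ipaddress import IPv4Address
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def parse_wildcard(spec: str) -> Tuple[int, int]:
    """'10.23.0.255/0.0.255.0' -> (base, wildcard) as 32-bit ints; a CIDR length ('/16') also works."""
    base_s, mask_s = spec.split('/')
    base = int(IPv4Address(base_s))
    if mask_s.isdigit():
        wildcard = (1 << (32 - int(mask_s))) - 1   # host bits of the prefix are the don't-care bits
    else:
        wildcard = int(IPv4Address(mask_s))
    return base, wildcard


def wildcard_match(addr: str, spec: str) -> bool:
    """Bits set in the wildcard are ignored; every other bit must equal the base address."""
    base, wildcard = parse_wildcard(spec)
    return ((int(IPv4Address(addr)) ^ base) & ~wildcard & MASK32) == 0


def is_contiguous(spec: str) -> bool:
    """True when the don't-care bits form one low-end run, i.e. the spec is an ordinary CIDR network."""
    _, wildcard = parse_wildcard(spec)
    return wildcard & (wildcard + 1) == 0


def expand(spec: str, limit: int = 4096) -> List[str]:
    """Enumerate every address the spec matches, in ascending order, as an explicit host list."""
    base, wildcard = parse_wildcard(spec)
    free_bits = [i for i in range(32) if wildcard >> i & 1]
    count = 1 << len(free_bits)
    if count > limit:
        raise ValueError(f'{spec} matches {count} addresses, above the limit of {limit}')
    fixed = base & ~wildcard & MASK32
    hosts = []
    for n in range(count):
        addr = fixed
        for j, bit in enumerate(free_bits):   # spread the bits of n over the don't-care positions
            if n >> j & 1:
                addr |= 1 << bit
        hosts.append(str(IPv4Address(addr)))
    return hosts


if __name__ == '__main__':
    spec = '10.23.0.255/0.0.255.0'            # directed broadcasts of every 10.23.X.0/24
    for probe in ('10.23.5.255', '10.23.5.254', '10.24.5.255'):
        print(probe, 'matches' if wildcard_match(probe, spec) else 'does not match', spec)
    print(spec, 'is contiguous:', is_contiguous(spec))
    hosts = expand(spec)
    print(len(hosts), 'hosts, first', hosts[0], 'last', hosts[-1])
```

For the post's BROADCAST case the wildcard is not contiguous, so it cannot be written as a single network; the expansion gives the 256 per-/24 broadcast addresses that such a set would have to list explicitly.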


15. 22.7 Legacy Series / None of my VLAN interfaces are working after upgrade to 22.7
« on: July 28, 2022, 05:00:09 pm »
Just what the subject says. No connectivity at all to opnsense from VLAN interfaces.

WAN  ix0  works
LAN  em0  works

VLANs are all on ix1; none work, but they show in the list of interfaces as up.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved