Topics - ooker

1
20.1 Legacy Series / SOLVED: Auto-Re-connect WAN after cable modem re-connects
« on: July 29, 2020, 04:24:00 pm »
Summary: When the WAN connection goes down, it does not re-request DHCP for the WAN address, so OPNsense has no WAN gateway and can't communicate with the Internet until the OPNsense box is restarted.
 
Does anyone know of a setting or script that could detect loss of WAN address (a good symptom seems to be no WAN gateway) and keep trying to re-request WAN DHCP until a result is received?

I have Comcast and sometimes the cable modem goes offline and comes back on.  When this happens my OPNsense box loses connectivity to the WAN.  The cable modem status shows that it has connectivity, so all that is needed is for the OPNsense box to re-request DHCP for the WAN connection.  I don't know of a way to automatically trigger this.  I also don't know the best way to trigger a WAN re-request of DHCP via a script.  Has anyone solved this or does anyone have info on the best way to trigger a WAN re-request via a script/cron job?

UPDATE: I've added this script as a cron job on my OPNsense box that runs every minute, and it seems to work (probably needs more testing, but at least it worked for the common case that impacts me).    I hope this helps someone else, and if you see a better way to do this, please reply with your suggestions.

Caveat: I only have one WAN link and it is the default route for my OPNsense box.

Note: I have entered my WAN interface as a string in the script (wanInterface="em0").

Question: Does anyone know of a good way to get the WAN interface by looking at config files and/or via some shell command?  I'd rather not have hard-coded interface names in my script.

Code:
#!/bin/sh
# Cron watchdog: bounce the WAN interface when the default gateway is missing or unreachable.
# Take only the first IPv4 default route so a second "default" line cannot break the tests below.
gatewayIP=$(netstat -4rn | awk '$1 == "default" {print $2; exit}')
wanInterface="em0"

echo "Gateway: $gatewayIP"
echo "WAN Interface: $wanInterface"
# Quote the variable so the test is well-formed when no gateway was found.
if [ -z "$gatewayIP" ]
then
  echo "NO Gateway"
  # Bring the interface down then up to renew the WAN DHCP
  ifconfig "$wanInterface" down
  ifconfig "$wanInterface" up
else
  # ping exits 0 when the host is reachable
  if ping -c 1 "$gatewayIP" > /dev/null
  then
    echo "Gateway Reachable"
  else
    echo "Gateway Unreachable"
    # Bring the interface down then up to renew the WAN DHCP
    ifconfig "$wanInterface" down
    ifconfig "$wanInterface" up
  fi
fi


2
20.1 Legacy Series / RESOLVED: Periodic Reboot--Fatal trap 12-**only with traffic shaper enabled**
« on: May 27, 2020, 11:32:28 pm »
I'd appreciate some help with this please.
I recently started using traffic shaping and I'm getting a periodic fatal trap and reboot of my OPNsense box (see below). It's running on a Protectli box with Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz (4 cores).

Does anyone have any suggestions for tracking this down and resolving it?

This seems to occur only when traffic shaper rules are enabled.  As a test, I disabled the traffic shaper rules and the firewall has run for 14 hours without rebooting. Enabling traffic shaper rules results in a reboot within 30m-3 hours.

Here is the version info off the dashboard:
OPNsense 20.1.7-amd64
FreeBSD 11.2-RELEASE-p20-HBSD
OpenSSL 1.1.1g 21 Apr 2020
-----------------------------------
Fatal trap 12: page fault while in kernel mode

cpuid = 2; apic id = 02
fault virtual address   = 0xffffffff00040061
fault code      = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff80d9c2e3
stack pointer           = 0x28:0xfffffe0232b352a0
frame pointer           = 0x28:0xfffffe0232b352a0

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xffffffff00040061
fault code      = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff80daa0b3
stack pointer           = 0x28:0xfffffe0232dee7a0
frame pointer           = 0x28:0xfffffe0232dee7f0
code segment      = base 0x0, limit 0xfffff, type 0x1b
         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags   = interrupt enabled, resume, IOPL = 0
current process      = 0 (dummynet)
version.txt0600007013663554527  7550 ustarrootwheelFreeBSD 11.2-RELEASE-p20-HBSD  07ef86ce9ca(stable/20.1)

UPDATE: Resolved.
After backing up the configuration, then re-installing OPNsense and restoring the configuration, my OPNsense box has not encountered a crash/random reboot with traffic shaping enabled. The re-install installed 20.1 then upgraded to 20.1.7. I've been running for over 14 hours without a crash.

Note: Before re-installing, I had performed a Firmware audit several times and everything checked out, but I was still encountering periodic crashes and reboots only when traffic shaping was enabled. 
I also tried re-installing key packages including opnsense, but I continued to encounter random crashes and reboots only when traffic shaping was enabled.
Conclusion: Successful completion of firmware audit does not provide a comprehensive check of the integrity of the OPNsense install.

3
18.1 Legacy Series / IPsec Road Warrior VPN question: Should the status indicator be green?
« on: January 27, 2018, 02:13:37 pm »
Hi,
I'd like your help please.
I'm trying to get the IPsec Road Warrior VPN working.

On my VPN server, in the VPN->IPsec->Status Overview, my status icon at the right of the display is orange.  Should it be green? 

I couldn't find any info on this in the documentation.


4
18.1 Legacy Series / Help Needed Please: IPsec VPN RoadWarrior config--now with a VPN Log
« on: January 18, 2018, 12:58:19 am »
Hi Folks,
I'm using OPNsense 18.1.r_15-amd64 and I'm trying to get IPsec Road Warrior VPN configured.

I'm following the steps here:
https://docs.opnsense.org/manual/how-tos/ipsec-road.html
 
And on Step 4 (Add IPsec Users) it says:
"Add privilege User - VPN - IPsec xauth Dialin by pressing the + under Effective Privileges."

I don't see a "+" under Effective Privileges.  Under Effective Privileges the only button is an edit button (pencil)--If I press this, then I get a list of GUI components, and none of them say "IPsec xauth Dialin".  In fact none of the options have xauth in the title.  I have these selected:
  • GUI VPN: IPsec and
  • GUI VPN: IPsec: Mobile


Am I doing something wrong, or have the options changed since the documentation was created?

When I configure the native client in OS X, I get this error when I try to connect:  "The VPN server did not respond. Verify the server address and try reconnecting."

Would someone please point me to some updated docs or steps to try to diagnose this issue?

Also, just checking, should the IPsec VPN be working with OPNsense 18.1.r_15?
I've applied the patch: opnsense-patch 0ec330d7
per this thread: https://forum.opnsense.org/index.php?topic=6843.0

I would greatly appreciate any tips or pointers.

Thanks!

5
18.1 Legacy Series / Not getting hostnames on insight reports
« on: January 06, 2018, 09:49:39 pm »
Hi Folks,
I'd like some help please.
I'm running 18.1.b, and I can't get hostnames to show up on the Insight reports--I just see IP addresses.

I've followed the steps here:  https://github.com/opnsense/core/issues/1854

I am looking at the Insight->Totals->Top usage ports/sources for the lan

I'm running dnsmasq, and I have these dnsmasq options enabled:
  • Enable DNS Forwarder
  • Register DHCP leases in DNS forwarder
  • Register DHCP static mappings in DNS forwarder
  • Resolve DHCP mappings first


And in Systems->Settings->General I have ensured that this option is not enabled:
[ ] Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

Is there anything else that I need to do to get the IP addresses to resolve to hostnames?

Also, should the IPs (both local and remote) on the Insight Details report also resolve to hostnames?



OK I was not seeing the option because I was using the Beta and not the dev version, and these changes apparently have not made it to the Beta yet.

After I perform (in a shell on the OPNsense box):
opnsense-update -t opnsense-devel

and restart I see the Reverse-Lookup option
