Topics - Alphakilo

#1
Hi,

I have a barely working dual WAN setup that broke further :-[
I've set up a cronjob to do a "Periodic interface reset" every day at 05:00 that worked throughout 21.x, but seems to be broken with 22.1. Every morning the pppoe0 interface is down.

There seems to be an issue shutting down the PPP daemon:

<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="1"] Multi-link PPP daemon for FreeBSD
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="2"] 
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="3"] process 29540 started, version 5.9
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="4"] caught fatal signal TERM
[...]
<30>1 2022-02-15T05:00:30+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="79"] waiting for process 71757 to die...
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="80"] can't lock /var/run/pppoe_wan.pid after 30 attempts
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="81"] [wan] Bundle: Shutdown
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="82"] [wan_link0] Link: Shutdown
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="83"] process 71757 terminated


After that, no automatic attempt to restart the daemon is made. A manual reload brings the interface back up with no issues.
I've attached the latest logfile and a screenshot of the cronjob.
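A small detection routine for the failure shown in the log above, added here as an example (it is not code from the post or from OPNsense): it parses the RFC 5424-style ppp lines, finds the new daemon instance that gave up locking the PID file, and reports whether the old instance terminated afterwards and whether any later restart happened. The sample log is constructed from the quoted lines, with the "[...]" gap left out.

```python
import re
from typing import Optional

# Constructed sample, modelled on the ppp log lines quoted in the post above
# (the "[...]" gap in the original is simply left out here).
SAMPLE_LOG = """\
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="1"] Multi-link PPP daemon for FreeBSD
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="3"] process 29540 started, version 5.9
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="4"] caught fatal signal TERM
<30>1 2022-02-15T05:00:30+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="79"] waiting for process 71757 to die...
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="80"] can't lock /var/run/pppoe_wan.pid after 30 attempts
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="81"] [wan] Bundle: Shutdown
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="83"] process 71757 terminated
"""

# RFC 5424 header as it appears in the quoted log: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG
LINE_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) \S+ (?P<app>\S+) (?P<pid>\d+) \S+ \[meta sequenceId="\d+"\] (?P<msg>.*)$'
)

def parse_ppp_events(log_text: str) -> list:
    """Keep only parsable lines from the ppp daemon, as dicts with ts, pid and msg."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("app") == "ppp":
            events.append({"ts": m.group("ts"), "pid": int(m.group("pid")), "msg": m.group("msg")})
    return events

def find_failed_restart(log_text: str) -> Optional[dict]:
    """Detect the failure mode from the post: the new ppp instance gives up on the PID
    file lock while the old instance is still shutting down, and nothing restarts it.
    Returns None when the log shows no such failure."""
    events = parse_ppp_events(log_text)
    for i, e in enumerate(events):
        m = re.match(r"can't lock (?P<pidfile>\S+) after (?P<n>\d+) attempts", e["msg"])
        if not m:
            continue
        later = events[i + 1:]
        # A later "process N started" from a different pid would mean a successful retry.
        retried = any(re.match(r"process \d+ started", x["msg"]) and x["pid"] != e["pid"] for x in later)
        old_done = next((x["ts"] for x in later if re.match(r"process \d+ terminated", x["msg"])), None)
        return {"new_pid": e["pid"], "pidfile": m.group("pidfile"), "attempts": int(m.group("n")),
                "gave_up_at": e["ts"], "old_terminated_at": old_done, "recovered": retried}
    return None
```

Feeding the real /var/log/ppp output into find_failed_restart after the 05:00 cron run tells you whether the interface is down because of this lock timeout rather than a dial-in problem.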
#2
Hey fellow OPNsense users!

I've set up multi WAN as a failover group as described here: https://docs.opnsense.org/manual/how-tos/multiwan.html

Attached is a screenshot of the gateway groups.

The interfaces are pppoe0 and igb3, for WAN and Vodafone respectively. I have some services running on pppoe0 (namely OpenVPN and NGINX) locally, which both broke after the upgrade. Turns out, OPNsense is answering to incoming traffic on pppoe0 via the wrong interface, igb3. I can't really make sense of it ???

#3
acme.sh supports Cloudflare's new token model, which allows fine-grained control over token permissions.
Reference: https://github.com/Neilpang/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token

I'm a huge fan of the "least-privilege" principle, so I took it upon myself to take a stab at implementing it in the os-acme-client plugin.
Here's the result: https://github.com/Alphakilo/plugins/commit/3a4edf21bcb8cc25df9b7748cee6d88dadf5f98b


It works on my lab and my production installations, though there are some issues I'd like some feedback on.


Cheers!
#4
General Discussion / Gandi.net API support for os-dyndns?
September 07, 2018, 08:12:15 PM
So. For my homelab I have lots and lots of domains and subdomains. Currently they are registered with Cronon (STRATO).
Since I'm pretty darn tired of STRATO's fits and general backwardness, I'd like to transfer them to a provider that actually knows what they're doing. I've evaluated some providers and settled for gandi.net.

Now comes the complicated part:

I have a dynamic public IP that changes on every reconnect, or at the very least on every forced reconnect (24h). The os-dyndns is doing a great job with STRATO, at least as good as it can with that company (yes, I'm salty).

But it seems it has no option for the gandi.net API.

There's a Python implementation over at GitHub, but I'd also like to keep the process of DynDNS updates on the OPNsense, without potentially compromising my border gateway by running 3rd party stuff on it. CNAME is also not an option.

That leaves me... Well, here. Asking for help ;)

Maybe I'm just not seeing how it can be done?
Maybe it could be implemented?

If the latter is true, welp, my PHP doesn't go far beyond <?php phpinfo(); ?>. But I'd be happy to help by testing and providing API keys.

Cheerio!
#5
Heya!

So I wanted to give the documentation some love (sidenote: reStructuredText is an awful markup) but found myself unwilling to install Sphinx in order to get previews.
Then it hit me. This is what Docker was made for.

The result is this:
https://github.com/Alphakilo/opnsense-sphinx-doc-docker
https://hub.docker.com/r/alphakilo/opnsense-sphinx-doc/

Now instead of messing around with Python and its dependencies you can run
docker run --rm -v ~/src/docs:/docs alphakilo/opnsense-sphinx-doc:latest and enjoy your build.

I have a few questions about the "official" build process, since I couldn't find resources about that.
What version of Sphinx and Python is used to build for docs.opnsense.org?

I don't want nasty surprises regarding parsing or formatting that may depend on the Sphinx version, or some stupid library.

Regards
#6
Hi!

IDK if this is the right place to state a feature request, but I couldn't figure out where to do that, so here we go:

I'd like to serve DHCP clients different Options based on their MAC address. Specific addresses or parts ("begins with", i.e.: vendor prefixes).

My use case is this: I have VoIP-Phones from multiple vendors. They require different DHCP options to do auto-provisioning.
Sometimes the same option is used for different values by different vendors or models.

Right now I'm forced to use different interfaces (VLANs) in those cases, which I'm not happy about.

Regards
#7
18.1 Legacy Series / PPPoE pain
March 28, 2018, 06:44:22 PM
Hello folks.

I very recently switched from Sophos UTM to OPNsense (18.1.5). So far this journey was very painful. It makes me question whether I'm incompetent or something went horribly wrong with my deployment.

I have a slew of issues, pretty much everywhere. The thing that bothers me most currently is the stability of my one and only egress to WAN.

Let me describe my setup.
My ISP (1&1 / Versanet) provides me VDSL via PPPoE dial-in. They only accept PPPoE traffic which is tagged as VLAN 7.
So I created an interface for that (re1_vlan7) and used it for the PPP configuration (pppoe0). That resulted in the creation of the WAN interface.

re1 is connected to a Zyxel VDSL modem.

The dial-in works. Most of the time. Now to my issues:

Unable to save WAN interface

Every time I save the WAN interface, connectivity drops until I reboot OPNsense. I figured out two different causes:

a) My PPPoE password got URL-encoded every time I saved either the interface or the PPP config. I solved that by setting a new password at my ISP.
b) NAT continues to use the old interface address as src address for new (!) connections, sporadically. In fact, it continues to use all addresses that were ever assigned to the interface during uptime in what seems to be a round-robin fashion.

24h disconnects

My ISP forces a re-dial-in every 24h, assigning new addresses (IPv4 & v6). I used a cron job (via WebUI / System / Settings / Cron: 0 5 * * * Periodic interface reset -> pppoe0) to do that at a time where it's least bothersome. That results in broken PPPoE dial-in until I reboot OPNsense.

Broken in the sense that the dial-in works, but gets terminated 2-4 seconds after obtaining an IP by LCP "LCP: rec'd Terminate Request #3" (Configure-NAK?).
After the reboot the dial-in works instantly and is not terminated in that fashion.

And when I fix this issue, I'm pretty sure the NAT issue from above will come back to haunt me.

Vanishing default gateways

The ISP-assigned default gateway drops out of the routing table from time to time. I haven't been able to figure out the root cause, because I don't even know where to look. The issue gets more frequent when I enable gateway monitoring though.

DHCPv6

There are multiple DHCPv6 clients for the pppoe0 interface, resulting in "dhcp6c: XID mismatch".
I can't figure out how or why there are multiple instances for the same interface using the same configuration (and funny enough: the same PID file):

root@{{hostname}}:~ # ps x | grep "dhcp6c"
74604  -  Ss     0:00.05 /usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0
79106  -  Ss     0:00.04 /usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0


I'm at a loss what even to do next.
It just feels so random. Every time I fix something, more problems come up.
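A small check for the duplicate dhcp6c situation described in the post above, added here as an example (not code from the post or from OPNsense): it parses `ps x` output in the shape quoted there and reports PID files that more than one running dhcp6c process claims with `-p`. The sample listing is constructed; the igb3 line is an extra entry not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample, copied in shape from the ps listing in the post above.
# The igb3 line is an added, hypothetical entry that should NOT be reported.
SAMPLE_PS = """\
  PID TT  STAT    TIME COMMAND
74604  -  Ss   0:00.05 /usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0
79106  -  Ss   0:00.04 /usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0
 1234  -  Ss   0:00.01 /usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_opt1.conf -p /var/run/dhcp6c_igb3.pid igb3
"""

# Columns of `ps x` on FreeBSD: PID TT STAT TIME COMMAND (the header row has no numeric PID).
PS_RE = re.compile(r'^\s*(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.*)$')

def duplicate_pidfile_owners(ps_output: str, daemon: str = "dhcp6c") -> dict:
    """Map each -p PID file to the PIDs of `daemon` processes that claim it;
    only PID files claimed by more than one process are returned."""
    owners = defaultdict(list)
    for line in ps_output.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if not argv or not argv[0].endswith("/" + daemon):
            continue
        if "-p" in argv and argv.index("-p") + 1 < len(argv):
            pidfile = argv[argv.index("-p") + 1]
            owners[pidfile].append(int(m.group("pid")))
    return {f: pids for f, pids in owners.items() if len(pids) > 1}
```

Running this over live `ps x` output after each reconnect shows whether a second dhcp6c instance was started for pppoe0 without the first one being stopped, which is the condition that produces the "XID mismatch" messages.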
#8
Hello,

I'm wondering if it is possible to apply different rulesets for different networks.
For instance: drop P2P for one VLAN, while allowing it for a different one.

Cheers