Topics

1

20.1 Production Series / Questions about updates

« on: February 11, 2020, 03:42:16 am »

I have an OPNsense installation running with release type development. The version is OPNsense 20.1.r_6-amd64.

If I check for updates, two choices are offered. The first choice consists of 32 updates, including downgrading the base from 20.1 to 19.7, upgrading some packages, reinstalling some packages and removing some packages, including opnsense-devel. The other choice is to unlock 20.1.r1.

If I select the first choice, this message appears in the log

Code: [Select]

***GOT REQUEST TO UPGRADE: all***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (29 candidates): .......... done
Processing candidates (29 candidates): .......... done
Checking integrity... done (1 conflicting)
  - openssl102-1.0.2u conflicts with openssl-1.1.1d,1 on /usr/local/bin/c_rehash
Cannot solve problem using SAT solver, trying another plan
Checking integrity... done (0 conflicting)
The following 30 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
opnsense-update-20.1
opnsense-devel-20.1.r_6
openssl-1.1.1d,1

New packages to be INSTALLED:
openssl102: 1.0.2u

Installed packages to be UPGRADED:
py37-urllib3: 1.25.6,1 -> 1.25.7,1
py37-setuptools: 41.4.0_1 -> 44.0.0
liblz4: 1.9.2,1 -> 1.9.2_1,1
isc-dhcp44-server: 4.4.1_4 -> 4.4.2
isc-dhcp44-relay: 4.4.1 -> 4.4.2

Installed packages to be REINSTALLED:
wpa_supplicant-2.9 (options changed)
unbound-1.9.6 (direct dependency changed: openssl102)
syslog-ng325-3.25.1 (direct dependency changed: openssl102)
strongswan-5.8.2_1 (direct dependency changed: openssl102)
squid-4.9 (direct dependency changed: krb5)
python37-3.7.6 (direct dependency changed: openssl102)
py37-cryptography-2.6.1 (direct dependency changed: openssl102)
php72-openssl-7.2.26 (direct dependency changed: openssl102)
openvpn-2.4.8 (direct dependency changed: openssl102)
openssh-portable-8.1.p1,1 (direct dependency changed: openssl102)
openldap-sasl-client-2.4.48 (direct dependency changed: cyrus-sasl)
ntp-4.2.8p13_6 (direct dependency changed: openssl102)
mpd5-5.8_10 (direct dependency changed: openssl102)
monit-5.26.0 (direct dependency changed: openssl102)
lighttpd-1.4.54 (direct dependency changed: openssl102)
libevent-2.1.11 (direct dependency changed: openssl102)
ldns-1.7.1_1 (direct dependency changed: openssl102)
krb5-1.17.1 (direct dependency changed: openssl102)
hostapd-2.9 (direct dependency changed: openssl102)
cyrus-sasl-2.1.27_1 (direct dependency changed: openssl102)
curl-7.68.0 (direct dependency changed: ca_root_nss)

Number of packages to be removed: 3
Number of packages to be installed: 1
Number of packages to be upgraded: 5
Number of packages to be reinstalled: 21

The operation will free 22 MiB.
pkg-static: Cannot delete vital package: opnsense-devel!
pkg-static: If you are sure you want to remove opnsense-devel,
pkg-static: unset the 'vital' flag with: pkg set -v 0 opnsense-devel
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***
Note the end where it says the following:

pkg-static: Cannot delete vital package: opnsense-devel!
pkg-static: If you are sure you want to remove opnsense-devel,
pkg-static: unset the 'vital' flag with: pkg set -v 0 opnsense-devel

Is this expected behaviour or does my system have a problem?

2

19.7 Legacy Series / 19.7 installation on Hyper-V hangs at the "Select Task" step.

« on: August 06, 2019, 04:47:21 am »

Just so this doesn't get left behind, I reinstalled OPNsense from scratch on my windows server 2019 hyper-v and I experienced the same freezing as in the previous version. The first time was at the point of selecting guided setup. At this point, I interrupted using CTRL-C and logged in again as installer. It happened once or twice again further on. I'm using a generation 2 vm with secure boot disabled. The settings are default.

If you would like me to test anything, let me know.

3

19.7 Legacy Series / Problems with 19.7

« on: July 28, 2019, 09:30:50 pm »

I updated my release system to 19.7 today. There are two problems, which were both present in the pre-release versions.

The firmware reporter is reporting, "Unfortunately we have detected at least one programming bug."

Here is the error:

Code: [Select]

[28-Jul-2019 11:37:05 America/Vancouver] PHP Warning:  vsprintf(): Too few arguments in /usr/local/etc/inc/util.inc on line 986
The other problem is that Gateway Monitor (WAN_DHCP6) is not starting. There are no errors in any of the logs that appear to be related to this problem (although it could be that I'm not looking in the right place for the smoking gun). There is only one instance of dpinger running and that is for WAN_DHCP.

I also noticed that every time I try to start the gateway monitor, another instance of the above PHP warning is issued.

My offer still stands to make the system available for someone to take a look at.

4

General Discussion / No unsolicited RA from ISP edge router

« on: July 08, 2019, 01:09:48 am »

My ISP has an issue with some of their edge routers where they are not sending periodic unsolicited RA messages. This is happening with their Juniper edge routers. For their Alcatel/Nokia edge routers, unsolicited RA messages are sent every 20-30 minutes. The Juniper edge routers will respond to RS messages.

I'm not sure how this behaviour started. It may be that Juniper or one of their customers decided it was a feature. However, recently, Juniper started offering "no unsolicited ra" as selectable "Enhanced Subscriber Management feature". Here is a link: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-unsolicited-ra-edit-enhanced-universal-edge-overrides.html.

The behaviour of the other *sense is inconsistent. Sometimes IPv6 will drop after 2 hours. If you save / apply the WAN I/F, it will restart. Other times, it will continue to work.

What is the behaviour of OPNsense if the edge router doesn't send an unsolicited RA? Is there a way to trigger OPNsense to send a solicited RS message for situations such as this? I would try this myself, but it's working properly for me.

5

19.1 Legacy Series / Windows Server 2019 Hyper-V Installation

« on: June 22, 2019, 06:18:58 pm »

I had to rebuild my hyper-v server, so I did a clean installation of OPNsense using the latest download, which is OPNsense-19.1.4-OpenSSL-dvd-amd64.iso. I created a generation 2 VM with secure boot disabled, two processors and 2048 of memory. On both NICs, VMQ, IPsec task offloading (512) and SR-IOV are enabled and all of the "advanced features" are disabled. Both NICS are connected to virtual switches.

I had to use CTRL-C a couple of times during the installation because the installer hung.

Aside from that, the installation was successful.

6

19.7 Legacy Series / LAN_TRACK6 Gateway with Unknown / Pending Status

« on: April 14, 2019, 06:33:04 pm »

I'm running OPNsense 19.7.a_516-amd64. I noticed a LAN_TRACK6 gateway with unknown status on the dashboard and pending status on the gateway status. I have never noticed this gateway before. The client has an IPV6 lease and IPv6 seems to be working properly.

Does anyone know what this gateway is for and why it has unknown / pending status?

7

General Discussion / RIPE Atlas

« on: March 17, 2019, 05:38:17 pm »

If you've never heard of the Atlas project, here is a link: https://atlas.ripe.net/.

Here is some information:

With your help, the RIPE NCC is building the largest Internet measurement network ever made. RIPE Atlas employs a global network of probes that measure Internet connectivity and reachability, providing an unprecedented understanding of the state of the Internet in real time.

The project is looking for people to host probes that will help to fill in gaps in the coverage. I believe they prefer dual-stack, but it probably depends on the situation. I got one of the probes a few weeks ago and it's interesting to see the information it's providing to the project. The probe is very small. I comes with a USB power supply, but I'm powering my probe with a USB port on one of my servers. If you're interested in contributing, it's very easy to apply for a probe.

8

General Discussion / OPNsense Command Prompt

« on: March 13, 2019, 02:50:43 am »

Does OPNsense have a command prompt, like pfSense Diagnostics / Command Prompt?

9

19.7 Legacy Series / Problem building 19.7a

« on: February 09, 2019, 05:44:28 am »

I'm currently running 19.7a_39. Trying to update but can't get make upgrade to complete.

Here is the shell output:

Code: [Select]

root@OPNsense:/usr # rm -rf core
root@OPNsense:/usr # opnsense-code core
Cloning into '/usr/core'...
remote: Enumerating objects: 189, done.
remote: Counting objects: 100% (189/189), done.
remote: Compressing objects: 100% (124/124), done.
remote: Total 120845 (delta 101), reused 119 (delta 57), pack-reused 120656
Receiving objects: 100% (120845/120845), 64.08 MiB | 2.04 MiB/s, done.
Resolving deltas: 100% (86578/86578), done.
root@OPNsense:/usr # cd core
root@OPNsense:/usr/core # make upgrade
pkg: No package(s) matching squid
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'squid' have been found in the repositories
*** Error code 70

Stop.
make: stopped in /usr/core
root@OPNsense:/usr/core #

Any suggestions?

10

18.7 Legacy Series / ntp Questions

« on: December 15, 2018, 06:16:50 pm »

I have two opnsense systems, both running on windows server 2012r2 hyper-v. One system is running the latest release and the other is running 19.1b. I've noticed on both systems that the ntp service is taking longer to start up after rebooting than it used to. Both systems are using the default ntp settings.

I took a look at the status and I have some questions.

Here are the messages in the log, beginning after restarting the ntp service:

Dec 15 09:13:09   ntpd[84257]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
Dec 15 09:13:09   ntpd[84257]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
Dec 15 09:13:09   ntpd[84257]: mlockall(): Cannot allocate memory
Dec 15 09:13:09   ntpd[84257]: Listening on routing socket on fd #26 for interface updates
Dec 15 09:13:09   ntpd[84257]: Listen normally on 5 hn0 162.156.75.11:123
Dec 15 09:13:09   ntpd[84257]: Listen normally on 4 hn0 [fe80::215:5dff:fe5c:e233%5]:123
Dec 15 09:13:09   ntpd[84257]: Listen normally on 3 lo0 127.0.0.1:123
Dec 15 09:13:09   ntpd[84257]: Listen normally on 2 lo0 [::1]:123Dec 15 09:13:09   ntpd[84257]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Dec 15 09:13:09   ntpd[84257]: Listen and drop on 0 v6wildcard [::]:123
Dec 15 09:13:09   ntpd[84257]: restrict: 'monitor' cannot be disabled while 'limited' is enabled
Dec 15 09:13:09   ntpd[84257]: proto: precision = 0.100 usec (-23)
Dec 15 09:13:09   ntpd[84036]: Command line: /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
Dec 15 09:13:09   ntpd[84036]: ntpd 4.2.8p12@1.3728-o Mon Sep 17 00:37:07 UTC 2018 (1): Starting
Dec 15 09:13:09   ntpd[77483]: 206.108.0.134 local addr 162.156.75.11 -> <null>
Dec 15 09:13:09   ntpd[77483]: 2001:6a0:0:31::2 local addr fe80::215:5dff:fe5c:e233%5 -> <null>
Dec 15 09:13:09   ntpd[77483]: 162.248.221.109 local addr 162.156.75.11 -> <null>
Dec 15 09:13:09   ntpd[77483]: 54.39.173.225 local addr 162.156.75.11 -> <null>
Dec 15 09:13:09   ntpd[77483]: ntpd exiting on signal 15 (Terminated)

One of the message refers to memory. The system is currently using only 20% of memory.

Also, it appears that one of the default servers is not reachable. Refer to the screen capture.

11

18.7 Legacy Series / Anyone having problems with dhcpd6?

« on: December 15, 2018, 06:04:41 pm »

I have two opnsense systems, both running on windows server 2012r2 hyper-v. One system is running the latest release and the other is running 19.1b. Yesterday, I updated both of them and now dhcpd6 is broken on both of them.

My ISP provides a /56 prefix. I also have two other *sense systems running on the same hyper-v server. Both are working properly, so I don't think this issue is related to my ISP.

Here is a message from the general log:

opnsense: /usr/local/etc/rc.newwanipv6: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid hn1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.4.1 Copyright 2004-2018 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpdv6.conf line 15: network mask too short prefix6 2001:560:74b0:2800:: 2001:560:74b0:2800::/48; ^ Configuration file errors encountered -- exiting If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging. exiting.'

Note, the message is referring to /48. Not sure where that comes from.

12

19.1 Legacy Series / Anyone having problems with dhcpd6?

« on: December 15, 2018, 05:56:05 pm »

I have two opnsense systems, both running on windows server 2012r2 hyper-v. One system is running the latest release and the other is running 19.1b. Yesterday, I updated both of them and now dhcpd6 is broken on both of them.

My ISP provides a /56 prefix. I also have two other *sense systems running on the same hyper-v server. Both are working properly, so I don't think this issue is related to my ISP.

Here is a message from the general log:

opnsense-devel: /usr/local/etc/rc.newwanipv6: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid hn1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.4.1 Copyright 2004-2018 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpdv6.conf line 15: network mask too short prefix6 2001:560:74c0:b800:: 2001:560:74c0:b800::/48; ^ Configuration file errors encountered -- exiting If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging. exiting.'

Note, the message is referring to /48. Not sure where that comes from.

13

19.1 Legacy Series / Installer hangs at "Select Task" on Hyper-V Generation 2 VM

« on: November 03, 2018, 05:40:32 pm »

There is a thread about Hyper-V Generation 2 VMs in the 18.1 Legacy Series forum: https://forum.opnsense.org/index.php?topic=7128.0.

I'm starting a new thread here, because the specific issue of font incompatibility in that thread seems to be different with the 19.1b snapshot. Changing from the default font to 8x14 no longer makes any difference. The installer hangs at the "Select Task" step. I tried using set hw.vga.textmode="0" and that also made no difference.

I'm testing on Windows Server 2012R2 Hyper-V.

14

18.7 Legacy Series / Text Sizing Problem on Services: DHCPv6: Leases

« on: September 08, 2018, 09:26:20 pm »

There is a text sizing problem on Services: DHCPv6: Leases. Depending on the zoom setting of the browser, the text goes off the screen.

Here is a screen capture:

15

18.7 Legacy Series / Update Questions

« on: July 21, 2018, 05:27:37 pm »

I am currently running this release:

OPNsense 18.7.r_10-amd64
FreeBSD 11.1-RELEASE-p11
OpenSSL 1.0.2o 27 Mar 2018

When I click check for updates, I get this message: This software release has reached its designated end of life. The next major release is: 18.7.r1

Often when I click check for updates, there is a message that the package manager is not running. If I click it again, the message goes away.

Right now, it's saying there are 10 packages. If I upgrade them, it's as if I didn't upgrade. It still gives the message, This software release has reached its designated end of life, the next major release is 18.7.r1.

Is something wrong with my installation? I was previously running the release version. Maybe when I switched to the development version it did not install properly?