Topics - fraenki

#1
Hello,

If anyone is interested in a job in the OPNsense/FreeBSD area, feel free to take a look at our current job posting:

"System Administrator (m/f/d), full-time or part-time"
https://www.markt.de/contentId,jobs/inhalt.htm

We develop and maintain several OPNsense plugins and also work on other projects in the FreeBSD area:
https://github.com/andeman/opn-cli
https://github.com/andeman/puppet-opnsense
https://forge.puppet.com/fraenki

Our goal would of course be for a potential candidate to support us in these and other projects.


Ciao
- Frank
#2
Hi,

I've seen a service crashing (HAProxy) and was wondering: What's the meaning of these HBSD messages?

Dec 30 11:08:05 kernel: pid 53076 (haproxy), uid 80: exited on signal 11
Dec 30 11:08:05 kernel: [HBSD SEGVGUARD] [haproxy (53076)] Suspension expired.
Dec 30 11:08:05 kernel: -> pid: 53076 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>


Is this crash related to one of these HBSD security features? Is there a way to disable them during runtime?


Thanks
- Frank
#3
17.7 Legacy Series / [SOLVED] slow IPsec performance
August 29, 2017, 03:45:36 PM
Hi,

I have deployed a new OPNsense cluster that shows abysmal IPsec performance:

- traffic over IPsec: ~1-2 Mbps
- traffic without IPsec: full speed

SSH file transfers will start at ~25 Mbps, but will immediately drop to 3 Mbps and drop even further within a few seconds.
HTTPS file transfers may even stall completely (this being our main issue). Other connections with "large" data transfers will also abort/stall.

There's no significant load shown in "top" when utilizing the IPsec tunnel.
Tunnel config is pretty old fashioned: AES256/SHA256/DH Group 2 (same for Phase 1+2)

Enable/disable HW offloading does not make any difference.
Hardware is an Intel x5-Z8350 SOC with a Realtek NIC (UP board).

I've seen a lot of similar reports for pfSense:
https://superuser.com/questions/570049/pfsense-firewall-blocking-some-outbound-web-packets-large-http-downloads-just
https://forum.pfsense.org/index.php?topic=74159.msg405436
https://forum.pfsense.org/index.php?topic=123823.msg683776
(Just google for "pfsense ipsec speed"...)

We have some other OPNsense clusters that don't show this issue.

FWIW, this is the only location with a PPPoE router. I've tested the same PPPoE router (Zyxel VMG1312-B30A) at another location with no issues. So I don't think it's the router that causes this issue.

Any ideas?


Thanks
- Frank
#4
Hi,

how do I handle (complex) data migrations for plugins and core components? Can someone provide an example?

For example, I have the following model:

<model>
    <mount>//OPNsense/FooBar</mount>
    <items>
        <dummies>
            <dummy type="ArrayField">
                <value_a type="OptionField">
                    <OptionValues>
                        <option1>Option No. 1</option1>
                        <option2>Option No. 2</option2>
                        <option3>Option No. 3</option3>
                    </OptionValues>
                </value_a>
                <field1 type="TextField">
                    <Required>N</Required>
                </field1>
                <field2 type="TextField">
                    <Required>N</Required>
                </field2>
            </dummy>
        </dummies>
    </items>
</model>


And I want to migrate it to be more like this:

<model>
    <mount>//OPNsense/FooBar</mount>
    <items>
        <dummies>
            <dummy type="ArrayField">
                <value_a type="OptionField">
                    <OptionValues>
                        <option1>Option No. 1</option1>
                        <option2>Option No. 2</option2>
                        <option3>Option No. 3</option3>
                    </OptionValues>
                </value_a>
                <option1_field1 type="TextField">
                    <Required>N</Required>
                </option1_field1>
                <option2_field1 type="TextField">
                    <Required>N</Required>
                </option2_field1>
                <option2_field2 type="TextField">
                    <Required>N</Required>
                </option2_field2>
                <option3_field1 type="TextField">
                    <Required>N</Required>
                </option3_field1>
                <option3_field2 type="TextField">
                    <Required>N</Required>
                </option3_field2>
                <option3_field3 type="TextField">
                    <Required>N</Required>
                </option3_field3>
            </dummy>
        </dummies>
    </items>
</model>


What will be changed? Instead of two multi-purpose fields "field1" and "field2" the updated model will have separate fields for each available option.

In my book the data migration of the config.xml would work something like this:


FOREACH dummy
    IF value_a == 'option1'
        # option1 expects only input in "field1", drop other field
        RENAME field1 TO option1_field1
        DELETE field2
    ELIF value_a == 'option2'
        # option2 expects input in both fields
        RENAME field1 TO option2_field1
        RENAME field2 TO option2_field2
    ELIF value_a == 'option3'
        # option3: introduce a 3rd field
        RENAME field1 TO option3_field1
        RENAME field2 TO option3_field2
        CREATE option3_field3 WITH default_value
    END
END


How would I do this in the OPNsense MVC framework? I've seen migration files in opnsense/core, but none of them performs any complex task like this. I'd be grateful for some hints or a working example. Thanks!

Regards
- Frank
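The migration described in the post above, worked through as an added example that is not part of the post and not OPNsense's own migration framework (the MVC framework's migration classes are PHP; this is a stand-alone Python illustration of the same config.xml transformation). The sample config fragment, the `uuid` attributes and the default value `"default"` for the new `option3_field3` are constructed assumptions. Two properties matter for a migration like this: it must be idempotent (safe to run twice, e.g. after a failed upgrade), and it should refuse to proceed on a record it does not understand rather than silently drop fields.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment in the OLD model layout
# (each <dummy> carries value_a, field1, field2). Not taken from the post.
OLD_CONFIG = """<opnsense>
  <OPNsense>
    <FooBar>
      <dummies>
        <dummy uuid="a1"><value_a>option1</value_a><field1>one</field1><field2>junk</field2></dummy>
        <dummy uuid="b2"><value_a>option2</value_a><field1>two-a</field1><field2>two-b</field2></dummy>
        <dummy uuid="c3"><value_a>option3</value_a><field1>three-a</field1><field2>three-b</field2></dummy>
        <dummy uuid="d4"><value_a>option1</value_a><field1>already</field1></dummy>
      </dummies>
    </FooBar>
  </OPNsense>
</opnsense>"""

# Assumed default for the field that only exists in the new model.
OPTION3_FIELD3_DEFAULT = "default"


def _rename(dummy, old, new):
    """Rename child <old> to <new> if present (no-op when already migrated)."""
    node = dummy.find(old)
    if node is not None:
        node.tag = new


def _delete(dummy, name):
    """Drop child <name> if present (no-op when already migrated)."""
    node = dummy.find(name)
    if node is not None:
        dummy.remove(node)


def migrate_dummy(dummy):
    """Apply the per-option renames from the pseudocode to one <dummy> element."""
    value_a = dummy.findtext("value_a", "")
    if value_a == "option1":
        _rename(dummy, "field1", "option1_field1")
        _delete(dummy, "field2")
    elif value_a == "option2":
        _rename(dummy, "field1", "option2_field1")
        _rename(dummy, "field2", "option2_field2")
    elif value_a == "option3":
        _rename(dummy, "field1", "option3_field1")
        _rename(dummy, "field2", "option3_field2")
        # Only create the new field once, so a second run does not duplicate it.
        if dummy.find("option3_field3") is None:
            ET.SubElement(dummy, "option3_field3").text = OPTION3_FIELD3_DEFAULT
    else:
        # Fail closed: an unknown option means the data is not what we expect.
        raise ValueError(f"unknown value_a {value_a!r} in dummy {dummy.get('uuid')}")
    return value_a


def migrate_config(xml_text, mount="./OPNsense/FooBar"):
    """Parse a config.xml string, migrate every <dummy> under the mount point, return the tree root."""
    root = ET.fromstring(xml_text)
    container = root.find(mount)
    if container is None:
        raise ValueError(f"mount point {mount} not found")
    # Snapshot the list first: we modify children while walking the tree.
    for dummy in list(container.iter("dummy")):
        migrate_dummy(dummy)
    return root


def field_names(root):
    """Return {uuid: sorted child tags} for every <dummy>, to verify the result."""
    return {d.get("uuid"): sorted(c.tag for c in d) for d in root.iter("dummy")}


if __name__ == "__main__":
    migrated = migrate_config(OLD_CONFIG)
    for uuid, names in field_names(migrated).items():
        print(uuid, names)
```

Running the migrated document through `migrate_config` a second time yields the same field layout, which is the idempotency check worth keeping in any real migration; the `uuid="d4"` record shows the partially-migrated case where `field2` is already absent.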
#5
Hi,

I've got a Multi WAN setup running for some time now. Unfortunately, if one of the WAN gateways goes down, OPNsense will endlessly restart my IPsec tunnel(s):

Oct  6 11:49:20 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:49:20 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:49:20 fw1 ipsec_starter[51952]: configuration 'con3' unrouted

Oct  6 11:49:49 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:49:49 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:49:49 fw1 ipsec_starter[51952]: configuration 'con3' unrouted

Oct  6 11:50:08 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:50:08 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:50:08 fw1 ipsec_starter[51952]: configuration 'con3' unrouted

Oct  6 11:50:37 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:50:37 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:50:37 fw1 ipsec_starter[51952]: configuration 'con3' unrouted


I find this rather odd (and annoying)... is this the expected behaviour or does this point to a misconfiguration on my side?

OPNsense 16.7.5-amd64
FreeBSD 10.3-RELEASE-p9
OpenSSL 1.0.2j 26 Sep 2016

Thanks
- Frank
#6
Development and Code Review / OPNsense API
January 05, 2016, 04:09:55 PM
Hi,

is there any further information available regarding the OPNsense API?


  • examples on how to use the API
  • some sort of client code or example code or even a ready-to-use library (I don't want to reinvent the wheel)
  • a reference for all API calls?


Thanks
- Frank
#7
Hi,

I'm running two nodes of OPNsense in HA mode with pfsync and CARP. The master is a physical server and the slave is a virtual machine. After starting the slave node everything is fine for ~15-45 minutes. But after this time, the system load increases dramatically on both nodes:


last pid: 37844;  load averages:  0.19,  0.07,  0.03                                                                                            up 0+00:36:01  15:18:51
176 processes: 3 running, 123 sleeping, 50 waiting
CPU:  0.0% user,  0.0% nice,  0.0% system, 10.8% interrupt, 89.2% idle
Mem: 73M Active, 64M Inact, 107M Wired, 568K Cache, 86M Buf, 719M Free
Swap:

  PID USERNAME   PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root       155 ki31     0K    32K RUN     1  35:45 100.00% idle{idle: cpu1}
   11 root       155 ki31     0K    32K CPU0    0  35:32  81.98% idle{idle: cpu0}
   12 root       -92    -     0K   800K WAIT    0   0:12  23.00% intr{irq257: virtio_p}


Once this happens all(?) networks will experience massive packet loss. Any ideas?
If running only the master node (with slave node shutdown) everything is fine.


Thanks
- Frank
#8
General Discussion / Wireless hardware recommendation?
December 02, 2015, 12:11:11 AM
Hi,

I was thinking about extending the functionality of my OPNsense firewall to act as a wireless access point too. I know wireless on FreeBSD may require a specific wireless chipset to perform well... any recommendations?


Thanks
- Frank
#9
Hi,

is it possible to downgrade to a previous release within the 15.7.x series? For example, if I upgrade to 15.7.20 and notice a breaking bug, is it possible to downgrade to 15.7.19 or even 15.7.18? How?


Thanks
- Frank
#10
Hi,

I've been debugging a rather simple application issue and was using the GUI Logs Status -> System logs -> Firewall. But there weren't any blocked packets related to our application. So I started digging deeper and used tcpdump on both ends...

Once I started using the CLI on the firewall to debug it even further, I finally noticed some blocked packets:

# tcpdump -n -e -ttt -i pflog0
00:00:00.000000 rule 3..16777216/0(match): block in on enc0: XXX.46799 > YYY.58459: Flags [S], seq 2685257746, win 29200, options [mss 1460,sackOK,TS val 1598981567 ecr 0,nop,wscale 7], length 0


Note that this traffic is on enc0 and is routed through an IPsec tunnel.

And I started wondering... why didn't this show up in the GUI in the first place? Several questions/thoughts on this:


  • Is there some sort of limit to how many log entries are processed from within the GUI?
  • May any rule or configuration prevent those blocked packets from showing up in the (pf/GUI) logs at all?

I've wasted a lot of time on this and would like to understand how to prevent this in the future.  :D

- Frank
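As an added example (not part of the post, and not OPNsense code), a small parser for the `tcpdump -n -e -ttt -i pflog0` output format shown above. Reading pflog directly on the CLI is the ground truth for what pf actually blocked, so a script that tallies blocks per interface and rule, and pulls out the ones on `enc0`, is a quick way to compare against what a GUI log view shows. The sample lines are constructed (RFC 5737 / private addresses, invented rule numbers) and only mimic the format of the line quoted in the post; the IP-level hexdump fields that `-e` adds on real output are not modelled.

```python
import re
from collections import Counter

# Constructed sample pflog lines in the same shape as the post's tcpdump line.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3..16777216/0(match): block in on enc0: 10.10.1.20.46799 > 10.20.2.5.58459: Flags [S], seq 2685257746, win 29200, options [mss 1460,sackOK,TS val 1598981567 ecr 0,nop,wscale 7], length 0
00:00:01.250000 rule 58/0(match): pass in on em0: 192.0.2.10.51234 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
00:00:02.000000 rule 3..16777216/0(match): block in on enc0: 10.10.1.20.46800 > 10.20.2.5.58459: Flags [S], seq 2685257747, win 29200, length 0
00:00:03.000000 rule 12/0(match): block in on em0: 203.0.113.9.40000 > 198.51.100.7.22: Flags [S], seq 5, win 1024, length 0
this line is not a pflog record
"""

# "rule <id>/<sub>(<reason>): <action> <dir> on <iface>: <src> > <dst>: <rest>"
# The rule id may be an anchor path such as "3..16777216", hence [^/]+.
_PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>[^/]+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
_FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


def _split_endpoint(ep):
    """'10.10.1.20.46799' -> ('10.10.1.20', 46799); tcpdump -n appends the port with a dot."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_pflog_line(line):
    """Return a dict for one pflog record, or None if the line is not one."""
    m = _PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_host"], rec["src_port"] = _split_endpoint(rec.pop("src"))
    rec["dst_host"], rec["dst_port"] = _split_endpoint(rec.pop("dst"))
    fm = _FLAGS_RE.search(rec["rest"])
    rec["flags"] = fm.group("flags") if fm else ""
    return rec


def parse_pflog(text):
    """Parse all records in a text blob, skipping non-matching lines."""
    return [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]


def count_blocks(records):
    """Tally blocked packets per (interface, rule id)."""
    return Counter((r["iface"], r["rule"]) for r in records if r["action"] == "block")


def blocks_on_interface(records, iface):
    """Blocked (src, dst) pairs seen on a given interface, e.g. enc0 for IPsec traffic."""
    return [
        (r["src_host"], r["src_port"], r["dst_host"], r["dst_port"])
        for r in records
        if r["action"] == "block" and r["iface"] == iface
    ]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for key, n in count_blocks(recs).items():
        print(f"{key[0]:6} rule {key[1]:14} blocked {n}")
    print("blocked on enc0:", blocks_on_interface(recs, "enc0"))
```

Feeding a real capture in is `tcpdump -n -e -ttt -i pflog0 > /tmp/pflog.txt` followed by `parse_pflog(open("/tmp/pflog.txt").read())`; on real output the per-packet hexdump lines that `-e` adds are simply skipped by the parser.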
#11
Hm. Where do I find the OPNsense installer? I was unable to find it in the opnsense/core and opnsense/tools repositories. In pfsense/tools there was a directory "installer"...


Thanks
- Frank
#12
15.1 Legacy Series / Add-Ons/Plugins/Packages
January 14, 2015, 10:51:26 AM
Hi,

just installed OPNsense and made a few tests. Looks very promising and I really hope this project will attract many more people.

I've got a question regarding Add-Ons/Packages, because I've noticed that the item "Packages" is missing from OPNsense's menu. Packages in pfSense are a great way to enhance functionality and make it possible to even add new components to the WebGUI.

Do you plan to offer a similar Plugin/Add-On functionality? I'd love to contribute a Plugin or two. ;-)


Thanks
- Frank