Topics - Cerberus

#1
Caddy did not start after the 25.4.1 update because Caddy fails to start with a no-longer-available DNS plugin; this also leads to a config error in the Caddy plugin. I know this was planned due to maintenance effort, but please delay something like this in Business Edition until the next major release, or place a warning in the patch notes.
#2
Hi all,

Since yesterday, I have been having a hell of a ride with my OPNsense Business installations. All of them are running 24.10.2_6 and I have massive issues with IPsec connections.

One firewall is standalone, and on another site I have a pair building a CARP cluster. Trouble starts as soon as I try to edit something on an IPsec connection or just press save in one connection: several connections fail to start, and under Status Overview I can see at least one connection always appear twice, but with the protocol version "1" instead of IKEv1 or IKEv2. There are some connections that always work and some that always fail since then. For affected connections, I can't see any outgoing traffic on my WAN interface, only incoming.

I see a lot of "charon 28998 - [meta sequenceId="18483"] 04[NET] error writing to socket: Network is down" spam in /var/log/ipsec.log.

ipsec status shows these strange statuses; these are the entries without a proper IKE protocol in the status window on my screenshot.

  (unnamed)[63]: CONNECTING, x.x.x.x[%any]...x.x.x.x[%any]

The same happens to my CARP cluster, but here it only affects the master firewall where I edit connections. When I make my backup the master, all IPsec connections work fine; even after syncing from the master to my backup, connections still work.

For me it looks like editing IPsec connections corrupts something and breaks several existing connections.

Suricata is disabled, there is no filtering software, and I can ping all IPsec WAN endpoints. Loading an older config from before that issue does not help. At least my CARP backup is doing well for now.

I am out of ideas.
#3
On two OPNsense machines, netdata was broken after installing 24.7.6. Netdata is no longer starting; it looks like netdata was not properly updated and is missing "libprotobuf.so.28.1.0".

"ld-elf.so.1: Shared object "libprotobuf.so.28.1.0" not found, required by "netdata""

I solved it by reinstalling the netdata package from firmware/package; that updated netdata to a new minor version, and now it works again.

Installed packages to be UPGRADED:
   netdata: 1.43.2_5 -> 1.43.2_6
#4
Hello,

We monitor our OPNsense installation with netdata. We found that netdata.cloud complains about a security issue with netdata 1.39.1 on our OPNsense Business Edition installations. We have a few with Community Edition and these are fine and have a newer installation.

Is it possible for the OPNsense team to include netdata in the next update? Or is it possible to use the netdata package from the Community Edition on the Business Edition, or does this break the updating process?

Thanks
#5
Hello,

I have been running a dual-stack IPsec connection between two sites for quite some time. Both sides run OPNsense BE. The IKEv2 policy-based tunnel runs over IPv4 transport and has two phases, one for IPv4 and another for an IPv6 subnet.

After updating both sides to OPNsense Business Edition 22.04, IPv6 between these sites suddenly stopped working. I checked every setting, the rules and phases, sniffed several interfaces, and found something strange in that process. My first thought was that strongSwan is not sending anything at all, but then I found that everything I send reaches the remote site's server and the response reaches my local firewall; I can see responses on enc0, but they never reach my local LAN. I temporarily set an allow rule for everything that comes in on IPsec, but no luck, traffic is stuck in the firewall.

I have a second tunnel based on ZeroTier to another site that works fine with IPv4 and IPv6. I have an IKEv2 mobile IPsec connection on my local firewall that works fine, both IPv4 and IPv6.

What can possibly block incoming IPv6 traffic that comes through that IPsec tunnel? I see responses on enc0, but they never reach my LAN. It all worked well on the previous version.

I am a bit lost here.
#6
Hi,

I updated one of my OPNsense machines to 21.7.6 a few days ago and today I rebooted this machine. I got complaints that some services are no longer available; after checking I found that NGINX no longer starts up because of a sudden port conflict between lighttpd and NGINX. I checked the config history and no changes were made, just updating and rebooting.

I can see that lighttpd listens on a high port (that I configured) with SSL and, for some reason, also on port 80, which is the port that NGINX wants to bind to. I have no idea what's broken here, lighttpd or NGINX or maybe Let's Encrypt? I see two lighttpd processes, one with lighty-webConfigurator.conf and another one with lighttpd-acme-challange.

I did two reboots, no success.


#7
Hi,

I have several OPNsense installations that have issues renewing ECC certificates; those renewals are failing, while RSA certificates work without issues. It looks like the renew script is missing the parameter --ecc before running Let's Encrypt to renew the certificate.

[Mon Jan 25 00:00:01 CET 2021]   'my.domain.com' is not an issued domain, skip.
[Mon Jan 25 00:00:01 CET 2021]   Renew: 'my.domain.com'
[Mon Jan 25 00:00:01 CET 2021]   DOMAIN_PATH='/var/etc/acme-client/home/my.domain.com'
[Mon Jan 25 00:00:01 CET 2021]   The domain 'my.domain.com' seems to have a ECC cert already, please add '--ecc' parameter if you want to use that cert.
[Mon Jan 25 00:00:01 CET 2021]   _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Mon Jan 25 00:00:01 CET 2021]   ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Jan 25 00:00:01 CET 2021]   default_acme_server


Anyone else getting this? It doesn't matter if I use DNS or port-forward authentication.
#8
19.1 Legacy Series / Outbound Nat Broken in 19.1R1/2 ?
January 23, 2019, 04:00:03 PM
Hi,

I am currently trying to do outbound NAT for several internal machines to a ZeroTier-based network on my OPNsense machine. I have trouble selecting the subnet size on "source address" or "destination address" when I select "single host or network"; the subnet mask dropdown is just empty. On 18.7 I am able to select the subnet size for the network I entered.

I am trying to use an alias as an alternative, but the result is that the outbound rule is not working. In rules.debug I see "unable to convert address, see to for details" for this rule.