
Topics - dinguz

1
22.7 Legacy Series / unbound errors starting with 22.7.10
« on: January 18, 2023, 04:06:27 pm »
Ever since 22.7.10, after a reboot I get this dnsbl error in unbound, which refuses to start. I believe this to be patched in a later version, and I presume also in 22.7.11.
Do I need to reinstall something to get rid of this?

Code:
<27>1 2023-01-18T15:48:06+01:00 router.haanjdj.ddns.net unbound 82519 - [meta sequenceId="8"] [82519:1] error: pythonmod: python error: Traceback (most recent call last):
  File "dnsbl_module.py", line 281, in operate
    return ctx.filter_query(id, qstate, qdata)
  File "dnsbl_module.py", line 168, in filter_query
    if reply_list.query_reply:
AttributeError: 'NoneType' object has no attribute 'query_reply'

2
Zenarmor (Sensei) / ZenArmor eastpect filesystem full error
« on: November 12, 2022, 04:37:15 pm »
I am seeing these error messages in my logs:

pid 22 (eastpect), uid 0 inumber 8 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 8 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 11 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 11 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 18 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 18 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 23 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 23 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 28 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 28 on /usr/local/sensei/output/active/temp: filesystem full
pid 22 (eastpect), uid 0 inumber 30 on /usr/local/sensei/output/active/temp: filesystem full

Is this something to be concerned about? Anything I should change in the settings?
I have never seen these before, so this seems to coincide with the 1.12 release of ZenArmor, or the 22.7.7 release of OPNsense.

3
22.7 Legacy Series / radvd shown as not started in dashboard while no IPv6 configuration at all
« on: August 02, 2022, 08:11:29 pm »
I have played around with IPv6, but couldn't get it to work right for reasons outside OPNsense*. So I disabled all IPv6 in interfaces. The only thing I'm stuck with is radvd which is shown in red (not running) in the OPNsense dashboard. But before I enabled IPv6 it wasn't there at all. Did I forget to disable something?

* the issue I'm running into is that my provider uses multicast based IPTV, and recommends the use of network switches with IGMP snooping enabled. But as I found out, most consumer grade switches that offer IGMP snooping use an implementation that is not compatible with IPv6.

4
22.7 Legacy Series / Switching back from development to community release yields error message
« on: July 29, 2022, 11:07:20 am »
Because of the release of 22.7 I switched back from development to community release. It gives me the following error during the install:

Code:
/usr/local/opnsense/mvc/app/config/services_api.php:91: Class "OPNsense\Core\Routing" not found

5
Zenarmor (Sensei) / errors after update to 22.7-rc1
« on: July 13, 2022, 07:46:40 pm »
I got these errors after upgrade to 22.7-rc1:

Code:
[13-Jul-2022 19:42:33 Europe/Amsterdam] PHP Deprecated:  Required parameter $licenseExclude follows optional parameter $option in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/CLI.php on line 960
[13-Jul-2022 19:42:33 Europe/Amsterdam] PHP Deprecated:  Required parameter $sensei follows optional parameter $option in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/CLI.php on line 960
[13-Jul-2022 19:42:33 Europe/Amsterdam] PHP Deprecated:  Required parameter $sensei follows optional parameter $option in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/CLI.php on line 994

and these:

Code:
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Not Found
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.pkg: Not Found
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.txz: Not Found
Unable to update repository SunnyValley
Error updating repositories!

6
Zenarmor (Sensei) / 22.1.10 Sensei Phalcon error?
« on: July 07, 2022, 03:56:42 pm »
I get this error when rebooting after upgrade to 22.1.10:

Code:
[07-Jul-2022 15:52:00 Europe/Amsterdam] PHP Fatal error:  Uncaught Error: Class 'Phalcon\Config' not found in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php:113
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(364): OPNsense\Sensei\Sensei->init()
#1 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Aliases.php(73): OPNsense\Base\BaseModel->__construct()
#2 /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Aliases.php(224): Aliases->__construct()
#3 {main}
  thrown in /usr/local/opnsense/mvc/app/models/OPNsense/Sensei/Sensei.php on line 113

The ZenArmor menu is also inaccessible.

7
22.1 Legacy Series / Unbound resolves the hostname of the router to all of its IP addresses
« on: March 11, 2022, 04:23:51 pm »
I am having the difficulty that Unbound resolves the hostname of the router to all of its IP addresses, in random order, like this:

Code:
;; ANSWER SECTION:
xxx.ddns.net.       3600    IN      A       192.168.X.X
xxx.ddns.net.       3600    IN      A       77.164.X.X
xxx.ddns.net.       3600    IN      A       10.33.X.X

How do I get it to return only the external IP address?
The current behavior messes up local access to the router, because the 10.x.x.x network is only configured on the router, and not otherwise in the LAN.

8
Zenarmor (Sensei) / support for OPNsense firewall aliases
« on: February 25, 2022, 08:05:54 pm »
I was wondering if somehow OPNsense firewall aliases are supported in the Zenarmor policy configuration. It has been suggested before, because in some older postings, I have read that it has been added to the wish / to-do list, but apparently it hasn't materialized yet?
It would really simplify configuration and maintenance, because of not having to modify things in 2 places.

9
Development and Code Review / how to force a download of accidentally deleted files?
« on: November 28, 2021, 09:32:53 pm »

I have done this:

Code:
    # pkg install git
    # cd /usr
    # git clone https://github.com/opnsense/tools
    # cd tools
    # make update

After that, I have made some local changes to build a custom kernel, which worked fine.
However, I accidentally removed some files. How do I download them again? If I do 'make update' it recognizes them as locally deleted, but doesn't seem to offer an option to re-download them.

10
Zenarmor (Sensei) / ZenArmor 1.10 version differences between free and subscription?
« on: October 16, 2021, 11:27:07 am »
I have 2 OPNsense boxes, one with a ZenArmor subscription and one without. After the upgrade to 1.10 I noticed the following version differences:

Free:
UI Version:   21.10.15
Database Version:   1.10.21101416

Subscription:
UI Version:   21.10.14
Database Version:   1.9.21053108

Is this OK?

11
Zenarmor (Sensei) / Sensei database recommendations for about 7 days of traffic
« on: September 20, 2021, 09:41:39 am »
I would like to have about 7 days of traffic data to base reporting on. The Sensei installer classifies my router as low-end hardware, and only allows me to install a local MongoDB or a remote Elasticsearch instance.
When configuring Sensei, the GUI recommends using MongoDB with up to 2 days of traffic data, and using Elasticsearch for longer periods, but as said, the installer won't let me install it.

I'm a bit stuck here. Should I - against the recommendations - use MongoDB with a longer retention period, or should I somehow seek to install Sensei with Elasticsearch?

The system is a Barracuda F18 (dual Atom-based, memory and storage upgraded to 8 GB RAM, 128GB SSD) and Sensei is its main task, it's not running any other resource-heavy services.

12
Zenarmor (Sensei) / mongodb warning in log file
« on: September 20, 2021, 01:10:58 am »
I'm seeing this warning in the mongodb log file:

Code:
2021-09-20T00:51:34.619+0200 I CONTROL  [initandlisten] ** WARNING: soft rlimits too low. rlimits set to 12157 processes, 233793 files. Number of processes should be at least 116896 : 0.5 times number of files.

This limit can be increased by setting a sysctl tunable: kern.maxprocperuid

I'm not sure if this is a limit you'll ever run into, but maybe it's a good idea to set this during install.

13
21.7 Legacy Series / ZFS install - tuning determined at install or at each reboot?
« on: September 08, 2021, 09:18:08 pm »
When 21.7 came out, I reinstalled my system using the ZFS filesystem. The system back then had only 4 GB of RAM, and I vaguely remember the installer stating that certain settings related to ZFS had been applied, this being a 'low memory' system.
I have since upgraded the RAM to 8 GB. Do I need to change any of these settings manually to adjust to the new situation, or are these all dynamically determined at each reboot of the machine?

14
21.7 Legacy Series / overview of default sysctl settings
« on: September 01, 2021, 01:06:22 am »
I seem to have carried over some tunables from earlier versions of OPNsense, some of which may not be applicable anymore because they were specific to FreeBSD 11 and earlier, and are not available or useful on 12.
I would like to clean them up. Where can I find the list of default sysctl tunables as set up in a fresh install, so I can compare my settings with that?

15
21.7 Legacy Series / unbound not able to use tcp
« on: August 22, 2021, 09:19:38 pm »
I have been running unbound with loglevel 3 to see what it does, and I get quite a lot of these messages:

debug: outnettcp got tcp error -1

It seems unbound wants to use tcp but fails to do so, and then falls back to udp. I am not blocking tcp connections in the firewall rules AFAIK, and this behavior does persist when I set Sensei to bypass mode.
If I enable DNS over TLS I occasionally get messages like these:

debug: tcp error for address 9.9.9.9 port 853

I have checked the firewall state table, and noticed multiple tcp connections to the same hosts in the time_wait state, see the screenshot. Apparently it's trying something but I'm not sure what exactly.

What could I further do to investigate this?
