Topics - dinguz

#1
The new 2.0 release of ZenArmor contains bugs that make it unreliable for my setup. Is there a way to install an older version and prevent it from being upgraded automatically during system updates?
#2
I'm getting this sequence of warnings, and it's always the same duid:

WARN [kea-dhcp6.alloc-engine.0x1340fa505700] ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[00:03:00:01:da:c5:77:4c:86:f0], [no hwaddr info], tid=0x41270a: Failed to allocate an IPv6 address for client with classes: ALL, UNKNOWN
WARN [kea-dhcp6.alloc-engine.0x1340fa505700] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[00:03:00:01:da:c5:77:4c:86:f0], [no hwaddr info], tid=0x41270a: no pools were available for the lease allocation
WARN [kea-dhcp6.alloc-engine.0x1340fa505700] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:03:00:01:da:c5:77:4c:86:f0], [no hwaddr info], tid=0x41270a: failed to allocate an IPv6 lease in the subnet 2a02:xxxx:xxxx::/64, subnet-id 1, shared network (none)

A ChatGPT consultation suggests the generated config has some kind of class restriction, because the client has both the classes ALL and UNKNOWN, hence it not being assigned a pool to distribute an address from. I looked in the generated config files, and it doesn't seem to use anything with classes or reservations.

This is my kea-dhcpd6.conf:

{
    "Dhcp6": {
        "valid-lifetime": 4000,
        "interfaces-config": {
            "interfaces": [
                "igc0"
            ]
        },
        "lease-database": {
            "type": "memfile",
            "persist": true
        },
        "control-socket": {
            "socket-type": "unix",
            "socket-name": "\/var\/run\/kea6-ctrl-socket"
        },
        "loggers": [
            {
                "name": "kea-dhcp6",
                "output_options": [
                    {
                        "output": "syslog"
                    }
                ],
                "severity": "INFO"
            }
        ],
        "subnet6": [
            {
                "id": 1,
                "subnet": "2a02:xxxx:xxxx::\/64",
                "option-data": [],
                "pools": [
                    {
                        "pool": "2a02:xxxx:xxxx::1000-2a02:xxxx:xxxx::2000"
                    }
                ],
                "pd-pools": [],
                "reservations": [],
                "interface": "igc0",
                "pd-allocator": "random",
                "allocator": "random"
            }
        ],
        "hooks-libraries": [
            {
                "library": "\/usr\/local\/lib\/kea\/hooks\/libdhcp_lease_cmds.so"
            }
        ]
    }
}

Any ideas what the issue could be, or what to try further?
#3
I was testing the recently added DHCP support in DNSmasq and wanted to report that while IPv6 DHCP appears to be working fine, DHCPv4 was not. The service started up without issues, but no DHCPv4 requests seemed to reach it initially. After a reboot, requests started coming through, suggesting a possible firewall-related issue.

However, on the client side (Windows 11), things got even stranger: after said reboot the client received an IP address that was outside the assigned range, while an address within the assigned range was allocated as the DHCP server/DNS/Gateway. Very odd behavior.

Unfortunately, I wasn't able to investigate further because of angry users (a.k.a. my kids) demanding working internet.
#4
I reported the issue here https://forum.opnsense.org/index.php?topic=44880.0
Created a github issue as requested: https://github.com/opnsense/core/issues/8176

Now the issue has apparently been fixed in github by kulikov-a, but the fixes never made it into OPNsense.
Could someone have a look at this?
#5
I would like to report that starting with the latest update (25.1.2), the dashboard widgets/graphs are constantly redrawing/resizing, giving a very jittery look. I have a 27" monitor with 3840 × 2160 resolution, and this only happens when the browser is being displayed full screen. As soon as I resize the browser window, the issue is gone. Anything I can do to assist in fixing this?
#6
I have been playing around with nginx as a reverse proxy, and noticed something peculiar: every time I enable sendfile support in the main config page, it gets disabled automatically after some time. Is this expected behavior?
I have it enabled in the individual HTTP server entries as well.
#7
I noticed that starting with 24.7.11, the plugins and packages tabs are not populating anymore. Another thing I noticed is that the 'status' tab wheelie thing keeps spinning.
Are other people seeing this?
#8
I recently came across the website https://www.unibet.nl/ which is apparently one of the larger gambling websites in my country. Unfortunately, this wasn't recognized by Zenarmor.
Every once in a while I come across a URL which isn't categorized or is categorized wrongly.
This leads me to the more general question: what is the preferred way of submitting these cases for (re)classification?
#9
The site www.hamrick.com is the website of Vuescan software. However, this is currently being classified as Botnet C&C. Could you please verify this to be correct and adjust if necessary?
They may have been hacked, or been hacked in the past and remedied this since, or perhaps this is a misclassification of some sort.
#10
I have installed the crowdsec plugin, which seems to be working alright. There is however one thing that bothers me: the ipv6 blocklist as viewed in the Firewall/Aliases page is not being populated, while the ipv4 list is. I have subscribed to the following lists: Firehol greensnow.co, botscout, and cruzit.com.
Am I missing something?
#11
Title pretty much says it all. I'm currently using my phone to look at the OPNsense gui, and I noticed the 'Inspect' button in the firewall rules section is not visible, so I am not able to observe the evaluation and state count. Could this functionality perhaps be brought back?
#12
Some time ago, I posted the message below to the 24.1 stable forum. One of the hypotheses is that kea fails to start up properly due to link flapping, caused by Zenarmor binding to the interface at the same time. This issue still exists with 24.7 final. When I disable Zenarmor, all is well.

A few OPNsense releases ago, I migrated from isc-dhcp4 to kea. This mostly works; however, there is one nagging issue: every once in a while, after a reboot, kea appears not to be running. In the logs, the message 'no interface configured to listen to DHCP traffic' is shown. After a manual restart of kea all is well.
The error is not readily visible on the OPNsense dashboard, as kea appears to be running, it just isn't doing anything.
As this doesn't always happen, it seems to be a timing-sensitive issue. Are other people seeing this?

2024-07-11T15:35:01 WARN [kea-dhcp4.dhcp4.0x834bcb000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 2, queue size: 64
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_NO_SOCKETS_OPEN no interface configured to listen to DHCP traffic
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: the interface igb0 is not running
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcp4.0x834bcb000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
2024-07-11T15:34:57 WARN [kea-dhcp4.dhcp4.0x834bcb000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 2, queue size: 64
2024-07-11T15:34:57 WARN [kea-dhcp4.dhcp4.0x834bcb000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
2024-07-11T15:34:57 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.

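Posts #2 and #12 above quote two shapes of Kea log line: raw kea-dhcp6 WARN lines from the allocation engine, and OPNsense's timestamped kea-dhcp4 lines from boot. The script below is an added example, not code from the posts, from OPNsense or from Kea. It parses both shapes, groups the ALLOC_ENGINE_V6_ALLOC_FAIL_* warnings per DUID so a repeatedly failing client stands out, and flags DHCPSRV_NO_SOCKETS_OPEN / DHCPSRV_OPEN_SOCKET_FAIL, the condition post #12 describes where kea is running but serving nobody and the dashboard shows nothing wrong. The sample lines are constructed from the two posts; the regular expressions, the set of "not serving" message ids and the report wording are this example's own assumptions. One fact worth knowing when reading the first warning: ALL and UNKNOWN are Kea's built-in classes (every client is in ALL, and UNKNOWN marks a client with no matching host reservation), so a client carrying only those two classes is not evidence of a class restriction in the config.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the lines are taken from posts #2 and #12 above
# (post #2's wrapped lines rejoined); everything else in this file is an
# assumption of the example, not OPNsense or Kea code.
SAMPLE_LOG = """\
WARN [kea-dhcp6.alloc-engine.0x1340fa505700] ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[00:03:00:01:da:c5:77:4c:86:f0], [no hwaddr info], tid=0x41270a: Failed to allocate an IPv6 address for client with classes: ALL, UNKNOWN
WARN [kea-dhcp6.alloc-engine.0x1340fa505700] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[00:03:00:01:da:c5:77:4c:86:f0], [no hwaddr info], tid=0x41270a: no pools were available for the lease allocation
WARN [kea-dhcp6.alloc-engine.0x1340fa505700] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:03:00:01:da:c5:77:4c:86:f0], [no hwaddr info], tid=0x41270a: failed to allocate an IPv6 lease in the subnet 2a02:xxxx:xxxx::/64, subnet-id 1, shared network (none)
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_NO_SOCKETS_OPEN no interface configured to listen to DHCP traffic
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: the interface igb0 is not running
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcp4.0x834bcb000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 2, queue size: 64
"""

# OPNsense prefixes Kea lines with an ISO timestamp; lines copied straight
# from Kea's own output lack it, so the timestamp is optional.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+)?"
    r"(?P<level>[A-Z]+)\s+"
    r"\[(?P<proc>[^\].]+)\.(?P<logger>[^\].]+)\.(?P<thread>0x[0-9a-f]+)\]\s+"
    r"(?P<msgid>[A-Z0-9_]+)\s+(?P<text>.*)$"
)
DUID_RE = re.compile(r"duid=\[([0-9a-f:]+)\]")
IFACE_RE = re.compile(r"the interface (\S+) is not running")

# Message ids meaning "daemon is up but cannot serve any client" (assumed set).
NOT_SERVING_IDS = {"DHCPSRV_NO_SOCKETS_OPEN", "DHCPSRV_OPEN_SOCKET_FAIL"}


def parse_line(line):
    """Split one Kea log line into its fields; return None for non-Kea lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    d = DUID_RE.search(rec["text"])
    rec["duid"] = d.group(1) if d else None
    return rec


def parse_log(text):
    """Parse a whole log, silently skipping lines that are not Kea messages."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def analyse(records):
    """Group v6 allocation failures per DUID and collect 'not serving' events."""
    alloc_failures = defaultdict(Counter)
    not_serving = []
    for r in records:
        if r["msgid"].startswith("ALLOC_ENGINE_V6_ALLOC_FAIL") and r["duid"]:
            alloc_failures[r["duid"]][r["msgid"]] += 1
        elif r["msgid"] in NOT_SERVING_IDS:
            im = IFACE_RE.search(r["text"])
            not_serving.append(
                {"ts": r["ts"], "msgid": r["msgid"],
                 "interface": im.group(1) if im else None}
            )
    return {"alloc_failures": {k: dict(v) for k, v in alloc_failures.items()},
            "not_serving": not_serving}


def report(text):
    """Return one human-readable line per finding, e.g. for a cron mail."""
    result = analyse(parse_log(text))
    lines = []
    for duid, counts in result["alloc_failures"].items():
        # NO_POOLS and SUBNET for the same DUID mean no pool in the matched
        # subnet could hand out an address: check pool/subnet/interface config.
        lines.append(f"v6 allocation failing for duid {duid}: " +
                     ", ".join(f"{m}={n}" for m, n in sorted(counts.items())))
    for ev in result["not_serving"]:
        iface = f" ({ev['interface']} not running)" if ev["interface"] else ""
        lines.append(f"{ev['ts'] or '-'} kea-dhcp4 not serving: {ev['msgid']}{iface}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample it prints one line for the failing DUID and two for the socket problem at boot. Pointing it at the real Kea log after each reboot (or feeding it the last few minutes of the log from cron) turns the silent "running but not listening" state into something that gets noticed without opening the dashboard.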
#13
The URL https://www.teamnl.org/ is currently being classified as 'gambling'. It is however the official Dutch site covering the Olympic Games 2024 in France. Maybe the site has shown gambling ads at some point, but it isn't related to gambling in itself. Could you please recategorize it?
#14
A few OPNsense releases ago, I migrated from isc-dhcp4 to kea. This mostly works; however, there is one nagging issue: every once in a while, after a reboot, kea appears not to be running. In the logs, the message 'no interface configured to listen to DHCP traffic' is shown. After a manual restart all is well.
The error is not readily visible on the OPNsense dashboard, as kea appears to be running, it just isn't doing anything.
As this doesn't always happen, it seems to be a timing-sensitive issue. Are other people seeing this?

2024-07-11T15:35:01 WARN [kea-dhcp4.dhcp4.0x834bcb000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 2, queue size: 64
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_NO_SOCKETS_OPEN no interface configured to listen to DHCP traffic
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: the interface igb0 is not running
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcp4.0x834bcb000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
2024-07-11T15:35:01 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
2024-07-11T15:34:57 WARN [kea-dhcp4.dhcp4.0x834bcb000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 2, queue size: 64
2024-07-11T15:34:57 WARN [kea-dhcp4.dhcp4.0x834bcb000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
2024-07-11T15:34:57 WARN [kea-dhcp4.dhcpsrv.0x834bcb000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.

#15
Sometimes I log into the OPNsense web interface, go to the Zenarmor dashboard page, and then I'm greeted with the message that the packet engine has been updated, and needs to be restarted manually in order to activate the new version.
I try to configure my systems so they need as little manual intervention as possible. Would it be possible to restart the packet engine (not daily, but as part of an upgrade) using cron or something? I wouldn't mind a few seconds of downtime during the night for this.
#16
I have an ancient system where I can only use the original daytime/time protocols (at tcp ports 13 and 37). This system can't use NTP because of limited storage capacity on the device.

How do I enable OPNsense as a server providing this, preferably in a way which survives upgrades?

I have used the search, but couldn't find much because of the very generic search terms.
#17
After the upgrade to 24.1, I get this error each hour in the backend log:

[399652ba-ab4f-4b4f-aafe-76271a90cdf7] Script action stderr returned "b'Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/OPNsense/Zenarmor/sensei-db-version.py", line 11, in <module>
    from packaging import version
ImportError: cannot import name \'version\' from \'packaging\' (unknown location)'"

This started after this error, which happened jan 27 01:00:

[e2cf332c-cec2-4d45-a457-e312330f599c] Script action failed with Command '/usr/local/zenarmor/scripts/datastore/rename_alias_elasticsearch.py 'zenarmor_0000000000_4b3100b6-c05c-4c03-bdb5-64fbea833847_'' returned non-zero exit status 1.
at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/actions/script_output.py", line 44, in execute
    subprocess.check_call(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/usr/local/zenarmor/scripts/datastore/rename_alias_elasticsearch.py 'zenarmor_0000000000_4b3100b6-c05c-4c03-bdb5-64fbea833847_'' returned non-zero exit status 1.

I'm running a home deployment of Zenarmor, up-to-date, with sqlite logging backend.
#18
After a reboot, I see this message in the logs. Apparently, miniupnpd is started before all network interfaces are up and running, and it doesn't like that. If I manually restart it after boot, all seems well.
Would it be possible to set a slightly delayed start, or make starting conditional on all configured network interfaces being up?

2023-11-10T08:29:23 Error miniupnpd PCPSendUnsolicitedAnnounce(sockets[0]) sendto(): No route to host
2023-11-10T08:29:23 Error miniupnpd SendNATPMPPublicAddressChangeNotification: sendto(s_udp=12, port=5351): No route to host
2023-11-10T08:29:21 Error miniupnpd PCPSendUnsolicitedAnnounce(sockets[0]) sendto(): No route to host
2023-11-10T08:29:21 Notice miniupnpd Listening for NAT-PMP/PCP traffic on port 5351
2023-11-10T08:29:21 Warning miniupnpd no HTTP IPv6 address, disabling IPv6
2023-11-10T08:29:21 Notice miniupnpd HTTP listening on port 2189
2023-11-10T08:29:21 Warning miniupnpd Cannot get IP address for ext interface pppoe0. Network is down
2023-11-10T08:29:21 Error miniupnpd ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
#19
I had a case of disk corruption lately, so I regularly run a health check. Today I got these errors:

Checking all packages: .....
os-sensei-1.14.1: checksum mismatch for /usr/local/opnsense/mvc/app/library/OPNsense/Zenarmor/StaticConfig.php
os-sensei-1.14.1: checksum mismatch for /usr/local/opnsense/mvc/app/models/OPNsense/Zenarmor/Menu/Menu.xml
Checking all packages........ done

#20
I just upgraded to 23.1.11 and rebooted, and after checking the logs I noticed that unbound restarted 6 times during boot. Is this expected behavior?
In case it matters: my internet connection is pppoe (ipv4) and dhcpv6 (ipv6). I have DHCP hostname registration disabled at the moment.