Topics - pilotboy72

#1
Hello,


Starting with 23.1.10_1 and continuing with 23.1.11, I am unable to add entries into BIND.  I can see the entries are written into the config.xml (multiple entries for the same A record are allowed as well), but they do not make it into the .db files under either master/ or primary/.  The entries also do not appear in the GUI.


It appears that the entries are being written into the .db file for the last zone in the list instead of the selected zone.


Brian
#2
Hello,


The Bind service (NAMED) will not start after upgrading to 23.1.  Attempting to start the service from the GUI, the screen comes back almost immediately and the service does not start.  There are no logs.


I tried this from the command line (service named start) and I see the following error:

/usr/local/etc/namedb/named.conf:92: /usr/local/lib/named/filter-aaaa.so: plugin check failed: failure
/usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed



On that line of the file, I see the following:



plugin query "/usr/local/lib/named/filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
};

I can remove those three lines and the service starts.

Clicking on Services > Bind > Configuration > Disable IPV6 brings back the problem of the service not starting, but removing (unchecking) it does not fix the problem.

Anyone seen anything similar?
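A pre-restart check for the situation in this post, added here as an example rather than anything from the post or from OPNsense: it locates every `plugin query` block in a named.conf, reports plugin shared objects that are not on disk in the same `file:line: message` shape named-checkconf uses, and can strip the blocks out as a last resort (the manual workaround above). It cannot reproduce named's own plugin version check, so a "plugin check failed" from a plugin that does exist still needs named-checkconf itself. The embedded config is a constructed stand-in that reproduces only the plugin block from the post; the `present` parameter exists so the check can run offline without touching the real filesystem.

```python
import os
import re
from typing import Iterable, Optional

# Constructed stand-in for named.conf (assumption: only the plugin block is
# taken from the post; the surrounding options block is illustrative).
SAMPLE_NAMED_CONF = """\
options {
    directory "/usr/local/etc/namedb/working";
};

plugin query "/usr/local/lib/named/filter-aaaa.so" {
    filter-aaaa-on-v4 yes;
};
"""

PLUGIN_RE = re.compile(r'^\s*plugin\s+query\s+"([^"]+)"\s*\{')


def find_plugins(conf_text: str) -> list[tuple[int, str]]:
    """Return (line_number, shared_object_path) for each 'plugin query' block."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = PLUGIN_RE.match(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


def check_plugins(conf_text: str,
                  conf_path: str = "/usr/local/etc/namedb/named.conf",
                  present: Optional[Iterable[str]] = None) -> list[str]:
    """Report plugin paths that do not exist, in named-checkconf's file:line: message style.

    `present` is an iterable of paths treated as existing (offline use);
    when None, the real filesystem is consulted with os.path.exists.
    """
    present_set = None if present is None else set(present)
    errors = []
    for lineno, so_path in find_plugins(conf_text):
        exists = os.path.exists(so_path) if present_set is None else so_path in present_set
        if not exists:
            errors.append(f"{conf_path}:{lineno}: {so_path}: plugin file not found")
    return errors


def strip_plugin_blocks(conf_text: str) -> str:
    """Return the config with every 'plugin query' block removed (the workaround in the post)."""
    out, depth, skipping = [], 0, False
    for line in conf_text.splitlines():
        if not skipping and PLUGIN_RE.match(line):
            skipping = True
            depth = line.count("{") - line.count("}")
            continue
        if skipping:
            # Track braces so nested plugin options are skipped too.
            depth += line.count("{") - line.count("}")
            if depth <= 0:
                skipping = False
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Offline run: pretend nothing under /usr/local/lib/named exists.
    for err in check_plugins(SAMPLE_NAMED_CONF, present=()):
        print(err)
    print(strip_plugin_blocks(SAMPLE_NAMED_CONF))
```

To use it against a live box, read the real named.conf and call `check_plugins(text)` with `present=None`; run it from the same rc hook that calls named-checkconf so a missing .so is reported before the service is bounced.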
#3
22.1 Legacy Series / NUT Doesn't Find USB Buses
June 09, 2022, 12:24:50 AM
Hi All,

Starting with the 22.8 update, I started getting this error when OPNsense tries to start nut_daemon:

Network UPS Tools - UPS driver controller 2.8.0
Network UPS Tools - Generic HID driver 0.47 (2.8.0)
USB communication driver (libusb 1.0) 0.43
libusb1: Could not open any HID devices: no USB buses found
No matching HID UPS found
Driver failed to start (exit status=1)
/usr/local/etc/rc.d/nut: WARNING: failed precmd routine for nut

My configuration specifies to use the USBHID driver with port=auto for configuration.  I don't see any other errors.  USB keyboard works fine, so I know the USB system is working.  Anyone seeing the same?

Brian
#4
22.1 Legacy Series / BIND DNSBL RPZ
February 19, 2022, 12:47:31 AM
Hello,


Looks like after the upgrade to 22.1 that the DNSBL feature of Bind isn't working.  I looked in /usr/local/etc/namedb and I don't see anything in dnsbl.inc to indicate anything from the selected types of DNSBL (if this is where it would even be).


I looked in the logs and all appears normal -- no mention of anything related to this, and I can't find anything to indicate that the lists are being updated.


Any ideas where to go next?


Brian
#5
Hello,

Since updating to 19.7.9 (and _1), I've been getting the following error consistently:

01-19-20 19:59:23 [ There were error(s) loading the rules: /tmp/rules.debug:17: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [17]: table persist file /usr/local/etc/bogonsv6 ]

This message is showing up as an unread notice in the firewall GUI.  I checked the bogons and bogonsv6 tables under Firewall > Diagnostics > pftables and there is no data in the tables.  Clicking on the "Update Bogons" button on this screen doesn't restore the data.

Anyone else seeing this or have ideas on how to get this to work?

Brian
#6
19.7 Legacy Series / Help with blocking rules using NAT
January 10, 2020, 04:28:16 PM
Hello,

I'm trying to set up a server and use NAT to access it but also to block access from certain subnets via firewall rules.

Here's what I have so far:
* (works as intended) NAT rules for three ports with associated firewall rules allowing access on my WAN interface
* (not working) Firewall rules on the WAN interface to block access from designated subnets; these firewall rules are higher on the priority list than the NAT allow rules

The designated subnets are defined as an alias and are attached to the WAN rule as a block from BLOCKED_SUBNETS to ANY on ANY TCP/UDP.

Looking at the rules in INSPECT mode, it appears that the rules are never getting evaluated as the Evaluations column shows N/A but the rules below it show thousands of evaluations.  The rules are enabled.

Any ideas on why the rules aren't getting evaluated and why traffic from the restricted subnets is getting through?

Brian
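A small model of how pf evaluates the ruleset described in this post, added as an example (not OPNsense code, and not from the post): port-forward (rdr) translation happens before the filter rules are consulted, so the NAT-associated pass rules match the translated internal destination, and the block rule placed above them wins only because GUI rules are "quick" (first match ends evaluation). The alias contents, WAN address, server address and ports are constructed; the model also counts evaluations per rule, which is the column the post is reading in the inspector.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses (assumption): documentation ranges stand in for the
# poster's real WAN, server and BLOCKED_SUBNETS alias.
WAN_IP = "192.0.2.10"
SERVER = "10.0.0.50"
BLOCKED_SUBNETS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
# Port forwards: (WAN address, port) -> (internal address, port); applied before filtering.
RDR = {(WAN_IP, 443): (SERVER, 443), (WAN_IP, 22): (SERVER, 22), (WAN_IP, 8080): (SERVER, 8080)}


@dataclass
class Rule:
    action: str                                   # "block" or "pass"
    src: list = field(default_factory=list)       # empty = any
    dst: list = field(default_factory=list)       # empty = any
    dport: Optional[int] = None                   # None = any port
    quick: bool = True                            # OPNsense GUI rules are quick by default
    label: str = ""
    evaluations: int = 0                          # what the inspector's Evaluations column counts


def _in(addr, networks) -> bool:
    return not networks or any(addr in n for n in networks)


def build_rules(block_quick: bool = True) -> list:
    host = [ipaddress.ip_network(SERVER + "/32")]
    return [
        Rule("block", src=BLOCKED_SUBNETS, quick=block_quick, label="block BLOCKED_SUBNETS"),
        Rule("pass", dst=host, dport=443, label="NAT 443 associated rule"),
        Rule("pass", dst=host, dport=22, label="NAT 22 associated rule"),
        Rule("pass", dst=host, dport=8080, label="NAT 8080 associated rule"),
    ]


def evaluate(rules, rdr, src_ip: str, dst_ip: str, dport: int):
    """pf-style evaluation: rdr first, then rules in order.

    A matching quick rule ends evaluation; otherwise the last matching rule
    wins. Returns (action, index_of_winning_rule or None); default is block.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if (dst_ip, dport) in rdr:                     # translation precedes filtering
        new_dst, dport = rdr[(dst_ip, dport)]
        dst = ipaddress.ip_address(new_dst)
    decision = ("block", None)
    for i, r in enumerate(rules):
        r.evaluations += 1
        if _in(src, r.src) and _in(dst, r.dst) and (r.dport is None or r.dport == dport):
            decision = (r.action, i)
            if r.quick:
                break
    return decision


if __name__ == "__main__":
    rules = build_rules()
    print(evaluate(rules, RDR, "203.0.113.7", WAN_IP, 443))   # blocked by rule 0
    print(evaluate(rules, RDR, "192.0.2.200", WAN_IP, 443))   # passed by the 443 rule
    print([(r.label, r.evaluations) for r in rules])
    # Same block rule with quick off: last match wins, so the pass rule prevails.
    print(evaluate(build_rules(block_quick=False), RDR, "203.0.113.7", WAN_IP, 443))
```

The practical checks this suggests: confirm the block rule has "quick" set, and confirm its destination is "any" or the internal host rather than the WAN address, since after rdr the packet's destination is no longer the WAN address when the filter rules are evaluated.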
#7
19.7 Legacy Series / GEOIP Aliases Aren't Resolved
November 14, 2019, 12:24:53 AM
Hi,

I have an issue where GEOIP Aliases aren't resolving country codes to IP addresses.  I created an alias for countries I want to block and have an associated rule to block traffic from that alias.

When I click on Apply to update the alias on the firewall, I'm getting the following error in my logs:

configd.py: encode idna: unable to decode AO BF BI BJ BW CD CF CG CI CM DJ DZ EG EH ER ET GA GH GM GN GQ GW KE LR LS LY MA ML MR MW MZ NA NE NG RW SD SL SN SO SS ST SZ TD TG TN TZ UG ZA ZM ZW, return source

This seems to be new as of 19.7.6 (or at least this is the first I've noticed it).  I'm interpreting this error (from the backend logs) to mean that OPNsense is unable to process the alias and that the firewall rule is not effective.

I looked back and saw a similar defect reported in 19.7.3 and resolved in 19.7.4.  Not sure if this has resurfaced or if I'm doing something wrong.  Can someone provide some direction for me?

Brian
#8
Hi,

I have an application that requires talking outbound on a specific port.  In my configuration, I have a LAN network where the application runs and NAT to the WAN for my outbound traffic.  Is there a way I can tell the system to reserve the specific WAN TCP port I need so that only a specific IP address on my LAN network can use it?

Brian
#9
Hello,

Since updating to 19.7.4_1, I'm seeing this message about every minute in the logs:

vnstatd[48386]: Error: Database load failed even when using backup (Permission denied). Aborting.

I'm also not getting any Netflow data at all, and the flowd_aggregate service will not start, and I don't see any messages in the General logs for this.

Any ideas?

Brian
#10
Development and Code Review / Widget Example
July 26, 2019, 08:24:39 PM
Hi,

I'm interested in developing some widgets to use on the Lobby page.  Are there any examples from which I can draw to get started?

Brian
#11
Hello,

I have created two DHCP address pools specifically for some of my IoT devices for monitoring purposes.  I have added the correct partial MAC addresses for each of the pools.

For the first address pool, all of the devices with the partial MAC address are correctly being assigned to that pool (where there is a single partial MAC).  The second pool has 4 partial MAC addresses specified in MAC access control (allow) and only a handful of the devices are correctly assigned to that pool -- the rest are maintaining their addresses in the main pool.

Looking at the DHCP logs, I see requests from these devices for an "unknown" lease.  However, I don't see any response in logs for this.  This example is all I see:

dhcpd: DHCPREQUEST for 192.168.1.188 (192.168.1.1) from 00:07:a6:xx:xx:xx via igb1: unknown lease 192.168.1.188

The correct pool range for partial MAC 00:07:a6 should be 192.168.1.200 to 192.168.1.232.

Not sure where to go next to try to debug my config.  Any ideas?
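A log audit for the situation in this post, added as an example (not from the post and not OPNsense code): it parses dhcpd DHCPREQUEST lines, maps each client's MAC prefix to the pool it should land in (the same partial-MAC match a dhcpd class performs), and flags requests for an address outside that pool. The 00:07:a6 prefix and its .200-.232 range are the ones given above; the second prefix, the main pool range, the full MACs and the log lines are constructed for the example.

```python
import ipaddress
import re

# Pools keyed by partial MAC. 00:07:a6 -> .200-.232 is from the post; the
# b8:27:eb pool and MAIN_POOL are constructed placeholders (assumption).
POOLS = {
    "00:07:a6": ("192.168.1.200", "192.168.1.232"),
    "b8:27:eb": ("192.168.1.233", "192.168.1.240"),
}
MAIN_POOL = ("192.168.1.100", "192.168.1.199")

# Constructed sample log lines in isc-dhcpd's format (MACs are made up).
SAMPLE_LOG = [
    "dhcpd: DHCPREQUEST for 192.168.1.188 (192.168.1.1) from 00:07:a6:11:22:33 via igb1: unknown lease 192.168.1.188",
    "dhcpd: DHCPREQUEST for 192.168.1.205 (192.168.1.1) from 00:07:a6:44:55:66 via igb1",
    "dhcpd: DHCPACK on 192.168.1.205 to 00:07:a6:44:55:66 via igb1",
    "dhcpd: DHCPREQUEST for 192.168.1.150 (192.168.1.1) from 3c:22:fb:aa:bb:cc (laptop) via igb1",
]

LOG_RE = re.compile(
    r"DHCPREQUEST for (?P<ip>[\d.]+) \((?P<server>[\d.]+)\) "
    r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"          # optional client hostname
    r" via (?P<iface>\S+)"
    r"(?:: (?P<note>.+))?$"               # e.g. "unknown lease 192.168.1.188"
)


def parse_request(line: str):
    """Return the fields of a DHCPREQUEST log line, or None for other messages."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def expected_pool(mac: str):
    """Pool a client should receive, by the first three octets of its MAC."""
    return POOLS.get(mac.lower()[:8], MAIN_POOL)


def in_pool(ip: str, pool) -> bool:
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    return lo <= ipaddress.ip_address(ip) <= hi


def audit(lines):
    """Flag DHCPREQUESTs whose requested address is outside the client's expected pool."""
    findings = []
    for line in lines:
        rec = parse_request(line)
        if rec is None:
            continue
        pool = expected_pool(rec["mac"])
        findings.append({
            "mac": rec["mac"],
            "requested": rec["ip"],
            "expected_pool": pool,
            "in_expected_pool": in_pool(rec["ip"], pool),
            "note": rec["note"] or "",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        flag = "" if f["in_expected_pool"] else "  <-- outside expected pool"
        print(f"{f['mac']} asked for {f['requested']}, expected {f['expected_pool']} {f['note']}{flag}")
```

Run it over /var/log/dhcpd.log (or the output of `clog`) to get the list of clients that are still asking for a main-pool address; those are the ones whose partial MAC entry in the second pool is worth rechecking against what dhcpd's class actually matches on.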
#12
19.1 Legacy Series / [solved] UPS Status Empty
May 07, 2019, 03:56:09 PM
Hello,

I have a UPS attached to my OPNsense firewall and the NUT service seems to be working fine.  I have this networked to other devices as well and they are able to read the status of the UPS, time remaining, and the other metrics that NUT provides.  However, on the Diagnostics screen there is no information under UPS status.  Is this normal?

NOTE:  This is not unique to 19.1.7 -- have observed this behavior since installing OPNsense with version 19.1.1.

Brian