Topics - thoth

1
High availability / realtek failures
« on: August 20, 2023, 08:15:00 pm »
I have a few OPNsense HA installs on very cheap hardware to test HA on my homelab (some beelinks and other small cheap computers with at minimum two network ports). At some point on all of them, some more often than others, they go null route or something peculiar. If I log in to the machine directly with a keyboard and monitor the thing seems to be just fine but the networking is dead. The one thing that seems to be common amongst them all is the realtek hardware. Plus I have not seen this on more expensive hardware, though I would be interested if anyone has seen these sort of issues on any other hardware. To mitigate this I have made a small script that tries to ping out to 3 different IPs and reboot the machine if all three fail three times in a row.

Code:
#!/usr/bin/env bash
# hosts to probe; replace with real addresses
ips='ip1 ip2 ip3'

# one ICMP echo with a 5 s timeout (FreeBSD ping: -t is the timeout)
# named "check" rather than "test" so it does not shadow the shell builtin
check () {
  ping -t 5 -c 1 "$1" >/dev/null 2>&1
  if [[ $? -eq 0 ]]; then
    echo good
    # any successful ping means networking is still working
    exit 0
  else
    ((++count))
  fi
}

count=0
while [[ $count -lt 3 ]]; do
  for i in $ips
  do
    check "$i"
  done
done

# only reboot if all pings fail
reboot

Ugly I know, I'd be happy to hear about more elegant solutions.  For now I paired this with an action:

Code:
# cat /usr/local/opnsense/service/conf/actions.d/actions_testnet.conf
[check]
command:/root/testnet.sh
parameters:
type:script
message:testing network
description:network test

And have that running as a cronjob every 5 minutes.
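A reworked version of the watchdog, added here as an example and not the poster's script: it reboots only after every target has failed for three consecutive rounds (the behaviour the post describes), quotes its variables, avoids shadowing the `test` builtin, and lets `ping` be swapped out so the decision logic can be exercised without a network. The target addresses, the `run` argument, the `PAUSE` interval and the `testnet` logger tag are assumptions.

```shell
#!/bin/sh
# Network watchdog for OPNsense (FreeBSD): reboot only after every target has
# failed for ROUNDS consecutive rounds. Target IPs are constructed placeholders.

TARGETS="${TARGETS:-192.0.2.1 192.0.2.2 192.0.2.3}"  # replace with real hosts
ROUNDS="${ROUNDS:-3}"          # consecutive all-fail rounds before rebooting
PAUSE="${PAUSE:-20}"           # seconds between rounds
PING="${PING:-ping}"           # overridable so the logic can be tested offline
REBOOT="${REBOOT:-/sbin/reboot}"

# One ICMP echo with a 5 s timeout (-t is the timeout on FreeBSD's ping).
probe() {
  "$PING" -t 5 -c 1 "$1" >/dev/null 2>&1
}

# Returns 0 only if no target answered; any reply means the path is alive.
round_all_down() {
  for host in $TARGETS; do
    probe "$host" && return 1
  done
  return 0
}

# count_failed_rounds N: run up to N rounds, stopping at the first round with
# a reply. Echoes the number of consecutive all-fail rounds seen (0..N).
count_failed_rounds() {
  n=0
  while [ "$n" -lt "$1" ]; do
    round_all_down || break
    n=$((n + 1))
    if [ "$n" -lt "$1" ]; then sleep "$PAUSE"; fi
  done
  echo "$n"
}

watchdog_main() {
  failed=$(count_failed_rounds "$ROUNDS")
  if [ "$failed" -ge "$ROUNDS" ]; then
    logger -t testnet "all targets down for $ROUNDS rounds, rebooting"
    "$REBOOT"
  else
    logger -t testnet "network ok (all-fail rounds before a reply: $failed)"
  fi
}

# Only act when invoked as "testnet.sh run" (use that in the OPNsense action),
# so loading the file for tests never reaches the reboot.
if [ "${1:-}" = "run" ]; then watchdog_main; fi
```

Point the action's `command:` line at `/root/testnet.sh run`, and include at least one target that is not reached through the ISP link, otherwise an upstream outage reboots the firewall and on an HA pair can bounce both nodes at once.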

2
Documentation and Translation / User has obtained sshlockout how to remove?
« on: November 14, 2022, 06:47:43 pm »
I see these in my audit log:
   /firewall_rules.php: Web GUI authentication error for 'user12' from 10.0.0.7

I see sshlockout for that address in my firewall live view, the user can no longer load the UI at all.

How do I remove the ban hammer from that address?


3
20.1 Legacy Series / Metallb and Kubernetes
« on: February 06, 2020, 03:09:21 am »
I am having issues again with metallb and opnsense.  Everything seems to be working on the kubernetes side,

Code:
k get svc -n ingress-nginx
NAME            TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   LoadBalancer   10.110.93.202   10.20.16.88   80:30420/TCP,443:30472/TCP   12m

However, from any machine on the same 10.20.16.0/24 network I cannot reach that address:

Code:
sudo arping -I br0 10.20.16.88
ARPING 10.20.16.88
Timeout
Timeout
Timeout
Timeout
^C
--- 10.20.16.88 statistics ---
5 packets transmitted, 0 packets received, 100% unanswered (0 extra)

curl 10.20.16.88/echo -v -H Host:echo1.yourdomain.com
*   Trying 10.20.16.88...
* TCP_NODELAY set
* connect to 10.20.16.88 port 80 failed: No route to host
* Failed to connect to 10.20.16.88 port 80: No route to host
* Closing connection 0
curl: (7) Failed to connect to 10.20.16.88 port 80: No route to host


Of note, I had this exact same issue last year:
https://forum.opnsense.org/index.php?topic=12878.msg59918#msg59918

I got around this at one point by switching back to layer2 and not using BGP. However, even then only one address worked, not all addresses (otherwise I would've posted back success in that issue).

I'm willing to try both methods again, or anything else that might work.

Also, another similar issue I'd like to point out:
https://forum.opnsense.org/index.php?topic=14654.msg67006#msg67006

Any suggestion on what I might do to solve this issue?

4
19.1 Legacy Series / WAN port forward to static host on LAN
« on: May 28, 2019, 03:35:47 pm »
In my NAT port forwarding rules I have:

A host that gets its IP address from DHCP:
Code:
WAN TCP * * WAN address 2222 10.2.0.19 22 (SSH)

And another with a static IP address:
Code:
WAN TCP * * WAN address 2322 10.2.0.220 22 (SSH)

I can ssh through the WAN to the first host by port 2222, but not to the second host by 2322.

Curiously, from the first host I can ssh to the second host (behind the firewall) by port 22, so I am fairly certain that the second host has correctly set its static IP. The only difference that I can discern is that the first host is DHCP and the second is static.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved