Topics - clarknova

#1
OPNsense 25.7.11_2

My ISP has informed me that my assigned IP address will change at midnight. Looking at /var/db/dhclient.leases.igc0 (WAN), I see that my lease is valid for a few more days.

So I set up a cron job for shortly after midnight for periodic interface reset on wan. Will this have the desired effect of renewing the lease on the WAN and pulling the new address?
#2
OPNsense 25.7.4-amd64
Tailscale plugin 1.2 (1.88.1)

I have multiple firewalls running Tailscale. On November 1 two of these dropped off the tailnet. The hosts are still online, but when I look at their Tailscale status it shows that the service is running, but no peers are visible. I restarted the service but it's still not connecting to the tailnet. Key expiry is disabled for these hosts and they were initially connected using a pre-authentication key.

I don't see any Tailscale logs. What's the best way to troubleshoot this before I just update the firmware and reboot without knowing?
#3
I have a pair of firewalls that I just updated from 25.7.2 to 25.7.5. As usual, I updated the backup firewall first. After it rebooted I updated the primary firewall. After it rebooted I expected the primary firewall to become CARP master, but it didn't. I then tried temporarily disabling CARP on the backup firewall, but it just generated an error "200". I got the same error trying to enter it into CARP maintenance mode.

I suppose I could just reboot the backup firewall, but I'd prefer to know what's not working properly. How can I troubleshoot this further?

edit: after a few minutes the primary resumed master role. I guess more patience is all I needed in this case.
#4
General Discussion / Remote system, fairly broken
May 28, 2025, 11:49:15 PM
This host was running OPNsense 24.1.10_3, but it's in a sad state after opnsense-bootstrap failed to complete on it. I still have shell access, but the web UI is broken. It's a remote system with no console access. I'm wondering if it can be rescued.
# opnsense-bootstrap -r 25.1
This utility will attempt to turn this installation into the latest
OPNsense 25.1 release.  All packages will be deleted, the base
system and kernel will be replaced, and if all went well the system
will automatically reboot.

Proceed with this action? [y/N]: y
fetch: https://github.com/opnsense/core/archive/stable/25.1.tar.gz: size of remote file is not known
/tmp/opnsense-bootstrap/core.tar.gz                     10 MB 8995 kBps    01s
pkg: 178 packages installed
beep-1.0_2: already unlocked
boost-libs-1.84.0: already unlocked
ca_root_nss-3.93: already unlocked
choparp-20150613_1: already unlocked
cpdup-1.22_1: already unlocked
cpustats-0.1: already unlocked
curl-8.8.0: already unlocked
cyrus-sasl-2.1.28_4: already unlocked
cyrus-sasl-gssapi-2.1.28: already unlocked
dhcp6c-20240710: already unlocked
dhcrelay-0.5: already unlocked
dnsmasq-2.90_1,1: already unlocked
dpinger-3.3: already unlocked
e2fsprogs-libuuid-1.47.1: already unlocked
easy-rsa-3.1.7,1: already unlocked
expat-2.6.2: already unlocked
expiretable-0.6_3: already unlocked
filterlog-0.7_1: already unlocked
flock-2.37.2_1: already unlocked
flowd-0.9.1_5: already unlocked
gettext-runtime-0.22.5: already unlocked
git-2.45.2_1: already unlocked
glib-2.80.3,2: already unlocked
gmp-6.3.0: already unlocked
hostapd-2.10_10: already unlocked
hyperscan-5.4.2: already unlocked
icu-74.2_1,1: already unlocked
ifinfo-13.0_1: already unlocked
iftop-1.0.p4_1: already unlocked
indexinfo-0.3.1: already unlocked
iperf3-3.17.1: already unlocked
isc-dhcp44-server-4.4.3P1_1: already unlocked
ivykis-0.43.2: already unlocked
jansson-2.14: already unlocked
json-c-0.17: already unlocked
kea-2.4.1_2: already unlocked
krb5-1.21.3: already unlocked
ldns-1.8.3_1: already unlocked
libargon2-20190702_1: already unlocked
libcbor-0.11.0: already unlocked
libcjson-1.7.18_2: already unlocked
libedit-3.1.20240517,1: already unlocked
libevent-2.1.12: already unlocked
libffi-3.4.6: already unlocked
libfido2-1.15.0: already unlocked
libiconv-1.17_1: already unlocked
libidn2-2.3.7: already unlocked
libltdl-2.4.7: already unlocked
liblz4-1.9.4_1,1: already unlocked
libmcrypt-2.5.8_4: already unlocked
libnet-1.3,1: already unlocked
libnghttp2-1.62.1: already unlocked
libpfctl-0.11: already unlocked
libpsl-0.21.5_1: already unlocked
libsodium-1.0.19: already unlocked
libucl-0.9.2: already unlocked
libunistring-1.2: already unlocked
libunwind-20240221: already unlocked
libxml2-2.11.8: already unlocked
libyaml-0.2.5: already unlocked
lighttpd-1.4.76: already unlocked
log4cplus-2.1.1: already unlocked
lzo2-2.10_1: already unlocked
monit-5.33.0_1: already unlocked
mpd5-5.9_18: already unlocked
mpdecimal-4.0.0: already unlocked
nettle-3.10_1: already unlocked
nspr-4.35: already unlocked
nss-3.101: already unlocked
ntp-4.2.8p18: already unlocked
oniguruma-6.9.9: already unlocked
openldap26-client-2.6.8: already unlocked
openssh-portable-9.8.p1,1: already unlocked
openssl-3.0.14,1: already unlocked
openvpn-2.6.11: already unlocked
opnsense-24.1.10_3: already unlocked
opnsense-installer-24.1: already unlocked
opnsense-lang-23.7.11: already unlocked
opnsense-update-24.1.8: already unlocked
os-dyndns-1.27_3: already unlocked
os-iperf-1.0_1: already unlocked
p5-Error-0.17029: already unlocked
pam_opnsense-24.1: already unlocked
pcre2-10.43: already unlocked
perl5-5.36.3_1: already unlocked
pftop-0.10_1: already unlocked
php82-8.2.20: already unlocked
php82-ctype-8.2.20: already unlocked
php82-curl-8.2.20: already unlocked
php82-dom-8.2.20: already unlocked
php82-filter-8.2.20: already unlocked
php82-gettext-8.2.20: already unlocked
php82-google-api-php-client-2.4.0: already unlocked
php82-ldap-8.2.20: already unlocked
php82-mbstring-8.2.20: already unlocked
php82-pcntl-8.2.20: already unlocked
php82-pdo-8.2.20: already unlocked
php82-pear-1.10.13: already unlocked
php82-pear-Crypt_CHAP-1.5.0_1: already unlocked
php82-pecl-mcrypt-1.0.7: already unlocked
php82-pecl-radius-1.4.0b1_2: already unlocked
php82-phalcon-5.7.0: already unlocked
php82-phpseclib-3.0.36: already unlocked
php82-session-8.2.20: already unlocked
php82-simplexml-8.2.20: already unlocked
php82-sockets-8.2.20: already unlocked
php82-sqlite3-8.2.20: already unlocked
php82-xml-8.2.20: already unlocked
php82-zlib-8.2.20: already unlocked
pkcs11-helper-1.29.0_3: already unlocked
pkg-1.19.2_1: already unlocked
py311-Babel-2.14.0: already unlocked
py311-Jinja2-3.1.3: already unlocked
py311-aioquic-1.2.0: already unlocked
py311-anyio-4.4.0: already unlocked
py311-async_generator-1.10: already unlocked
py311-attrs-23.2.0: already unlocked
py311-bottleneck-1.3.8_1: already unlocked
py311-certifi-2024.7.4: already unlocked
py311-cffi-1.16.0: already unlocked
py311-charset-normalizer-3.3.2_1: already unlocked
py311-cryptography-42.0.8_1,1: already unlocked
py311-dnspython-2.6.1,1: already unlocked
py311-duckdb-1.0.0: already unlocked
py311-h11-0.14.0: already unlocked
py311-h2-4.1.0: already unlocked
py311-hpack-4.0.0: already unlocked
py311-httpcore-1.0.5: already unlocked
py311-httpx-0.27.0_1: already unlocked
py311-hyperframe-6.0.0: already unlocked
py311-idna-3.7: already unlocked
py311-markupsafe-2.1.5_1: already unlocked
py311-netaddr-1.3.0: already unlocked
py311-numexpr-2.10.1: already unlocked
py311-numpy-1.25.0_7,1: already unlocked
py311-openssl-24.1.0,1: already unlocked
py311-outcome-1.3.0_1: already unlocked
py311-packaging-24.1: already unlocked
py311-pandas-2.0.3_2,1: already unlocked
py311-pyasn1-0.6.0: already unlocked
py311-pyasn1-modules-0.4.0: already unlocked
py311-pycparser-2.22: already unlocked
py311-pylsqpack-0.3.18: already unlocked
py311-pysocks-1.7.1_1: already unlocked
py311-python-dateutil-2.9.0: already unlocked
py311-pytz-2024.1,1: already unlocked
py311-pyyaml-6.0.1: already unlocked
py311-requests-2.32.3: already unlocked
py311-service-identity-24.1.0: already unlocked
py311-setuptools-63.1.0_1: already unlocked
py311-six-1.16.0_1: already unlocked
py311-sniffio-1.3.1: already unlocked
py311-socksio-1.0.0_1: already unlocked
py311-sortedcontainers-2.4.0: already unlocked
py311-sqlite3-3.11.9_7: already unlocked
py311-trio-0.26.0: already unlocked
py311-tzdata-2024.1: already unlocked
py311-ujson-5.10.0: already unlocked
py311-urllib3-1.26.19,1: already unlocked
py311-vici-5.9.11: already unlocked
python311-3.11.9_1: already unlocked
radvd-2.19_4: already unlocked
readline-8.2.10: already unlocked
rrdtool-1.8.0_4: already unlocked
ruby-3.1.6,1: already unlocked
ruby31-gems-3.5.14: already unlocked
rubygem-rexml-3.3.1: already unlocked
rubygem-strscan-3.1.0: already unlocked
samplicator-1.3.8.r1_1: already unlocked
sqlite3-3.46.0,1: already unlocked
strongswan-5.9.14: already unlocked
sudo-1.9.15p5_4: already unlocked
suricata-7.0.6: already unlocked
syslog-ng-4.7.1: already unlocked
tailscale-1.66.4: already unlocked
unbound-1.20.0_1: already unlocked
wpa_supplicant-2.10_10: already unlocked
zip-3.0_2: already unlocked
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 178 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
beep: 1.0_2
boost-libs: 1.84.0
ca_root_nss: 3.93
choparp: 20150613_1
cpdup: 1.22_1
cpustats: 0.1
curl: 8.8.0
cyrus-sasl: 2.1.28_4
cyrus-sasl-gssapi: 2.1.28
dhcp6c: 20240710
dhcrelay: 0.5
dnsmasq: 2.90_1,1
dpinger: 3.3
e2fsprogs-libuuid: 1.47.1
easy-rsa: 3.1.7,1
expat: 2.6.2
expiretable: 0.6_3
filterlog: 0.7_1
flock: 2.37.2_1
flowd: 0.9.1_5
gettext-runtime: 0.22.5
git: 2.45.2_1
glib: 2.80.3,2
gmp: 6.3.0
hostapd: 2.10_10
hyperscan: 5.4.2
icu: 74.2_1,1
ifinfo: 13.0_1
iftop: 1.0.p4_1
indexinfo: 0.3.1
iperf3: 3.17.1
isc-dhcp44-server: 4.4.3P1_1
ivykis: 0.43.2
jansson: 2.14
json-c: 0.17
kea: 2.4.1_2
krb5: 1.21.3
ldns: 1.8.3_1
libargon2: 20190702_1
libcbor: 0.11.0
libcjson: 1.7.18_2
libedit: 3.1.20240517,1
libevent: 2.1.12
libffi: 3.4.6
libfido2: 1.15.0
libiconv: 1.17_1
libidn2: 2.3.7
libltdl: 2.4.7
liblz4: 1.9.4_1,1
libmcrypt: 2.5.8_4
libnet: 1.3,1
libnghttp2: 1.62.1
libpfctl: 0.11
libpsl: 0.21.5_1
libsodium: 1.0.19
libucl: 0.9.2
libunistring: 1.2
libunwind: 20240221
libxml2: 2.11.8
libyaml: 0.2.5
lighttpd: 1.4.76
log4cplus: 2.1.1
lzo2: 2.10_1
monit: 5.33.0_1
mpd5: 5.9_18
mpdecimal: 4.0.0
nettle: 3.10_1
nspr: 4.35
nss: 3.101
ntp: 4.2.8p18
oniguruma: 6.9.9
openldap26-client: 2.6.8
openssh-portable: 9.8.p1,1
openssl: 3.0.14,1
openvpn: 2.6.11
opnsense: 24.1.10_3
opnsense-installer: 24.1
opnsense-lang: 23.7.11
opnsense-update: 24.1.8
os-dyndns: 1.27_3
os-iperf: 1.0_1
p5-Error: 0.17029
pam_opnsense: 24.1
pcre2: 10.43
perl5: 5.36.3_1
pftop: 0.10_1
php82: 8.2.20
php82-ctype: 8.2.20
php82-curl: 8.2.20
php82-dom: 8.2.20
php82-filter: 8.2.20
php82-gettext: 8.2.20
php82-google-api-php-client: 2.4.0
php82-ldap: 8.2.20
php82-mbstring: 8.2.20
php82-pcntl: 8.2.20
php82-pdo: 8.2.20
php82-pear: 1.10.13
php82-pear-Crypt_CHAP: 1.5.0_1
php82-pecl-mcrypt: 1.0.7
php82-pecl-radius: 1.4.0b1_2
php82-phalcon: 5.7.0
php82-phpseclib: 3.0.36
php82-session: 8.2.20
php82-simplexml: 8.2.20
php82-sockets: 8.2.20
php82-sqlite3: 8.2.20
php82-xml: 8.2.20
php82-zlib: 8.2.20
pkcs11-helper: 1.29.0_3
pkg: 1.19.2_1
py311-Babel: 2.14.0
py311-Jinja2: 3.1.3
py311-aioquic: 1.2.0
py311-anyio: 4.4.0
py311-async_generator: 1.10
py311-attrs: 23.2.0
py311-bottleneck: 1.3.8_1
py311-certifi: 2024.7.4
py311-cffi: 1.16.0
py311-charset-normalizer: 3.3.2_1
py311-cryptography: 42.0.8_1,1
py311-dnspython: 2.6.1,1
py311-duckdb: 1.0.0
py311-h11: 0.14.0
py311-h2: 4.1.0
py311-hpack: 4.0.0
py311-httpcore: 1.0.5
py311-httpx: 0.27.0_1
py311-hyperframe: 6.0.0
py311-idna: 3.7
py311-markupsafe: 2.1.5_1
py311-netaddr: 1.3.0
py311-numexpr: 2.10.1
py311-numpy: 1.25.0_7,1
py311-openssl: 24.1.0,1
py311-outcome: 1.3.0_1
py311-packaging: 24.1
py311-pandas: 2.0.3_2,1
py311-pyasn1: 0.6.0
py311-pyasn1-modules: 0.4.0
py311-pycparser: 2.22
py311-pylsqpack: 0.3.18
py311-pysocks: 1.7.1_1
py311-python-dateutil: 2.9.0
py311-pytz: 2024.1,1
py311-pyyaml: 6.0.1
py311-requests: 2.32.3
py311-service-identity: 24.1.0
py311-setuptools: 63.1.0_1
py311-six: 1.16.0_1
py311-sniffio: 1.3.1
py311-socksio: 1.0.0_1
py311-sortedcontainers: 2.4.0
py311-sqlite3: 3.11.9_7
py311-trio: 0.26.0
py311-tzdata: 2024.1
py311-ujson: 5.10.0
py311-urllib3: 1.26.19,1
py311-vici: 5.9.11
python311: 3.11.9_1
radvd: 2.19_4
readline: 8.2.10
rrdtool: 1.8.0_4
ruby: 3.1.6,1
ruby31-gems: 3.5.14
rubygem-rexml: 3.3.1
rubygem-strscan: 3.1.0
samplicator: 1.3.8.r1_1
sqlite3: 3.46.0,1
strongswan: 5.9.14
sudo: 1.9.15p5_4
suricata: 7.0.6
syslog-ng: 4.7.1
tailscale: 1.66.4
unbound: 1.20.0_1
wpa_supplicant: 2.10_10
zip: 3.0_2

Number of packages to be removed: 178

The operation will free 1 GiB.
[1/178] Deinstalling opnsense-24.1.10_3...
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20150402
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20160104
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20160630
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20161210
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20170625
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20171219
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20180614
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20181218
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20190702
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20200119
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20200313
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20210104
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20210629
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20210903
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20220701
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20221213
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/trusted/pkg.opnsense.org.20230717
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/fingerprints/OPNsense/trusted/pkg.opnsense.org.20240105
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/repos/FreeBSD.conf.sample
[1/178] Deleting files for opnsense-24.1.10_3:   3%
opnsense-24.1.10_3: missing file /usr/local/etc/pkg/repos/OPNsense.conf.sample
[1/178] Deleting files for opnsense-24.1.10_3: 100%
[2/178] Deinstalling py311-dnspython-2.6.1,1...
[2/178] Deleting files for py311-dnspython-2.6.1,1: 100%
[3/178] Deinstalling py311-aioquic-1.2.0...
[3/178] Deleting files for py311-aioquic-1.2.0: 100%
[4/178] Deinstalling py311-httpx-0.27.0_1...
[4/178] Deleting files for py311-httpx-0.27.0_1: 100%
[5/178] Deinstalling py311-duckdb-1.0.0...
[5/178] Deleting files for py311-duckdb-1.0.0: 100%
[6/178] Deinstalling php82-pear-Crypt_CHAP-1.5.0_1...
uninstall ok: channel://pear.php.net/Crypt_CHAP-1.5.0
[6/178] Deleting files for php82-pear-Crypt_CHAP-1.5.0_1: 100%
[7/178] Deinstalling py311-service-identity-24.1.0...
[7/178] Deleting files for py311-service-identity-24.1.0: 100%
[8/178] Deinstalling py311-pandas-2.0.3_2,1...
[8/178] Deleting files for py311-pandas-2.0.3_2,1: 100%
[9/178] Deinstalling os-iperf-1.0_1...
[9/178] Deleting files for os-iperf-1.0_1: 100%
[10/178] Deinstalling py311-httpcore-1.0.5...
[10/178] Deleting files for py311-httpcore-1.0.5: 100%
[11/178] Deinstalling py311-openssl-24.1.0,1...
[11/178] Deleting files for py311-openssl-24.1.0,1: 100%
[12/178] Deinstalling py311-cryptography-42.0.8_1,1...
[12/178] Deleting files for py311-cryptography-42.0.8_1,1: 100%
[13/178] Deinstalling py311-bottleneck-1.3.8_1...
[13/178] Deleting files for py311-bottleneck-1.3.8_1: 100%
[14/178] Deinstalling git-2.45.2_1...
[14/178] Deleting files for git-2.45.2_1: 100%
==> You should manually remove the "git_daemon" user
==> You should manually remove the "git_daemon" group
[15/178] Deinstalling php82-curl-8.2.20...
[15/178] Deleting files for php82-curl-8.2.20: 100%
[16/178] Deinstalling rrdtool-1.8.0_4...
[16/178] Deleting files for rrdtool-1.8.0_4: 100%
[17/178] Deinstalling php82-phalcon-5.7.0...
[17/178] Deleting files for php82-phalcon-5.7.0: 100%
[18/178] Deinstalling syslog-ng-4.7.1...
[18/178] Deleting files for syslog-ng-4.7.1: 100%
[19/178] Deinstalling py311-requests-2.32.3...
[19/178] Deleting files for py311-requests-2.32.3: 100%
[20/178] Deinstalling php82-ldap-8.2.20...
[20/178] Deleting files for php82-ldap-8.2.20: 100%
[21/178] Deinstalling py311-trio-0.26.0...
[21/178] Deleting files for py311-trio-0.26.0: 100%
[22/178] Deinstalling py311-h2-4.1.0...
[22/178] Deleting files for py311-h2-4.1.0: 100%
[23/178] Deinstalling py311-numexpr-2.10.1...
[23/178] Deleting files for py311-numexpr-2.10.1: 100%
[24/178] Deinstalling rubygem-rexml-3.3.1...
[24/178] Deleting files for rubygem-rexml-3.3.1: 100%
[25/178] Deinstalling suricata-7.0.6...
[25/178] Deleting files for suricata-7.0.6: 100%
==> If you are permanently removing this port, run rm -rf /usr/local/etc/suricata to remove configuration files.
[26/178] Deinstalling strongswan-5.9.14...
[26/178] Deleting files for strongswan-5.9.14: 100%
[27/178] Deinstalling php82-pear-1.10.13...
[27/178] Deleting files for php82-pear-1.10.13: 100%
[28/178] Deinstalling py311-Jinja2-3.1.3...
[28/178] Deleting files for py311-Jinja2-3.1.3: 100%
[29/178] Deinstalling py311-sqlite3-3.11.9_7...
[29/178] Deleting files for py311-sqlite3-3.11.9_7: 100%
[30/178] Deinstalling py311-anyio-4.4.0...
[30/178] Deleting files for py311-anyio-4.4.0: 100%
[31/178] Deinstalling php82-session-8.2.20...
[31/178] Deleting files for php82-session-8.2.20: 100%
[32/178] Deinstalling py311-hyperframe-6.0.0...
[32/178] Deleting files for py311-hyperframe-6.0.0: 100%
[33/178] Deinstalling py311-numpy-1.25.0_7,1...
[33/178] Deleting files for py311-numpy-1.25.0_7,1: 100%
[34/178] Deinstalling py311-python-dateutil-2.9.0...
[34/178] Deleting files for py311-python-dateutil-2.9.0: 100%
[35/178] Deinstalling php82-zlib-8.2.20...
[35/178] Deleting files for php82-zlib-8.2.20: 100%
[36/178] Deinstalling php82-dom-8.2.20...
[36/178] Deleting files for php82-dom-8.2.20: 100%
[37/178] Deinstalling php82-simplexml-8.2.20...
[37/178] Deleting files for php82-simplexml-8.2.20: 100%
[38/178] Deinstalling py311-pyasn1-modules-0.4.0...
[38/178] Deleting files for py311-pyasn1-modules-0.4.0: 100%
[39/178] Deinstalling py311-pyyaml-6.0.1...
[39/178] Deleting files for py311-pyyaml-6.0.1: 100%
[40/178] Deinstalling php82-pdo-8.2.20...
[40/178] Deleting files for php82-pdo-8.2.20: 100%
[41/178] Deinstalling rubygem-strscan-3.1.0...
[41/178] Deleting files for rubygem-strscan-3.1.0: 100%
[42/178] Deinstalling py311-cffi-1.16.0...
[42/178] Deleting files for py311-cffi-1.16.0: 100%
[43/178] Deinstalling php82-pecl-radius-1.4.0b1_2...
[43/178] Deleting files for php82-pecl-radius-1.4.0b1_2: 100%
[44/178] Deinstalling php82-mbstring-8.2.20...
[44/178] Deleting files for php82-mbstring-8.2.20: 100%
[45/178] Deinstalling py311-pytz-2024.1,1...
[45/178] Deleting files for py311-pytz-2024.1,1: 100%
[46/178] Deinstalling py311-sortedcontainers-2.4.0...
[46/178] Deleting files for py311-sortedcontainers-2.4.0: 100%
[47/178] Deinstalling py311-vici-5.9.11...
[47/178] Deleting files for py311-vici-5.9.11: 100%
[48/178] Deinstalling py311-async_generator-1.10...
[48/178] Deleting files for py311-async_generator-1.10: 100%
[49/178] Deinstalling py311-hpack-4.0.0...
[49/178] Deleting files for py311-hpack-4.0.0: 100%
[50/178] Deinstalling php82-google-api-php-client-2.4.0...
[50/178] Deleting files for php82-google-api-php-client-2.4.0: 100%
[51/178] Deinstalling php82-sockets-8.2.20...
[51/178] Deleting files for php82-sockets-8.2.20: 100%
[52/178] Deinstalling php82-sqlite3-8.2.20...
[52/178] Deleting files for php82-sqlite3-8.2.20: 100%
[53/178] Deinstalling py311-Babel-2.14.0...
[53/178] Deleting files for py311-Babel-2.14.0: 100%
[54/178] Deinstalling py311-outcome-1.3.0_1...
[54/178] Deleting files for py311-outcome-1.3.0_1: 100%
[55/178] Deinstalling php82-pcntl-8.2.20...
[55/178] Deleting files for php82-pcntl-8.2.20: 100%
[56/178] Deinstalling php82-xml-8.2.20...
[56/178] Deleting files for php82-xml-8.2.20: 100%
[57/178] Deinstalling curl-8.8.0...
[57/178] Deleting files for curl-8.8.0: 100%
[58/178] Deinstalling py311-urllib3-1.26.19,1...
[58/178] Deleting files for py311-urllib3-1.26.19,1: 100%
[59/178] Deinstalling php82-phpseclib-3.0.36...
[59/178] Deleting files for php82-phpseclib-3.0.36: 100%
[60/178] Deinstalling php82-gettext-8.2.20...
[60/178] Deleting files for php82-gettext-8.2.20: 100%
[61/178] Deinstalling openldap26-client-2.6.8...
[61/178] Deleting files for openldap26-client-2.6.8: 100%
[62/178] Deinstalling glib-2.80.3,2...
[62/178] Deleting files for glib-2.80.3,2: 100%
[63/178] Deinstalling php82-pecl-mcrypt-1.0.7...
[63/178] Deleting files for php82-pecl-mcrypt-1.0.7: 100%
[64/178] Deinstalling py311-ujson-5.10.0...
[64/178] Deleting files for py311-ujson-5.10.0: 100%
[65/178] Deinstalling php82-ctype-8.2.20...
[65/178] Deleting files for php82-ctype-8.2.20: 100%
[66/178] Deinstalling php82-filter-8.2.20...
[66/178] Deleting files for php82-filter-8.2.20: 100%
[67/178] Deinstalling py311-h11-0.14.0...
[67/178] Deleting files for py311-h11-0.14.0: 100%
[68/178] Deinstalling unbound-1.20.0_1...
[68/178] Deleting files for unbound-1.20.0_1: 100%
[69/178] Deinstalling lighttpd-1.4.76...
[69/178] Deleting files for lighttpd-1.4.76: 100%
[70/178] Deinstalling py311-sniffio-1.3.1...
[70/178] Deleting files for py311-sniffio-1.3.1: 100%
[71/178] Deinstalling py311-pycparser-2.22...
[71/178] Deleting files for py311-pycparser-2.22: 100%
[72/178] Deinstalling py311-six-1.16.0_1...
[72/178] Deleting files for py311-six-1.16.0_1: 100%
[73/178] Deinstalling py311-charset-normalizer-3.3.2_1...
[73/178] Deleting files for py311-charset-normalizer-3.3.2_1: 100%
[74/178] Deinstalling py311-setuptools-63.1.0_1...
[74/178] Deleting files for py311-setuptools-63.1.0_1: 100%
[75/178] Deinstalling py311-idna-3.7...
[75/178] Deleting files for py311-idna-3.7: 100%
[76/178] Deinstalling cyrus-sasl-gssapi-2.1.28...
[76/178] Deleting files for cyrus-sasl-gssapi-2.1.28: 100%
[77/178] Deinstalling dnsmasq-2.90_1,1...
[77/178] Deleting files for dnsmasq-2.90_1,1: 100%
[78/178] Deinstalling py311-netaddr-1.3.0...
[78/178] Deleting files for py311-netaddr-1.3.0: 100%
[79/178] Deinstalling py311-packaging-24.1...
[79/178] Deleting files for py311-packaging-24.1: 100%
[80/178] Deinstalling py311-pysocks-1.7.1_1...
[80/178] Deleting files for py311-pysocks-1.7.1_1: 100%
[81/178] Deinstalling py311-markupsafe-2.1.5_1...
[81/178] Deleting files for py311-markupsafe-2.1.5_1: 100%
[82/178] Deinstalling libpsl-0.21.5_1...
[82/178] Deleting files for libpsl-0.21.5_1: 100%
[83/178] Deinstalling py311-attrs-23.2.0...
[83/178] Deleting files for py311-attrs-23.2.0: 100%
[84/178] Deinstalling py311-certifi-2024.7.4...
[84/178] Deleting files for py311-certifi-2024.7.4: 100%
[85/178] Deinstalling py311-tzdata-2024.1...
[85/178] Deleting files for py311-tzdata-2024.1: 100%
[86/178] Deinstalling php82-8.2.20...
[86/178] Deleting files for php82-8.2.20: 100%
[87/178] Deinstalling py311-socksio-1.0.0_1...
[87/178] Deleting files for py311-socksio-1.0.0_1: 100%
[88/178] Deinstalling openssh-portable-9.8.p1,1...
[88/178] Deleting files for openssh-portable-9.8.p1,1: 100%
[89/178] Deinstalling py311-pylsqpack-0.3.18...
[89/178] Deleting files for py311-pylsqpack-0.3.18: 100%
[90/178] Deinstalling py311-pyasn1-0.6.0...
[90/178] Deleting files for py311-pyasn1-0.6.0: 100%
[91/178] Deinstalling ruby31-gems-3.5.14...
[91/178] Deleting files for ruby31-gems-3.5.14: 100%
[92/178] Deinstalling wpa_supplicant-2.10_10...
[92/178] Deleting files for wpa_supplicant-2.10_10: 100%
[93/178] Deinstalling libidn2-2.3.7...
[93/178] Deleting files for libidn2-2.3.7: 100%
[94/178] Deinstalling nettle-3.10_1...
[94/178] Deleting files for nettle-3.10_1: 100%
[95/178] Deinstalling nss-3.101...
[95/178] Deleting files for nss-3.101: 100%
[96/178] Deinstalling openvpn-2.6.11...
[96/178] Deleting files for openvpn-2.6.11: 100%
==> You should manually remove the "openvpn" user
==> You should manually remove the "openvpn" group
[97/178] Deinstalling krb5-1.21.3...
[97/178] Deleting files for krb5-1.21.3: 100%
[98/178] Deinstalling libxml2-2.11.8...
[98/178] Deleting files for libxml2-2.11.8: 100%
[99/178] Deinstalling ruby-3.1.6,1...
[99/178] Deleting files for ruby-3.1.6,1: 100%
[100/178] Deinstalling ntp-4.2.8p18...
[100/178] Deleting files for ntp-4.2.8p18: 100%
[101/178] Deinstalling libfido2-1.15.0...
[101/178] Deleting files for libfido2-1.15.0: 100%
[102/178] Deinstalling python311-3.11.9_1...
[102/178] Deleting files for python311-3.11.9_1: 100%
[103/178] Deinstalling kea-2.4.1_2...
[103/178] Deleting files for kea-2.4.1_2: 100%
[104/178] Deinstalling opnsense-installer-24.1...
[104/178] Deleting files for opnsense-installer-24.1: 100%
[105/178] Deinstalling opnsense-update-24.1.8...
[105/178] Deleting files for opnsense-update-24.1.8: 100%
[106/178] Deinstalling hostapd-2.10_10...
[106/178] Deleting files for hostapd-2.10_10: 100%
[107/178] Deinstalling boost-libs-1.84.0...
[107/178] Deleting files for boost-libs-1.84.0: 100%
[108/178] Deinstalling monit-5.33.0_1...
[108/178] Deleting files for monit-5.33.0_1: 100%
[109/178] Deinstalling libunistring-1.2...
[109/178] Deleting files for libunistring-1.2: 100%
[110/178] Deinstalling cpdup-1.22_1...
[110/178] Deleting files for cpdup-1.22_1: 100%
[111/178] Deinstalling p5-Error-0.17029...
[111/178] Deleting files for p5-Error-0.17029: 100%
[112/178] Deinstalling libcbor-0.11.0...
[112/178] Deleting files for libcbor-0.11.0: 100%
[113/178] Deinstalling ldns-1.8.3_1...
[113/178] Deleting files for ldns-1.8.3_1: 100%
[114/178] Deinstalling tailscale-1.66.4...
[114/178] Deleting files for tailscale-1.66.4: 100%
[115/178] Deinstalling isc-dhcp44-server-4.4.3P1_1...
[115/178] Deleting files for isc-dhcp44-server-4.4.3P1_1: 100%
==> You should manually remove the "dhcpd" user.
==> You should manually remove the "dhcpd" group
[116/178] Deinstalling libevent-2.1.12...
[116/178] Deleting files for libevent-2.1.12: 100%
[117/178] Deinstalling iperf3-3.17.1...
[117/178] Deleting files for iperf3-3.17.1: 100%
[118/178] Deinstalling pkcs11-helper-1.29.0_3...
[118/178] Deleting files for pkcs11-helper-1.29.0_3: 100%
[119/178] Deinstalling gmp-6.3.0...
[119/178] Deleting files for gmp-6.3.0: 100%
[120/178] Deinstalling gettext-runtime-0.22.5...
[120/178] Deleting files for gettext-runtime-0.22.5: 100%
[121/178] Deinstalling cyrus-sasl-2.1.28_4...
[121/178] Deleting files for cyrus-sasl-2.1.28_4: 100%
To delete Cyrus user permanently, use 'pw userdel cyrus'
To delete Cyrus group permanently, use 'pw groupdel cyrus'
[122/178] Deinstalling sqlite3-3.46.0,1...
[122/178] Deleting files for sqlite3-3.46.0,1: 100%
[123/178] Deinstalling libffi-3.4.6...
[123/178] Deleting files for libffi-3.4.6: 100%
[124/178] Deinstalling readline-8.2.10...
[124/178] Deleting files for readline-8.2.10: 100%
[125/178] Deinstalling sudo-1.9.15p5_4...
[125/178] Deleting files for sudo-1.9.15p5_4: 100%
[126/178] Deinstalling pftop-0.10_1...
[126/178] Deleting files for pftop-0.10_1: 100%
[127/178] Deinstalling filterlog-0.7_1...
[127/178] Deleting files for filterlog-0.7_1: 100%
[128/178] Deinstalling flock-2.37.2_1...
[128/178] Deleting files for flock-2.37.2_1: 100%
[129/178] Deinstalling dpinger-3.3...
[129/178] Deleting files for dpinger-3.3: 100%
[130/178] Deinstalling mpdecimal-4.0.0...
[130/178] Deleting files for mpdecimal-4.0.0: 100%
[131/178] Deinstalling flowd-0.9.1_5...
[131/178] Deleting files for flowd-0.9.1_5: 100%
==> You should manually remove the "_flowd" user.
==> You should manually remove the "_flowd" group
[132/178] Deinstalling openssl-3.0.14,1...
[132/178] Deleting files for openssl-3.0.14,1: 100%
[133/178] Deinstalling libyaml-0.2.5...
[133/178] Deleting files for libyaml-0.2.5: 100%
[134/178] Deinstalling lzo2-2.10_1...
[134/178] Deleting files for lzo2-2.10_1: 100%
[135/178] Deinstalling dhcrelay-0.5...
[135/178] Deleting files for dhcrelay-0.5: 100%
[136/178] Deinstalling libiconv-1.17_1...
[136/178] Deleting files for libiconv-1.17_1: 100%
[137/178] Deinstalling json-c-0.17...
[137/178] Deleting files for json-c-0.17: 100%
[138/178] Deinstalling easy-rsa-3.1.7,1...
[138/178] Deleting files for easy-rsa-3.1.7,1: 100%
[139/178] Deinstalling choparp-20150613_1...
[139/178] Deleting files for choparp-20150613_1: 100%
[140/178] Deinstalling e2fsprogs-libuuid-1.47.1...
[140/178] Deleting files for e2fsprogs-libuuid-1.47.1: 100%
[141/178] Deinstalling cpustats-0.1...
[141/178] Deleting files for cpustats-0.1: 100%
[142/178] Deinstalling libnghttp2-1.62.1...
[142/178] Deleting files for libnghttp2-1.62.1: 100%
[143/178] Deinstalling icu-74.2_1,1...
[143/178] Deleting files for icu-74.2_1,1: 100%
[144/178] Deinstalling libmcrypt-2.5.8_4...
[144/178] Deleting files for libmcrypt-2.5.8_4: 100%
[145/178] Deinstalling dhcp6c-20240710...
[145/178] Deleting files for dhcp6c-20240710: 100%
[146/178] Deinstalling libargon2-20190702_1...
[146/178] Deleting files for libargon2-20190702_1: 100%
[147/178] Deinstalling radvd-2.19_4...
[147/178] Deleting files for radvd-2.19_4: 100%
[148/178] Deinstalling ca_root_nss-3.93...
[148/178] Deleting files for ca_root_nss-3.93: 100%
[149/178] Deinstalling os-dyndns-1.27_3...
[149/178] Deleting files for os-dyndns-1.27_3: 100%
[150/178] Deinstalling libcjson-1.7.18_2...
[150/178] Deleting files for libcjson-1.7.18_2: 100%
[151/178] Deinstalling ivykis-0.43.2...
[151/178] Deleting files for ivykis-0.43.2: 100%
[152/178] Deinstalling beep-1.0_2...
[152/178] Deleting files for beep-1.0_2: 100%
[153/178] Deinstalling libedit-3.1.20240517,1...
[153/178] Deleting files for libedit-3.1.20240517,1: 100%
[154/178] Deinstalling liblz4-1.9.4_1,1...
[154/178] Deleting files for liblz4-1.9.4_1,1: 100%
[155/178] Deinstalling iftop-1.0.p4_1...
[155/178] Deleting files for iftop-1.0.p4_1: 100%
[156/178] Deinstalling ifinfo-13.0_1...
[156/178] Deleting files for ifinfo-13.0_1: 100%
[157/178] Deinstalling libunwind-20240221...
[157/178] Deleting files for libunwind-20240221: 100%
[158/178] Deinstalling samplicator-1.3.8.r1_1...
[158/178] Deleting files for samplicator-1.3.8.r1_1: 100%
[159/178] Deinstalling log4cplus-2.1.1...
[159/178] Deleting files for log4cplus-2.1.1: 100%
[160/178] Deinstalling pcre2-10.43...
[160/178] Deleting files for pcre2-10.43: 100%
[161/178] Deinstalling nspr-4.35...
[161/178] Deleting files for nspr-4.35: 100%
[162/178] Deinstalling expiretable-0.6_3...
[162/178] Deleting files for expiretable-0.6_3: 100%
[163/178] Deinstalling jansson-2.14...
[163/178] Deleting files for jansson-2.14: 100%
[164/178] Deinstalling hyperscan-5.4.2...
[164/178] Deleting files for hyperscan-5.4.2: 100%
[165/178] Deinstalling libpfctl-0.11...
[165/178] Deleting files for libpfctl-0.11: 100%
[166/178] Deinstalling indexinfo-0.3.1...
[166/178] Deleting files for indexinfo-0.3.1: 100%
[167/178] Deinstalling pkg-1.19.2_1...
[167/178] Deleting files for pkg-1.19.2_1: 100%
[168/178] Deinstalling libnet-1.3,1...
[168/178] Deleting files for libnet-1.3,1: 100%
[169/178] Deinstalling libltdl-2.4.7...
[169/178] Deleting files for libltdl-2.4.7: 100%
[170/178] Deinstalling zip-3.0_2...
[170/178] Deleting files for zip-3.0_2: 100%
[171/178] Deinstalling mpd5-5.9_18...
[171/178] Deleting files for mpd5-5.9_18: 100%
[172/178] Deinstalling libucl-0.9.2...
[172/178] Deleting files for libucl-0.9.2: 100%
[173/178] Deinstalling libsodium-1.0.19...
[173/178] Deleting files for libsodium-1.0.19: 100%
[174/178] Deinstalling perl5-5.36.3_1...
[174/178] Deleting files for perl5-5.36.3_1: 100%
[175/178] Deinstalling oniguruma-6.9.9...
[175/178] Deleting files for oniguruma-6.9.9: 100%
[176/178] Deinstalling opnsense-lang-23.7.11...
[176/178] Deleting files for opnsense-lang-23.7.11: 100%
[177/178] Deinstalling pam_opnsense-24.1...
[177/178] Deleting files for pam_opnsense-24.1: 100%
[178/178] Deinstalling expat-2.6.2...
[178/178] Deleting files for expat-2.6.2: 100%
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/reference.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-ctrl-agent.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-dhcp4.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/keactrl.conf if it is no longer needed.
You may need to manually remove /usr/local/openssl/openssl.cnf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
make: "/tmp/opnsense-bootstrap/core-stable-25.1/Makefile" line 34: warning: Cannot build without CORE_PHP set
make: "/tmp/opnsense-bootstrap/core-stable-25.1/Makefile" line 34: warning: Cannot build without CORE_PYTHON set
make: "/tmp/opnsense-bootstrap/core-stable-25.1/Makefile" line 34: warning: Cannot build without CORE_PHP set
make: "/tmp/opnsense-bootstrap/core-stable-25.1/Makefile" line 34: warning: Cannot build without CORE_PYTHON set
Bootstrapping pkg from https://pkg.opnsense.org/FreeBSD:13:amd64/25.1/latest, please wait...
pkg: Error fetching https://pkg.opnsense.org/FreeBSD:13:amd64/25.1/latest/Latest/pkg.txz: Not Found
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.
#5
25.1, 25.4 Series / Reporting a plugin bug
March 20, 2025, 05:19:24 PM
OPNsense 25.1.3
os-theme-advanced 1.0_1

What's the best place to report a bug in this theme package? I see the package maintainer's email address in the package info, but I don't want to email somebody directly if there's a bug tracker set up somewhere.

I see there is a bug report on OPNsense's github, but it was closed as stale and I wonder if the maintainer doesn't look there.

https://github.com/opnsense/plugins/issues/4207
#6
I inherited a pair of firewalls running OPNsense 23.1.4_1. When I try upgrading from console or web, I get the error "Missing /usr/local/etc/pkg/repos/OPNsense.conf". I tried opnsense-bootstrap from the shell and I got this:

Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-1.21.3...
package pkg is already installed, forced install
Extracting pkg-1.21.3: 100%
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
fetch: https://github.com/opnsense/core/archive/stable/23.1.tar.gz: size of remote file is not known
/tmp/opnsense-bootstrap/core.tar.gz                   7624 kB 7826 kBps    01s
pkg: 146 packages installed
beep-1.0_1: already unlocked

Is there a way to get opnsense-bootstrap working or am I stuck doing a reinstall from iso?
I also tried opnsense-bootstrap -r 25.1 and it was similarly ineffective.
#7
25.1, 25.4 Series / Unexpected blocking and logging
February 24, 2025, 05:46:15 PM
Since upgrading to 25.1.1 (we didn't spend any time on 25.1) I'm seeing log entries that are unexpected for two reasons:

  • The entry indicates a block, but the rule description indicates a pass.
  • The indicated rule is not configured to be logged.

I didn't see these log entries on 24.7. Is this an expected change of behaviour?
#8
General Discussion / Unable to upgrade from 22.1
January 15, 2025, 05:52:45 PM
I was tasked today with upgrading a remote firewall that was running OPNsense 21.7.8. I upgraded to 22.1 in the web UI and it upgraded and rebooted without error. Now while trying to upgrade past 22.1 I get errors.

From web UI:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Wed Jan 15 09:40:23 MST 2025
Fetching changelog information, please wait... Missing /usr/local/etc/pkg/repos/OPNsense.conf
Repository not found: OPNsense
Updating FreeBSD repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries:
Newer FreeBSD version for package zziplib:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1304000
- running kernel: 1300523
Ignore the mismatch and continue? [y/N]: pkg: repository FreeBSD contains packages for wrong OS version: FreeBSD:13:amd64
Processing entries...
Unable to update repository FreeBSD
Error updating repositories!
pkg: Unknown repository: OPNsense
***DONE***

From shell:
# opnsense-update -u
Missing /usr/local/etc/pkg/repos/OPNsense.conf

# opnsense-bootstrap
This utility will attempt to turn this installation into the latest
OPNsense 22.1 release.  All packages will be deleted, the base
system and kernel will be replaced, and if all went well the system
will automatically reboot.

Proceed with this action? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-1.21.3...
package pkg is already installed, forced install
Extracting pkg-1.21.3: 100%
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
/tmp/opnsense-bootstrap/core.tar.gz                   7508 kB 9443 kBps    01s
pkg: 139 packages installed
beep-1.0_1: already unlocked

I also tried a health check from the GUI:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Wed Jan 15 09:46:54 MST 2025
>>> Check installed kernel version
Version 22.1 is correct.
Unverified consistency check for kernel: invalid /usr/local/opnsense/version/kernel.mtree.sig
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.1 is correct.
Unverified consistency check for base: invalid /usr/local/opnsense/version/base.mtree.sig
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages:
ca_root_nss-3.104: checksum mismatch for /etc/ssl/cert.pem
Checking all packages.......
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20150402
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20160104
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20160630
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20161210
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20170625
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20171219
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20180614
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20181218
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20190702
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20200119
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20200313
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20210104
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/trusted/pkg.opnsense.org.20210629
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/trusted/pkg.opnsense.org.20210903
opnsense-22.1: missing file /usr/local/etc/pkg/repos/FreeBSD.conf.sample
opnsense-22.1: missing file /usr/local/etc/pkg/repos/OPNsense.conf.sample
Checking all packages......... done
>>> Check for core packages consistency
Core package "opnsense" has 65 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.104 repository mismatch: FreeBSD
ca_root_nss-3.104 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20200512_1 has no upstream equivalent
Checking packages: .
dhcpleases-0.2 has no upstream equivalent
Checking packages: .
dnsmasq-2.86_2,1 has no upstream equivalent
Checking packages: .
dpinger-3.0 has no upstream equivalent
Checking packages: .
expiretable-0.6_2 has no upstream equivalent
Checking packages: .
filterlog-0.6 has no upstream equivalent
Checking packages: .
flock-2.37.2 has no upstream equivalent
Checking packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking packages: .
hostapd-2.10 has no upstream equivalent
Checking packages: .
ifinfo-13.0 has no upstream equivalent
Checking packages: .
iftop-1.0.p4 has no upstream equivalent
Checking packages: .
isc-dhcp44-relay-4.4.2P1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.2P1_1 has no upstream equivalent
Checking packages: .
lighttpd-1.4.63 has no upstream equivalent
Checking packages: .
monit-5.29.0_1 has no upstream equivalent
Checking packages: .
mpd5-5.9_6 has no upstream equivalent
Checking packages: .
ntp-4.2.8p15_4 has no upstream equivalent
Checking packages: .
openssh-portable-8.8.p1_1,1 has no upstream equivalent
Checking packages: .
openssl-1.1.1m_1,1 has no upstream equivalent
Checking packages: .
openvpn-2.5.5 has no upstream equivalent
Checking packages: .
opnsense-22.1 has no upstream equivalent
Checking packages: .
opnsense-installer-22.1 has no upstream equivalent
Checking packages: .
opnsense-lang-21.7.8 has no upstream equivalent
Checking packages: .
opnsense-update-22.1 has no upstream equivalent
Checking packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking packages: .
pftop-0.7_9 has no upstream equivalent
Checking packages: .
php74-ctype-7.4.27 has no upstream equivalent
Checking packages: .
php74-curl-7.4.27 has no upstream equivalent
Checking packages: .
php74-dom-7.4.27 has no upstream equivalent
Checking packages: .
php74-filter-7.4.27 has no upstream equivalent
Checking packages: .
php74-gettext-7.4.27 has no upstream equivalent
Checking packages: .
php74-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php74-json-7.4.27 has no upstream equivalent
Checking packages: .
php74-ldap-7.4.27 has no upstream equivalent
Checking packages: .
php74-openssl-7.4.27 has no upstream equivalent
Checking packages: .
php74-pdo-7.4.27 has no upstream equivalent
Checking packages: .
php74-pecl-radius-1.4.0b1_1 has no upstream equivalent
Checking packages: .
php74-phalcon4-4.1.3 has no upstream equivalent
Checking packages: .
php74-phpseclib-2.0.35 has no upstream equivalent
Checking packages: .
php74-session-7.4.27 has no upstream equivalent
Checking packages: .
php74-simplexml-7.4.27 has no upstream equivalent
Checking packages: .
php74-sockets-7.4.27 has no upstream equivalent
Checking packages: .
php74-sqlite3-7.4.27 has no upstream equivalent
Checking packages: .
php74-xml-7.4.27 has no upstream equivalent
Checking packages: .
php74-zlib-7.4.27 has no upstream equivalent
Checking packages: .
pkg-1.21.3 repository mismatch: unknown-repository
pkg-1.21.3 has no upstream equivalent
Checking packages: .
py38-Jinja2-3.0.1 has no upstream equivalent
Checking packages: .
py38-dnspython2-2.2.0 has no upstream equivalent
Checking packages: .
py38-netaddr-0.8.0 has no upstream equivalent
Checking packages: .
py38-requests-2.25.1 has no upstream equivalent
Checking packages: .
py38-sqlite3-3.8.12_7 has no upstream equivalent
Checking packages: .
py38-ujson-5.0.0 has no upstream equivalent
Checking packages: .
radvd-2.19_1 has no upstream equivalent
Checking packages: .
rrdtool-1.7.2_4 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
squid-4.15 has no upstream equivalent
Checking packages: .
strongswan-5.9.4 has no upstream equivalent
Checking packages: .
sudo-1.9.8p2 has no upstream equivalent
Checking packages: .
suricata-6.0.4_1 has no upstream equivalent
Checking packages: .
syslog-ng-3.35.1 has no upstream equivalent
Checking packages: .
unbound-1.14.0 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.10 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***

Where do I go from here? I'm off site, so any remote rescue option is preferred at this point and the firewall is still running and accessible. If I brick the thing I can get remote hands, but I'd prefer not to delegate a fresh install from USB if I can avoid it.
#9
To reproduce (tested on OPNsense 24.7.9_1 and Windows NPS):

  • Configure a pair of OPNsense hosts in HA and set "Auth Servers" to sync in System: High Availability: Settings
  • Configure a RADIUS server in System: Access: Servers
  • Configure a RADIUS server and add both OPNsense hosts as clients
  • Synchronise config to backup in System: High Availability: Status
  • Attempt to log into configuration master with a RADIUS account, then into the peer

Result:
The RADIUS logs will show two login attempts, one from each client, and both with identical NAS Identifier. Even if the first login attempt is successful, the second one will fail due to the duplicated NAS ID.

Expected Result:
If I use HA/XMLRPC sync to keep my Authentication Server settings synchronised between two hosts, the NAS ID should not be copied.

Recommended Change:
The second peer should have some mechanism to generate its own unique NAS ID if a RADIUS server is created by XMLRPC sync.
#10
I have my RADIUS server set to automatically create users. This works fine, except the user is created with a shell of /usr/sbin/nologin. Is there a way to make this something different so a new user can log in via SSH without first having to log into the web UI and change the shell?
#11
OPNsense 24.7.7

This firewall host has a WAN interface (lagg0_vlan17) with a publicly routable IPv4 address and multiple LAN interfaces. I created a floating rule to prevent packets with rfc5735 (local and invalid) destination addresses from being leaked on to the internet. I also created an outbound rule on the WAN as a last-resort catch-all rule for the same purpose. These two rules look like this:

block return in inet from any to <rfc5735> label "c66bd7ebe022fedb2fdd2d7bdfbf7ee5"
block drop out log quick on lagg0_vlan17 inet from any to <rfc5735> label "f8905c704b9481e346fca8eebfa98578"


To my surprise, I'm seeing packets logged by the second rule. I believed that packets would be evaluated against 'in' rules as they entered an interface, and against 'out' rules as they exited an interface. If this assumption is correct, then only packets originating from the firewall itself should match the second rule, as any packets from local hosts should have matched the first rule at ingress and been dropped. Yet I'm seeing packets in the log that did not originate from the firewall. So what have I got wrong?
#12
I set up an nginx reverse proxy to handle requests to OPNsense's web UI. This appears to work well so far, except that the CPU, Firewall and Traffic graphs on the dashboard don't display any data. This isn't my area of expertise, so can anyone recommend any modifications to my nginx config to get these graphs to display properly?
server {
    listen 80;
    server_name opnsense.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name opnsense.example.org;

    location / {
        proxy_pass http://172.31.0.1;
    }
}
#13
OPNsense 24.7 DVD/ISO installer on VMware 7.0U2 v19 virtual machine

I created a new VM and booted it from the installer ISO in UEFI mode. It boots fine, then I log in as "installer". It asks me on which device to install OPNsense, and I choose a ZFS install type "stripe". I choose the only device available, da0, which is an 8-GB virtual disk that I created as new with the VM. It warns me that the disk will be wiped and I select YES. Then I get the attached error (also quoted in subject).

Some web searches didn't turn up much, so I shut down the VM, increased the disk size to 10 GB and tried again. This time the installer succeeded, but 'zpool list' shows that ZROOT is only 2 GB. What do I have to do to get the installer to use the whole virtual disk?

#14
24.7, 24.10 Legacy Series / ISC DHCP secondary pool
November 04, 2024, 09:45:42 PM
I have an OPNsense pair configured in HA. I have an existing subnet with a CARP IP and ISC DHCP server running:
Interface: opt14
CARP address: 10.13.4.1/24
VHID: 134
DHCP Range: 10.13.4.100 - 10.13.4.199


So far this works as expected and the DHCP server serves leases on the primary subnet.

I need to run a second DHCP pool on this same interface but a different subnet. I created a VIP on the new subnet using the same VHID as the CARP interface:
Interface: opt14
VIP: 172.31.0.254/24
VHID: 134


Then I added a secondary pool to the DHCP server on this interface:
Range: 172.31.0.16 - 172.31.0.32

As soon as I save the change, the DHCP service stops and the log shows:
bad range, address 172.31.0.16 not in subnet 10.13.4.0 netmask 255.255.255.0

What am I doing wrong?
Is there a way to achieve what I'm trying to do?
#15
General Discussion / Download historical configs
November 01, 2024, 07:51:29 PM
When I navigate to System > Configuration > History I can see a long history of config changes. I know I can select them 1 by 1 and download them, but is there a way to grab all of them off the filesystem? Are they stored individually?
#16
24.7, 24.10 Legacy Series / ISC DHCP bind interfaces
October 15, 2024, 11:59:27 PM
The documentation says
"If you want to tryout KEA in OPNsense, just disable the legacy dhcp server on the specific interface and go to the KEA DHCP menu available under Services ‣ Kea DHCP."
This is incorrect in my experience, as I disabled ISC DHCP server on a single interface and then enabled KEA DHCP server on the same interface. Clients failed to get a lease and the KEA log shows this:
2024-10-15T17:31:45-04:00 Warning kea-dhcp4 WARN [kea-dhcp4.dhcpsrv.0x13d887012000] DHCPSRV_NO_SOCKETS_OPEN no interface configured to listen to DHCP traffic
2024-10-15T17:31:45-04:00 Warning kea-dhcp4 WARN [kea-dhcp4.dhcpsrv.0x13d887012000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface lagg0_vlan152, reason: failed to bind fallback socket to address 10.15.2.1, port 67, reason: Address already in use - is another DHCP server running?


This is confirmed in the shell:
# sockstat -l4 | grep 67
dhcpd    dhcpd      42491 23  udp4   *:67                  *:*


Is there a way to force ISC DHCP server to bind only to interfaces where it is enabled so that KEA can be bound to others?
#17
I have 4 OPNsense firewalls with tailscale installed from mimugmail's repository. 3 of them work as expected, where the tailscaled service starts after boot. The 4th does not, and I have to get remote hands to start it for me.

The main difference I'm aware of between this one and the other three is that the other three had tailscale built from ports before I switched them to mimugmail's repo.

I have run service tailscaled enable and I can see tailscaled_enable="YES" in /etc/rc.conf. I'm not sure what else to check. What else should I be looking for to see why the service doesn't start at boot?
#18
I'm trying to find out what CPU architecture the Sonicwall Supermassive 9800 has, and more specifically, whether one might have any hope of installing OPNsense on it, but this information is elusive, and as far as I can tell nobody has talked publicly about trying it.

It appears the rest of the 9000 series uses a Marvell Octeon chip, but not the 9800. Anybody know what's in this behemoth?

(Octeon in the 9600) https://www.itpro.com/server/20258/dell-sonicwall-supermassive-9600-review

(64 cores in the 9800) https://www.sonicwall.com/medialibrary/en/datasheet/datasheet-sonicwall-supermassive-series.pdf

(Up to 32 cores in Octeon) https://www.marvell.com/products/data-processing-units.html

(9800 is different from 9000 series) https://www.reddit.com/r/sonicwall/comments/oa732o/supermassive_9800/
#19
Hardware and Performance / 2.5 GBE card recommendation
September 14, 2023, 09:40:56 PM
I've just ordered an internet upgrade. The new cable modem includes a 2.5 GBE LAN port, so my trusty OPNsense firewall is going to need an expansion card to connect. What is the consensus on good hardware? I know some users have reported problems with certain Intel chipsets, and I'm not interested in cheap hardware a la Realtek, TP Link or whatever.

Here are my priorities:

  • Compatibility (currently using a Cisco ASA 5525-X with a PCIe slot)
  • Stability
  • Performance
  • Efficiency
  • Upgradability (10 GBE compatibility?)
  • Price

What do people recommend? Alternatively, am I better off just ditching the ASA for something with 2.5 GBE on board? I don't want to spend a bundle, but I know the ASA isn't super power efficient. I do like having lots of physical ports though.
#20
OPNsense 23.1.6-amd64

I have not been able to get the latest update. I've tried every method I know of, but they all time out.

Web UI:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.1.6 at Thu May 18 17:25:10 MDT 2023
Fetching changelog information, please wait... Missing /usr/local/etc/pkg/repos/OPNsense.conf
fetch: transfer timed out
Updating FreeBSD repository catalogue...
pkg: http://pkgmir.geo.freebsd.org/FreeBSD:13:amd64/quarterly/meta.txz: Operation timed out
repository FreeBSD has no meta file, using default settings
pkg: http://pkgmir.geo.freebsd.org/FreeBSD:13:amd64/quarterly/packagesite.pkg: Operation timed out
pkg: http://pkgmir.geo.freebsd.org/FreeBSD:13:amd64/quarterly/packagesite.txz: Operation timed out
Unable to update repository FreeBSD
Error updating repositories!
pkg: Unknown repository: OPNsense
***DONE***


# /usr/local/opnsense/scripts/firmware/connection.sh
Checking connectivity for host: mirror.sfo12.us.leaseweb.net -> 209.58.135.187
PING 209.58.135.187 (209.58.135.187): 1500 data bytes
1508 bytes from 209.58.135.187: icmp_seq=0 ttl=58 time=45.525 ms
1508 bytes from 209.58.135.187: icmp_seq=1 ttl=58 time=45.178 ms
1508 bytes from 209.58.135.187: icmp_seq=2 ttl=58 time=45.760 ms
1508 bytes from 209.58.135.187: icmp_seq=3 ttl=58 time=45.671 ms

--- 209.58.135.187 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 45.178/45.534/45.760/0.222 ms
Checking connectivity for repository (IPv4): http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...


# opnsense-bootstrap
This utility will attempt to turn this installation into the latest
OPNsense 23.1 release.  All packages will be deleted, the base
system and kernel will be replaced, and if all went well the system
will automatically reboot.

Proceed with this action? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-1.19.1_1...
package pkg is already installed, forced install
Extracting pkg-1.19.1_1: 100%
Updating FreeBSD repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01   
pkg: http://pkgmir.geo.freebsd.org/FreeBSD:13:amd64/quarterly/packagesite.pkg: Operation timed out
pkg: http://pkgmir.geo.freebsd.org/FreeBSD:13:amd64/quarterly/packagesite.txz: Operation timed out
Unable to update repository FreeBSD
Error updating repositories!


# opnsense-update -bkp
Missing /usr/local/etc/pkg/repos/OPNsense.conf


I can ping the mirror, pkg.freebsd.org and any other internet host from the OPNsense shell no problem. LAN hosts have functioning internet. I'm not sure how I got here, but I suppose the next step is to install from USB with config recovery unless somebody has a better suggestion.