Topics - arkanoid

#1
Hello

I want to have the OPNsense web config served on the LAN and WG interfaces, and leave WAN for haproxy, but if a WireGuard interface is selected in "System: Settings: Administration" as the listening interface for HTTPS, it is ignored at boot, although it works when applied manually after boot.

"sockstat -4 -l" shows that lighttpd is NOT listening on the WireGuard interface after boot.

So I have a configuration that works before rebooting, and works again after boot if and only if I reapply the very same listening interface preferences.

How can I fix this?

Thanks
#2
Current WireGuard integration kills all existing connection states on WireGuard network(s) as soon as "apply" is clicked in web GUI, for example when adding or removing a peer from an existing network. This is quite disruptive.

WireGuard is capable of applying a new configuration on a running configuration via the syncconf command, see

https://man.freebsd.org/cgi/man.cgi?query=wg-quick&apropos=0&sektion=0&manpath=FreeBSD+12.2-RELEASE+and+Ports&arch=default&format=html


https://serverfault.com/questions/1101002/wireguard-client-addition-without-restart
#3
Hello

Like the title says, it seems that opn is trying to start zabbix_agentd before the interfaces it's listening on are up.

I solve this by just clicking the play button in home dashboard after the firewall is up.

The question is, what's the proper way to fix this:
- listen on all local IPs but add a firewall rule (removes the need for binding completely)
- reorder service start or apply preconditions (how?)

Considering it's an OPNsense package and there's even a web GUI for it, I'd say it requires a more general solution.

Thanks
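Both posts #1 and #3 describe the same symptom from a defender's point of view: a daemon (lighttpd for the web GUI, zabbix_agentd for monitoring) comes up at boot without binding the address it is expected to serve, and nobody notices until something breaks. The following is an added example, not code from the forum posts or from the OPNsense project: it parses the output of FreeBSD's `sockstat -4 -l` and reports which expected local addresses a given daemon is not listening on, so the check can be run after every boot (for example from cron) instead of being discovered by hand. The sample sockstat output is constructed; the command names `lighttpd` and `zabbix_agentd` are assumed to appear as they do in sockstat's COMMAND column, and `10.10.0.1` is a placeholder for a WireGuard interface address.

```python
"""Post-boot listener check: verify that a daemon is bound to every expected
local address, using FreeBSD `sockstat -4 -l` output.

Added example, not from the forum posts. Assumes sockstat's column layout
USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS (extra trailing
columns on newer releases are ignored).
"""
import subprocess
from typing import Dict, Iterable, List, Set

# Constructed sample output, mimicking `sockstat -4 -l` on an OPNsense box.
# 10.10.0.1 (the WireGuard address) is deliberately absent for lighttpd to
# reproduce the "listener silently missing after boot" condition.
SAMPLE_SOCKSTAT = """\
USER     COMMAND        PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd       2410  6  tcp4   192.168.1.1:443       *:*
root     lighttpd       2410  7  tcp4   192.168.1.1:80        *:*
root     sshd           1980  4  tcp4   *:22                  *:*
zabbix   zabbix_agentd  3001  5  tcp4   192.168.1.1:10050     *:*
root     unbound        1700  5  udp4   192.168.1.1:53        *:*
"""


def parse_sockstat(text: str) -> List[Dict[str, str]]:
    """Turn sockstat output into one dict per listening socket.

    Lines are split on whitespace; the header line (starting with USER) and
    anything with fewer than seven fields are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, _foreign = parts[:7]
        # LOCAL ADDRESS is host:port; rpartition keeps "*" as the host for "*:22".
        host, _, port = local.rpartition(":")
        rows.append({"user": user, "command": command, "pid": pid,
                     "proto": proto, "host": host, "port": port})
    return rows


def listening_hosts(rows: Iterable[Dict[str, str]], command: str, port: str) -> Set[str]:
    """Local hosts on which `command` has a TCP listener on `port`."""
    return {r["host"] for r in rows
            if r["command"] == command and r["port"] == port
            and r["proto"].startswith("tcp")}


def missing_listeners(rows: Iterable[Dict[str, str]], command: str, port: str,
                      expected_hosts: Iterable[str]) -> Set[str]:
    """Expected addresses that `command` is NOT bound to on `port`.

    A wildcard bind ("*") covers every address, so nothing is reported then.
    """
    actual = listening_hosts(rows, command, port)
    if "*" in actual:
        return set()
    return set(expected_hosts) - actual


def report(rows: Iterable[Dict[str, str]], checks: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Build human-readable lines for each (command -> {port: expected hosts}) check."""
    rows = list(rows)
    lines = []
    for command, ports in checks.items():
        for port, hosts in ports.items():
            missing = missing_listeners(rows, command, port, hosts)
            status = "OK" if not missing else "MISSING " + ", ".join(sorted(missing))
            lines.append(f"{command}:{port} {status}")
    return lines


def live_sockstat() -> str:
    """Run the real sockstat; falls back to the constructed sample off-box."""
    try:
        return subprocess.run(["sockstat", "-4", "-l"], check=True,
                              capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_SOCKSTAT


if __name__ == "__main__":
    # Expected bindings: LAN address plus the (placeholder) WireGuard address.
    CHECKS = {
        "lighttpd": {"443": {"192.168.1.1", "10.10.0.1"}},
        "zabbix_agentd": {"10050": {"192.168.1.1"}},
    }
    for line in report(parse_sockstat(live_sockstat()), CHECKS):
        print(line)
```

Run it from cron a minute or two after boot and alert on any line containing MISSING; on the box itself it uses the real `sockstat -4 -l` output, elsewhere it falls back to the constructed sample. The wildcard rule matters for the "listen on all local IPs plus a firewall rule" option from post #3: a `*:10050` bind satisfies every expected host, and the firewall, not the bind, then restricts reachability.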
#4
As the title says, I have to reboot my firewall every ~7 days as the OOM Killer kicks in and kills all processes, leaving only the kernel and nothing else (ssh and web interface are killed too).

OPNsense 22.1.2_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1m 14 Dec 2021

Please find attached the result of these commands executed with an uptime of 30h

df -h

vmstat -z | tail +3 | awk -F '[:,] *' 'BEGIN { total=0; cache=0; used=0 } {u = $2 * $4; c = $2 * $5; t = u + c; cache += c; used += u; total += t; name=$1; gsub(" ", "_", name); print t, name, u, c} END { print total, "TOTAL", used, cache } ' | sort -n | perl -a -p -e 'while (($j, $_) = each(@F)) { 1 while s/^(-?\d+)(\d{3})/$1,$2/; print $_, " "} print "\n"' | column -t

vmstat -o | sort -nr | head -n 3000

vmstat -m | sort -rk3


more attachments in the next posts
#5
Hello

Whenever I need to change a firewall rule table while using a mobile device (over vpn, of course  :P) I find myself struggling with a web page that refuses to work properly.

I am using a mobile device that has a higher resolution (and obviously higher DPI) than my fullhd desktop, but no matter if I use the "desktop mode" on mobile, or different mobile browsers, or landscape mode, the rules table shows only the "Protocol", "Source", "Description" and buttons columns and doesn't scroll to the right.
I end up having to guess the right rule based on only this info.

Apart from that it works, but I'd be happy if the "Description" column were exchanged with "Destination", at least.  :'(

Is there anything I can do? Thanks
#6
I've been trying to track down a problem that causes my OPNsense box *Intel(R) Xeon(R) Gold 6130 CPU @ 2.10GHz (1 cores, 1 threads), 4GB ram* running in VMware to suddenly go into a killing spree and kill all processes (including ssh access), forcing me to hard reboot it.

The problem is impossible to predict: it happened today at 4:45 AM (GMT+1) when load was relatively low compared to daytime.
Before this event, I had it twice one month ago. After that I doubled the amount of ram (2GB -> 4GB), disabled swap (to exclude it from the causes), and upgraded OPNsense to the latest version. But the problem is still here.

Please find attached a screenshot of the terminal before hard-restarting the virtual machine that clearly shows the killing spree. This is the only proof I have of the event, as the logs have no trace of the problem: # grep -r swap /var/log/ returns nothing, and manual exploration of the log files both via terminal and web GUI shows no relevant events before the time of the incident, but the VGA screenshot shows it (I guess the killing spree kills the logging too?).

The firewall has the swap file disabled (System: Settings: Miscellaneous).
This is /etc/fstab:
# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/gpt/rootfs /               ufs     rw,noatime      1       1


No IDS, no IPS, just wireguard running and many peers connected and exchanging data.

The firewall is externally monitored by:
- hypervisor (VMware)
- zabbix
So I have minute-by-minute graphs of the memory usage for weeks from both sources, which clearly confirm the firewall uses <1GB ram the whole time. Please find attached both memory charts for the day of the incident (zabbix shows a large hole, that's just the zabbix agent not starting automatically at boot, so I started it manually later).

The single CPU has an average idle time > 40% according to zabbix and the web GUI (but always 100% according to the hypervisor, yet to understand why). Please find attached the relative chart.

This is what I've found so far that seems linked to the problem, but actually I have zero clue:
- https://lists.freebsd.org/pipermail/freebsd-current/2019-September/074310.html
  - and this mail in particular: https://lists.freebsd.org/pipermail/freebsd-current/2019-September/074322.html
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241048
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231457

I've no clear idea about what's happening here, so I'm just guessing and applying potential solutions. What I'm trying now is:
# sysctl vm.pfault_oom_attempts=10
vm.pfault_oom_attempts: 3 -> 10


Any idea? Thanks