1
22.7 Production Series / ping?
« on: November 30, 2022, 06:22:05 pm »
https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc
...anything to be done/known on this?
...anything to be done/known on this?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
22.7 Production Series / Error: DEVD: Ethernet attached
« on: November 26, 2022, 11:57:26 am »
Hi!
Have here a "Service" interface on a OPNsense (yesterday updated from 22.7.7_1 to 22.7.8 btw) which is only used from time to time (as the name might insinuate). Today I plugged in a client to interface and got a
...which reset all my other interfaces, interrupting traffic, due to flapping interface some seconds later:
Annoying... :-(
Have here a "Service" interface on a OPNsense (yesterday updated from 22.7.7_1 to 22.7.8 btw) which is only used from time to time (as the name might insinuate). Today I plugged in a client to interface and got a
Code: [Select]
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)...which reset all my other interfaces, interrupting traffic, due to flapping interface some seconds later:
Code: [Select]
2022-11-26T11:03:41 Notice flowd_aggregate.py vacuum done
2022-11-26T11:01:00 Notice root reload filter for configured schedules
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: 10.100.10.99) (interface: Service[opt3]) (real interface: igb1).
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)
2022-11-26T11:00:46 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt3(igb1)
2022-11-26T11:00:11 Notice opnsense plugins_configure newwanip (execute task : webgui_configure_do(,opt3))
2022-11-26T11:00:11 Notice opnsense plugins_configure newwanip (execute task : vxlan_configure_do())
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: warning: ignoring missing default tunable request: debug.pfftpproxy
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : unbound_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : openssh_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : opendns_configure_do())
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : ntpd_configure_do())
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : dyndns_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : dnsmasq_configure_do())
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (,opt3)
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface Service.
2022-11-26T11:00:10 Notice opnsense plugins_configure vpn (execute task : openvpn_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure vpn (execute task : ipsec_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure vpn (,opt3)
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: IP address renew, killing all previous states
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: Adding static route for monitor 1.1.1.1 via xx.xxxx.xxx.xxx
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: Removing static route for monitor 1.1.1.1 via 83.248.112.1
2022-11-26T11:00:09 Notice opnsense plugins_configure monitor (execute task : dpinger_configure_do(,))
2022-11-26T11:00:09 Notice opnsense plugins_configure monitor (,)
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: skipping IPv4 default route
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'opt3'
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: 10.0.1.199) (interface: Service[opt3]) (real interface: igb1).
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)Annoying... :-(
3
22.7 Production Series / openSSL 3.0.7 - any timelines yet?
« on: November 01, 2022, 11:15:58 am »4
22.7 Production Series / OS ddclient - How to use an URL provided by the DynDNS service in "custom"?
« on: October 03, 2022, 12:48:59 pm »
Hy!
As an extenstion to this here:
https://forum.opnsense.org/index.php?topic=26446.299
In "custom" (GUI) there is absolutely no way to add a single update URL-Username-PW-Domain provided by the DynDNS service of my choice?
Can anybody help out on this?
Is it possible to install both old and new plugin at the same time and use both?
As an extenstion to this here:
https://forum.opnsense.org/index.php?topic=26446.299
In "custom" (GUI) there is absolutely no way to add a single update URL-Username-PW-Domain provided by the DynDNS service of my choice?
Can anybody help out on this?
Is it possible to install both old and new plugin at the same time and use both?
5
22.1 Legacy Series / Switch to openSSL failed - system borked
« on: July 10, 2022, 12:30:55 pm »
Hy!
I was on LibreSSL 22.1.10 and wanted to switch to openSSL from GUI, but something failed:
I waited 15 min, went in via serial and rebooted. Comes back, but
- tunnels work only in one direction
- "starting webGUI.... failed" (no acces to GUI)
etc pp
I tried
rebooted and afterwards updated from console again, reboot, same difference, starting webGUI fails and FW not fully functional.
Is there any way to validate all packages from serial and re-install if necessary?
I was on LibreSSL 22.1.10 and wanted to switch to openSSL from GUI, but something failed:
Code: [Select]
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.10 (amd64/LibreSSL) at Sun Jul 10 10:49:15 CEST 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (45 candidates): .......... done
Processing candidates (45 candidates): ...... done
The following 27 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
openssl: 1.1.1q,1
Installed packages to be REINSTALLED:
cpdup-1.22 (direct dependency changed: openssl)
curl-7.84.0 (direct dependency changed: openssl)
cyrus-sasl-2.1.28 (direct dependency changed: openssl)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl)
hostapd-2.10_5 (direct dependency changed: openssl)
isc-dhcp44-server-4.4.2P1_1 (direct dependency changed: openssl)
krb5-1.20 (direct dependency changed: openssl)
ldns-1.8.1 (direct dependency changed: openssl)
libevent-2.1.12 (direct dependency changed: openssl)
libfido2-1.11.0 (direct dependency changed: openssl)
lighttpd-1.4.65 (direct dependency changed: openssl)
monit-5.32.0 (direct dependency changed: openssl)
mpd5-5.9_9 (direct dependency changed: openssl)
ntp-4.2.8p15_5 (direct dependency changed: openssl)
openldap24-client-2.4.59_4 (direct dependency changed: openssl)
openssh-portable-8.9.p1_4,1 (direct dependency changed: openssl)
openvpn-2.5.7 (direct dependency changed: openssl)
opnsense-update-22.1.9 (direct dependency changed: openssl)
php74-openssl-7.4.30 (direct dependency changed: openssl)
py39-cryptography-3.4.8 (direct dependency changed: openssl)
python39-3.9.13 (direct dependency changed: openssl)
squid-4.15 (direct dependency changed: openssl)
strongswan-5.9.6_2 (direct dependency changed: openssl)
syslog-ng-3.37.1 (direct dependency changed: openssl)
unbound-1.16.0 (direct dependency changed: openssl)
wpa_supplicant-2.10_6 (direct dependency changed: openssl)
Number of packages to be installed: 1
Number of packages to be reinstalled: 26
The process will require 14 MiB more space.
36 MiB to be downloaded.
[1/27] Fetching wpa_supplicant-2.10_6.pkg: .......... done
[2/27] Fetching unbound-1.16.0.pkg: .......... done
[3/27] Fetching syslog-ng-3.37.1.pkg: .......... done
[4/27] Fetching strongswan-5.9.6_2.pkg: .......... done
[5/27] Fetching squid-4.15.pkg: .......... done
[6/27] Fetching python39-3.9.13.pkg: .......... done
[7/27] Fetching py39-cryptography-3.4.8.pkg: .......... done
[8/27] Fetching php74-openssl-7.4.30.pkg: ........ done
[9/27] Fetching opnsense-update-22.1.9.pkg: ..... done
[10/27] Fetching openvpn-2.5.7.pkg: .......... done
[11/27] Fetching openssh-portable-8.9.p1_4,1.pkg: .......... done
[12/27] Fetching openldap24-client-2.4.59_4.pkg: .......... done
[13/27] Fetching ntp-4.2.8p15_5.pkg: .......... done
[14/27] Fetching mpd5-5.9_9.pkg: .......... done
[15/27] Fetching monit-5.32.0.pkg: .......... done
[16/27] Fetching lighttpd-1.4.65.pkg: .......... done
[17/27] Fetching libfido2-1.11.0.pkg: .......... done
[18/27] Fetching libevent-2.1.12.pkg: .......... done
[19/27] Fetching ldns-1.8.1.pkg: .......... done
[20/27] Fetching krb5-1.20.pkg: .......... done
[21/27] Fetching isc-dhcp44-server-4.4.2P1_1.pkg: .......... done
[22/27] Fetching hostapd-2.10_5.pkg: .......... done
[23/27] Fetching cyrus-sasl-gssapi-2.1.28.pkg: .... done
[24/27] Fetching cyrus-sasl-2.1.28.pkg: .......... done
[25/27] Fetching curl-7.84.0.pkg: .......... done
[26/27] Fetching cpdup-1.22.pkg: .... done
[27/27] Fetching openssl-1.1.1q,1.pkg: .......... done
Checking integrity... done (1 conflicting)
- openssl-1.1.1q,1 conflicts with libressl-3.3.6 on /usr/local/bin/openssl
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 28 package(s) will be affected (of 0 checked):
Installed packages to be REMOVED:
libressl: 3.3.6
New packages to be INSTALLED:
openssl: 1.1.1q,1
Installed packages to be REINSTALLED:
cpdup-1.22 (direct dependency changed: openssl)
curl-7.84.0 (direct dependency changed: openssl)
cyrus-sasl-2.1.28 (direct dependency changed: openssl)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl)
hostapd-2.10_5 (direct dependency changed: openssl)
isc-dhcp44-server-4.4.2P1_1 (direct dependency changed: openssl)
krb5-1.20 (direct dependency changed: openssl)
ldns-1.8.1 (direct dependency changed: openssl)
libevent-2.1.12 (direct dependency changed: openssl)
libfido2-1.11.0 (direct dependency changed: openssl)
lighttpd-1.4.65 (direct dependency changed: openssl)
monit-5.32.0 (direct dependency changed: openssl)
mpd5-5.9_9 (direct dependency changed: openssl)
ntp-4.2.8p15_5 (direct dependency changed: openssl)
openldap24-client-2.4.59_4 (direct dependency changed: openssl)
openssh-portable-8.9.p1_4,1 (direct dependency changed: openssl)
openvpn-2.5.7 (direct dependency changed: openssl)
opnsense-update-22.1.9 (direct dependency changed: openssl)
php74-openssl-7.4.30 (direct dependency changed: openssl)
py39-cryptography-3.4.8 (direct dependency changed: openssl)
python39-3.9.13 (direct dependency changed: openssl)
squid-4.15 (direct dependency changed: openssl)
strongswan-5.9.6_2 (direct dependency changed: openssl)
syslog-ng-3.37.1 (direct dependency changed: openssl)
unbound-1.16.0 (direct dependency changed: openssl)
wpa_supplicant-2.10_6 (direct dependency changed: openssl)
Number of packages to be removed: 1
Number of packages to be installed: 1
Number of packages to be reinstalled: 26
The operation will free 5 MiB.
[1/28] Deinstalling libressl-3.3.6...
[1/28] Deleting files for libressl-3.3.6: .......... done
[2/28] Installing openssl-1.1.1q,1...
[2/28] Extracting openssl-1.1.1q,1: .......... done
[3/28] Reinstalling cyrus-sasl-2.1.28...
*** Updated user `cyrus'.
[3/28] Extracting cyrus-sasl-2.1.28: .......... done
ld-elf.so.1: Shared object "libcrypto.so.46" not found, required by "libsasl2.so.3"
WARNING: Users SASL passwords are in /usr/local/etc/sasldb2.db, keeping this file
[4/28] Reinstalling krb5-1.20...
[4/28] Extracting krb5-1.20: .......... done
[5/28] Reinstalling cyrus-sasl-gssapi-2.1.28...
[5/28] Extracting cyrus-sasl-gssapi-2.1.28: .......... done
[6/28] Reinstalling python39-3.9.13...
[6/28] Extracting python39-3.9.13: .......... done
[7/28] Reinstalling openldap24-client-2.4.59_4...
[7/28] Extracting openldap24-client-2.4.59_4: .......... done
[8/28] Reinstalling libfido2-1.11.0...
[8/28] Extracting libfido2-1.11.0: .......... done
[9/28] Reinstalling libevent-2.1.12...
[9/28] Extracting libevent-2.1.12: .......... done
[10/28] Reinstalling ldns-1.8.1...
[10/28] Extracting ldns-1.8.1: .......... done
[11/28] Reinstalling curl-7.84.0...
[11/28] Extracting curl-7.84.0: .......... done
[12/28] Reinstalling wpa_supplicant-2.10_6...
[12/28] Extracting wpa_supplicant-2.10_6: ....... done
[13/28] Reinstalling unbound-1.16.0...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[13/28] Extracting unbound-1.16.0: .......... done
[14/28] Reinstalling syslog-ng-3.37.1...
[14/28] Extracting syslog-ng-3.37.1: .......... done
[15/28] Reinstalling strongswan-5.9.6_2...
[15/28] Extracting strongswan-5.9.6_2: .......... done
[16/28] Reinstalling squid-4.15...
===> Creating groups.
Using existing group 'squid'.
===> Creating users
Using existing user 'squid'.
===> Creating homedir(s)
===> Pre-installation configuration for squid-4.15
[16/28] Extracting squid-4.15: .......... done
[17/28] Reinstalling py39-cryptography-3.4.8...
[17/28] Extracting py39-cryptography-3.4.8: .......... done
[18/28] Reinstalling php74-openssl-7.4.30...
[18/28] Extracting php74-openssl-7.4.30: ....... done
[19/28] Reinstalling opnsense-update-22.1.9...
[19/28] Extracting opnsense-update-22.1.9: .......... done
[20/28] Reinstalling openvpn-2.5.7...
===> Creating groups.
Using existing group 'openvpn'.
===> Creating users
Using existing user 'openvpn'.
[20/28] Extracting openvpn-2.5.7: .......... done
[21/28] Reinstalling openssh-portable-8.9.p1_4,1...
[21/28] Extracting openssh-portable-8.9.p1_4,1: .......... done
[22/28] Reinstalling ntp-4.2.8p15_5...
[22/28] Extracting ntp-4.2.8p15_5: .......... done
[23/28] Reinstalling mpd5-5.9_9...
[23/28] Extracting mpd5-5.9_9: .......... done
[24/28] Reinstalling monit-5.32.0...
[24/28] Extracting monit-5.32.0: ....... done
[25/28] Reinstalling lighttpd-1.4.65...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[25/28] Extracting lighttpd-1.4.65: .......... done
[26/28] Reinstalling isc-dhcp44-server-4.4.2P1_1...
===> Creating groups.
Using existing group 'dhcpd'.
===> Creating users
Using existing user 'dhcpd'.
[26/28] Extracting isc-dhcp44-server-4.4.2P1_1: .......... done
[27/28] Reinstalling hostapd-2.10_5...
[27/28] Extracting hostapd-2.10_5: ....... done
[28/28] Reinstalling cpdup-1.22...
[28/28] Extracting cpdup-1.22: ..... done
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
=====
Message from strongswan-5.9.6_2:
--
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
You may need to manually remove /usr/local/etc/squid/squid.conf if it is no longer needed.
=====
Message from php74-openssl-7.4.30:
--
===> NOTICE:
This port is deprecated; you may wish to reconsider installing it:
Upstream Security Support ends on 2022-11-28.
It is scheduled to be removed on or after 2022-11-29.
=====
Message from openvpn-2.5.7:
--
Note that OpenVPN now configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody"
when an unprivileged user account is desired.
It is advisable to review existing configuration files and
to consider adding/changing user openvpn and group openvpn.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/wpa_supplicant-2.10_6~e6514d9294.pkg
/var/cache/pkg/unbound-1.16.0~b0ce98a62f.pkg
/var/cache/pkg/wpa_supplicant-2.10_6.pkg
/var/cache/pkg/syslog-ng-3.37.1.pkg
/var/cache/pkg/unbound-1.16.0.pkg
/var/cache/pkg/syslog-ng-3.37.1~98768026d4.pkg
/var/cache/pkg/strongswan-5.9.6_2~6260112c56.pkg
/var/cache/pkg/squid-4.15~c27086003b.pkg
/var/cache/pkg/strongswan-5.9.6_2.pkg
/var/cache/pkg/python39-3.9.13.pkg
/var/cache/pkg/squid-4.15.pkg
/var/cache/pkg/python39-3.9.13~b5d0f3716f.pkg
/var/cache/pkg/py39-cryptography-3.4.8~6ddce83b0d.pkg
/var/cache/pkg/openvpn-2.5.7~01aca630fd.pkg
/var/cache/pkg/py39-cryptography-3.4.8.pkg
/var/cache/pkg/php74-openssl-7.4.30~9669450425.pkg
/var/cache/pkg/php74-openssl-7.4.30.pkg
/var/cache/pkg/opnsense-update-22.1.9~8c1dd641be.pkg
/var/cache/pkg/opnsense-update-22.1.9.pkg
/var/cache/pkg/openvpn-2.5.7.pkg
/var/cache/pkg/openssh-portable-8.9.p1_4,1~fdb7116663.pkg
/var/cache/pkg/ntp-4.2.8p15_5~719fdd4cdd.pkg
/var/cache/pkg/openssh-portable-8.9.p1_4,1.pkg
/var/cache/pkg/openldap24-client-2.4.59_4~ecb33470b6.pkg
/var/cache/pkg/openldap24-client-2.4.59_4.pkg
/var/cache/pkg/cyrus-sasl-2.1.28.pkg
/var/cache/pkg/ntp-4.2.8p15_5.pkg
/var/cache/pkg/mpd5-5.9_9~de33bbccee.pkg
/var/cache/pkg/mpd5-5.9_9.pkg
/var/cache/pkg/monit-5.32.0~a3aefc50bd.pkg
/var/cache/pkg/monit-5.32.0.pkg
/var/cache/pkg/lighttpd-1.4.65~3e4378e989.pkg
/var/cache/pkg/lighttpd-1.4.65.pkg
/var/cache/pkg/libfido2-1.11.0~f3c0e296a0.pkg
/var/cache/pkg/libfido2-1.11.0.pkg
/var/cache/pkg/libevent-2.1.12~fa7d00b681.pkg
/var/cache/pkg/libevent-2.1.12.pkg
/var/cache/pkg/ldns-1.8.1~aab843e76a.pkg
/var/cache/pkg/ldns-1.8.1.pkg
/var/cache/pkg/krb5-1.20~db1413ee8e.pkg
/var/cache/pkg/krb5-1.20.pkg
/var/cache/pkg/isc-dhcp44-server-4.4.2P1_1~5ce4420159.pkg
/var/cache/pkg/hostapd-2.10_5~883681eac4.pkg
/var/cache/pkg/isc-dhcp44-server-4.4.2P1_1.pkg
/var/cache/pkg/hostapd-2.10_5.pkg
/var/cache/pkg/cyrus-sasl-gssapi-2.1.28~d91ea901ff.pkg
/var/cache/pkg/cyrus-sasl-2.1.28~6c510e1dc7.pkg
/var/cache/pkg/cyrus-sasl-gssapi-2.1.28.pkg
/var/cache/pkg/curl-7.84.0~69faf323b5.pkg
/var/cache/pkg/curl-7.84.0.pkg
/var/cache/pkg/cpdup-1.22~60e1aeeb9f.pkg
/var/cache/pkg/cpdup-1.22.pkg
/var/cache/pkg/openssl-1.1.1q,1~9c143ff4ad.pkg
/var/cache/pkg/openssl-1.1.1q,1.pkg
The cleanup will free 36 MiB
Deleting files: ........
I waited 15 min, went in via serial and rebooted. Comes back, but
- tunnels work only in one direction
- "starting webGUI.... failed" (no acces to GUI)
etc pp
I tried
Code: [Select]
opnsense-revert -r 22.1.9 opnsenserebooted and afterwards updated from console again, reboot, same difference, starting webGUI fails and FW not fully functional.
Is there any way to validate all packages from serial and re-install if necessary?
6
22.1 Legacy Series / updated to 22.1.8 - DEVD em detached for WAN every minute
« on: May 26, 2022, 01:05:14 pm »
...what a nightmare.
7
22.1 Legacy Series / No GUI access with Palemoon - Webserver sends no Change Cipher Spec
« on: March 24, 2022, 05:53:48 pm »
Hi!
Firefox latest connects fine to GUI of 22.1.3 Libressl (only TLS 1.3 CHACHA20Poly allowed as Cipher), but Palemoon 29.4.5 doen't get an adquate handshake and throws an error (SSL_ERROR_NO_CIPHER_OVERLAP).
Did a pc with Wireshark on FF and Palemoon, the obvious difference is that FF get a "Change Cipher Spec" package (package no. 8 ) on handshake and establishes the connection, while opnsense sends some strange package to Palemoon after Server Hello (package no. 13) , see attached.
Any ideas what is going wrong here?
Firefox latest connects fine to GUI of 22.1.3 Libressl (only TLS 1.3 CHACHA20Poly allowed as Cipher), but Palemoon 29.4.5 doen't get an adquate handshake and throws an error (SSL_ERROR_NO_CIPHER_OVERLAP).
Did a pc with Wireshark on FF and Palemoon, the obvious difference is that FF get a "Change Cipher Spec" package (package no. 8 ) on handshake and establishes the connection, while opnsense sends some strange package to Palemoon after Server Hello (package no. 13) , see attached.
Any ideas what is going wrong here?
8
22.1 Legacy Series / No traffic on LAN?
« on: March 20, 2022, 11:27:00 pm »
Hi!
Fresh install of 22.1 yesterday, switched to LibreSSL, suricata active, updated to 22.1.3 and imported imported my config (running on hardware, no VLANs).
Today suddenly no traffic on LAN between clients on LAN and GUI of opnsense not reachable. Other networks on opnsense doing fine.
I power-cycled the switches on LAN, not working, no access to GUI of opnsense or other clients on LAN.
Fun fact: client connected to LAN via wireguard tunnel from other opnsense could reach GUI of opnsense.
After reboot all back to normal. Nothing in the general logs (general, DHCP...). Any ideas where to look?
Fresh install of 22.1 yesterday, switched to LibreSSL, suricata active, updated to 22.1.3 and imported imported my config (running on hardware, no VLANs).
Today suddenly no traffic on LAN between clients on LAN and GUI of opnsense not reachable. Other networks on opnsense doing fine.
I power-cycled the switches on LAN, not working, no access to GUI of opnsense or other clients on LAN.
Fun fact: client connected to LAN via wireguard tunnel from other opnsense could reach GUI of opnsense.
After reboot all back to normal. Nothing in the general logs (general, DHCP...). Any ideas where to look?
9
22.1 Legacy Series / DHCPv4 won't start - error with unknown subnet
« on: January 30, 2022, 12:33:26 pm »
Hi!
I did a fresh install of 22.1 and imported my config from 21.7.7 (after changing interface names in config.xml, to adjust to new hardware). No GUI on interfaces. Reset to factory, switched to Libressl, installed all plugins present in the 21.7 install, imported config.xml and I got a GUI.
But DHCPv4 won't start, complaining:
the 10.20.20.2 is a legit IP in one of the subnets, however, the 192.168.169.0 is on NO interface configured, it's not even mentioned in config.xml.
Any ideas where to start?
I did a fresh install of 22.1 and imported my config from 21.7.7 (after changing interface names in config.xml, to adjust to new hardware). No GUI on interfaces. Reset to factory, switched to Libressl, installed all plugins present in the 21.7 install, imported config.xml and I got a GUI.
But DHCPv4 won't start, complaining:
Code: [Select]
bad range, 10.20.20.2 not in subnet 192.168.169.0 netmask 255.255.224 the 10.20.20.2 is a legit IP in one of the subnets, however, the 192.168.169.0 is on NO interface configured, it's not even mentioned in config.xml.
Any ideas where to start?
10
21.7 Legacy Series / Strange 250 states pattern...
« on: December 02, 2021, 05:23:31 pm »
Hi!
Have an install (WAN fiber with DHCP) with 1 openVPN and 1 WG tunnel and a Gigaset SIP phone as known, constant "activities" on the different LAN nets. All fine on latest 21.7.6. By chance I discovered today a strange pattern of states (250 at max) created for about 30 min, then "silence" for about 15 min. Day and night, see attached.
Any ideas what might cause this?
Have an install (WAN fiber with DHCP) with 1 openVPN and 1 WG tunnel and a Gigaset SIP phone as known, constant "activities" on the different LAN nets. All fine on latest 21.7.6. By chance I discovered today a strange pattern of states (250 at max) created for about 30 min, then "silence" for about 15 min. Day and night, see attached.
Any ideas what might cause this?
11
General Discussion / Why I don't like openssl...
« on: November 29, 2021, 04:47:09 pm »
https://www.openssl.org/blog/blog/2021/11/24/hiring-manager-and-developer/
No further questions....
Quote
...
Advantageous, but not required are:
an understanding of Cryptography;
an ability to write secure code;...
No further questions....
12
21.7 Legacy Series / DNS-over-TLS - are ISPs interfering?
« on: September 30, 2021, 06:16:15 pm »
Hi!
Have here two OPNsense latest (LibreSSL), both with DoT configured for longer time.
One simply fails to resolve from the beginning:
Therefore the other OPNsense is configured as DNS via a tunnel. This worked until today. Then this afternoon all of a sudden DNS failed on the other OPNsense completely, although 5 DoT servers are configured.
When I add 9.9.9.9 or mulvad DNS it starts to work again an the remote DNS (but not on the OPNsense initially failing during TLS handshake).
When I do a package capture on WAN (port 853) it looks like normal TLS 1.2 and 1.3 traffic with at least one remote IP (95.216.212.177), but DNSleaktest.com reports no functional DNS servers and in browser nothing loads (again: my usually working 5 DoT servers still configured).
The OPNsense is located in Northern Europe, most DNS servers I configured are located in Central Europe, but is there some kind of iron curtain for DoT troughout Europe?
WHY? Is the ISP interfering with DoT?
Have here two OPNsense latest (LibreSSL), both with DoT configured for longer time.
One simply fails to resolve from the beginning:
Code: [Select]
2021-09-30T17:59:02 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:02 unbound[30141] [30141:1] notice: ssl handshake failed 185.95.218.42 port 853
2021-09-30T17:59:02 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:01 unbound[30141] [30141:1] notice: ssl handshake failed 185.95.218.42 port 853
2021-09-30T17:59:01 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:01 unbound[30141] [30141:1] notice: ssl handshake failed 185.95.218.42 port 853
2021-09-30T17:59:01 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:01 unbound[30141] [30141:1] notice: ssl handshake failed 185.95.218.42 port 853
2021-09-30T17:59:01 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:01 unbound[30141] [30141:1] notice: ssl handshake failed 185.95.218.42 port 853
2021-09-30T17:59:01 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:01 unbound[30141] [30141:1] info: generate keytag query _ta-4f66. NULL IN
2021-09-30T17:59:01 unbound[30141] [30141:1] notice: ssl handshake failed 185.150.99.255 port 853
2021-09-30T17:59:01 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:01 unbound[30141] [30141:1] notice: ssl handshake failed 185.150.99.255 port 853
2021-09-30T17:59:01 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:01 unbound[30141] [30141:1] notice: ssl handshake failed 5.9.164.112 port 853
2021-09-30T17:59:01 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:01 unbound[30141] [30141:1] notice: ssl handshake failed 5.9.164.112 port 853
2021-09-30T17:59:01 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:00 unbound[30141] [30141:1] notice: ssl handshake failed 5.9.164.112 port 853
2021-09-30T17:59:00 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:00 unbound[30141] [30141:1] notice: ssl handshake failed 5.9.164.112 port 853
2021-09-30T17:59:00 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:00 unbound[30141] [30141:1] notice: ssl handshake failed 5.1.66.255 port 853
2021-09-30T17:59:00 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:00 unbound[30141] [30141:1] notice: ssl handshake failed 5.1.66.255 port 853
2021-09-30T17:59:00 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:00 unbound[30141] [30141:1] notice: ssl handshake failed 185.150.99.255 port 853
2021-09-30T17:59:00 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:00 unbound[30141] [30141:1] notice: ssl handshake failed 185.150.99.255 port 853
2021-09-30T17:59:00 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:00 unbound[30141] [30141:1] notice: ssl handshake failed 5.1.66.255 port 853
2021-09-30T17:59:00 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:59:00 unbound[30141] [30141:1] notice: ssl handshake failed 5.1.66.255 port 853
2021-09-30T17:59:00 unbound[30141] [30141:1] error: ssl handshake failed crypto error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
2021-09-30T17:58:58 unbound[30141] [30141:0] info: start of service (unbound 1.13.2).Therefore the other OPNsense is configured as DNS via a tunnel. This worked until today. Then this afternoon all of a sudden DNS failed on the other OPNsense completely, although 5 DoT servers are configured.
When I add 9.9.9.9 or mulvad DNS it starts to work again an the remote DNS (but not on the OPNsense initially failing during TLS handshake).
When I do a package capture on WAN (port 853) it looks like normal TLS 1.2 and 1.3 traffic with at least one remote IP (95.216.212.177), but DNSleaktest.com reports no functional DNS servers and in browser nothing loads (again: my usually working 5 DoT servers still configured).
The OPNsense is located in Northern Europe, most DNS servers I configured are located in Central Europe, but is there some kind of iron curtain for DoT troughout Europe?
WHY? Is the ISP interfering with DoT?
13
21.7 Legacy Series / 21.7.3. - high CPU and MEM usage
« on: September 22, 2021, 03:59:49 pm »
Hi!
Updated 2 OPNsense to 21.7.3 about an hour ago. No reboot. Had to start syslog_ng manually from the Dashboard afterwards.
Now I get frequent (preconfigured...) warning emails that CPU and MEM usage is very high on both machines with no major throughput.
In Diagnostics - Activity I have
Anyone?
Updated 2 OPNsense to 21.7.3 about an hour ago. No reboot. Had to start syslog_ng manually from the Dashboard afterwards.
Now I get frequent (preconfigured...) warning emails that CPU and MEM usage is very high on both machines with no major throughput.
In Diagnostics - Activity I have
Code: [Select]
OPNsense 1
47519 root 102 0 6352 5414 CPU1 1 69:35 98.78% /usr/local/bin/python3 /usr/local/opnsense/service/configd_ctl.py -e -t 0.5 system event config_changed (python3.8)
36687 root 52 0 27 3836 RUN 1 0:45 43.36% /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -p /var/run/syslog-ng.pid{syslog-ng}
--------------------------
OPNsense 2
92636 root 83 0 32 8724 CPU0 0 1:06 35.60% /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -p /var/run/syslog-ng.pid{syslog-ng}
69153 root 103 0 5091 4559 CPU3 3 68:37 100.00% /usr/local/bin/python3 /usr/local/opnsense/service/configd_ctl.py -e -t 0.5 system event config_changed (python3.8)Anyone?
14
21.7 Legacy Series / DynDNS (spdyn.de) complaining about TLS version
« on: August 23, 2021, 01:56:12 pm »
Hi!
Have a dynDNS provider that keeps complaining about the TLS version of opnsense dyndns client:
Anthing that can be done about this? I'm on latest version (LibreSSL)....
Have a dynDNS provider that keeps complaining about the TLS version of opnsense dyndns client:
Code: [Select]
Die TLS Version () die zum Update verwendet wurde, ist veraltet. Bitte aktualisieren Sie Ihren Dyndns-Client. Eine korrekte Funktion des Updates mit dieser TLS-Version kann zukü?nftig nicht garantiert werden Anthing that can be done about this? I'm on latest version (LibreSSL)....
15
General Discussion / "Secure connection failed" via openVPN tunnels with palemoon
« on: August 21, 2021, 11:23:11 am »
HI
I have two OPNsense (LibreSSL) latest (different locations), connected to a pfSense (latest) via an openVPN tunnel each.
Accessing these OPNsenses from respective LAN via palemoon (latest) works just fine, only cipher allowed in OPNsense is CHACHA20-Poly1305-sha256 for reaching the sense GUI.
When I try to access the GUIs from then LAN of the pfsense via the openVPN tunnel, palemoon refuses to connect (Error code: SSL_ERROR_NO_CYPHER_OVERLAP), although it works fine from LAN.
Iirc the problems started with 21.7, this has been working for months before. Firefox (latest) complains about the certificate but makes a connection to the opnsense after making an exception.
I have two OPNsense (LibreSSL) latest (different locations), connected to a pfSense (latest) via an openVPN tunnel each.
Accessing these OPNsenses from respective LAN via palemoon (latest) works just fine, only cipher allowed in OPNsense is CHACHA20-Poly1305-sha256 for reaching the sense GUI.
When I try to access the GUIs from then LAN of the pfsense via the openVPN tunnel, palemoon refuses to connect (Error code: SSL_ERROR_NO_CYPHER_OVERLAP), although it works fine from LAN.
Iirc the problems started with 21.7, this has been working for months before. Firefox (latest) complains about the certificate but makes a connection to the opnsense after making an exception.