Topics - romain

#1
16.7 Legacy Series / Hang or FW down?
October 24, 2017, 08:56:25 PM
Hello there,

I have a strange thing with my OPNsense firewall.

Here is a health report with the System tab selected:


https://imgur.com/6fyTEiS

The symptoms were multiple.
I was connected to the VPN and got disconnected. I could not reconnect for a few seconds.

Memory, states, processor, free disk and everything else are fine (even the uptime: 80 days since my last maintenance).
It is far from being overwhelmed.

It seems that any traffic can go through the firewall; here is the monitoring of an internal interface. We have the same hang everywhere on the Packet and Traffic tabs.


http://imgur.com/JAD1u7Q

I can't find anything in the logs.
I checked on the management interface of the server and everything is green.

Any idea on what I'm missing?

Thanks
Romain
#2
17.7 Legacy Series / [SOLVED] - Lagg0 down at the boot
September 04, 2017, 07:20:55 AM
Hello,

I have a strange behavior with my OPNsense box.
I configured a lagg on two network cards. It seems to work great, but at every boot the lagg stays down/inactive. I need to go to Interfaces > Other Types > LAGG and edit my lagg.
Once validated (without any change), the lagg goes up/active and everything is working again.

I have some CARP VIP addresses set up on the lagg, but I can't find anything (that I understand) explaining why the lagg is not up and running from the boot of the firewall.

Any idea?

Thank you
Romain
#3
17.7 Legacy Series / [SOLVED] - OCE drivers and freebsd
September 01, 2017, 09:41:23 AM
Hello,

I'm trying to update my firewalls and I would like to install my Emulex network card (OCE1102NT).

Based on the vendor's website, the default driver shipped in the FreeBSD image should do the job.

How can I include them in my OPNsense installation?

Thank you
Romain
#4
General Discussion / Archives Version
August 28, 2017, 10:35:41 AM
Hello,

Is there a way to download an old version of OPNsense ?

I'm looking for the latest 16.7 ISO.

Thank you
Romain
#5
16.7 Legacy Series / CARP newbie questions
October 10, 2016, 08:55:01 PM
Hi,

I have a few questions on how the CARP protocol works.

Let's say I have two identical firewalls: 4 physical network ports and 10 VLANs on them.

I would like to configure one of my firewalls to be the master on each VLAN. So all the VIPs will be active on the master? If I shut down a VLAN interface, the VIP goes directly to the backup, but the whole firewall switches to the backup one.

I only tested CARP with one interface and that was working great. I'm losing only one ping.

Is this how CARP works (active/passive), or is there a way to make an active/active scenario? For example, 5 VIPs active on the first firewall and the other half on the second one? However, in this scenario, how do NAT / routing work?

What are the criteria to switch to the backup? If an interface goes down? Is it possible to add a weight? For example, switch if the WAN goes down, but keep working if the MGMT interface goes down?

Let me know if I'm not clear.

Thanks!
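As an added example (Python, not code from the post or from OPNsense), here is a small model of how CARP decides which node is master for each VHID, answering the two questions above: per-VHID weighting is done with advbase/advskew (lowest wins), and with net.inet.carp.preempt enabled a link-down on any CARP-carrying interface demotes all of that node's VHIDs at once, which is why the whole firewall switches. The node names, VHID-per-VLAN layout and the advskew values are assumptions made for the example; pfsync/state synchronization and NAT are outside the model.

```python
"""Simplified CARP master election for two firewalls and several VHIDs.

Model assumptions (this is an illustration, not OPNsense code):
  * For each VHID the node advertising the lowest (advbase, advskew) pair
    is MASTER; the other node is BACKUP. A dead node does not advertise.
  * With net.inet.carp.preempt=1, a link-down on any interface carrying a
    CARP VIP raises that node's advskew to 240 on every VHID, so all its
    VIPs fail over as a group.
"""
from dataclasses import dataclass, field

DEMOTED_ADVSKEW = 240  # advskew applied group-wide on link loss (preempt)


@dataclass
class Node:
    name: str
    vips: dict                                  # vhid -> (advbase, advskew)
    links: dict = field(default_factory=dict)   # interface -> link is up?
    alive: bool = True

    def effective_priority(self, vhid):
        """(advbase, advskew) this node actually advertises for vhid."""
        advbase, advskew = self.vips[vhid]
        if any(not up for up in self.links.values()):
            advskew = max(advskew, DEMOTED_ADVSKEW)
        return advbase, advskew


def master_for(nodes, vhid):
    """Name of the node that should be MASTER for vhid, None if nobody advertises."""
    ranked = sorted(
        (n.effective_priority(vhid), n.name)
        for n in nodes if n.alive and vhid in n.vips
    )
    if not ranked:
        return None
    if len(ranked) > 1 and ranked[0][0] == ranked[1][0]:
        raise ValueError(
            f"vhid {vhid}: identical advbase/advskew on {ranked[0][1]} and "
            f"{ranked[1][1]}; give each node a different advskew")
    return ranked[0][1]


def masters(nodes, vhids):
    """vhid -> master node name for every VHID in vhids."""
    return {vhid: master_for(nodes, vhid) for vhid in vhids}


def build_lab(active_active=False):
    """Two firewalls, 10 VLANs, one VHID per VLAN (assumed layout: VHID n on vlan n)."""
    vhids = range(1, 11)
    fw1, fw2 = {}, {}
    for vhid in vhids:
        # active/active: FW1 preferred on VHIDs 1-5, FW2 on 6-10 (advskew 0 vs 100)
        fw1_preferred = (vhid <= 5) if active_active else True
        fw1[vhid] = (1, 0 if fw1_preferred else 100)
        fw2[vhid] = (1, 100 if fw1_preferred else 0)
    links = {f"vlan{v}": True for v in vhids}
    return [Node("FW1", fw1, dict(links)), Node("FW2", fw2, dict(links))]


if __name__ == "__main__":
    vhids = range(1, 11)
    lab = build_lab()
    print("active/passive:          ", masters(lab, vhids))
    lab[0].links["vlan7"] = False          # FW1 loses one VLAN link
    print("FW1 vlan7 down (preempt):", masters(lab, vhids))
    lab = build_lab(active_active=True)
    print("active/active split:     ", masters(lab, vhids))
```

Running the script prints the three scenarios: all VIPs on FW1, all VIPs moving to FW2 after a single link failure on FW1, and the split layout where half the VHIDs prefer each node. The model raises an error on equal advskew values on purpose, since with identical priorities the outcome depends on timing rather than configuration.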
#6
15.7 Legacy Series / Download 15.7.25 ISO
August 09, 2016, 05:07:58 PM
Hi everyone,

Is there a way to download the 15.7.25 version? I will upgrade my main firewall and want to be sure I can still go back to the old version if needed.

Thank you
Romain
#7
15.7 Legacy Series / pfr_update_stats: assertion failed
January 20, 2016, 09:04:31 AM
Hello,

I'm on 15.7.24 and I have the following error all the time:

Jan 19 10:32:20 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 10:32:21 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:50 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:51 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:51 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:54 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:54 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:55 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:23:06 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:23:07 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:23:07 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:24:51 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:24:52 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:24:52 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 12:10:55 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 12:10:55 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 12:10:56 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 12:10:56 opnsense kernel: pfr_update_stats: assertion failed.


Any idea?
Thanks
#8
Hello there,

It seems that in certain cases we need to change the keepalive mode to manually specified ping timeouts (ping, ping-exit, ping-restart).

However, there is no way to disable this functionality. The keepalive directive is automatically added. It would be a good improvement to be able to disable it in order to specify the ping values manually.

Do you think it could be possible?

Thank you and best wishes for this new year !
#9
15.7 Legacy Series / OpenVPN timeout
December 15, 2015, 04:40:55 PM
Hello there,

I have some strange behaviour with my OpenVPN. I have several timeouts that are not related to my internet connection.

I have low latency (6-10 ms max), but sometimes, without any explanation, I get pings with high latency (200-500 ms) and a few timeouts. During these latency storms my internet is quite good (I still have 5-6 ms to different websites).

I tried switching between tun and tap and setting sndbuf and rcvbuf to 0, but nothing seems to work.

The only thing I can do is restart the service to be okay for a few hours.

I changed the verbosity of the client and server logs but I don't see anything.

Any idea what's going on and what I can look into?

Thanks
Romain
#10
15.7 Legacy Series / [SOLVED] Zabbix agent 2.4
December 11, 2015, 03:49:04 PM
Hello there,

I would like to know if there is a best way to install Zabbix Agent 2.4 on my OPNsense firewalls. Today, I would download an agent from the repository and configure it to start automatically (as on Linux 2.6).

Is a package already available that I can install directly through the shell, maybe?

Thank you !
Romain
#11
15.7 Legacy Series / [SOLVED] Reload filter error
November 25, 2015, 08:01:25 AM
Hello,

I have a PHP error when I reload my filter:

Fatal error: Uncaught exception 'Exception' with message 'Timeout (120) executing :filter reload' in /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php:100 Stack trace: #0 /usr/local/etc/inc/legacy_bindings.inc(38): OPNsense\Core\Backend->configdRun('filter reload', false) #1 /usr/local/etc/inc/filter.inc(119): configd_run('filter reload') #2 /usr/local/www/firewall_rules.php(52): filter_configure() #3 {main} thrown in /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php on line 100

It seems to take a really long time to apply. If I go to Status > Filter Reload, I can see that my rules are applied one by one, every 3 seconds. I also notice that when I boot the firewall it takes a really long time to get past Configuring Firewall (around 5 minutes).

Any idea?
#12
I'm on the latest version:

Fatal error: Uncaught exception 'Exception' with message 'Timeout (120) executing :filter reload' in /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php:100 Stack trace: #0 /usr/local/etc/inc/legacy_bindings.inc(38): OPNsense\Core\Backend->configdRun('filter reload', false) #1 /usr/local/etc/inc/filter.inc(119): configd_run('filter reload') #2 /usr/local/www/firewall_rules.php(52): filter_configure() #3 {main} thrown in /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php on line 100

#13
I have a strange bug and I don't know where to look.

The symptoms are very clear but I don't know how to reproduce it.

After some time / traffic (I don't know the source of the trouble yet), our services seem to go down (Exchange email, NetScaler Access Gateway to connect remotely to our desktops). The endpoints lose connection for a few seconds.

The strange thing is that ping is good and stable. I can access the firewall through SSH or the web UI, but it seems to be very slow. For example, the command history takes a few seconds to display. I don't time out, but it's slow for a few seconds / minutes.

It seems that some buffer is getting full and empties itself after a few seconds (10-20). During this time, ping is okay, the SSH session is very slow and on some services like RDP, we lose our connection.

I tested the connection directly using the VPN, without going through our NetScaler, with the same results.

I also checked the health of the firewall and there is nothing. CPU and RAM are fine. The number of sessions is okay (around 1300, 2500 max). No errors anywhere.

I don't have any particular errors at the interface level. I left the default MTU and MSS, but I don't have any error telling me to change these settings.

I tried to look into SYN-ACK but didn't see anything particular. There are some, but nothing more when the timeout / struggle time is on.

The datacenter provider doesn't see anything on its side. I tested from different locations and endpoints and always get these results.

Do you have any idea in which direction I can look? :-\

Thank you
Romain
#14
15.7 Legacy Series / [SOLVED] OpenVPN timeout
October 25, 2015, 08:35:55 AM
Hello there,

I have strange behaviour with OpenVPN (connection from the Windows OpenVPN GUI).

When I use it, after some time I get plenty of timeouts. If I wait a few seconds it comes back for a few minutes.

I tested from different locations and my internet connection is working even during the timeouts.

I can't see anything on the firewall side or in the logs. Sometimes I restart the openvpn process and it works again for a few minutes (sometimes 5, sometimes 30).

Do you have any idea what's going on?

I'm on OPNsense 15.7.16.

Thank you.
#15
15.7 Legacy Series / [SOLVED] Can't add VIP Alias
October 07, 2015, 09:42:30 AM
Hello,

I'm on OPNsense 15.7.15-amd64. I have an issue with IP aliases.

I created a VIP IP Alias:



On the FreeBSD side, there is no VIP:

cns: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:90:fa:9d:29:d8
        inet6 fe80::290:faff:fe9d:29d8%lagg0_vlan2010 prefixlen 64 scopeid 0x13
        inet 10.20.201.14 netmask 0xfffffff0 broadcast 10.20.201.15
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        vlan: 2010 parent interface: lagg0


If I need it, I must add it through the command line:

ifconfig cns inet 10.20.201.10 netmask 255.255.255.240 alias

I also noticed that I can no longer choose the mask size for the IP when I create the IP Alias through the interface.

Is it normal?

Thank you.
Romain
#16
Hello,

I'm a little bit worried. I was creating a new alias and a new NAT rule and everything was fine.

Now if I go to the Aliases section, everything is empty.

I didn't apply my last NAT rule and all my services are still up and running.

What's going on? :-\ :'(

Thank you for your help
#17
Hello there,

I still have trouble with LAGG, VLAN and CARP for high availability.

I set up a simple lab like this in VLAN 1001, with a failover lagg between my firewalls and a switch:

192.168.111.1              192.168.111.2
-------------                 ------------
-    FW1    ---------------    FW 2  -
-------------                 -------------
                        | VIP : 192.168.111.3
                        |
                        |
                        |
               ---------------
               -      SW1     -
               ---------------
              192.168.111.4

The only test I've done is to ping from FW2 to the switch, and it only didn't work when the source IP is the VIP. In this case FW2 is the master, and I tested with the firewall deactivated to be sure this is not a problem related to filtering.

I can see the multicast announcements without any trouble on both sides (FW1 and FW2):

root@FW2:~ # tcpdump -npi lagg0_vlan1001 -T CARP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lagg0_vlan1001, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
10:16:28.417090 IP 192.168.111.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=14985732001005176251
10:16:29.839085 IP 192.168.111.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=10997560983974190372
10:16:31.238086 IP 192.168.111.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=16271606076571394589
10:16:32.645086 IP 192.168.111.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=14406240274046045491
10:16:34.046085 IP 192.168.111.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=17719711089369943554


If I ping from .2 to .4, it works well:

root@FW2:~ # ping -S 192.168.111.2 192.168.111.4
PING 192.168.111.4 (192.168.111.4) from 192.168.111.2: 56 data bytes
64 bytes from 192.168.111.4: icmp_seq=0 ttl=64 time=5.870 ms
64 bytes from 192.168.111.4: icmp_seq=1 ttl=64 time=1.932 ms


The packets are okay (tcpdump -ni lagg0 -s0 -w from-interface-ip.pcap):



If I do the same from .3, it doesn't work anymore:

root@FW2:~ # ping -S 192.168.111.3 192.168.111.4
PING 192.168.111.4 (192.168.111.4) from 192.168.111.3: 56 data bytes
^C
--- 192.168.111.4 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss


The packets seem to be okay (tcpdump -ni lagg0 -s0 -w from-vip.pcap):



If I look deeper into the packets and add the filter vlan.id == 1001, you can see that in the first case all packets are still there, and in the second case none of the packets contain the VLAN ID.

From the interface IP:



From the VIP:



It seems that the VLAN ID is not added to the packets when the source IP is the VIP.

It seems that the setup is correct on my side. Moreover, if I shut down FW2, FW1 becomes master directly. What can I do?
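As an added example (Python, not code from the post or from OPNsense), the vlan.id check above done offline: a minimal Ethernet/802.1Q/IPv4 parser plus a classic-pcap reader that reports, per source IP, which VLAN tags (or none) the captured frames carried. Run it against a capture such as from-vip.pcap; with no argument it analyses two frames constructed here to mirror the two pings (interface IP tagged 1001, VIP untagged). The MAC addresses and ICMP contents of those frames are made up for the example.

```python
"""Report VLAN tag per source IPv4 address for frames in a classic pcap file.
Sample frames are constructed in this file; they are not the poster's captures."""
import struct
from ipaddress import IPv4Address

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800


def checksum(data):
    """RFC 1071 one's-complement checksum (IPv4 header / ICMP)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src, dst, vlan=None, pcp=0):
    """Constructed ICMP echo request; the MAC addresses are placeholders."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + bytes(8)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x90\xfa\x9d\x29\xd8"
    if vlan is None:
        eth += struct.pack("!H", ETH_P_IP)
    else:  # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
        tci = ((pcp & 7) << 13) | (vlan & 0x0FFF)
        eth += struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP)
    return eth + ip + icmp


def parse_frame(frame):
    """Ethernet + optional 802.1Q tag + IPv4 header fields of one frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan, off = None, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18   # keep the 12-bit VID, drop PCP/DEI
    info = {"vlan": vlan, "ethertype": ethertype, "src": None, "dst": None, "proto": None}
    if ethertype == ETH_P_IP and len(frame) >= off + 20:
        ip = frame[off:off + 20]
        info["proto"] = ip[9]
        info["src"] = str(IPv4Address(ip[12:16]))
        info["dst"] = str(IPv4Address(ip[16:20]))
    return info


def iter_pcap_frames(data):
    """Yield link-layer frames from classic pcap bytes (either byte order)."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        order = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:   # LINKTYPE_ETHERNET
        raise ValueError("capture is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def write_pcap(frames):
    """Little-endian classic pcap; used here only to build the constructed capture."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


def vlan_by_source(pcap_bytes):
    """Map source IPv4 -> set of VLAN IDs seen (None means untagged)."""
    seen = {}
    for frame in iter_pcap_frames(pcap_bytes):
        p = parse_frame(frame)
        if p["src"] is not None:
            seen.setdefault(p["src"], set()).add(p["vlan"])
    return seen


# Constructed stand-ins for the two pings: interface IP tagged 1001, VIP untagged.
SAMPLE_FRAMES = [
    build_icmp_echo("192.168.111.2", "192.168.111.4", vlan=1001),
    build_icmp_echo("192.168.111.3", "192.168.111.4"),
]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else write_pcap(SAMPLE_FRAMES)
    for src, vlans in sorted(vlan_by_source(data).items()):
        print(src, "->", ", ".join("untagged" if v is None else f"vlan {v}" for v in vlans))
```

Usage: `python vlan_check.py from-vip.pcap`. A source address that shows up only as "untagged" on a capture taken on the lagg0 parent is the symptom described in the post; the parser masks the TCI to 12 bits so priority bits set by a switch do not produce a bogus VLAN number. Pcapng captures are rejected (write with tcpdump -w as in the post, which produces classic pcap).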
#18
Hello,

I have this error in my console: An error occurred while attempting XMLRPC sync with username root and https://192.168.250.2:8888/xmlrpc.php parse error. not well formed

When I run the command: /usr/local/etc/rc.filter_synchronize

I see that there are some PHP warnings, and so the XML is not well formed:


Warning: Illegal string offset 'vip' in /usr/local/etc/inc/xmlrpc/legacy.inc on line 304

Warning: Invalid argument supplied for foreach() in /usr/local/etc/inc/xmlrpc/legacy.inc on line 304

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/etc/inc/xmlrpc/legacy.inc:304) in /usr/local/opnsense/contrib/IXR_Library.php on line 464

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/etc/inc/xmlrpc/legacy.inc:304) in /usr/local/opnsense/contrib/IXR_Library.php on line 465

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/etc/inc/xmlrpc/legacy.inc:304) in /usr/local/opnsense/contrib/IXR_Library.php on line 466

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/etc/inc/xmlrpc/legacy.inc:304) in /usr/local/opnsense/contrib/IXR_Library.php on line 467
<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
      <boolean>1</boolean>
      </value>
    </param>
  </params>
</methodResponse>
error >>>
parse error. not well


I don't know where to look, any idea?
Thank you
#19
15.7 Legacy Series / DNS Rebind attack detected
July 28, 2015, 02:33:56 PM
Hello,

I have two synchronized OPNsense hosts. They have their own hostnames and I set up the alternate hostname that I want to use, but I still have the error.

A little bug, or am I doing something wrong?
Romain
#20
Hello,

I would like to develop a basic web page where a user can enter his username, old password and new password twice in order to change his OpenVPN password.

I'm pretty sure there is already some code in OPNsense for this and I would like to use the same functions to be really compliant. I tried to look in the code, but I would like your point of view on what I'm trying to do.

Maybe you can help me by telling me which functions would be the right ones to do it?

Thank you !
Romain