OPNsense
Topics - mircsicz

1
23.1 Legacy Series / filter.log filling up my SSD, but can't find rules with enabled logging
« on: April 08, 2023, 02:44:58 pm »
Hi all,

This morning I got an email from my WiFi-WAN provider asking me to restore power to the AP on my roof. As I'm currently not in the EU and couldn't reach my Dad, who is housesitting, I started to dig into the issue:

Found this in the Unbound log:
Code:
2023-04-08T14:10:57 Critical unbound [31257:0] fatal error: could not complete write: /root.key: No space left on device
2023-04-08T14:10:56 Error unbound [31257:0] error: could not fflush(/root.key): No space left on device
2023-04-08T14:10:51 Warning unbound PTR record already exists for unifi.mydom.de(10.yy.xxx.14)

So I checked the FS via SSH:
Code:
mircsicz@router:~ $ uptime
 2:12PM  up  4:06, 1 user, load averages: 0.42, 0.35, 0.28
mircsicz@router:~ $ df -h
Filesystem                  Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs              14G     13G   -153M   101%    /

Damn it, so my APU's 16GB SSD is full! And here's the offender:
Code:
mircsicz@router:~ $ sudo du -h /var/log
 88K    /var/log/lighttpd
4.0K    /var/log/suricata
4.0K    /var/log/ntp
5.1M    /var/log/audit
8.7G    /var/log/filter

So I rm'd some of those:
Code:
mirco@router:~ $ sudo ls -lh /var/log/filter
total 18213184
-rw-------  1 root  wheel   143M Mar 10 00:00 filter_20230309.log
-rw-------  1 root  wheel   154M Mar 11 00:00 filter_20230310.log
-rw-------  1 root  wheel   127M Mar 12 00:00 filter_20230311.log
-rw-------  1 root  wheel   153M Mar 13 00:00 filter_20230312.log
-rw-------  1 root  wheel   132M Mar 14 00:00 filter_20230313.log
-rw-------  1 root  wheel   130M Mar 15 00:00 filter_20230314.log
-rw-------  1 root  wheel   140M Mar 15 23:59 filter_20230315.log
-rw-------  1 root  wheel   130M Mar 17 00:00 filter_20230316.log
-rw-------  1 root  wheel   145M Mar 18 00:00 filter_20230317.log
-rw-------  1 root  wheel   126M Mar 19 00:00 filter_20230318.log
-rw-------  1 root  wheel   125M Mar 20 00:00 filter_20230319.log
-rw-------  1 root  wheel   144M Mar 21 00:00 filter_20230320.log
-rw-------  1 root  wheel   131M Mar 22 00:00 filter_20230321.log
-rw-------  1 root  wheel   117M Mar 23 00:00 filter_20230322.log
-rw-------  1 root  wheel   150M Mar 24 00:00 filter_20230323.log
-rw-------  1 root  wheel   295M Mar 25 00:00 filter_20230324.log
-rw-------  1 root  wheel   502M Mar 25 23:59 filter_20230325.log
-rw-------  1 root  wheel   462M Mar 27 00:00 filter_20230326.log
-rw-------  1 root  wheel   502M Mar 28 00:00 filter_20230327.log
-rw-------  1 root  wheel   515M Mar 29 00:00 filter_20230328.log
-rw-------  1 root  wheel   517M Mar 30 00:00 filter_20230329.log
-rw-------  1 root  wheel   344M Mar 31 00:00 filter_20230330.log
-rw-------  1 root  wheel   320M Apr  1 00:00 filter_20230331.log
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:18 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log

root@router:/var/log/filter # rm filter_202303*
root@router:/var/log/filter # ls -lh
total 6938944
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:19 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log

Then I checked through my filter rules, but all of them are like that.

So long story short question: Is there a way to check for Filter rules that have logging enabled in the config?
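One way to answer the question above, as an added example that is not part of the original post or of the OPNsense project: it parses a config.xml export for filter rules that carry `<log>1</log>`, then counts the lines of a filter log by rule label so the rule producing the volume stands out. The config layout (`<filter>/<rule>/<log>`), the RFC 5424 line shape of the log and the CSV field positions (label, interface, action, direction) are assumptions about the format; the config fragment and log lines below are constructed, not taken from a real router.

```python
"""Audit which OPNsense filter rules log, and which rule labels fill filter.log.

Added example, not code from the OPNsense project or the forum post.
Assumptions: rules live under <filter>/<rule> in config.xml with <log>1</log>
marking logging, and every filter.log line ends in a CSV payload whose
fields 3, 4, 6 and 7 are rule label, interface, action and direction.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed config.xml fragment, not an export from a real router.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <descr>Default allow LAN to any</descr>
      <log>1</log>
    </rule>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <descr>Drop bogons quietly</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt1</interface>
      <descr>Allow WireGuard (logged)</descr>
      <log>1</log>
    </rule>
  </filter>
</opnsense>
"""

# Constructed filter.log lines in an assumed RFC 5424 shape; the rule labels
# are made up and the addresses come from documentation ranges.
SAMPLE_FILTER_LOG = """\
<134>1 2023-04-08T14:10:51+02:00 router filterlog 48123 - [meta sequenceId="1"] 5,,,a1b2c3d4e5f6,pppoe0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51234,22,0,S
<134>1 2023-04-08T14:10:51+02:00 router filterlog 48123 - [meta sequenceId="2"] 5,,,a1b2c3d4e5f6,pppoe0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.7,44012,445,0,S
<134>1 2023-04-08T14:10:52+02:00 router filterlog 48123 - [meta sequenceId="3"] 2,,,0f0e0d0c0b0a,lan,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.14,198.51.100.7,41231,443,0,S
<134>1 2023-04-08T14:10:52+02:00 router filterlog 48123 - [meta sequenceId="4"] 5,,,a1b2c3d4e5f6,pppoe0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,203.0.113.5,198.51.100.7,5353,5353
garbage line that should be skipped
"""


def logging_rules(config_xml):
    """Return (type, interface, descr) for every <filter>/<rule> with <log>1</log>."""
    root = ET.fromstring(config_xml)
    found = []
    for rule in root.findall("./filter/rule"):
        if (rule.findtext("log") or "").strip() == "1":
            found.append((rule.findtext("type", "?"),
                          rule.findtext("interface", "?"),
                          rule.findtext("descr", "")))
    return found


def log_volume_by_rule(log_text):
    """Count log lines per (label, interface, action, direction).

    The CSV payload is the last whitespace-separated token of each line, so the
    syslog header in front of it does not matter. Lines without a plausible
    payload (fewer than 9 fields) are skipped rather than miscounted.
    """
    counts = Counter()
    for line in log_text.splitlines():
        payload = line.strip().rsplit(" ", 1)[-1]
        fields = payload.split(",")
        if len(fields) < 9:
            continue  # not a pf log payload
        counts[(fields[3], fields[4], fields[6], fields[7])] += 1
    return counts


def top_offender(log_text):
    """Return ((label, interface, action, direction), count) for the busiest rule, or None."""
    counts = log_volume_by_rule(log_text)
    if not counts:
        return None
    return counts.most_common(1)[0]


if __name__ == "__main__":
    for rule in logging_rules(SAMPLE_CONFIG):
        print("logging enabled:", rule)
    for key, n in log_volume_by_rule(SAMPLE_FILTER_LOG).most_common():
        print(n, key)
```

On a real box you would feed it the contents of `/conf/config.xml` and one of the `filter_*.log` files instead of the constructed samples. Note that the logging of the built-in default deny rule is a global setting (Firewall > Settings > Logging), not a `<rule>` element, so it will not show up in the first list even though it can easily dominate the second.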

2
22.1 Legacy Series / [SOLVED] os-ddclient with No-Ip not finding an IP
« on: June 22, 2022, 04:11:54 pm »
Hi all,

os-dyndns stopped working for me when I was using No-IP group passwords. So I had to revert to my master password for all machines using that account a while ago. That is why I was happy to read that os-ddclient is gonna replace os-dyndns!

Now that we're about to transition to 22.7 I looked into migrating my setups to os-ddclient, but am facing some issues with ddclient:

I've already read this thread and also this thread

With my setup I see the following in the logs:

Code:
2022-06-22T15:59:41 Notice ddclient[98565] 93904 - [meta sequenceId="7"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:35 Notice ddclient[52758] 73674 - [meta sequenceId="6"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:10 Notice ddclient[771] 37236 - [meta sequenceId="5"] WARNING: unable to determine IP address
2022-06-22T15:59:10 Notice ddclient[771] 35027 - [meta sequenceId="4"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:07 Notice ddclient[98070] 17061 - [meta sequenceId="3"] WARNING: unable to determine IP address
2022-06-22T15:59:07 Notice ddclient[98070] 16274 - [meta sequenceId="2"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:00 Notice ddclient[95522] 19804 - [meta sequenceId="1"] WARNING: found neither ipv4 nor ipv6 address

So far I've tried the following "Check IP methods":
  • noip-ipv4
  • interface

But the log doesn't change...

This is what my ddclient.conf looks like:
Code:
daemon=300
syslog=yes                  # log update msgs to syslog
pid=/var/run/ddclient.pid   # record PID in file.
ssl=yes


use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i pppoe0 -t 1 -s noip-ipv4",
protocol=noip, \
login=MYUSER, \
password=MYPASSWD \
foo.ddns.me

I'm hoping one of you spots the missing link...

I've also read this hint and tried to run it from ssh like this:

# sudo ddclient -daemon=0 -debug -verbose -noquiet

3
21.1 Legacy Series / WireGuard Issues while setting up
« on: July 24, 2021, 05:09:32 pm »
Hi all,

just wanted to migrate from IPsec to WG using his guide, but the issues won't let me...

A FW rule is in place


Checking the config it seems fine:




Except that it doesn't show Config nor handshake



On the dashboard I can see that the service isn't started:


When I check the *.conf using SSH it seems fine:
Code:
$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = LOCALPRIVKEY
Address = 172.160.x.2/24
ListenPort = xx822

[Peer]
PublicKey = PEERSPUBKEY
Endpoint = 185.x.x.x:21822
AllowedIPs = 10.160.x.x/24,172.160.x.x/24
PersistentKeepalive = 60

And when I try to start the WG service from the Dashboard, this shows up in system.log:
Code:
Jul 24 16:56:33 router kernel: tun0: link state changed to UP
Jul 24 16:56:33 router kernel: tun0: changing name to 'wg0'
Jul 24 16:56:33 router kernel: wg0: link state changed to DOWN
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: entering configure using defaults
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: IPv4 default gateway set to opt2
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: setting IPv4 default route to 185.x.x.x
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: keeping current default gateway '185.x.x.x
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (1)
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (execute task : dpinger_configure_do(1))
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_PPPOE monitor address is empty, skipping.
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_DHCP_DHCP monitor address is empty, skipping.
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode disabled
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode enabled

And I've already restored the config: downloaded the xml removed all WireGuard Contents from the file and restored it as a backup...

Hope one of you has a hint!

BTW: all this is on 21.1.8_1

4
21.1 Legacy Series / [SOLVED] No-IP Update broke with 21.1.6 (os-dyndns 1.24)
« on: May 28, 2021, 05:38:25 pm »
After upgrading from 21.1.5 to .6 last night, No-IP no longer works...

The first thing I recognized were broken IPsec tunnels, then I tried to SSH in and got timeouts. So I used AnyDesk to check on the WebIFs from the other side of the WAN...

I could see that the "Cached IP" is red, so I tried a forced Update, here's what the log said:
Code:
May 28 15:57:16 router config[49757]: /services_dyndns_edit.php: Dynamic DNS (my.dns.xx): (Unknown Response)
or during bootup (right after the upgrade):
Code:
May 28 03:22:50 router opnsense[11052]: /usr/local/etc/rc.newwanip: Dynamic DNS (my.dns.xx): (Unknown Response)

So I tried setting the password and got success, at least I thought so; the WebIF told me that it updated the cached IP to the actual WAN IP...

Now I just realized I still can't SSH into the router, so I pinged and saw that No-IP still holds the old IP... Double-checked their WebIF, which states the same.

OPNsense Plugin WebIF seems happy with changed cached-IP but No-Ip doesn't get/receive that change!

@franco hope you've got a hint... ;-)

5
21.1 Legacy Series / [SOLVED] speedtest-cli not working
« on: April 20, 2021, 07:43:03 am »
Hi all,

just installed speedtest-cli:

Code:
pkg update ; pkg install -y py37-speedtest-cli
Problem is it won't run:

Quote
$ sudo speedtest-cli
Password:
Retrieving speedtest.net configuration...
Traceback (most recent call last):
  File "/usr/local/bin/speedtest-cli", line 11, in <module>
    load_entry_point('speedtest-cli==2.1.2', 'console_scripts', 'speedtest-cli')()
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1986, in main
    shell()
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1875, in shell
    secure=args.secure
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1091, in __init__
    self.get_config()
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1174, in get_config
    map(int, server_config['ignoreids'].split(','))
ValueError: invalid literal for int() with base 10: ''

Is there someone out there that got speedtest to work?

6
21.1 Legacy Series / Periodic Interface reset seems to ignore my params
« on: March 05, 2021, 07:46:35 pm »
Hi all, I'm well aware of: https://forum.opnsense.org/index.php?topic=5276.0 but lower and upper case both seem to be ignored...





Code:
$ sudo grep "authorization successful" /var/log/ppps.log|grep ^Mar
Mar  1 03:46:52 router ppp[52767]: [opt1_link0] LCP: authorization successful
Mar  1 03:54:25 router ppp[52767]: [opt1_link0] LCP: authorization successful
Mar  2 18:09:07 router ppp[52767]: [opt1_link0] LCP: authorization successful
Mar  5 02:09:34 router ppp[52767]: [opt1_link0] LCP: authorization successful

I've tried lower case as posted by franco in the above mentioned thread.

Hope one of you has a hint...

7
20.7 Legacy Series / 20.7.3 zabbix-agent 5.0.3 won't start
« on: October 04, 2020, 03:24:50 am »
There seems to be a bug left from the 4->5 upgrade:

root@router:/home/mirco # zabbix_agentd -c /usr/local/etc/zabbix_agentd.conf -f
zabbix_agentd [16577]: Warning: EnableRemoteCommands parameter is deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead

Starting Zabbix Agent [router.xxx.lan]. Zabbix 5.0.3 (revision 6e02cfb1cf).
Press Ctrl+C to exit.

after manually removing the line:
EnableRemoteCommands=0

I still get the following error:
listener failed: bind() for [[10.10.xx.1]:10050] failed: [49] Can't assign requested address

But there's nothing running on that port...

Hope one of U has a hint...

8
19.1 Legacy Series / External User DB from LDAP not authenticating if user exists locally
« on: July 16, 2019, 05:49:19 pm »
Hi all,

I've added an LDAP server and can successfully test the password of a locally non-existing user. But as soon as the user exists in the OPNsense local user DB (even if I set a scrambled password) I get the following error:



Hope one of you has a hint?

9
19.1 Legacy Series / [SOLVED] Can't Upgrade from GUI nor Console
« on: May 23, 2019, 01:37:39 am »
I've just tried to check for upgrades and ran into issues; the first failure was:

Quote
Could not authenticate the selected mirror.

Then I google'd and found:
https://forum.opnsense.org/index.php?topic=12550.0

But checking on the console, my cert.pem size isn't 0.

Google'd again and found:
https://forum.opnsense.org/index.php?topic=4081.msg14836#msg14836

So I tried as follows:
Code:
fetch https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz
file packagesite.txz

what I got was:
Code:
packagesite.txz: HTML document, UTF-8 Unicode text

Using HTTPS I got this:
Code:
fetch https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz
No server SSL certificate
fetch: https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz: Authentication error

So at this point I'm lost and hoping for hints...

EDIT:

tried once more after a reboot:

Quote
Updating OPNsense repository catalogue...
pkg-static: repository meta /var/db/pkg/OPNsense.meta has wrong version or wrong format
pkg-static: Repository OPNsense load error: meta cannot be loaded No such file or directory
Fetching meta.txz: 100%    5 KiB   4.7kB/s    00:01
pkg-static: No signature found
repository OPNsense has no meta file, using default settings
Fetching packagesite.txz: 100%    5 KiB   4.7kB/s    00:01
pkg-static: No signature found
Unable to update repository OPNsense
Error updating repositories!

10
19.1 Legacy Series / [SOLVED] 3CX Firewall Test fails even though Firewall > NAT > Outbound is Hybrid
« on: May 20, 2019, 06:05:51 pm »
Hi all,

I've read and followed those three threads: https://forum.opnsense.org/index.php?topic=448.0 and https://forum.opnsense.org/index.php?topic=7299.msg32981#msg32981. Especially the last one has a very specific solution, but sadly that does not help with the current version of 3CX.

This is what the test tells:


This is what I've setup in OPNsense (BTW: 19.1.7)


These are the forwardings:

It doesn't make a difference if I disable or enable those rules...

And yes as this is Multi-WAN there's a rule to tell the 3CX to only use VDSL:


The document supplied by 3CX isn't very supportive either; it just tells in detail why the test is correct: https://www.3cx.com/docs/firewall-checker/

So I'm kinda lost with this, and 3CX totally refuses any further support until the firewall test gets "GREEN".


11
19.1 Legacy Series / ipsec routing problem after adding failover WAN
« on: April 04, 2019, 12:34:41 pm »
Hi hi,

I've got two APU-based OPNsense's which are connected using IPsec



After I've added MultiWAN with a failover config on location#1:


I modified the firewall rules like so:


But I still can't connect from location #1 to location #2, whilst the opposite direction still works fine. To be clear: IPsec phase 1 & 2 are connected just fine!

BTW: "CS net" is 10.10.2.0/24 and "DS net" is 10.10.5.0/24

Hope one of you spots my failure...

12
19.1 Legacy Series / Traffic-Shaper: how to define a port range in a rule
« on: March 25, 2019, 12:04:16 pm »
I've setup shaping in another firewall, I cloned the settings from another machine.

On the clone source (which was setup while running 18.7) I could setup the rule entering a port list:



The target is now running 19.1.4 and doesn't any longer allow me to enter a list of ports:


Could someone please tell me if this is intended, or if there's still a way to define several ports in one rule?

13
19.1 Legacy Series / Error during Upgrade from 19.1.2 to .4: can't use sudo nor reach the WebIF
« on: March 21, 2019, 05:25:56 pm »
Hi all,

just upgraded a bunch of machines using SSH. I've seen similar probs during 18.7 upgrades but never took the time to post...



Being dropped to such a limited shell I'm kinda lost: I can't use sudo or su, so I can't reboot the machine. And as the web interface doesn't load through my usual SSH tunnel, I can't even reboot from there!!! So pls help! :-(

If I remember correctly I didn't post when having that issue in 18.7 because back then I could use the webinterface.

14
18.7 Legacy Series / "This account is currently not available." Problem after Upgrade from 18.1.13_1
« on: September 26, 2018, 03:13:59 pm »
I'm aware of this posting. And if there's no way around that issue I need to drive quite a few km.

There's also an older Posting which describes how I did it when setting up the Router...

But how the f... could that working setting be destroyed during the upgrade path? For me it's a basic security setting to disable root and allow only key login for the other users. That is how I run all my systems! And as I'm running more than two dozen OPNsense routers all over Germany, I'm now kind of afraid to upgrade them with a simple SSH login... Seems I need to go to every single web interface and downgrade my security settings before I upgrade. Not good!

Greetz
Mircsicz

15
18.1 Legacy Series / using the configuration importer during installation
« on: June 23, 2018, 01:19:53 pm »
As I'm currently preparing a replacement router for a client I wanted to use the offered option during Installation:

Code:
Press any key to start the configuration importer: ..

But entering the USB stick's device name only leads me to an error message. If I google for that message I find this topic. And additionally I found that, but none of those solve the issue by using the offer during install.

BTW: I'm using OPNsense-18.1.6-OpenSSL-serial-amd64.img

So if I enter the drive's dev name, all I get is:

Code:
Press any key to start the configuration importer: ..

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)
<Verbatim STORE N GO 5.00>         at scbus2 target 0 lun 0 (pass1,da0)
<General USB Flash Disk 1.00>      at scbus3 target 0 lun 0 (pass2,da1)

Select device to import from (e.g. ada0) or leave blank to exit: da0

No known partition layout was found for 'da0'.

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)

So for this time I'll stick with the import through the WebGUI, but for the future I'd love to have a USB stick at hand that I connect next to the installer stick and have some client configs on that...

So my question is: what does the partition layout have to look like to be able to make use of the offered import option?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved