Topics

1

21.1 Legacy Series / WireGuard Issue's while setting up

« on: July 24, 2021, 05:09:32 pm »

Hi all,

just wanted to migrate from IPsec to WG using his guide, but the issue's won't let me...

A FW rule is in place


Checking the config it seems fine:




Except that it doesn't show Config nor handshake



On the dashboard I can see that the service isn't started:


When I check the *.conf using SSH it seems fine:

Code: [Select]

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = LOCALPRIVKEY
Address = 172.160.x.2/24
ListenPort = xx822

[Peer]
PublicKey = PEERSPUBKEY
Endpoint = 185.x.x.x:21822
AllowedIPs = 10.160.x.x/24,172.160.x.x/24
PersistentKeepalive = 60

And when I try to start the WG Service from the Dashboard this show's up in system.log:

Code: [Select]

Jul 24 16:56:33 router kernel: tun0: link state changed to UP
Jul 24 16:56:33 router kernel: tun0: changing name to 'wg0'
Jul 24 16:56:33 router kernel: wg0: link state changed to DOWN
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: entering configure using defaults
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: IPv4 default gateway set to opt2
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: setting IPv4 default route to 185.x.x.x
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: keeping current default gateway '185.x.x.x
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (1)
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (execute task : dpinger_configure_do(1))
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_PPPOE monitor address is empty, skipping.
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_DHCP_DHCP monitor address is empty, skipping.
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode disabled
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode enabled

And I've already restored the config: downloaded the xml removed all WireGuard Contents from the file and restored it as a backup...

Hope one of you has a hint!

BTW: all this is on 21.1.8_1

2

21.1 Legacy Series / [SOLVED] No-IP Update broke with 21.1.6 (os-dyndns 1.24)

« on: May 28, 2021, 05:38:25 pm »

After upgrading from 21.1.5 to .6 last night No-IP do no longer work...

First thing I recognized were broken IPsec Tunnels, then I tried to SSH in and got timeouts. So I used anydesk to check on the webif's from the other side of the WAN...

I could see that the "Cached IP" is red, so I tried a forced Update, here's what the log said:

Code: [Select]

May 28 15:57:16 router config[49757]: /services_dyndns_edit.php: Dynamic DNS (my.dns.xx): (Unknown Response)
or during bootup (right after the upgrade):

Code: [Select]

May 28 03:22:50 router opnsense[11052]: /usr/local/etc/rc.newwanip: Dynamic DNS (my.dns.xx): (Unknown Response)

So I tried setting the passwd, and got success, at least I thought so, the WebIF told me that it updated the cached IP to the actual WAN-IP...

Now I just realized I still can't SSH into the router, so I pinged and saw that No-IP still holds the old IP... Double checked their WebIF which stat's the same.

OPNsense Plugin WebIF seems happy with changed cached-IP but No-Ip doesn't get/receive that change!

@franco hope you've got a hint... ;-)

3

21.1 Legacy Series / [SOLVED] speedtest-cli not working

« on: April 20, 2021, 07:43:03 am »

Hi all,

just installed speedtest-cli:

Code: [Select]

pkg update ; pkg install -y py37-speedtest-cli
Problem is it won't run:

$ sudo speedtest-cli
Password:
Retrieving speedtest.net configuration...
Traceback (most recent call last):
  File "/usr/local/bin/speedtest-cli", line 11, in <module>
    load_entry_point('speedtest-cli==2.1.2', 'console_scripts', 'speedtest-cli')()
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1986, in main
    shell()
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1875, in shell
    secure=args.secure
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1091, in __init__
    self.get_config()
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1174, in get_config
    map(int, server_config['ignoreids'].split(','))
ValueError: invalid literal for int() with base 10: ''

Is there someone out there that got speedtest to work?

4

21.1 Legacy Series / Periodic Interface reset seems to ignore my params

« on: March 05, 2021, 07:46:35 pm »

Hi all, I'm well aware of: https://forum.opnsense.org/index.php?topic=5276.0 but lower and upper case both seem to be ignored...

Code: [Select]

$ sudo grep "authorization successful" /var/log/ppps.log|grep ^Mar
Mar  1 03:46:52 router ppp[52767]: [opt1_link0] LCP: authorization successful
Mar  1 03:54:25 router ppp[52767]: [opt1_link0] LCP: authorization successful
Mar  2 18:09:07 router ppp[52767]: [opt1_link0] LCP: authorization successful
Mar  5 02:09:34 router ppp[52767]: [opt1_link0] LCP: authorization successful

I've tried lower case as posted by franco in the above mentioned thread.

Hope one of you has a hint...

5

20.7 Legacy Series / 20.7.3 zabbix-agent 5.0.3 won't start

« on: October 04, 2020, 03:24:50 am »

There seems to be a bug left from the 4->5 upgrade:

root@router:/home/mirco # zabbix_agentd -c /usr/local/etc/zabbix_agentd.conf -f
zabbix_agentd [16577]: Warning: EnableRemoteCommands parameter is deprecated, use AllowKey=system.run

• or DenyKey=system.run
• instead

Starting Zabbix Agent [router.xxx.lan]. Zabbix 5.0.3 (revision 6e02cfb1cf).
Press Ctrl+C to exit.

after manually removing the line:
EnableRemoteCommands=0

I still get the following error:
listener failed: bind() for [[10.10.xx.1]:10050] failed: [49] Can't assign requested address

But there's nothing running on that port...

Hope one of U has a hint...

6

19.1 Legacy Series / External User DB from LDAP not authenticating if user exists locally

« on: July 16, 2019, 05:49:19 pm »

Hi all,

I've added an LDAP server and can successfully test the passwd of a locally non existing user. But as soon as the user exists on the OPNsense local User-DB (even if I set a scrambled Passwd) I get the following error:



Hope one of you has hint?

7

19.1 Legacy Series / [SOLVED] Can't Upgrade from GUI nor Console

« on: May 23, 2019, 01:37:39 am »

I've just tried to check for upgrades and ran into issue's, first failure was:

Could not authenticate the selected mirror.

Then I google'd and found:
https://forum.opnsense.org/index.php?topic=12550.0

But checking on the console my cert.pem sized isn't 0.

Google'd again and found:
https://forum.opnsense.org/index.php?topic=4081.msg14836#msg14836

So I tried as follow's:

Code: [Select]

fetch https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz
file packagesite.txz

what I got was:

Code: [Select]

packagesite.txz: HTML document, UTF-8 Unicode text

Using HTTPS I got this

Code: [Select]

fetch https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz
No server SSL certificate
fetch: https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz: Authentication error

So at this point I'm lost and hoping for hints...

EDIT:

tried once more after a reboot:

Updating OPNsense repository catalogue...
pkg-static: repository meta /var/db/pkg/OPNsense.meta has wrong version or wrong format
pkg-static: Repository OPNsense load error: meta cannot be loaded No such file or directory
Fetching meta.txz: 100%    5 KiB   4.7kB/s    00:01
pkg-static: No signature found
repository OPNsense has no meta file, using default settings
Fetching packagesite.txz: 100%    5 KiB   4.7kB/s    00:01
pkg-static: No signature found
Unable to update repository OPNsense
Error updating repositories!

8

19.1 Legacy Series / [SOLVED] 3CX Firewall Test fails even though Firewall > NAT > Outbound is Hybrid

« on: May 20, 2019, 06:05:51 pm »

Hi all,

I've read and followed those three thread's: https://forum.opnsense.org/index.php?topic=448.0 and https://forum.opnsense.org/index.php?topic=7299.msg32981#msg32981. Especially the last one has a very specific solution but sadly that does not help with the current version of 3CX

This is what the test tells:


This is what I've setup in OPNsense (BTW: 19.1.7)


This is the Forwardings:

Doesn't make a difference if I disable or enable those rule's...

And yes as this is Multi-WAN there's a rule to tell the 3CX to only use VDSL:


The Document supplied by 3CX neither isn't very supportive, it's just telling in detail why the test is correct: https://www.3cx.com/docs/firewall-checker/

So I'm kinda lost with this, and 3CX totally refuses any further support until firewall test gets "GREEN"

9

19.1 Legacy Series / ipsec routing problem after adding failover WAN

« on: April 04, 2019, 12:34:41 pm »

Hi hi,

I've got two APU based OPNsense's which are connected using Ipsec



After I've added MultiWAN with a failover config on location#1:


I modified the firewall rules like so:


But I still can't connect from location #1 to location #2, whilst the opposite direction still works fine. To be clear: IPsec phase 1 & 2 are connected just fine!

BTW: "CS net" is 10.10.2.0/24 an "DS net" is 10.10.5.0/24

Hope one of you spot's my failure...

10

19.1 Legacy Series / Traffic-Shaper: how to define a port range in a rule

« on: March 25, 2019, 12:04:16 pm »

I've setup shaping in another firewall, I cloned the settings from another machine.

On the clone source (which was setup while running 18.7) I could setup the rule entering a port list:



The target is now running 19.1.4 and doesn't any longer allow me to enter a list of ports:


Could some please tell me if this is intended, or if there's still a way to define several ports in one rule?

11

19.1 Legacy Series / Error during Upgrade from 19.1.2 to .4: can't use sudo nor reach the WebIF

« on: March 21, 2019, 05:25:56 pm »

Hi all,

just upgraded a bunch of machines using SSH. I've seen similar probs during 18.7 upgrades but never took the time to post...



Being dropped to such a limited shell I'm kinda lost, I can't use sudo or su, so I can't reboot the machine. And as the webinterface doesn't load through my usual SSH tunnel I can't even reboot from there!!! So pls help! :-(

If I remember correctly I didn't post when having that issue in 18.7 because back then I could use the webinterface.

12

18.7 Legacy Series / "This account is currently not available." Problem after Upgrade from 18.1.13_1

« on: September 26, 2018, 03:13:59 pm »

I'm aware of this Posting. And if there's no way around that issue I need to drive quite a few km's.

There's also an older Posting which describes how I did it when setting up the Router...

But how the f... could that working setting be destroyed during the upgrade path. For me it's a basic security setting to disable root and allow only key login to the other user's. That is how I run all my system's! And as I'm running more than two dozen OPNsense router's all over germany I'm now kind of afraid to upgrade them with a simple SSH login... Seem's I need to go to every single Webinterface and downgrade my security settings before I upgrade. Not good!

Greetz
Mircsicz

13

18.1 Legacy Series / using the configuration importer during installation

« on: June 23, 2018, 01:19:53 pm »

As I'm currently preparing a replacement router for a client I wanted to use the offered option during Installation:

Code: [Select]

Press any key to start the configuration importer: ..

But entering the USB Stick's device name only lead's me to an error message. If I google for that message I find this Topic. And additionally I found that, but none of those solve the issue by using the offer during install.

BTW: I'm using OPNsense-18.1.6-OpenSSL-serial-amd64.img

So if I enter the drive's dev name all I get is:

Code: [Select]

Press any key to start the configuration importer: ..

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)
<Verbatim STORE N GO 5.00>         at scbus2 target 0 lun 0 (pass1,da0)
<General USB Flash Disk 1.00>      at scbus3 target 0 lun 0 (pass2,da1)

Select device to import from (e.g. ada0) or leave blank to exit: da0

No known partition layout was found for 'da0'.

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)

So for this time I'll stick with the import through the WebGUI, but for the future I'ld love to have an USB-Stick at hand that I connect in next to the installer stick and have some Client config's on that...

So my question is how has the partition layout to be like, to be able to make a use of the offered import option?

14

18.1 Legacy Series / [SOLVED] Port Forward on 443 not working but 1443 to the same machine is fine

« on: June 03, 2018, 04:12:53 am »

Hi all,

I've got a weird situation on a freshly installed APU.

I forwarded HTTPS from an Exchange to enable ActiveSync but the nmap scan only show's the port as filtered. But my SSH HiPort and SMTP are working as expected. Exchange sends and receive's Mail as expected and I'm currently using the SSH Access to check the Router's WebIF...

Packet Capture on target's OPNsense doesn't get a single package and on my OPNsense all I get is SYN packages...

Now here comes the funny part: If I forward Exchange's 443 to 1443 I get to see the login page!

I hope one of you has a hint as I'm kind a lost here...

BTW: Aunty Google showd me that from the other pf based distri: https://forum.netgate.com/topic/121743/port-forwarding-http-and-https-dont-work-on-pfsense-2-4-0-sg2220/12 But this is a UnityMedia Business Line and they told me not to block any port... And as I'm on a UnityMedia Business connection to I could approve that by forwarding one of my internal HTTPS enabled host's and accessing it through LTE and another external device!

Code: [Select]

mircsicz@macbook-pro-wlan ~ $ nmap -sT -P0 -p443 3x.24.13.166
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-03 04:48 CEST
Nmap scan report for b2b-3x-24-13-166.unitymedia.biz (3x.24.13.166)
Host is up.

PORT    STATE    SERVICE
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
mircsicz@macbook-pro-wlan ~ $ nmap -sT -P0 -p1443 3x.24.13.166
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-03 04:49 CEST
Nmap scan report for b2b-3x-24-13-166.unitymedia.biz (3x.24.13.166)
Host is up (0.028s latency).

PORT     STATE SERVICE
1443/tcp open  ies-lm

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds


15

18.1 Legacy Series / 18.1.6 IPsec with packet loss

« on: May 07, 2018, 12:35:32 pm »

I've a machine with a client for a home-office. That connection drop's packages from time to time. I've not had a report for issue's last week but today I got another report...

It's monitored through Zabbix so I've got some stat's:
https://snag.gy/VvMzN2.jpg

And this is what the log gave me:

Code: [Select]

May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI ce0e3334
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c9939946
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c62c0cf2
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI ce922c2b
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c6c5b97c
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space a
So what are those messages about?

I checked the Web-IF and saw that the tunnel had lot's of SPI's, so I manually stopped the tunnel and we had a call over the tunnel which only went silent for like 10 sec's... AWESOME!! When the tunnel was up again it was only the one expected SPI there...

Here's the log from the time when I diconnected the tunnel:
https://pastebin.com/m9VufWAU

So my question is how can I avoid that behaviour in the future?