Topics - mircsicz

#1
Hi all,

this morning I got an email from my WiFi-WAN provider asking me to restore power to the AP on my roof. As I'm currently not in the EU and couldn't reach my Dad, who is housesitting, I started to dig into the issue:

Found this in the Unbound log:

2023-04-08T14:10:57 Critical unbound [31257:0] fatal error: could not complete write: /root.key: No space left on device
2023-04-08T14:10:56 Error unbound [31257:0] error: could not fflush(/root.key): No space left on device
2023-04-08T14:10:51 Warning unbound PTR record already exists for unifi.mydom.de(10.yy.xxx.14)


So I checked the FS via SSH:

mircsicz@router:~ $ uptime
2:12PM  up  4:06, 1 user, load averages: 0.42, 0.35, 0.28
mircsicz@router:~ $ df -h
Filesystem                  Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs              14G     13G   -153M   101%    /


Damn it, so my APU's 16GB SSD is full! And here's the offender:

mircsicz@router:~ $ sudo du -h /var/log
88K    /var/log/lighttpd
4.0K    /var/log/suricata
4.0K    /var/log/ntp
5.1M    /var/log/audit
8.7G    /var/log/filter


So I rm'd some of those:

mirco@router:~ $ sudo ls -lh /var/log/filter
total 18213184
-rw-------  1 root  wheel   143M Mar 10 00:00 filter_20230309.log
-rw-------  1 root  wheel   154M Mar 11 00:00 filter_20230310.log
-rw-------  1 root  wheel   127M Mar 12 00:00 filter_20230311.log
-rw-------  1 root  wheel   153M Mar 13 00:00 filter_20230312.log
-rw-------  1 root  wheel   132M Mar 14 00:00 filter_20230313.log
-rw-------  1 root  wheel   130M Mar 15 00:00 filter_20230314.log
-rw-------  1 root  wheel   140M Mar 15 23:59 filter_20230315.log
-rw-------  1 root  wheel   130M Mar 17 00:00 filter_20230316.log
-rw-------  1 root  wheel   145M Mar 18 00:00 filter_20230317.log
-rw-------  1 root  wheel   126M Mar 19 00:00 filter_20230318.log
-rw-------  1 root  wheel   125M Mar 20 00:00 filter_20230319.log
-rw-------  1 root  wheel   144M Mar 21 00:00 filter_20230320.log
-rw-------  1 root  wheel   131M Mar 22 00:00 filter_20230321.log
-rw-------  1 root  wheel   117M Mar 23 00:00 filter_20230322.log
-rw-------  1 root  wheel   150M Mar 24 00:00 filter_20230323.log
-rw-------  1 root  wheel   295M Mar 25 00:00 filter_20230324.log
-rw-------  1 root  wheel   502M Mar 25 23:59 filter_20230325.log
-rw-------  1 root  wheel   462M Mar 27 00:00 filter_20230326.log
-rw-------  1 root  wheel   502M Mar 28 00:00 filter_20230327.log
-rw-------  1 root  wheel   515M Mar 29 00:00 filter_20230328.log
-rw-------  1 root  wheel   517M Mar 30 00:00 filter_20230329.log
-rw-------  1 root  wheel   344M Mar 31 00:00 filter_20230330.log
-rw-------  1 root  wheel   320M Apr  1 00:00 filter_20230331.log
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:18 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log

root@router:/var/log/filter # rm filter_202303*
root@router:/var/log/filter # ls -lh
total 6938944
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:19 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log


Then I checked through my filter rules, but all of them are like that.

So, long story short, my question: Is there a way to check for filter rules that have logging enabled in the config?
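One way to answer that question from the shell, as an added example that is not part of the original post: a small Python script that walks an OPNsense-style config.xml and lists every filter rule whose per-rule logging flag is set. It assumes (not stated in the post) that rules live under /opnsense/filter/rule, that logging is stored as <log>1</log> and a disabled rule as <disabled>1</disabled>; the embedded config and its uuids are constructed for the demonstration. Pass the path of a real config (for instance /conf/config.xml on the firewall) as the first argument to run it against live data.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OPNsense config.xml. Assumption (not taken
# from the post): rules live under /opnsense/filter/rule, per-rule logging is stored
# as <log>1</log> and a disabled rule carries <disabled>1</disabled>. uuids are dummies.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <filter>
    <rule uuid="00000000-0000-0000-0000-000000000001">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <descr>Default allow LAN to any rule</descr>
      <log>1</log>
    </rule>
    <rule uuid="00000000-0000-0000-0000-000000000002">
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <descr>Drop scanner noise</descr>
      <log>1</log>
      <disabled>1</disabled>
    </rule>
    <rule uuid="00000000-0000-0000-0000-000000000003">
      <type>pass</type>
      <interface>opt1</interface>
      <ipprotocol>inet</ipprotocol>
      <descr>WiFi-WAN uplink, no logging</descr>
    </rule>
  </filter>
</opnsense>
"""


def logging_rules(config_xml, include_disabled=False):
    """Return the filter rules whose per-rule logging flag is set.

    Each result is a dict with uuid, type, interface, descr and disabled, in the
    order the rules appear in the config (which is also their evaluation order).
    """
    root = ET.fromstring(config_xml)
    found = []
    for rule in root.iterfind("./filter/rule"):
        if rule.findtext("log", "").strip() != "1":
            continue
        disabled = rule.findtext("disabled", "").strip() == "1"
        if disabled and not include_disabled:
            continue
        found.append({
            "uuid": rule.get("uuid", ""),
            "type": rule.findtext("type", "?"),
            "interface": rule.findtext("interface", "?"),
            "descr": rule.findtext("descr", "").strip(),
            "disabled": disabled,
        })
    return found


def main(argv):
    # With a path argument, read a real config; without one, use the sample above.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            config_xml = fh.read()
    else:
        config_xml = SAMPLE_CONFIG
    rules = logging_rules(config_xml, include_disabled=True)
    for r in rules:
        state = "disabled" if r["disabled"] else "active"
        print(f'{r["type"]:<5} {r["interface"]:<6} {state:<8} {r["descr"]}')
    print(f"{len(rules)} rule(s) with logging enabled")


if __name__ == "__main__":
    main(sys.argv)
```

A broad "pass ... to any" rule with logging on, as in the sample, writes one line per new connection and is the usual source of a filter log that grows by hundreds of megabytes a day. Note that this only covers the per-rule flag; logging of the implicit default-deny is a separate firewall setting and does not show up in these rule entries.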
#2
Hi all,

os-dyndns stopped working for me when I was using No-IP group passwords. So I had to revert to my master password for all machines using that account a while ago. That is why I was happy to read that os-ddclient is gonna replace os-dyndns!

Now that we're about to transition to 22.7 I looked into migrating my setups to os-ddclient but am facing some issues with ddclient:

I've already read this thread and also this thread

With my setup I see the following in the logs:


2022-06-22T15:59:41 Notice ddclient[98565] 93904 - [meta sequenceId="7"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:35 Notice ddclient[52758] 73674 - [meta sequenceId="6"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:10 Notice ddclient[771] 37236 - [meta sequenceId="5"] WARNING: unable to determine IP address
2022-06-22T15:59:10 Notice ddclient[771] 35027 - [meta sequenceId="4"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:07 Notice ddclient[98070] 17061 - [meta sequenceId="3"] WARNING: unable to determine IP address
2022-06-22T15:59:07 Notice ddclient[98070] 16274 - [meta sequenceId="2"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:00 Notice ddclient[95522] 19804 - [meta sequenceId="1"] WARNING: found neither ipv4 nor ipv6 address


So far I've tried the following "Check IP methods":

  • noip-ipv4
  • interface

But the log doesn't change...

This is what my ddclient.conf looks like:

daemon=300
syslog=yes                  # log update msgs to syslog
pid=/var/run/ddclient.pid   # record PID in file.
ssl=yes


use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i pppoe0 -t 1 -s noip-ipv4",
protocol=noip, \
login=MYUSER, \
password=MYPASSWD \
foo.ddns.me


I'm hoping one of you spots the missing link...

I've also read this hint and tried to run it from ssh like this:

# sudo ddclient -daemon=0 -debug -verbose -noquiet
#3
Hi all,

just wanted to migrate from IPsec to WG using this guide, but the issues won't let me...

A FW rule is in place


Checking the config it seems fine:




Except that it doesn't show Config nor handshake



On the dashboard I can see that the service isn't started:


When I check the *.conf using SSH it seems fine:

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = LOCALPRIVKEY
Address = 172.160.x.2/24
ListenPort = xx822

[Peer]
PublicKey = PEERSPUBKEY
Endpoint = 185.x.x.x:21822
AllowedIPs = 10.160.x.x/24,172.160.x.x/24
PersistentKeepalive = 60


And when I try to start the WG service from the dashboard this shows up in system.log:

Jul 24 16:56:33 router kernel: tun0: link state changed to UP
Jul 24 16:56:33 router kernel: tun0: changing name to 'wg0'
Jul 24 16:56:33 router kernel: wg0: link state changed to DOWN
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: entering configure using defaults
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: IPv4 default gateway set to opt2
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: setting IPv4 default route to 185.x.x.x
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: keeping current default gateway '185.x.x.x
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (1)
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (execute task : dpinger_configure_do(1))
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_PPPOE monitor address is empty, skipping.
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_DHCP_DHCP monitor address is empty, skipping.
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode disabled
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode enabled


And I've already restored the config: downloaded the XML, removed all WireGuard contents from the file and restored it as a backup...

Hope one of you has a hint!

BTW: all this is on 21.1.8_1
#4
After upgrading from 21.1.5 to .6 last night No-IP no longer works...

First thing I recognized were broken IPsec tunnels, then I tried to SSH in and got timeouts. So I used AnyDesk to check on the WebIFs from the other side of the WAN...

I could see that the "Cached IP" is red, so I tried a forced Update, here's what the log said:

May 28 15:57:16 router config[49757]: /services_dyndns_edit.php: Dynamic DNS (my.dns.xx): (Unknown Response)

or during bootup (right after the upgrade):

May 28 03:22:50 router opnsense[11052]: /usr/local/etc/rc.newwanip: Dynamic DNS (my.dns.xx): (Unknown Response)


So I tried setting the passwd, and got success, at least I thought so; the WebIF told me that it updated the cached IP to the actual WAN IP...

Now I just realized I still can't SSH into the router, so I pinged and saw that No-IP still holds the old IP... Double checked their WebIF, which states the same.

The OPNsense plugin WebIF seems happy with the changed cached IP but No-IP doesn't get/receive that change!

@franco hope you've got a hint... ;-)
#5
Hi all,

just installed speedtest-cli:

pkg update ; pkg install -y py37-speedtest-cli

Problem is it won't run:

Quote:
$ sudo speedtest-cli
Password:
Retrieving speedtest.net configuration...
Traceback (most recent call last):
  File "/usr/local/bin/speedtest-cli", line 11, in <module>
    load_entry_point('speedtest-cli==2.1.2', 'console_scripts', 'speedtest-cli')()
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1986, in main
    shell()
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1875, in shell
    secure=args.secure
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1091, in __init__
    self.get_config()
  File "/usr/local/lib/python3.7/site-packages/speedtest.py", line 1174, in get_config
    map(int, server_config['ignoreids'].split(','))
ValueError: invalid literal for int() with base 10: ''

Is there someone out there that got speedtest to work?
#6
Hi all, I'm well aware of: https://forum.opnsense.org/index.php?topic=5276.0 but lower and upper case both seem to be ignored...






$ sudo grep "authorization successful" /var/log/ppps.log|grep ^Mar
Mar  1 03:46:52 router ppp[52767]: [opt1_link0] LCP: authorization successful
Mar  1 03:54:25 router ppp[52767]: [opt1_link0] LCP: authorization successful
Mar  2 18:09:07 router ppp[52767]: [opt1_link0] LCP: authorization successful
Mar  5 02:09:34 router ppp[52767]: [opt1_link0] LCP: authorization successful


I've tried lower case as posted by franco in the above mentioned thread.

Hope one of you has a hint...
#7
There seems to be a bug left from the 4->5 upgrade:

root@router:/home/mirco # zabbix_agentd -c /usr/local/etc/zabbix_agentd.conf -f
zabbix_agentd [16577]: Warning: EnableRemoteCommands parameter is deprecated, use AllowKey=system.run or DenyKey=system.run instead
Starting Zabbix Agent [router.xxx.lan]. Zabbix 5.0.3 (revision 6e02cfb1cf).
Press Ctrl+C to exit.

After manually removing the line:
EnableRemoteCommands=0

I still get the following error:
listener failed: bind() for [[10.10.xx.1]:10050] failed: [49] Can't assign requested address

But there's nothing running on that port...

Hope one of U has a hint...
#8
Hi all,

I've added an LDAP server and can successfully test the passwd of a locally non-existing user. But as soon as the user exists in the OPNsense local user DB (even if I set a scrambled passwd) I get the following error:



Hope one of you has a hint?
#9
I've just tried to check for upgrades and ran into issues; the first failure was:

Quote: Could not authenticate the selected mirror.

Then I googled and found:
https://forum.opnsense.org/index.php?topic=12550.0

But checking on the console, my cert.pem size isn't 0.

Googled again and found:
https://forum.opnsense.org/index.php?topic=4081.msg14836#msg14836

So I tried as follows:

fetch https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz
file packagesite.txz


What I got was:
packagesite.txz: HTML document, UTF-8 Unicode text


Using HTTPS I got this:
fetch https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz
No server SSL certificate
fetch: https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD%3A11%3Aamd64/19.1/latest/packagesite.txz: Authentication error


So at this point I'm lost and hoping for hints...

EDIT:

tried once more after a reboot:

Quote: Updating OPNsense repository catalogue...
pkg-static: repository meta /var/db/pkg/OPNsense.meta has wrong version or wrong format
pkg-static: Repository OPNsense load error: meta cannot be loaded No such file or directory
Fetching meta.txz: 100%    5 KiB   4.7kB/s    00:01
pkg-static: No signature found
repository OPNsense has no meta file, using default settings
Fetching packagesite.txz: 100%    5 KiB   4.7kB/s    00:01
pkg-static: No signature found
Unable to update repository OPNsense
Error updating repositories!
#10
Hi all,

I've read and followed those three threads: https://forum.opnsense.org/index.php?topic=448.0 and https://forum.opnsense.org/index.php?topic=7299.msg32981#msg32981. Especially the last one has a very specific solution, but sadly that does not help with the current version of 3CX.

This is what the test tells:


This is what I've setup in OPNsense (BTW: 19.1.7)


This is the Forwardings:

Doesn't make a difference if I disable or enable those rules...

And yes as this is Multi-WAN there's a rule to tell the 3CX to only use VDSL:


The document supplied by 3CX isn't very supportive either; it's just telling in detail why the test is correct: https://www.3cx.com/docs/firewall-checker/

So I'm kinda lost with this, and 3CX totally refuses any further support until the firewall test gets "GREEN".

#11
Hi hi,

I've got two APU-based OPNsenses which are connected using IPsec



After I've added MultiWAN with a failover config on location#1:


I modified the firewall rules like so:


But I still can't connect from location #1 to location #2, whilst the opposite direction still works fine. To be clear: IPsec phase 1 & 2 are connected just fine!

BTW: "CS net" is 10.10.2.0/24 and "DS net" is 10.10.5.0/24

Hope one of you spots my failure...
#12
I've set up shaping in another firewall; I cloned the settings from another machine.

On the clone source (which was set up while running 18.7) I could set up the rule entering a port list:



The target is now running 19.1.4 and doesn't any longer allow me to enter a list of ports:


Could someone please tell me if this is intended, or if there's still a way to define several ports in one rule?
#13
Hi all,

just upgraded a bunch of machines using SSH. I've seen similar probs during 18.7 upgrades but never took the time to post...



Being dropped to such a limited shell I'm kinda lost, I can't use sudo or su, so I can't reboot the machine. And as the webinterface doesn't load through my usual SSH tunnel I can't even reboot from there!!! So pls help! :-(

If I remember correctly I didn't post when having that issue in 18.7 because back then I could use the webinterface.
#14
I'm aware of this posting. And if there's no way around that issue I need to drive quite a few km.

There's also an older Posting which describes how I did it when setting up the Router...

But how the f... could that working setting be destroyed during the upgrade path? For me it's a basic security setting to disable root and allow only key login for the other users. That is how I run all my systems! And as I'm running more than two dozen OPNsense routers all over Germany I'm now kind of afraid to upgrade them with a simple SSH login... Seems I need to go to every single web interface and downgrade my security settings before I upgrade. Not good!

Greetz
Mircsicz
#15
As I'm currently preparing a replacement router for a client I wanted to use the option offered during installation:


Press any key to start the configuration importer: ..


But entering the USB stick's device name only leads me to an error message. If I google for that message I find this topic. And additionally I found that, but none of those solve the issue by using the offer during install.

BTW: I'm using OPNsense-18.1.6-OpenSSL-serial-amd64.img

So if I enter the drive's dev name all I get is:


Press any key to start the configuration importer: ..

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)
<Verbatim STORE N GO 5.00>         at scbus2 target 0 lun 0 (pass1,da0)
<General USB Flash Disk 1.00>      at scbus3 target 0 lun 0 (pass2,da1)

Select device to import from (e.g. ada0) or leave blank to exit: da0

No known partition layout was found for 'da0'.

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)


So for this time I'll stick with the import through the WebGUI, but for the future I'd love to have a USB stick at hand that I connect next to the installer stick, with some client configs on it...

So my question is: what does the partition layout have to look like to be able to make use of the offered import option?
#16
Hi all,

I've got a weird situation on a freshly installed APU.

I forwarded HTTPS from an Exchange to enable ActiveSync, but the nmap scan only shows the port as filtered. But my SSH high port and SMTP are working as expected. Exchange sends and receives mail as expected and I'm currently using the SSH access to check the router's WebIF...

Packet capture on the target's OPNsense doesn't get a single packet and on my OPNsense all I get is SYN packets...

Now here comes the funny part: If I forward Exchange's 443 to 1443 I get to see the login page!

I hope one of you has a hint as I'm kind of lost here...

BTW: Aunty Google showed me this from the other pf-based distro: https://forum.netgate.com/topic/121743/port-forwarding-http-and-https-dont-work-on-pfsense-2-4-0-sg2220/12 But this is a UnityMedia Business line and they told me not to block any port... And as I'm on a UnityMedia Business connection too, I could prove that by forwarding one of my internal HTTPS-enabled hosts and accessing it through LTE and another external device!


mircsicz@macbook-pro-wlan ~ $ nmap -sT -P0 -p443 3x.24.13.166
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-03 04:48 CEST
Nmap scan report for b2b-3x-24-13-166.unitymedia.biz (3x.24.13.166)
Host is up.

PORT    STATE    SERVICE
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
mircsicz@macbook-pro-wlan ~ $ nmap -sT -P0 -p1443 3x.24.13.166
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-03 04:49 CEST
Nmap scan report for b2b-3x-24-13-166.unitymedia.biz (3x.24.13.166)
Host is up (0.028s latency).

PORT     STATE SERVICE
1443/tcp open  ies-lm

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
#17
I've a machine with a client for a home office. That connection drops packets from time to time. I've not had a report of issues last week, but today I got another report...

It's monitored through Zabbix so I've got some stats:
https://snag.gy/VvMzN2.jpg

And this is what the log gave me:
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI ce0e3334
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c9939946
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c62c0cf2
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI ce922c2b
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c6c5b97c
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space a


So what are those messages about?

I checked the Web-IF and saw that the tunnel had lots of SPIs, so I manually stopped the tunnel and we had a call over the tunnel which only went silent for like 10 secs... AWESOME!! When the tunnel was up again there was only the one expected SPI...

Here's the log from the time when I disconnected the tunnel:
https://pastebin.com/m9VufWAU

So my question is how can I avoid that behaviour in the future?
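As an added example, not part of the post, here is a small Python triage over charon log lines in the format shown above. It groups the SPIs charon failed to delete by timestamp, counts the PF_KEY socket errors ("No buffer space available" is the kernel's ENOBUFS on that socket), and raises an alert when several SAs fail deletion within the same second, which is the pile-up of SPIs the post describes. The first six sample lines reuse the post's own entries; the IKE line and the last SPI are constructed to show the non-alerting case.

```python
import re
from collections import defaultdict

# Constructed sample: the first six lines repeat the post's SAD-entry/PF_KEY pairs,
# the last two (a normal IKE line, one stray SPI later on) are invented for contrast.
SAMPLE_LOG = """May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI ce0e3334
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c9939946
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c62c0cf2
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:02 router charon: 05[IKE] <con1|3> IKE_SA con1[3] established between 192.0.2.1[router]...192.0.2.2[peer]
May  7 09:07:30 router charon: 09[KNL] unable to delete SAD entry with SPI 0000beef
"""

SAD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[KNL\] "
    r"unable to delete SAD entry with SPI (?P<spi>[0-9a-f]{8})"
)
PFKEY_RE = re.compile(r"charon: \d+\[KNL\] error sending to PF_KEY socket: (?P<err>.+)$")


def analyse_charon(lines, spi_threshold=3):
    """Group stale-SA deletions by timestamp and count PF_KEY socket errors.

    A timestamp with at least spi_threshold distinct SPIs that could not be
    removed is reported as an alert: that many leftover SAs dying at once is
    the SA pile-up the post describes, not a single expired child SA.
    """
    stale = defaultdict(set)   # timestamp -> SPIs charon failed to delete
    errors = defaultdict(int)  # PF_KEY error text -> occurrences
    for line in lines:
        m = SAD_RE.match(line)
        if m:
            stale[m["ts"]].add(m["spi"])
            continue
        m = PFKEY_RE.search(line)
        if m:
            errors[m["err"].strip()] += 1
    return {
        "stale_spis": {ts: sorted(spis) for ts, spis in stale.items()},
        "pfkey_errors": dict(errors),
        "alerts": [ts for ts, spis in stale.items() if len(spis) >= spi_threshold],
    }


if __name__ == "__main__":
    report = analyse_charon(SAMPLE_LOG.splitlines())
    for ts, spis in report["stale_spis"].items():
        print(f"{ts}: {len(spis)} undeletable SPI(s): {', '.join(spis)}")
    for err, n in report["pfkey_errors"].items():
        print(f"PF_KEY error '{err}' seen {n} time(s)")
    print("alerts:", report["alerts"] or "none")
```

Fed with the firewall's ipsec log (for example via tail -f piped into a variant of this that reads stdin), the alert list gives an early warning that child SAs are accumulating, before the tunnel degrades to the point where a manual restart is the only fix.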


#18
We're having issues with one router where Windows clients are not receiving their leases:


May 7 09:56:03 dhcpd: DHCPACK to 10.xx.yy.77 (80:fa:5b:57:11:18) via igb1
May 7 09:56:03 dhcpd: DHCPINFORM from 10.xx.yy.77 via igb1
May 7 09:56:03 dhcpd: DHCPACK on 10.xx.yy.77 to 80:fa:5b:57:11:18 via igb1
May 7 09:56:03 dhcpd: DHCPREQUEST for 10.xx.yy.77 (10.xx.yy.1) from 80:fa:5b:57:11:18 via igb1
May 7 09:56:03 dhcpd: DHCPOFFER on 10.xx.yy.77 to 80:fa:5b:57:11:18 via igb1
May 7 09:56:03 dhcpd: DHCPDISCOVER from 80:fa:5b:57:11:18 via igb1


Windows only gets itself a 169 IP, and if I reboot into Linux I see the same log entries but Linux sets the correct IP. As this is over several Windows machines I don't have a clue what this is about...
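Added example, not from the post: a Python helper that reconstructs the DHCP exchange per client MAC from dhcpd log lines like the ones above and classifies each client, so a complete DISCOVER/OFFER/REQUEST/ACK sequence on the server side (which is what the post's log shows) can be told apart from a client that never gets an OFFER, one whose REQUEST goes unanswered, or one that DECLINEs the address after detecting a conflict. The sample lines are constructed with a dummy 10.0.0.0/24 network in place of the post's masked 10.xx.yy values, and the second MAC is invented.

```python
import re
from collections import defaultdict

# Constructed sample in dhcpd's log format. The first six lines mirror the post's
# exchange (with 10.0.0.x standing in for the masked addresses); the second client
# is invented to show a DISCOVER that is never answered.
SAMPLE_LOG = """May  7 09:56:03 dhcpd: DHCPACK to 10.0.0.77 (80:fa:5b:57:11:18) via igb1
May  7 09:56:03 dhcpd: DHCPINFORM from 10.0.0.77 via igb1
May  7 09:56:03 dhcpd: DHCPACK on 10.0.0.77 to 80:fa:5b:57:11:18 via igb1
May  7 09:56:03 dhcpd: DHCPREQUEST for 10.0.0.77 (10.0.0.1) from 80:fa:5b:57:11:18 via igb1
May  7 09:56:03 dhcpd: DHCPOFFER on 10.0.0.77 to 80:fa:5b:57:11:18 via igb1
May  7 09:56:03 dhcpd: DHCPDISCOVER from 80:fa:5b:57:11:18 via igb1
May  7 09:57:10 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via igb1
May  7 09:57:14 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via igb1
May  7 09:57:22 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via igb1
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dhcpd: (?P<msg>DHCP[A-Z]+) (?P<rest>.*)$")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
VIA_RE = re.compile(r"\bvia (\S+)$")


def classify(seen):
    """Map the set of message types seen for one client to a triage verdict."""
    if "DHCPDECLINE" in seen:
        return "declined (client detected an address conflict)"
    if "DHCPNAK" in seen:
        return "nak"
    if {"DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"} <= seen:
        return "lease acknowledged"
    if "DHCPACK" in seen:
        return "renewal acknowledged"
    if "DHCPREQUEST" in seen:
        return "request unanswered"
    if "DHCPOFFER" in seen:
        return "offer not requested"
    if "DHCPDISCOVER" in seen:
        return "discover unanswered"
    return "unknown"


def triage_dhcp(lines):
    """Return {mac: {seen, ip, iface, count, status}} built from dhcpd log lines."""
    clients = defaultdict(lambda: {"seen": set(), "ip": None, "iface": None, "count": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        mac = MAC_RE.search(m["rest"])
        if not mac:
            # DHCPINFORM is logged with the IP only, so it cannot be attributed to a MAC here.
            continue
        entry = clients[mac.group(1).lower()]
        msg = m["msg"]
        entry["seen"].add(msg)
        entry["count"] += 1
        if msg in ("DHCPOFFER", "DHCPACK"):
            # The first address in OFFER/ACK lines is the one the server handed out.
            ip = IP_RE.search(m["rest"])
            if ip:
                entry["ip"] = ip.group(1)
        via = VIA_RE.search(m["rest"])
        if via:
            entry["iface"] = via.group(1)
    for entry in clients.values():
        entry["status"] = classify(entry["seen"])
    return dict(clients)


if __name__ == "__main__":
    for mac, info in triage_dhcp(SAMPLE_LOG.splitlines()).items():
        print(f"{mac}  {info['iface']}  {info['ip'] or '-':<12} {info['count']} msg(s)  {info['status']}")
```

For the post's client the verdict is "lease acknowledged": the server completed the exchange, so a Windows host that still ends up on 169.254.x.x either never received the ACK on the wire or gave the address up afterwards, and the next thing to look at is the client side (its own DHCP client log, or a DHCPDECLINE that would appear in this log if the client detected a duplicate address).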

#19
On a newly installed machine (based on an APU1) I see the following issue:

opnsense: /services_dyndns_edit.php: Aborted IP detection: Failed to connect to checkip.dyndns.org port 80: Operation timed out

And I'm not sure why I saw the same message with this host too: dynupdate.no-ip.com, which BTW makes way more sense as I'm using No-IP...


And yes I'm aware of:
https://forum.opnsense.org/index.php?topic=4727.0
and
https://forum.opnsense.org/index.php?topic=4114.0

Greetz
Mircsicz
#20
17.7 Legacy Series / can't boot nano on QSeven Atom
January 15, 2018, 09:49:59 AM
I've an older model of https://www.dsm-computer.de/products-solutions/products/systems/din-rail-pc/din-rail-pc-h1-a3.html which I'd like to reuse as a router in the family...

I've flashed OPNsense-17.7.5-OpenSSL-nano-i386.img to an SD and successfully booted for the first time, assigned interfaces and so on. Then I rebooted and ended up with an unbootable system:

Quote:
can't load kernel

was the message I was facing

I've tried to deal with it at the prompt. Been setting currdev & rootdev, even set it in loader.conf on the SD directly, but that didn't change the behaviour...

Here are some screenshots:

So loaddev and currdev show a different slice than lsdev; is that OK or maybe the reason?



So if anyone has a clue why the heck it doesn't load the kernel I'd be very grateful.