Messages

151

24.7 Production Series / Re: 24.10 BE upgrade CRL errors

« on: November 08, 2024, 12:39:07 pm »

CRL auto fetch is a workaround for an empty CRL file, but basically you are left without a valid CRL download which we need to debug (and I'm having a deja-vu here writing this).

What's the content of the libfetch_crl file in the error case?

HTTP(S)_PROXY should work in upper and lower case according to the Python code itself.


Cheers,
Franco

152

General Discussion / Re: Missing .crt Download Option in CA Management (OPNsense 24.7)

« on: November 08, 2024, 12:35:59 pm »

In general ".pem" means PEM format, ".crt" means PEM or DER format, but as Cedrik said some applications expect only DER for .crt and worst case a PEM in MS line ending format. OpenSSL conversion utilities are your friend here.

https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/


Cheers,
Franco

153

24.7 Production Series / Re: 24.10 BE upgrade CRL errors

« on: November 08, 2024, 08:24:39 am »

After editing the script to run fine try to delete the old crl files:

# rm /tmp/libfetch_crl.*

And try the GUI again.


Cheers,
Franco

154

24.7 Production Series / Re: 24.10 BE upgrade CRL errors

« on: November 08, 2024, 08:21:10 am »

Thanks, looking into it now.


Cheers,
Franco

155

General Discussion / Re: Nominate OPNsense and FreeBSD Foundation for Proton's Fundraiser (Big Reward)!!

« on: November 08, 2024, 08:20:44 am »

Thanks all for the support <3

156

General Discussion / Re: Boot from imported boot environment failed

« on: November 08, 2024, 08:16:55 am »

Yes, a fresh install with 24.7 has newer ZFS options/features introduced.

It's been so long on FreeBSD 13 that it was probably not noticeable before because all resulting systems behaved the same.


Cheers,
Franco

157

24.7 Production Series / Re: Disk read errors

« on: November 08, 2024, 08:07:18 am »

It's in effect for all systems beginning with 23.7.12 unless the sysctl is overwritten. Note this lowers the writes but does not eliminate them. IMO this is a ZFS design flaw flushing metadata for an unchanged file system, it's probably keeping track of itself more than the actual data, but it is what it is.


Cheers,
Franco

158

24.7 Production Series / Re: WAN gateway not going back up after Internet outage

« on: November 08, 2024, 08:04:31 am »

Someone may have taken the time to find out what the actual issue is:

https://github.com/opnsense/core/issues/7635#issuecomment-2462066123

leading to

https://github.com/opnsense/core/issues/7027#issuecomment-2462108325


Cheers,
Franco

159

24.1 Legacy Series / Re: Kea DHCP IPv6?

« on: November 08, 2024, 08:01:13 am »

https://kasiviswanathanblog.wordpress.com/2017/06/04/dnsmasq-a-simple-dhcpv6-server-for-embedded-devices/

FWIW, Dnsmasq rework moves further into 2025 territory. Just too much other priorities at the moment.


Cheers,
Franco

160

24.7 Production Series / Re: IPv6 prefix delegation not working with 24.7.1-.3

« on: November 08, 2024, 07:57:50 am »

Well if you see any of those messages in the log and then it stops then maybe. If you don't see the log messages code that isn't executed is likely not the issue. Every change was confirmed by the respective reporter, too. It feels like playing whac-a-mole: fix one provider break another, but then again it has always been this way.

I still think the random number changes are the culprit (from "random" static to actually random as per RFC), but for the right reasons and not the wrong ones. If anyone wants to poke at this be my guest. Most I have seen is ISPs not repying meaning that they probably don't like the timings which is unfortunate but impossible to debug from the client side.


Cheers,
Franco

161

General Discussion / Re: Latest version 24.7.8 in continuous update loop?

« on: November 07, 2024, 02:29:28 pm »

Try to move /boot/kernel.old to somewhere else. UFS corruption?

# mv /boot/kermel.old /tmp

That's how I usually deal with defunct inodes.


Cheers,
Franco

162

General Discussion / Re: Why bother downloading Bogons v6 when they're not used?

« on: November 07, 2024, 08:22:01 am »

Yeah, valid concern in any case. The script has other issues but let's just fix the wording:

https://github.com/opnsense/core/commit/671f4d44159


Thanks,
Franco

163

24.7 Production Series / Re: Is there a practical limitation on the number of ipsec tunnels?

« on: November 07, 2024, 08:07:51 am »

Which version? How much IPsec traffic on average?


Cheers,
Franco

164

General Discussion / Re: Why bother downloading Bogons v6 when they're not used?

« on: November 07, 2024, 08:06:27 am »

Mostly to bridge the gap between disabling and enabling IPv6 and getting the correct values on the switch. The file on the mirror is 90 kb and contains both IPv4 and IPv6 anyway


Cheers,
Franco

165

24.7 Production Series / Re: Is there a practical limitation on the number of ipsec tunnels?

« on: November 06, 2024, 07:46:31 pm »

From experience three digit situations should be more than workable. In practice... it depends like Cedrik mentions.


Cheers,
Franco