Messages

Found this in the logs today:

Code Select Expand


Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 06
fault virtual address = 0xc
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff8070b1b4
stack pointer         = 0x28:0xfffffe0232213280
frame pointer         = 0x28:0xfffffe02322132a0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 31124 (W#01-re0)
version.txt06000016713203656554  7630 ustarrootwheelFreeBSD 11.1-RELEASE-p2 #0 c967ed374(master): Tue Oct 17 20:39:21 CEST 2017
    root@sensey64:/usr/obj/usr/src/sys/SMP

Must be from when Suricata was enabled.

Full crash dump is herE:
https://paste.ubuntu.com/26014885/

Unusable when Suricata in IPS mode (+ promiscuous) is enabled on VLANs. This is on a Zotac CI323 with Realtek chips.
Endless reboots until Suricata is turned off.

Couldn't find anything in dmesg, so it seems to be a different issue than the kernel crashes that used to happen.

On a more positive note, FreeBSD 11.1 seems to boot normally on that hardware. It used to be that the card reader would hang the boot process for 1-2 minutes.

I think I've found the problem. Seems like the firewall is not running despite what it says on the Diagnostics page.
The logs I was seeing were from just before the upgrade.
When restarting pf, I get a notification:
There were errors loading the rules: no IP address found for vlan2

So apparently, now the firewall is taken down when such an error is encountered.

vlan2's interface is disabled, so I don't know why the firewall should care though.

Tried:
* adding the Gateway
* removing the DNS
* looking for a SSDP rul (does not exist)

Nothing worked. DNS requests never get an answer.

Yes, a reboot didn't fix it unfortunately. Everything looks green, so I'm not sure where to look for an answer.
This was an upgrade from 17.1.4.
"own DNS" means custom external nameservers are defined for the VLAN under "DNS servers" in DHCP server.

After the upgrade to 17.1.5, name resolution doesn't work for VLAN members.
Using the tools from the GUI, everything works fine.
The firewall is not blocking the outgoing requests, but it seems the answers never make it back.

VLAN define their own (external) nameservers
VLAN uses OpenVPN link as a gateway.
Nothing special in the logs.
All gateways and services up.
No proxy, no IDS.

What's the best way to debug this?

Do not turn on IPS mode in Suricata when using the new re driver because emulated netmap crashes the OS.

See: https://redmine.openinfosecfoundation.org/issues/1688

What we need is a patched Realtek driver with netmap support.
I didn't manage to patch it last year, but I'm not a driver engineer.

The alternative would be to let people pick the driver they want to use.

>The problem is: updates from anything before 16.7.14 will fail hard.

That's probably the problem then. I think I was on one of the first 16.7 releases.

>What was the original issue that led to typing the upgrade command copied from another thread? We're missing something...

An issue I often had. When manually updating packages, I often end up with a broken PHP because phalcon is not loaded any more. I can re-install from a backed up package, but this time phalcon had a problem with a missing pdo symbol and configd would no longer run.
Installing the vanilla packages seemed like a better option than trying to fix things.

Then there is a bigger problem because I don't see a timeout or login prompt. As soon as the stick is selected, the OS is loaded.

In my case I never see the installer.
I'm offered to boot to HD or USB (F1 or F5). Pressing F5 boots the USB stick, there is no installer menu. It would be strange if this was hardware related. My boot is set to legacy mode.

The image is still broken. No installation menu is being offered. The stick boots and becomes the router/firewall.

OK, so the whole system is broken.
I enabled the vga console and changed the root password. That allowed me to login, but then nothing works as all the rc.initial files are missing. Copying them doesn't help as the dependencies are missing.
Trying to run opnsense-update doesn't help. It tells me everything is up to date.
I installed opnsense-stable-17.1 to see if it would give me the missing files and it kicked me out, preventing me from logging in again and re-installed all packages at next boot.

Unfortunately, no :(

Can this be reverted in the boot console or in single-user mode?

So the solution is to not burn the image using Windows...

I've compared the burn logs between 2 images, one from OPNsense and one from the competition, which works.

OPNsense

Code Select Expand

Disk type: Removable, Sector Size: 512 bytes
Cylinders: 971, TracksPerCylinder: 255, SectorsPerTrack: 63
Partition type: MBR, NB Partitions: 1
Disk ID: 0x00000000
Drive has an unknown Master Boot Record
Partition 1:
  Type: GPT Protective MBR (0xee)
  Size: 895.5 MB (939001344 bytes)
  Start Sector: 1, Boot: No


Competition

Code Select Expand

Disk type: Removable, Sector Size: 512 bytes
Cylinders: 971, TracksPerCylinder: 255, SectorsPerTrack: 63
Partition type: MBR, NB Partitions: 1
Disk ID: 0x90909090
Drive has an unknown Master Boot Record
Partition 4:
  Type: FreeBSD (0xa5)
  Size: 24.4 MB (25600000 bytes)
  Start Sector: 0, Boot: Yes

The OPNsense image is not bootable. Same with 16.7