Messages

When it happens again, can you try to see if the configctl trick will fix this too?

You are using DHCP on WAN with a modem in front? If yes take a look at this:

https://forum.opnsense.org/index.php?topic=9050.0


Cheers,
Franco

I will give that command a try next time it occurs.

Yes to the modem in front of opnsense.  I do have gateway monitoring enabled using a far DNS ip address and it does not autorecover the wan interface when it goes down.

But everything keeps working?

It's alleged that this will trigger it...

# configctl interface reconfigure wan

.. and everything is still fine?


Cheers,
Franco

Yes, or so it seems.

However I still have issues with my internet connection randomly dropping out with OPNsense usually once a week but sometimes more often.  It's probably an issue or configuration problem.  The ISP and modem are fine.  An interface disable/enable or opnsense reboot always fixes it. 

Does this happen after a clean reboot? Or during reconfiguring OpenVPN on the GUI as well?

I think it is happening from an overnight cron job or overnight connection issue... it is fine booting and during the day... if I log into the firewall GUI in the morning, it will show the error detected, and ask me to send a report.  I know its not the periodic interface reset one, since I just added that.



0   4   *   *   *   Renew Let's Encrypt certificates   
0   3   *   *   *   Automatic firmware update   
0   *   *   *   *   Firmware changelog update   
0   5   *   *   *   Periodic interface reset (WAN)
5   *   *   *   *   Dynamic DNS Update   
0   2   *   *   *   Update and reload intrusion detection rules   

No, just tracking it. I've fixed the error parsing here, but it still boils down to: "no IP address found for ovpnc2:0"

Is ovpnc2 tun or tap? It comes up late, forcing the error on rules reload because it doesn't have an address for one reason or another.



Cheers,
Franco

They are both Tun.

Not sure if it matters but,
The client above is TCP4
The server above  is UDP4

Do you have an OpenVPN client assigned to an interface and use that for outbound NAT?


Cheers,
Franco

Yes, should it not be?

[Private Internet Access VPN Client]

I think I found the source of the error, but not sure why it is there. It does not make sense...


Private Internet Access VPN Client

Code Select Expand

opnsense: /usr/local/etc/rc.filter_configure: New alert found: There were error(s) loading the rules: no IP address found for ovpnc2:0 - The line in question reads [0]:


Local OpenVPN SSLVPN Server

Code Select Expand

opnsense: /usr/local/etc/rc.filter_configure: New alert found: There were error(s) loading the rules: no IP address found for ovpns3:network - The line in question reads [network]:

Try this patch https://github.com/opnsense/core/commit/78d84c70a via

# opnsense-patch 78d84c70a

But you also need to provide output of the error "There were error(s) loading the rules ..." that you seem to be having to be sure...

The second thing is a LibreSSL problem in the ports. It should not happen on OpenSSL flavour.

You last question, this should help...

# configctl interface reconfigure wan

You can also use this a a cron job if you want to know how to set this up from the GUI. But gateway monitoring should do this for you also if properly configured.


Cheers,
Franco

Thanks... I still had that error this morning after applying the patch.

PHP Warning:  A non-numeric value encountered in /usr/local/etc/inc/filter.inc on line 467

Is there a log file stored somewhere that would contain what is causing this error that I can open via WinSCP?



For your second suggestion... is that cron job the Periodic Interface Reset or are you referring to something else/making my own?

Thanks!

Has anyone seen these errors and have any ideas on what causes/how to fix?

OPNsense 18.1.10-amd64
FreeBSD 11.1-RELEASE-p10
LibreSSL 2.6.5
Running on Hyper-V Gen 2 with 3 NICs (Intel I350)


PHP Warning:  A non-numeric value encountered in /usr/local/etc/inc/filter.inc on line 467


opnsense: unable to dlopen /usr/local/lib/sasl2/libotp.so.3: /usr/local/lib/sasl2/libotp.so.3: Undefined symbol "EVP_MD_CTX_free"
opnsense: unable to dlopen /usr/local/lib/sasl2/libotp.so.3: /usr/local/lib/sasl2/libotp.so.3: Undefined symbol "EVP_MD_CTX_free"
opnsense: unable to dlopen /usr/local/lib/sasl2/libntlm.so.3: /usr/local/lib/sasl2/libntlm.so.3: Undefined symbol "HMAC_CTX_new"
opnsense: unable to dlopen /usr/local/lib/sasl2/libntlm.so.3: /usr/local/lib/sasl2/libntlm.so.3: Undefined symbol "HMAC_CTX_new"


Also I run into an issue where my WAN connection will randomly go down (Comcast) and I have to manually Go into interfaces, uncheck the box to disable, recheck the box to enable, then hit apply changes (basically forcing an interface reload) when the internet goes down.   I notice it does this more often when I am using PrivateInternetAccess VPN frequently on its own separate Interface... Is there a Cron or script of sorts that can do this automatically if the Gateway checker apinger or now dpinger detects a failed gateway?  I have already tried: supersede dhcp-server-identifier 255.255.255.255    but now I don't think it is a DHCP lease issue, although when I fix it, I generally have a different IP - especially if it was down for a couple hours without noticing.

Would calling /usr/local/etc/rc.newwanip    do this for me?

Same issue here... when my OPNSense does its nightly backups to Google Drive.

Is there a spot that shows the date and time a WAN DHCP release is up and will renew?  I looked in the interfaces -> Overview section of the dashboard but didn't see anything.

Thanks

Do I have to run that patch command then do the hotfix. Or can I just wait for the hotfix and not need to run that command?

My ClamAV service plugin wont start since the .2 upgrade.  I will mess with it more to attempt to resolve.  Curious if anyone else has same issue?

Nice find...

I just did a search and found this article which confirms what you said:
https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

Looks like wildcard will only support DNS validation instead of HTTPS validation for issuing cert.

I use google domains so it would be nice to see API support added... or the ability to generate and manually add a TXT DNS record for validation purposes which the regular ACME plugin supports but the OPNSense GUI does not appear to.

Has anyone else on 18.1 had issues with issuing Let's Encrypt certs using the ACME plugin?
HTTP Challenge Type

First I had to change my OPNSense firewall HTTPS port from a custom one back to 443.
Then I originally had a multi domain (SAN) filled out with a few subdomains.

Whenever I issued the cert it would have validation failed.
However, when I edited the cert just to be the main domain with no SAN's, it completed successfully.
I never had this issue before and always had a full multi-domain cert on prior releases.


Notes: All the subdomains are just CNAME entries pointing to the main domain IP to resolve through DNS.

Just done my first fresh install on hyper-v and had no issues - Just as a comment :)

Did you use a Generation 2 VM when you created yours? or was it a Generation 1?