Messages

46

17.1 Legacy Series / Re: OpenVPN: interrupted system call

« on: April 03, 2017, 12:14:21 pm »

After another day of investigations, I found out that the issue is related to IPv6.

If and only if WAN has a global IPv6 address, OpenVPN fails.

The server log (verbosity 6) gives:

Code: [Select]

Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 PUSH: Received control message: 'PUSH_REQUEST'
Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 send_push_reply(): safe_cap=940
Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 SENT CONTROL [opnsense]: 'PUSH_REPLY,route-gateway 192.168.38.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.38.254 255.255.255.0' (status=1)
Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 WRITE [50] to [AF_INET]xxx.xxx.28.18:30875: P_ACK_V1 kid=0 pid=[ #10 ] [ 6 ]
Apr  2 21:49:21 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 WRITE [187] to [AF_INET]xxx.xxx.28.18:30875: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=7 DATA len=145
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [50] from [AF_INET]xxx.xxx.28.18:30875: P_ACK_V1 kid=0 pid=[ #13 ] [ 7 ]
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [133] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=132
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [133] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=132
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [117] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=116
Apr  2 21:49:22 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 MULTI: bad source address from client [::], packet dropped
Apr  2 21:49:24 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [149] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=148
Apr  2 21:49:31 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 WRITE [69] to [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=68
Apr  2 21:49:35 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 READ [69] from [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=68
Apr  2 21:49:41 s1 openvpn-server[10536]: opnsense/xxx.xxx.28.18:30875 UDPv4 WRITE [69] to [AF_INET]xxx.xxx.28.18:30875: P_DATA_V1 kid=0 DATA len=68
Reading the OpenVPN forums, in principle, the dropped package from [::] should not be an issue, although I would like to understand why these packets are there in the first place.

On my new physical OPNSense OpenVPN client, OpenVPN connectivity breaks after 5 such messages on the server side. The identically configured virtual OPNSense OpenVPN client only produces 3 or 4 such messages and stays connected.

Searching the WWW, I found a few reports related to the message, and only one report of a user who also could track down the issue to having an IPv6 address on his internet-facing NIC.

47

17.1 Legacy Series / Re: Issue with IPv6 on 17.1.4 - transmit failed: Can't assign requested address

« on: April 03, 2017, 11:58:59 am »

Hi,

issue seems related to

https://forum.opnsense.org/index.php?topic=4816.msg18821#msg18821
https://github.com/opnsense/core/issues/1506

Best regards
Boris

48

17.1 Legacy Series / Re: OpenVPN: interrupted system call

« on: April 02, 2017, 12:11:20 pm »

I installed OPNSense from scratch and remained on 17.1.1. The issue exists there as well.

The issue appears on my new physical machine with SuperMicro X11SBA-LN4F mainboard. There is also another issue with ntp running amok (questioning time server until rate limit kicks in).

I had to go back to OPNSense on a virtual machine. There openvpn and ntp run fine.

What can I do? Any help is appreciated.

49

17.1 Legacy Series / OpenVPN: interrupted system call

« on: April 02, 2017, 08:36:27 am »

Hi,

a previously working installation of OpenVPN on 17.1.3 stopped working after upgrade to 17.1.4. After successful initiation of the VPN tunnel, I get an interrupted system call error in the log:

Code: [Select]

...
Apr  2 01:24:40 opnsense openvpn[21132]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  2 01:24:40 opnsense openvpn[21132]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Apr  2 01:24:40 opnsense openvpn[21132]: [<server FQDN>] Peer Connection Initiated with [AF_INET]<server IP address>:1194
Apr  2 01:24:41 opnsense openvpn[21132]: event_wait : Interrupted system call (code=4)
Apr  2 01:24:41 opnsense openvpn[21132]: TCP/UDP: Closing socket
Apr  2 01:24:41 opnsense openvpn[21132]: SIGTERM[hard,] received, process exiting
...
Reverting openvpn to 17.1.2 seems to have solved the problem.

Anything I can do to help track down the cause of the issue?

Kind regards,
Boris

50

General Discussion / Re: add refresh_pattern to squid.conf

« on: March 18, 2017, 02:39:02 pm »

Hi,

same need here. I would like to cache Windows updates and Debian packages. Adding a refresh_pattern to /usr/local/etc/squid does not survive a reboot.

Apart from this, I have a 500 GB SSD in my firewall just for caching. But the default partitioning creates a 22 GB tmpfs partition for var and puts the cache there. I thus does not even survive a reboot.

Kind regards
Boris

51

17.1 Legacy Series / LAN set to Track IPv6 Interface WAN but no global IPv6 address on LAN

« on: March 18, 2017, 11:15:18 am »

Hi,

I had this working once but I am unsure if I screwed up the configuration or the update from 17.1.1 to 17.1.2 was the cause. I am now on 17.1.3.

Details:

Configuration in web interface is
WAN interface: Basic, Directly send SOLICIT, DHCPv6 Prefix Delegation size 64, Send IPv6 prefix hint
LAN interface: Track IPv6 Interface WAN, IPv6 Prefix ID 0

WAN interface gets 64bit prefix from upstream stateless DHCPv6 server:

Code: [Select]

inet6 2a02:908:x:x:x:x:x:f83 prefixlen 64 autoconf
LAN interface only has link-local address

Code: [Select]

inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x1
LAN interface does not get an IPv6 address from the delegated prefix.

The following reports may or may not be related:
https://forum.opnsense.org/index.php?topic=4774.msg18598#msg18598
https://forum.opnsense.org/index.php?topic=4404.msg16570#msg16570

Any ideas other than filing an issue?

Best regards
Boris

52

17.1 Legacy Series / Re: Issue with AX88179 USB ethernet adapter

« on: March 05, 2017, 06:23:24 pm »

WEme USB 3.0 Type C to RJ45 Gigabit Ethernet Adapter

Thank you for the information on the adapters you use. Unfortunately this item does not ship to where I live.

...
Just a heads up..

That was the last nail in the coffin. I will save me further hassle and go for the SuperMicro board given the fact that any decent adapter will amount to about 10 percent of the price of the board. And I need two adapters.

Thank you for your time and consideration. That helped me to make the decision.

Kind regards
Boris

53

17.1 Legacy Series / Re: Issue with AX88179 USB ethernet adapter

« on: March 05, 2017, 08:31:59 am »

Just so happened I ran into the same issue. I switched to a Realtek USB 3 adapter instead of the AX88179 I had and it works just fine. I have a fan-less mini pc with dual nics so I had to go the USB route when setting up my guest wireless network.

Thank you for the recommendation. Browsed a hardware price comparison portal yesterday and found that even on the manufacturer's website or in the product documentation information on the chipset is given only in some cases and then it's either Asix or confusing Do you still know the brand and model of the Realtek USB 3 adapter you use?

54

17.1 Legacy Series / Re: Traffic does not pass from LAN to OPT1 in spite of firewall "pass" rules

« on: March 04, 2017, 04:18:58 pm »

Well, great, that did the job! Rule was not there, added NAT rule to do NAT from any source (there are more subnets behind the opnsense firewall) to 192.168.30.254 on OPT1 with translation/target OPT1 address.

I learned something new. Thank you very much!

Best regards
Boris

55

17.1 Legacy Series / Re: Traffic does not pass from LAN to OPT1 in spite of firewall "pass" rules

« on: March 04, 2017, 03:55:05 pm »

Thank you, Bart, for replying.

The host 192.168.30.1 is actually an AVM Fritz!Box DSL router with its LAN ports configured for subnet 192.168.30.0/24. No chance to log in and run commands. Since the Fritz!Box is connected to the internet via DSL for telephony I wanted to silo it away.

Anyway, TCP packets from my workstation 192.168.31.8 to 192.168.30.1:80 (built-in webserver) pass the opnsense firewall and replies from the webserver are returned to my workstation. I suppose that this is related to the anti-lockout rule.

56

17.1 Legacy Series / [SOLVED] Traffic does not pass from LAN to OPT1 in spite of firewall pass rules

« on: March 04, 2017, 11:08:09 am »

Hello,

searched the Internet before and found similar issues but the solutions did not apply. So please bear with me for asking here. In spite of having easy and manual firewall rules to make (all) traffic pass between LAN and OPT1, I can only reach port 80 on a host at OPT1 network from my workstation at LAN network. Please see below for details.

What do I need to do to enable full TCP connectivity from LAN network to OPT1 network? Any help would be appreciated.

Kind regards
Boris



OPNsense 17.1.2-amd64

LAN 192.168.31.0/24
     opnsense at 192.168.31.1
     my workstation at 192.168.31.8

OPT1 192.168.30.0/24
     opnsense at 192.168.30.254
     a host at 192.168.30.1

my workstation ---------------- opnsense ----------------------- host
192.168.31.8            192.168.31.1      192.168.30.254         192.168.30.1

From opnsense I can ping host at 192.168.30.1 and reach all open TCP ports.
From my workstation at 192.168.31.8 I can connect to port 80 of host 192.168.30.1.
From my workstation at 192.168.31.8 I cannot ping host 192.168.30.1 and not reach any other TCP port than 80.

Firewall: Log Files: Normal View shows that ICMP from 192.168.31.8 to 192.168.30.1 is blocked.
I add easy rule from the view to enable ICMP from 192.168.31.8 to 192.168.30.1.
Still cannot ping.
I add firewall rule for OPT1 to enable all traffic/all protocols between LAN and OPT1 networks.
Still cannot ping. Even not after a reboot.

"Block private/bogon networks" is unchecked for both LAN and OPT1.

The dashboard shows increasing packet count in at OPT1 for the pings but no packet count out.

57

17.1 Legacy Series / Re: Issue with AX88179 USB ethernet adapter

« on: March 02, 2017, 10:52:57 pm »

The box has a retail mainboard with only one ethernet NIC put in a 1U chassis in my rack which precludes adding more PCIe NICs.

Why exactly does a 1U chassis preclude the usage of a PCIe NIC? generally you can use a riser card to use an addon card (basically puts the socket at a 90 degree angle).

In principle yes, in practice no. I checked the possibility of adding a riser card before turning to the USB solution. The issue is that the position of the PCIe socket on the mainboard (distance to as well as lateral position relative to the opening in the back of the chassis) and position of the screw hole to fasten the riser card at the back of the chassis must match to make this work mechanically. I tried one spare riser card and I could not make it fit.

I had no issues with the USB adapters under Linux and would love to find a practice-proven adapter for FreeBSD/OPNSense. If that fails I will migrate to a SuperMicro X11SBA-LN4F with 8 GB RAM for the expense of 300 EUR+.

Best regards,
Boris

58

17.1 Legacy Series / Issue with AX88179 USB ethernet adapter

« on: February 26, 2017, 06:02:39 pm »

Hi,

after successful testing in a virtual machine, I replaced IPFire by OPNSense today on the real hardware. The box has a retail mainboard with only one ethernet NIC put in a 1U chassis in my rack which precludes adding more PCIe NICs. I therefore use USB Ethernet adapters for additional LAN connectivity.

My Delock 62417 adapter has the ASIX AX88179 chip and is listed as a supported device unter FreeBSD. It is detected, axge driver is loaded, an IP address can be assigned but it cannot reach anything on the LAN nor can it be reached. I successfully tested the adapter under Linux to ensure that the adapter and cabling is all right.

There is another report about malfunction in this forum but probably went unnoticed because it is in Spanish.

Is this an issue with OPNSense and if so, is there a chance that it will be fixed soon?

If not, could someone please recommend a USB 3.0 Gigabit ethernet adapter that is proven to work? TPLink UE300 is not detected, Logilink UA0144 works but is only Fast Ethernet on USB 2.0.

Thank you,
Boris