Messages - elektroinside

#541
Ok, the switch to master worked. Let me try to reproduce the issue.
#542
Should I run 'opnsense-update -t opnsense' and then 'make upgrade CORE_ABI=18.1 CORE_NAME=opnsense'?
#543
Hi Franco,

In the meantime I've switched back to devel and updated to 18.1.r15.
Same issue though... I also needed to apply the OpenVPN patch as well.

I just tried to update to master, but:


root@gateway:~ # opnsense-code core
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        git: 2.15.1
        p5-Error: 0.17025
        cvsps: 2.1_2

Number of packages to be installed: 3

The process will require 27 MiB more space.
4 MiB to be downloaded.
[1/3] Fetching git-2.15.1.txz: 100%    4 MiB   4.5MB/s    00:01
[2/3] Fetching p5-Error-0.17025.txz: 100%   19 KiB  19.3kB/s    00:01
[3/3] Fetching cvsps-2.1_2.txz: 100%   41 KiB  41.6kB/s    00:01
Checking integrity... done (0 conflicting)
[1/3] Installing p5-Error-0.17025...
[1/3] Extracting p5-Error-0.17025: 100%
[2/3] Installing cvsps-2.1_2...
[2/3] Extracting cvsps-2.1_2: 100%
[3/3] Installing git-2.15.1...
===> Creating groups.
Creating group 'git_daemon' with gid '964'.
===> Creating users
Creating user 'git_daemon' with uid '964'.
Extracting git-2.15.1: 100%
Message from cvsps-2.1_2:

===>   NOTICE:

The cvsps port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
Message from git-2.15.1:

------------------------------------------------------------------------
*************************** GITWEB *************************************
If you installed the GITWEB option please follow these instructions:

In the directory /usr/local/share/examples/git/gitweb you can find all files to
make gitweb work as a public repository on the web.

All you have to do to make gitweb work is:
1) Copy the files /usr/local/share/examples/git/gitweb/* to a directory on
   your web server (e.g. Apache2) in which you are able to execute
   CGI-scripts.
2) In gitweb.cgi, adjust the variable $projectroot to point to
   your git repository (that is where you have your *.git project
   directories).
*************************** GITWEB *************************************

*************************** CONTRIB ************************************
If you installed the CONTRIB option please note that the scripts are
installed in /usr/local/share/git-core/contrib. Some of them require
other ports to be installed (perl, python, etc), which you may need to
install manually.
*************************** CONTRIB ************************************
------------------------------------------------------------------------
Cloning into '/usr/core'...
remote: Counting objects: 93291, done.
remote: Compressing objects: 100% (36/36), done.
remote: Total 93291 (delta 15), reused 28 (delta 12), pack-reused 93242
Receiving objects: 100% (93291/93291), 56.53 MiB | 4.96 MiB/s, done.
Resolving deltas: 100% (66667/66667), done.
root@gateway:~ # cd /usr/core
root@gateway:/usr/core # make upgrade CORE_ABI=18.1 CORE_NAME=opnsense
pkg: No package(s) matching opnsense
>>> Cannot find package.  Please run 'opnsense-update -t opnsense'
*** Error code 1

Stop.
make: stopped in /usr/core



Think I did something stupid... I'm not a newbie as a user of FreeBSD firewalls, I'm a total newbie in FreeBSD though, I never did go deeper than the GUI up until now :-) Sorry for the headaches.
#544
Can I delete this exact reply? Accidentally quoted myself :) Anyway, is the verbosity level ok?
#545
I have sent you a wetransfer download link in your PM with both.

Thanks Franco!
#546
I'm also confident that the alerts reflected the reality, as it blocked eicar for example, or other wicar tests or other custom rules with both versions...
#547
Rebooted the box twice after applying the patch (1-console, 2-GUI)
First time it worked, the second it didn't...

Sure Franco, any time.
#548
I sent you the diff in a PM, it has some data I would not like to be made public...
#549
Only OpenVPN, which I use to connect with clients from my workplace and phone. I'm pushing all the traffic through the tunnel on the clients, but on the server it's a standard setup with "redirect gateway" enabled...

Not using ddns as my ISP provides this service for me.

Do you want me to open another thread for the pf restart issue and post the diff there, not to mix the thread with other stuff? The OpenVPN issue was fixed anyway...
#550
Another strange thing I noticed after upgrading to 18.1.r1:

With 18.1.r1, IDS+IPS enabled, download speed decreased to about half ~550Mbit/s. Disabling IDS+IPS I'm back to my full speed ~980Mbit/s.
Same IDS+IPS rules, same everything, but with 17.7.11: ~980Mbit/s

IDS+IPS was up and running in both cases, as I could see my own rules being blocked, some other rules being blocked, exceptions being passed and so on...

This https://forum.opnsense.org/index.php?topic=6590.0 actually made things worse for me so I deleted the stuff I added (while I was on 17.7.11)...
#551
And so I removed the patch once again (basically trying again what you previously asked me, removing the patch).
It didn't work this time. I did not get logged out from the GUI and I still needed to restart pf...
#552
So..


Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From 50e53ab4a0698f08c21f1b8efefb10622224483a Mon Sep 17 00:00:00 2001
|From: Franco Fichtner <franco@opnsense.org>
|Date: Sat, 16 Sep 2017 17:57:46 +0200
|Subject: [PATCH] interfaces: reload filter before reloading plugins for
| connectivity
|
|PR: https://forum.opnsense.org/index.php?topic=4727.0
|PR: https://github.com/opnsense/core/issues/1403
|---
| src/etc/rc.newwanip   | 7 ++++---
| src/etc/rc.newwanipv6 | 7 ++++---
| 2 files changed, 8 insertions(+), 6 deletions(-)
|
|diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip
|index 8271b8476..486d3e2a5 100755
|--- a/src/etc/rc.newwanip
|+++ b/src/etc/rc.newwanip
--------------------------
Patching file etc/rc.newwanip using Plan A...
Reversed (or previously applied) patch detected!  Assuming -R.
Hunk #1 succeeded at 162.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6
|index 6d1259713..1438c4f51 100755
|--- a/src/etc/rc.newwanipv6
|+++ b/src/etc/rc.newwanipv6
--------------------------
Patching file etc/rc.newwanipv6 using Plan A...
Reversed (or previously applied) patch detected!  Assuming -R.
Hunk #1 succeeded at 143.
done
All patches have been applied successfully.  Have a nice day.



After applying the patch, I logged in to the GUI. After ~30secs got logged out automatically (something has restarted/reloaded stuff which logged me out) from the GUI, but on the other hand, on the LAN side things started to work again without pf restart.

And so I reapplied the patch, and back to the issue, reproduced again.
#553
Quote from: franco on January 13, 2018, 12:37:48 PM
What kind of WAN link do you use? Does this affect IPv4 and IPv6 or just one of them? Can you ping the Internet from the OPNsense box before restarting pf?


Cheers,
Franco
It's a PPPoE link. Disabling IPv6 on the WAN didn't help, so IPv4 for sure is affected. I can reproduce every time.

I can ping from the OPNsense box, I can't from the LAN clients, not until I restart pf. This was not an issue with 17.7.11 (latest stable from the 17 branch, I guess this is it).
#554
Update:

https://github.com/opnsense/core/commit/60e4e8080 seems to have fixed the alias problem.

I still need to restart pf in order to get the internet working...
#555
Confirming that d215ab49 vpn patch works fine:

  • VPN clients connected
  • Internet connection up & running (my server has "redirect gateway" enabled)
  • Local clients browsable (on the vpn server side)

Issues remaining on my side: the alias resolution and the strange need to restart pf after OPNsense reboot...