Messages - Remington

1
22.1 Legacy Series / Re: DNS problem after upgrade to 22.1.5
« on: April 09, 2022, 08:54:59 pm »
I think this is related to https://forum.opnsense.org/index.php?topic=27861.0.
If you restart the unbound manually it loads its legacy config.
21.1.5 brought a new UI for unbound. I found that at least overwrites were not migrated correctly.
Have you checked the config of unbound?
Btw, if you click Apply in the UI, it loads the config the new way and you should see the issues again.

2
22.1 Legacy Series / Re: 22.1.5 Unbound MVC rework - loss of existing config - aliases can't be added
« on: April 09, 2022, 05:57:28 pm »
I found the logic behind it.

The aliases are only displayed for the host selected above.
In the same manner you can create an alias: by selecting the host and clicking the + button down in Aliases, the right entry gets preselected and the alias is created as expected.

I am unsure if this works as designed, because it is very hard to keep an overview of which aliases are configured at all.

3
22.1 Legacy Series / Re: 22.1.5 Unbound MVC rework - loss of existing config - aliases can't be added
« on: April 09, 2022, 05:30:33 pm »
A `configctl unbound restart` or a restart of unbound from the WebUI seems to trigger some old code and generate the config from the old entries.

While `opnsense-shell reload` and "Apply" from the UI create it in the right manner.

4
22.1 Legacy Series / Re: 22.1.5 Unbound MVC rework - loss of existing config - aliases can't be added
« on: April 09, 2022, 05:11:29 pm »
Just found that a restore from backup limited to "Unbound DNS" is not writing the `<unboundplus>` part.
The docs are already telling that partial restore is something that may get dropped.
Maybe this needs to be removed from the list then to avoid confusion.

5
22.1 Legacy Series / Re: 22.1.5 Unbound MVC rework - loss of existing config - aliases can't be added
« on: April 09, 2022, 04:17:28 pm »
Dug a little bit deeper and compared the config backups before the update and after.

Seems that the config for the overwrites has been moved from `<opnsense><unbound>` to `<opnsense><OPNsense><unboundplus>`.

My tries to create an alias did make it into the config backup:
```xml
      <aliases>
        <alias uuid="be93fc19-0ae6-43ae-b43c-2e8bb2627f68">
          <enabled>1</enabled>
          <host>73272ebc-54a3-47cf-8ce0-a7a81c8a2a1c</host>
          <hostname>signalcli-api</hostname>
          <domain>wupp</domain>
        </alias>
        <alias uuid="19a41d16-d2a5-4b8f-814b-f39a995fe6c1">
          <enabled>1</enabled>
          <host>9f748e34-fd1a-44a0-a0f7-4357d31c6b1e</host>
          <hostname>signalcli-api</hostname>
          <domain>wupp</domain>
        </alias>
        [...]
```

But they don't show up in the UI. The uuids for the host exist as host entries.

6
22.1 Legacy Series / 22.1.5 Unbound MVC rework - loss of existing config - aliases can't be added
« on: April 09, 2022, 03:41:31 pm »
Hi,

updated from 22.1.4 to 22.2.5 with the Unbound MVC rework.

First the existing overwrites got lost and the new overwrites dialogue was completely empty.

Recreating the overwrites manually I found that I can't add aliases.
See attached screenshot.
The list of hosts is not filled correctly, instead of the hostname or FQDN only the domain is shown, which doesn't help a lot to pick the right one.

But even if I fill the dialogue and click save, no alias is shown in the overview. Unfortunately there is also no error message or such.

Not sure how to troubleshoot further, which logs I should look at.

Bye
  Thomas

7
20.7 Legacy Series / Re: /scripts/dhcp/prefixes.php 100% CPU usage - caused by sylogd's clog
« on: February 08, 2021, 12:33:21 am »
Have you tried to reduce the logsize for this specific log:

`clog -s 500000 -i /var/log/dhcpd.log`

Should make it fast again. And it should stay until you change the logsize via UI again.

8
20.7 Legacy Series / Re: PHP script killing system (/usr/local/opnsense/scripts/dhcp/prefixes.php)
« on: February 08, 2021, 12:24:43 am »
Check the size of `/var/log/dhcpd.log`; if it is too large the script will take too much CPU, as the script is parsing this file.

9
General Discussion / Re: MDNS Repeater IPv6
« on: April 14, 2020, 10:20:33 pm »
Hi,
no new news from my side. Found that my printer won't on IPv6 in any case.

But how is pfSense handling this? Maybe this can be used here too.

Bye
 Thomas

10
General Discussion / [Solved] Answer Packet is not passing PF but session counter increases
« on: January 29, 2020, 05:43:24 pm »
Sorry, I have missed a few parts to explain.


The packet from 81.169.177.200 is coming in via a Wireguard tunnel.
192.168.70.1 is the local ip of the wg0 interface.

I haven't used the routing from the WireGuard plugin, but created a dedicated gateway for this wg0 interface with 192.168.70.1 as gateway IP.
This was working well for traffic to the opposite direction. I was able to reach 81.169.177.200 from 192.168.2.21, but not the other way round as described above.

The WireGuard interface on the far end has 192.168.70.2 as IP. This was only reachable, if I have configured a route for this IP to the local wg0 interface using the gateway 192.168.70.1.

The solution was to change the destination IP for the wg0 interface from the local IP 192.168.70.1 to the IP of the far end 192.168.70.2.

Now the traffic is passing regardless of the side it was initiated.
The only address I can't make reachable is 192.168.70.2, which doesn't hurt in my case.

Bye
  Thomas

11
General Discussion / Answer Packet is not passing PF but session counter increases
« on: January 27, 2020, 12:16:47 am »
I try to ping host 192.168.2.21 from 81.169.177.200.

I see the echo-request (234) with tcpdump on the inbound interface. I see the request and response on the outbound interface.
The session table shows the same. The inbound session shows 234 packets in and out, but the out session shows twice as many packets for the out counter.

```
all icmp 192.168.2.21:3290 <- 81.169.177.200:3290       0:0
   age 00:03:54, expires in 00:00:09, 234:468 pkts, 19656:39312 bytes, rule 507
   id: 030000005e2df8c8 creatorid: 8368a371
all icmp 81.169.177.200:3290 -> 192.168.2.21:3290       0:0
   age 00:03:54, expires in 00:00:09, 234:234 pkts, 19656:19656 bytes, rule 127
   id: 030000005e2df8c9 creatorid: 8368a371
```

How can I find out why the echo-response is dropped?

```
@127 pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
  [ Evaluations: 2132      Packets: 4173      Bytes: 1021132     States: 80    ]
  [ Inserted: uid 0 pid 82969 State Creations: 776   ]
@507 pass in log quick on wg0 reply-to (wg0 192.168.70.1) inet proto icmp from <schmu_srv03:4> to <wupp_schapp:3> keep state label "501718afceb1c0ed891df29dd33b09bf"
  [ Evaluations: 67        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 82969 State Creations: 0     ]
```

12
General Discussion / MDNS Repeater IPv6
« on: June 17, 2019, 10:50:10 pm »
Hi,

mdns repeater is pretty old and doesn't support IPv6.
Found that at least iPhones won't find their printer, if they are connected via dual stack.
Had to disable IPv6 on my printer to get it working again.

Is IGMP Proxy an option to forward mdns over IPv6?

Bye
  Thomas

13
18.1 Legacy Series / Re: Unbound DNS - Domain Override stops working
« on: January 29, 2019, 07:34:20 pm »
Hi,

I have the same issue here but running 18.7.10 with unbound 1.8.3.

Did you make any other change while troubleshooting?

Thanks
  Thomas.

14
Web Proxy Filtering and Caching / add custom subnet to localnet
« on: August 14, 2018, 12:22:20 am »
Hi,

I didn't find a way to add custom networks to the acl localnet in the squid.conf.
Looks like only networks of directly attached interfaces get added if they are added to "Proxy interfaces".
But adding e.g. an openvpn interface doesn't add the network to localnet.

Is there a way to add networks to localnet manually?

Thanks
  Thomas

15
General Discussion / ICMP type logging
« on: March 26, 2018, 10:27:10 pm »
Hi,

is it only me or is it in Version 18.1 that there is no ICMP type logging any more?

My log looks like this:
```
filterlog: 34,,,0,vmx0,match,pass,in,6,0x00,0x00000,255,ICMPv6,58,112,fe80::1:1,ff02::1,
filterlog: 92,,,0,vmx1,match,pass,in,4,0x0,,32,12590,0,none,1,icmp,60,172.20.XX.42,192.168.XX.231,datalength=40
```

I expect something like request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply at the end.
Not sure if it was there in the past or I have seen it in a pfsense install. Had to look into ICMP details recently and missed this information.

Can someone confirm that this is the standard behavior or was it different in former versions or is it configurable?

Thanks
 Thomas
