Topics - Ricardo

#1
Hello folks!

Is there a way to download the installer packages on another machine, and transfer them to the opnsense machine via USB or a similar transfer method? So in case the opnsense machine has no internet access during the update (for whatever reason you can imagine), the update could still be initiated using the files transferred to the opnsense machine's filesystem, instead of going out to the internet for the download.

Checking the docs for the Update section did not reveal any such details.
#2
Hello folks,

I tried to setup VPN remote access based on IPSEC.
I would like to use the following remote access clients:
- Android phone 9, using the google stock built-in ipsec client, but Strongswan is also accepted if absolutely mandatory due to stock google ipsec client defects
- Windows 10 (whatever version and edition), using the built-in MSFT ipsec client, I would rather avoid 3rd party ipsec client, unless it turns out the msft client is a junk

I already managed to set up a site-2-site ipsec tunnel between 2 opnsense routers, based on the guide I found on docs.opnsense.com (some more verbose guide would have been better, but that's the only one I managed to find; on youtube only pfsense videos are made, nothing useful based on opnsense). The site2site connection works more or less reliably, but because of the dynamic WAN IP, I had to hack a strongswan restart monit setup, otherwise the tunnel never comes up after a dynamic IP change, which the guides don't say a single word about, very disappointing.
But the remaining step, the remote access, roadwarrior, android and windows scenarios are a big mess for me on docs.opnsense.com. Does anyone have a better, more detailed, and EXPLAINED guide on this subject, not just 5 screenshots with 0 description? Or is ipsec a dead end for remote access on opnsense?
#3
20.7 Legacy Series / IGMP proxy guide
December 03, 2020, 09:24:23 AM
Hi folks, wondering if there is any 1st party or 3rd party explanation of what exactly the os-igmp-proxy does, and how it works in Opnsense?
Unfortunately, docs.opnsense is no help, I only found 1 single article about this topic: "Orange IPTV"

I am planning to route DLNA traffic across a VPN tunnel, and wondering if IGMP proxy is the way to do it. But for that I would need some reading material to figure it out. Searching old threads on this forum revealed some 1-question 0-answer abandoned-hope topics.
#4
Hi all, is it just me, or do others also have NTP problems after 20.7.5? Both of my routers are unable to sync time via NTP.
I discovered it after the upgrade to 20.7.5. Both worked fine in the past. The NTP log is not that helpful, the firewall also seems to allow outbound NTP/UDP123, I don't recall changing anything related to NTP. Added multiple NTP servers (e.g. time.windows.com) but all behave the same way:

Unreach/Pending  162.159.200.1   .INIT.   16   u   -   64   0   0.000   +0.000   0.000



2020-11-24T09:25:03   ntpd[76735]   162.159.200.1 8011 81 mobilize assoc 25092
2020-11-24T09:25:03   ntpd[76735]   DNS pool.ntp.org -> 162.159.200.1
2020-11-24T09:25:03   ntpd[76735]   51.105.208.173 8011 81 mobilize assoc 25091
2020-11-24T09:25:03   ntpd[76735]   DNS time.windows.com -> 51.105.208.173
2020-11-24T09:25:03   ntpd[76735]   0.0.0.0 c016 06 restart
2020-11-24T09:25:03   ntpd[76735]   0.0.0.0 c012 02 freq_set kernel 49.289 PPM
2020-11-24T09:25:03   ntpd[76735]   kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
2020-11-24T09:25:03   ntpd[76735]   0.0.0.0 c01d 0d kern kernel time sync enabled
2020-11-24T09:25:03   ntpd[76735]   kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
2020-11-24T09:25:03   ntpd[76735]   148.6.0.1 8011 81 mobilize assoc 25090
2020-11-24T09:25:03   ntpd[76735]   Listening on routing socket on fd #31 for interface updates
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 10 pppoe0 85.238.77.125:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 9 pppoe0 [fe80::618d:21c:59ca:f801%8]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 8 pppoe0 [fe80::20d:b9ff:fe4b:b5c%8]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 7 lo0 127.0.0.1:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 6 lo0 [fe80::1%5]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 5 lo0 [::1]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 4 igb2 [fe80::20d:b9ff:fe4b:b5e%3]:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 3 igb2 192.168.1.1:123
2020-11-24T09:25:03   ntpd[76735]   Listen normally on 2 igb0 [fe80::20d:b9ff:fe4b:b5c%1]:123
2020-11-24T09:25:03   ntpd[76735]   Listen and drop on 1 v4wildcard 0.0.0.0:123
2020-11-24T09:25:03   ntpd[76735]   Listen and drop on 0 v6wildcard [::]:123
2020-11-24T09:25:03   ntpd[76735]   restrict: 'monitor' cannot be disabled while 'limited' is enabled
2020-11-24T09:25:03   ntpd[76735]   gps base set to 2020-08-23 (week 2120)
2020-11-24T09:25:03   ntpd[76735]   basedate set to 2020-08-20
2020-11-24T09:25:03   ntpd[76735]   proto: precision = 0.694 usec (-20)
2020-11-24T09:25:03   ntpd[82932]   ----------------------------------------------------
2020-11-24T09:25:03   ntpd[82932]   available at https://www.nwtime.org/support
2020-11-24T09:25:03   ntpd[82932]   corporation. Support and training for ntp-4 are
2020-11-24T09:25:03   ntpd[82932]   Inc. (NTF), a non-profit 501(c)(3) public-benefit
2020-11-24T09:25:03   ntpd[82932]   ntp-4 is maintained by Network Time Foundation,
2020-11-24T09:25:03   ntpd[82932]   ----------------------------------------------------
2020-11-24T09:25:03   ntpd[82932]   Command line: /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
2020-11-24T09:25:03   ntpd[82932]   ntpd 4.2.8p15@1.3728-o Tue Sep 1 03:15:17 UTC 2020 (1): Starting
#5
Hi folks,

I have 2 Opnsense routers, RouterA on SiteA, and RouterB on SiteB. Both RouterA and RouterB have dynamic WAN IPs (both WANs are PPPoE), so I used 2x Dynamic DNS FQDNs for the tunnel endpoints (instead of the temporary WAN IP addresses). I did the config based on this guide:
https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html

I did every step like in the guide. The tunnel comes UP. But after a couple of days, the tunnel usually breaks, and does not come up again. I have to restart the IPSEC service on RouterA (I don't have access to RouterB as it is on a remote site with no qualified staff), and sometimes it restores the tunnel. Sometimes I have to restart Unbound, as it seems the problem may be with the DDNS FQDN<-->WAN IP mapping (as explained at the top, the WAN IP is dynamic, the ISP changes the WAN IP after every reconnect, or after 2 weeks of WAN uptime).

The guide did not describe the additional parameters, but I have enabled the following Tunnel parameter:

Dynamic gateway    Allow any remote gateway to connect
Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or update time.

--> to be honest I don't understand whether this setting is really needed, or whether it just introduces decreased security by allowing literally ANYBODY to connect to this tunnel; the text is not that great at explaining if it's mandatory for local/remote dynamic tunnel endpoints or not.

The reference guide only gives a short description of this scenario:

Site to site VPNs connect two locations with static public IP addresses and allow traffic to be routed between the two networks. This is most commonly used to connect an organization's branch offices back to its main office, so branch users can access network resources in the main office.

I understand and acknowledge that during the WAN IP change time period, there will be a DNS TTL-length outage in the tunnel, but can this scenario auto-recover from such a tunnel endpoint update, or is that completely impossible with this setup?
I see similar things in the log on RouterA:

2020-11-18T13:03:03   charon[95260]   12[IKE] <con1|3> received AUTHENTICATION_FAILED notify error
2020-11-18T13:03:03   charon[95260]   12[ENC] <con1|3> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2020-11-18T13:03:03   charon[95260]   12[NET] <con1|3> received packet: from [ROUTER-B-WAN_IP][4500] to [ROUTER-A-WAN_IP][4500] (80 bytes)
2020-11-18T13:03:03   charon[95260]   12[NET] <con1|3> sending packet: from [ROUTER-A-WAN_IP][4500] to [ROUTER-B-WAN_IP][4500] (320 bytes)
2020-11-18T13:03:03   charon[95260]   12[ENC] <con1|3> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2020-11-18T13:03:03   charon[95260]   12[IKE] <con1|3> establishing CHILD_SA con1{4} reqid 1
2020-11-18T13:03:03   charon[95260]   12[IKE] <con1|3> authentication of '[ROUTER-A-WAN_IP]' (myself) with pre-shared key
2020-11-18T13:03:03   charon[95260]   12[CFG] <con1|3> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-11-18T13:03:03   charon[95260]   12[ENC] <con1|3> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-11-18T13:03:03   charon[95260]   12[NET] <con1|3> received packet: from [ROUTER-B-WAN_IP][500] to [ROUTER-A-WAN_IP][500] (472 bytes)
2020-11-18T13:03:02   charon[95260]   12[NET] <con1|3> sending packet: from [ROUTER-A-WAN_IP][500] to [ROUTER-B-WAN_IP][500] (464 bytes)
2020-11-18T13:03:02   charon[95260]   12[ENC] <con1|3> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2020-11-18T13:03:02   charon[95260]   12[IKE] <con1|3> initiating IKE_SA con1[3] to [ROUTER-B-WAN_IP]
2020-11-18T13:03:02   charon[95260]   14[KNL] creating acquire job for policy [ROUTER-A-WAN_IP]/32 === [ROUTER-B-WAN_IP]/32 with reqid {1}

If I try to trigger / force the tunnel establishment under IPSEC \ Status overview, I get the same results as seen in the log. After 1-2 days, the issue recovers by itself. But it's difficult to troubleshoot the remote tunnel endpoint while I cannot reach it, so it would be really great if somebody could point out what the basic mistake in my config is.
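The charon excerpt above is printed newest-first by the log viewer, which makes it easy to misread where the exchange actually stops. As an added example (not OPNsense or strongSwan code, and not part of the original post), the helper below reorders the quoted lines and reports how far the IKEv2 exchange got: IKE_SA_INIT completed and a proposal was agreed, the local identity and authentication method were sent in IKE_AUTH, and the peer answered with AUTHENTICATION_FAILED. In IKEv2 that combination means the crypto proposal was accepted and the rejection happened at the identity/secret verification step, which is the part worth comparing against what the other router expects. The sample lines are the ones quoted in the post; the bracketed addresses are the post's own placeholders.

```python
"""Reorder a strongSwan (charon) log excerpt and report which IKEv2 phase failed.

Added example; not OPNsense or strongSwan code.  SAMPLE holds the lines quoted
in the post, newest first as the OPNsense log viewer shows them.
"""
import re

# One charon line: timestamp, "charon[pid]", "<thread>[<subsystem>]",
# an optional "<conn|sa-id>" tag, then the free-text message.
LINE = re.compile(
    r"^(?P<ts>\S+)\s+charon\[\d+\]\s+(?P<thread>\d+)\[(?P<sub>\w+)\]\s+"
    r"(?:<(?P<sa>[^>]+)>\s+)?(?P<msg>.*)$"
)

SAMPLE = """\
2020-11-18T13:03:03   charon[95260]   12[IKE] <con1|3> received AUTHENTICATION_FAILED notify error
2020-11-18T13:03:03   charon[95260]   12[ENC] <con1|3> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2020-11-18T13:03:03   charon[95260]   12[IKE] <con1|3> establishing CHILD_SA con1{4} reqid 1
2020-11-18T13:03:03   charon[95260]   12[IKE] <con1|3> authentication of '[ROUTER-A-WAN_IP]' (myself) with pre-shared key
2020-11-18T13:03:03   charon[95260]   12[CFG] <con1|3> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-11-18T13:03:03   charon[95260]   12[ENC] <con1|3> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-11-18T13:03:02   charon[95260]   12[IKE] <con1|3> initiating IKE_SA con1[3] to [ROUTER-B-WAN_IP]
"""


def parse(log_text):
    """Parse the excerpt into dicts and return them oldest first."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    # The viewer prints newest first; reversing restores the order charon wrote them.
    events.reverse()
    return events


def triage_ike(log_text):
    """Walk the exchange in order and record how far it got."""
    report = {"ike_sa_init": "not seen", "ike_proposal": None,
              "local_id": None, "auth_method": None, "ike_auth": "not seen"}
    for ev in parse(log_text):
        msg = ev["msg"]
        if "parsed IKE_SA_INIT response" in msg:
            report["ike_sa_init"] = "completed"
        elif msg.startswith("selected proposal: "):
            report["ike_proposal"] = msg[len("selected proposal: "):]
        elif "received AUTHENTICATION_FAILED" in msg:
            report["ike_auth"] = "failed: AUTHENTICATION_FAILED"
        elif "parsed IKE_AUTH response" in msg and "AUTH_FAILED" not in msg:
            report["ike_auth"] = "completed"
        else:
            # Which identity we presented and how we proved it (PSK here).
            m = re.match(r"authentication of '(.+?)' \(myself\) with (.+)$", msg)
            if m:
                report["local_id"], report["auth_method"] = m.group(1), m.group(2)
    return report


if __name__ == "__main__":
    for key, value in triage_ike(SAMPLE).items():
        print(f"{key:13s} {value}")
```

The same parser works on a longer export from the log viewer; only lines matching the charon format are kept, so the KNL "creating acquire job" line and anything else around it are ignored.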
#6
20.7 Legacy Series / Query Intel igb NIC driver version
November 08, 2020, 10:41:25 AM
This one seems no longer possible:
https://forum.opnsense.org/index.php?topic=9354.0

# sysctl -a | grep -E 'dev.(igb|ix|em).*.%desc'

It no longer returns driver version, only the generic string:
"Intel(R) PRO/1000 Network Connection"
#7
I recently found the following bug report for FreeBSD 12.1:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249191

Is opnsense 20.7 affected?
#8
Hi folks!

I prepared this thread as a community-contributed gathering place for anyone out there who is running Opnsense on any of the PCEngines APU2/3/4 boards. Since Opnsense 20.7 is a big jump from the old FreeBSD/HardenedBSD 11.x to the new FreeBSD/HardenedBSD 12.1, I expect many compatibility, driver, and performance issues. So I definitely resist upgrading. I let others share their experience first :)

- which Coreboot BIOS are you currently using? Did Core Performance Boost (CPB), the Watchdog, PCIE energy saving, the AMDTEMP CPU temperature sensor driver, the APULED driver, the CPU sysctls that went away after the Coreboot upgrade, or other recent features break anything in your firewall?
- are you planning to compare the speed benchmark before the 20.7 upgrade and after the 20.7 upgrade? E.g. WAN throughput, VPN throughput, OpenSSL -EVP (AES-NI) speed test etc.
- Any igb NIC driver issues observed? Manual sysctl / tuned config file entries?
- Does ECC function properly with the new 12.1 BSD? How can you prove it really works?
- does the new 12.1 BSD firmware boot-time microcode update work properly now? How can you prove it?
- does dmidecode output under 12.1 BSD versus dmidecode under 11.x BSD show correct ACPI entries, RAM ECC-capable flag(s), RAM module speed vs bus speed reporting discrepancy, etc?
- has the infamous terrible PPPoE performance improved at all, or is it still limited to 200-400 Mbit max on a 1Gbit fibre WAN + NAT + pf?

And any other issues that are not an obvious catch if you don't have a proper testing checklist after every upgrade performed ("it works for me fine after the update" is a clear sign of no checklist used).
#9
Known issues and limitations:

o legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are longer available

Are NO longer available, am I right? :)
#10
I have a small 16GB SSD running in the APU2 router, and I am concerned about how long it will live before wearing out. I have set up TMPFS for /var and /tmp, but some other services are writing a lot of data to the /rootfs.

I checked smartmontools: it gives a strange result

241 Lifetime_Writes_GiB     0x0012   100   100   000    Old_age   Always       -       157

That would mean 157 GB written? That's unrealistic.

I installed Monit --> under system stats it shows written: 7,5 GB. But as far as I can understand, that only counts a single run of the operating system; when I reboot this value resets back to zero. Also I am not sure if it counts writes to /rootfs only: does it exclude writes to the /var and /tmp partitions, which are both TMPFS and therefore don't contribute to the wearing of the SSD? Cannot figure out what to do here...
#11
Hi opnsense folks!
I want to utilize the most of the RAM sitting in my router, which is mostly idle (the dashboard says 600MB of the 4096MB is utilized, the rest looks unused).
I set up tmpfs for /var and /tmp, but that's only a minimal amount of files.
I use unbound DNS to cache records in memory, but that's also a very minimal amount.
I use maltrail, but due to the current setup, it stores its files not under /var or /tmp, but under /root, so it's torturing the underlying ssd, and not the RAM.
I enabled netflow in the past, it consumed a significant amount of RAM, but the python scripts running in the background killed the already underpowered CPU as well, so I stopped it.
What other service(s), if enabled, would benefit from the plenty of available RAM, while keeping the CPU usage still low?
#12
Hello all,

I tried to find answers to my questions on the maltrail site (https://github.com/stamparm/maltrail ), but without success.

0) this is rather an improvement request: please make the password change for the admin maltrail account less painful, as it currently is via the main opnsense admin GUI

1) maltrail creates its files under /.maltrail, and also writes to /root/var/log instead of /var. My /var and /tmp are on TMPFS to reduce the killing of the small SSD with constant log-related writes. Is there a plan to put the maltrail pkg files under the proper location, and utilize the standard /var and /tmp for any frequently written log files? I cannot really measure how much disk write traffic is generated to the rootfs due to maltrail writing its files there; MONIT most probably summarizes both true rootfs write traffic and tmpfs write traffic, so that can be misleading for me.

2) it seems memory usage has skyrocketed in the past days (uptime is currently around 1 month), even after I restarted the maltrail server service. Is there any way to see if the memory usage is "normal" or whether something is leaking memory / should I schedule a maintenance reboot of the whole router someday?

3) Can some maltrail threats be marked manually to bypass, as those are false positives and harmless? Due to their amount they are reported frequently and cause a lot of noise.

In general, I am looking for some more in-depth tutorials on how to fine-tune maltrail. The official github page talks about things from a different perspective, and doesn't help to solve the real-world questions one will ask about this software.
#13
20.1 Legacy Series / Show log error
March 05, 2020, 07:57:43 AM
Hello,
I tried to check the GENERAL log under Logging.

It is stuck in the "loading..." state. I checked the BACKEND log, and I see the following:

configd.py: [a57cd679-67bc-4e18-b1f0-7973db58e4d9] Script action failed with Command '/usr/local/opnsense/scripts/systemhealth/queryLog.py --limit '-1' --offset '0' --filter '' --module 'core' --filename 'system'' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 484, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 363, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/systemhealth/queryLog.py --limit '-1' --offset '0' --filter '' --module 'core' --filename 'system'' returned non-zero exit status 1.

This looks like Chinese to me unfortunately. The /var/log/system.log does exist, and contains valid log entries.
I had a power outage a week ago; the only thing I suspect is that the filesystem may have got damaged, but I am not sure how to confirm this.
#14
20.1 Legacy Series / Permanent VNSTAT database on MFS
February 04, 2020, 03:30:04 PM
Hello Opnsense folks,

https://forum.opnsense.org/index.php?topic=9503.msg48562#msg48562

is this something that we can expect to be supported? VNSTAT database to be kept across reboots, when /var is on MFS.
#15
19.7 Legacy Series / Unbound custom parameters
August 05, 2019, 03:33:10 PM
I found in 19.7 under the Unbound settings that "Custom options" will be deprecated in the future. Can the team share the plans for how the not-so-common parameters can still be used if the "custom options" input box will no longer be available?
#16
Hi all,

is hyperthreading (HTT) available in opnsense 19.1.x? The APU2 I have seems to have HTT capability as per the dmesg CPU feature flags:

CPU: AMD GX-412TC SOC                                (998.15-MHz K8-class CPU)
  Origin="AuthenticAMD"  Id=0x730f01  Family=0x16  Model=0x30  Stepping=1
  Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>  -> see at the very end

FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
FreeBSD/SMP: 1 package(s) x 4 core(s)

and sysctl machdep.hyperthreading_allowed: 1 allows it.

Still, I only see 4 physical CPU cores according to:

hw.ncpu: 4

Are there any settings in the OS that prohibit the usage of HTT? Or is this a coreboot BIOS defect?
#17
Hello all,

I am trying to find any documentation about the storage requirement for Netflow + the Insight collector, and the CPU load it generates to deal with this type of workload.

If I recall correctly, I read somewhere (unfortunately I am unable to find it anymore, where exactly) that the max storage the /var/netflow/ files occupy should be max. around 100 MB. In contrast, for the moment it is a total of about 700 MB after a week of running. There is 1 file (I can't recall its name) which is 500+ MB, the rest are much smaller.
I use tmpfs on /var, and also tried to disable the backup of netflow data during reboot, as it takes ages to back up this 700+ MB before shutdown and restore it again when it boots, plus it wears my tiny 16 GB SSD.

The second part of my question: there is a periodic load spike, when a python process eats 1 of the 4 cores for 5-6 seconds, then goes down to 0. After 10-12 seconds, it is repeated. It happens during low traffic periods as well. I assume that python process has something to do with this Netflow/Insight workload. Is it taking such a huge CPU load due to the large 700 MB+ database, and should it decrease if the database is much smaller (e.g. after a fresh reboot with 0 database content)?
#18
Documentation and Translation / cron log
November 27, 2018, 01:11:17 PM
Hello all,

I am trying to find the log that contains all the "cron" output, but I am unable to find it anywhere.

/var/log does not hold any file that contains the string "cron" as content. Also
1) system/settings/logging
2) system/settings/cron
neither contains an option to activate such cron logging.

Can someone point me to any documentation about this topic?
#19
Hello,

just wanted to record this as a note to anyone, who falls into the same trap:

If you wanted to be on the safe side, and worried about the default config:

Services \ Unbound DNS \ General \ Network interfaces:

Interface IPs used by the DNS Resolver for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

So I wanted to allow access only from the LAN, and don't want to provide any access to my local DNS sourced from the WAN. In this case, make sure you add both the "LAN" and the "localhost" to the "Network interfaces"!

If you forget adding "localhost" to the Network interfaces, you will break name resolution on the opnsense box itself, as by default opnsense assumes 127.0.0.1 as the primary nameserver.
Unless System \ Settings \ General \ "Do not use the local DNS service as a nameserver for this system" is enabled. (By default localhost (127.0.0.1) will be used as the first nameserver when e.g. Dnsmasq or Unbound is enabled, so the system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.)
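The trap described above can be checked mechanically: compare the addresses Unbound listens on with the nameservers the host itself uses, and flag any loopback nameserver that Unbound will not answer on. The script below is an added example (not OPNsense's own code, and not part of the post). It assumes the listen addresses appear as "interface:" lines in unbound.conf syntax, which is the format OPNsense writes out, and that the host's resolver list is in /etc/resolv.conf "nameserver" form; the two configs and the resolv.conf below are constructed to reproduce the forgotten-localhost case and its fix.

```python
"""Flag loopback nameservers that Unbound is not configured to listen on.

Added example, not OPNsense code.  BROKEN_CONF, FIXED_CONF and RESOLV_CONF
are constructed inputs; 192.0.2.53 is a documentation-range placeholder.
"""
import ipaddress

BROKEN_CONF = """\
server:
  # LAN selected under Network interfaces, "localhost" forgotten
  interface: 192.168.1.1
"""

FIXED_CONF = """\
server:
  interface: 192.168.1.1
  interface: 127.0.0.1
  interface: ::1
"""

RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 192.0.2.53
"""


def listen_addresses(unbound_conf):
    """Addresses from 'interface:' lines.  '@port' suffixes are dropped and
    interface names (which newer Unbound also accepts) are skipped."""
    addrs = set()
    for raw in unbound_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("interface:"):
            continue
        value = line[len("interface:"):].strip().split("@", 1)[0]
        try:
            addrs.add(ipaddress.ip_address(value))
        except ValueError:
            continue
    return addrs


def nameservers(resolv_conf):
    """The 'nameserver' entries in resolv.conf order."""
    out = []
    for raw in resolv_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(ipaddress.ip_address(parts[1]))
    return out


def _covered(ns, listen):
    if ns in listen:
        return True
    # 0.0.0.0 / :: mean "every address of that family".
    return any(a.is_unspecified and a.version == ns.version for a in listen)


def unreachable_local_nameservers(unbound_conf, resolv_conf):
    """Loopback nameservers the host uses that Unbound will not answer on.
    A non-empty list is the failure described in the post: LAN clients still
    resolve names, the firewall itself does not."""
    listen = listen_addresses(unbound_conf)
    if not listen:
        # No interface: lines at all: Unbound's built-in default is to listen
        # on localhost only, so loopback queries are answered.
        return []
    return [str(ns) for ns in nameservers(resolv_conf)
            if ns.is_loopback and not _covered(ns, listen)]


if __name__ == "__main__":
    print("broken:", unreachable_local_nameservers(BROKEN_CONF, RESOLV_CONF))
    print("fixed: ", unreachable_local_nameservers(FIXED_CONF, RESOLV_CONF))
```

On a real box the two inputs would be read from the generated unbound.conf and /etc/resolv.conf; the check is also worth rerunning after changing the "Do not use the local DNS service" setting, since that removes 127.0.0.1 from the nameserver list and makes the listen question moot.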
#20
Hello all,

If I check the Interface \ WAN settings, I have the following choices: to selectively block Private networks AND/OR Bogus networks from connecting to my router.

Block Private network has the following help text:

Block private networks    
When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). This option should only be set for WAN type interfaces that use public IP address space.

Actually, 10/8 in its entirety is not considered to be private anymore, as according to RFC6598 CGN has been officially allocated to 100.64.0.0/10 (reference: https://tools.ietf.org/html/rfc6598)

So while it is still advisable to block non-routable private address space on a public-IP WAN connection, CGN peers should be allowed to come through. Disabling the block of Private networks opens a possible security hole for spoofed IP attacks, while Blocking private networks blocks many hosts that are located behind the same ISP as my router.

I think it would make sense to either exclude the CGNAT range from 10/8, or create a new third category: "Block CGNAT networks". What do you think?
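To make the ranges in this discussion concrete, here is an added example (not OPNsense code, not part of the post) that classifies a source address against RFC 1918, loopback and the RFC 6598 shared address space 100.64.0.0/10, and shows that 100.64.0.0/10 does not overlap 10.0.0.0/8 at all. It then models the two WAN ingress policies the post contrasts: blocking RFC 1918 plus loopback as the help text describes, with CGN space either dropped or admitted. Whether OPNsense's own "Block private networks" rule currently covers 100.64.0.0/10 is not established here; the block_cgnat flag is a modelling knob, and the sample source addresses are constructed (203.0.113.7 is a documentation-range placeholder).

```python
"""Classify WAN source addresses and model a private-network block policy.

Added example, not OPNsense code.  SAMPLE_SOURCES is constructed.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space

SAMPLE_SOURCES = ["10.1.2.3", "172.31.255.1", "127.0.0.1",
                  "100.64.5.6", "100.128.0.1", "203.0.113.7"]


def classify(addr):
    """Return 'loopback', 'rfc1918', 'cgnat' or 'other'.
    'other' covers genuine public space and also anything not IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "other"
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "other"


def cgnat_overlaps_rfc1918():
    """False: 100.64.0.0/10 lies outside 10/8, 172.16/12 and 192.168/16."""
    return any(CGNAT.overlaps(net) for net in RFC1918)


def dropped_on_wan(addr, block_private=True, block_cgnat=True):
    """Would a packet from addr be dropped by the modelled WAN ingress policy?
    block_private models the help text (RFC 1918 + 127/8); block_cgnat is the
    separate decision about RFC 6598 peers that the post argues about."""
    kind = classify(addr)
    if kind in ("loopback", "rfc1918"):
        return block_private
    if kind == "cgnat":
        return block_cgnat
    return False


def policy_table(addrs, **flags):
    """Map each sample address to its drop decision under the given flags."""
    return {a: dropped_on_wan(a, **flags) for a in addrs}


if __name__ == "__main__":
    print("CGN space overlaps RFC 1918:", cgnat_overlaps_rfc1918())
    for label, flags in (("block private, drop CGN", {}),
                         ("block private, admit CGN", {"block_cgnat": False})):
        print(label)
        for a, dropped in policy_table(SAMPLE_SOURCES, **flags).items():
            print(f"  {a:14s} {classify(a):9s} {'DROP' if dropped else 'pass'}")
```

The second table is the "third category" the post asks for: RFC 1918 and loopback sources are still dropped while 100.64.0.0/10 peers behind the same ISP get through, and 100.128.0.1 (just past the end of the /10) is treated as ordinary public space in both.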