Topics - davorin

#1
Good morning

Running two 26.1.4 OPNsense instances here virtually for testing with CARP on WAN and LAN.
Therefore I am using Kea DHCP for HA, configured as per the official documentation.

Now and then, when I do an HA sync on the master, the Kea DHCP service doesn't start again, sometimes the Kea agent as well...
After resyncing one or two more times the Kea services are running again on the backup FW.

The last log lines show that the DHCP server is started but shut down again (or at least this is what I understand ;o):

<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="81"] INFO  [kea-dhcp4.ha-hooks.0x2dbe8985c008] HA_SERVICE_STARTED fw2: started high availability service in hot-standby mode as standby server
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="82"] INFO  [kea-dhcp4.dhcpsrv.0x2dbe8985c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for V4 leases in subnet 192.168.241.0/24
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="83"] INFO  [kea-dhcp4.dhcp4.0x2dbe8985c008] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 1, queue size: 64
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="84"] INFO  [kea-dhcp4.dhcp4.0x2dbe8985c008] DHCP4_STARTED Kea DHCPv4 server version 3.0.2 started
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="85"] INFO  [kea-dhcp4.commands.0x2dbe8985c008] COMMAND_RECEIVED Received command 'shutdown'
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-ctrl-agent 33012 - [meta sequenceId="86"] INFO  [kea-ctrl-agent.dctl.0x5794f6a71008] DCTL_SHUTDOWN Control-agent has shut down, pid: 33012, version: 3.0.2
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="87"] INFO  [kea-dhcp4.dhcp4.0x2dbe8985c008] DHCP4_SHUTDOWN server shutdown
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="88"] INFO  [kea-dhcp4.ha-hooks.0x2dbe8985c008] HA_DEINIT_OK unloading High Availability hooks library successful
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="89"] INFO  [kea-dhcp4.host-cmds-hooks.0x2dbe8985c008] HOST_CMDS_DEINIT_OK unloading Host Commands hooks library successful
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="90"] INFO  [kea-dhcp4.lease-cmds-hooks.0x2dbe8985c008] LEASE_CMDS_DEINIT_OK unloading Lease Commands hooks library successful
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="91"] INFO  [kea-dhcp4.hooks.0x2dbe8985c008] HOOKS_LIBRARY_CLOSED hooks library /usr/local/lib/kea/hooks/libdhcp_ha.so successfully closed
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="92"] INFO  [kea-dhcp4.hooks.0x2dbe8985c008] HOOKS_LIBRARY_CLOSED hooks library /usr/local/lib/kea/hooks/libdhcp_host_cmds.so successfully closed
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="93"] INFO  [kea-dhcp4.hooks.0x2dbe8985c008] HOOKS_LIBRARY_CLOSED hooks library /usr/local/lib/kea/hooks/libdhcp_lease_cmds.so successfully closed

Anyone else having this problem?

Seems there are no other options for having HA DHCP on the LAN side....
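
The log excerpt above is easier to reason about once it is parsed rather than read. The following is an added example (mine, not code from the post, OPNsense or Kea) that parses the RFC 5424 lines OPNsense emits and flags a Kea server process that logged DHCP4_STARTED and DHCP4_SHUTDOWN within a few seconds, recording whether a 'shutdown' control command was received in between, as it was here. The sample lines are copied from the post; the ten-second threshold is my assumption, and the DHCP6 message IDs are included on the assumption that the v6 server logs analogously.

```python
import re
from datetime import datetime

# Constructed sample: five of the syslog lines quoted in the post above (the
# hook-unloading lines are omitted; they carry nothing the detector needs).
SAMPLE_LOG = """\
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="81"] INFO  [kea-dhcp4.ha-hooks.0x2dbe8985c008] HA_SERVICE_STARTED fw2: started high availability service in hot-standby mode as standby server
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="84"] INFO  [kea-dhcp4.dhcp4.0x2dbe8985c008] DHCP4_STARTED Kea DHCPv4 server version 3.0.2 started
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="85"] INFO  [kea-dhcp4.commands.0x2dbe8985c008] COMMAND_RECEIVED Received command 'shutdown'
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-ctrl-agent 33012 - [meta sequenceId="86"] INFO  [kea-ctrl-agent.dctl.0x5794f6a71008] DCTL_SHUTDOWN Control-agent has shut down, pid: 33012, version: 3.0.2
<134>1 2026-03-18T09:00:05+01:00 fw2.internal kea-dhcp4 31801 - [meta sequenceId="87"] INFO  [kea-dhcp4.dhcp4.0x2dbe8985c008] DHCP4_SHUTDOWN server shutdown
"""

# RFC 5424 header as OPNsense writes it, followed by Kea's "LEVEL [logger] MSGID text".
LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\d+) - '
    r'\[meta sequenceId="(?P<seq>\d+)"\] (?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] '
    r'(?P<msgid>\w+)(?: (?P<msg>.*))?$'
)

# Assumption: the v6 server uses the matching DHCP6_* IDs.
START_IDS = {"DHCP4_STARTED", "DHCP6_STARTED"}
STOP_IDS = {"DHCP4_SHUTDOWN", "DHCP6_SHUTDOWN"}


def parse_kea_syslog(text):
    """Return one dict per parseable line, ordered by sequenceId."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or truncated line
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["pid"] = int(ev["pid"])
        ev["seq"] = int(ev["seq"])
        ev["msg"] = ev["msg"] or ""
        events.append(ev)
    events.sort(key=lambda e: e["seq"])
    return events


def find_short_lived_starts(text, max_seconds=10):
    """Flag a Kea server process that logged DHCPx_STARTED and then DHCPx_SHUTDOWN
    within max_seconds, noting whether a 'shutdown' control command preceded it."""
    state = {}  # (host, app, pid) -> {"started": ts, "via_command": bool}
    findings = []
    for ev in parse_kea_syslog(text):
        key = (ev["host"], ev["app"], ev["pid"])
        if ev["msgid"] in START_IDS:
            state[key] = {"started": ev["ts"], "via_command": False}
        elif ev["msgid"] == "COMMAND_RECEIVED" and "'shutdown'" in ev["msg"]:
            if key in state:
                state[key]["via_command"] = True
        elif ev["msgid"] in STOP_IDS and key in state:
            s = state.pop(key)
            delta = (ev["ts"] - s["started"]).total_seconds()
            if delta <= max_seconds:
                findings.append({
                    "host": ev["host"], "app": ev["app"], "pid": ev["pid"],
                    "started": s["started"], "stopped": ev["ts"],
                    "seconds": delta, "via_command": s["via_command"],
                })
    return findings


if __name__ == "__main__":
    for f in find_short_lived_starts(SAMPLE_LOG):
        print(f"{f['host']} {f['app']}[{f['pid']}] ran {f['seconds']:.0f}s; "
              f"shutdown command seen: {f['via_command']}")
```

Feeding the full OPNsense system log through this after each HA sync separates two cases that look the same in the GUI: a server that received an explicit 'shutdown' command right after starting (the restart orchestration stopped it again) and one that simply died without logging a shutdown, which would show up as a DHCP4_STARTED with no matching stop.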

#2
Weird behaviour of our backup FW running 25.7.6, where the WireGuard tunnel is ignoring the WAN CARP state.

The master FW shows no log entries and always stays the master for the WireGuard tunnel.
The backup FW permanently shows a WAN CARP state change in the WireGuard logs and takes over the WireGuard tunnel, although the state of the WAN interface is backup.

The other side of the tunnel is also an HA setup running 26.1.2, but there is no flapping of the tunnel on the backup FW there.

Anyone else seeing this odd behaviour?

The problem is that I had to disable the WireGuard instances and the HA syncing of the WireGuard configuration.

#3
German - Deutsch / WebGUI via WAN not possible
February 28, 2026, 01:16:30 PM
Hello everyone (o;

I have a small Intel appliance here with 2 * 2.5GB and 2 * 10GB ports and a fresh OPNsense 26.1.2 installed with default values.
WAN as DHCP and LAN left at 192.168.1.1/24.

From the LAN side everything works fine. Only when I add a FW rule so that I can access the WAN side from here in the local LAN, nothing happens, even though for testing I allowed everything on the WAN side to the WAN address.

Nothing shows up in the FW logs either. Only if I explicitly allow just HTTP, for example, do I see entries in the logs when I try to access via HTTPS.

Accessing the WAN IP from the LAN side works, so the OPNsense WebGUI is "listening" on the WAN side.


Does anyone have any idea what is going wrong here?



#4
Good afternoon

As I am currently not successful in bringing up a VPN to a FBox, which could be set up easily with a Juniper SRX, I am now trying to follow this guide to set up a remote IPsec client:

https://wiki.opnsense.org/manual/how-tos/ipsec-road.html

There it says under user privileges to add the user to "User - VPN - IPsec xauth Dialin"....but this option is missing in 19.1.2...I only see:

GUI Status: IPsec
GUI Status: IPsec: Leasespage
GUI Status: IPsec: SAD
GUI Status: IPsec: SPD
GUI Status: System logs: IPsec VPN
GUI Status: System logs: IPsec VPN
GUI VPN: IPsec
GUI VPN: IPsec: Edit Phase 1
GUI VPN: IPsec: Edit Phase 2
GUI VPN: IPsec: Edit Pre-Shared Keys
GUI VPN: IPsec: Mobile
GUI VPN: IPsec: Pre-Shared Keys List


Is Xauth not allowed anymore in OPNsense?


thanks in advance
richard
#5
Good day

I am trying to migrate a site-to-site VPN connection away from a Fritzbox to an SRX240H.

After adding the IPsec tunnel phase 1/2 and restarting IPsec, I see in the logs of my 19.1.2 box:

Mar 3 13:10:14 charon: 04[NET] error writing to socket: Permission denied
Mar 3 13:10:14 charon: 16[NET] <con1|1> sending packet: from y.y.90.159[500] to x.x.53.70[500] (176 bytes)
Mar 3 13:10:14 charon: 16[IKE] <con1|1> sending retransmit 2 of request message ID 0, seq 1
Mar 3 13:10:06 charon: 04[NET] error writing to socket: Permission denied
Mar 3 13:10:06 charon: 16[NET] <con1|1> sending packet: from y.y.90.159[500] to x.x.53.70[500] (176 bytes)
Mar 3 13:10:06 charon: 16[IKE] <con1|1> sending retransmit 1 of request message ID 0, seq 1
Mar 3 13:10:02 charon: 04[NET] error writing to socket: Permission denied
Mar 3 13:10:02 charon: 05[NET] <con1|1> sending packet: from y.y.90.159[500] to x.x.53.70[500] (176 bytes)
Mar 3 13:10:02 charon: 05[ENC] <con1|1> generating ID_PROT request 0 [ SA V V V V V ]
Mar 3 13:10:02 charon: 05[IKE] <con1|1> initiating Main Mode IKE_SA con1[1] to x.x.53.70


Any FW rule I missed here?

I only have the basic IPsec rule and the allow-ESP rule towards WAN.
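
The log above is shown newest-first by the log viewer, which hides the pattern: every outbound IKE packet is immediately followed by a socket write error. The following is an added example (mine, not code from the post, OPNsense or strongSwan) that restores chronological order and pairs each "sending packet" with the outcome that follows it, so the summary says whether the sends failed locally or went out and were never answered. The sample lines are copied from the post. The local/remote verdict is my heuristic: "error writing to socket: Permission denied" is EPERM from sendto(), which on FreeBSD is what a pf block on a locally generated packet surfaces as; the post itself does not say that, so treat it as the hypothesis to test.

```python
import re

# Constructed sample: the charon lines quoted in the post above, in the
# newest-first order the OPNsense log viewer shows them.
CHARON_LOG = """\
Mar 3 13:10:14 charon: 04[NET] error writing to socket: Permission denied
Mar 3 13:10:14 charon: 16[NET] <con1|1> sending packet: from y.y.90.159[500] to x.x.53.70[500] (176 bytes)
Mar 3 13:10:14 charon: 16[IKE] <con1|1> sending retransmit 2 of request message ID 0, seq 1
Mar 3 13:10:06 charon: 04[NET] error writing to socket: Permission denied
Mar 3 13:10:06 charon: 16[NET] <con1|1> sending packet: from y.y.90.159[500] to x.x.53.70[500] (176 bytes)
Mar 3 13:10:06 charon: 16[IKE] <con1|1> sending retransmit 1 of request message ID 0, seq 1
Mar 3 13:10:02 charon: 04[NET] error writing to socket: Permission denied
Mar 3 13:10:02 charon: 05[NET] <con1|1> sending packet: from y.y.90.159[500] to x.x.53.70[500] (176 bytes)
Mar 3 13:10:02 charon: 05[ENC] <con1|1> generating ID_PROT request 0 [ SA V V V V V ]
Mar 3 13:10:02 charon: 05[IKE] <con1|1> initiating Main Mode IKE_SA con1[1] to x.x.53.70
"""

# "Mon D HH:MM:SS charon: THREAD[SUBSYS] <ike-sa> message"
LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) charon: '
    r'(?P<thread>\d+)\[(?P<sub>\w+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$'
)
SEND_RE = re.compile(r'sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\] \((\d+) bytes\)')
RETRANSMIT_RE = re.compile(r'sending retransmit (\d+) of request')
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_charon(text, newest_first=True):
    """Parse charon lines and return them in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    if newest_first:
        events.reverse()  # restore emission order within each second
    # the stable sort keeps the intra-second order just restored
    events.sort(key=lambda e: (MONTHS.get(e["mon"], 0), int(e["day"]), e["time"]))
    return events


def summarize_charon(text, newest_first=True):
    """Count IKE sends, local socket write errors, retransmits and replies, and
    classify the failure as local (packets never left the host) or remote
    (packets went out but nothing came back)."""
    summary = {"sends": 0, "failed_sends": 0, "socket_errors": 0,
               "retransmits": 0, "responses": 0, "peer": None}
    pending = False  # a send whose outcome has not been seen yet
    for ev in parse_charon(text, newest_first):
        msg = ev["msg"]
        m = SEND_RE.search(msg)
        if m:
            summary["sends"] += 1
            summary["peer"] = f"{m.group(3)}:{m.group(4)}"
            pending = True
        elif msg.startswith("error writing to socket"):
            summary["socket_errors"] += 1
            if pending:  # the error belongs to the send just before it
                summary["failed_sends"] += 1
                pending = False
        elif msg.startswith("received packet"):
            summary["responses"] += 1
            pending = False
        elif RETRANSMIT_RE.search(msg):
            summary["retransmits"] += 1
    if summary["sends"] and summary["failed_sends"] == summary["sends"]:
        summary["verdict"] = "local"   # every sendto() failed; nothing left the host
    elif summary["sends"] and summary["responses"] == 0:
        summary["verdict"] = "remote"  # sends succeeded, peer or path never answered
    else:
        summary["verdict"] = "ok"
    return summary


if __name__ == "__main__":
    print(summarize_charon(CHARON_LOG))
```

A "local" verdict means the firewall rule to look at is the one governing traffic the firewall itself originates towards the peer (UDP 500/4500 and ESP outbound on WAN), not the inbound WAN rules; a "remote" verdict with zero replies points at the far end or the path instead.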
#6
Good evening

I just came across OPNsense last week as I looked around to replace my old setup with an SRX240B2.
Before that I used pfSense on an older APU device which couldn't cope with bandwidths of 500 Mbps.

Now my question...as I work a few days from home, I use an IPsec VPN client from my company
to connect to office machines and IoT devices for programming/debugging.

But as I like to be able to do so from all my hosts at home I would like to use opnsense as the IPsec client to the office network.

Can OPNsense do this, or does it only support site-to-site VPNs?


thanks in advance
richard