Messages - GreenMatter

91
20.7 Legacy Series / Re: 20.7.3 + esxi webgui = kernel panic
« on: October 14, 2020, 09:06:41 pm »


Has nobody experienced such a kernel panic?
More likely it is not related to ESXi but only to the ARP table and the IP address of the ESXi host. I've found this bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234296 and previously saw a lot of messages: arp moved from (mac address)... to (other mac address)...
I think there's no other way than downgrading...


EDIT:
After restoring OPNsense to 20.1.9 and even applying the 20.7.3 config backup all is fine - no kernel panic. So, obviously something is wrong with 20.7...

92
20.7 Legacy Series / 20.7.3 + esxi webgui = kernel panic
« on: October 13, 2020, 05:18:15 pm »

After updating to 20.7.3 I experience quite strange behavior: when I try to open the ESXi web GUI (the host is located in one of the VLANs), OPNsense immediately restarts itself (kernel panic). When I'm connected to the LAN over OpenVPN, I can open the ESXi web GUI without problem.
I tried the Netmap kernel and it's exactly the same.
Here is what I found in the crash reporter:
Code:
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 02
fault virtual address = 0x0
fault code = supervisor write data, page not present
instruction pointer = 0x20:0xffffffff80e3b142
stack pointer         = 0x28:0xfffffe00403f28d0
frame pointer         = 0x28:0xfffffe00403f29a0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (if_io_tqg_1)
trap number = 12
panic: page fault
cpuid = 1
time = 1602601568
__HardenedBSD_version = 1200059 __FreeBSD_version = 1201000
version = FreeBSD 12.1-RELEASE-p10-HBSD #1  ebb8c1489c7(master)-dirty: Mon Sep 21 13:50:27 CEST 2020
    root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00403f2580
vpanic() at vpanic+0x1a2/frame 0xfffffe00403f25d0
panic() at panic+0x43/frame 0xfffffe00403f2630
trap_fatal() at trap_fatal+0x39c/frame 0xfffffe00403f2690
trap_pfault() at trap_pfault+0x49/frame 0xfffffe00403f26f0
trap() at trap+0x29f/frame 0xfffffe00403f2800
calltrap() at calltrap+0x8/frame 0xfffffe00403f2800
--- trap 0xc, rip = 0xffffffff80e3b142, rsp = 0xfffffe00403f28d0, rbp = 0xfffffe00403f29a0 ---
iflib_rxeof() at iflib_rxeof+0x542/frame 0xfffffe00403f29a0
_task_fn_rx() at _task_fn_rx+0xc0/frame 0xfffffe00403f29e0
gtaskqueue_run_locked() at gtaskqueue_run_locked+0x144/frame 0xfffffe00403f2a40
gtaskqueue_thread_loop() at gtaskqueue_thread_loop+0x98/frame 0xfffffe00403f2a70
fork_exit() at fork_exit+0x83/frame 0xfffffe00403f2ab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00403f2ab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic

93
20.7 Legacy Series / Re: opnsense freezes and needs reboot
« on: October 03, 2020, 02:32:55 am »
I won't help much, just to let you compare. I have recently upgraded to 20.7.3 and so far, so good...
The difference is that I use ESXi 7.0, all HW offloading is enabled and OPNsense is VLAN aware; vmx0 is WAN and vmx1 is the VLAN parent for the LAN side:

Quote
vmx1: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
   ether 00:0c:29:d4:ba:59
   inet6 fe80::20c:29ff:fed4:ba59%vmx1 prefixlen 64 scopeid 0x2
   media: Ethernet autoselect
   status: active
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Attached are screenshots of vm switch and port group settings...


94
20.7 Legacy Series / Re: Unbound domains override - not working
« on: October 01, 2020, 06:18:36 am »
It's working!
It was all about Unbound's "Outgoing Network Interfaces". I used to have it set to WAN and it needs to be set to the LAN interfaces. Thanks to https://forum.opnsense.org/index.php?topic=6750.0
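As an added illustration (not taken from GreenMatter's posts or from the configuration OPNsense generates), this is what the resolved setup from the thread looks like as raw unbound.conf: the two forward-zones posted earlier, domain-insecure because DNSSEC validation is on and the internal server does not sign these names, and the upstream source address pinned to a LAN address so that queries to the VPN-reachable 172.33.1.2 leave via the LAN/tunnel side instead of WAN. The LAN address 192.168.1.1 is an assumed placeholder, and it is an assumption that the "Outgoing Network Interfaces" GUI setting maps to the outgoing-interface directive.

```conf
server:
    # Source address for upstream queries. With the WAN address here, packets
    # to 172.33.1.2 would be sourced from WAN and the VPN peer would not route
    # the replies back. 192.168.1.1 is an assumed LAN address; the GUI setting
    # "Outgoing Network Interfaces" is assumed to generate this line.
    outgoing-interface: 192.168.1.1

    # DNSSEC validation is enabled globally; the internal server does not sign
    # these zones, so mark them insecure or validation will reject the answers.
    domain-insecure: "domain1."
    domain-insecure: "domain2."

# Send everything under the two names to the internal server over the VPN.
forward-zone:
    name: "domain1."
    forward-addr: 172.33.1.2

forward-zone:
    name: "domain2."
    forward-addr: 172.33.1.2
```

Check the syntax with unbound-checkconf before reloading, then verify both halves of the path separately: dig page.domain1 @172.33.1.2 confirms the internal server answers, and dig page.domain1 @127.0.0.1 confirms Unbound forwards to it; if the first works and the second times out, the source address of the outgoing query is still the thing to look at.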

95
20.7 Legacy Series / Re: Unbound domains override - not working
« on: October 01, 2020, 05:14:48 am »

Hi @qinohe,


The override I created is exactly the same as I described:
Quote
domain1
IP 172.33.1.2 (tried with @53 - doesn't help)
domain2
IP 172.33.1.2
and in the manual input described above.
I have two domains I want to be resolved by a "local" server (177.33.1.2) accessible over VPN. The server is accessible; when doing a query, dig page.domain1 @177.33.1.2, the reply is given immediately...
I've tried options like "local-zone-override" and "private-domain" and nothing helps; I stumbled upon (https://www.reddit.com/r/PFSENSE/comments/9e06kp/dns_resolver_domain_override_not_working/):
Quote
During my research I encounter this great discussion on nlnetlabs.nl. As stated, local-zones are evaluated before forward-zones and stub-zones. This feature is on purpose, to filter downstream queries before it reaches the state machine in unbound. Some of the potential solutions are:
local-zone: "example.com" transparent
OR
local-zone-override: "example.com" 127.0.0.0/8 transparent - required for localhost (pfSense) to query override
local-zone-override: "example.com" 192.168.1.0/24 transparent - covers everything else (use own network)

96
20.7 Legacy Series / Re: Unbound domains override - not working
« on: October 01, 2020, 03:48:18 am »
I tried manual input:
Code:
forward-zone:
        name: "domain1."
        forward-addr: 172.33.1.2
forward-zone:
        name: "domain2."
        forward-addr: 172.33.1.2
And the result is the same - it's not being forwarded...


EDIT:

As DNSSEC is enabled, I added the domain-insecure option:
Code:
domain-insecure: "domain1."
domain-insecure: "domain2."
forward-zone:
        name: "domain1."
        forward-addr: 172.33.1.2
forward-zone:
        name: "domain2."
        forward-addr: 172.33.1.2
Of course, nothing changed.

97
20.7 Legacy Series / Unbound domains override - not working
« on: October 01, 2020, 03:15:31 am »
I've seen many threads about that issue and it seems it's still a valid one.
I'm on 20.7.3 and want to set an override for 2 domains:
domain1
IP 172.33.1.2 (tried with @53 - doesn't help)
domain2
IP 172.33.1.2

And Unbound doesn't forward queries. Am I doing something wrong or is Unbound erratic?

98
Zenarmor (Sensei) / Re: Your Premium subscription have been cancelled.(?)
« on: September 30, 2020, 01:14:30 am »
Hi @mb,


I've just submitted a bug report. And Netmap errors (cutting off LAN) keep coming back even more often...

99
Zenarmor (Sensei) / Your Premium subscription have been cancelled.(?)
« on: September 30, 2020, 12:48:18 am »

Today I was greeted with:
Quote
Your Premium subscription have been cancelled. Today, we've downgraded your Subscription to Free Edition.
You can always re-purchase your Sensei Premium Subscription. In the meantime, you can enjoy Sensei with Free features.
Is there any particular reason for that? I have purchased an annual subscription and it is valid for the next 10 months...

100
20.7 Legacy Series / Re: Backup - restore 20.1.9 in 20.7.3/4?
« on: September 29, 2020, 10:20:26 pm »
Yes, I could have deployed a test instance of OPNsense. But before doing so, I would like to know what to expect and which way is the better one 8)

101
20.7 Legacy Series / Backup - restore 20.1.9 in 20.7.3/4?
« on: September 29, 2020, 09:15:22 pm »
Currently I use 20.1.9 (awaiting the final Netmap patch - Sensei/vmx) and I'm wondering whether it's better to just update or do a fresh install and restore settings from backup?
Does the backup include all settings for plugins and the system? On the other hand, Sensei has its own backup...
What's the better and safer choice?

102
Web Proxy Filtering and Caching / Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« on: September 26, 2020, 08:50:39 pm »
Got exactly the same results. I will add here my WAF policy for Nextcloud. If you have something else, please post it.

103
Web Proxy Filtering and Caching / Re: WAF app/service based whitelists
« on: September 26, 2020, 08:33:50 pm »
Quote from: Fright on September 26, 2020, 08:13:45 am
so you get "Request Denied For Security Reasons" page and nothing in logs?
and how it works in LearningMode?
I haven't seen any Request Denied page; the upload simply didn't want to commence.

In learning mode I could see only IDs which were already included in the newly created whitelist policy - when it was not selected in the location, of course. Thus I thought it must be something related to browsers - I use them in and out of VPN mode (so accessing in LAN - no WAF - Naxsi trusted, and from WAN - with WAF on), so maybe it was something about cache. Anyway, after clearing caches in Chrome and Safari it seems it works. Of course I need to monitor it because I might not have checked all options...  ;D

104
Web Proxy Filtering and Caching / Re: WAF app/service based whitelists
« on: September 25, 2020, 11:48:47 pm »
For those who might find it useful - attached are the discovered IDs to be whitelisted for SOGo and Nextcloud...
If you know about other IDs, please share them!

105
Web Proxy Filtering and Caching / Re: WAF app/service based whitelists
« on: September 25, 2020, 09:49:46 pm »
Strange thing: once the whitelist rule is enabled in the location, Nginx doesn't record any new errors. I set the whitelist policy to block, drop, allow and log (see attached screenshot) and it doesn't change Nginx's behavior. In the rule I have set:
Description - Whitelist
ID - i.e. 1009
Rule Type - Basic
Match Type - Whitelist
Part of the location block looks as follows:
Code:
location  / {
    SecRulesEnabled;
    BasicRule wl:19;
    CheckRule "$policy6298af02d84e47f39f2489ec77a92aaa >= 8" BLOCK;
    CheckRule "$policy8caca66bc2054683b0f9dcc96d4bb44c >= 8" BLOCK;
    CheckRule "$policy9016671b2ac443bfaae9d74836e045af >= 8" BLOCK;
    CheckRule "$policy4c041911949f42e5a3e5c5b8d31c65fd >= 8" BLOCK;
    BasicRule wl:11;
    BasicRule wl:1009;
    BasicRule wl:1206;
    CheckRule "$policy4e07ebd58e85405e8f0b9ccaf2398aaa >= 8" LOG;
    CheckRule "$policye6a7ab1e0b6b45149022b45c2cf63345 >= 8" BLOCK;
    CheckRule "$policyeeb570a227a940a7b044aac8b8faeffc >= 8" BLOCK;
    DeniedUrl "/waf_denied.html";

And because of that, I'm not able to continue whitelisting as I don't see new Naxsi errors (for example, I'm not yet able to upload a file with WAF policies enabled)...
