Topics - Mr. Happy

1
23.1 Legacy Series / OpenVPN keeps reconnecting after update 22.7.11 to 23.1.
« on: March 20, 2023, 04:26:25 pm »
I have 2 OpenVPN clients configured.
On 22.7.11 they stayed connected (according to the web interface anyway), but on 23.1 they keep reconnecting every few minutes.
Besides updating, nothing changed.
Also the time it takes to connect the VPN seems way longer than before.
Every time a VPN client drops the connection I get a notification. On v22 I received none, now my mailbox gets flooded.

Is there a setting I had to alter (and obviously forgot) or is there another explanation?

TIA!

2
22.1 Legacy Series / Monitoring network connection with Monit
« on: June 12, 2022, 12:38:45 pm »
For a couple of days I've been trying to get Monit to monitor my openvpn-client and (re)start the client if needed.
According to the monit manual this should work:
Code:
check network vpn_cl_openvpn interface vpn_cl_openvpn
   start program = "/usr/local/sbin/pluginctl -s openvpn start 3"
   stop program = "/usr/local/sbin/pluginctl -s openvpn stop 3"
   if check network vpn_cl_vpn interface ovpnc3 then alert
The logging however says
Code:
/usr/local/etc/monitrc:33: syntax error 'check network'.
Can anybody help me fix this (and get the monitoring working  ;D)?

-- EDIT

Tried the manual approach....

Apparently the gui does not work well...
When I enter this
Code:
check network vpn_cl_openvpn interface vpn_cl_openvpn
   start program = "/usr/local/sbin/pluginctl -s openvpn start 1"
   stop program = "/usr/local/sbin/pluginctl -s openvpn stop 1"
   if link down then restart
in /usr/local/etc/monitrc and test (and run) it, it is fine. The GUI, however, gives me an error that the syntax is wrong and the interface does not exist, and the tab 'Status' shows me the link is down.
Also the log spams me with this
Code:
2022-06-12T20:28:31 Informational monit 'vpn_cl_openvpn' start: '/usr/local/sbin/pluginctl -s openvpn start 1'
2022-06-12T20:28:31 Informational monit 'vpn_cl_openvpn' stop: '/usr/local/sbin/pluginctl -s openvpn stop 1'
2022-06-12T20:28:31 Informational monit 'vpn_cl_openvpn' trying to restart
2022-06-12T20:28:30 Error monit 'vpn_cl_openvpn' link data collection failed -- Cannot udate network statistics -- interface vpn_cl_openvpn not found
I have tried changing the interface to ovpnc1 (the name it has according to ifconfig); then the GUI does not give me errors, but it does not (re)start the openvpn-client (although the service is stopped).

-- EDIT 2 --
Tried it with running a script which returns 1 when the interface is down and 0 when it is up.
The value 1 makes the openvpn service start (as described above), but Monit keeps the value 1 and thus restarts the interface every 2 minutes...

I can't believe the integration of Monit in OPNsense is that crippled... What am I missing?

3
22.1 Legacy Series / os-git-backup wants to delete branch
« on: April 29, 2022, 03:36:16 pm »
For a couple of weeks I have been getting the following error:
Quote
git-backup unknown error, check log for details (remote: remote: Gitea: branch master is the default branch and cannot be deleted To https://git.domain.org/mine/opnsense.git ! [remote rejected] master (pre-receive hook declined) error: failed to push some refs to 'https://git.domain.org/mine/opnsense.git' )
If I create a new branch, the backup is created successfully but the branch is removed directly afterwards.
Removing and reinstalling did not resolve this.
Anyone got an idea how to fix this?

4
20.7 Legacy Series / Downtime of 1 minute during renewing WAN IP
« on: November 25, 2020, 05:45:41 pm »
Every 32 hours my WAN connection goes down for 1 minute... As such not a big issue, but during calls it's a PITA...
The renewal time of the IP address is 4 days, but it gets renewed every 32 hours...
Where can I change this behaviour?

And more importantly, how can I prevent the connection from going down for 1 minute?
In the logging I found this, but it does not point me in the right direction:
Code:
2020-11-25T17:30:14 opnsense[30029] /usr/local/etc/rc.newwanip: On (IP address: ###.##.###.##) (interface: WAN[wan]) (real interface: bge0).
2020-11-25T17:30:14 opnsense[30029] /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'bge0'
2020-11-25T17:30:14 dhclient[56458] New Routers (bge0): <WANIP2>.1
2020-11-25T17:30:14 dhclient[6882] New Broadcast Address (bge0): <WANIP>.255
2020-11-25T17:30:14 dhclient[99685] New Subnet Mask (bge0): 255.255.252.0
2020-11-25T17:30:14 dhclient[90625] New IP Address (bge0): <WANIP>.54
2020-11-25T17:30:14 dhclient[89327] DHCPREQUEST on bge0 to 255.255.255.255 port 67
2020-11-25T17:30:11 dhclient[89327] DHCPDISCOVER on bge0 to 255.255.255.255 port 67 interval 13
2020-11-25T17:30:01 dhclient[89327] DHCPDISCOVER on bge0 to 255.255.255.255 port 67 interval 10
2020-11-25T17:29:55 dhclient[89327] DHCPDISCOVER on bge0 to 255.255.255.255 port 67 interval 6
2020-11-25T17:29:51 dhclient[89327] DHCPDISCOVER on bge0 to 255.255.255.255 port 67 interval 4
2020-11-25T17:29:49 dhclient[89327] DHCPDISCOVER on bge0 to 255.255.255.255 port 67 interval 2
2020-11-25T17:29:44 dhclient[89327] DHCPREQUEST on bge0 to 255.255.255.255 port 67
2020-11-25T17:29:42 dhclient[89327] DHCPREQUEST on bge0 to 255.255.255.255 port 67
2020-11-25T17:29:40 dhclient[89327] DHCPREQUEST on bge0 to 255.255.255.255 port 67
2020-11-25T17:29:39 dhclient[89327] DHCPREQUEST on bge0 to 255.255.255.255 port 67
2020-11-25T17:29:38 dhclient[89327] DHCPREQUEST on bge0 to 255.255.255.255 port 67
2020-11-25T17:29:37 dhclient[89327] DHCPREQUEST on bge0 to 255.255.255.255 port 67
2020-11-25T17:29:37 kernel bge0: link state changed to UP
2020-11-25T17:28:57 opnsense[9477] /usr/local/etc/rc.linkup: Clearing states for stale wan route on bge0
2020-11-25T17:28:57 kernel bge0: link state changed to DOWN
2020-11-24T09:43:43 opnsense[20489] /usr/local/etc/rc.newwanip: On (IP address: <WANIP>.54) (interface: WAN[wan]) (real interface: bge0).

Some additional info:
Code:
cat /var/db/dhclient.leases.bge0
lease {
  interface "bge0";
  fixed-address <WANIP>.54;
  next-server <WANIP2>.1;
  option subnet-mask 255.255.252.0;
  option routers <WANIP2>.1;
  option domain-name-servers <DNS>.57,<DNS2>.215;
  option dhcp-lease-time 490060;
  option dhcp-message-type 5;
  option dhcp-server-identifier <DNS>.55;
  renew 5 2020/11/27 04:47:33;
  rebind 0 2020/11/29 07:50:22;
  expire 1 2020/11/30 00:51:23;
}
lease {
  interface "bge0";
  fixed-address <WANIP>.54;
  next-server <WANIP2>.1;
  option subnet-mask 255.255.252.0;
  option routers <WANIP2>.1;
  option domain-name-servers <DNS>.57,<DNS2>.215;
  option dhcp-lease-time 604800;
  option dhcp-message-type 5;
  option dhcp-server-identifier <DNS>.55;
  renew 0 2020/11/29 04:30:14;
  rebind 2 2020/12/1 19:30:14;
  expire 3 2020/12/2 16:30:14;
}

5
20.7 Legacy Series / DHCP WAN renewed long before expiration
« on: October 23, 2020, 04:50:21 pm »
The lease time from my provider is 604800 seconds, but after 32 hours my WAN goes down and it does a renew.
Every time the connection goes down it takes about one minute to get back up again. Not very convenient if you're videoconferencing :o.
I took a look at dhclient.leases.bge0 and it shows me (right after the last renew) the following:
Code:
lease {
  interface "bge0";
  fixed-address xxx.xxx.xx5.54;
  next-server xxx.xxx.xx2.1;
  option subnet-mask 255.255.252.0;
  option routers xxx.xxx.xx2.1;
  option domain-name-servers yyy.yyy.yy1.57,yyy.zzz.zz3.215;
  option dhcp-lease-time 604800;
  option dhcp-message-type 5;
  option dhcp-server-identifier yyy.yyy.yy1.55;
  renew 0 2020/10/25 18:12:36;
  rebind 3 2020/10/28 09:12:36;
  expire 4 2020/10/29 06:12:36;
}
lease {
  interface "bge0";
  fixed-address xxx.xxx.xx5.54;
  next-server xxx.xxx.xx2.1;
  option subnet-mask 255.255.252.0;
  option routers xxx.xxx.xx2.1;
  option domain-name-servers yyy.yyy.yy1.57,yyy.zzz.zz3.215;
  option dhcp-lease-time 489798;
  option dhcp-message-type 5;
  option dhcp-server-identifier yyy.yyy.yy1.55;
  renew 1 2020/10/26 10:10:57;
  rebind 3 2020/10/28 13:12:06;
  expire 4 2020/10/29 06:12:36;
}
The first lease-time is 7 days, but the renew 0 is in about 32 hours.
The second lease-time is a bit over 5 days, and the renew 1 is in 48 hours.

Is it possible to have the renew 0 and 1 run later and have the WAN not go down, but continue running??
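An added example, not code from the forum post or from OPNsense, that reads dhclient.leases text in the layout posted in this topic and in the "Downtime of 1 minute" topic above. dhclient.leases does not record when a lease was acquired, so the example recovers it as expire minus lease-time, expresses renew (T1) and rebind (T2) as fractions of the lease (RFC 2131 defaults are 0.5 and 0.875), and measures the actual interval between consecutive rc.newwanip entries in the posted log. The lease times and timestamps are the posted ones; the addresses are constructed RFC 5737 documentation addresses standing in for the masked ones.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in dhclient.leases format. The lease-time values and the
# renew/rebind/expire timestamps are the ones posted in this topic; the
# addresses are RFC 5737 documentation addresses replacing the masked ones.
SAMPLE_LEASES = """\
lease {
  interface "bge0";
  fixed-address 192.0.2.54;
  next-server 192.0.2.1;
  option subnet-mask 255.255.252.0;
  option routers 192.0.2.1;
  option dhcp-lease-time 604800;
  option dhcp-message-type 5;
  renew 0 2020/10/25 18:12:36;
  rebind 3 2020/10/28 09:12:36;
  expire 4 2020/10/29 06:12:36;
}
lease {
  interface "bge0";
  fixed-address 192.0.2.54;
  next-server 192.0.2.1;
  option subnet-mask 255.255.252.0;
  option routers 192.0.2.1;
  option dhcp-lease-time 489798;
  option dhcp-message-type 5;
  renew 1 2020/10/26 10:10:57;
  rebind 3 2020/10/28 13:12:06;
  expire 4 2020/10/29 06:12:36;
}
"""

# Constructed log excerpt; the timestamps are those of the two "rc.newwanip: On"
# lines posted in the "Downtime of 1 minute" topic, the WAN address is a placeholder.
SAMPLE_LOG = """\
2020-11-25T17:30:14 opnsense[30029] /usr/local/etc/rc.newwanip: On (IP address: 192.0.2.54) (interface: WAN[wan]) (real interface: bge0).
2020-11-25T17:30:14 opnsense[30029] /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'bge0'
2020-11-24T09:43:43 opnsense[20489] /usr/local/etc/rc.newwanip: On (IP address: 192.0.2.54) (interface: WAN[wan]) (real interface: bge0).
"""

LEASE_BLOCK = re.compile(r"lease\s*\{(.*?)\}", re.S)
# dhclient writes "<weekday> YYYY/MM/DD HH:MM:SS"; the weekday digit is not captured.
TIMING = re.compile(r"^\s*(renew|rebind|expire)\s+\d\s+(\S+\s+\S+);", re.M)
LEASE_TIME = re.compile(r"option dhcp-lease-time (\d+);")
IFACE = re.compile(r'interface "([^"]+)";')
ADDRESS = re.compile(r"fixed-address (\S+);")
NEWWANIP = re.compile(r"^(\S+) \S+ /usr/local/etc/rc\.newwanip: On ", re.M)


def parse_leases(text):
    """Return one dict per lease block: interface, address, lease_time (s), renew/rebind/expire."""
    leases = []
    for body in LEASE_BLOCK.findall(text):
        lease = {
            "interface": IFACE.search(body).group(1),
            "address": ADDRESS.search(body).group(1),
            "lease_time": int(LEASE_TIME.search(body).group(1)),
        }
        for name, stamp in TIMING.findall(body):
            lease[name] = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")
        leases.append(lease)
    return leases


def lease_timing(lease):
    """Recover the acquisition time and place T1/T2 as fractions of the lease.

    The file stores no acquisition time, so it is expire minus lease-time. Values
    other than the RFC 2131 defaults (0.5 and 0.875) mean the server sent explicit
    renewal-time / rebinding-time options.
    """
    start = lease["expire"] - timedelta(seconds=lease["lease_time"])
    t1 = (lease["renew"] - start).total_seconds() / lease["lease_time"]
    t2 = (lease["rebind"] - start).total_seconds() / lease["lease_time"]
    return {"start": start, "t1_fraction": t1, "t2_fraction": t2}


def renewal_intervals_hours(log_text):
    """Hours between consecutive 'rc.newwanip: On' events, oldest first."""
    stamps = sorted(datetime.strptime(s, "%Y-%m-%dT%H:%M:%S") for s in NEWWANIP.findall(log_text))
    return [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    for lease in parse_leases(SAMPLE_LEASES):
        t = lease_timing(lease)
        print(f"{lease['interface']} {lease['address']} lease {lease['lease_time']}s acquired {t['start']}: "
              f"T1 at {t['t1_fraction']:.3f}, T2 at {t['t2_fraction']:.3f} of the lease")
    for hours in renewal_intervals_hours(SAMPLE_LOG):
        print(f"WAN address re-acquired after {hours:.1f} h")
```

Run on the posted values, both leases have renew at exactly half the lease and rebind at 7/8, so the lease file itself follows the RFC 2131 defaults and does not explain an early renewal; the two recovered acquisition times are about 32 hours apart, and the two rc.newwanip entries are about 31.8 hours apart, far short of T1. That points the investigation at what triggers the re-acquisition (the posted log shows the link going DOWN and UP just before it) rather than at the renew/rebind values.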

6
20.7 Legacy Series / Blocking access to IPs in alias for clients in alias does not work (for me)
« on: September 10, 2020, 05:49:39 pm »
I have created a rule (at first with a schedule, but removed the schedule for testing purposes).

The rule consists of an alias (for now with 1 IP address) which is blocked from accessing another alias (for now with 1 IP address).
It is the first rule in the rule definitions for that VLAN, but the last rule is the one triggered, which allows the traffic.
Access from that client is permitted to that IP address.
The rule is evaluated over 100,000 times and triggered 0 times...
There is nothing to be found in the logging regarding this traffic (being blocked).

How/where can I find out why traffic is not blocked?

7
20.7 Legacy Series / Let OpenVPN use NordVPN recommended server
« on: August 21, 2020, 05:39:12 pm »
I have a script that gets the recommended server by NordVPN.
Now I want to use the returned server name to connect the OpenVPN client to.
What is the best way to do that?
Can I 'just' replace the hostname in the config.xml and restart the OpenVPN client?
In this case, how do I restart the OpenVPN client from the command line?

8
20.7 Legacy Series / Overview of rules and usage
« on: August 20, 2020, 04:32:36 pm »
Is it possible to create an overview of the present firewall-rules and how often they're used??

9
20.7 Legacy Series / Firewall blocks one time, passes another...
« on: August 13, 2020, 09:34:27 pm »
When I looked in the live logging of the firewall I found several of the following lines...

Code:
vl70_iot Aug 13 21:23:09 192.168.70.16:49462 173.194.76.206:443 tcp Default deny rule
vl70_iot Aug 13 21:23:08 192.168.70.16:52646 34.90.171.169:80 tcp Default deny rule
vl70_iot Aug 13 21:23:06 192.168.70.16:48390 34.90.173.53:443 tcp Default deny rule
vl70_iot Aug 13 21:23:05 192.168.70.16:52646 34.90.171.169:80 tcp Default deny rule
vl70_iot Aug 13 21:23:04 192.168.70.16:49468 173.194.76.206:443 tcp vl70 allow to any rule

As you can see at 21:23:04 the traffic is allowed, at 21:23:09 it is blocked.
I would have expected it to be allowed or disallowed, not both....
Is this a bug or is there some other logfile what might explain this (erratic?) behaviour??
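An added example, not code from the forum post or from OPNsense, that parses live-log lines in the column layout posted above, groups the hits per source host, destination host, destination port and protocol, and reports the services that received both a pass and a block verdict. Since the posted excerpt carries only the rule label and no separate action column, "allow"/"deny" are matched in the label as a stated heuristic. The sample lines are the posted ones, reconstructed here.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the posted live-log excerpt:
# interface, timestamp, source, destination, protocol, rule label.
# Addresses and times are the posted ones.
SAMPLE_LIVE_LOG = """\
vl70_iot Aug 13 21:23:09 192.168.70.16:49462 173.194.76.206:443 tcp Default deny rule
vl70_iot Aug 13 21:23:08 192.168.70.16:52646 34.90.171.169:80 tcp Default deny rule
vl70_iot Aug 13 21:23:06 192.168.70.16:48390 34.90.173.53:443 tcp Default deny rule
vl70_iot Aug 13 21:23:05 192.168.70.16:52646 34.90.171.169:80 tcp Default deny rule
vl70_iot Aug 13 21:23:04 192.168.70.16:49468 173.194.76.206:443 tcp vl70 allow to any rule
"""

LINE = re.compile(
    r"^(?P<iface>\S+) (?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<rule>.+)$"
)


def parse_live_log(text):
    """Parse each line into a dict; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["sport"] = int(entry["sport"])
            entry["dport"] = int(entry["dport"])
            entries.append(entry)
    return entries


def group_by_service(entries):
    """Group hits by (src host, dst host, dst port, proto), keeping source ports and rule labels seen."""
    groups = defaultdict(lambda: {"sports": set(), "rules": set(), "count": 0})
    for e in entries:
        g = groups[(e["src"], e["dst"], e["dport"], e["proto"])]
        g["sports"].add(e["sport"])
        g["rules"].add(e["rule"])
        g["count"] += 1
    return dict(groups)


def mixed_verdicts(groups):
    """Services that were both passed and blocked.

    Heuristic: the verdict is read from the rule label ("allow" / "deny"), because the
    posted excerpt has no separate action column. The number of distinct source ports
    tells whether the pass and the block belonged to one TCP connection or to several.
    """
    out = {}
    for key, g in groups.items():
        allowed = any("allow" in r.lower() for r in g["rules"])
        denied = any("deny" in r.lower() for r in g["rules"])
        if allowed and denied:
            out[key] = {"rules": sorted(g["rules"]), "distinct_connections": len(g["sports"])}
    return out


if __name__ == "__main__":
    groups = group_by_service(parse_live_log(SAMPLE_LIVE_LOG))
    for (src, dst, dport, proto), info in mixed_verdicts(groups).items():
        print(f"{src} -> {dst}:{dport}/{proto}: {info['rules']} "
              f"across {info['distinct_connections']} connection(s)")
```

On the posted lines the only mixed service is 173.194.76.206:443, and its allowed and denied hits come from different source ports (49468 and 49462), so they are two separate TCP connections rather than one connection being passed and then blocked. Checking that before anything else separates a per-connection rule evaluation difference from genuinely erratic behaviour.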

10
20.7 Legacy Series / [Solved] VMware Tools installed, but according to ESXi they're not...
« on: August 11, 2020, 09:02:54 pm »
I installed OS-VMware plugin and it installs fine, according to OPNsense, but in ESXi it says VMware Tools are not installed.
How can I find out what went wrong?
ps -ef gives but a few processes, not what I expected....
Code:
/usr/local/opnsense/version/vmware
/usr/local/share/open-vm-tools/scripts/vmware
/usr/local/share/vmware-tools/scripts/vmware
are the only files/folders I found with vmware in the name, the first has a version in it (1.5) the second is an empty folder and the third has a network folder in it with a script...
Running that script does nothing, as far as I can tell...

11
20.7 Legacy Series / VLAN tag from wifi gets right IP address but appears on wrong interface
« on: August 03, 2020, 12:30:00 am »
I have recently made a fresh install of the most recent OPNsense on ESXi.
On my OpenWRT router I have three SSIDs (30, 70 & 90), each with a different VLAN (two SSIDs are disabled at the moment - 70 & 90).
On my OPNsense I have 2 physical NICs, 1 connected to my WAN and 1 connected to a virtual switch on a port group with VLAN 4095.
Also I created different VLANs (10, 20, 30, 70 & 90) in OPNsense and assigned interfaces to them.
When I connect my phone to the SSID it gets an IP address from the DHCP range configured for VLAN 30, but it cannot access anything local. Internet works fine.
My phone's IP address appears in the firewall logging as a client of VLAN 20.
When I disable VLAN 20 my phone can access local stuff...

I've searched several places and for a long time, but have not found anything remotely helpful.

What can cause this and how do I resolve it?
Where can I
