Messages - chol

#1
Hi there!

I did speed up the upgrade of my 32bit Alix 2c3/2d3 nano-OPNsense machines' cf card installs by use of a 64bit Intel atom D510 machine, see:

Versions OPNsense 16.7.9-i386
                FreeBSD 10.3-RELEASE-p11
                LibreSSL 2.4.4
Updates Click to check for updates.
CPU Type Intel(R) Atom(TM) CPU D510 @ 1.66GHz (4 cores)


Question:
Can I copy (kernel-) slice 1 to slice 2 on the 4GB/8GB cf cards via OPNsense's webGUI? Or is it done automatically?

Kind regards, chol
#2
@franco: yes thank you: acknowledged.

Interesting and good thing is, that I could upgrade my x86-32bit Alix 2c3/2d3 nano-OPNsense machines' cf cards by use of the x86-64 Intel atom D510 machine (only 1 reboot required this time), see:

Versions OPNsense 16.7.9-i386
                FreeBSD 10.3-RELEASE-p11
                LibreSSL 2.4.4
Updates Click to check for updates.
CPU Type Intel(R) Atom(TM) CPU D510 @ 1.66GHz (4 cores)


Works steady now! That was a relief yesterday. Kind regards, chol  :)
#3
#1 .. not use the mirrors ??

Just for clarification, what do you call the <default>?

Isn't it the OPNsense, Amsterdam, NL - mirror?

#2 .. hardware is fine (why I know? because a -temporary (  ;) ) reference install of pfSense worked flawlessly (even: all updates and connections to PPPoE bare-bone VDSL-modem).
Happens to be coincidental that also the updates on my two Alix 2d3 machines w/OPNsense 16.7 had issues only with the upgrade process. This caused it, that I did (<irony>) prose at length here ..  so please accept my sorry for that, but all that time spent got to my nerves ...  ::)

Regards, Chol.
#4
 :o  To get text output from update process, I did run the upgrade 5 times. Now the last 6th time the new kernel got installed and the upgrade to 16.7.8 (amd64/OpenSSL) finally succeeded.

1)Got a webgui error:
An API exception occured

Error at /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php:94 - stream_socket_client(): unable to connect to unix:///var/run/configd.socket (Connection refused) (errno=2)


Did "Restart web interface" from console and logged in new and got:

A problem was detected. Click here for more information.
(..)
<6>pid 35631 (python2.7), uid 0: exited on signal 4 (core dumped)
panic: bad pte va 401000 pte 0
cpuid = 1
KDB: enter: panic
panic.txt0600002713015025260  7131 ustarrootwheelbad pte va 401000 pte 0version.txt06000016513015025260  7607 ustarrootwheelFreeBSD 10.3-RELEASE-p5 #0 48f6860(master): Fri Jul 22 17:54:41 CEST 2016
    root@sensey64:/usr/obj/usr/src/sys/SMP


Sent the full error report via webgui.

New reboot:
no webgui access from browser, did upgrade via console
resulted in  kernel and base-16-7-7 install, the second time and auto-reboot again
got webgui access (this time), showing:

OPNsense 16.7.8-amd64
FreeBSD 10.3-RELEASE-p11
OpenSSL 1.0.2j 26 Sep 2016

Your system is up to date.


;D ;D ;D

NOW - I did upgrade to LibreSSL (w/OPNsense, Amsterdam, NL mirror):

.. this resulted in a rather quick upgrade to LibreSSL flavour (console output said (amd64/LibreSSL)) but broke the WebGUI access  :-\

... got back to OpenSSL (this time 16.7.9 (amd64/OpenSSL))

then did:
-login via webgui
-changed to LibreSSL repository
-saved
-triggered upgrade from console
-no reboot required

FINALLY:

it got me an up-to-date OPNsense 16.7.9 (amd64/LibreSSL)   :D :D :D

OPNsense 16.7.9-amd64
FreeBSD 10.3-RELEASE-p11
LibreSSL 2.4.4


everything is fine now!

Thanks to Franco,Ad and the team  :-*



Hope that helps 
#5
Can confirm the broken update process on

console
&
WebGUI

Hardware:
Atom D510 amd64 4GB ram 2 x SSD 64GB (mirror)

Software-system:
OPNsense 16.7-amd64
FreeBSD 10.3-RELEASE-p5
OpenSSL 1.0.2h 3 May 2016
Firmware Mirror    Amsterdam, NL
Firmware Flavour      OpenSSL

.. both console and webgui upgrades of my vanilla OPNsense 16.7 (default, fresh install) broke whilst fetching packets. After reboot, new upgrade attempt failed .. etc.pp. Sent error report from webgui.

***GOT REQUEST TO UPGRADE: all***
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (93 candidates): .......... done
Processing candidates (93 candidates): ........ done
The following 91 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
openldap-client-2.4.44

New packages to be INSTALLED:
heimdal: 1.5.3_7
db5: 5.3.28_6
libwww: 5.4.0_5
openldap-sasl-client: 2.4.44
cyrus-sasl: 2.1.26_12
zip: 3.0_1

Installed packages to be UPGRADED:
unbound: 1.5.9 -> 1.5.10
suricata: 3.1.1 -> 3.1.3
sudo: 1.8.17p1 -> 1.8.18p1
strongswan: 5.4.0 -> 5.5.0
sqlite3: 3.13.0_2 -> 3.14.1_1
samplicator: 1.3.7.b6_2 -> 1.3.8.r1
py27-setuptools27: 23.1.0 -> 28.1.0
py27-requests: 2.10.0 -> 2.11.1
py27-pytz: 2016.6.1,1 -> 2016.7,1
png: 1.6.23 -> 1.6.25
php56-zlib: 5.6.24 -> 5.6.28
php56-xml: 5.6.24 -> 5.6.28
php56-sqlite3: 5.6.24 -> 5.6.28
php56-sockets: 5.6.24 -> 5.6.28
php56-simplexml: 5.6.24 -> 5.6.28
php56-session: 5.6.24 -> 5.6.28
php56-pdo: 5.6.24 -> 5.6.28
php56-openssl: 5.6.24 -> 5.6.28
php56-mcrypt: 5.6.24 -> 5.6.28
php56-ldap: 5.6.24 -> 5.6.28
php56-json: 5.6.24 -> 5.6.28
php56-hash: 5.6.24 -> 5.6.28
php56-gettext: 5.6.24 -> 5.6.28
php56-filter: 5.6.24 -> 5.6.28
php56-dom: 5.6.24 -> 5.6.28
php56-curl: 5.6.24 -> 5.6.28
php56-ctype: 5.6.24 -> 5.6.28
php56: 5.6.24 -> 5.6.28
php-suhosin: 0.9.38 -> 0.9.38_3
phalcon: 2.0.13 -> 3.0.1
pftop: 0.7_6 -> 0.7_8
perl5: 5.20.3_13 -> 5.24.1.r4
pecl-radius: 1.3.0 -> 1.4.0.b1
opnsense-update: 16.7 -> 16.7.7_1
opnsense-lang: 16.7 -> 16.7.7
opnsense: 16.7 -> 16.7.8
openvpn: 2.3.11 -> 2.3.13_1
openssl: 1.0.2_14 -> 1.0.2j_1,1
openssh-portable: 7.2.p2,1 -> 7.3.p1_1,1
ntp: 4.2.8p8 -> 4.2.8p8_1
lighttpd: 1.4.39_1 -> 1.4.43_2
libxml2: 2.9.3 -> 2.9.4
jansson: 2.7_3 -> 2.9
isc-dhcp43-server: 4.3.4 -> 4.3.5
isc-dhcp43-relay: 4.3.4 -> 4.3.5
isc-dhcp43-client: 4.3.4 -> 4.3.5
indexinfo: 0.2.4 -> 0.2.6
hyperscan: 4.2.0 -> 4.3.1
curl: 7.49.1 -> 7.51.0_1
ca_root_nss: 3.25 -> 3.27.1
bsdinstaller: 16.7 -> 16.7_1
bind910: 9.10.4P2 -> 9.10.4P4

Installed packages to be REINSTALLED:
wol-0.7.1_2 (options changed)
squid-3.5.20 (options changed)
rrdtool12-1.2.30_7 (options changed)
relayd-5.5.20140810_2 (needed shared library changed)
python27-2.7.12 (needed shared library changed)
py27-Jinja2-2.8 (options changed)
py27-Babel-2.3.4 (options changed)
pcre-8.39 (options changed)
nettle-3.2 (options changed)
miniupnpd-1.9.20160113,1 (needed shared library changed)
lzo2-2.09 (options changed)
libyaml-0.1.6_2
libucl-0.8.0
libnet-1.1.6_4,1 (options changed)
libmcrypt-2.5.8_3
libltdl-2.4.6
libiconv-1.14_9 (options changed)
libffi-3.2.1
libevent2-2.0.22_1 (needed shared library changed)
libedit-3.1.20150325_2,1
libart_lgpl-2.3.21_2,1
ldns-1.6.17_5 (options changed)
idnkit-1.0_5 (options changed)
gmp-5.1.3_3
gettext-runtime-0.19.8.1
freetype2-2.6.3
flowd-0.9.1_3 (direct dependency changed: perl5)
expat-2.2.0
easy-rsa-3.0.1_1 (options changed)
dnsmasq-2.76,1 (options changed)
dhcp6-20080615_7 (options changed)
GeoIP-1.6.9 (options changed)

Number of packages to be removed: 1
Number of packages to be installed: 6
Number of packages to be upgraded: 52
Number of packages to be reinstalled: 32

The operation will free 4 MiB.
69 MiB to be downloaded.
Fetching wol-0.7.1_2.txz: ... done
Fetching unbound-1.5.10.txz: .......... done
Fetching suricata-3.1.3.txz: .......... done
Fetching sudo-1.8.18p1.txz: .......... done
Fetching strongswan-5.5.0.txz: .......... done
Fetching squid-3.5.20.txz: .......... done
Fetching sqlite3-3.14.1_1.txz: .......... done
Fetching samplicator-1.3.8.r1.txz: .. done
Fetching rrdtool12-1.2.30_7.txz: .......... done
Fetching relayd-5.5.20140810_2.txz: .......... done
Fetching python27-2.7.12.txz: .......... done
Fetching py27-setuptools27-28.1.0.txz: .......... done
Fetching py27-requests-2.11.1.txz: .......... done
Fetching py27-pytz-2016.7,1.txz: .......... done
Fetching py27-Jinja2-2.8.txz: .......... done
Fetching py27-Babel-2.3.4.txz: .......... done
Fetching png-1.6.25.txz: .......... done
Fetching php56-zlib-5.6.28.txz: .. done
Fetching php56-xml-5.6.28.txz: .. done
Fetching php56-sqlite3-5.6.28.txz: .. done
Fetching php56-sockets-5.6.28.txz: .... done
Fetching php56-simplexml-5.6.28.txz: ... done
Fetching php56-session-5.6.28.txz: .... done
Fetching php56-pdo-5.6.28.txz: ..... done
Fetching php56-openssl-5.6.28.txz: ..... done
Fetching php56-mcrypt-5.6.28.txz: .. done
Fetching php56-ldap-5.6.28.txz: ... done
Fetching php56-json-5.6.28.txz: .. done
Fetching php56-hash-5.6.28.txz: .......... done
Fetching php56-gettext-5.6.28.txz: . done
Fetching php56-filter-5.6.28.txz: .. done
Fetching php56-dom-5.6.28.txz: ...... done
Fetching php56-curl-5.6.28.txz: ... done
Fetching php56-ctype-5.6.28.txz: . done
Fetching php56-5.6.28.txz: .......... done
Fetching php-suhosin-0.9.38_3.txz: ...... done
Fetching phalcon-3.0.1.txz: .......... done



...broke kernel
#6
Quote from: weust on August 04, 2015, 04:29:03 PM
Android is Linux. iOS is iOS (Apple, not Cisco).

Android is a specific modified Linux-kernel merged with a version of the BSD standard C-Library, and is BSD-Licensed.

iOS is based on BSD Darwin and the BSD derivative OS-X ( BSD-License)

Hope that helps.
#7
German - Deutsch / Re: alternative for M0n0WALL
August 05, 2015, 12:43:34 PM
Quote from: homermg on August 05, 2015, 12:19:41 PM
Great, thanks, that is the kind of thing I was looking for.
I just find next to nothing about it on the net,
The English Wikipedia has something on it and also lists the derivatives/successors, see m0n0wall.

Quote from: homermg on August 05, 2015, 12:19:41 PM
Does anyone here already have experience with it?

For that, maybe have a look in the project forums:

* t1n1wall forum
* SmallWall forum

I hope this helps!

P.S.: SmallWall and OPNsense 15.7 in the show BSD Now 97 "Big Network, SmallWall"
#8
German - Deutsch / Re: alternative for M0n0WALL
August 05, 2015, 12:28:38 PM
Quote from: homermg on August 05, 2015, 11:39:44 AM
Hey folks,

I am currently looking for a good alternative for our M0n0wall.
Great! m0n0wall has been considered discontinued - EndOfLife since February 15, 2015; the last update is from 15 January 2014 and it is based on FreeBSD 8 (26 November 2009 to 1 August 2015). So you have just left the support period of m0n0wall's base, and since Feb. of this year there have been no new updates.

Be that as it may, Manuel Kasper recommended us (OPNsense), so you are not in the wrong place here :)

Q: What about your hardware? Do you want to invest here and possibly upgrade to 2015 here as well? Or do you want to keep your hardware? If you like, please write what you are using.

Quote from: homermg on August 05, 2015, 11:39:44 AM
When I take a look at Opnsense, it seems very large and resource-hungry to me.
I mean, the M0n0wall image was 23 MB in size and the hardware a maximum of 64 MB RAM, etc.
When I look at Opnsense by contrast, it goes up to 4 GB RAM, etc.
Have I misunderstood something there?
Nothing! In principle you have described your situation and that of OPNsense well. OPNsense is about 600 MB in size. It may help your understanding if you take into account that OPNsense is published under a 2-clause BSD license; that is very good and gives considerably more freedoms than the GPL versions known from the Linux world. It enables maximum cooperation of business/professionals with community/open.

And OPNsense is mainly supported by Deciso, and you can view their hardware specs on the Applianceshop website. There you can see where (that is, for which hardware) OPNsense is currently being optimized. The English Wikipedia (OPNsense) also says something about this. So that this is not misunderstood: it is a consequence of practicable/achievable goals and manpower/man-years, or simply of the limited resource of OPNsense developers: Franco, Ad, Jos are doing a great job, beyond what is necessary, also to support the community.

Quote from: homermg on August 05, 2015, 11:39:44 AM
At the moment I use the M0n0wall only for our guest WLAN, so that both networks are completely separated + captive portal.
Can you enlighten me on this?
To put it bluntly: a Fritzbox can do that too! Though possibly with limited captive portal functionality.

An inexpensive way to a new OPNsense appliance would be about 170 euros for a 2015 APU from PC Engines (AMD T40E DUAL core 1GHz, see also OPNsense Ghz small from the Applianceshop for 299 euros).

I have an old Intel Atom platform with 2 additional Intel GigaBit NICs (approx. 75 euros on Ebay).

m0n0wall successor projects are:
* SmallWall (last update: 06/13/2015 - 1.8.3 bugfix release)
* m0n0wall-mod (last update: 0.33 June 18, 2013)

I hope this information helps you!
#9
Quote from: franco on July 21, 2015, 02:22:49 PM
There is not much room for improvement short of only supplying an API and letting the other side ship the control logic and it won't have the desired impact or stripping down layers and/or functionality/complexity.
What if an outside App would read config files from the firewall, modify it locally by GUI handlers and send the modified config text back - like a GUI type of a console ssh connection?
#10
Quote from: franco on July 15, 2015, 12:08:57 PM
There is an effort to split off base functionality and move it into the plugins instead. This would allow for a slicker installation for small use cases, but that's what I can think of in terms of slow devices. The approach that we try to pull off with API and privilege separation is likely not the approach to save CPU cycles. I can also think of headless systems, but they still need an API so the web server isn't going away.

Any ideas on how we can actively save CPU cycles without jeopardising the functional scope we are aiming at?
A very theoretical question:
Was it imaginable/doable that all of OPNsense management could be outsourced to an App for your firewall-management device of choice - iPhone, Android, PC, tablet? This would leave a more stripped of and defensible base firewall at the TCP/IP internet-trenches.

Quote from: franco on July 15, 2015, 12:08:57 PM
Any ideas on how we can actively save CPU cycles without jeopardising the functional scope we are aiming at?
What is it, the "functional scope"? If services can be left aside as non-installed plugins in future OPNsense versions, is it logical to assume the functional scope was to fit a certain set of hardware, like in an OPNsense appliance-shop? I am confused.
#11
Yeah, seemingly works now! Thanks for the sanitation.
#12
General Discussion / Re: WISH LIST for OPNsense
July 20, 2015, 08:40:35 PM
Quote from: franco on July 20, 2015, 02:22:03 PM
Christian, unbound is in FreeBSD base nowadays. There was a move from dnsmasq to unbound in pfSense most likely due to that reason, but that transition hasn't been completed, at least not in our code base.
Ah good to know that.

Quote from: franco on July 20, 2015, 02:22:03 PM
Bind is in there for a single purpose: Dynamic DNS via RFC 2136. As far as I know there is no replacement. We tried to use bind-tools as a lightweight package but the way the port is designed it conflicts with bind910 installations which some people have asked for as well.
You mentioned RFC2136, but now it's clear.

Quote from: franco on July 20, 2015, 02:22:03 PM
We can add more dns into the packages, but I believe the pressing work is cleaning up the intermittent state of resolver and forwarder and maybe tackling the bind-tools vs full bind packages in FreeBSD.
My full ACK!
#13
General Discussion / Re: WISH LIST for OPNsense
July 20, 2015, 12:35:34 PM
In regard to polipo, I always have the small easy pdnsd for small dns caches etc. on the Linux based laptops of my family.

I am not sure if it makes any sense to try to disable/cut out bind from a smaller (so called SOHO) OPNsense install (like in the method lucifercipher posted elsewhere)?

Franco, could you give some light, why big BIND and why Unbound is in?

I really look enthusiastically towards our plugins ready with 16.1 release.
#14
It showed up so much of new spamming. I had the thought, that s.b. might actually pay some "north korean" whatever persons to spam us ??? All the spamming must be done by persons spending time to do these meaningless actions manually.

Should we say so in our sign up form, that we just do the "uncomfortable" countermeasures because of  spammers?
#15
According to a study, just under three quarters of a set of popular GitHub projects could stumble if the most important developer or the two most important developers leave, as heise reports:

Study: Important GitHub projects dependent on individual developers