"
Hello,
Is there a way to download an old version of OPNsense ?
I'm looking for a 16.7 latest iso.
Thank you
Romain
Is there a way to download an old version of OPNsense ?
I'm looking for a 16.7 latest iso.
Thank you
Romain
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#17
16.7 Legacy Series / Re: IPsec - unable to query SAD entry with SPI
July 05, 2017, 10:06:11 AM
I have a similar trouble.
When the VPN is doing his rekey job, OPNsense are sometimes not able to delete SPI correctly but then the tunnel is up. However any traffic that goes through it.
I had to manually delete the tunnel and mount it again.
After, it could works for few hours / days.
When the VPN is doing his rekey job, OPNsense are sometimes not able to delete SPI correctly but then the tunnel is up. However any traffic that goes through it.
I had to manually delete the tunnel and mount it again.
After, it could works for few hours / days.
#18
16.7 Legacy Series / CARP newbie questions
October 10, 2016, 08:55:01 PM
Hi,
I have few questions on how the carp protocol works.
Let's say I have two firewalls which are identical. 4 physicals network ports and 10 vlans on it.
I would like to configure one of my firewalls to be the master on each VLAN. So all the VIP will be actives on the master ? If I shutdown a vlan interface, the VIP goes directly on the backup but the whole firewall switch to the backup one.
I only tested the carp system with one interface and that was working great. I'm loosing only one ping.
Is this how carp work (active /passive) or is there a way to make active /active scenario ? For example 5 VIP will be active on the first firewall and the second part on the second one ? However in this scenario, how that NAT / routing works ?
Which are the criteria to switch to the backup ? If an interface goes down ? Is it possible to add a weight ? If I have the WAN that go down switch, but if I have the MGMT interface continue to work for example ?
Let me know if I'm not clear.
Thanks !
I have few questions on how the carp protocol works.
Let's say I have two firewalls which are identical. 4 physicals network ports and 10 vlans on it.
I would like to configure one of my firewalls to be the master on each VLAN. So all the VIP will be actives on the master ? If I shutdown a vlan interface, the VIP goes directly on the backup but the whole firewall switch to the backup one.
I only tested the carp system with one interface and that was working great. I'm loosing only one ping.
Is this how carp work (active /passive) or is there a way to make active /active scenario ? For example 5 VIP will be active on the first firewall and the second part on the second one ? However in this scenario, how that NAT / routing works ?
Which are the criteria to switch to the backup ? If an interface goes down ? Is it possible to add a weight ? If I have the WAN that go down switch, but if I have the MGMT interface continue to work for example ?
Let me know if I'm not clear.
Thanks !
#19
15.7 Legacy Series / Download 15.7.25 ISO
August 09, 2016, 05:07:58 PM
Hi everyone,
Is there a way to download the 15.7.25 version. I will upgrade my main firewall and want to be sure I can still come back to the old version if needed.
Thank you
Romain
Is there a way to download the 15.7.25 version. I will upgrade my main firewall and want to be sure I can still come back to the old version if needed.
Thank you
Romain
#20
15.7 Legacy Series / Re: pfr_update_stats: assertion failed
January 20, 2016, 04:43:40 PM
Thank you.
#21
15.7 Legacy Series / Re: pfr_update_stats: assertion failed
January 20, 2016, 09:47:18 AM
Not at all. I'm still in 10.1 kernel.
I'm working under the 15.7.24 right now.
Can I know what is behind this generic message ?
I'm working under the 15.7.24 right now.
Can I know what is behind this generic message ?
#22
15.7 Legacy Series / Re: OpenVPN timeout
January 20, 2016, 09:10:29 AM
It seems to be related to the monitoring of the gateway.
I changed to an IP closer (on the same network L2) and it works better.
However, if I do a download and take all the bandwith, the monitor see it and reload all the VPN tunnel (ipsec and openvpn)
Do you know how I can avoid this ?
I changed to an IP closer (on the same network L2) and it works better.
However, if I do a download and take all the bandwith, the monitor see it and reload all the VPN tunnel (ipsec and openvpn)
Code Select
updating dyndns GW_WAN
Restarting ipsec tunnels
Restarting OpenVPN tunnels/interfaces GW_WANDo you know how I can avoid this ?
#23
15.7 Legacy Series / pfr_update_stats: assertion failed
January 20, 2016, 09:04:31 AM
Hello,
I'm in 15.7.24 and I have this following error all the time:
Any idea ?
Thanks
I'm in 15.7.24 and I have this following error all the time:
Code Select
Jan 19 10:32:20 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 10:32:21 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:50 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:51 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:51 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:54 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:54 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:09:55 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:23:06 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:23:07 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:23:07 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:24:51 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:24:52 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 11:24:52 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 12:10:55 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 12:10:55 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 12:10:56 opnsense kernel: pfr_update_stats: assertion failed.
Jan 19 12:10:56 opnsense kernel: pfr_update_stats: assertion failed.Any idea ?
Thanks
#24
15.7 Legacy Series / Re: OpenVPN timeout
January 07, 2016, 11:15:22 AM
Here my temperature sensor. Everything is green :
http://imgur.com/I3dJYH4
It's a classic server super micro with Emulex OCE11102-NT additional network cards (10Gb/s) (http://www.supermicro.com/products/system/1U/5018/SYS-5018A-FTN4.cfm)
How can I know which hardware is causing the trouble ?
http://imgur.com/I3dJYH4
It's a classic server super micro with Emulex OCE11102-NT additional network cards (10Gb/s) (http://www.supermicro.com/products/system/1U/5018/SYS-5018A-FTN4.cfm)
How can I know which hardware is causing the trouble ?
#25
15.7 Legacy Series / Re: OpenVPN timeout
January 07, 2016, 09:44:11 AM
If I look into the system.log. I have many things interesting. I didn't touch anything since few days now (even reload filter or updated GW_WAN).
What do you think ?
Quote
Jan 7 04:24:40 opnsense kernel: pfr_update_stats: assertion failed.
Jan 7 04:38:09 opnsense configd.py: [124af91e-7b0b-4329-ab50-8552785e70b2] updating dyndns GW_WAN
Jan 7 04:38:09 opnsense configd.py: [0d6e9ea4-8c7a-4ef4-8e2b-9889308cc73c] Restarting ipsec tunnels
Jan 7 04:38:09 opnsense configd.py: [5382f117-bb23-4c84-8130-0e3985cf2cc0] Restarting OpenVPN tunnels/interfaces GW_WAN
Jan 7 04:38:10 opnsense opnsense: /usr/local/etc/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use GW_WA
N.
Jan 7 04:38:10 opnsense opnsense: /usr/local/etc/rc.openvpn: OpenVPN: Resync server1 VPN_SERVER_1
Jan 7 04:38:10 opnsense kernel: ovpns1: link state changed to DOWN
Jan 7 04:38:10 opnsense configd.py: [4cb63ed4-c503-482c-8199-2e7f235c12f1] Reloading filter
Jan 7 04:38:13 opnsense configd.py: [aea6d0f5-7e31-49bd-a057-fd5990db60ee] Reloading filter
Jan 7 04:38:13 opnsense kernel: ovpns1: link state changed to UP
Jan 7 04:38:13 opnsense configd.py: [b3cf52d3-5129-4f9e-aa0a-9a22572cb590] rc.newwanip starting ovpns1
Jan 7 04:38:13 opnsense opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: Informational is starting ovpns1.
Jan 7 04:38:13 opnsense opnsense: /usr/local/etc/rc.newwanip: Interface is empty, nothing to do.
Jan 7 04:38:15 opnsense opnsense: /usr/local/etc/rc.openvpn: OpenVPN: Resync server2 VPN_SERVER_2
Jan 7 04:38:15 opnsense kernel: ovpns2: link state changed to DOWN
Jan 7 04:38:15 opnsense configd.py: [7225d8b9-1480-48f3-a8b5-6493c7d23b52] Reloading filter
Jan 7 04:38:18 opnsense configd.py: [81c492db-1b78-4a58-8cfd-7f5b261e2c38] Reloading filter
Jan 7 04:38:18 opnsense kernel: ovpns2: link state changed to UP
Jan 7 04:38:18 opnsense configd.py: [d513199b-0894-47cf-85f8-68171e1f51ae] rc.newwanip starting ovpns2
Jan 7 04:38:19 opnsense opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: Informational is starting ovpns2.
Jan 7 04:38:19 opnsense opnsense: /usr/local/etc/rc.newwanip: Interface is empty, nothing to do.
Jan 7 04:38:21 opnsense configd.py: [50e82462-4b0a-4eee-934a-1a8767c0ec47] Reloading filter
Jan 7 04:39:07 opnsense configd.py: [d5347b54-5a47-4606-be60-8b1144f13a2b] updating dyndns GW_WAN
Jan 7 04:39:07 opnsense configd.py: [406cfcbe-13fa-4aa8-b908-d4130da5fa01] Restarting ipsec tunnels
Jan 7 04:39:08 opnsense configd.py: [5cb93580-f2e0-4ec8-82c7-5c5c7a8bc8a5] Restarting OpenVPN tunnels/interfaces GW_WAN
Jan 7 04:39:08 opnsense opnsense: /usr/local/etc/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use GW_WA
N.
Jan 7 04:39:08 opnsense opnsense: /usr/local/etc/rc.openvpn: OpenVPN: Resync server1 VPN_SERVER_1
Jan 7 04:39:08 opnsense kernel: ovpns1: link state changed to DOWN
Jan 7 04:39:08 opnsense configd.py: [d934784e-40c8-4932-b9f9-adf771b881c8] Reloading filter
Jan 7 04:39:11 opnsense configd.py: [65beb3f5-4027-434d-9d82-a7bd926a9369] Reloading filter
Jan 7 04:39:11 opnsense kernel: ovpns1: link state changed to UP
Jan 7 04:39:11 opnsense configd.py: [e56c8985-8585-4b38-9352-bd7db4ec0a07] rc.newwanip starting ovpns1
Jan 7 04:39:11 opnsense opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: Informational is starting ovpns1.
Jan 7 04:39:11 opnsense opnsense: /usr/local/etc/rc.newwanip: Interface is empty, nothing to do.
Jan 7 04:39:14 opnsense opnsense: /usr/local/etc/rc.openvpn: OpenVPN: Resync server2 VPN_SERVER_2
Jan 7 04:39:14 opnsense kernel: ovpns2: link state changed to DOWN
Jan 7 04:39:14 opnsense configd.py: [e033c0f2-87ac-44b3-958c-d84e1efd54c2] Reloading filter
Jan 7 04:39:17 opnsense configd.py: [062d8244-fe8f-42ea-9e9a-5b6473a96ddc] Reloading filter
Jan 7 04:39:17 opnsense kernel: ovpns2: link state changed to UP
Jan 7 04:39:17 opnsense configd.py: [7c204faf-5113-485b-9b36-e126f982429c] rc.newwanip starting ovpns2
Jan 7 04:39:17 opnsense opnsense: /usr/local/etc/rc.newwanip: rc.newwanip: Informational is starting ovpns2.
Jan 7 04:39:17 opnsense opnsense: /usr/local/etc/rc.newwanip: Interface is empty, nothing to do.
Jan 7 04:39:19 opnsense configd.py: [9a7c1c44-076b-4144-80a3-c0a25d076650] Reloading filter
What do you think ?
#26
15.7 Legacy Series / Re: OpenVPN timeout
January 06, 2016, 07:51:54 PM
I've search a little bit more on my trouble and when all my users received a error message : Error: Inactivity timeout (--ping-restart), I can see that something is restarting the daemon openvpn server :
I have two OpenVPN (with different port and configuration) that receive a event_wait : Interrupted system call (code=4) which does a SIGTERM[hard,] received, process exiting
Do you have any idea of what's going on ? How can I debug from which process the restart daemon instruction come from ?
Thank you all !
Quote
Jan 6 16:23:48 opnsense openvpn[54243]: event_wait : Interrupted system call (code=4)
Jan 6 16:23:48 opnsense openvpn[54243]: Closing TUN/TAP interface
Jan 6 16:23:48 opnsense openvpn[54243]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1602 172.31.129.1 255.255.255.224 init
Jan 6 16:23:51 opnsense openvpn[54243]: SIGTERM[hard,] received, process exiting
Jan 6 16:23:51 opnsense openvpn[41196]: OpenVPN 2.3.9 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 22 2015
Jan 6 16:23:51 opnsense openvpn[41196]: library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Jan 6 16:23:51 opnsense openvpn[41763]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1.sock
Jan 6 16:23:51 opnsense openvpn[41763]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 6 16:23:51 opnsense openvpn[41763]: Diffie-Hellman initialized with 2048 bit key
Jan 6 16:23:51 opnsense openvpn[41763]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Jan 6 16:23:51 opnsense openvpn[41763]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 6 16:23:51 opnsense openvpn[41763]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 6 16:23:51 opnsense openvpn[41763]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Jan 6 16:23:51 opnsense openvpn[41763]: TUN/TAP device ovpns1 exists previously, keep at program end
Jan 6 16:23:51 opnsense openvpn[41763]: TUN/TAP device /dev/tun1 opened
Jan 6 16:23:51 opnsense openvpn[41763]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 6 16:23:51 opnsense openvpn[41763]: /sbin/ifconfig ovpns1 172.31.129.1 172.31.129.2 mtu 1500 netmask 255.255.255.224 up
Jan 6 16:23:51 opnsense openvpn[41763]: /sbin/route add -net 172.31.129.0 172.31.129.1 255.255.255.224
Jan 6 16:23:51 opnsense openvpn[41763]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1602 172.31.129.1 255.255.255.224 init
Jan 6 16:23:52 opnsense openvpn[41763]: UDPv4 link local (bound): [AF_INET]80.80.236.212:1194
Jan 6 16:23:52 opnsense openvpn[41763]: UDPv4 link remote: [undef]
Jan 6 16:23:52 opnsense openvpn[41763]: MULTI: multi_init called, r=256 v=256
Jan 6 16:23:52 opnsense openvpn[41763]: IFCONFIG POOL: base=172.31.129.2 size=28, ipv6=0
Jan 6 16:23:52 opnsense openvpn[41763]: Initialization Sequence Completed
Jan 6 16:23:54 opnsense openvpn[55726]: event_wait : Interrupted system call (code=4)
Jan 6 16:23:54 opnsense openvpn[55726]: Closing TUN/TAP interface
Jan 6 16:23:54 opnsense openvpn[55726]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1601 172.31.130.1 255.255.255.192 init
Jan 6 16:23:57 opnsense openvpn[55726]: SIGTERM[hard,] received, process exiting
Jan 6 16:23:57 opnsense openvpn[39633]: OpenVPN 2.3.9 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 22 2015
Jan 6 16:23:57 opnsense openvpn[39633]: library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
Jan 6 16:23:57 opnsense openvpn[39904]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server2.sock
Jan 6 16:23:57 opnsense openvpn[39904]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 6 16:23:57 opnsense openvpn[39904]: Diffie-Hellman initialized with 2048 bit key
Jan 6 16:23:57 opnsense openvpn[39904]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
Jan 6 16:23:57 opnsense openvpn[39904]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 6 16:23:57 opnsense openvpn[39904]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 6 16:23:57 opnsense openvpn[39904]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Jan 6 16:23:57 opnsense openvpn[39904]: TUN/TAP device ovpns2 exists previously, keep at program end
Jan 6 16:23:57 opnsense openvpn[39904]: TUN/TAP device /dev/tun2 opened
Jan 6 16:23:57 opnsense openvpn[39904]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Jan 6 16:23:57 opnsense openvpn[39904]: /sbin/ifconfig ovpns2 172.31.130.1 172.31.130.2 mtu 1500 netmask 255.255.255.192 up
Jan 6 16:23:57 opnsense openvpn[39904]: /sbin/route add -net 172.31.130.0 172.31.130.1 255.255.255.192
Jan 6 16:23:57 opnsense openvpn[39904]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1601 172.31.130.1 255.255.255.192 init
Jan 6 16:23:57 opnsense openvpn[39904]: UDPv4 link local (bound): [AF_INET]80.80.236.212:1195
Jan 6 16:23:57 opnsense openvpn[39904]: UDPv4 link remote: [undef]
Jan 6 16:23:57 opnsense openvpn[39904]: MULTI: multi_init called, r=256 v=256
Jan 6 16:23:57 opnsense openvpn[39904]: IFCONFIG POOL: base=172.31.130.2 size=60, ipv6=0
Jan 6 16:23:57 opnsense openvpn[39904]: Initialization Sequence Completed
I have two OpenVPN (with different port and configuration) that receive a event_wait : Interrupted system call (code=4) which does a SIGTERM[hard,] received, process exiting
Do you have any idea of what's going on ? How can I debug from which process the restart daemon instruction come from ?
Thank you all !
#27
15.7 Legacy Series / Improvement - OpenVPN - KeepAlive option
January 04, 2016, 05:39:06 PM
Hello there,
It seems that in certain case we need to change the keepalive mode to a ping manually timeout specified (ping, ping-exit, ping-restart).
However, there is no way to disable this functionnality. The instruction keepalive is automatically added. It should be a good improvement to disable it in order to specify the ping value manually.
Do you think it could be possible ?
Thank you and best wishes for this new year !
It seems that in certain case we need to change the keepalive mode to a ping manually timeout specified (ping, ping-exit, ping-restart).
However, there is no way to disable this functionnality. The instruction keepalive is automatically added. It should be a good improvement to disable it in order to specify the ping value manually.
Do you think it could be possible ?
Thank you and best wishes for this new year !
#28
15.7 Legacy Series / OpenVPN timeout
December 15, 2015, 04:40:55 PM
Hello there,
I have some strange behaviour with my openvpn. I have several timeouts and not related to my internet connection.
I have a low latency (6/10ms max) but sometime and without any explanations, I got ping with high latency 200/500 ms and few timeout. During these latency storm my internet is quite good (I still have 5/6 ms on different websites).
I tried to change tun vs tap and set the sndbuf and rcvbuf to 0 but nothing seems to be working.
The only thing I can do is to restart the service to be okay for few hours.
I changed the verobosity of the client and server log but I don't see anything.
Any idea on what's going on and what can I look into ?
Thank
Romain
I have some strange behaviour with my openvpn. I have several timeouts and not related to my internet connection.
I have a low latency (6/10ms max) but sometime and without any explanations, I got ping with high latency 200/500 ms and few timeout. During these latency storm my internet is quite good (I still have 5/6 ms on different websites).
I tried to change tun vs tap and set the sndbuf and rcvbuf to 0 but nothing seems to be working.
The only thing I can do is to restart the service to be okay for few hours.
I changed the verobosity of the client and server log but I don't see anything.
Any idea on what's going on and what can I look into ?
Thank
Romain
#29
15.7 Legacy Series / Re: [SOLVED] Zabbix agent 2.4
December 12, 2015, 08:20:55 AM
Thank you. It works like a charm.
For others, here what I've done :
For others, here what I've done :
Code Select
pkg add -f https://pkg.opnsense.org/snapshots/zabbix24-agent-2.4.7.txz
Add my conf under /usr/local/etc/zabbix24/zabbix_agentd.conf
To be started automatically on the boot of the firewall : echo zabbix_agentd_enable=YES >> /etc/rc.conf
/usr/local/etc/rc.d/zabbix_agentd start
#30
15.7 Legacy Series / Re: [SOLVED] Zabbix agent 2.4
December 11, 2015, 10:20:53 PM
franco yes i'm on an amd64. Thank you !
andreas no problem :-)
andreas no problem :-)
