Messages - romain

#91
Thanks. I already did that but I'm not sure it's okay. How can I be sure?

I still have the option activated on my network card.

I also changed the value in the sysctl.
#92
I removed the shellcmd instructions

I removed the file /var/run/restore.dirty

I backed up my firewall again and the config file seems to be okay and valid.

I'm not sure if it's the right solution.
#93
I read that it can come from TSO and LRO, which are active on my network card. I can disable them by using the ifconfig command. However, TSO6 always stays, and when I reboot the firewall, the options come back.

As I'm using lagg, the options are set at the startup of the firewall. How can I be sure that these options are disabled permanently?

I use the oce.ko driver delivered directly by Emulex for FreeBSD 10.1.
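The question above (are the offload options really off after a reboot, and where do they have to be cleared when the port sits under a lagg and a VLAN child?) is easiest to answer by parsing `ifconfig -a` after boot. Added example, not code from the forum thread or from OPNsense: the ifconfig output below is constructed to resemble the poster's layout (two oce ports in a failover lagg with a VLAN child, plus a clean igb port) and the names and MACs in it are made up. The rule that lagg/vlan/bridge interfaces are virtual and get no command of their own is an assumption built into the script; lagg(4) rejects capability changes on the lagg itself and vlan(4) inherits them from its parent, so the commands target the physical members.

```python
"""Report hardware offload flags still enabled on FreeBSD interfaces and emit the
ifconfig(8) commands that clear them on the physical ports.

Added example for checking after a reboot; not code from the forum thread or from
OPNsense. SAMPLE_IFCONFIG is constructed, not a real capture.
"""
import re

# Options from ifconfig's options=<...> list and the keyword that clears each one.
DISABLE_KEYWORD = {
    "RXCSUM": "-rxcsum",
    "TXCSUM": "-txcsum",
    "RXCSUM_IPV6": "-rxcsum6",
    "TXCSUM_IPV6": "-txcsum6",
    "TSO4": "-tso4",
    "TSO6": "-tso6",
    "LRO": "-lro",
}
OFFLOAD_FLAGS = tuple(DISABLE_KEYWORD)

# Assumption: interfaces named like these are virtual. lagg(4) refuses SIOCSIFCAP and
# vlan(4) derives its capabilities from the parent, so the members/parent are changed.
VIRTUAL_PREFIXES = ("lagg", "vlan", "bridge")

SAMPLE_IFCONFIG = """\
oce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:90:fa:00:00:01
oce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:90:fa:00:00:02
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4209b<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 00:25:90:00:00:03
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        laggproto failover lagghash l2,l3,l4
        laggport: oce0 flags=5<MASTER,ACTIVE>
        laggport: oce1 flags=0<>
lagg0_vlan8: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 172.28.11.101 netmask 0xffffff00 broadcast 172.28.11.255
"""

_IFACE_RE = re.compile(r"^(\S+): flags=")
_OPTIONS_RE = re.compile(r"^\s+options=[0-9a-fA-F]+<([^>]*)>")


def enabled_offloads(ifconfig_text):
    """Map interface name -> set of OFFLOAD_FLAGS present in its options=<...> list."""
    report, current = {}, None
    for line in ifconfig_text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            report[current] = set()
            continue
        m = _OPTIONS_RE.match(line)
        if m and current is not None:
            opts = set(m.group(1).split(","))
            report[current] = {f for f in OFFLOAD_FLAGS if f in opts}
    return report


def is_virtual(name):
    return name.startswith(VIRTUAL_PREFIXES) or "_vlan" in name


def leftovers(report):
    """Every interface, physical or virtual, that still carries an offload flag."""
    return {name: sorted(flags) for name, flags in report.items() if flags}


def disable_commands(report):
    """ifconfig commands for the physical ports only; lagg/vlan follow their members."""
    cmds = []
    for name in sorted(report):
        flags = report[name]
        if not flags or is_virtual(name):
            continue
        words = [DISABLE_KEYWORD[f] for f in OFFLOAD_FLAGS if f in flags]
        cmds.append("ifconfig %s %s" % (name, " ".join(words)))
    return cmds


if __name__ == "__main__":
    # On a live box: enabled_offloads(subprocess.check_output(["ifconfig", "-a"], text=True))
    report = enabled_offloads(SAMPLE_IFCONFIG)
    for name, flags in sorted(leftovers(report).items()):
        print("%-12s still has %s" % (name, ",".join(flags)))
    print("\n".join(disable_commands(report)))
```

Run it once after every reboot: if `leftovers()` still lists the oce ports, whatever was meant to persist the change (loader.conf, a shellcmd, the GUI offload checkboxes) did not take effect before the lagg was built.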
#94
I use the oce.ko driver found in the FreeBSD 10.1 release.

I already use loader.conf.

I removed the file in /var/run and everything seems to be fine now.
#95
Hello,

I'm trying to manage the options loaded on my oce interface. I didn't find a way to do it correctly, so I used shellcmd. I downloaded a backup of my configuration, added the shellcmd line and rebooted.

But since then, I always get this message if I go to the backup/restore page (and the firewall automatically reboots):

The firewall configuration has been changed. The firewall is now rebooting.

What can I do to avoid this strange behaviour?
#96
I continue to debug. I found two things that are very strange:

The CARP announcement packets have public IPs inside. Shouldn't I only have IPs from the same subnet (my two firewalls are 172.28.11.101 and 172.28.11.102)?

172.28.11.101 > vrrp.mcast.net: vrrp 172.28.11.101 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36, addrs(7): p4FE15735.dip0.t-ipconnect.de,251.222.243.34,66.146.73.124.broad.dynamic.hf.ah.cndata.com,127.76.101.79,251.40.1.5,36.138.207.21,sto95-4-88-178-136-1.fbx.proxad.net

I also see many, many "bad cksum 0" on different types of packets (CARP announcement or ICMP):

21:00:08.219352 IP (tos 0x10, ttl 255, id 46264, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->2ef9)!)


root@OPNSENSE:~ # tcpdump -i lagg0_vlan8 -vvv "carp"
tcpdump: listening on lagg0_vlan8, link-type EN10MB (Ethernet), capture size 65535 bytes
21:00:08.219352 IP (tos 0x10, ttl 255, id 46264, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->2ef9)!)
    172.28.11.101 > vrrp.mcast.net: vrrp 172.28.11.101 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36, addrs(7): p4FE15735.dip0.t-ipconnect.de,251.222.243.28,15.sub-97-205-206.myvzw.com,adsl-75-24-212-125.dsl.pltn13.sbcglobal.net,dynamic.sdtv.net.tw,219.164.243.201,softbank126252245163.bbtec.net
21:00:09.220242 IP (tos 0x10, ttl 255, id 30484, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->6c9d)!)
    172.28.11.101 > vrrp.mcast.net: vrrp 172.28.11.101 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36, addrs(7): p4FE15735.dip0.t-ipconnect.de,251.222.243.29,143.126.25.101,149.104.16.164,c-68-36-70-172.hsd1.mi.comcast.net,slip139-92-30-202.fra.de.prserv.net,142.41.200.122
21:00:10.221352 IP (tos 0x10, ttl 255, id 15770, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->a617)!)
    172.28.11.101 > vrrp.mcast.net: vrrp 172.28.11.101 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36, addrs(7): p4FE15735.dip0.t-ipconnect.de,251.222.243.30,147.16.210.213,58.204.203.159,44.59.163.33,42.213.235.216,168.192.80.249
21:00:11.222240 IP (tos 0x10, ttl 255, id 14066, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->acbf)!)
    172.28.11.101 > vrrp.mcast.net: vrrp 172.28.11.101 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36, addrs(7): p4FE15735.dip0.t-ipconnect.de,251.222.243.31,ip-109-90-25-189.hsi11.unitymediagroup.de,51.192.163.97,55.187.192.51,118.201.211.21,64.16.244.104
21:00:12.223336 IP (tos 0x10, ttl 255, id 8975, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->c0a2)!)
    172.28.11.101 > vrrp.mcast.net: vrrp 172.28.11.101 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36, addrs(7): p4FE15735.dip0.t-ipconnect.de,251.222.243.32,30.28.37.249,202.5.199.134,169.62.123.150,236.221.81.16,133.206.52.220
21:00:13.224235 IP (tos 0x10, ttl 255, id 4142, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->d383)!)
    172.28.11.101 > vrrp.mcast.net: vrrp 172.28.11.101 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36, addrs(7): p4FE15735.dip0.t-ipconnect.de,251.222.243.33,163.0.108.130,softbank219053055176.bbtec.net,199.188.240.51,c-67-182-72-116.hsd1.ca.comcast.net,233.200.43.96
21:00:14.225353 IP (tos 0x10, ttl 255, id 32762, offset 0, flags [DF], proto VRRP (112), length 56, bad cksum 0 (->63b7)!)
^C
    172.28.11.101 > vrrp.mcast.net: vrrp 172.28.11.101 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36, addrs(7): p4FE15735.dip0.t-ipconnect.de,251.222.243.34,66.146.73.124.broad.dynamic.hf.ah.cndata.com,127.76.101.79,251.40.1.5,36.138.207.21,sto95-4-88-178-136-1.fbx.proxad.net


Any idea?
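Both oddities in the capture above are visible in the bytes themselves, so here is an added example (not code from the forum thread, from OPNsense or from FreeBSD) that rebuilds the packet from the fields tcpdump printed. First, "bad cksum 0 (->2ef9)" means the IPv4 header checksum field was zero in the frame tcpdump saw and 0x2ef9 is what it should have been; recomputing it from tos 0x10, ttl 255, id 46264, DF, proto 112, length 56 and the two addresses gives exactly 0x2ef9, which is the signature of a frame captured on the sending host before the NIC's transmit checksum offload filled the field in. Second, tcpdump decodes IP protocol 112 as VRRP unless told `-T carp`, and the CARP header shares its first eight bytes with VRRPv2 but then carries an 8-byte counter and a 20-byte SHA-1 HMAC where VRRP would carry addresses; authlen 7 (28 bytes in 32-bit words) is therefore printed as addrs(7), vhid 3 as vrid 3, advskew 0 as prio 0, advbase 1 as intvl 1s, and the 28 bytes of counter and HMAC are shown as seven "public" IPv4 addresses, the second of which climbs 251.222.243.28, .29, .30 ... as the counter increments. The counter value below is taken from the capture (the high word 0x4FE15735 is assumed from the hex in the t-ipconnect hostname); the HMAC bytes are constructed because they cannot be recovered from the resolved hostnames.

```python
"""Rebuild the captured CARP advertisement, recompute the IPv4 header checksum
tcpdump expected, and decode the same 36 bytes both as VRRPv2 (as tcpdump printed
them) and as CARP.

Added example, not code from the forum thread, OPNsense or FreeBSD. CAPTURE_COUNTER
is read from the capture (high word assumed from the t-ipconnect hostname); SAMPLE_MD
is constructed, not the real HMAC.
"""
import hashlib
import struct

CAPTURE_SRC, CAPTURE_DST = "172.28.11.101", "224.0.0.18"   # 224.0.0.18 = vrrp.mcast.net
CAPTURE_COUNTER = 0x4FE15735FBDEF31C
SAMPLE_MD = hashlib.sha1(b"constructed, not the real HMAC").digest()


def inet_checksum(data):
    """RFC 1071 one's-complement sum; used for both the IP header and the CARP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_ip_header(ident, src=CAPTURE_SRC, dst=CAPTURE_DST, cksum=0):
    """20-byte IPv4 header as tcpdump printed it: tos 0x10, length 56, DF, ttl 255,
    proto 112, with the checksum field still zero (the NIC was expected to fill it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 56, ident, 0x4000, 255, 112,
                       cksum, ip_bytes(src), ip_bytes(dst))


# CARP (FreeBSD ip_carp.h): ver/type, vhid, advskew, authlen, pad, advbase, cksum,
# 8-byte counter, 20-byte SHA-1 HMAC.  VRRPv2: ver/type, vrid, prio, count_ip,
# authtype, adver_int, cksum, then count_ip IPv4 addresses.  Same first 8 bytes.
CARP_FMT = "!BBBBBBH8s20s"
VRRP_FMT = "!BBBBBBH"


def build_carp_advert(vhid, counter, md, advbase=1, advskew=0):
    authlen = (8 + len(md)) // 4          # counter+md in 32-bit words: 7
    hdr = struct.pack(CARP_FMT, (2 << 4) | 1, vhid, advskew, authlen, 0, advbase, 0,
                      counter.to_bytes(8, "big"), md)
    return hdr[:6] + struct.pack("!H", inet_checksum(hdr)) + hdr[8:]


def decode_as_vrrp(pkt):
    vt, vrid, prio, count, authtype, intvl, _ = struct.unpack(VRRP_FMT, pkt[:8])
    addrs = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"version": vt >> 4, "type": vt & 0xF, "vrid": vrid, "prio": prio,
            "authtype": authtype, "intvl": intvl, "addrs": addrs}


def decode_as_carp(pkt):
    vt, vhid, advskew, authlen, _, advbase, _, counter, md = struct.unpack(CARP_FMT, pkt[:36])
    return {"version": vt >> 4, "type": vt & 0xF, "vhid": vhid, "advskew": advskew,
            "authlen": authlen, "advbase": advbase,
            "counter": int.from_bytes(counter, "big"), "md": md.hex(),
            "cksum_ok": inet_checksum(pkt[:36]) == 0}


def carp_vip_mac(vhid):
    """MAC a CARP VIP answers from: 00:00:5e:00:01:<vhid>, the VRRP range CARP reuses."""
    return "00:00:5e:00:01:%02x" % vhid


if __name__ == "__main__":
    hdr = build_ip_header(46264)
    print("id 46264: cksum field %#06x, expected %#06x"
          % (struct.unpack("!H", hdr[10:12])[0], inet_checksum(hdr)))
    for n in range(3):
        pkt = build_carp_advert(3, CAPTURE_COUNTER + n, SAMPLE_MD)
        print("as VRRP addrs[:2]:", decode_as_vrrp(pkt)["addrs"][:2],
              " as CARP counter:", hex(decode_as_carp(pkt)["counter"]))
    print("VIP MAC for vhid 3:", carp_vip_mac(3))
```

On the box, `tcpdump -T carp -i lagg0_vlan8 -vvv carp` shows the same packets with vhid/advbase/counter names instead of addresses, and a capture taken on the peer (or on a mirror port) will show the real checksum instead of "bad cksum 0" when the NIC is the one filling it in.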
#97
I just tried, and even in Factory Default mode I get this error message.

I'm trying to install OPNsense again from scratch.
#98
Hello there,

I tried to import my config after a complete reinstallation from a backup machine. I forgot to load my specific driver first, and at reboot I got this message:

Interface mismatch detected. Please resolve the mismatch and click 'Apply changes'. The firewall will reboot afterwards.

I reviewed my configuration and rebooted many times. But since then, I always get the message, and everything is correct now. I double-checked with ifconfig, which is fine.

Do I simply need to remove the file in /var/run to avoid this message? I don't understand why there is an interface mismatch now.

Thank you for your help
Romain
#99
Hello,

I continue to test OPNsense in depth, but I have run into a problem.

I have two identical boxes with 4x 1GbE Intel ports and 2x 10GbE Emulex ports. I have a lagg configured as failover for the two 10GbE ports. I have 5 tagged VLANs going through this lagg. Everything is working fine.

I tried to configure HA between the two boxes. I added my CARP VIPs on every VLAN, but I have strange behaviour with it.

The gateways of all my VLAN subnets are my CARP VIPs. Everything seems to be okay on the OPNsense side. The master manages the CARP IPs and the backup waits for a failure of the master (when I reboot the master, the backup correctly takes over the VIPs). However, if I try to ping or go through the CARP IP, nothing works unless I use a machine on FreeBSD too; in that case it works. If I take a Windows machine plugged into the same switch with the same tag configuration, it doesn't work at all.

If I look deeper, I can see that both firewalls can ping and reach the Windows machine through their own IPs. If I do a ping -S VIP_ADDRESS IP_WINDOWS, it doesn't work.

On the other side, if I try to ping the VIP of the subnet, I get a timeout. But if I look at the ARP table, I can see the right MAC address defined by the CARP protocol (00:00:...:01).

I tried to deactivate the firewall to see if my issue was related to some missing rules, but no, it doesn't work any better.

I'm pretty sure my CARP setup is okay because the WAN side works well with an OpenVPN server.

Does someone have an idea of what's going on and what I'm doing wrong?

Please let me know if you need any more information.

Romain
#100
It was something related to the driver. Everything I had done in the configuration was okay.

Thank you for the reply.
#101
Hello,

I have a two-port network card plugged into two different switches which are not stackable.

I configured VLAN 8 on the two network ports and created a bridge to be on the same "switch". I activated RSTP on the two switches to avoid a layer 2 loop.

I didn't put any IP on the VLAN interfaces directly, but I added my IP on the bridge interface. I changed some settings to enable IP filtering on the bridge interface and disable IP filtering on the member interfaces.

But since then nothing works. If I remove my bridge and put different IPs on my VLAN interfaces, I can ping any machine on the network. With the bridge I always get "Host not found".

If I look with tcpdump on the interfaces (bridge and VLAN interface), I can see the ARP requests:

root@KISS0525002:~ # tcpdump -i bridge0 -xxx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:17:40.945966 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:17:41.961821 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:17:43.024847 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:17:44.087801 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:17:45.150840 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:17:45.447351 ARP, Request who-has 172.28.11.3 tell 172.28.11.100, length 42
        0x0000:  ffff ffff ffff 0cc4 7a32 5bca 0806 0001
        0x0010:  0800 0604 0001 0cc4 7a32 5bca ac1c 0b64
        0x0020:  0000 0000 0000 ac1c 0b03 0000 0000 0000
        0x0030:  0000 0000 0000 0000
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
root@KISS0525002:~ # tcpdump -i oce0_vlan8 -xxx
tcpdump: WARNING: oce0_vlan8: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on oce0_vlan8, link-type EN10MB (Ethernet), capture size 65535 bytes
14:18:03.182844 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:18:04.183251 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:18:05.203726 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:18:06.266969 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel


My network card is an Emulex OCE11102-NT and I use the driver found in the FreeBSD 10.1 kernel modules (oce.ko).

Do you know what I am doing wrong?

Thanks
Romain
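The hex dumps in the post above carry more than the one-line summaries show: every frame is an ARP request, the bridge's requests for 172.28.11.26 are sent from 02:bd:85:62:ce:00 (a locally-administered address, consistent with the random MAC bridge(4) generates for bridge0), and no reply ever appears. Added example, not code from the forum thread or from OPNsense: a parser for `tcpdump -xxx` output that decodes Ethernet/ARP from the raw bytes and lists the requests nothing in the capture answers. SAMPLE_DUMP takes two of the 172.28.11.26 requests and the 172.28.11.3 request from the bridge0 capture and adds one constructed reply (00:11:22:33:44:55 is made up) so that the matching has a positive case.

```python
"""Parse tcpdump -xxx hex dumps into frames, decode Ethernet/ARP by hand, and list
the requests that no reply in the capture answers.

Added example, not code from the forum thread or OPNsense. SAMPLE_DUMP reuses three
frames from the bridge0 capture and adds one constructed reply.
"""
import re

SAMPLE_DUMP = """\
14:17:40.945966 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:17:41.961821 ARP, Request who-has 172.28.11.26 tell 172.28.11.102, length 28
        0x0000:  ffff ffff ffff 02bd 8562 ce00 0806 0001
        0x0010:  0800 0604 0001 02bd 8562 ce00 ac1c 0b66
        0x0020:  0000 0000 0000 ac1c 0b1a
14:17:45.447351 ARP, Request who-has 172.28.11.3 tell 172.28.11.100, length 42
        0x0000:  ffff ffff ffff 0cc4 7a32 5bca 0806 0001
        0x0010:  0800 0604 0001 0cc4 7a32 5bca ac1c 0b64
        0x0020:  0000 0000 0000 ac1c 0b03 0000 0000 0000
        0x0030:  0000 0000 0000 0000
14:17:45.448100 ARP, Reply 172.28.11.3 is-at 00:11:22:33:44:55, length 28
        0x0000:  0cc4 7a32 5bca 0011 2233 4455 0806 0001
        0x0010:  0800 0604 0002 0011 2233 4455 ac1c 0b03
        0x0020:  0cc4 7a32 5bca ac1c 0b64
"""

_TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
_HEX_RE = re.compile(r"^\s+0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4}\s*)+)$")


def parse_hexdump(text):
    """Group a tcpdump -xxx dump into [{'summary': str, 'data': bytes}, ...]."""
    frames, cur = [], None
    for line in text.splitlines():
        if _TS_RE.match(line):
            cur = {"summary": line.strip(), "data": bytearray()}
            frames.append(cur)
            continue
        m = _HEX_RE.match(line)
        if m and cur is not None:
            cur["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
    for f in frames:
        f["data"] = bytes(f["data"])
    return frames


def _mac(b):
    return ":".join("%02x" % x for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def decode_arp(frame):
    """Ethernet II + ARP (RFC 826) fixed offsets; returns None for non-ARP frames."""
    d = frame["data"]
    if len(d) < 42 or d[12:14] != b"\x08\x06":
        return None
    return {
        "ts": frame["summary"].split()[0],
        "src_mac": _mac(d[6:12]),
        # bit 1 of the first octet set => locally administered address (LAA)
        "locally_administered": bool(d[6] & 0x02),
        "op": int.from_bytes(d[20:22], "big"),       # 1 request, 2 reply
        "sha": _mac(d[22:28]), "spa": _ip(d[28:32]),
        "tha": _mac(d[32:38]), "tpa": _ip(d[38:42]),
    }


def unanswered_requests(arps):
    """{(asker_ip, wanted_ip): count} for requests with no matching reply."""
    answered = {(a["spa"], a["tpa"]) for a in arps if a["op"] == 2}
    pending = {}
    for a in arps:
        if a["op"] == 1 and (a["tpa"], a["spa"]) not in answered:
            key = (a["spa"], a["tpa"])
            pending[key] = pending.get(key, 0) + 1
    return pending


if __name__ == "__main__":
    arps = [a for a in map(decode_arp, parse_hexdump(SAMPLE_DUMP)) if a]
    for a in arps:
        print(a["ts"], "op", a["op"], a["sha"], a["spa"], "->", a["tpa"],
              "(LAA)" if a["locally_administered"] else "")
    for (asker, wanted), n in unanswered_requests(arps).items():
        print("%s asked for %s %d time(s), no reply seen" % (asker, wanted, n))
```

Fed the full bridge0 and oce0_vlan8 captures, the same report tells you whether the request even leaves the right member port and whether a reply ever comes back on either one, which narrows the problem to the bridge/driver path before any firewall rule is suspected.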