Messages

Thanks Franco,

even though I don't like it to loose SSH during an upgrade I surely like hardening the system...

But how can I avoid being locked out prior to the upgrade? I was hoping there's a way to do that in preparation before running the 18.7 upgrade... Specifically because I got quite some machine's I only have SSH access to!

And yet so far all I found about it was:

o SSH access can be set for an arbitrary group as well under System: Administration for non-members of "admins" group.  However, in both cases only SCP works due to a request in the forum to be more proactive regarding yielding of shell access rights.  If you want a user to gain true SSH access you need to change their shell from "nologin" to an installed shell in their respective settings.

in your above mentioned thread...

EDIT:
Had a support call with Jos on friday, he suggested to script it and have the script that change's my user's login shell run after the upgrade...

I'm aware of this Posting. And if there's no way around that issue I need to drive quite a few km's.

There's also an older Posting which describes how I did it when setting up the Router...

But how the f... could that working setting be destroyed during the upgrade path. For me it's a basic security setting to disable root and allow only key login to the other user's. That is how I run all my system's! And as I'm running more than two dozen OPNsense router's all over germany I'm now kind of afraid to upgrade them with a simple SSH login... Seem's I need to go to every single Webinterface and downgrade my security settings before I upgrade. Not good!

Greetz
Mircsicz

Just tried it last weekend. moved the whole dvd iso to my tftp server but all I got was a "mountroot" issue

@franco: Looking forward for 18.7 and THX for letting me know how I can use the current feature...

As I'm currently preparing a replacement router for a client I wanted to use the offered option during Installation:

Code Select Expand


Press any key to start the configuration importer: ..


But entering the USB Stick's device name only lead's me to an error message. If I google for that message I find this Topic. And additionally I found that, but none of those solve the issue by using the offer during install.

BTW: I'm using OPNsense-18.1.6-OpenSSL-serial-amd64.img

So if I enter the drive's dev name all I get is:

Code Select Expand


Press any key to start the configuration importer: ..

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)
<Verbatim STORE N GO 5.00>         at scbus2 target 0 lun 0 (pass1,da0)
<General USB Flash Disk 1.00>      at scbus3 target 0 lun 0 (pass2,da1)

Select device to import from (e.g. ada0) or leave blank to exit: da0

No known partition layout was found for 'da0'.

<SATA SSD S9FM02.9>                at scbus0 target 0 lun 0 (pass0,ada0)


So for this time I'll stick with the import through the WebGUI, but for the future I'ld love to have an USB-Stick at hand that I connect in next to the installer stick and have some Client config's on that...

So my question is how has the partition layout to be like, to be able to make a use of the offered import option?

Hi Fabian,

no I always change that to 80, if I have to do something on WebGUI from remote I use a ssh forward...

But through deeper investigation we learned that we can reach the modem's (Hitron) WebGUI on Port 443. As of that finding I called the UnityMedia Hotline once more, asked them for the password of the modem, as admin / admin didn't work, but they asked me to reset the modem. Later during that conversation and after further inquiry with his coworkers the callcenter agent admitted that they are getting more reports from clients that use the modem and report issue's with port 443 traffic. He said that UnityMedia IT is investigating the incident...

I'll report back after I've received feedback from UnityMedia.

EDIT:
Callcenter Agent I talked to this morning admitted right away that it's a know'n issue with the modem that it sometimes doesn't delete all the firewall rule's when provisioned to bridge-mode. All I needed to do was the hard-reset!

With the next provisioning it worked as expected...

Hi all,

I've got a weird situation on a freshly installed APU.

I forwarded HTTPS from an Exchange to enable ActiveSync but the nmap scan only show's the port as filtered. But my SSH HiPort and SMTP are working as expected. Exchange sends and receive's Mail as expected and I'm currently using the SSH Access to check the Router's WebIF...

Packet Capture on target's OPNsense doesn't get a single package and on my OPNsense all I get is SYN packages...

Now here comes the funny part: If I forward Exchange's 443 to 1443 I get to see the login page!

I hope one of you has a hint as I'm kind a lost here...

BTW: Aunty Google showd me that from the other pf based distri: https://forum.netgate.com/topic/121743/port-forwarding-http-and-https-dont-work-on-pfsense-2-4-0-sg2220/12 But this is a UnityMedia Business Line and they told me not to block any port... And as I'm on a UnityMedia Business connection to I could approve that by forwarding one of my internal HTTPS enabled host's and accessing it through LTE and another external device!

Code Select Expand


mircsicz@macbook-pro-wlan ~ $ nmap -sT -P0 -p443 3x.24.13.166
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-03 04:48 CEST
Nmap scan report for b2b-3x-24-13-166.unitymedia.biz (3x.24.13.166)
Host is up.

PORT    STATE    SERVICE
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
mircsicz@macbook-pro-wlan ~ $ nmap -sT -P0 -p1443 3x.24.13.166
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-03 04:49 CEST
Nmap scan report for b2b-3x-24-13-166.unitymedia.biz (3x.24.13.166)
Host is up (0.028s latency).

PORT     STATE SERVICE
1443/tcp open  ies-lm

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds


I'ld love to see a package for the GA too... ;-)

THX, made the change... But as of the holiday we've in Germany I won't be able to report back till tomorow or monday. ;-)

Didn't realize the chroot, THX...

Code Select Expand


option domain-name "it.lan";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;
option arch code 93 = unsigned integer 16; # RFC4578
option custom-lan-0 code 121 = string;

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;

subnet 10.10.254.0 netmask 255.255.255.0 {
  pool {
    range 10.10.254.101 10.10.254.250;
  }

  option routers 10.10.254.1;
  option domain-name-servers 10.10.254.1;
  option ntp-servers 10.10.254.1;
  option tftp-server-name "10.10.254.4";

  option custom-lan-0 1c:ac:0a:00:0a:0a:0a:01;
  next-server 10.10.254.4;
  filename "linux/pxelinux.0";
}

host s_lan_0 {
  hardware ethernet a8:60:b6:3a:12:64;
  fixed-address 10.10.254.76;
  option host-name "MacBook-Pro-TB";
}


I'ld not be suprised if it's a simple windows issue, but with half a dozen machine's at the same time over different patch level's...

No 'deny unknown' option isn't set... And there are no VLAN's

Code Select Expand

root@router:/home/mirco # ps ax | grep dhcp
16133  -  Ss      24:24.10 /usr/local/sbin/syslogd -s -c -c -P /var/run/syslog.pid -l /var/dhcpd/var/run/log -f /var/etc/syslog.conf
16760  -  Is       0:08.67 /usr/local/sbin/dhcpd -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid igb1
19699  -  Ss       4:40.53 /usr/local/bin/python2.7 /usr/local/opnsense/scripts/dns/unbound_dhcpd.py /domain it.lan

But as /etc/dhcpd.conf doesn't exist I can't paste the detailed config

The weird thing is the log for a Linux device is exactly the same...

not at all...

I've a machine with a client for a home-office. That connection drop's packages from time to time. I've not had a report for issue's last week but today I got another report...

It's monitored through Zabbix so I've got some stat's:
https://snag.gy/VvMzN2.jpg

And this is what the log gave me:

Code Select Expand

May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI ce0e3334
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c9939946
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c62c0cf2
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI ce922c2b
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space available
May  7 09:06:01 router charon: 12[KNL] unable to delete SAD entry with SPI c6c5b97c
May  7 09:06:01 router charon: 12[KNL] error sending to PF_KEY socket: No buffer space a

So what are those messages about?

I checked the Web-IF and saw that the tunnel had lot's of SPI's, so I manually stopped the tunnel and we had a call over the tunnel which only went silent for like 10 sec's... AWESOME!! When the tunnel was up again it was only the one expected SPI there...

Here's the log from the time when I diconnected the tunnel:
https://pastebin.com/m9VufWAU

So my question is how can I avoid that behaviour in the future?

Just upgraded to 18.1.7 but that didn't solve the issue...