Recent posts

#1
Documentation and Translation / Re: Catalan Translation
Last post by franco - Today at 10:20:45 AM
Yes, but always keep "%s" around the text being translated to retain context. This is mostly used to inject HTML links into the text.


Cheers,
Franco
#2
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by OPNenthu - Today at 10:13:36 AM
Ah!  Didn't notice I had dropped it.  All looks fine.
#3
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by franco - Today at 10:12:13 AM
-L is important to view the remaining lifetime :)
#4
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by OPNenthu - Today at 10:09:55 AM
It's stuck on 7200 now for all interfaces and no longer counting down.  This all in short succession (sorry for the spam).

Expected?

igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: WAN (wan)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 02:xx:xx:xx:xx:b2
    hwaddr 64:xx:xx:xx:xx:9f
    inet 69.xxx.xx.99 netmask 0xfffffc00 broadcast 255.255.255.255
    inet6 fe80::xx:xxxx:xxxx:xxb2%igc1 prefixlen 64 scopeid 0x2
    inet6 2601:xx:xxxx:3160:xxxx:xxxx:xxxx:xxxx prefixlen 64 pltime 7200 vltime 7200
    media: Ethernet autoselect (2500Base-T <full-duplex>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
#5
25.7, 25.10 Series / Re: GeoIP list no more correct...
Last post by jfou1987 - Today at 10:08:46 AM
Hello Abdullah,

As others explained, it was concerning a bunch of IP addresses. And in my case, testing a lot of Belgian (verified) IP addresses from different providers.
I don't know if it was the OPNsense parsing method or the CSV file being corrupted. But there was a serious issue.
The file was not complete. As I said, for example in Belgium, the IP range was limited to 5.x.x.x.
We solved the issue by creating a new whitelist in our appliance.

#6
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by franco - Today at 10:04:14 AM
Yup, renew intervals can be short.  In my setup it's 30 minutes.


Cheers,
Franco
#7
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by OPNenthu - Today at 09:54:27 AM
@franco, as we were typing the timers already refreshed.  It seemed like a very short interval.  The router uptime since the reboot is ~45 min.

No issues seen on the client(s) yet.  Will keep an eye on it.

root@firewall:~ # ifconfig -L
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: LAN (lan)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 64:xx:xx:xx:xx:9e
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::66xx:xxxx:xxxx:xx9e%igc0 prefixlen 64 scopeid 0x1
    inet6 2601:xx:xxxx:3161::1 prefixlen 64 pltime 6448 vltime 6448
    groups: IG_LOCAL IG_OUT_WAN IG_DNS IG_NTP IG_DROP_LOW
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: WAN (wan)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 02:xx:xx:xx:xx:b2
    hwaddr 64:xx:xx:xx:xx:9f
    inet 69.xxx.xx.99 netmask 0xfffffc00 broadcast 255.255.255.255
    inet6 fe80::xx:xxxx:xxxx:xxb2%igc1 prefixlen 64 scopeid 0x2
    inet6 2601:xx:xxxx:3160:xxxx:xxxx:xxxx:xxxx prefixlen 64 pltime 6448 vltime 6448
    media: Ethernet autoselect (2500Base-T <full-duplex>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
...

#8
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by franco - Today at 09:40:46 AM
> I'm not using Prevent Release, but my /60 delegation doesn't change often so I don't think I should see anything interesting except these timers will eventually reset?

Yes, correct.

The biggest issue we've had here was a kernel bug that would not update the link route lifetimes when they were renewed by the daemon. Ifconfig was fine but the route disappeared. This was fixed in 25.7.11 with https://github.com/opnsense/src/commit/46f807c0c

So you should see your prefix renew and your clients still able to connect after each renewal.

Thank you for testing.  The last few reports have improved the confidence to tag and ship the new dhcp6c code in 26.1 so we will probably do that.


Cheers,
Franco
#9
Announcements / OPNsense 26.1-RC1 released
Last post by franco - Today at 09:37:35 AM
Good morning world,

Here we are now with the first release candidate to kickstart the 26.1
series.  While this marks the end of an era as ISC-DHCP functionality
moves to a plugin it is only the beginning of structural improvements
and further innovation of topics that are important to our users: firewall
GUI and API, IPv6, intrusion detection using Suricata and overall security.

Keep in mind this is mostly an image-based pre-production test release.
Upgrades from the 25.7.11 development version will be available at some
point, but it is not clear when. An online-only RC2 will probably follow
as well.  The final release date for 26.1 is January 28.

https://pkg.opnsense.org/releases/26.1/

Here are the development highlights since version 25.7 came out:

o Introduce a new consistent rules GUI using MVC/API (formerly known as "Automation")
o Suricata version 8 and new inline inspection mode using "divert"
o NAT port forwarding migrated to "Destination NAT" as MVC/API
o Various IPv6 stability improvements and additional features
o Setup wizard improvements including use case selection
o Services: Router Advertisements migrated to MVC/API
o Shell command escaping improvements and audit
o Interfaces: Settings migrated to MVC/API
o Default IPv6 setup now relies on Dnsmasq
o Factory reset for individual components
o The firewall live log was rewritten
o Unbound blocklist source selection
o Automatic host discovery service

A more detailed change log will follow!

Migration notes, known issues and limitations:

o ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
o To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
o Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x.  Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
o The function sessionClose() has also been removed from the MVC code and is no longer needed.  Make sure to remove it from your custom code.
o The custom.yaml support has been removed from intrusion detection.  Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.

The public key for the 26.1 series is:


Please let us know about your experience!


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-26.1.r1-dvd-amd64.iso.bz2) = b0f1f48cd9104e96c37ab11c4381e3401d7d892c97ff8ec7aec1fcec44f16feb
SHA256 (OPNsense-26.1.r1-nano-amd64.img.bz2) = e9c6d72908bc60fc4172ee9c6cd92e7b34bc0e234cc5ad17b3d9f951824cc22a
SHA256 (OPNsense-26.1.r1-serial-amd64.img.bz2) = e03638f1d6fdbc300155fedf5d350603cb1479bf0f8ffe62c439ef0993b5aeb9
SHA256 (OPNsense-26.1.r1-vga-amd64.img.bz2) = f78a0bb9f771fe8846c32ab501875d3970e569b0c4163eff08cfc3bedc1ad747
#10
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by OPNenthu - Today at 09:36:31 AM
I don't have multi-WAN but I just tried the first part.  I also see pltime = vltime and both are counting down.

I'm not using Prevent Release, but my /60 delegation doesn't change often so I don't think I should see anything interesting except these timers will eventually reset?

root@firewall:~ # ifconfig -L
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: LAN (lan)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 64:xx:xx:xx:xx:9e
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::66xx:xxxx:xxxx:xx9e%igc0 prefixlen 64 scopeid 0x1
    inet6 2601:xx:xxxx:3161::1 prefixlen 64 pltime 4588 vltime 4588
    groups: IG_LOCAL IG_OUT_WAN IG_DNS IG_NTP IG_DROP_LOW
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: WAN (wan)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 02:xx:xx:xx:xx:b2
    hwaddr 64:xx:xx:xx:xx:9f
    inet 69.xxx.xx.99 netmask 0xfffffc00 broadcast 255.255.255.255
    inet6 fe80::xx:xxxx:xxxx:xxb2%igc1 prefixlen 64 scopeid 0x2
    inet6 2601:xx:xxxx:3160:xxxx:xxxx:xxxx:xxxx prefixlen 64 pltime 4588 vltime 4588
    media: Ethernet autoselect (2500Base-T <full-duplex>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
...
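As an added example (not code from the thread or from OPNsense), a small Python parser for `ifconfig -L` output that compares two snapshots taken a few seconds apart and classifies each dynamic inet6 address as counting down, renewed, stuck or gone, which turns the "stuck on 7200 and no longer counting down" observation above into a check you can run from cron. The snapshots are constructed with the 2001:db8 documentation prefix, and `warn_below` is an assumed threshold.

```python
import re
from typing import Dict, Optional, Tuple

_IFACE_RE = re.compile(r"^(\S+): flags=")
_INET6_RE = re.compile(r"^\s*inet6 (\S+) prefixlen \d+(.*)$")
_LIFE_RE = re.compile(r"pltime (\S+) vltime (\S+)")

def parse_ifconfig_l(text: str) -> Dict[Tuple[str, str], Tuple[Optional[int], Optional[int]]]:
    """Map (interface, inet6 address) -> (pltime, vltime) from `ifconfig -L` output.
    A lifetime is None when ifconfig omits it (static address) or prints "infty"."""
    result, iface = {}, None
    for line in text.splitlines():
        head = _IFACE_RE.match(line)
        if head:
            iface = head.group(1)
            continue
        m = _INET6_RE.match(line)
        if m and iface:
            life = _LIFE_RE.search(m.group(2))  # rest of line: flags, scopeid, lifetimes
            secs = [int(t) if t.isdigit() else None for t in (life.groups() if life else ("", ""))]
            result[(iface, m.group(1))] = (secs[0], secs[1])
    return result

def classify(earlier, later, warn_below=600) -> Dict[Tuple[str, str], str]:
    """Compare two snapshots taken some seconds apart. Addresses without a finite
    vltime (static, link-local) are skipped: there is nothing to renew."""
    status = {}
    for key, (_, old) in earlier.items():
        if old is None:
            continue
        new = later.get(key, (None, None))[1]
        if new is None:
            status[key] = "gone"           # expired or released
        elif new > old:
            status[key] = "renewed"        # dhcp6c (or an RA) topped the lifetime back up
        elif new == old:
            status[key] = "stuck"          # not counting down between samples: look closer
        elif new < warn_below:
            status[key] = "expiring-soon"
        else:
            status[key] = "counting-down"
    return status

# Constructed snapshots modelled on the thread's output (documentation prefix).
SNAP_T0 = """\
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet6 fe80::1%igc1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:3160::2 prefixlen 64 autoconf pltime 4588 vltime 4588
"""
SNAP_T1 = SNAP_T0.replace("4588", "6448")  # as in the thread: a renewal raised the lifetime
```

Feed it two real captures (`ifconfig -L > snap1; sleep 30; ifconfig -L > snap2`) and a "stuck" result on a WAN prefix is the cue to look at the dhcp6c log and the route table, which is exactly where the 25.7.11 kernel fix mentioned above applied.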