Recent posts

#1
Quote from: Patrick M. Hausen on May 09, 2026, 10:07:59 PM
Perfectly possible, I run that at home. Open a ticket with Q-Feeds support to get a second API key for use in AGH.

AGH does need an upstream server, though. So if you don't want to run Unbound as a recursive server, you need to configure your ISP, 1.1.1.1, or whatever you prefer. I use Unbound.

Did you have to pay for a second API key?
#2
Hardware and Performance / Re: TOPTON Mini PC Running OPN...
Last post by Seimus - Today at 01:45:57 PM
I have seen such freezes/lockups in the past. It was caused by faulty memory blocks.

I would advise running memtest for a prolonged period.

Regards,
S.
#3
26.1, 26,4 Series / Telegraf causing boot to hang ...
Last post by kitty123 - Today at 01:21:43 PM
ISSUE:
- Across numerous versions of OPNsense, reboots began hanging for 30-60 minutes

TROUBLESHOOTING:
- Console showed firewall hanging at: "Invoking import script 'importer'"
- Found similar issue: https://forum.opnsense.org/index.php?topic=51232.0
- Performed Ctrl+t during hanging boot:

Console Output:
>>> Invoking import script 'importer'
ctrl+t

load: 1.07  cmd: find 64678 [running] 0.00r 0.00u 0.00s 24% 187516k
Scanning: /tmp/gosnowflake-cgo2367248933/gosnowflake-cgo2367248933
Scanned: 64581

load: 1.01  cmd: rm 26358 [running] 0.00r 0.00u 0.00s 26% 2268k
/tmp/gosnowflake-cgo2399318380
Scanning: /tmp/gosnowflake-cgo1006708623/gosnowflake-cgo1006708623
Scanned: 126229

Ctrl+C to continue boot

# cd /tmp/
# find . -maxdepth 1 -name "gosnowflake*" | wc -l
  840131
 
- gosnowflake* seems to be associated with the telegraf plugin: https://forum.opnsense.org/index.php?topic=24062.0
/tmp # cd gosnowflake-cgo2932511425
/tmp/gosnowflake-cgo2932511425 # ls -la
total 327585
drwx------       2 telegraf wheel      2 May  5 16:37 .
drwxrwxrwt  840595 root     wheel 840630 May 10 07:11 ..

- telegraf appears to be creating tons of directories causing the boot hang

RESOLUTION:
- Deleted all the directories 'gosnowflake-cgo*' in /tmp/
- Removed 'Telegraf' plugin
- Reboot is once again quick (Less than 1 minute)
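
The check and cleanup from the post above, generalized to any runaway prefix, as an added example that is not part of the original post. The function names are hypothetical and the sample tree is constructed; the owner filter mirrors the `telegraf` owner shown in the `ls -la` output.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample tree is constructed.

# Print "<count> <prefix>" for the top-level directories of $1, grouped by
# name with trailing digits stripped (gosnowflake-cgo2932511425 becomes
# gosnowflake-cgo), busiest prefix first.
tmp_prefix_counts() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -print |
        sed -e 's|.*/||' -e 's/[0-9]*$//' |
        sort | uniq -c | sort -rn | sed -e 's/^ *//'
}

# Remove top-level directories of $1 whose name starts with $2 and that are
# owned by user $3 (name or numeric uid); print how many were removed.
# Regular files, other owners and deeper levels are never touched.
tmp_purge_prefix() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name "$2*" -user "$3" \
        -print -exec rm -rf {} + | wc -l | tr -d ' '
}

# Constructed sample: three leaked directories and one unrelated directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/gosnowflake-cgo2932511425" "$d/gosnowflake-cgo1006708623" \
          "$d/gosnowflake-cgo2399318380" "$d/unrelated1"
    tmp_prefix_counts "$d"
    echo "removed: $(tmp_purge_prefix "$d" gosnowflake-cgo "$(id -u)")"
    rm -rf "$d"
}
demo
```

On the firewall itself the equivalent calls would be `tmp_prefix_counts /tmp` followed by `tmp_purge_prefix /tmp gosnowflake-cgo telegraf`.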
#4
Virtual private networks / Re: restart wireguard service
Last post by FredFresh - Today at 01:02:57 PM
Hello,

I am not entirely sure about the root cause behind this, but I connect to an external VPN provider and sometimes the connection is dropped.

The best solution I found is to stop that specific instance for at least 5 minutes (I think I should stop querying the server for some time) and afterwards enable the instance again.

The only way I found is to create a script to be run through cron. Everything seems to work fine, but the problem is finding a command that does not need administrator rights. Can anyone help me with this?

Here is the script: it checks if the handshake is older than 5 minutes and, in that case, disables the interface for the needed time.


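#!/usr/local/bin/bash

# --- PARAMETERS ---
INTERFACE="wg1"      # WireGuard interface to monitor
PEER_IP="10.4.0.1"   # address traced after the interface is back up
THRESHOLD=300        # maximum handshake age in seconds
DOWNTIME=360         # seconds to keep the interface down
WAIT_AFTER_UP=60     # seconds to wait after bringing it back up

# Newest handshake (epoch seconds) across all peers, so that several peers
# do not produce a multi-line value that breaks the arithmetic below.
LATEST_HANDSHAKE=$(wg show "$INTERFACE" latest-handshakes | awk '$2 + 0 > max { max = $2 + 0 } END { if (NR) print max + 0 }')

# wg printed nothing (for example the interface does not exist): stop here.
[ -n "$LATEST_HANDSHAKE" ] || exit 1

CURRENT_TIME=$(date +%s)
ELAPSED=$((CURRENT_TIME - LATEST_HANDSHAKE))

if [ "$ELAPSED" -gt "$THRESHOLD" ]; then
    # Handshake is stale: take the interface down, wait, bring it back up.
    ifconfig "$INTERFACE" down
    sleep "$DOWNTIME"
    ifconfig "$INTERFACE" up
    sleep "$WAIT_AFTER_UP"
    # Trace the route to the peer once the interface is back up.
    traceroute -n "$PEER_IP"
else
    exit 0
fi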

#5
German - Deutsch / Re: Empfehlungen für den Umsti...
Last post by meyergru - Today at 12:41:47 PM
If you have no special requirements, you can simply replace ISC with Kea DHCPv4 and continue to use RADVD for SLAAC.

The static reservations can be carried over from ISC into Kea via CSV export.
#6
Ah, I see you need a slightly different test. That's not currently supported in the GUI. (And probably won't be supported since that opens Pandora's box of complexity; Kea's classification language is deceptively deep.)

All tests are matching the data of an option exactly. Try to find an exact matching test that can match your clients with the available DHCP options.

If there is nothing available that fits your need, I'm afraid you have to continue using the manual config.
#7
26.1, 26,4 Series / Re: kea dhcp option for debian...
Last post by cybermcm - Today at 11:23:00 AM
Thank you for your fast answer!
I tried this but it still doesn't work. I tried the example from the docs, this is working (providing a TFTP boot file), but the specific option for the debian installer does not (tried with option 60,43,124)
Maybe the fact that with a manual config only a substring is checked?
substring(option[vendor-class-identifier].text,0,3)
Anyone who already solved this?
#8
26.1, 26,4 Series / Re: ping: sendto: Invalid argu...
Last post by viragomann - Today at 10:46:22 AM
Quote from: ajr on Today at 09:41:54 AM
tcpdump does not show any packets on the WAN interface so I do not know the sender address.

Any source address in packets stemming from 127.0.0.0/8 is translated to the CARP VIP on the WAN due to your rule. So it's obvious that you cannot see any IP of this subnet.^^
#9
The filter logic is quite complicated already, and Inspect is quite performance heavy; that's why it's a separate toggle.

Also I don't understand, if you e.g., select your LAN interface in the filter, and press Inspect, what exactly is missing? Are there any floating rules missing that have LAN selected?
#10
25.7, 25.10 Legacy Series / Re: Assign Firewall rules to m...
Last post by db9 - Today at 09:56:30 AM
Quote from: Monviech (Cedrik) on Today at 09:49:52 AM
Press "Inspect". It will show the full ruleset for an interface.

Why not via the filter, it's more obvious. It will also not show up in the other interface view.