There were errors loading the rules: no IP address found for ovpns2

[sense]

Just moved to opnsense.
Have multiple OpenVPN servers.
This one is a site2site with Opnsense as the server. Others are road warrior.
I have assigned ovpns2 as an interface under Interfaces > Assignments so that I can manage each VPN's fw rules and traffic graphs individually.

After any reboot or restarting ovpns2, I get notification/error message up top:
"There were errors loading the rules: no IP address found for ovpns2"

Is this an issue with the way I am using Opnsense? I believe I should not be seeing this error.
Please correct me if I am wrong!

[franco]

Hi and welcome,

I assume this is a 21.1.something. We haven't had this error in a while. During boot OpenVPN server is obviously not started yet and so the interface does not have an address when the rules are loaded for the first time. This is fixed later but the error message remains... We solved these cases by moving the interface address use to the kernel in pf.conf syntax, but maybe we missed a spot.

Long story short: can you provide the rule from /tmp/rules.debug that triggers this error? Is it a manual NAT rule?

Suffice to say after boot is complete the error is gone and it works as intended (I hope).


Cheers,
Franco

[sense]

Hi Franco,
Thank you for the quick reply.
Currently fresh install of OPNsense 21.1-amd64. Same happens on 21.1.3.
To troubleshoot, I have basically a stock install.
NAT - Only default anti-lockout port forward rule. Outbound NAT still set to Auto.
I have not created any rules under the ovpns2 interface I added or the automatically created OpenVPN interface.

Here are logs from a fresh bootup (hopefully this is what you were wanting):

# tail -n 500 -f /tmp/rules.debug | grep ovpns2
scrub on ovpns2 all
antispoof log for ovpns2
# block in log quick on ovpns2 inet from {<bogons>} to {any} label "bfa392e3f9e0968767c9ad6727c500d4" # Block bogon IPv4 networks from site2site
# block in log quick on ovpns2 inet6 from {<bogonsv6>} to {any} label "f368f87bceb1dfc8db199225e1943e3a" # Block bogon IPv6 networks from site2site
# block in log quick on ovpns2 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "1d18405cac180c405306d70abe97a3b5" # Block private networks from site2site
# block in log quick on ovpns2 inet6 from {fc00::/7} to {any} label "41a3a7eebde7e566aa1b15a191ac7199" # Block private networks from site2site
pass out log route-to ( ovpns2 192.168.97.2 ) from {ovpns2} to {!(ovpns2:network)} keep state allow-opts label "ea7bf6631c7a94600550c4313a86bd51" # let out anything from firewall host itself (force gw)
# pass in log quick on ovpns2 reply-to ( ovpns2 192.168.97.2 ) inet from {any} to {any} keep state label "9c9960f347668babb853d39526b9a9a2"

From what I can tell, everything works fine. Tunnel comes up, I am able to log in to the router on the other end right away. Just get that error after every reboot.

I just tried adding an allow all rule to the ovpns2 interface and reboot. Same error.

[franco]

Looks like this one

pass out log route-to ( ovpns2 192.168.97.2 ) from {ovpns2} to {!(ovpns2:network)} keep state allow-opts label "ea7bf6631c7a94600550c4313a86bd51" # let out anything from firewall host itself (force gw)

Let me try to propose a patch.



Cheers,
Franco

[franco]

Can you try this one? https://github.com/opnsense/core/commit/8a65a2d

From the console:

# opnsense-patch 8a65a2d

[sense]

Hi Franco,
This patch resolves the issue for me.
I have rebooted and restarted service many times, no more error.
Thank you!

[franco]

Hi sense,

Ok, we will backport this to 21.1.4 or 21.1.5 since the impact is low.

Not sure which it yet so if it comes back after update don't forget to reapply the patch if the issue comes up again.


Cheers,
Franco