[SOLVED] update 21.7.1 interface assignment error after update and how to fix

[RamSense]

I noticed after upgrading to opnsense 21.7.1 that there where some items not running.
Sensei stopped and OpenVPN did not start.
Before update I had running interfaces on 21.7:
LAN (igb1)
WAN (igb0)
VPN (ovpns2)
WireGuard (wg0)

Investigating the problem I found that Opnsense 21.7.1 interface error:
Lan (igb1)
WAN (igb0)
VPN (igb0)
Wireguard (wg0)

fixing it I saw that ovpns2 ws not available anymore. I reconfigured vpn to ovpns1
On the LAN interface configuration I noticed that IPv6 Configuration Type was set to " track interface" instead of none.
I changed that also.
saved.
Started vpn again, running
started sensei again, running. Sensei bugged over the fact that the ovpn2 was missing also.

@Franco, it looks like the opnsense update/system glitched over the ovpn2 with no ovpn1 present/used.
I could fix it with above reset of config.

p.s. This in addition to my first sensei bug mentioning here: https://forum.opnsense.org/index.php?topic=24237.0

[franco]

Check your config history. The system does not reassign OpenVPN devices on its own.

If for whatever reason OpenVPN devices were not available it might look wrong in the interface assignments assuming "igb0" is the first interface in the list...


Cheers,
Franco

[RamSense]

Franco, yes that is correct. VPN was given the igb0
I see config changes in the history by sensei and my change of vpn interface to ovpns1.
I am pretty sure I have not changed the working config before updating to 21.7.1, but I could get it all working again with the above. I do not know where it got triggered, by sensei, by updating, or something I did but forgot about...
Just very glad it is working again! and posted it in case any other user had the same result by some sort of behavior.

Thanks for your fast reply.

[franco]

Out of curiosity... in the change where igb0 was inserted into OpenVPN interface... what was the change message/page?


Cheers,
Franco

[RamSense]

Is there a way to do a search in the log for that? and how to?
When I look I see:  /interfaces_assign.php made changes
and this is the update script I think: (system): /usr/local/opnsense/mvc/script/run_migrations.php made changes

can I look into details of that one?

[franco]

System: Configuration: History has all the info, e.g.:



Choose the diff between two versions with the radio buttons and click view differences. The upper window will show you what has been changed by whom and why.

Preliminary analysis:

/interfaces_assign.php <-- administrator click changes interfaces which is likely what changed it to igb0 (if it was indeed changed)

/usr/local/opnsense/mvc/script/run_migrations.php <-- migration system will likely not change your interface assignments


Cheers,
Franco

[RamSense]

Dear Franco,

I sent you a PM with the info from the oldest and newest interface change I could find in the system history, limited by 60 entries.

There must be something I mess up with. I have a completely working system, VPN works, all good.
Then I decided to do a reboot, just in case and to make a fresh system start....
What do you think?! VPN did not start up. Error0 or something.
I went to openvpn, disabled the vpn, than again to openvpn, enabled it again, and now it starts?!
I tested it, but now my firewall rules for vpn to my local email server did not work, e.g. it looks like virtual IP of VPN was not going through but the real ip of the iPhone 4g connected with vpn.

Strange. So I decided to restore an older working config of opnsense that I have with vpn settings in it and email server rules. The system rebooted automatically and all started working right away. Very strange where I can't get my head around...

For final testing I decided to reboot my opnsense box after the restored config above to see if it also quits working. Just to see if the system breaks again, or that it starts like it should as when I restored this older working config... and...
It works like it should!

So I think it is safe to say that it must be something I have done in the config of opnsense that's bugging after a reboot and that I have "solved" this by my older config restore to opnsense. Maybe you can see something in the PM I sent you, and otherwise I am glad I have solved it and I made a new backup of my settings that are working now great at 21.7.1 :-)

[RamSense]

Again a following up (this keeps me busy...) Just one item was not working and showed red in lobby dashboard:
Network Time Daemon

pressing the play/start did not work.... so I did another reboot.

But than again VPN bugged! This message is in the lobby dashboard:
[error] 0. Unable to contact daemon   
Service not running?

But the OpenVPN is green in the top right of my Lobby dashboard. I went to VPN->openvpn->servers-> in the config I checked disabled. And than saved.

went to the dashboard and it stated not enabled/no config.
I went again to VPN-openvpn->servers-> opened the config again setting it to enabled, saved and it works..

how strange is that?

[errored out]

I had a similar issues with wireguard where the first wireguard configuration (wg0) was copied (wg1) and configured.  After deleting wg0 thinking wg1 would change to wg0 it did not.  At each change I had applied, which restarts the service. 

Looking at the interfaces, it showed the wireguard interface with em0 (not wg0 or even wg1 as it should have).  I then started looking at the configurations (C.L.I.) and noticed there were 2 configurations, wg0 AND wg1.  I then deleted wg0 changed the wg1 name to wg0 and reset the service.  Took a little more tinkering, but I was eventually able to get it to work.

Long story short, you may want to take a look at the openvpn configurations saved through SSH to see what you have in the website vs the terminal.

[RamSense]

thnx for sharing!

[franco]

Sorry, took a while to take a look at the diff.

It looks like OpenVPN device changed from ID 2 to 1, so that means an older server was deleted and redone later.

From the assignments page the old assignment to OpenVPN ID 2 was no longer available so the default changed to "igb0" since that is likely your first device as previously suggested. But this is only in the GUI, it won't be in the configuration until you hit save, which could have been the case not taking a close look while doing something else. I know I would miss that too...

Unfortunately it seems that the reassignment is a manual labour when redoing a VPN server due to the ID shift and subsequent stale assignment of the existing OpenVPN interface. That also means all rules and gateway don't work unless the assignment is fixed properly to the new device (ID 1).

Does that make sense?


Cheers,
Franco

[RamSense]

@franco,

Ah that makes sense with opnsense :-)
Yes that sounds like a logic explanation of what was happening or not happening. I had indeed been playing with 2 openvpn settings and ended with having just one the way I wanted.

Although logic and the possibility of me missing to hit save button once. I think the system would be more " monkey proof" if opensense did some check while during a reboot to prevent this from happening.( ? )
* i will mark this thread as solved.

thank you very much for your explanation.

[franco]

It's like you are pulling a network card out of the box without first changing the configuration... bad things must happen.

What we could possibly do is prevent OpenVPN instance deletion as long as it is assigned as an interface?


Cheers,
Franco

[RamSense]

@franco,

What we could possibly do is prevent OpenVPN instance deletion as long as it is assigned as an interface?

. Even an easier solution indeed. I think that prevents it from happening!

[franco]

Ok, I made a ticket to work on it later: https://github.com/opnsense/core/issues/5163


Thanks,
Franco