23.1.7_1 broke my Firewall (Fixed)

Started by My_Network, May 05, 2023, 02:49:34 PM

The full log around the log message would be helpful. A static addressing with a WAN and no address seems a bit strange still but I'm sure we can find the loophole now.


Cheers,
Franco

many thanks for looking into this issue - much appreciated! :)

I attached 2 logs:
- opnsense-badcase.log: this is the full log after the update and reboot (23.1.7_3)

for comparison reasons (there you can see, that setting the default route is successful):
- opnsense-goodcase.log: this is the full log with the former version of OPNsense (23.1.6)

I've tried this twice and couldn't reproduce. There seems to be a more obvious issue WRT parsing ifconfig or possibly mismatching the interface name somewhere. I'm leaning towards the latter, perhaps a duplicated gateway entry issue we have had previously?

# grep -nr \<gateway_item /conf/config.xml

There should be as many entries as you can see from the GUI (which can be deleted). If there is one more try to look if there is an overlap...


Cheers,
Franco

hmm, the relevant part of the conf.xml looks like this:

<gateways>
    <gateway_item>
      <interface>opt8</interface>
      <gateway>192.168.30.1</gateway>
      <name>WAN_GW</name>
      <priority>255</priority>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <interval>1</interval>
      <descr>Interface WAN Gateway</descr>
      <monitor>8.8.8.8</monitor>
      <defaultgw>1</defaultgw>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>192.168.30.1</gateway>
      <monitor_disable>1</monitor_disable>
      <name>WAN_GW</name>
      <interval>1</interval>
      <weight>1</weight>
    </gateway_item>
  </gateways>


But the GUI shows only one, attachment OPNSence-system-gateways.png

Additionally I attached the interface configuration itself, where I configured the IPv4 Upstream Gateway, attachment OPNSence-interface-wan30.png

All this looked the same before the update and worked fine.

Any hint what to change regarding the interface/gateway configuration is much appreciated, if this is the reason why it doesn't work anymore or is somehow wrong....

exceeding max size of attachment, therefore attached with 2nd post

Ok the <name/> overlaps here which is the issue since <interface/> differs and that probably causes an empty lookup. Can you check the assignments page for internal identifier of your wan (either 'wan' or 'opt8')? And then just drop the wrong <gateway_item/> from config file.


Cheers,
Franco
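
Added example, not part of the thread and not OPNsense code: a Python check for the condition described above, two `<gateway_item/>` entries sharing a `<name/>` while their `<interface/>` differs. It also goes one step further and flags a gateway whose interface identifier is missing from the `<interfaces>` section. The sample config is constructed from the snippet posted earlier; its `<interfaces>` section and the function name `audit_gateways` are assumptions for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, reduced from the snippet posted in the thread. The
# <interfaces> section is an assumption so the cross-check has data to use.
SAMPLE = """<opnsense>
  <interfaces><lan/><opt8/></interfaces>
  <gateways>
    <gateway_item>
      <interface>opt8</interface><gateway>192.168.30.1</gateway>
      <name>WAN_GW</name><ipprotocol>inet</ipprotocol><defaultgw>1</defaultgw>
    </gateway_item>
    <gateway_item>
      <interface>wan</interface><gateway>192.168.30.1</gateway>
      <name>WAN_GW</name><ipprotocol>inet</ipprotocol><defaultgw>1</defaultgw>
    </gateway_item>
  </gateways>
</opnsense>"""

def audit_gateways(xml_text):
    """Report gateway_item entries that share a <name> or that point at an
    interface identifier not present under <interfaces>."""
    root = ET.fromstring(xml_text)
    interfaces = root.find("interfaces")
    # Internal identifiers (wan, lan, optN) are the child tag names.
    assigned = {child.tag for child in interfaces} if interfaces is not None else set()
    by_name = defaultdict(list)
    for item in root.iterfind("./gateways/gateway_item"):
        name = (item.findtext("name") or "").strip()
        by_name[name].append((item.findtext("interface") or "").strip())
    findings = []
    for name, ifaces in by_name.items():
        if len(ifaces) > 1:
            findings.append(("duplicate-name", name, ifaces))
        for iface in ifaces:
            # Skip the cross-check when the config has no <interfaces> data.
            if assigned and iface not in assigned:
                findings.append(("unassigned-interface", name, [iface]))
    return findings

if __name__ == "__main__":
    # Pass a copy of /conf/config.xml as the first argument, else use SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for kind, name, ifaces in audit_gateways(text):
        print(f"{kind}: gateway {name!r} interface(s) {', '.join(ifaces)}")
```

Run it against a copy of the config rather than the live file, and confirm the identifier on the assignments page before deleting any entry.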

I think it's now up to me to spend you a beer, or two ;)

After removing the second <gateway_item/> part and reboot OPNsense does now set the default route again etc.
Seems to run fine now!
I will monitor it a bit, but it seems you found the root cause!
I think I wouldn't have found this without your help! Many thanks!

Okay so far so good. This was added to some other 23.1.x prior which tries to prevent gateway duplication:

https://github.com/opnsense/core/commit/4b03f1c88d

The code to prevent overlap is still not perfect. Let me try to find more loopholes. :)


Cheers,
Franco

I think the wizard did some silliness here... https://github.com/opnsense/core/commit/db69027dda5

Hard to reach this state but not impossible. Thanks for the report!


Cheers,
Franco

good findings and perfect support! Many thanks!

Hi Struppie,

Could you please add a before and after of your conf.xml for reference? I'm not sure I completely follow the changes you had to make to get it working.

Thank you  ;D

Nic

Hi Nic,

Let's first see if you have a similar issue:

# opnsense-log | grep refusing

Does this bring up something?


Cheers,
Franco

Quote from: My_Network on May 11, 2023, 06:11:28 AM
Could you please add a before and after of your conf.xml for reference? I'm not sure I completely follow the changes you had to make to get it working.

I'll be happy to assist, but let's first check - as suggested by franco - if you are facing the same problem. Otherwise we may make it worse than better ;)

What does the following command spit out on your side?
# opnsense-log | grep refusing

May 12, 2023, 04:23:06 AM #28 Last Edit: May 12, 2023, 04:37:57 AM by My_Network
Hi Guys,

So I finally had the chance to get a little downtime... 23.1.7_3 still breaks my Firewall. Unfortunately, the proposed command did not spit out a result. But I stood upon something weird in my log that was not there before the upgrade to 23.1.7_3. Downgraded to 23.1.6 since to get back up and running using opnsense-revert -r 23.1.6. Please see screen capture. You will see an error about the wrong gateway being chosen or something like that. The gateway for these vlan should be 192.168.12.1 and not 192.168.15.1. Why is it choosing the wrong one?

Thank you  :o

Nic

Hi Nic,

Part of this looks odd. Let's assume it's also a side effect from a duplicated gateway entry. I wrote a patch to quickly diagnose this via https://github.com/opnsense/core/commit/c1784ad1a

# opnsense-patch c1784ad1a

Warnings should appear in the general log in that case.

I'd still suspect the configuration side has an issue on your end not directly related to 23.1.7.


Cheers,
Franco