Upgrade thread 23.1.11_1 to 23.7

Started by seed, July 31, 2023, 03:07:59 PM

Awesome - I will let you know how I get on!

August 02, 2023, 12:34:42 PM #76 Last Edit: August 02, 2023, 12:42:18 PM by iorx
Hi!

Adding my experience here. I did a new install and restored the config from 22.1 (latest).
Had some problems with the WAN connection initially, but that was because of a new MAC address and the ISP. It resolved itself after a moment.

ALIASES
Though! The restored aliases behaved very strangely. They refused to populate with content; these were "URL Table (IPs)" aliases, which I had some of: geoip, bad-list.
I edited and resaved but they wouldn't load their data, logs indicated that they couldn't be found.
Made a copy of said aliases and saved them. Now they worked.
The restored aliases had a renewal period of 7 days, maybe it wasn't time to reload them? But shouldn't they reload when resaved?

URLs used: https://iplists.firehol.org/files/geolite2_country/country_se.netset and https://iplists.firehol.org/files/firehol_level3.netset

The log looked like this for the restored aliases:
2023-08-02T11:19:51   Error   firewall   alias resolve error netGeoSwedenGeoIP2LiteFireHole (error fetching alias url https://iplists.firehol.org/files/geolite2_country/country_se.netset)

Edit a moment after I finished the above comment.
I disabled and enabled the restored aliases and after that they reloaded their data.

Just my 2c! And KUDOS to all awesome developers in this project!

All,

just updated to 23.7 without any problems, all services up again after about 12 min upgrade time, great work and a big big thank you to the entire OPNsense team for another flawless major update. Great job.

One small cosmetic remark: The Wireguard widget on the dashboard seems not to be able to line break the public key resp. format the columns appropriately so the widget looks somewhat odd.

Another topic I would like to come back to is the ddclient OPNsense backend and the extension of the supported standard service providers, as e.g. proposed here:
https://forum.opnsense.org/index.php?topic=34388.0
I had the provider desec running stable for a couple of weeks in 23.1.11 and I am wondering whether the expansion could find its way into mainstream, or is there something missing? I changed the code for myself in 23.7 as well and it also works here.

Br br


@franco - just wanted to say thanks for the advice, the upgrade worked.

Upgrade went perfectly well.

Took the opportunity to update my boot drives from 120gb to 250gb SSDs and move from UFS to ZFS.

Popped the old disks out, put the new drives in, installed 23.7, restored my config, and back in business.

Fantastic job.  Only issue I ran into was reconfiguring Tailscale, but that was my fault - I was too lazy to pull the config from the 23.1 boot disks.

August 03, 2023, 12:53:51 PM #80 Last Edit: August 03, 2023, 01:08:53 PM by lilsense
On a DEC850, I ran the update and was not able to connect to WAN, getting:

arprequest_internal: cannot find matching address

I had to stop suricata and reboot to fix it. Once I enabled it, I would lose the WAN and the same messages would pop up.

I am currently running it without suricata.

I had tailscale running and thought that was the issue but seems not to be the case.


added:

ran a sec update and saw this:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.7 at Thu Aug  3 07:07:47 EDT 2023
Fetching vuln.xml.xz: .......... done
openssl-1.1.1u,1 is vulnerable:
  OpenSSL -- Excessive time spent checking DH q parameter value
  CVE: CVE-2023-3817
  WWW: https://vuxml.freebsd.org/freebsd/bad6588e-2fe0-11ee-a0d1-84a93843eb75.html

libX11-1.7.2,1 is vulnerable:
  libX11 -- Sub-object overflows
  CVE: CVE-2023-3138
  WWW: https://vuxml.freebsd.org/freebsd/734b8f46-773d-4fef-bed3-61114fe8e4c5.html

2 problem(s) in 2 installed package(s) found.
***DONE***

Hello together,

After updating to 23.7, the "Advanced option" under "VPN - OpenVPN - Client Specific Overrides" is not available any more. I used this to push static IPs to different OpenVPN users. In 23.1.11 I used "ifconfig-push 172.16.0.x 255.255.255.0" in the Advanced field to do this.

This is the only problem after this update for me.

Do you have an idea how I can set a static IP for different OpenVPN users in 23.7?

Thanks for your help.

It's the "Tunnel Network" option you are looking for.


Cheers,
Franco


Quote from: newsense on August 01, 2023, 06:20:14 PM
A forum search shows it should be remove pkg remove py37-markupsafe

Not a pro on doing this, any guide to remove it? Thanks

Just run the command from the shell.


Cheers,
Franco

I started getting these messages:

HW_PROBE/ growfs*

what are these?

Just thought I'd add, I've upgraded 3 firewalls from 23.1.11 to 23.7 and absolutely no issues at all.

Well done @Franco and the team.

1 x AliExpress N5105 jobber
2 x R86S jobbers.

I literally use them as Firewalls though, no extra chuff like Suricata etc....(But do use Wireguard :) )

August 04, 2023, 02:56:12 PM #88 Last Edit: August 04, 2023, 03:10:47 PM by lilsense
Since my upgrade I lose the WAN every 6 hours.

What's causing these arprequest_internal: cannot find matching address
I do not have unbound/AGH on this device. :'(


Can someone validate that the below message is related to PHP bug:

[fib_algo] inet.0 (bsearch4#20) rebuild_fd_flm: switching algo to radix4_lockless
[fib_algo] inet.0 setup_fd_instance: radix4_lockless algo instance setup failed, failures=1
[fib_algo] inet.0 (radix4_lockless#57) rebuild_fd_flm: table rebuild failed
[fib_algo] inet.0 (radix4_lockless#57) rebuild_fd: sync rebuild failed

Any undesirable interaction between the new version and AdGuard to be aware of?