OPNCentral provision error for Firewall Categories

Started by v01ded, November 03, 2023, 02:11:34 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 03, 2023, 02:11:34 AM
Dear All,

I'm getting the following error when trying to push down Firewall Categories from the central OPNSense firewall to other managed firewall. There is only 1 firewall category in the central firewall and none on the manage firewall. At the moment, I have only enable synchronization on the Alias and Firewall Category class. Synchronization on the Alias works without error.

Here is the error in the log file of the central firewall and the details of the firewall category. Any idea what i did wrongly?

Stanley

November 03, 2023, 09:04:49 AM #1
Hi,

Can you add a category on the remote host manually and try to sync again?

If this works then we know what the issue is and how to fix.


Cheers,
Franco
November 03, 2023, 10:02:43 AM #2
Hi Franco,

Did as you have suggested. I created a corresponding Firewall Categories with the same name on the remote firewall and the sync worked. Cheers.

Stanley Lim
November 03, 2023, 10:37:55 AM #3
Hi Franco,

I also noticed another unusual behavior on the syncing of Firewall Rules and could be related this is issue. Everytime I click on on Management >> Provisioning >>  Reconfigure button, I notice a duplicate set of rules will be create on the remote firewall. Please see attached screenshots.

Stanley
November 03, 2023, 11:46:51 AM #4
Hi Stanley,

We prepare a fix for the Categories. About the rules not sure yet. What are the versions on both ends to make sure we're not looking at the wrong thing? The code diverged between version and may behave differently when using different versions on both ends.


Cheers,
Franco
November 03, 2023, 11:51:28 AM #5
Hi Franco,

Both Firewall uses  OPNsense 23.10-amd64 with OPNcentral 1.7. Cheers.
November 03, 2023, 01:26:33 PM #6
Thanks, I'll follow up next week. We are going to discuss it on Monday and then work on it.


Cheers,
Franco
November 07, 2023, 01:28:03 PM #7
Fixed both issues for the next release 23.10.1.

Syncing floating rules between changing interfaces is difficult. There are some constraints to what we can consider synced and what we cannot sync because the list of selected interfaces does not match (anymore) between machines. But in this particular case the code was improved to avoid duplication as much as possible.


Cheers,
Franco
November 16, 2023, 12:27:18 PM #8
Hi Franco,

Apologies for the delay response. i was away from work and wasn't able to test the update until now.

Updated to OPNSense 23.10_2. The Aliases is syncing right now. However, the duplication of Firewall rules still exists on the Floating groups. Not errors in the system log. Firewall rules for other interface does not have such issue.

Thanks for resolving the aliases issue. Hope we can resolve the Floating firewall rules issue too. Cheers.

Stanley Lim
November 16, 2023, 12:46:29 PM #9
Hi Stanley,

No problem. Note that 23.10_2 < 23.10.1 (which hasn't been released yet). It should be released before December, but haven't decided on a date yet.


Cheers,
Franco
Print
Go Up Pages1
User actions