After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside

Started by lar.hed, November 04, 2023, 09:56:57 AM

So after my Unbound DNS issue/challenge, I have stumbled onto something completely different:

After reboot and everything working last night, I started my PC (directly connected to firewall hardware - I am running OPNsense on baremetal here) and yet again NO connection with the outside. I can log into my OPNsense web front (ip address) and Home Assistant (ip address) - but there is NO connection to the outside of the firewall. Since I can access stuff on my intranet I do know I have some communication working - but nothing, not even 1.1.1.1 on the outside. Now I do know about the default gateway challenge some have - I have not done anything to that. And the reason is: I have not changed anything on my Dual WAN (fiber and an LTE connection over a Netgear M5 mobile router that is connected through ethernet cable), so I know this setup has been working very well for at least a year since I set it up. I can not find any reason why default gateway should be a problem. Do also note that ALL other connections actually DO WORK. There is only this PC connection that fails outside communication. And this is after link down late last evening and now link up. Here is part of the log to follow:
2023-11-04T09:17:54 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dns (execute task : unbound_configure_do())
2023-11-04T09:17:54 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dns (execute task : dnsmasq_configure_do())
2023-11-04T09:17:54 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dns ()
2023-11-04T09:17:53 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure())
2023-11-04T09:17:53 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp ()
2023-11-04T09:17:53 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure ipsec (execute task : ipsec_configure_do(,opt2))
2023-11-04T09:17:53 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure ipsec (,opt2)
2023-11-04T09:17:53 Notice opnsense /usr/local/etc/rc.linkup: ROUTING: entering configure using 'opt2'
2023-11-04T09:17:53 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for opt2(igb2)
2023-11-04T09:17:53 Notice kernel <6>igb2: link state changed to UP


2023-11-03T21:08:46 Notice kernel <6>igb2: link state changed to DOWN
2023-11-03T21:08:46 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for opt2(igb2)


igb2 is the port for the PC that I am writing this on. The only way that I have found to get my PC and that port (igb2) working is to reboot the OPNsense box - which I have never ever had to do before the upgrade.

So the solution seems to be: Do not turn the PC off - that way the link is up all the time, but that is just a band-aid on the real problem....

I would love to know why a link up does not work after this upgrade - what is missing on the link up that the reboot fixes? Any ideas?

I am also a bit confused by why Unbound DNS is trying to get configured after link up (first line in the log above) - Unbound DNS is disabled (well, it is not enabled, but it was once after the upgrade, so it may still think it is enabled, but it is not) ???

Hi forum,

I can completely confirm this issue.

After switching on a PC that is directly connected to one of the OPN ports, it takes approx. 10 minutes for the external network connection to become available. Connection to the OPN interface works, as does e.g. DNS. So it's not an issue on the "pc side" of the network.

All other physical OPN ports are not affected and continue to function as normal.

The only log entries that appear around the time the network starts to work are those:

SYSTEM/LOG/GENERAL
Notice   root   reload filter for configured schedules   
Notice   kernel   <6>igb1: promiscuous mode disabled   
Notice   kernel   <6>igb1: promiscuous mode enabled

This has only started after upgrading to 23.7.7_3.

Any ideas are much appreciated.


Thanks, franco, for the hint. I will check at my earliest convenience.

franco, I would not be able to say since I never get my port up again for internet connection. What I have to do, to get the port working is one of two things:
1) Reboot OPNsense
2) Disable/Enable interface

Of course I nowadays prefer option 2 - it is by far the best option...

Still confused though why Unbound still seems to be alive though I have disabled Unbound. And I get some really confusing log messages about Unbound... How do I stop Unbound from running since it is disabled (do note it has been enabled, but since Unbound seems not to work after latest patch I use DNSmasq instead)? Remove it from config xml file and hope for the best?

At a guess lar.hed (and franco surely will correct me) unbound_configure_do() is just a task in the plugins_configure dns () function. It doesn't mean it starts up Unbound.
If you give it time to start up all services, do you see it running? sudo ps -aux | grep -i unbound should do it

Well, no, I do not see Unbound running under services (I show all services under the Lobby overview). And I did SSH into my OPNsense installation and ran your suggested ps command:

ps -aux | grep -i unbound
root   17569   0.0  0.0   12720   2264  0  S+   11:17       0:00.00 grep -i unbound


So no, Unbound is not running, and this was after 3 days of uptime - as mentioned above I now restart the interface by disabling/enabling the interface...

So I think you are (of course) correct, it has got to be part of some sort of startup sequence for Unbound and all related to Unbound (for example, since I had Unbound enabled earlier and I used block lists, I guess it might download all those at any restart or so).

Thanks for your help!

I'd appreciate trying the patch and seeing if it works. It's 100% harmless.


Cheers,
Franco

Quote from: cookiemonster on November 07, 2023, 10:50:44 AM
At a guess lar.hed (and franco surely will correct me) unbound_configure_do() is just a task in the plugins_configure dns () function. It doesn't mean it starts up Unbound.

Correct!  8)

Quote from: franco on November 06, 2023, 08:14:20 PM
Could it be this one? https://github.com/opnsense/core/commit/b0830803

# opnsense-patch b0830803


Cheers,
Franco

Just did a fast & fugly test of this (I edited the file in question since well 2 rows of "filter_configure(false, false);" was way too easy to enter...).

So I say, with a bit of a reservation, that this solved my problem.

Easier than running "opnsense-patch"? ;)

So ok, I can bring that back but it's a bit odd, because that wasn't the purpose of why the lines were there.


Cheers,
Franco

Sorry, but when you link me to a gitpage where the code is, and well I used to do a lot of software development, then I got curious.... So yes it was easier for me. Maybe not for everyone else.

As a policy we post the link and opnsense-patch because if we don't the commit hash could be anything. This way people can double-check that they actually want the patch.

(not an issue, only want to explain)


Cheers,
Franco