OPNsense 25.1-BETA | feedback

Started by Seimus, December 19, 2024, 08:46:03 PM

Hi all,

another issue I got here is ssh login, I created a new user, set it to "admin" group, but could not login. Did just what I used to on 24.7.

Anyone also saw this?

none
"We will call you Cygnus,
the God of balance you shall be."

Quote from: none on January 03, 2025, 02:45:43 AM
Hi all,

another issue I got here is ssh login, I created a new user, set it to "admin" group, but could not login. Did just what I used to on 24.7.

Anyone also saw this?

none

After a couple of reboots working on something else it worked!


none
"We will call you Cygnus,
the God of balance you shall be."

The mobile menu button was fixed in https://github.com/opnsense/core/commit/970977f5bf

I want to push a package update to the Beta later this week.


Cheers,
Franco

Quote from: franco on December 20, 2024, 10:20:06 AM
# opnsense-update -bkr 25.1b -A 25.1

It should be 25.1.b - so being on community I switched to development stream, ran 'opnsense-update -bkr 25.1.b -A 25.1 -i', and then updated

I still have internet.... ipv4 & ipv6 / pppoe

FreeBSD OPNsense.cherrybyte.me.uk 14.2-RELEASE FreeBSD 14.2-RELEASE stable/25.1-n269579-cd5d25393d6 SMP amd64

January 07, 2025, 08:06:28 PM #34 Last Edit: January 07, 2025, 08:36:00 PM by planetf1
Since the update, I did get these log entries:

2025-01-07T19:00:20 Error flowd_aggregate.py sqlite3 repair /var/netflow/src_addr_details_086400.sqlite
2025-01-07T19:00:20 Error flowd_aggregate.py sqlite3 repair /var/netflow/metadata.sqlite [done]
2025-01-07T19:00:20 Error flowd_aggregate.py sqlite3 repair /var/netflow/metadata.sqlite
2025-01-07T18:59:05 Error flowd_aggregate.py flowd aggregate died with message Traceback (most recent call last): File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 160, in run aggregate_flowd(self.config, do_vacuum) File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 80, in aggregate_flowd stream_agg_object.add(copy.copy(flow_record)) File "/usr/local/opnsense/scripts/netflow/lib/aggregates/interface.py", line 72, in add super(FlowInterfaceTotals, self).add(flow) File "/usr/local/opnsense/scripts/netflow/lib/aggregates/__init__.py", line 185, in add self._update_cur.execute(self._update_stmt, flow) sqlite3.DatabaseError: database disk image is malformed
2025-01-07T18:51:30 Error flowd_aggregate.py flowd aggregate died with message Traceback (most recent call last): File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 160, in run aggregate_flowd(self.config, do_vacuum) File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 80, in aggregate_flowd stream_agg_object.add(copy.copy(flow_record)) File "/usr/local/opnsense/scripts/netflow/lib/aggregates/interface.py", line 72, in add super(FlowInterfaceTotals, self).add(flow) File "/usr/local/opnsense/scripts/netflow/lib/aggregates/__init__.py", line 185, in add self._update_cur.execute(self._update_stmt, flow) sqlite3.DatabaseError: database disk image is malformed
2025-01-07T18:51:20 Error opnsense-devel /usr/local/etc/rc.newwanipv6: The command '/usr/local/sbin/ntpd -g -c '/var/etc/ntpd.conf'' returned exit code '70', the output was 'daemon control: got EOF'
2025-01-07T18:51:19 Warning radvd exiting, 1 sigterm(s) received
2025-01-07T18:51:16 Error opnsense-devel /usr/local/etc/rc.newwanip: The command '/usr/local/sbin/ntpd -g -c '/var/etc/ntpd.conf'' returned exit code '70', the output was 'daemon control: got EOF'
2025-01-07T18:51:15 Error opnsense-devel /usr/local/etc/rc.bootup: The command '/usr/sbin/powerd -b 'hadp' -a 'hadp' -n 'hadp'' returned exit code '69', the output was 'powerd: no cpufreq(4) support -- aborting: No such file or directory'
2025-01-07T18:51:14 Error opnsense-devel /usr/local/etc/rc.bootup: The command '/usr/local/sbin/ntpd -g -c '/var/etc/ntpd.conf'' returned exit code '70', the output was 'daemon control: got EOF'
2025-01-07T18:51:11 Warning opnsense-devel /usr/local/etc/rc.bootup: dhcpd_radvd_configure(manual) found no suitable IPv6 address on lan(vtnet0)

The 'repair' entries only came up after I attempted to repair netflow data.

The system was rebooted at around 1851 so unsure yet if these were just related to shutdown.

Update
 - When checking 'dmesg' I noticed the following 'pid 44730 (ntpd), jid 0, uid 0: exited on signal 11 (no core dump - bad address)'

January 07, 2025, 09:28:29 PM #35 Last Edit: January 07, 2025, 09:30:32 PM by franco
Quote from: planetf1 on January 07, 2025, 07:53:55 PM
It should be 25.1.b - so being on community I switched to development stream, ran 'opnsense-update -bkr 25.1.b -A 25.1 -i', and then updated

Thanks, I edited the original post as well.

About ntpd core dumping I'm unsure. We're rebuilding packages cleanly for 25.1 for the RC, but we're not quite there yet. Haven't seen this here myself. If in doubt at least do a health audit and/or reinstall the ntp package.


Cheers,
Franco

Thanks @franco - for now I've added a cron 'ntpdate' rather than dig into ntp. Also the system is a vm so the base clock should start synced. I'll try again with the RC code, and investigate further if still bad then.

I did report issues with the flow database. A repair fixed those. May have been unrelated to an upgrade, just a bad time to reboot...

January 08, 2025, 08:47:48 AM #37 Last Edit: January 08, 2025, 08:50:43 AM by planetf1
I checked the config for ntp, and switched from all interfaces to WAN only after seeing this:

2025-01-08T07:43:26 Error ntpd unable to create socket on vtnet0 (2) for [fd77:2ac4:81ba::]:123
2025-01-08T07:43:26 Error ntpd bind(22) AF_INET6 [fd77:2ac4:81ba::]:123 flags 0x11 failed: Can't assign requested address

I suspect the ntp issue is unrelated to 25.1, but rather is because I started using a local ipv6 address (fd77:.....) on my lan. This is done by creating a virtual interface in opnsense, whereupon clients use SLAAC to create an address (this all seems to work ok)

ntp doesn't like it.

Actually it doesn't work on LAN either - so maybe it's all internal ipv6? But the logs only ever refer to the fd77 address. Perhaps the config when selected 'WAN,LAN' isn't being set up properly (the virtual interface shows as a third one)

However I'm not making use of ntp on the lan (that I know of, unless advertized?) so I switched to WAN only. At least that way opnsense itself will be working as a client. Seems good enough for now.

A quick google search indicates there may have been issues in this area with ntp in the past.

ntp fails when 'listen vtnet0' is added to the /var/etc/ntpd.conf file by opnsense:

root@OPNsense:/tmp # ifconfig vtnet0
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: LAN (lan)
options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
ether bc:24:11:22:33:44
inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
inet6 fe80::be24:11ff:fe19:25a8%vtnet0 prefixlen 64 scopeid 0x2
inet6 fd77:2ac4:81ba:: prefixlen 48 duplicated
inet6 2a06:5982:1476:5555:6789:11ff:1234:25a8 prefixlen 64
groups: NET_LOCAL
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

(addresses obfuscated)

So maybe the error is caused by me setting up the virtual interface incorrectly. The intent was simply to get a prefix broadcast that clients on the lan would use.

So in opnsense I added 'fd77:2ac4:81ba::/48' - but maybe this should be an actual address?

It seemed to work for the clients - for example my macbook currently has
inet6 fd77:2ac4:81ba:0:1cd3:d581:9c41:4242 prefixlen 64 autoconf secured

Hmm, don't use /48, always /64 or /128 depending on your intention but still favouring /64 overall.

For better IPv6 support I have a test patch for https://github.com/opnsense/core/commit/6c95d574a4a but no testers anymore it seems -- but this is only for explicit interfaces selected I think.


Cheers,
Franco

I can confirm that using ULAs as virtual IPs in LAN breaks ntpd. As long as lan interface with virtual ip added is selected in the ntpd interfaces list it cannot start saying that it cannot bind to fdxx address. Haven't found any other way around this other than removing virtual ip alias. Although I also think this was already a thing before 25.1.

Is this with a specific selection under Services: Network Time: General: Interfaces or using "all"?


Cheers,
Franco

I don't have an issue with fd77:2ac4:81ba:0:1cd3:d581:9c41:4242 but it looks like this is DAD playing tricks again...

Does this tunable help?

"net.inet6.ip6.dad_count" with value "0"



Cheers,
Franco
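
Added example, not part of any post in this thread and not OPNsense code: a small Python check that reads `ifconfig` output and reports inet6 addresses matching the three symptoms discussed above (a DAD state of `duplicated` or `tentative`, a prefix length other than /64 or /128, and an address whose host bits are all zero). The sample input is constructed from the output posted earlier; the function name and the choice of flags to report are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, modelled on the ifconfig output posted in this thread.
SAMPLE_IFCONFIG = """\
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
    inet6 fe80::be24:11ff:fe19:25a8%vtnet0 prefixlen 64 scopeid 0x2
    inet6 fd77:2ac4:81ba:: prefixlen 48 duplicated
    inet6 2a06:5982:1476:5555:6789:11ff:1234:25a8 prefixlen 64
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)(.*)$")
# Assumption of this example: these two ifconfig flags mark an address that
# has not passed duplicate address detection and cannot be bound to.
NOT_READY_FLAGS = {"duplicated", "tentative"}


def audit_inet6(ifconfig_text):
    """Return [(address, [issues])] for every inet6 line that has an issue."""
    findings = []
    for line in ifconfig_text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr_text, prefixlen, rest = m.group(1), int(m.group(2)), m.group(3)
        # Drop the "%vtnet0" zone suffix that link-local addresses carry.
        addr = ipaddress.IPv6Address(addr_text.split("%")[0])
        issues = []
        not_ready = NOT_READY_FLAGS & set(rest.split())
        if not_ready:
            issues.append("DAD state: " + ",".join(sorted(not_ready)))
        if prefixlen not in (64, 128):
            issues.append(f"prefixlen {prefixlen} (expected 64 or 128)")
        # An address equal to its own network address is the bare prefix.
        net = ipaddress.IPv6Network((addr, prefixlen), strict=False)
        if prefixlen < 128 and addr == net.network_address:
            issues.append("host bits are all zero")
        if issues:
            findings.append((str(addr), issues))
    return findings


if __name__ == "__main__":
    for address, issues in audit_inet6(SAMPLE_IFCONFIG):
        print(address, "->", "; ".join(issues))
```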

My gut feeling is this will fix ntpd starting up correctly but it will probably ignore the virtual IP in /var/etc/ntpd.conf for the mentioned reason.

# opnsense-patch https://github.com/opnsense/core/commit/c6e700fbae3