Possible configd problem: Sections of config.xml related to NAT are not evaluated anymore #7562
Comments
You need to upgrade the slave as well.

Sorry, no. If you were right, turning off the slave and only running the updated master node should fix the problem.
I don't have your setup, nor a way within community support to assess your current config.xml state.
I could of course send the current config.xml to you; I have a serious problem testing it myself, as I do not have an identical device I could take off-line and test with the current configuration, or I would have done that for verification. All I really need is someone loading that config.xml into a current OPNsense at factory defaults and checking whether the 1:1 NAT mappings are there, to verify whether this is a config problem or a firmware problem. Or you tell me how I can opnsense-revert down to OPNsense 24.1.5_3-amd64 without the Python downgrade killing me on the way...
Thank you for getting me several steps ahead... The issue title probably needs changing; it is a migration problem. One part is negligible: the shadowsocks migration is failing; I'll split that one off, see #7578. The problem referred to here is logged as
The config.xml has been cleaned; all lines with passwords are gone, so HA/CARP migration might fail. Don't worry, that part is working.
@noseshimself if you remove the entry with

If you fetch the old overview page using:

You should be able to remove the item via the then available

Don't forget to remove the old file when you're done.
The only occurrences of "2003:4e:6010" in config.xml are
And to be honest this is irritating me already, because I can't find any log entries by system administrators in the ticket system telling me where the static IPv6 address came from, or why they are tagged as "LAN" and "lan", and why the sync connection is "LAN"... The slave router doesn't have this in its configuration. There is nothing referring to it in the NAT section at all:
and using the old version of the page does not show anything IPv6-y that can be fixed at all.
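For a search like the one described above (finding every place a given address prefix appears in config.xml), a small stdlib script can print the path to each hit. This is a sketch only: the sample document below is made up for illustration and is not the real OPNsense config layout.

```python
# Sketch: locate every element in an OPNsense-style config.xml whose text
# mentions a given prefix, printing the path to each hit. The sample
# document is illustrative, not the real config structure.
import xml.etree.ElementTree as ET

def find_text(root, needle, path=""):
    hits = []
    for child in root:
        p = f"{path}/{child.tag}"
        if child.text and needle in child.text:
            hits.append((p, child.text.strip()))
        hits.extend(find_text(child, needle, p))
    return hits

sample = """<opnsense>
  <interfaces>
    <lan><ipaddrv6>2003:4e:6010::1</ipaddrv6></lan>
  </interfaces>
  <nat>
    <npt><source>2003:4e:6010::/64</source></npt>
  </nat>
</opnsense>"""

root = ET.fromstring(sample)
for path, text in find_text(root, "2003:4e:6010"):
    print(path, "=", text)
```

This reports both the interface address and the NPT rule in the synthetic sample, which is essentially the situation described in the thread.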
Sorry for butting in, but theoretically this is a valid IPv6 address. It is called an IPv6 address with an embedded IPv4 address; the low-order 32 bits are allowed to be written like this. See https://datatracker.ietf.org/doc/html/rfc4291#section-2.2, third example. Edit: Oops, this is about 1:1 NAT, sorry. Just realized.
You did not read the problem description: nobody set a static IPv6 address on that interface (I can't find any documentation related to it), and even if somebody had done so, there should not be any implicit NAT rule that cannot be migrated in a section that did not contain any before migration. Besides that: this is the outward-facing interface, and it does not seem to be a good idea to add an IPv6 address there that was not assigned by the provider (and I know the IPv6 block assigned there).
I was looking in the wrong place, but I guess this has to be added to #7578, and I should have read the error message. If I run the migration script on the configuration of the (still working) slave, something (the shadowsocks migration?) is adding this?
and as we did not do anything with IPv6 there, I never expected rules showing up. I just checked all configuration backups back to 2022 and found the first daily change where the IPv6 entries started showing up, but I can't ask the responsible admin anymore -- he left. After removing the npt-related section from config.xml and rerunning
If I reapply run_migrations.php to the config file before the upgrade, I get the same error messages again, so the root cause of the problem is the npt entry, which never caused any visible problem before (e.g. no annoying messages like "hey, I was told to set up an IPv6 NAT rule for an address that is nowhere to be found").
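The manual fix described here (removing the npt-related section before rerunning the migration) can be sketched with the stdlib XML tools. The `<nat>`/`<npt>` nesting below is an assumption drawn from the thread, not a confirmed config.xml schema, and any real edit should be done on a backup copy first:

```python
# Sketch: drop a leftover <npt> block from a config.xml-style document
# before rerunning migrations. The <nat>/<npt> nesting is an assumption
# based on the thread; keep a backup of the original file.
import xml.etree.ElementTree as ET

def strip_npt(xml_text):
    root = ET.fromstring(xml_text)
    for nat in root.iter("nat"):
        for npt in nat.findall("npt"):
            nat.remove(npt)
    return ET.tostring(root, encoding="unicode")

before = "<opnsense><nat><npt><source>2003:4e:6010::/64</source></npt>" \
         "<onetoone/></nat></opnsense>"
after = strip_npt(before)
print(after)  # <npt> gone, the sibling 1:1 NAT element untouched
```

After an edit like this, the step taken in the thread was to rerun the migration and check whether the error messages reappear.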
@noseshimself case closed then?

I would say so, but someone has to find out where the npt entry was coming from. The routers in question were not doing anything with the IPv6 addresses I found.
Let's close this then; tracking origins of local configuration changes is not something we can assist with in community time here.
(I'm digging through four years of nightly backups to find out how this npt mapping was created and why it is not on the slave -- should I find proof that it was automatically created after installing the exit part of shadowsocks on the gateway, I'll open a new issue.)
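Digging through years of nightly backups for the first appearance of an entry is mechanical enough to script. A minimal sketch, assuming backups are plain XML files with sortable date-stamped names (the `config-YYYY-MM-DD.xml` naming is made up; adapt the glob to the real backup scheme):

```python
# Sketch: walk dated config backups in filename order and report the first
# one containing a given marker (an <npt> tag, an address prefix, ...).
# The "config-YYYY-MM-DD.xml" naming is an assumption; adapt the glob.
import tempfile
from pathlib import Path

def first_backup_with(backup_dir, marker):
    for path in sorted(Path(backup_dir).glob("config-*.xml")):
        if marker in path.read_text(errors="ignore"):
            return path
    return None

# Demo with two synthetic backups:
with tempfile.TemporaryDirectory() as d:
    Path(d, "config-2022-01-01.xml").write_text("<opnsense/>")
    Path(d, "config-2022-06-01.xml").write_text("<opnsense><npt/></opnsense>")
    hit = first_backup_with(d, "<npt")
    print(hit.name)  # first backup where the marker appears
```

Sorting by filename works here only because the assumed date format sorts lexicographically; with other naming schemes, sort on the file's modification time instead.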
Important notices
Describe the bug
After an involuntary update of the master node of an HA cluster from OPNsense 24.1.5_3-amd64 to OPNsense 24.1.9_4-amd64, all 1:1 NAT settings were gone on the running system (gone as in
), although the relevant parts of the configuration file are still in the correct positions and completely intact:
The slave system running OPNsense 24.1.5_3-amd64 is still working after pushing the configuration over
(screenshot; attachment link expired)
so I'm assuming that the syntax was sufficiently correct even after the upgrade.
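Since both nodes reportedly carry identical, intact NAT sections in config.xml, one way to back up that claim is to compare the 1:1 NAT entries of the two snapshots mechanically. A hedged sketch, where the `<onetoone>` element name is an assumption about where 1:1 NAT mappings live:

```python
# Sketch: compare the 1:1 NAT entries of two config.xml snapshots (e.g.
# master vs. slave) to confirm both carry the same rules. The <onetoone>
# element name is an assumption, and the addresses are documentation values.
import xml.etree.ElementTree as ET

def onetoone_rules(xml_text):
    root = ET.fromstring(xml_text)
    rules = set()
    for rule in root.iter("onetoone"):
        parts = tuple(sorted((c.tag, (c.text or "").strip()) for c in rule))
        rules.add(parts)
    return rules

master = "<opnsense><nat><onetoone><external>198.51.100.10</external>" \
         "<source>10.0.0.10</source></onetoone></nat></opnsense>"
slave = master  # per the report, both files held identical sections

print(onetoone_rules(master) == onetoone_rules(slave))  # True
```

Comparing rules as order-insensitive sets of (tag, text) pairs sidesteps harmless differences in whitespace or child-element ordering between the two files.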
As the bug is stopping production for a large number of internet-facing servers, we had to demote the master to slave and are now using the backup system as master via CARP.
With Python being upgraded from 3.9 to 3.11, reverting seems to be an extremely impractical solution, too.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
NAT rules being applied to the running system upon booting.
Describe alternatives you considered
Crying loudly. Seeing the rules still being available on the backup system, stopping to cry and failing over.
Relevant log files
The log file got considerably larger after the update but I can't seem to find anything relevant.
Environment
Software version used and hardware type if relevant, e.g.:
User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
FreeBSD 13.2-RELEASE-p11 stable/24.1-n255023-99a14409566 SMP amd64
OPNsense 24.1.9_4 908aac0
Plugins os-OPNProxy-1.0.5_1 os-OPNWAF-1.1 os-OPNcentral-1.7 os-dmidecode-1.1_1 os-dyndns-1.27_3 os-lldpd-1.1_2 os-maltrail-1.10 os-nextcloud-backup-1.0_1 os-redis-1.1_2 os-rfc2136-1.8_2 os-shadowsocks-1.1 os-squid-1.0_2 os-sunnyvalley-1.4_3 os-theme-cicada-1.35 os-theme-rebellion-1.8.10 os-theme-tukan-1.27_1 os-theme-vicuna-1.45_1 os-vnstat-1.3_1
Time Thu, 27 Jun 2024 01:08:27 +0000
OpenSSL 3.0.14
Python 3.11.9
PHP 8.2.20