OpnSense 22.1 Issue #65
Comments
I upgraded to 22.1 without even recalling that I had this script running. Haven't been able to get connection through the gateway since the upgrade. I've verified that the upgrade didn't overwrite/remove the script from |
Looks like DHCP traffic is not being bridged between |
I tried my hand at this over the weekend with trying to use For some reason none of my logs are being output to Edit: I was able to get some better logging through the web ui. It appears something with
Edit Edit: I was able to get this working with the steps below. To me it seems like there is something going on with the order of operations of the script. After a reboot I still get stuck on Move WAN from ngeth0 to em1 in the web gui
|
I'll have to give this a go. Glad to see it's working. If I recall, when I made my PR to go from wpa_cli to wpa_supplicant, there was some poor escaping or bash interpretation happening in the arguments list. Switching to the .conf file is far more supported anyways in the *nix community at large. |
I've got a non-wpa_supplicant setup, so I'm not sure those steps will apply to me. Maybe a reconfiguration of the interface did something, however. |
I have not been able to get any more figured out for non-wpa_supplicant setup, has anyone else made any progress? |
Not yet but I'm working on it too. I also tried converting to the wpa supplicant method and can't get it going either but that's true for me on 21.7. If I figure either out I'll report back. |
21.7 works for me with supplicant but 22.1 doesn't. |
I am also having problems with the latest version of OPNsense, I had to revert to 21.7.8 |
Since we've got multiple methods of PFATT in this issue, could you please be specific as to which method you're using? To summarize:
|
I am using the supplicant method. After the update the script hangs on "waiting on EAP for authorization". On occasion running the script manually worked. I decided to move back to the older release of OPNsense since if I had to reboot for any reason the script would not terminate unless it gets an IP address. |
Are you using my pull request? Or the script in the repository? I had mine hang at the same place, but it was the wpa-cli code block that was failing. There was some bash interpretation and escaping that failed.
Try my pull request script and see if it works.
On Mon, Feb 7, 2022 at 19:19 Hou-dev ***@***.***> wrote:
Since we've got multiple methods of PFATT in this issue, could you please be specific as to which method you're using?
To summarize:
- 22.1 does not work with the "tethered" method, where the router remains on and connected.
- At least one report of 22.1 working with the *wpa_supplicant* method
I am using the supplicant method. After the update the script hangs on "waiting on EAP for authorization". On occasion running the script manually worked. I decided to move back to the older release of OPNsense since if I had to reboot for any reason the script would not terminate unless it gets an IP address.
|
I tried the zombielinux fork and it had the same issue. |
I'm running in supplicant mode with zombielinux's branch. @zombielinux I also tried your script and it still hangs at I want to try updating the script to manually set the WAN back to |
I was able to get this working with @zombielinux's updates at the encouragement of @MrCaturdayNight
|
@dangeist Thanks for the excellent work! I've updated the pull request with the explicit module loading. Also, the DHCP taking a few attempts was observed over here too, I'd say it's normal behavior. |
Purely selfish reasons. I'm moving all my home network gear over to battery-backed DC power and the RGW was a non-standard voltage and power pigtail :) |
I tried the updates from @dangeist and @zombielinux and I'm still getting hung up on boot. I should note that I'm running on After boot I'm able to get authenticated by running A big thank you to all of those who are putting work into this. If I find a workaround I will report back. |
pfatt.sh also breaks on pfSense 2.6.0. I wasn't able to get it to work and I had to downgrade to 2.5.2. |
I can also confirm this is broken on pfSense Plus 22.01 and pfSense 2.6.0 CE. Seems something broke in the newer FreeBSD kernel, I'd imagine. |
I did some testing last night and it seems with Opnsense 22.1 there are some problems with my setup (Intel nic) with the updated kernel. There is an option to update the kernel only using Edit 0: I also tried ZombieLinux's version but the same issue with the latest version 22.1 with my Intel nic. Edit 1: There might be some change in FreeBSD 12.3 that broke compatibility with the script since I am seeing reports that pfsense 2.6 is broken. Opnsense skipped 12.3 and used FreeBSD 13's kernel. |
Had the issue this morning when I moved over to 2.6 and ended up trying out OPNsense but haven't tried implementing this, watching closely to look for a solution. Silver lining is this gave me an opportunity to take a good look at OPNsense and it's pretty nice. |
Sounds like a similar issue with us pfSense people. I am a bit lost though. Has anyone gotten @zombielinux fork working with Opnsense 22.1? Looking at his code it looks like the only major difference from what I was using is adding "/sbin/kldload -nq ng_ether" at the start of the script. If someone was successful with 22.1 I'll upgrade again and try it on pfSense 22.01. |
I can try this later on once the fam goes to bed. |
Well this is quite different than with pfsense which I am used to, only been running opnsense for a couple of days now. When I boot up it says it can't find the file so I don't know what the issue is, when I try and run the file manually using ./filename it says the same thing so IDK. |
root@OPNsense:/usr/local/etc/rc.syshook.d/early # ./99-opnatt-supplicant |
I know this is focused on OpnSense but I was able to do a lot of troubleshooting on the possibly related pfSense issue and may have found a solution. If not a solution for you all hopefully it adds some insight. And more info on possibly the root issue in FreeBSD |
I really do think this is related... https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260068 Unfortunately, it appears that OPNsense has if_em compiled into the kernel. I can confirm their 22.1 branch of the FreeBSD-13 kernel does not have the patch applied... https://github.com/opnsense/src/tree/stable/22.1/sys/dev/e1000 However, master does... https://github.com/opnsense/src/tree/stable/13/sys/dev/e1000 |
There may be multiple problems here. I had no issue getting WPA to authenticate on the ONT_IF with the same script I was using with 21.7, but no traffic would flow and no DHCP lease could be acquired. Disabling the HW Vlan options seemed to fix the traffic flow issue. So I'd make sure you are getting a wpa auth by using the below command as a first step.
|
With pfSense I was the same. Never had any issues with WPA. Was just traffic flow on VLAN 0 for DHCP. Unlike you, the script change did not resolve it for me. |
Perfect. This worked for me on OPNsense 22.1.x using the supplicant method. I upgraded from 27.1.8 with this tweak already in my script and my box booted right up, grabbed V4 and V6 and everything seems good so far. I'm on the em driver Thanks for solving this one. |
|
Added "-vlanhwtag -vlanhwfilter -vlanhwtso" to line 50 to enable supplicant auth on OPNSense 22.1 per MonkWho#65
@zombielinux - Can you make the same change on the opnatt.sh? It worked, I just tested it on a non-supplicant setup and it worked. |
Can confirm |
@neydah700 |
I can confirm changing the script to |
Are you sure you didn't do any other changes? I spent all weekend trying to get it to work in non-supplicant mode and could not get it to pull a DHCP address for the WAN using a Qotom Q355G4. Clean install of opnsense 22.1. |
I also was unable to get it working on non-supplicant 22.1 with just these changes. I have a BGW210 as well. |
Honestly, that's the only change I did. I am running in a VM environment w/ NIC passthrough. What NIC does Qotom Q355G4 have? |
That's the only thing I did. Keep in mind mine was not a fresh 22.1 install, I already had the bypass up and running prior in 21.7, upgraded to 22.1 in place, bypass didn't work and I simply changed the startup script already present. I never tried changing the initial install script and essentially reinstalling the bypass setup. |
It's intel nics. I will have to look up the exact ones later when I get home. |
4 x Intel I211-AT |
That should just work. Here are a few lines before and after my script. Hopefully it helps you.
|
I did finally get it to work but it won't work on a reboot of the OPNsense. After a reboot I have to clean up everything the script creates in netgraph then rerun it manually. Then it will pull an IP again just fine. Not sure where to go from there. Seems like I may have an additional issue on top of this one. |
what is your netgraph state after the reboot (before the cleanup)? |
I am very new to netgraph so could you be more specific in what you are asking for me? Do you just want the output of "ngctl list" or something more? |
That would be a good start |
I was all prepared to reboot, capture the netgraph output, fix things so I could get back but now it's working perfectly. Three reboots and pulls an IP every time. I do not recall doing anything that would have made a difference. But as long as it's working now I guess. |
Happy to hear, sounds like a timing thing. Sometimes the modem is in an odd spot where it can't pass EAP auth. |
Have verified on opnsense 21.x and on 22.1, non-supplicant, tethered mode.
For the non-supplicant method, I'm experiencing issues with Opnsense 2.7. I made the required change to the opnatt.sh file, but no change. Anything specific I can look at/test? This is a new build of Opnsense. I'm currently using pfsense 2.5.2 with no issue. One thing I've noticed is the opnatt.sh file - seems several versions out there. I'm using the one in the master branch here. I also require the 5268AC files. Edit: 3rd restart magic - it works now. Also applied 22.7.2 and we survived. I think another poster above had the same thing - 3 restarts and it works. |
I set up Opnsense 22.7 and have tried numerous ways to get this working in supplicant mode. After trying the syntax that dangeist posted, I'm getting the same hanging at waiting EAP for authorization. How do I get out of this loop? None of the boot options seem to bypass this problem and the loader option doesn't seem to have the options that I need to fix it (modify or delete the script in rc.syshook.d/early) Thanks! |
@SGC1990 Does the /sbin/ifconfig $ONT_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso fix need to be applied to the supplicant portion of the script? Your commit is only to the bridge section. |
Still trying to get supplicant mode working with Opnsense 22.7, but ngeth0 does not have the WAN MAC address and em0 (physical WAN interface) is not set up as promiscuous. When early script is applied, the boot process never completes, so I can't manually change settings as far as I can tell. Any advice? |
Don’t put the script in EARLY. Use START instead. I don’t know if this is a recent change but early scripts run before network startup. |
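An added diagnostic, not part of the thread or of the pfatt/opnatt scripts: it parses FreeBSD `ifconfig` output for the ONT-facing interface and reports which of the three VLAN hardware offloads named in the fix are still enabled, and whether promiscuous mode is set. The function name `check_ont_if`, the `OFFLOADS` table and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): parse FreeBSD `ifconfig <if>` output on
# stdin and report what the ONT-facing NIC still needs from the thread's fix.

# capability-name:ifconfig-flag pairs for the three offloads the fix disables
OFFLOADS="VLAN_HWTAGGING:-vlanhwtag VLAN_HWFILTER:-vlanhwfilter VLAN_HWTSO:-vlanhwtso"

# Prints one line per finding; returns 0 only when nothing is left to change.
check_ont_if() {
    cfg=$(cat)
    # Interface flags line, e.g. "em0: flags=8843<UP,...>"
    flags=$(printf '%s\n' "$cfg" |
        sed -n 's/^[^[:space:]]*: flags=[0-9a-f]*<\([^>]*\)>.*/\1/p' | head -n 1)
    # Capability line starts with whitespace; this skips "nd6 options=..."
    opts=$(printf '%s\n' "$cfg" |
        sed -n 's/^[[:space:]]*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' | head -n 1)
    rc=0
    for pair in $OFFLOADS; do
        cap=${pair%%:*}
        flag=${pair#*:}
        case ",$opts," in
            *",$cap,"*) echo "$cap still enabled: add $flag"; rc=1 ;;
        esac
    done
    case ",$flags," in
        *",PROMISC,"*) ;;
        *) echo "PROMISC not set: add promisc"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample output (hex masks are placeholders, not captured values).
SAMPLE_BEFORE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=0<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>'
SAMPLE_AFTER='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=0<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM>
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>'

printf '%s\n' "$SAMPLE_BEFORE" | check_ont_if || echo "-> ONT_IF needs the fix"
printf '%s\n' "$SAMPLE_AFTER" | check_ont_if && echo "-> ONT_IF matches the fix"
```

On a live box the same function takes `ifconfig "$ONT_IF"` on stdin, which makes it easy to confirm after a reboot whether the script's `ifconfig` line actually took effect.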
https://opnsense.org/opnsense-22-1-released/
Has anyone had experience with it yet? I haven't gotten around to it and probably won't have time for a while. Starting an issue thread to keep track of it.
EDIT: reported working well with wpa_supplicant
EDIT MORE: #65 (comment) seems to be the victorious solution that covers both WPA and Tethered operating modes.