Koozali.org: home of the SME Server

software update tonight, now no network

Offline robf355

software update tonight, now no network
« on: November 21, 2021, 11:29:42 PM »
Hi, I updated sme tonight using the software installer, now I cannot access the network / internet or anything
The ethernet adapter link light is off, if I go into the bios and check the network the light comes on, as soon as sme reboots and starts it goes off
the packages updated were
qpsptpd-0.96-20.e17.sme.noarch
smeserver-clamav-2.7.0-10.e17.sme.noarch
e-smith-qmail-2.6.0-13.e17.sme.noarch
e-smith=-email.5.6.0-15.e17.sme.noarch
smeserver-horde-1.0.0-29.e17.sme.noarch
e-smith-radiusd-2.6.0-21.e17.sme.noarch
e-smith-samba-2.6.0-26.e17.sme.noarch
e-smith-packetfilter-2.6.8-8.e17.sme.noarch
e-smith-apache-2.6.0-16.e17.sme.noarch
ifconfig shows the correct ip address and subnet mask
Code:
br0: flags=4099<UP,BROADCAST,MULTICAST> MTU 1500
inet 192.168.0.10  netmask 255.255.255.0 broadcast 192.168.0.255

no bytes transmitted or received
Code:
ROUTE SHOWS: KERNEL IP ROUTING TABLE
Destination           gateway                  genmask            flags      metric      ref      use   iface
default                  pc-00002.kjctec       0.0.0.0               UG          0             0        0       br0
192.168.0.0          0.0.0.0               255.255.255.0         U            0             0        0       br0
any ideas, I can't download anything from the net from this machine, strange that the link light is off on the adapter, I've logged in as admin and selected configure this computer to check the network adapter selected, all as it should be.
could the packet filter be the problem as that's the only network related thing that was updated
Any help appreciated

edit: update display for easy reading
« Last Edit: November 22, 2021, 03:31:49 AM by Jean-Philippe Pialasse »

Offline TerryF

Re: software update tonight, now no network
« Reply #1 on: November 22, 2021, 12:00:16 AM »
you could do a downgrade of packetfilter and see..might just be a typo but my version, no issues, is
[root@fagehome ~]# rpm -q e-smith-packetfilter
e-smith-packetfilter-2.6.0-8.el7.sme.noarch

--
qui scribit bis legit

Offline TerryF

Re: software update tonight, now no network
« Reply #2 on: November 22, 2021, 12:23:09 AM »
The packetfilter update was to do with

 restrict VPN networks to their interface [SME: 11640]
 remove remoteVPNSubnet property added VPNif property

and it was me who verified it..damn if it's it...


Offline sages

Re: software update tonight, now no network
« Reply #3 on: November 22, 2021, 01:10:47 AM »
What mode is your server configured? ie server, server-gateway ?
Check in /var/log/iptables to see if there is anything there?

Mine is running in server only mode and I can access the internet fine with today's updates installing fine.
rpm -q e-smith-packetfilter
e-smith-packetfilter-2.6.0-8.el7.sme.noarch

I notice that you are running in bridge mode and you said in your OP that you cannot access the network or internet. Why are you using a bridge interface?

I understand that you had a working configuration and after the latest updates it stopped working, but please provide more information on exactly how your system is configured. Have you got a vpn configured? enabled/disabled etc
...

Offline sages

Re: software update tonight, now no network
« Reply #4 on: November 22, 2021, 01:14:38 AM »
Another thought, if the link light is off on the network card try plugging the cable back in (at both ends)
...

Offline TerryF

Re: software update tonight, now no network
« Reply #5 on: November 22, 2021, 04:35:24 AM »
Yes, suspect OP is operating with a VPN setup or is related to posting smecontribs forum re openvpn-bridge
« Last Edit: November 22, 2021, 05:14:50 AM by TerryF »

Offline robf355

Re: software update tonight, now no network
« Reply #6 on: November 22, 2021, 07:04:51 AM »
server is operating in server only mode
previously had openvpn bridge and routed installed, but following problems (posted in contribs) they were both uninstalled.
Code:
rpm -q e-smith-packetfilter
error: Failed dependencies:
e-smith-packetfilter >= 1.13.0.13 is needed by (installed) e-smith-portforwarding-2.6.0-3.el7.sme.noarch
iptables o/p:
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ForwardedTCP
-N ForwardedTCP_2236
-N ForwardedUDP
-N ForwardedUDP_2236
-N InboundICMP
-N InboundICMP_2236
-N InboundTCP
-N InboundTCP_2236
-N InboundUDP
-N InboundUDP_2236
-N SMTPProxy
-N SSH_Autoblock
-N SSH_Whitelist
-N SSH_Whitelist_2236
-N denylog
-N local_chk
-N local_chk_2236
-N state_chk
-A INPUT -j state_chk
-A INPUT -j local_chk
-A INPUT -s 224.0.0.0/4 -j denylog
-A INPUT -d 224.0.0.0/4 -j denylog
-A INPUT -p icmp -j InboundICMP
-A INPUT -p icmp -j denylog
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j InboundTCP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A INPUT -i br0 -p udp -j InboundUDP
-A INPUT -i br0 -p udp -j denylog
-A INPUT -j denylog

dmesg:
Code:
[   61.535056] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[   61.536867] Bridge firewalling registered
[   61.558224] tun: Universal TUN/TAP device driver, 1.6
[   61.558227] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[   61.560137] IPv6: ADDRCONF(NETDEV_UP): tap0: link is not ready
[   61.560143] device tap0 entered promiscuous mode
[   61.560851] br0: port 1(tap0) entered blocking state
[   61.560853] br0: port 1(tap0) entered disabled state
[   62.605388] IPv6: ADDRCONF(NETDEV_UP): br0: link is not ready

As a test I disabled the ethernet adapter in the bios and then enabled the second adapter, the link light then came on but the output from iptables is the same, it seems that ethernet adapter isn't even activated, presumably the os thinks it doesn't need it?

I checked /etc/sysconfig/network-scripts/enp0s25
It has the setting ONBOOT=no

Any ideas as to how I rectify this, I'm not at all conversant with the templates or db config so any pointers as to what to look for (if that is the issue) would be very welcome
« Last Edit: November 22, 2021, 07:34:42 AM by robf355 »

Offline sages

Re: software update tonight, now no network
« Reply #7 on: November 22, 2021, 07:47:15 AM »
I suspect that you have an issue with which network interface is active. In your original post your o/p for ifconfig mentions 'br0' and in your last post you mention 'enp2s0'. They are different.
If you have disabled the openvpn bridge you shouldn't be using 'br0' you should be using the raw interface 'enp2s0'
Log on as admin and configure your network to use enp2s0.
You may have to read the wiki for openvpn bridge and follow how to disable the bridge network.
...

Offline TerryF

Re: software update tonight, now no network
« Reply #8 on: November 22, 2021, 08:31:08 AM »
If you have two adapters, and it seems you do from comment above, make sure you are plugged into the right one and have it selected in the console config screen, I have made that mistake in the past when moving from server-gateway to server only and been a little hasty in my cable removals and plugins.. :-)

Offline robf355

Re: software update tonight, now no network
« Reply #9 on: November 22, 2021, 09:49:24 AM »
Thanks for the suggestions, I finally fixed it (Thank god)
checked the openvpn-bridge wiki, it mentioned:
Code:
You may also want to remove some other dependencies if you don't use them anymore

yum remove smeserver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet

Notes
1. disabled both server network cards and rebooted - this may not have been necessary
2. restarted and attempted to reconfigure the server from admin screen, refused as no network card found.
3. rebooted, tried to uninstall as above, yum refused, said "Another app is currently holding the yum lock"
killed the yum instance, then retried - uninstall successful
Code:
Nov 22 08:33:24 Erased: perl-Net-OpenVPN-Manage-0.02-2.el7.sme.noarch
Nov 22 08:33:24 Erased: perl-Net-Telnet-3.03-19.el7.noarch
Nov 22 08:33:25 Erased: smeserver-bridge-interface-0.2-7.el7.sme.noarch
5. just in case:
Code:
signal-event post-upgrade; signal-event reboot
5. rebooted, then reconfigure, all ok
Code:
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.10  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 00:19:99:c3:ce:9b  txqueuelen 1000  (Ethernet)
        RX packets 5577  bytes 1876912 (1.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6724  bytes 5129912 (4.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 18  memory 0xfe600000-fe620000
Thanks for the help
 :-D
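
Added example, not part of any post in this thread: a small POSIX shell check for the condition reported above, where br0 carried the server's address and was UP but not RUNNING, with tap0 as its only port. It reads sysfs; the function names and the SYSNET override (used to point the check at a constructed directory tree) are assumptions of this example.

```sh
#!/bin/sh
# Added example: explain why a bridge such as br0 shows no link.
# SYSNET is an assumption of this example: it defaults to the kernel's
# sysfs tree and can be pointed at a constructed directory for testing.
SYSNET="${SYSNET:-/sys/class/net}"

# List the ports enslaved to bridge $1; fail if $1 is not a bridge.
bridge_ports() {
    [ -d "$SYSNET/$1/brif" ] || return 1
    ls "$SYSNET/$1/brif"
}

# Hardware NICs expose a 'device' link in sysfs; tap/tun ports do not.
is_physical() {
    [ -e "$SYSNET/$1/device" ]
}

# Print one verdict for bridge $1:
#   not-a-bridge | no-ports | no-physical-port | no-carrier | ok
bridge_verdict() {
    ports=$(bridge_ports "$1") || { echo not-a-bridge; return 0; }
    [ -n "$ports" ] || { echo no-ports; return 0; }
    phys=""
    for p in $ports; do
        if is_physical "$p"; then phys="$phys $p"; fi
    done
    [ -n "$phys" ] || { echo no-physical-port; return 0; }
    for p in $phys; do
        # carrier reads 1 only when the port is up and has link
        if [ "$(cat "$SYSNET/$p/carrier" 2>/dev/null)" = "1" ]; then
            echo ok; return 0
        fi
    done
    echo no-carrier
}

# Stand-alone use: check the bridge named on the command line, or br0.
bridge_verdict "${1:-br0}"
```

A bridge whose only port is a tap device, as in the dmesg output quoted in the thread, yields no-physical-port.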

Offline TerryF

Re: software update tonight, now no network
« Reply #10 on: November 22, 2021, 09:54:22 AM »
mate, grinners :-) and you have gained some knowledge along the way

Offline ReetP

Re: software update tonight, now no network
« Reply #11 on: November 22, 2021, 11:10:54 AM »
It was most likely the bridge interface contrib doing the damage.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

Re: software update tonight, now no network
« Reply #12 on: November 22, 2021, 02:19:20 PM »
will need to investigate the bridge contrib.
trying to reproduce your steps to see if we can reproduce. 

try to correct if i forget some steps

SME server only
install smeserver-openvpn-bridge + smeserver-phpki-ng
configure certs for server and one client
put servers certificates in place
configure the port forwarding on your router
open vpn hang on start (can you specify if on reboot or initial install, how you saw that)
uninstall smeserver-openvpn-bridge
yum update then signal-event post-upgrade signal-event reboot
no network, only access by keyboard and screen. 

Offline robf355

Re: software update tonight, now no network
« Reply #13 on: November 22, 2021, 02:57:19 PM »
Hi

this is the sequence I followed, after every signal event update I did a manual reboot - shutdown now -r
Code:
yum --enablerepo=smecontribs install smeserver-openvpn-bridge
yum --enablerepo=smecontribs,epel install smeserver-phpki
then there was a mention in the wiki about enabling the epel repository
Code:
db yum_repositories set epel repository Name 'Epel - EL7' BaseURL 'http://download.fedoraproject.org/pub/epel/7/$basearch' MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-7&arch=$basearch' EnableGroups no GPGCheck yes GPGKey http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL Exclude perl-Razor-Agent,pwauth Visible no status disabled
signal-event yum-modify


then, as per a query I logged, to install phpki-ng:
Code:
yum --enablerepo=smecontribs,smetest,epel install smeserver-phpki-ng
signal-event post-upgrade; signal-event reboot

then I also needed openvpnrouted, installed and changed the port
Code:
yum  install smeserver-openvpn-routed --enablerepo=smecontribs
config setprop openvpn-bridge UDPPort 1195

Generated the certificates from the manager page and then
Code:
cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/
signal-event openvpn-routed-update

This is when I checked the server manager page and it said the service was trying/waiting to start
I checked the logs:
Code:
less /var/service/openvpn-routed/log/
less /var/service/openvpn-routed/log/supervise/status
all empty

following some responses to my query about the service not starting
Quote
this will show status of service
# systemctl status openvpn-bridge

dont use openvpn so cant do any triage, have it installed to a VM but thats about it so far, no certs etc setup
I decided to (as per post) uninstall and try it on a VM instead - as I couldn't afford to have the main server down
Code:
yum remove smeserver-openvpn-routed
yum remove smeserver-openvpn-bridge
hope this helps
« Last Edit: November 22, 2021, 03:00:02 PM by robf355 »

Offline ReetP

Re: software update tonight, now no network
« Reply #14 on: November 22, 2021, 06:08:18 PM »
Not sure you can run bridged AND routed at the same time.

But bridged will probably be the one that causes the issue

JP will comment but he's a busy boy the next few weeks so be patient while he saves lives.

Offline Jean-Philippe Pialasse

Re: software update tonight, now no network
« Reply #15 on: November 22, 2021, 07:25:22 PM »
Not sure you can run bridged AND routed at the same time.

But bridged will probably be the one that causes the issue

JP will comment but he's a busy boy the next few weeks so be patient while he saves lives.

you can run the 3 openvpn contribs on the same server.  i do !

bridge and s2s are the less intrusive as they do not require bridging which is the delicate operation. 

Offline ReetP

Re: software update tonight, now no network
« Reply #16 on: November 22, 2021, 08:05:33 PM »
Cool.

So openvpn bridge is not the same as smeserver bridge, and they're not really dependent. Hence uninstalling the openvpn contribs won't remove it.

Nonetheless I imagine it's still where the issue lies.

Did you really want a bridged network device? Or just after openvpn and installed by mistake?

Offline robf355

Re: software update tonight, now no network
« Reply #17 on: November 22, 2021, 09:54:25 PM »
I had bridged and routed on 9.2. I actually used the routed for tablet to server connection when at customers. The bridge section was installed because it keeps the certificates up to date. Though I also had the bridge service started on 9.2 so I could use Windows to connect to my cifs shares on the odd occasion when away from the office.
I didn't ever try and install the actual openvpn from a non sme package. Both mine were from contribs as far as I was aware.
To be honest the 9.2 versions worked really well both with iPhone and android

Offline Jean-Philippe Pialasse

Re: software update tonight, now no network
« Reply #18 on: November 22, 2021, 10:28:33 PM »
smeserver-bridge is also needed for softethernet and for different needs.

so while openvpn-bridge needs it they are two things.


routed is needed for ios things because bridge is not supported.
bridge is to be preferred for laptop and android.


try wireguard for the tablet.  you will love it. 

Offline TerryF

Re: software update tonight, now no network
« Reply #19 on: November 23, 2021, 12:59:01 AM »
try wireguard for the tablet.  you will love it.

Yep, a tick for this..

Offline robf355

Re: software update tonight, now no network
« Reply #20 on: November 24, 2021, 04:18:27 PM »

try wireguard for the tablet.  you will love it.
Installed - so easy to setup, is it as secure as open vpn?

Offline ReetP

Re: software update tonight, now no network
« Reply #21 on: November 24, 2021, 07:57:41 PM »
Installed - so easy to setup, is it as secure as open vpn?

Possibly. There are a lot of sites where you can compare between Ipsec v2, OpenVPN, and Wireguard (forget Ipsec v1/L2TP/PPP)

Each has benefits and drawbacks.

OpenVPN and Ipsec have been around a long time, and are well known and tested. They can both use certificates which can enhance your security considerably, but are not so easy to set up.

It will depend on your needs.

For home use definitely try Wireguard as it is simple to install and use. But you need an app so consider your privacy there.

For more business orientated work you may want to look at OpenVPN or IPsec. They might not be quite as 'quick', but they are the industry standards and used by governments and business globally.

OpenVPN needs an app for a mobile - but clearly privacy is involved - and certificates.

Ipsec can be used on mobiles natively so that is a bit less overhead and better privacy. It can be used with just passwords, or with RSA signatures, or certificates.

Wireguard and OpenVPN have Koozali implementations. I have had an ipsec implementation for years which I need to finish upgrading for v10 and plus better mobile support. yet another job :-(

I'd have a good read around so you really understand the differences, pros and cons.

YMMV... :-)