TCP [FIN-ACK] packets for HTTPS traffic are dropped

Hello, thanks for looking into this.

Windows and Linux / Debian work. Trying to update OPNsense is the only serious problem I found so far.

Hopefully, this procedure will help you see the issue…

Download OPNsense from "Download - OPNsense® is a true open source firewall and more"
(I used 23.1.11 and earlier, but since they don’t recognize the problem and hence can’t fix it,
the actual version is probably not important.)

Install on suitable hardware (see "Hardware sizing & setup — OPNsense documentation").
Easiest if using two ethernet interfaces and try to use LAN-port when talking with OPNsense.
(Default rules allow access on LAN-port but not on WAN).

Read the installation manual ("Installation and setup — OPNsense documentation").
I suggest using static IPv4 addresses both for LAN and WAN.
(DHCP also works, but I have had some issues sometimes.)

  • First log in to the GUI https://yourconfiguredLANaddress

  • System->Firmware->Settings->Mirror: Choose c0urier.net (HTTPS, Lund, SE)
    (This mirror doesn’t have ipv6 which helps if your own ISP doesn’t support ipv6. I.e. this is the setting I use.)

  • SSH into the OPNsense router (or through RS-232 port if available)

  • Choose 8 (Shell)

  • pkg update -f
    if successful it will complete within seconds
    if unsuccessful percentage counter will stall (most often at 0%), hit Ctrl-C to interrupt.

This “Check for update” is normally done in the GUI. But when using TRB500 as gateway, as long as the problem exists, you will have to reboot OPNsense each time you notice that the update doesn’t work. There are background processes that never terminate when using the GUI.

In the shell, using ‘pkg update -f’, you don’t need to reboot if you interrupt with Ctrl-C.

I strongly suggest you do the first setup of OPNsense having the WAN-port connected to some other route to internet than through TRB500 (and probably other devices based on the same firewall rules).

When you have reached the point above where you can run a ‘pkg update -f’ from the shell without any issues, then it is time to move the WAN-cable to TRB500. Of course adjusting WAN address and default gateway first.
‘ping c0urier.net’ must work, then you can try ‘pkg update -f’

When everything works, you should be able to click on “check for updates” on the dashboard in the GUI.

My TRB500 is using TRB5_R_00.07.04.3
