Topics - opnnewbie

#1
I have been using opnSense since last December and updated/upgraded it a couple of times without any issues; however, since 22.1.3, I have not been able to update/upgrade it anymore, and I've been trying for a month or so:

Enter an option: 12

Fetching change log information, please wait... fetch: transfer timed out

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
pkg-static: http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/22.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg-static: http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/22.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Error updating repositories!
Starting web GUI...done.
Generating RRD graphs...done.


No matter what, I always get "fetch: transfer timed out", either from the GUI or the console, and it takes many minutes for opnSense to report the "failed update". My connection is not the best, I admit, but while opnSense is running the update process I manage to access from my browser all the resources opnSense cannot access; e.g.:

https://www.opnsense.org
http://mirror.sfo12.us.leaseweb.net/opnsense/
https://mirror.sfo12.us.leaseweb.net/opnsense/

... etc. My browser is on a workstation behind opnSense, like my server, which is running BIND from opnSense unbound. Although I often have time-outs due to a not-so-good connection, I can work every day with it; moreover, today I just updated Arch Linux and Manjaro systems behind opnSense using the same BIND-from-unbound setup that I have been running for almost half a year, and I have no problems at all. But I cannot manage to update opnSense from 22.1.3 to 22.1.9 or newer.

And I cannot understand why, if opnSense gets DNS time-outs, it takes so long to complain, or, if it gets a time-out for the change-log information at the beginning, it still insists on proceeding with the update sequence. It seems to me that if the change-log cannot be retrieved, due to a time-out or whatever else, and if the change-log is a mandatory requirement for the update sequence, why is it not aborted/interrupted after n time-out seconds? 60 seconds should be enough to inform the user the update cannot proceed for whatever reason; 5-10 minutes ... is totally out of the question. It is a simple check.

Question:

Is there a way to update opnSense from the CLI from a downloaded opnSense image ?

Can I manually download the packages from the mirror and place them in the opnSense package cache ? (I suppose /var/cache/whatever) ... will opnSense use them or will it insist on downloading them ?
#2
First and foremost: I am posting here because I didn't find a more suitable forum section.

OK the first time I login via https://forum.opnsense.org/index.php?action=login

But after a while, when I was automatically logged out after n seconds (60 is the default) and I attempt to login once again, I get the URL with the previous/current session ID; e.g.: https://forum.opnsense.org/index.php?PHPSESSID=t2hlaskhlfu54aq3dbq40ijso8&action=login

After entering my credentials once again I was redirected to where I was the last time, but I am not logged in. The menu shows the Login option instead of Logout and obviously I cannot post/reply etc.

If I select login in the menu once again I get the same URL with the session ID value attached.

If I manually remove the session ID; eg: https://forum.opnsense.org/index.php?action=login

... the login is successful.

Not a great deal, but exasperating when you attempt to use the forum for a successive batch of post/replies.

Yes. I know. I can bookmark https://forum.opnsense.org/index.php?action=login in my favorites and done.

But I think it should not be the case.
#3
even when I explicitly enable them, either by:

- enabling all of them with the top generic checkbox
- enabling them one by one with their associated checkboxes

when I apply the configuration, all are shown enabled as I specified;
when I select any other option on the GUI and then revisit the DNS over TLS page, all of them are shown disabled.

is this normal behavior or what ?

By the way, I already cleared the former (plain-DNS) servers on [System | Settings | General | DNS servers] and unbound is working as expected, so I assume the servers added on DNS over TLS are honored.
#4
When I configure unbound DNS service I automatically get the following access lists:

- Internal Allow 127.0.0.1/8
- Internal Allow ::1/64
- Internal Allow #.#.#.#/# ... my LAN address; eg: 10.0.0.1

I manually added aclDNS as follows:

- Allow 10.0.0.2/0 ... internal DNS traffic is coming through this IP ONLY; ie: already-NATed by another router within my LAN

Generic traffic (sans DNS queries) will be going through 10.0.0.1.

So in this case I DO NOT WANT the automatically-added ACLs ... how can I get rid of them ?
#5
My current configuration has:

- System ‣ Settings ‣ General : DNS Server set to 1.1.1.1 and 1.0.0.1 (CloudFlare)
- DNS Query Forwarding: [Enable Forwarding Mode] disabled
- DNSSEC: [Enable DNSSEC Support] enabled

The GUI help states: The configured system nameservers will be used to forward queries to.
The docs state: DNS Query Forwarding: Forward queries to configured nameservers in System ‣ Settings ‣ General : DNS Server

It seems this is NOT required since my configuration is already resolving from CloudFlare ... unless I don't understand something (most probably).

Can anyone clarify please ?
#6
For example alongside the icon of the interface on Lobby | Dashboard | Interfaces.

Meaning an icon, text, whatever stating link quality.

It would really be welcome :)
#7
This is one of those posts that do not seek advice to do A or B or whatever; the sole reason is to state that, two or so months after first installing opnSense in my life, I am quite happy with it.

THANKS to the whole community for a superb product !

It needs to be said.

Although I still have a lot of things to learn about it, opnSense proved far more powerful/configurable than I ever guessed.

THANKS again.

PS: Expect a lot of questions in the days ahead from this newbie :)
#8
Alfa Network AWUS1900 USB 3.0-to-802.11a/b/g/n/ac using RealTek RTL8814AU chip (PCI-ID=8813).

I didn't manage to get it working. It simply does not get recognized under wireless devices in the GUI.

PS: on Linux you need to install the RTL8814AU firmware-related package and then it works flawlessly, but I did not manage to do the same on either opnSense or FreeBSD.
#9
Alfa Network AWUS036NHRv2 USB 2.0-to-802.11a/b/g/n using a RealTek RTL8188RU chip (PCI-ID=817F).

For those interested I can state that after two-or-so months of daily usage this adapter works flawlessly.

On my setup the Alfa is serving the WAN side of the router; ie: ISP -> WiFi adapter -> WAN -> LAN.
#10
I was trying to harden my box crypto selecting the algos I want to use and deselecting everything else, and, what probably should have happened ... well, happened, I was locked out of my box.

What I did wrong was deselecting algos in the box without first delimiting the algos I want to use in the .config file for ssh on my workstation. Had I done this to begin with, deselecting the unwanted ones on opnSense would have been a straightforward and sure process.

Now, question is: since I can no longer access SSH/HTTPs how do I reset them from the local console ?

Where should I look for providing I enter the shell via VGA on the local machine ?

rc.conf ?

or does opnSense have something like a master configuration file or the like ?

And yes, the next time I promise to be more careful :(

EDITED on 19-01-2022: SELF-SOLVED:

I manually edited config.xml and deleted the entry for specific algos under webgui.
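As an added example for the lesson in this post (my code, not the poster's and not part of OPNsense): a pre-flight check that, before any algorithm is deselected on the box, confirms the workstation's OpenSSH client config can still negotiate one key exchange, one cipher and one MAC against what the server will keep. It applies the negotiation rule from RFC 4253 section 7.1 (the client's first preference that the server also offers). The server list, the host entry and the address 10.0.0.1 are constructed; the parser only evaluates absolute lists and reports OpenSSH's `+`/`-`/`^` relative forms as unknown, since they depend on the client's compiled-in defaults.

```python
"""Pre-flight check before restricting SSH algorithms on a remote box.

Added example (not OPNsense's own code). Before deselecting algorithms on
the server, compute what the client you will reconnect from can still
negotiate; no common algorithm in any category means the next login is
refused. All algorithm lists and the ssh_config snippet are constructed.
"""
from typing import Dict, List, Optional

# Each of these categories must yield at least one common algorithm.
CATEGORIES = ("KexAlgorithms", "Ciphers", "MACs")
_KEYS = {c.lower(): c for c in CATEGORIES}


def parse_client_ssh_config(text: str) -> Dict[str, Optional[List[str]]]:
    """Extract explicit algorithm lists from an OpenSSH client config.

    A category maps to None when it is not set (the client relies on its
    compiled-in defaults) or when the value uses OpenSSH's '+', '-' or '^'
    prefix forms, which edit the defaults and cannot be evaluated offline.
    """
    found: Dict[str, Optional[List[str]]] = {c: None for c in CATEGORIES}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in _KEYS:
            continue
        if value[0] in "+-^":
            found[_KEYS[key]] = None  # relative to defaults: unknown offline
        else:
            found[_KEYS[key]] = [a.strip() for a in value.split(",") if a.strip()]
    return found


def negotiate(server_allowed: Dict[str, List[str]],
              client: Dict[str, Optional[List[str]]]) -> Dict[str, Optional[str]]:
    """RFC 4253 section 7.1: the chosen algorithm is the first entry of the
    client's list that the server also offers. None means no match or an
    unknown client list."""
    chosen: Dict[str, Optional[str]] = {}
    for cat in CATEGORIES:
        offered = set(server_allowed.get(cat, []))
        client_list = client.get(cat)
        if client_list is None:
            chosen[cat] = None
        else:
            chosen[cat] = next((a for a in client_list if a in offered), None)
    return chosen


def assess(server_allowed, client) -> Dict[str, str]:
    """Per category: 'ok', 'no-match' (certain lockout) or 'unknown'."""
    chosen = negotiate(server_allowed, client)
    return {cat: "unknown" if client.get(cat) is None
            else ("ok" if chosen[cat] else "no-match")
            for cat in CATEGORIES}


def lockout_categories(server_allowed, client) -> List[str]:
    """Categories that would certainly refuse the next connection."""
    return [c for c, s in assess(server_allowed, client).items() if s == "no-match"]


# Constructed: what an admin might leave enabled on the firewall.
SERVER_ALLOWED = {
    "KexAlgorithms": ["curve25519-sha256", "curve25519-sha256@libssh.org"],
    "Ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "MACs": ["hmac-sha2-512-etm@openssh.com"],
}

# Constructed workstation ~/.ssh/config entry as it stood BEFORE the change.
CLIENT_CONFIG_BEFORE = """\
# hypothetical host entry
Host firewall
    HostName 10.0.0.1
    KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256
    Ciphers aes128-ctr,aes256-gcm@openssh.com
    MACs hmac-sha2-256
"""

# Same entry with the MAC list brought in line with the server first.
CLIENT_CONFIG_FIXED = CLIENT_CONFIG_BEFORE.replace(
    "MACs hmac-sha2-256", "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256")


if __name__ == "__main__":
    for label, cfg in (("before", CLIENT_CONFIG_BEFORE), ("fixed", CLIENT_CONFIG_FIXED)):
        client = parse_client_ssh_config(cfg)
        print(label, assess(SERVER_ALLOWED, client),
              "lockout in:", lockout_categories(SERVER_ALLOWED, client) or "none")
```

Read the other way round, the report tells you which client list to extend before touching the server: the "before" entry above fails only on MACs, and once the fixed entry passes in all three categories, restricting the server side can no longer cut off that workstation.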
#11
First and foremost I suppose this question should go here since I did not find a more relevant section, otherwise, please point me to.

I am attempting to deploy my first opnSense device as a router to the intranet plus firewall and all the usual stuff to definitely ditch some Cisco boxes (router and ASAs) once and for all -the only ones I'll be keeping for the time being are the switches.

LAN is already set on a wired port, so far so good.

WAN should go out through a wireless port, and I am not finding the wireless settings to set it up. I know there is another menu option named WLAN, but this seems to be for setting up an internal access point for my private devices, and I want it the other way around. I do have an operational setup like this with an outdated Cisco 1941 router and a wireless HWIC card configured as universal access point (I guess that was the description) and it worked fine for many years. Precisely, I set up the HWIC as WAN, enter the BSSID to which I want to connect with all the details, configure manual IPv4, and then this HWIC connects to another router over the water, where wired connections are not possible to begin with.

Please, can anybody advise me ?
#12
I am in the process of attempting my first opnSense installation to replace my current router.

In the meantime I have to move my WAN to the router and sometimes I get off-line.

I can't find a link to download the full docs in PDF or whatever other format you offer, short of using a robot to download all the HTML links (very cumbersome to say the least).

Is there a place where the docs are available for direct download ?

I did search the directories on one of the mirrors and found nothing at all regarding docs.