Messages - Mr.Goodcat

#31
22.1 Legacy Series / Re: DNScryptProxy not working?
January 28, 2022, 01:45:10 PM
Same issue here: no logs in GUI after update to 22.1. Any ideas / plans to fix this? :-[
#32
I don't quite get it but still look forward to your update ;D
#33
Quote from: mimugmail on January 21, 2022, 12:53:00 PM
Hm, this won't work in the current setup as the checkbox does this for all, so this is an all or nothing setup. :(

Yes, it would need to be along the lines of something like the "users" section of freeradius, i.e. with an individual "NTS" checkbox per Server.
#34
Quote from: mimugmail on December 30, 2021, 07:56:22 AM
What is the exact syntax you use to achieve this?
Currently it seems not possible as templating is adding "nts" to every record as soon as you enable "NTS"

https://chrony.tuxfamily.org/doc/devel/chrony.conf.html
NTS should only be added to servers specifically configured with NTS. Then it will be sufficient to add a line with "authselect MODE", where mode can be require/prefer/mix/ignore.
#35
Issue solved!

The interface I used for attaching the 5G WAN CPE was previously used for internal purposes. As such, the DHCP server was configured with "Deny unknown clients" and "Enable Static ARP entries". These entries for the DHCP server disappeared from the GUI after switching the WAN interface from static IP to DHCP client, just like they should.

However, the DHCP server config appears to have been active nonetheless. This can't be the intended behaviour and should be fixed. After switching the WAN interface to static IP, removing the DHCP server entries and then switching WAN back to DHCP client for getting an IP, everything works as intended.
#36
As the issue persists, I tried to get additional information.
Attached is an image of a packet capture on the WAN interface connecting OPNSense (Mellanox NIC) and the ZTE 5G CPE/Gateway. As can be seen, the CPE sends ARP requests to OPN's WAN port and receives proper replies. For some reason though, this keeps repeating indefinitely. :-\
The Firewall itself doesn't seem to send any ARP request to the CPE and also doesn't infer the data from the received requests.
#37
Hi,

my setup has two WANs:
one via Cable (DOCSIS), one via a 4G/5G CPE which is in bridge mode and attached via Ethernet.

For some reason, the latter's WAN gateway in OPNSense does not come up on its own. OPNSense receives an IP via DHCP, but there is no corresponding ARP entry for the 4G/5G CPE. If I add this manually, everything works.

However, as the 4G/5G WAN IP can change, setting a static entry is no real solution - i.e. there is no fixed MAC-IP combination.

As of now, my best guess for this behaviour is that both WAN and Gateway IP are in the 100.64.0.0/10 range, i.e. carrier-grade NAT IPs. However, the corresponding WAN interface at OPNSense is set to allow both bogons and private IPs.

Thus I'm looking for any other issues which could cause the observed behaviour. Any ideas would be greatly appreciated! :)
#38
21.7 Legacy Series / Re: Chrony NTS broken?
September 21, 2021, 05:17:38 PM
Thank you all for the feedback!
After playing around and looking at logs this issue is now solved: a reboot finally fixed it :P
It's the little things that get you... ;D
#39
21.7 Legacy Series / [Solved] Chrony NTS broken?
September 20, 2021, 05:51:19 PM
Hi,

I just noticed that chrony doesn't seem to work with NTS anymore. Once I enable this setting, no synchronization takes place, which results in the "tracking" tab showing the date as 1970...
Even when only one NTS server (e.g. Cloudflare) is used nothing happens.
As it worked flawlessly before, this might have crept in during the last update?
Does anyone else experience such behaviour?

Thanks!
#40
21.7 Legacy Series / Broken traffic reporting (netmap)
August 21, 2021, 08:05:33 PM
Using Mellanox ConnectX-3 NICs (driver: mlx4en) traffic reporting is still broken. Oddly enough, this only affects setups in which VLANs are defined on virtual functions (i.e. VFs, see https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/edit#gid=0). Thus netmap generally works, just not in this instance. When VLANs are assigned in OPNSense (which has its drawbacks compared to VFs), it works as intended. It would be great if anyone could have a look at this :)

https://github.com/opnsense/src/issues/103
#41
Quote from: Taomyn on July 28, 2021, 04:13:27 PM
Thanks Franco. Now I can wait patiently for the upgrade path.

This looks like a nicer option. Otherwise the custom config won't be part of the overall config file, potentially messing up restores:
https://forum.opnsense.org/index.php?topic=23941.0
#42
Quote from: Taomyn on July 27, 2021, 01:40:43 PM
Sorry for the noob question but trying to get ahead of the eventual upgrade to 21.7, but currently my Unbound has the following in custom:

server:
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: ::1@5353
  forward-addr: 127.0.0.1@5353

It's forwarding to the DNSCrypt-Proxy service.

Will I be able to do this with 21.7 and the new standard menu? Currently still on 21.1.8 as I am not on-site to attempt the upgrade to 21.1.9

Did you find a solution yet? I'm faced with the same issue now that custom options are being taken away :(
#43
Hi,

thank you for your help! :D

Quote from: mimugmail on July 19, 2021, 10:17:20 PM
Can you open a feature request in GitHub? I'll take it then

I opened up a request on GitHub, not sure if this is the right format though:
https://github.com/opnsense/plugins/issues/2470
#44
Hi,

just a quick feedback: I patched in the changes and they work great. Thanks! ;D
#45
Hi,

I recently decided to switch to chrony which is working great so far :D
Unfortunately though, the plugin doesn't allow specifying the authselectmode, i.e. how to handle NTS. Currently it seems to be set to "require", meaning all non-NTS servers are ignored. However, I'd like to run a mix of remote NTS servers plus local non-NTS servers. Thus it would be great if the options "prefer" and "mix" were available. Would it be possible to add this with an upcoming update? Thanks!
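As an added illustration (not part of the original posts and not the OPNsense chrony plugin's own template), this is the chrony.conf layout that posts #34 and #45 are asking the plugin to produce: NTS enabled per server with the "nts" source option rather than for every record, and a single authselectmode line deciding how the non-NTS local sources are treated. The second NTS hostname and the LAN address are constructed placeholders.

```conf
# Added example, not from the original posts or the plugin template.

# Remote sources that support NTS: the per-source "nts" option turns on
# NTS-KE and authenticated NTP for that source only.
server time.cloudflare.com iburst nts
# constructed placeholder hostname
server nts.example.net iburst nts

# Local source without NTS (constructed LAN address).
server 192.0.2.10 iburst

# authselectmode controls how unauthenticated sources are used next to NTS ones:
#   require - only authenticated sources are selectable (chrony's default,
#             which is why the local non-NTS servers were ignored in #45)
#   prefer  - unauthenticated sources are selectable only when no
#             authenticated source is selectable
#   mix     - authenticated and unauthenticated sources are used together
#   ignore  - authentication status is not considered in selection
authselectmode prefer

# Optional: CA bundle chrony uses to verify the NTS-KE server certificates
# (path shown is the FreeBSD ca_root_nss location; adjust to your system).
# ntstrustedcerts /usr/local/share/certs/ca-root-nss.crt
```

With "prefer", the authenticated Cloudflare source is normally the one selected and the LAN server only takes over when no NTS source is usable; "mix" would let chrony weigh all three equally, which trades some of the NTS guarantee for availability. Either way, the result can be checked with "chronyc -N authdata", which lists the authentication mode per source.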