Topics - magnust

#1
For a bunch of months now I never get notification emails from the forum (not in the spam folder either). I searched here and found others having the same problem, but I didn't find any solution.

Alerts work fine as they should.
#2
I've tried searching but failed. Any idea why, after upgrading, I now get "No web site is configured at this address." when trying to access the opnsense admin page login? Never seen that before over the years.

In addition to the standard opnsense install I run HAproxy with ACME client and ddclient.

To actually get to the login page I "reload all services" in the console, and while it is restarting all the services I get the proper login page and can log in. Next time I want to log in, same procedure. Restarting the services could point to one of the services breaking something while running, but I can't pinpoint which.
#3
Every five days or so visitors can't reach my site. They get a message in their browser that there are too many redirects. My very uneducated guess is that this has to do with some problem with Haproxy running on my OPNsense as an https to http proxy for two sites.

After these events I always have the message in the OPNsense dashboard that a problem occurred, and I send this in as a report. These reports always end with this below, although some numbers are slightly different; for example the cpuid differs between the reports.

Due to lack of knowledge I have no clue where to begin: does it have to do with the network card drivers, is it a Hyper-V incompatibility issue, is there anything I can try turning off or on to see if it makes any difference? It's getting quite problematic since I need to be on standby 24/7 to be able to restart OPNsense when this happens.




Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0x18
fault code      = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff80d37b72
stack pointer           = 0x28:0xfffffe0061f8b650
frame pointer           = 0x28:0xfffffe0061f8b6c0
code segment      = base 0x0, limit 0xfffff, type 0x1b
         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags   = interrupt enabled, resume, IOPL = 0
current process      = 0 (hvevent3)
trap number      = 12
panic: page fault
cpuid = 3
time = 1652011369
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0061f8b410
vpanic() at vpanic+0x17f/frame 0xfffffe0061f8b460
panic() at panic+0x43/frame 0xfffffe0061f8b4c0
trap_fatal() at trap_fatal+0x385/frame 0xfffffe0061f8b520
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe0061f8b580
calltrap() at calltrap+0x8/frame 0xfffffe0061f8b580
--- trap 0xc, rip = 0xffffffff80d37b72, rsp = 0xfffffe0061f8b650, rbp = 0xfffffe0061f8b6c0 ---
m_copydata() at m_copydata+0xf2/frame 0xfffffe0061f8b6c0
tcp_output() at tcp_output+0x1339/frame 0xfffffe0061f8b8a0
tcp_do_segment() at tcp_do_segment+0x2b54/frame 0xfffffe0061f8b980
tcp_input_with_port() at tcp_input_with_port+0xafb/frame 0xfffffe0061f8bae0
tcp_input() at tcp_input+0xb/frame 0xfffffe0061f8baf0
ip_input() at ip_input+0x15f/frame 0xfffffe0061f8bb80
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe0061f8bbd0
ether_demux() at ether_demux+0x138/frame 0xfffffe0061f8bc00
ether_nh_input() at ether_nh_input+0x355/frame 0xfffffe0061f8bc60
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe0061f8bcb0
ether_input() at ether_input+0x69/frame 0xfffffe0061f8bd10
hn_chan_callback() at hn_chan_callback+0xa8e/frame 0xfffffe0061f8be10
vmbus_chan_task() at vmbus_chan_task+0x26/frame 0xfffffe0061f8be40
taskqueue_run_locked() at taskqueue_run_locked+0x181/frame 0xfffffe0061f8bec0
taskqueue_thread_loop() at taskqueue_thread_loop+0xc2/frame 0xfffffe0061f8bef0
fork_exit() at fork_exit+0x7e/frame 0xfffffe0061f8bf30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0061f8bf30
--- trap 0, rip = 0xffffffff80c2b91f, rsp = 0, rbp = 0x3000000020 ---
mi_startup() at mi_startup+0xdf/frame 0x3000000020
KDB: enter: panic
panic.txt: page fault
version.txt: FreeBSD 13.0-STABLE stable/22.1-n248071-cafeb6ce414 SMP




Some more stuff from the report


Copyright (c) 1992-2021 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 13.0-STABLE stable/22.1-n248071-cafeb6ce414 SMP amd64
FreeBSD clang version 13.0.0 (git@github.com:llvm/llvm-project.git llvmorg-13.0.0-0-gd7b669b3a303)
SRAT: Ignoring memory at addr 0x108200000
SRAT: Ignoring memory at addr 0x1000000000
SRAT: Ignoring memory at addr 0x10000200000
SRAT: Ignoring memory at addr 0x20000200000
SRAT: Ignoring memory at addr 0x40000200000
SRAT: Ignoring memory at addr 0x80000200000
VT(efifb): resolution 1024x768
Hyper-V Version: 10.0.14393 [SP5]
  Features=0x2e7f
  PM Features=0x0 [C2]
  Features3=0xed7b2
Timecounter "Hyper-V" frequency 10000000 Hz quality 2000
CPU: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz (3192.00-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x906ea  Family=0x6  Model=0x9e  Stepping=10
  Features=0x1f83fbff
  Features2=0xfeda3203
  AMD Features=0x2c100800
  AMD Features2=0x121
  Structured Extended Features=0x9c6fb9
  Structured Extended Features3=0x9c000400
  XSAVE Features=0xb
Hypervisor: Origin = "Microsoft Hv"
real memory  = 4294967296 (4096 MB)
avail memory = 4124368896 (3933 MB)
Event timer "LAPIC" quality 100
ACPI APIC Table:
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
FreeBSD/SMP: 1 package(s) x 4 cache groups x 1 core(s)
random: registering fast source Intel Secure Key RNG
random: fast provider: "Intel Secure Key RNG"
random: unblocking device.
ioapic0  irqs 0-23
Launching APs: 1 2 3
wlan: mac acl policy registered
Timecounter "Hyper-V-TSC" frequency 10000000 Hz quality 3000
random: entropy device external interface
kbd0 at kbdmux0
WARNING: Device "spkr" is Giant locked and may be deleted before FreeBSD 14.0.
efirtc0:
efirtc0: registered as a time-of-day clock, resolution 1.000000s
aesni0:
acpi0:
cpu0:  on acpi0
atrtc0:  port 0x70-0x71 irq 8 on acpi0
atrtc0: registered as a time-of-day clock, resolution 1.000000s
Event timer "RTC" frequency 32768 Hz quality 0
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
acpi_syscontainer0:  on acpi0
vmbus0:  on acpi_syscontainer0
vmgenc0:  on acpi0
vmbus_res0:  irq 5 on acpi0
Timecounters tick every 10.000 msec
usb_needs_explore_all: no devclass
vmbus0: version 4.0
hvet0:  on vmbus0
Event timer "Hyper-V" frequency 10000000 Hz quality 1000
hvkbd0:  on vmbus0
hvheartbeat0:  on vmbus0
hvkvp0:  on vmbus0
hvshutdown0:  on vmbus0
hvtimesync0:  on vmbus0
hvtimesync0: RTT
hvvss0:  on vmbus0
storvsc0:  on vmbus0
hn0:  on vmbus0
<6>hn0: Ethernet address: 00:15:5d:0c:87:5b
hn1:  on vmbus0
<6>hn0: link state changed to UP
<6>hn1: Ethernet address: 00:15:5d:0c:87:5d
hn2:  on vmbus0
<6>hn1: link state changed to UP
<6>hn2: Ethernet address: 00:15:5d:0c:87:60
hn3:  on vmbus0
<6>hn2: link state changed to UP
<6>hn3: Ethernet address: 00:15:5d:0c:87:65
hn4:  on vmbus0
<6>hn3: link state changed to UP
<6>hn4: Ethernet address: 00:15:5d:0c:87:66
<6>hn4: link state changed to UP
hn5:  on vmbus0
<6>hn5: Ethernet address: 00:15:5d:0c:87:67
hn6:  on vmbus0
<6>hn5: link state changed to UP
<6>hn6: Ethernet address: 00:15:5d:0c:87:68
hn7:  on vmbus0
<6>hn6: link state changed to UP
<6>hn7: Ethernet address: 00:15:5d:0c:87:69
<6>hn7: link state changed to UP
cd0 at storvsc0 bus 0 scbus0 target 0 lun 1
cd0:  Removable CD-ROM SPC-3 SCSI device
cd0: 300.000MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed
da0 at storvsc0 bus 0 scbus0 target 0 lun 0
da0:  Fixed Direct Access SPC-3 SCSI device
da0: 300.000MB/s transfers
da0: Command Queueing enabled
da0: 130048MB (266338304 512 byte sectors)
Trying to mount root from ufs:/dev/gpt/rootfs [rw]...
<118>Mounting filesystems...
<118>tunefs: soft updates remains unchanged as enabled
<118>tunefs: file system reloaded
<118>camcontrol: ATA ATA_IDENTIFY via pass_16 failed
<118>camcontrol: ATA ATAPI_IDENTIFY via pass_16 failed
<118>** /dev/gpt/rootfs
<118>FILE SYSTEM CLEAN; SKIPPING CHECKS
<118>clean, 27525317 free (6021 frags, 3439912 blocks, 0.0% fragmentation)
<118>Setting hostuuid: b5410ab1-97b9-b14f-8750-c28bb0967f51.
<118>Setting hostid: 0x69cca029.
<118>Configuring vt: keymap blanktime.
<118>Configuring crash dump device: /dev/gpt/swapfs
<118>swapon: adding /dev/gpt/swapfs as swap device
<118>.ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/ipsec /usr/local/lib/perl5/5.32/mach/CORE
<118>32-bit compatibility ldconfig path:
<118>done.
<118>>>> Invoking early script 'upgrade'
<118>>>> Invoking early script 'configd'
<118>Starting configd.
<118>>>> Invoking early script 'templates'
<118>Generating configuration: OK
<118>>>> Invoking early script 'backup'
<118>>>> Invoking backup script 'captiveportal'
<118>>>> Invoking backup script 'dhcpleases'
<118>>>> Invoking backup script 'duid'
<118>>>> Invoking backup script 'netflow'
<118>>>> Invoking backup script 'rrd'
<118>>>> Invoking early script 'carp'
<118>CARP event system: OK
<118>Launching the init system...done.
<118>Initializing...........done.
<118>Starting device manager...done.
<118>Configuring login behaviour...done.
<118>Configuring loopback interface...
<6>lo0: link state changed to UP
<118>done.
<118>Configuring kernel modules...done.
<118>Setting up extended sysctls...done.
<118>Setting timezone...done.
<118>Writing firmware setting...done.
<118>Writing trust files...done.
#4
Has been running stable since I turned off IDS, but suddenly this. Any pointer to what might have happened? I don't have the knowledge to understand the message :-) It's a virtual machine running on Hyper-V.



OPNsense 22.1.4_1 1aa77c16b
Plugins os-acme-client-3.8 os-dyndns-1.27_3 os-haproxy-3.10



Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0x18
fault code      = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff80d37eed
stack pointer           = 0x28:0xfffffe0061f70650
frame pointer           = 0x28:0xfffffe0061f706c0
code segment      = base 0x0, limit 0xfffff, type 0x1b
         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags   = interrupt enabled, resume, IOPL = 0
current process      = 0 (hvevent3)
trap number      = 12
panic: page fault
cpuid = 3
time = 1648727457
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0061f70410
vpanic() at vpanic+0x17f/frame 0xfffffe0061f70460
panic() at panic+0x43/frame 0xfffffe0061f704c0
trap_fatal() at trap_fatal+0x385/frame 0xfffffe0061f70520
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe0061f70580
calltrap() at calltrap+0x8/frame 0xfffffe0061f70580
--- trap 0xc, rip = 0xffffffff80d37eed, rsp = 0xfffffe0061f70650, rbp = 0xfffffe0061f706c0 ---
m_copydata() at m_copydata+0x4d/frame 0xfffffe0061f706c0
tcp_output() at tcp_output+0x1339/frame 0xfffffe0061f708a0
tcp_do_segment() at tcp_do_segment+0x2cd5/frame 0xfffffe0061f70980
tcp_input_with_port() at tcp_input_with_port+0xafb/frame 0xfffffe0061f70ae0
tcp_input() at tcp_input+0xb/frame 0xfffffe0061f70af0
ip_input() at ip_input+0x15f/frame 0xfffffe0061f70b80
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe0061f70bd0
ether_demux() at ether_demux+0x138/frame 0xfffffe0061f70c00
ether_nh_input() at ether_nh_input+0x355/frame 0xfffffe0061f70c60
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe0061f70cb0
ether_input() at ether_input+0x69/frame 0xfffffe0061f70d10
hn_chan_callback() at hn_chan_callback+0xa8e/frame 0xfffffe0061f70e10
vmbus_chan_task() at vmbus_chan_task+0x26/frame 0xfffffe0061f70e40
taskqueue_run_locked() at taskqueue_run_locked+0x181/frame 0xfffffe0061f70ec0
taskqueue_thread_loop() at taskqueue_thread_loop+0xc2/frame 0xfffffe0061f70ef0
fork_exit() at fork_exit+0x7e/frame 0xfffffe0061f70f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0061f70f30
--- trap 0, rip = 0xffffffff80c2bd3f, rsp = 0, rbp = 0x3000000020 ---
mi_startup() at mi_startup+0xdf/frame 0x3000000020
KDB: enter: panic
panic.txt: page fault
version.txt: FreeBSD 13.0-STABLE stable/22.1-n248063-ac40e064d3c SMP
#5
After upgrading to v22.1 my QOTOM i5 7200U box started crashing/rebooting randomly. I tried some different bios settings but nothing helped. So I installed OPNsense in Hyper-V on my server instead, restored a backup, and I'm running it that way now. But it still randomly crashes and reboots (once every few days).

Not much added to the basic setup:
os-acme-client-3.8
os-dyndns-1.27_3
os-haproxy-3.10

I get the "a problem was detected" message in the GUI dashboard and have submitted reports (three times so far) but I'm getting a bit worried.

A pretty standard setup on Hyper-V crashing; has anyone else had problems?




a short bit from the report:

Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 02
fault virtual address   = 0x18
fault code      = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff80d37edd
stack pointer           = 0x28:0xfffffe00ad3922a0
frame pointer           = 0x28:0xfffffe00ad392310
code segment      = base 0x0, limit 0xfffff, type 0x1b
         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags   = interrupt enabled, resume, IOPL = 0
current process      = 20269 (W#01-hn3)
trap number      = 12
panic: page fault
cpuid = 2
time = 1645948400
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00ad392060
vpanic() at vpanic+0x17f/frame 0xfffffe00ad3920b0
panic() at panic+0x43/frame 0xfffffe00ad392110
trap_fatal() at trap_fatal+0x385/frame 0xfffffe00ad392170
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00ad3921d0
calltrap() at calltrap+0x8/frame 0xfffffe00ad3921d0
--- trap 0xc, rip = 0xffffffff80d37edd, rsp = 0xfffffe00ad3922a0, rbp = 0xfffffe00ad392310 ---
m_copydata() at m_copydata+0x4d/frame 0xfffffe00ad392310
tcp_output() at tcp_output+0x1339/frame 0xfffffe00ad3924f0
tcp_do_segment() at tcp_do_segment+0x2cd5/frame 0xfffffe00ad3925d0
tcp_input_with_port() at tcp_input_with_port+0xafb/frame 0xfffffe00ad392730
tcp_input() at tcp_input+0xb/frame 0xfffffe00ad392740
ip_input() at ip_input+0x15f/frame 0xfffffe00ad3927d0
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe00ad392820
ether_demux() at ether_demux+0x138/frame 0xfffffe00ad392850
ether_nh_input() at ether_nh_input+0x355/frame 0xfffffe00ad3928b0
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe00ad392900
ether_input() at ether_input+0x69/frame 0xfffffe00ad392960
nm_os_send_up() at nm_os_send_up+0x11/frame 0xfffffe00ad392970
netmap_send_up() at netmap_send_up+0x4e/frame 0xfffffe00ad3929c0
netmap_txsync_to_host() at netmap_txsync_to_host+0x74/frame 0xfffffe00ad392a40
netmap_ioctl() at netmap_ioctl+0x1b4/frame 0xfffffe00ad392b10
freebsd_netmap_ioctl() at freebsd_netmap_ioctl+0x74/frame 0xfffffe00ad392b50
devfs_ioctl() at devfs_ioctl+0xc6/frame 0xfffffe00ad392ba0
vn_ioctl() at vn_ioctl+0x1a4/frame 0xfffffe00ad392cb0
devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe00ad392cd0
kern_ioctl() at kern_ioctl+0x25b/frame 0xfffffe00ad392d40
sys_ioctl() at sys_ioctl+0xf1/frame 0xfffffe00ad392e00
amd64_syscall() at amd64_syscall+0x10c/frame 0xfffffe00ad392f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00ad392f30
--- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x801b410ca, rsp = 0x7fffdfffddf8, rbp = 0x7fffdfffde70 ---
KDB: enter: panic
panic.txt: page fault
version.txt: FreeBSD 13.0-STABLE stable/22.1-n248057-239b52c9023 SMP
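A triage script for the three panic reports in posts #3, #4 and #5, added here as an example; it is not from the thread and not OPNsense or FreeBSD code. It parses a "Fatal trap 12" report, pulls out the fault address, the running thread and the call chain after the trap marker, and compares reports so that the kernel path they share and the ingress path unique to each one stand out. The two embedded reports are excerpts trimmed from the traces quoted in posts #4 and #5 (frames before the trap marker dropped); the class and function names are the example's own.

```python
import re
from dataclasses import dataclass

# Excerpts trimmed from the crash reports quoted in posts #4 and #5 of this
# thread: only the header fields and the frames after the trap marker are kept.
REPORT_POST4 = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x18
current process      = 0 (hvevent3)
--- trap 0xc, rip = 0xffffffff80d37eed, rsp = 0xfffffe0061f70650, rbp = 0xfffffe0061f706c0 ---
m_copydata() at m_copydata+0x4d/frame 0xfffffe0061f706c0
tcp_output() at tcp_output+0x1339/frame 0xfffffe0061f708a0
tcp_do_segment() at tcp_do_segment+0x2cd5/frame 0xfffffe0061f70980
tcp_input_with_port() at tcp_input_with_port+0xafb/frame 0xfffffe0061f70ae0
tcp_input() at tcp_input+0xb/frame 0xfffffe0061f70af0
ip_input() at ip_input+0x15f/frame 0xfffffe0061f70b80
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe0061f70bd0
ether_demux() at ether_demux+0x138/frame 0xfffffe0061f70c00
ether_nh_input() at ether_nh_input+0x355/frame 0xfffffe0061f70c60
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe0061f70cb0
ether_input() at ether_input+0x69/frame 0xfffffe0061f70d10
hn_chan_callback() at hn_chan_callback+0xa8e/frame 0xfffffe0061f70e10
vmbus_chan_task() at vmbus_chan_task+0x26/frame 0xfffffe0061f70e40
taskqueue_run_locked() at taskqueue_run_locked+0x181/frame 0xfffffe0061f70ec0
KDB: enter: panic
"""
REPORT_POST5 = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x18
current process      = 20269 (W#01-hn3)
--- trap 0xc, rip = 0xffffffff80d37edd, rsp = 0xfffffe00ad3922a0, rbp = 0xfffffe00ad392310 ---
m_copydata() at m_copydata+0x4d/frame 0xfffffe00ad392310
tcp_output() at tcp_output+0x1339/frame 0xfffffe00ad3924f0
tcp_do_segment() at tcp_do_segment+0x2cd5/frame 0xfffffe00ad3925d0
tcp_input_with_port() at tcp_input_with_port+0xafb/frame 0xfffffe00ad392730
tcp_input() at tcp_input+0xb/frame 0xfffffe00ad392740
ip_input() at ip_input+0x15f/frame 0xfffffe00ad3927d0
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe00ad392820
ether_demux() at ether_demux+0x138/frame 0xfffffe00ad392850
ether_nh_input() at ether_nh_input+0x355/frame 0xfffffe00ad3928b0
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe00ad392900
ether_input() at ether_input+0x69/frame 0xfffffe00ad392960
nm_os_send_up() at nm_os_send_up+0x11/frame 0xfffffe00ad392970
netmap_send_up() at netmap_send_up+0x4e/frame 0xfffffe00ad3929c0
netmap_ioctl() at netmap_ioctl+0x1b4/frame 0xfffffe00ad392b10
--- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x801b410ca, rsp = 0x7fffdfffddf8, rbp = 0x7fffdfffde70 ---
KDB: enter: panic
"""

FRAME_RE = re.compile(r"^(\w+)\(\) at \1\+0x[0-9a-f]+/frame 0x[0-9a-f]+$")
FIELD_RE = re.compile(r"^(fault virtual address|current process)\s*=\s*(.+)$")

@dataclass
class PanicSummary:
    fault_addr: int   # virtual address the kernel tried to read
    process: str      # thread that was running when it faulted
    path: list        # call chain from the faulting function outward

def parse_panic(text: str) -> PanicSummary:
    """Extract fault address, thread and post-trap call chain from a FreeBSD
    'Fatal trap 12' report; frames before '--- trap 0xc' are the panic machinery."""
    fault_addr, process, path, after_trap = None, None, [], False
    for line in text.splitlines():
        line = line.strip()
        m = FIELD_RE.match(line)
        if m and m.group(1) == "fault virtual address":
            fault_addr = int(m.group(2), 16)
        elif m:                                   # "0 (hvevent3)" -> "hvevent3"
            process = m.group(2).split("(", 1)[1].rstrip(")")
        elif line.startswith("--- trap 0xc"):     # 0xc == trap 12, the page fault
            after_trap = True
        elif after_trap and (line.startswith("---") or line.startswith("KDB:")):
            break                                 # end of the faulting call chain
        elif after_trap and FRAME_RE.match(line):
            path.append(FRAME_RE.match(line).group(1))
    if fault_addr is None or process is None or not path:
        raise ValueError("not a FreeBSD page-fault panic report")
    return PanicSummary(fault_addr, process, path)

def classify_fault(s: PanicSummary) -> str:
    """A kernel read of a tiny address is a NULL pointer plus a struct field offset."""
    kind = "NULL-pointer dereference" if s.fault_addr < 0x1000 else "invalid pointer"
    return f"{kind} at 0x{s.fault_addr:x} in {s.path[0]} (thread {s.process})"

def compare_reports(reports: dict) -> tuple:
    """Frames every report shares, and per report the frames unique to it (its ingress)."""
    paths = [s.path for s in reports.values()]
    shared = [f for f in paths[0] if all(f in p for p in paths)]
    unique = {name: [f for f in s.path if f not in shared] for name, s in reports.items()}
    return shared, unique

if __name__ == "__main__":
    reports = {"post4": parse_panic(REPORT_POST4), "post5": parse_panic(REPORT_POST5)}
    for name, s in reports.items():
        print(name, classify_fault(s))
    shared, unique = compare_reports(reports)
    print("shared:", " <- ".join(shared), "| ingress:", {n: u[0] for n, u in unique.items()})
```

Run against the reports in this thread, the script shows what a bug report should lead with: all three panics read address 0x18 inside m_copydata called from tcp_output, which is consistent with a NULL mbuf pointer plus a small field offset rather than random corruption. What differs is the ingress: in #3 and #4 the packet arrived through the hn(4) Hyper-V NIC's vmbus task (thread hvevent3), while in #5 it came up through the netmap host-ring ioctl path on a worker thread named W#01-hn3, which fits the IDS the author mentions having since turned off. The shared path plus the "still reproduces with IDS off" detail is the information a kernel or OPNsense maintainer needs to separate a netmap problem from a netvsc driver problem.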
#6
20.7 Legacy Series / libxml -- multiple vulnerabilities
October 01, 2020, 06:20:27 PM
Known thing?

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
libxml2-2.9.10 is vulnerable:
libxml -- multiple vulnerabilities
WWW: https://vuxml.freebsd.org/freebsd/f5abafc0-fcf6-11ea-8758-e0d55e2a8bf9.html

1 problem(s) in 1 installed package(s) found.
***DONE***



OPNsense 20.7.3-amd64
FreeBSD 12.1-RELEASE-p10-HBSD
LibreSSL 3.1.4
#7
When upgrading to 19.1.1 from 18.10.0 I noticed a looong boot time which I didn't recognize from before. During boot I get multiple controller timeouts for sdhci_pci1-slot0. So googling a bit I found that the problem is not new as such. Just that I now noticed what feels a longer boot time than before, but not 100% sure on that.

Anyway, what is the best way to get rid of these timeouts delaying reboot?

- Disable SD-card in bios. No such setting in my bios

- Edit /boot/loader.conf.local

- Edit in opnsense system -> settings -> tunables

I'd like to edit tunables but I can't find what exactly to add there. Anyone know?
#8
A week ago (on 18.7.4) I changed some settings without any trouble, removed some obsolete rules, all went well.

Yesterday (on 18.7.5) I wanted to remove one more rule, but when I did, ALL rules on all interfaces disappeared! I restored from a backup and tried again, same result.

#9
18.7 Legacy Series / Never mind, my bad
August 14, 2018, 06:43:23 PM
Haproxy refused to start after the update to 18.7.1, but it wasn't the upgrade; it was the reboot plus a DHCP lease that clashed with a DNS address that made it go "can't bind up xxxx" and prevented haproxy from starting.

So never mind, my bad  :)
#10
A number of times this error has popped up in the firmware reporter for me to submit (which I have). Anyone know what this means?



User-Agent Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
FreeBSD 11.1-RELEASE-p6  6621d681e(stable/18.1)
OPNsense 18.1.4-4af180a98 [18.1.2_2-43d2878aa] LibreSSL 2.6.4 (amd64)
Plugins os-acme-client-1.13 os-dyndns-1.6 os-haproxy-2.6 os-smart-1.2
Time Mon, 12 Mar 2018 16:22:45 +0100


[11-Mar-2018 00:00:02 Europe/Stockholm] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
[12-Mar-2018 00:00:02 Europe/Stockholm] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122




#11
I've set it to autoupdate every 7 days in the settings under "Services -> Let's Encrypt -> Certificates -> Edit certificate properties":
Auto Renewal is checked
Renewal Interval is set to 7

But the cronjob looks like the enclosed screenshot. What am I missing here?
#12
I've searched a bit for pointers on what to monitor and look for to ensure that the hardware isn't too stressed, possibly resulting in performance degradation for the users surfing our webserver behind our brand new shiny OPNsense box.


If I start with the Dashboard:

I can see the cpu usage varying quite a bit with short peaks up at 80 - 90% but mostly staying around 10 - 20%. What the cpu peaks really mean for actual performance, possible degradation in bandwidth and latency, I have no clue. The orange bars all have good low numbers, the highest being memory at 18%, looking very good.


On to the Reporting page:

Again it's the cpu load I'm wondering about. I've tried to find info on what ranges of the processor values could be considered no-problem, borderline-problem and really-bad.
Processes are at a steady 140, user varies between 4 and 10 with peaks up to 20 with resolution at standard but up to 40 with high resolution (at 20 hours zoom). System peaks at 5 in standard resolution and 15 in high resolution in the 20 hours zoom setting.

(the difference in peak values between standard and high resolution of course being due to the short peaks being averaged out over the whole time slot measured)



Anyone have tips on any good web page with info or some rules of thumb?
#13
I have HAproxy as a reverse proxy handling all incoming https + letsencrypt certificate, transferring it to my actual webserver on the DMZ. Works great!

But I don't know if I've set a setting wrong somewhere: if I disable HAproxy temporarily, all traffic coming in on my WAN interface is served the OPNsense admin pages instead. Even if it's password protected I really don't feel very comfortable with this. If HAproxy stops for any reason, crash, misconfiguration... no, I don't feel comfortable with that.

Is there any way to prevent this?  :-[
#14
Just a heads up.

I always have a lobby dashboard running on one computer; it gives me a great overview of things. But I noticed that if I use MSIE 10 (10.0.9200.22297 on W2k12) the browser will eat up almost 2 GByte in a day and crash eventually.

Running the dashboard in Chrome works perfectly.

So not a problem  :)
#15
I have an important question at the bottom of this post. But let's begin with the steps to get this running  :)

The letsencrypt ACME automatic integration with HAproxy is great, inserting everything needed for validation, downloading and adding a certificate  :D  I have Letsencrypt running with Haproxy handling incoming HTTPS traffic, converting it to HTTP between OPNsense and the internal server. So the internal server does not need a certificate; I only need the automatically updated one on OPNsense. Great!

My initial idea was to do as above, with the only difference being that I'd also run HTTPS between OPNsense and the internal server (since I only have an unsigned certificate on it). But I can't get HTTPS to HTTPS to work. As soon as I change to HTTPS on the server tab in HAproxy I get 503 timeouts.

But maybe there are no downsides running HTTPS to HTTP instead of HTTPS to HTTPS???


In HAproxy

ADD SERVER
Name: myserver
FQDN: server IP (on the inside)
Port: 80                                    <<<< if I set these to 443 and enabled I get 503 timeout
SSL: disabled                            <<<<
Verify SSL cert: disabled


ADD BACKEND
Enabled: check
Name: mybackend
Mode: HTTP Layer 7
Servers: myserver
Actions (ACLs): empty


ADD FRONTEND
Enabled: check
Name: myfrontend
Listen addresses: www.mydomain.com:443, mydomain.com:443
Type: SSL offloading
Default backend: mybackend
SSL offloading: check
Certificates: my letsencrypt certificate
X-forwarded-For header: not checked
Actions (ACLs): empty


And finally add a firewall rule
Interface: WAN
Destination: This firewall
Destination port range: HTTPS




---------------------------------------------------

One scary thing though!!!!! If I temporarily stop HAproxy, anyone surfing to my public web site will instead reach the OPNsense admin login page. I DO NOT like that  :o

I'm not clear how to prevent this?? The OPNsense webserver really shouldn't listen on the WAN interface IMHO. I might be missing something here though.

EDIT:
A very good tip from Fraenkie is to simply change the listening port of the OPNsense web GUI to some odd port that IS closed (with appropriate rules) on the WAN and not used by NAT or HAproxy. The very, very minor drawback, if any, is that you will have to surf to your OPNsense GUI adding the port number to the link https://<yoururl or ip>:<yourspecialportnumber> i
#16
Hi all!

I'm a long-time user of pfsense, now switching over to opnsense.

The service "loopia" in dyndns is not handling wildcards properly, which makes the call to update the IP instead end up erasing the CNAME on Loopia's end, rendering our web site unreachable.



Here's the code AFAIK in /usr/local/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc

case 'loopia':
    // peer certificate verification is switched off for this provider
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass);
    // the hostname is passed straight through; the wildcard setting is never consulted
    curl_setopt($ch, CURLOPT_URL, 'https://dns.loopia.se/XDynDNSServer/XDynDNS.php?hostname='.$this->_dnsHost.'&myip='.$this->_dnsIP);
    break;


As you can see it doesn't even check the wildcard setting.

An important note: this functionality has been broken in pfsense for many years, but due to a different problem in that code. More info here https://forum.pfsense.org/index.php?topic=138826

What is the best way to get this into a todo fix list?




PS: I can't find any way to edit files from the web GUI, am I blind or is there no such option?