I have been running OPNSense for my home network for the past 6 months, and have been learning much about it. I am currently on 23.1 and am ready to take the plunge to 23.7. Before I mess up totally and take the house network down for an extended amount of time, thought I'd ask a quick question.
Is it recommended that I do an offline update (as noted in the OPNSense Documentation) or can it be done from System > Firmware > Updates in OPNSense itself? My configuration is as basic/vanilla as it can get.
No need for an offline update. If on slower hardware keep in mind there could be 15+ minutes before the FW is back up.
When you're up on 23.7 check for updates again to get on 23.7.4
Thanks for the response. This was just one of those times that you reach a fork in the road and if you take the wrong branch there may not be an easy way to go back. Hunting for answers on your phone after you make a poor choice is never fun. (Ask me how I know ::) )
My move to OPNSense came with getting one of those Topton N5105 boxes, migrating away from a getting old Asus router running Tomato. No worries on a 15 minute update, but thanks for the heads up to be patient.
N5105 is a fast one, should be ~6 minutes down
Done, and completely painless. You were right smack on the money, just about 6 minutes to having the login screen back. Updated again to 23.7.4, ran a quick audit and all is good.
In the future, make sure you download your config before doing an update. Also make sure you have a copy of the installer handy. That way if the update does go sideways you can reinstall and import the config.
That said, I've yet to need them in any of the updates I've done, but it's still cheap peace of mind.
Thanks, I had both. Some may laugh at my key ring full of flash drives, but I have on hand what I need to get myself out of most situations. Along with my aversion to any software version that ends in .0 (or even .1, for that matter) is why I waited for 23.7.4 to be released.
Well, that and os-ddclient to work properly with duckdns. Which it still isn't for me. >:(
Quote from: connervt on September 21, 2023, 01:46:30 AM
Well, that and os-ddclient to work properly with duckdns. Which it still isn't for me. >:(
Did you change the backend?
I did. Set up per this post, from 2023-09-02:
https://forum.opnsense.org/index.php?topic=34575.msg173857#msg173857
Created a test domain, manually gave it an incorrect address (to see if it changed by ddclient). I get nothing but KO in my logs:
DuckDNS update failed for 0da****1-4d80-4820-b**d-b83***6f3815 [duckdns - TEST] with ip 67.246.*3.*6 for domains qwertytest.duckdns.org, response: KO
(some data obscured by me)
Try a simpler password, I think I read something about special characters causing issues recently
Just to clarify: "offline" upgrade here means the system will fetch all packages to install and do the upgrade before starting network connectivity. This is done to avoid scenarios where tools would try to fetch extra packages from somewhere else that could break or in cases when network connectivity cannot be established due to OS updates or mismatches between core and OS (these are upgraded incrementally).
Cheers,
Franco
Quote from: connervt on September 21, 2023, 01:46:30 AM
Thanks, I had both. Some may laugh at my key ring full of flash drives, but I have on hand what I need to get myself out of most situations. Along with my aversion to any software version that ends in .0 (or even .1, for that matter) is why I waited for 23.7.4 to be released.
Well, that and os-ddclient to work properly with duckdns. Which it still isn't for me. >:(
Check out Ventoy. It will help consolidate those drives. Also, there are actual devices that you can load ISOs on and which will emulate a USB CD-ROM.
Quote from: connervt on September 21, 2023, 10:57:21 AM
I did. Set up per this post, from 2023-09-02:
https://forum.opnsense.org/index.php?topic=34575.msg173857#msg173857
Created a test domain, manually gave it an incorrect address (to see if it changed by ddclient). I get nothing but KO in my logs:
DuckDNS update failed for 0da****1-4d80-4820-b**d-b83***6f3815 [duckdns - TEST] with ip 67.246.*3.*6 for domains qwertytest.duckdns.org, response: KO
(some data obscured by me)
Double check your backend. That format doesn't look like what I've seen for messages from the native backend.
This is one of the reasons I'm lamenting the lack of verbose logging in the new backend. It doesn't provide you with the req/resp anymore. You can try doing a packet capture to grab the URL being used and then testing it via curl and adding &verbose=true to see what DuckDNS gives as the failure reason.
https://www.duckdns.org/spec.jsp
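To make the curl check CJ describes concrete, here is an added shell example (not from this thread and not part of os-ddclient) that builds the update URL from the DuckDNS spec linked above, redacts the token before the URL is logged (it is a GET parameter, so it would otherwise land in any proxy, web or verbose curl log), and interprets the verbose response. The domain, token and IP values are constructed placeholders; the four-line verbose response layout (status, IPv4, IPv6, UPDATED/NOCHANGE) is my reading of the spec page, so treat it as an assumption.

```sh
#!/bin/sh
# duckdns_check.sh - added example, not the os-ddclient plugin's code.
# Build the update URL, redact the token for logging, interpret the verbose reply.

# Update URL per https://www.duckdns.org/spec.jsp
# $1 = domain label(s) without .duckdns.org, $2 = account token, $3 = IP (may be empty)
duckdns_url() {
  printf 'https://www.duckdns.org/update?domains=%s&token=%s&ip=%s&verbose=true' "$1" "$2" "$3"
}

# Replace the token value so the URL can be logged without leaking the credential.
redact_token() {
  printf '%s' "$1" | sed -E 's/(token=)[^&]*/\1<redacted>/'
}

# Verbose response (assumed layout): line 1 OK/KO, line 2 IPv4, line 3 IPv6,
# line 4 UPDATED or NOCHANGE. A plain KO carries no reason, so the token and
# domain are the first things to verify when you see it.
parse_response() {
  body=$1
  status=$(printf '%s\n' "$body" | sed -n '1p')
  case "$status" in
    OK)
      ipv4=$(printf '%s\n' "$body" | sed -n '2p')
      change=$(printf '%s\n' "$body" | sed -n '4p')
      printf 'ok %s %s\n' "${ipv4:-none}" "${change:-unknown}"
      return 0 ;;
    KO)
      printf 'ko\n'
      return 1 ;;
    *)
      printf 'unexpected %s\n' "$status"
      return 2 ;;
  esac
}

# Live check: logs only the redacted URL, then interprets what DuckDNS answered.
# Usage: duckdns_update qwertytest <your-token> 203.0.113.7
duckdns_update() {
  url=$(duckdns_url "$1" "$2" "$3")
  echo "request: $(redact_token "$url")" >&2
  body=$(curl -fsS "$url") || { echo "http error"; return 3; }
  parse_response "$body"
}

# Constructed sample responses (no network needed to exercise the parser).
SAMPLE_OK=$(printf 'OK\n203.0.113.7\n\nUPDATED')
SAMPLE_KO=KO
```

Running parse_response over a KO body returns non-zero, so the same function can drive a cron or monit style check without grepping the ddclient log.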
Quote from: newsense on September 21, 2023, 11:21:58 AM
Try a simpler password, I think I read something about special characters causing issues recently
DuckDNS doesn't use a password. It's your account token which doesn't contain special characters. Although it does annoy me that they're using a GET for a change request.
Quote from: franco on September 21, 2023, 11:59:54 AM
Just to clarify: "offline" upgrade here means the system will fetch all packages to install and do the upgrade before starting network connectivity. This is done to avoid scenarios where tools would try to fetch extra packages from somewhere else that could break or in cases when network connectivity cannot be established due to OS updates or mismatches between core and OS (these are upgraded incrementally).
Good to know. I'm going to have to remember to look for the option next time I update.
franco, CJ and newsense - Thank you all for your input. I keep on learning with it all. As for my flash drive collection, old habits die hard. But still a good choice - portable, can usually get it to boot on any system, and lives in the desk drawer where my servers and network live, so I (usually) can find what I need.
CJ is right - Duckdns uses a token in the password field. I cut/paste it right from my duckdns.org account page. What is interesting (and probably a good thing?) is while the string from the log is similar in format to my token, they are not the same. (same 8-4-4-4-12 char cadence)
As I wrote earlier, I set things up based on a recent post from here. Not really all that much to configure, so unsure if it is dumbness on my end or ...? Screenshots attached.
Just went through the whole setup and worked just fine - apart from a curve ball when checking the IP with an external service.
Using dg6464's post as a reference from another thread - however I did _not_ uncheck Force SSL
Quote
My Working Settings:
General ->
Interval = 600 seconds
Backend = native
Accounts ->
Service = duckdns
Username = blank
Password = <token>
Hostnames = hostname.duckdns.org
Check ip method = Interface [IPv4]
Interface to monitor = WAN
Check ip timeout = 10
Force SSL = checked
Two things for you to try:
1) Change the backend - Save - Apply - Revert to Native - Save - Apply
2) If that doesn't change much delete the configuration, remove and reinstall the package, create a new DuckDNS profile.
pkg remove os-ddclient && pkg install os-ddclient
You don't need to reinstall, but removing all the old account entries from the plugin is a good idea.
Cheers,
Franco
OK this is getting weird.
Set up another FW, same steps, different host, and I'm getting a cert validation error.
I don't get why this is an issue or why www.duckdns.org would have to match the SANs in the GUI certificate.
Quote
Caused by SSLError(CertificateError("hostname 'www.duckdns.org' doesn't match either of 'opnsense.localdomain', 'opnsense',
OK, Fixed.
Anyone seeing the issue above, check your DNS resolver. Some list(s) block wildcard duckdns.org
Quote from: connervt on September 22, 2023, 01:27:22 AM
franco, CJ and newsense - Thank you all for your input. I keep on learning with it all. As for my flash drive collection, old habits die hard. But still a good choice - portable, can usually get it to boot on any system, and lives in the desk drawer where my servers and network live, so I (usually) can find what I need.
CJ is right - Duckdns uses a token in the password field. I cut/paste it right from my duckdns.org account page. What is interesting (and probably a good thing?) is while the string from the log is similar in format to my token, they are not the same. (same 8-4-4-4-12 char cadence)
As I wrote earlier, I set things up based on a recent post from here. Not really all that much to configure, so unsure if it is dumbness on my end or ...? Screenshots attached.
I agree with newsense. Try checking Force SSL.
Quote from: newsense on September 22, 2023, 08:07:05 AM
OK, Fixed.
Anyone seeing the issue above, check your DNS resolver. Some list(s) block wildcard duckdns.org
Such fun. :D
Sorry to have dropped off the radar for several days. I had been reading your responses (and much appreciate them). My work has me doing four 12 hour days, then followed by family emergency.
I tried what was suggested previously, none of it giving much success. I have finally received a positive result from both my logs and duckdns, by doing the unexpected - I set the Backend to ddclient, not native.
I'm not one to argue with success, but I thought that native was developed specifically to work with OPNSense?
The problem is, if you mix and match and erratically change the backend, your account settings are wrong because they belong to the other backend.
The best approach is to pick a backend, clear all the accounts and add them back (making sure not to switch the backend anymore).
https://github.com/opnsense/plugins/issues/3570
Cheers,
Franco
Thanks franco. I tried again, but end up with the same result. Working with ddclient as backend. Not working with native.
I deleted all accounts then removed and reinstalled the plugin. Set a bogus IP address in the duckdns website for my testing domain. Reinstalled plugin. Set Backend = native (it defaults to ddclient). Hit Apply and restarted service. Created account, Save, Apply. Result was failure message in log and no update recorded on duckdns website.
Next I deleted account, set backend = ddclient. Hit Apply and restarted service. Created account, Save, Apply. Success message in log and updated IP address shown in duckdns website.
Very strange. I understand where you were going with your last post, makes perfect sense. But I guess I'll stay on the ddclient backend for now. It isn't mission critical for my setup, as it is only used as an ISP/firewall watchdog (all of my true domains are managed via Cloudflare tunnels).
My duckdns works on ddclient and native backend that I currently use. Updated yesterday. Just checked IP and it matches.
I don't deny there's an issue. It's just not clear what it is.
Cheers,
Franco
Interesting. I was afraid I was going to have to recreate my config as franco recommends, but I changed literally nothing except the backend from ddclient to native and everything worked just fine.
The only differences I've seen are that native recognizes that the IP is already set and doesn't need to be changed whereas ddclient would send a change request every interval despite getting a success result. Also, ddclient would log the actual req/resp while native does not.