Messages - harshw

#16
Quote from: franco on September 06, 2021, 09:51:40 AM
21.7.2 is due tomorrow.
Cheers,
Franco

Franco - for important security updates like this - would they be backported to the previous version for a short period (e.g. 21.1.9 gets a hot fix for OpenSSL)? I ask because it is not always easy to move to the new version immediately since it requires planning etc., but a hotfix for the current version is 100x easier to apply ...
#17
Quote from: Nnyan on May 06, 2021, 06:49:07 PM
That worked for me also until my 210 went bad and they replaced it with a 310.  Bridged mode only for me now.

Hah! That post got me thinking - I was lucky enough to have Sonic in the neighborhood, spoke to them about their 3 month free trial, was scheduled for an appointment today and they came by and installed it in an hour and a half. I'd mentioned that I did NOT need an RG; the install tech had it in his notes, he set up the ONT, tested it and left.

It took me half an hour to read up about MultiWAN and set up OPNSense with it - now that I have both to compare, I noticed that Sonic's RTTs are lower by 1-3 msec. The best part - there is no RG box, I connect directly to the ONT.
#18
Upgraded 20.1 to 21.1 today

I have ATT and use the pfatt bypass script along with netgraph to create a virtual WAN interface. I was able to successfully upgrade by doing the following:

- backup configuration
- installed another SSD
- booted from the 21.1 VGA installer
- imported configuration from the old SSD with 20.1
- logged in as 'installer' and installed onto new SSD

BEFORE rebooting:

- copy (and make executable) the pfatt bypass script into /usr/local/etc/rc.syshook.d/early as 99-opnatt
- make sure to have the following modules loaded in /boot/loader.conf.local

netgraph_load="YES"
ng_ether_load="YES"
ng_eiface_load="YES"
ng_one2many_load="YES"
ng_vlan_load="YES"
ng_etf_load="YES"


Reboot and check if the WAN interface comes up - if not, execute the script directly and check the log.

After this, I did another manual restore for the config as I noticed some things hadn't transferred over.

And if you run into problems with Wireguard not starting after the upgrade - make sure there is only ONE /32 IP address in the 'Allowed IPs' for each Wireguard Endpoint configuration

Kudos to the OPNSense team for a great release and for all the hard work and effort that goes into OPNSense.
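
Added example, not part of harshw's post: a small post-reboot check for the netgraph bypass described above, with an optional teardown so the hook can be re-run by hand when the WAN does not come up (the bypass script runs under set -e, so a failure midway leaves a half-built graph behind and the next run stops at the first ngctl name that already exists). The module list and hook path are the ones from the post, the node names are the ones pfatt.sh creates, and the log path /var/log/pfatt.log is assumed; the live part only runs where kldstat and ngctl exist.

```shell
#!/bin/sh
# Added example, not from the post above: sanity-check the netgraph bypass after
# the reboot and, on request, tear the half-built graph down so the hook script
# can be re-run by hand. Module list and hook path are taken from the post; the
# node names (o2m, vlan0, ngeth0, waneapfilter, laneapfilter) are the ones
# pfatt.sh creates; the log path /var/log/pfatt.log is assumed. The live checks
# only run where the FreeBSD tools (kldstat, ngctl, ifconfig) exist.

REQUIRED_MODULES="netgraph ng_ether ng_eiface ng_one2many ng_vlan ng_etf"
BYPASS_NODES="o2m vlan0 ngeth0 waneapfilter laneapfilter"
HOOK=/usr/local/etc/rc.syshook.d/early/99-opnatt
WAN_IF=ngeth0
LOG=/var/log/pfatt.log

# missing_ng_nodes "<output of ngctl list>": print the bypass nodes that do not exist
missing_ng_nodes() {
    for n in $BYPASS_NODES; do
        printf '%s\n' "$1" | grep -q "Name: ${n}[[:space:]]" || printf '%s\n' "$n"
    done
}

# present_ng_nodes "<output of ngctl list>": the bypass nodes that do exist, in
# reverse creation order, i.e. the order to shut them down in
present_ng_nodes() {
    for n in laneapfilter waneapfilter ngeth0 vlan0 o2m; do
        printf '%s\n' "$1" | grep -q "Name: ${n}[[:space:]]" && printf '%s\n' "$n"
    done
    return 0
}

# wan_has_inet "<output of ifconfig ngeth0>": true once a DHCP lease landed on the
# WAN (an inet6 link-local line alone does not count)
wan_has_inet() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# hook_ok <path>: the early syshook only runs at boot if it exists and is executable
hook_ok() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Live part: skipped on machines without the FreeBSD tooling.
if command -v kldstat >/dev/null 2>&1 && command -v ngctl >/dev/null 2>&1; then
    hook_ok "$HOOK" || echo "hook $HOOK is missing or not executable"
    for m in $REQUIRED_MODULES; do
        # kldstat -m finds modules linked into the kernel as well as loaded .ko files
        kldstat -q -m "$m" || echo "module $m not loaded; check /boot/loader.conf.local"
    done
    nodes=$(ngctl list)
    for n in $(missing_ng_nodes "$nodes"); do
        echo "netgraph node $n is missing; run $HOOK by hand and read $LOG"
    done
    if wan_has_inet "$(ifconfig "$WAN_IF" 2>/dev/null)"; then
        echo "$WAN_IF has an IPv4 address"
    else
        echo "$WAN_IF has no IPv4 address; last lines of $LOG:"
        tail -n 20 "$LOG" 2>/dev/null
    fi
    # TEARDOWN=1 sh check-bypass.sh  removes the bypass nodes so the hook can be
    # re-run; the physical NICs keep their ng_ether nodes and are left alone.
    if [ "${TEARDOWN:-0}" = 1 ]; then
        for n in $(present_ng_nodes "$nodes"); do
            ngctl shutdown "${n}:"
        done
    fi
fi
```

Run it once after the reboot; if it reports missing nodes, run it again with TEARDOWN=1, then execute the hook directly and read the log as the post suggests.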

#19
Quote from: ezra55 on April 26, 2021, 07:00:33 PM
Hello!

I've stumbled upon a used Mellanox device that has just a plain linux OS running on it. Would anyone know if OPNsense could run on it? https://blog.mellanox.com/2017/11/mellanox-sn2010-the-best-hyperconverged-infrastructure-switch/

it has 18 10G/25G sfp+ ports and 4x 40G/100G uplink sfp+ and 2x mgmt 1GB ports. Would this even make (opn)sense to reflash this?

Thanks

The SN2010 seems to be x86/Intel Atom based, but you're better off using a proper network OS like Cumulus.

OPNSense and NOSes like Cumulus are complementary and meant for different things. In any case, I doubt OPNSense supports ONIE or the ASICs used in the Mellanox - and of course you'd have to get a SN2010 that had ONIE on it so that you could install your own network OS.
#20
Currently running 20.1 and would like to shift to 20.7. I also use the pfatt script to bypass my AT&T RG and connect to the ONT. For this reason I wanted to solicit advice from wise forum users ;)

- What's the best way to be able to test 20.7 and roll back to 20.1 without having to re-install?

- Should I repartition the disk, clone the existing install 20.1 and upgrade the clone to 20.7 to test it out? Is there a recommended 'BSD-type' way to do so?

I work from home like many others during this pandemic, so I'm a bit cautious about disrupting what is right now a critical service - especially for the better half :D
#21
Quote from: cwied on August 22, 2020, 08:30:26 PM
For what it's worth, I just upgraded to 20.7, and I still seem to be able to get DHCP from ATT using the traditional bypass. I've compared my pfatt.sh to opnatt.sh and they're mostly identical.

I do have a few extra parameters on the ifconfigs to make the interfaces promiscuous, but I wouldn't have thought that they should matter:
/sbin/ifconfig $RG_IF promisc -tso4 -tso6 -vlanhwtso
/sbin/ifconfig $ONT_IF promisc -tso4 -tso6 -vlanhwtso


The original script also has promiscuous mode enabled on the RG and ONT:

    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
    /sbin/ifconfig $RG_IF promisc
    echo "OK!"

    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
    /sbin/ifconfig $ONT_IF promisc
    echo "OK!"


The only additional parameters are for TSO. -tso4/-tso6 disable TSO for IPv4 and IPv6, and -vlanhwtso disables TSO on VLAN. That really shouldn't affect anything ...

#22
Here's the original pfatt.sh script (not the newer one) if anyone wants to try this with 20.7.

As usual you have to provide values for ONT_IF and RG_IF, and RG_ETHER_ADDR should be set to the AT&T RG's MAC address.

#!/bin/sh
# pfatt.sh: true bridge mode for the AT&T residential gateway (RG).
# The ONT link is split with netgraph: 802.1X/EAPOL frames (ethertype 0x888e)
# are bridged between ONT and RG so the RG keeps authenticating, while all other
# frames go to a virtual interface (ngeth0) that carries the RG's MAC address
# and becomes the firewall's WAN.
set -e

ONT_IF=          # NIC cabled to the ONT, e.g. igb0
RG_IF=           # NIC cabled to the AT&T RG, e.g. igb1
RG_ETHER_ADDR=   # MAC address of the AT&T RG; ngeth0 clones it
OPNSENSE='yes'   # 'no' on pfSense, which needs ng_ether attached explicitly
LOG=/var/log/pfatt.log

getTimestamp(){
    date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"
}

if [ -z "$ONT_IF" ] || [ -z "$RG_IF" ] || [ -z "$RG_ETHER_ADDR" ]; then
    echo "$(getTimestamp) ONT_IF, RG_IF and RG_ETHER_ADDR must be set; edit the script first" >> "$LOG"
    exit 1
fi

{
    echo "$(getTimestamp) pfSense + AT&T U-verse Residential Gateway for true bridge mode"
    echo "$(getTimestamp) Configuration: "
    echo "$(getTimestamp)        ONT_IF: $ONT_IF"
    echo "$(getTimestamp)         RG_IF: $RG_IF"
    echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
    echo "$(getTimestamp)      OPNSENSE: $OPNSENSE"

    # Only ng_etf is loaded here; netgraph, ng_ether, ng_eiface, ng_one2many and
    # ng_vlan are expected from the kernel or /boot/loader.conf.local.
    echo -n "$(getTimestamp) loading netgraph kernel modules... "
    /sbin/kldload -nq ng_etf
    echo "OK!"

    if [ "${OPNSENSE}" != 'yes' ]; then
        # pfSense does not attach ng_ether nodes to interfaces until asked
        echo -n "$(getTimestamp) attaching interfaces to ng_ether... "
        /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');"
        /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');"
        echo "OK!"
    fi

    echo "$(getTimestamp) building netgraph nodes..."

    # one2many sits on the ONT NIC's lower (wire) hook: every frame from the ONT
    # is copied to many0 (the vlan node / WAN) and many1 (the EAP filter)
    echo -n "$(getTimestamp)   creating ng_one2many... "
    /usr/sbin/ngctl mkpeer "$ONT_IF": one2many lower one
    /usr/sbin/ngctl name "$ONT_IF":lower o2m
    echo "OK!"

    # untagged frames (vlan=0) leave the vlan node on hook vlan0, which is the
    # eiface; its interface is ngeth0 provided no other eiface exists yet
    echo -n "$(getTimestamp)   creating vlan node and interface... "
    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
    /usr/sbin/ngctl name o2m:many0 vlan0
    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether

    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
    /usr/sbin/ngctl msg ngeth0: set "$RG_ETHER_ADDR"
    echo "OK!"

    # ethertype filters: one on the ONT side (fed from many1), one on the RG side
    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
    /usr/sbin/ngctl name o2m:many1 waneapfilter
    /usr/sbin/ngctl connect waneapfilter: "$ONT_IF": nomatch upper
    echo "OK!"

    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
    /usr/sbin/ngctl mkpeer "$RG_IF": etf lower downstream
    /usr/sbin/ngctl name "$RG_IF":lower laneapfilter
    /usr/sbin/ngctl connect laneapfilter: "$RG_IF": nomatch upper
    echo "OK!"

    # EAPOL matched on either side is handed straight to the other filter
    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
    echo "OK!"

    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
    echo "OK!"

    # xmitAlg=2: deliver to all enabled links; failAlg=1: manual failure handling;
    # both many links enabled
    echo -n "$(getTimestamp)   enabling one2many links... "
    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
    echo "OK!"

    # non-EAP frames from the ONT already reach ngeth0 via many0; dropping the
    # nomatch hook keeps them from also being handed to $ONT_IF's own stack
    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
    /usr/sbin/ngctl rmhook waneapfilter: nomatch
    echo "OK!"

    echo -n "$(getTimestamp) enabling $RG_IF interface... "
    /sbin/ifconfig "$RG_IF" up
    echo "OK!"

    echo -n "$(getTimestamp) enabling $ONT_IF interface... "
    /sbin/ifconfig "$ONT_IF" up
    echo "OK!"

    # promiscuous mode: both NICs must accept frames for the RG's MAC, not only their own
    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
    /sbin/ifconfig "$RG_IF" promisc
    echo "OK!"

    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
    /sbin/ifconfig "$ONT_IF" promisc
    echo "OK!"

    echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN"
    echo "$(getTimestamp) done!"
} >> "$LOG"
#23
Quote from: mrancier on August 05, 2020, 02:00:01 AM
Sorry about the delay.  Life kinda got in the way.  In any case, I meant traditional in the sense that I am not using the extracted certificates from the gateway, which I do have, to do a full bypass, i.e., ONT to OPNsense.
The only other thing I might point to is that at some point within the last upgrade the devs stopped loading the netgraph modules by default, so you have to ensure that you are adding them to your loader.conf or loader.conf.local .

Are you using the original script by aus or the one from MonkWho or others? If you're using the original script and it is working for you - then it's just a matter of seeing why the newer ones aren't working (changed locations for files and binaries perhaps?)
#24
Quote from: fraggle on August 03, 2020, 03:43:49 AM
What do you mean by "traditional mode"?

All I have done is set opnatt.sh as 99-opnatt.sh (after the appropriate .sh editing for the OF_INT and MAC).

What is the "traditional", so I can work backwards to figure out where my cfg is breaking?

The original "traditional" pfatt script from aus was forked and now there are a couple of scripts that can use certificates from the ATT devices etc. to authenticate (so you don't even need an ATT device). I believe this is what he's referring to. It's also noteworthy that the poster said he upgraded to RC1 and then to GA. So perhaps something changed between RC1 and GA that is causing the script to fail?
#25
Quote from: lrosenman on August 01, 2020, 09:02:57 AM
I have 20.1 working great with 20.1.  When I upgrade to 20.7, I don't get DHCP from ATT.

Is there something(TM) changed between the HardenedBSD releases that possibly breaks NetGraph?

I made the grave mistake of NOT having a off machine backup of my config and had to rebuild it from scratch.

I don't want to go through this again trying to get current.

Are you using the original vanilla pfatt from aus or one of the many forks that now have WPA supplicant and certificates etc?

Thinking of upgrading, need to figure out how to do it without breaking my internet ...
#26
20.7 Legacy Series / Re: Hyperscan and IPS Policy
May 25, 2020, 07:30:49 PM
Quote from: XeroX on May 11, 2020, 12:52:09 PM

nvm, found it: https://docs.opnsense.org/manual/software_included.html

So what was needed was

opnsense-code ports tools
cd /usr/ports/devel/hyperscan/
make config
make reinstall


??

Will this pull in the latest hyperscan?

Were you able to set the config to native after 'make config' ?

And do you have any benchmarks for native vs core2? There's a hsbench utility but I believe this doesn't get installed ...
#27
Why not go for the Xeon E series? The X11SCL-iF motherboard is $200 new at Newegg. And a 4 core Xeon E-2124 costs $200 (also at Newegg). I got the other components used for cheap on eBay and other places and built a 1U, 16GB, 6 core Xeon for < $700 https://forum.opnsense.org/index.php?topic=11507.msg58302#msg58302

It does IPS/IDS at line speed (I have symmetric 1GB fiber internet). At some point, I will put Proxmox there and run other network related apps along with Opnsense

Going for a 4GB, 4 core Xeon will probably bring down your cost to $600. And if you want to spend even less - why not go for the Core i3-9100? It supports ECC and is a 3.6GHz / 4-core processor capable of 4.2GHz turbo. I believe the CPU goes for $80-$100.

Suricata (used in the IDS/IPS) is multi-threaded but generally you should go for a fast clock rate + threading next. FreeBSD networking and Suricata in general are not that fond of hyperthreading - so you can safely buy the (cheaper) non-HT CPUs and not lose any performance.

Used Supermicro 1U cases and PSUs are also cheap on eBay as are 40mm fans ...
#28
Quote from: franco on February 03, 2020, 08:17:58 AM
Yes, good thinking. That's why we opted for removing most of netgraph from the system, although some PPP and NetFlow still need it but load it on demand.


Cheers,
Franco

I modified loader.conf.local and rebooted - after which I proceeded to do the upgrade.
So far it seems to be working ... everything came up as expected
#29
Checked the PFATT script again and only the following modules are needed:

  • netgraph
  • ng_ether
  • ng_eiface
  • ng_one2many
  • ng_vlan
  • ng_etf
I will try to prune the /boot/loader.conf.local file to the following and check if it still works:


netgraph_load="YES"
ng_ether_load="YES"
ng_eiface_load="YES"
ng_one2many_load="YES"
ng_vlan_load="YES"
ng_etf_load="YES"


Don't want to load modules unnecessarily if we don't need them ...
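
Added example, not harshw's code: the pruning above done mechanically. It derives the netgraph modules a pfatt/opnatt-style bypass script needs from its ngctl mkpeer calls (netgraph itself and ng_ether, which every physical NIC is a node of, are always needed) and then lists the netgraph *_load lines in loader.conf.local that the script never uses. It assumes every node type the script creates appears as the type argument of ngctl mkpeer; SAMPLE_SCRIPT repeats the mkpeer lines from the pfatt.sh posted earlier on this page, and SAMPLE_CONF is constructed for the example.

```shell
#!/bin/sh
# Added example, not harshw's code: derive the netgraph modules a pfatt/opnatt
# style bypass script needs from its 'ngctl mkpeer' calls, then list the
# netgraph *_load lines in /boot/loader.conf.local that the script never uses.
# Assumes every node type the script creates appears as the type argument of
# 'ngctl mkpeer'. SAMPLE_SCRIPT repeats the mkpeer lines of the pfatt.sh posted
# earlier on this page; SAMPLE_CONF is constructed for the example.

# needed_loader_lines "<script text>": netgraph itself and ng_ether (the physical
# NICs are ng_ether nodes) are always needed, plus ng_<type> for each mkpeer type
needed_loader_lines() {
    printf 'netgraph_load="YES"\n'
    {
        printf 'ng_ether_load="YES"\n'
        printf '%s\n' "$1" |
            awk '/ngctl[[:space:]]+mkpeer/ { for (i = 1; i + 2 <= NF; i++) if ($i == "mkpeer") print "ng_" $(i+2) "_load=\"YES\"" }'
    } | LC_ALL=C sort -u
}

# unneeded_loader_lines "<loader.conf.local text>" "<script text>": netgraph-related
# *_load lines in the config that are not in the derived list
unneeded_loader_lines() {
    needed=$(needed_loader_lines "$2")
    printf '%s\n' "$1" | grep -E '^(netgraph|ng_[a-z0-9_]+)_load=' |
        while IFS= read -r line; do
            printf '%s\n' "$needed" | grep -qxF "$line" || printf '%s\n' "$line"
        done
}

# Constructed sample input: the mkpeer lines of the pfatt.sh posted above
SAMPLE_SCRIPT='/usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
/usr/sbin/ngctl name $ONT_IF:lower o2m
/usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
/usr/sbin/ngctl mkpeer o2m: etf many1 downstream
/usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream'

# Constructed sample loader.conf.local with two netgraph modules the script never uses
SAMPLE_CONF='netgraph_load="YES"
ng_ether_load="YES"
ng_eiface_load="YES"
ng_one2many_load="YES"
ng_vlan_load="YES"
ng_etf_load="YES"
ng_bridge_load="YES"
ng_tee_load="YES"
kern.ipc.nmbclusters="1000000"'

# Stand-alone use against the real files:
#   sh prune-ng-modules.sh /usr/local/etc/rc.syshook.d/early/99-opnatt /boot/loader.conf.local
if [ $# -eq 2 ]; then
    echo "needed:";   needed_loader_lines "$(cat "$1")"
    echo "unneeded:"; unneeded_loader_lines "$(cat "$2")" "$(cat "$1")"
else
    echo "needed (sample):";   needed_loader_lines "$SAMPLE_SCRIPT"
    echo "unneeded (sample):"; unneeded_loader_lines "$SAMPLE_CONF" "$SAMPLE_SCRIPT"
fi
```

For the sample it reports ng_bridge and ng_tee as unneeded and leaves exactly the six modules in the list above; run it against a forked script (the certificate-based ones) before trusting that list, since they may create other node types.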
#30
Could you provide more details? I use the pfatt script as well and I am hesitant to move to 20.1 because of this

Thanks in advance!