Messages

I was searching the documentation site when suddenly I was unable to access the site any longer - after checking settings, other OPNsense sites and other providers, I can only conclude that my fixed IP is being blocked. Perhaps my searches triggered something.

Is there an OPNsense admin that can check the status of my fixed IP on your side? I'll PM it to whomever can help me if you cannot see it from my connection history of the forum.

Thanks.

** Update: seems to be ok now

But my NAT rule already has an associated rule assigned, it's not set to "pass".

You cannot view this attachment.You cannot view this attachment.

Since the new forum I've never received an email notification despite having the option enabled everywhere that I can find. This never happened on the old forum software. Even today someone replied to my new post and I never received an email. My address is a Gmail account and I see no sign of the emails getting diverted to spam.

Can a moderator or someone with access to the forum logs take a look to see if any alerts are failing for my account?

Ok, I see, but what do you mean by "associate a firewall rule to the NAT rule and then prioritize it"?

I have a NAT rule on my main LAN and WireGuard networks, with a corresponding outbound NAT for redirecting DNS requests to the Internet back into my Pi-Hole. This works really well and have no issues - well except one. I want to block this for a couple of devices on then LAN network as they are basically spamming the DNS servers.

So I added a floating rule for just the LAN network, that blocks just those devices - I used a floating rule as I thought looking at the GUI, that these take precedence over the rule generated for the NAT. This doesn't seem to be the case as these devices do not get blocked, and if I enable logging nothing appears.

However, if disable the NAT rule that redirects the requests which is lower in the list of rules, the new block rule takes effect and I see the devices being blocked - at least I hope that's what it is doing.

This is what is shown in the Diags, Statisics Rules for the above two sets of rules, I couldn't think of an easier way to capture the rules without using screenshots:

Code Select Expand

filter rules
@43 block drop in log quick on vtnet0 inet proto tcp from <External_Blocked_DNS:2> to ! <Local_Networks:3> port = domain label "aed73360b88f4da3639fdefc10265301"
@44 block drop in log quick on vtnet0 inet proto udp from <External_Blocked_DNS:2> to ! <Local_Networks:3> port = domain label "aed73360b88f4da3639fdefc10265301"

nat rules
@25 no rdr on vtnet0 inet proto tcp from <Internal_DNS:9> to any port = domain
@26 no rdr on vtnet0 inet proto tcp from <Internal_DNS:9> to any port = domain-s
@27 no rdr on vtnet0 inet proto udp from <Internal_DNS:9> to any port = domain
@28 no rdr on vtnet0 inet proto udp from <Internal_DNS:9> to any port = domain-s
@29 no rdr on wg0 inet proto tcp from <Internal_DNS:9> to any port = domain
@30 no rdr on wg0 inet proto tcp from <Internal_DNS:9> to any port = domain-s
@31 no rdr on wg0 inet proto udp from <Internal_DNS:9> to any port = domain
@32 no rdr on wg0 inet proto udp from <Internal_DNS:9> to any port = domain-s
@33 rdr on vtnet0 inet proto tcp from (vtnet0:network:2) to ! <Internal_DNS:9> port = domain -> <RALPH> port 53 round-robin
@34 rdr on vtnet0 inet proto tcp from (vtnet0:network:2) to ! <Internal_DNS:9> port = domain-s -> <RALPH> port 53 round-robin
@35 rdr on vtnet0 inet proto udp from (vtnet0:network:2) to ! <Internal_DNS:9> port = domain -> <RALPH> port 53 round-robin
@36 rdr on vtnet0 inet proto udp from (vtnet0:network:2) to ! <Internal_DNS:9> port = domain-s -> <RALPH> port 53 round-robin
@37 rdr on wg0 inet proto tcp from (vtnet0:network:2) to ! <Internal_DNS:9> port = domain -> <RALPH> port 53 round-robin
@38 rdr on wg0 inet proto tcp from (vtnet0:network:2) to ! <Internal_DNS:9> port = domain-s -> <RALPH> port 53 round-robin
@39 rdr on wg0 inet proto udp from (vtnet0:network:2) to ! <Internal_DNS:9> port = domain -> <RALPH> port 53 round-robin
@40 rdr on wg0 inet proto udp from (vtnet0:network:2) to ! <Internal_DNS:9> port = domain-s -> <RALPH> port 53 round-robin

External_Blocked_DNS is the two host aliases of the devices, I've tried adding them directly as well
Local_Networks are all my local subnets e.g. 192.168.1.0/24
Internal_DNS are the IPs of my DNS servers

Which version of the agent/proxy plugin did you install on your OPNsense?

When they recently added agent v7.2 I tested out the plugin that shows no version to see if it simply installs the latest i.e. os-zabbix-agent and found it installed v5 of the agent. I needed to remove it and install the version I needed i.e. os-zabbix72-agent

I don't full know why it's done this way, especially that the version-less agent installs such an old version.

I too am looking for agent v7.2 but for different reasons, however, agent v7.0.9 connects perfectly well to Zabbix v7.2.4 so I don't understand why it's not working for you.

Thank-you, that makes sense now.

I thought I would check on the Snapshot section of configuration of my firewall and saw that I only have, default, and it was dated back in 2023 - its also 9.88G in size.

You cannot view this attachment.

As my current firewall state is stable, I cannot see why I would want to revert back to such an old snapshot. Can I update it with a new snapshot and delete the old one? I've read the docs and a tutorial on the forum, but neither seems to help me.

As my firewall is a Proxmox VM I've been using it for snapshots, but I was curious to look at the OPNsense feature.

I didn't really notice until you posted, but I have to agree that it's definitely clearer when I disable the font in the dev tools as well.

Out of curiosity I did the same to the forum and again it looks better to me.

The short answer to that is no. The long answer you will find here.

Thanks for letting me know and I'm glad I asked - I saw your feature request and will wait to see if something official gets added.

Was looking at this thread with interest as also having OPNsense running under Proxmox, so I went to check the auto-trim option - it's disabled. So I ran it manually for good measure.

I then ran a status check on the pool and it came back with

Code Select Expand

root@bart:~ # zpool status zroot
  pool: zroot
 state: ONLINE
status: Some supported and requested features are not enabled on the pool.
The pool can still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
the pool may no longer be accessible by software that does not support
the features. See zpool-features(7) for details.
config:

NAME        STATE    READ WRITE CKSUM
zroot      ONLINE      0    0    0
  da0p4    ONLINE      0    0    0

errors: No known data errors


Should I perform the upgrade? I've seen this on Proxmox a couple of times and did the upgrade without issues.

Thanks for the advice, I think I found it - when I ran top the only process that looked to be constantly busy was "monit", and when I tried to stop the service nothing happened, either with the menu option or with the diagnostics/services menu. So I tried to kill it through top and still the process would not stop, and even a normal kill failed on the command line. Had to use kill -9 to get it to stop.


I then checked the monit log and it had been repeatedly complaining for a while about a Suricata alert not available, although the last message was over 12hrs ago, which was probably as I stopped using Suricata quite some time ago. I removed the alert, restarted the monit service and so far the CPU temp has gone back down to previous levels.

After upgrading from 24.7.7 to 24.7.8, the CPU temp of the Proxmox host that OPNsense runs on has increased a fair bit. Has anyone else seen this?


It's still within an acceptable range but it's never been like this for the all the time I've been running it as a VM. There are a couple of other very small containers on the same host, but even when I shut them down the temperature doesn't change. It's also a passively cooled unit so I'd rather it was back to previous temperatures.

I have a Zabbix server monitoring all my certificate's expiration dates, and it's occasionally alerted me to a failed ACME renewal, but as you mention, it would be nice for ACME itself to have some way to report problems, if there isn't already some other way that I'm not aware of.