Messages - Jose

#1
25.7, 25.10 Series / Re: BUG: ZFS RAIDZ BOOT!
September 30, 2025, 02:05:13 PM
Quote from: franco on September 30, 2025, 01:56:23 PM
Nice, thank you. May consider picking this up in core in the future if boot code incompatibilities are to become more common.


Cheers,
Franco

Hi Franco, I've edited the previous post and added the output for the "gpt/zfsboot" code update as well for reference.

Regards
#2
25.7, 25.10 Series / Re: BUG: ZFS RAIDZ BOOT!
September 30, 2025, 01:52:59 PM
Hello, I've updated the `bootcode-update` utility to support GPT labels for compatibility with later FreeBSD releases, in case someone wants to play with it on a VM.

Sample output from my FreeBSD host:
root@nas-mserver: ~# bootcode-update -v
bootcode-update 0.3.6
root@nas-mserver: ~# bootcode-update -e

UEFI Partition: [ ada0p1 ]
Disk Serial:    [ TNS519GYXXXXXX ]
Proceed with EFI bootcode update for the following geom: [ada0p1] (Y/n)?: y
Proceeding...
=> Updating EFI bootcode on ada0p1
/boot/loader.efi -> /boot/efi/efi/boot/bootx64.efi
/boot/loader.efi -> /boot/efi/efi/freebsd/loader.efi
=> Success!


UEFI Partition: [ ada1p1 ]
Disk Serial:    [ 140817TM85A3TDXXXXXX ]
Proceed with EFI bootcode update for the following geom: [ada1p1] (Y/n)?: y
Proceeding...
=> Updating EFI bootcode on ada1p1
/boot/loader.efi -> /tmp/boot_esp/efi/boot/bootx64.efi
/boot/loader.efi -> /tmp/boot_esp/efi/freebsd/loader.efi
=> Success!


Sample output from my OPNsense VM:
root@fw-opnsense:~ # uname -a
FreeBSD fw-opnsense.arpa 14.3-RELEASE-p2 FreeBSD 14.3-RELEASE-p2 stable/25.7-n271676-ab2281de1853 SMP amd64
root@fw-opnsense:~ # bootcode-update -v
bootcode-update 0.3.6
root@fw-opnsense:~ # bootcode-update -e

UEFI Partition: [ vtbd0p1 ]
Disk Serial:    [ BHYVE-125E-B3XX-XXXX ]
Proceed with EFI bootcode update for the following geom: [vtbd0p1] (Y/n)?: y
Proceeding...
=> Updating EFI bootcode on vtbd0p1
/boot/loader.efi -> /boot/efi/efi/boot/bootx64.efi
/boot/loader.efi -> /boot/efi/efi/freebsd/loader.efi
=> Success!

Sample output updating GPT/ZFSBOOT:
root@nas-mserver: ~# bootcode-update -g

Boot Partition: [ ada0p2 ]
Disk Serial:    [ TNS519GYXXXXXX ]
Pool Member:    [ zroot: '/dev/ada0p4' ]
Proceed with GPT/ZFS bootcode update for the following geom: [ada0p2] (Y/n)?: y
Proceeding...
=> Updating GPT/ZFS bootcode on ada0p2
partcode written to ada0p2
bootcode written to ada0
=> Success!


Boot Partition: [ ada1p2 ]
Disk Serial:    [ 140817TM85A3TDXXXXXX ]
Pool Member:    [ zroot: '/dev/ada1p4' ]
Proceed with GPT/ZFS bootcode update for the following geom: [ada1p2] (Y/n)?: y
Proceeding...
=> Updating GPT/ZFS bootcode on ada1p2
partcode written to ada1p2
bootcode written to ada1
=> Success!

Regards
#3
25.7, 25.10 Series / Re: BUG: ZFS RAIDZ BOOT!
September 29, 2025, 11:24:57 PM
This is one of the reasons I created the `bootcode-update` utility: to update my FreeBSD hosts' boot mirrors whenever I upgrade the zroot zpool or the GPT/EFI bootcode gets updated by freebsd-update. It also worked on RAIDZx when I tested it some time ago.

The `bootcode-update` utility can be found HERE, so you can see how it works and make your own script for update automation.

Be aware that this utility is an experimental attempt at this and I haven't updated it in a while, though I still use it at my own risk on my FreeBSD host and OPNsense. It does not yet support the new FreeBSD EFI gpt/label layout, just gpt/id, though I'm thinking of updating it.

Also be aware that updating the bootcode (GPT/EFI/ZFS) may prevent you from booting very old Boot Environments, as expected; in that case the user needs to manually mount said BEs and update the new bootcode files manually, or roll them back on the disks. If the zroot zpool was upgraded, that may also prevent old BEs from booting.

So always make sure you really want to update them.

Regards
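A worked example added here, not the `bootcode-update` utility from the posts above and not OPNsense code: a POSIX sh script that turns `gpart show -p` output into the two kinds of update the transcripts in the earlier post show, `loader.efi` copied onto every ESP (`efi` partitions) and `gpart bootcode` run against every `freebsd-boot` partition of every disk, so mirror or RAIDZ members are not missed. It prints the commands instead of running them, so the plan can be reviewed before piping it into `sh` as root. Assumptions of the example: the partition layout in `sample_gpart_output` is constructed for the demo, the mount point `/mnt/esp`, the `--demo`/`--plan` flags and the optional argument naming the ESP that the running system already has mounted at `/boot/efi` (which therefore must not be mounted a second time) are this example's own choices.

```shell
#!/bin/sh
# Added example: plan an EFI + GPT/ZFS bootcode refresh for every disk listed
# by `gpart show -p`. This is not the bootcode-update utility from the thread.

# Constructed sample of `gpart show -p` for two mirrored disks (demo input only).
sample_gpart_output() {
    cat <<'EOF'
=>       40  976773088  ada0  GPT  (466G)
         40     532480  ada0p1  efi  (260M)
     532520       1024  ada0p2  freebsd-boot  (512K)
     533544        984          - free -  (492K)
     534528   16777216  ada0p3  freebsd-swap  (8.0G)
   17311744  959461376  ada0p4  freebsd-zfs  (458G)
  976773120          8          - free -  (4.0K)

=>       40  976773088  ada1  GPT  (466G)
         40     532480  ada1p1  efi  (260M)
     532520       1024  ada1p2  freebsd-boot  (512K)
     533544        984          - free -  (492K)
     534528   16777216  ada1p3  freebsd-swap  (8.0G)
   17311744  959461376  ada1p4  freebsd-zfs  (458G)
  976773120          8          - free -  (4.0K)
EOF
}

# plan_bootcode_update [ESP_ALREADY_MOUNTED]
# Reads `gpart show -p` on stdin and prints, one per line, the commands that
#   - copy /boot/loader.efi onto every ESP (partition type "efi"), and
#   - rewrite pmbr + gptzfsboot for every "freebsd-boot" partition.
# The optional argument names the ESP provider (e.g. ada0p1) that is already
# mounted at /boot/efi; it is updated in place instead of being mounted again.
# Nothing is executed here; the caller reviews the plan and pipes it into sh.
plan_bootcode_update() {
    awk -v mounted="${1:-}" '
    $1 == "=>" { disk = $4; next }           # header: "=> start size DISK GPT (size)"
    $4 == "efi" {
        p = $3
        if (p == mounted) {
            dir = "/boot/efi"
        } else {
            dir = "/mnt/esp"
            printf "mkdir -p %s\n", dir
            printf "mount -t msdosfs /dev/%s %s\n", p, dir
        }
        printf "mkdir -p %s/efi/boot %s/efi/freebsd\n", dir, dir
        printf "cp /boot/loader.efi %s/efi/boot/bootx64.efi\n", dir
        printf "cp /boot/loader.efi %s/efi/freebsd/loader.efi\n", dir
        if (p != mounted) printf "umount %s\n", dir
        next
    }
    $4 == "freebsd-boot" {
        idx = $3                             # ada0p2 -> 2 (GPT partition index)
        sub("^" disk "p", "", idx)
        printf "gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i %s %s\n", idx, disk
    }'
}

# Usage (as root on the FreeBSD/OPNsense host):
#   gpart show -p | sh bootcode-plan.sh --plan ada0p1        # review the plan
#   gpart show -p | sh bootcode-plan.sh --plan ada0p1 | sh   # apply it
case "${1:-}" in
    --demo) sample_gpart_output | plan_bootcode_update ada0p1 ;;
    --plan) plan_bootcode_update "${2:-}" ;;
esac
```

The loader and boot blocks come from the currently booted environment, so the caveat from the post applies unchanged: after running the plan, very old Boot Environments may need their own bootcode refreshed by hand before they boot again.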
#4
25.7, 25.10 Series / Re: No IPV4 in 25.7
September 29, 2025, 11:01:15 PM
Hello, I'm not sure about your OPNsense setup, but you can go to [System: Gateways: Configuration] to add/edit GWs, then edit the Dashboard widget and add additional gateways:


I run a Transparent Filtering Bridge and have no DHCP servers active, as expected, so I really don't need it, but I just added the IPv4 GW for monitoring/informational purposes, to see whether it is up or down.

Regards
#5
Quote from: jade_nekotenshi on September 17, 2025, 04:49:10 PM
With a mirror, a three-way mirror almost makes more sense than a hot spare. Hot spares are more useful for RAIDZ/RAIDZ2.

+1 on this.

Also, with a single ZFS disk, one can export the latest Boot Environment to a safe place; it can later be imported in case of disk failure and you're back to working order in minutes. And now with the Dashboard Snapshots one can easily update/upgrade with peace of mind ;)


👉 Been using OPNsense since v16.x with Root on ZFS, way before the initial ZFS installer script was made, and I can tell it's pretty solid and stable.

Regards
#6
25.7, 25.10 Series / Re: Alias Creation Dashboard Errors
September 29, 2025, 01:43:50 PM
Quote from: franco on September 29, 2025, 12:47:38 PM
From the first validation screenshots you can see there is an extra whitespace at the end "3478 ", maybe that's a CR (\r) from Windows line endings or a spurious LF (\n) altogether being converted into a space, but that is strange input like

3478
,4379

What are you actually pasting? Just paste it here in the forum...


Cheers,
Franco

Hi @franco, I did notice those little spaces as well; Patrick mentioned it too, and I thought it was just the GUI output.
However, as you said, it was probably from copying stuff from random websites in a hurry while searching for Steam and some game ports to play behind the TFB.

I'm really sorry for all the noise, and this can be marked as solved. Next time I will check/format in my text editor before copying a bunch of ports from the web when creating aliases. Also, when entering host IPs manually, it requires a comma at the end of each IP too.

Regards
#7
25.7, 25.10 Series / Re: Alias Creation Dashboard Errors
September 29, 2025, 11:44:03 AM
Quote from: Monviech (Cedrik) on September 29, 2025, 11:24:06 AM
You can click on "text" below that field.

And then copy paste them as newline separated list:

172.16.1.1
172.16.1.2
172.16.1.3


Hi, yes, I selected the text icon and copied them; they populated as new lines and worked just fine.

Also, as "Patrick M. Hausen" said, I copied several IPs from a text file, pasted them in the Alias field and just hit Save, and that also worked just fine, as shown below:


I just tend to ignore the "Copy/Paste/Text" icons under the field box, but from now on I will select the "Text" icon to paste entries in order to avoid the previous errors.

Regards
#8
25.7, 25.10 Series / Re: Alias Creation Dashboard Errors
September 29, 2025, 11:19:24 AM
Quote from: Monviech (Cedrik) on September 29, 2025, 08:14:30 AM
10.0.0.300 is not a valid IP address

it only goes up to .255

@Monviech (Cedrik)
Wow ppfff -.-, indeed it only goes up to 255, just my bad; falling asleep after a too-busy weekend.


@Patrick M. Hausen
I just type addresses/ports into the field, and after adding a comma it automatically creates an entry breadcrumb and a space. In the meantime I will try pasting all these entries copied from a text document, separated only with commas, and try again to see how it goes.

Regards
#9
25.7, 25.10 Series / Re: Alias Creation Dashboard Errors
September 29, 2025, 07:51:32 AM
Quote from: Patrick M. Hausen on September 29, 2025, 06:55:21 AM
What do you mean by "one by one"? Are you pasting multiple entries at once? That works only if

- they are on a single line
- comma separated
- without any extra spaces

HTH,
Patrick

Hello @Patrick M. Hausen, I meant entering each IP/port one by one, unless I got lucky and the GUI accepted/recognized more than one "correct" entry.
Also, yes, separating them by commas automatically converts them into mini breadcrumbs; then, when clicking on the last entry, one or more entries fail, like in the screenshot below:


Indeed "10.0.0.300" is a correct alias entry; maybe something with the validation check/match, I dunno, as I haven't dug more in depth in this regard.

EDIT: Sorry for wrong IP entry error/mistake, forgot the night coffee cup -.-

System versions:

OPNsense 25.7.3_7-amd64
FreeBSD 14.3-RELEASE-p2
OpenSSL 3.0.17

Regards
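An added example, not OPNsense's own alias validator and not the poster's input, covering the two failure modes seen in this thread: the stray CR/whitespace behind a pasted `3478 ` and the out-of-range octet in `10.0.0.300`. It normalizes a pasted block into one entry per line (the single-line, comma-separated, no-extra-spaces shape the GUI expects) and then reports the entries that would be rejected, in POSIX sh plus awk. Assumptions of the example: host aliases are checked as IPv4 addresses or IPv4 CIDRs only (no hostnames, no IPv6), port aliases as single ports or `lo:hi` ranges; the function names, the `--demo` flag and the sample lists are this example's own, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: normalize a pasted alias list and flag entries the OPNsense
# alias form would reject (stray CR/whitespace, bad octet, bad port/range).
# Scope is an assumption of this example: IPv4 / IPv4-CIDR hosts, ports, lo:hi ranges.

# One entry per line: drop CRs from Windows line endings, then treat commas,
# spaces and tabs as separators and discard the empty fields that produces.
normalize_alias_entries() {
    tr -d '\r' | tr ', \t' '\n\n\n' | grep -v '^$'
}

# Exit 0 when $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Exit 0 for an IPv4 address or an IPv4 network in CIDR form (prefix 0..32).
valid_host() {
    case "$1" in
        */*) prefix=${1#*/}
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] && valid_ipv4 "${1%%/*}" ;;
        *)   valid_ipv4 "$1" ;;
    esac
}

# Exit 0 for a port in 1..65535 or a range lo:hi with lo <= hi.
valid_port() {
    case "$1" in
        *:*) lo=${1%%:*}; hi=${1#*:}
             case "$hi" in *:*) return 1 ;; esac      # only one colon allowed
             valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] ;;
        *)   case "$1" in ''|*[!0-9]*) return 1 ;; esac
             [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# check_alias host|port  < pasted-text
# Prints every rejected entry (one per line); exits 1 if there were any, else 0.
check_alias() {
    kind=$1
    bad=$(normalize_alias_entries | while IFS= read -r entry; do
              if [ "$kind" = host ]; then valid_host "$entry"; else valid_port "$entry"; fi \
                  || printf '%s\n' "$entry"
          done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Usage: check_alias port < pasted_ports.txt ; check_alias host < pasted_hosts.txt
case "${1:-}" in
    --demo)
        # Constructed inputs reproducing the two mistakes discussed in the thread.
        printf '3478\r\n,4379, 27015:27030,\t80abc\n' | check_alias port
        printf '10.0.0.1, 10.0.0.300,192.168.1.0/24\n' | check_alias host
        ;;
esac
```

Run the paste through `normalize_alias_entries` first and you get exactly the comma-free, one-per-line list that the "Text" paste mode accepts; `check_alias` then tells you which entries the form's own validation would bounce before you click Save.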
#10
25.7, 25.10 Series / Alias Creation Dashboard Errors
September 28, 2025, 11:59:33 PM
Hello, I'm not sure if this was already posted, but I'm having this issue whenever I create Ports/Host Aliases:

Sample Screenshots:

My solution is to create the content one by one; sometimes it works with two or more ports/hosts.
Regards
#11
Quote from: meyergru on April 17, 2025, 04:21:19 PM
Many routers tend to hand out only a /64 range, because they usually "think" that it is only one LAN connected to them - I mean that is in itself not a sure sign that your ISP does not hand out a larger prefix like /56 or /48 as per IA-PD. You would probably see that if you use the ISP router in bridge/modem mode and try bringing up the connection with OpnSense as the only router.

I cannot provide any specific instructions, because IDK that provider.


Hi @meyergru, yes, you are right; apparently this ISP is indeed locking domestic/home users to just one IPv6 LAN prefix, and the Bridge or DMZ thing does not work as intended either, hence why the ISP router in bridge or DMZ mode didn't work on the IPv6 side as expected when testing, and the user can't modify the prefix nor disable IPv6 in the ISP router.

To make things worse, I found that this ISP is nothing more than a [Carrier-Grade NAT] "cgnat.libertypr.net" with a dynamic/dynamic connection setup.

This boils down to: no matter what firewall/router is connected in between, it will not work as intended for the IPv6 stuff, and since more and more heavily loaded content-delivery-network websites/apps are using IPv6, it is not recommended to disable it completely like two decades ago.

I've confirmed this by completely disabling IPv6 only on my workstation/client, and all of these websites/apps loaded partially/broken, even when connected directly to the CGN ISP.

I will try to contact my ISP and ask if they can change this IPv6 prefix limitation, and if that is not possible, then wait patiently for further resolutions regarding CGN users with OPNsense.

For now I will enable the `ufw` firewall on my workstation and tighten my current `pf` settings on my FreeBSD server; even if it is a headache working with this stuff by hand, at least it is better than nothing.

Again thanks a lot for the suggestions @meyergru @cookiemonster @Seimus

Regards
#12
Quote from: meyergru on April 17, 2025, 01:38:33 PM
In that case you probably do not have an ISP "modem", but a router. I dislike those router-behind-router configurations, because they have several disadvantages (see point 4 here), however I know that outside of countries like germany, you sometimes cannot use a "modem-only" termination with some ISPs.

For IPv6 to work with such a configuration, you would have to configure IPv6 subdelegation. Essentially, most ISPs hand out a single IA-NA IPv6 and a /56 IA-PD IPv6 prefix from which you can take out parts to delegate to your (V)LANs.

This is explained for a specific example here.

That being said, I cannot see what/how your ISP actually delegates subnets, because there are no netmasks for either IPv4 or IPv6 in your picture.


Hi @meyergru, thanks again for the great info, much appreciated; gonna have a good read indeed.

You are right, I have an ISP cable modem and router combo that has its own DHCP/NAT/UPnP/Firewall etc. integrated; I have the habit of calling them ISP modems, yeah. By the way, it has the option for bridge mode, but I can't get IPv6/DNS6 to work regardless of whether it is bridged.

Also, this ISP gives just a /64 prefix for IPv6 that can't be changed; by the way, I don't know if it could be modified through telnet like in some ISP modems/routers, but I think it's better not to mess around with that before asking them for options.

I will post an image of the Arris cable modem/router IPv6/DNS config pane for reference indeed; hopefully this can be solved soon so I can order a Protectli box to play with.

Regards

ISP Cable/Modem IPv6 config:
#13
Quote from: meyergru on April 17, 2025, 11:57:16 AM
Are you really sure that the problem is about OpnSense? The way you describe it, you employ a great amount of blockers/privacy tools and other plugins in your browser which might interfere with dynamic websites. I would try to use another browser without those tools and try if one (or more) of these are the culprit.


Hi @meyergru, thanks for the input.

I've concluded that OPNsense is not the issue here, as previously noted; also, yes, I've tested with alternate clients and a laptop with Debian and fresh/stock Firefox, and had no luck with those sites/apps other than connecting directly to the ISP, same with Android and iPhone clients.

I'm leaning towards a possible IPv6 misconfiguration between the ISP modem and the firewall, since I got some IPv6 content when directly connected to the ISP but none when connected through the firewall, as shown in the image below; hopefully I will get some time to do more testing on this during the weekend.

Regards

Dynamic IPv6 content when connected to ISP directly(no bridge/DMZ modes though):
#14
Hello, here's an update.
I wanted to get more answers on this, but it looks like there is very little to no viable solution to this phenomenon yet.

Here's the latest testing process I performed:

1: Played with the MTU and IPv6 without luck.
2: Played with some interface settings and the hardware offloading stuff, no luck.
3: Completely disabled IPv6 in ISP modem and OPNsense to test, no luck.
4: Installed an old OPNsense version "21.7" for re-testing, no luck.
5: Tested with two different clients and a laptop, no luck.

Then I decided to test "that other firewall distro" and I was amazed it behaved exactly the same as OPNsense after playing with it; man, at that moment I got a wide ear-to-ear smile as I rapidly determined that OPNsense is not the issue here.

Since both firewalls behaved the same, I decided to reset my old but good Linksys EA8100v2 and connected it as a basic AP/router, and I was surprised it also behaved the same as in the previous tests: most websites load OK, but web pages/apps depending on any CDN/Google stuff were broken as well, yep, wow...

Also noticed that every time I restart the Arris ISP cable modem, the DNS/DNS64 servers change.

So I've concluded that something bizarre is happening between my ISP and OPNsense, even if the ISP modem is in bridge mode; definitely this phenomenon is caused by them, and it is very worrying that most of the websites/apps that are broken are the ones with the worst privacy concerns.

Currently I retired the HP Pro 6300 SFF/Linksys AP and connected my clients directly to the crappy ISP until I get some more time to debug this. Such a pity, as I was about to order a Protectli Vault V1211, but for now I will keep testing this issue on old hardware to determine if I should look around for ISP alternatives other than Liberty Cablevision LLC.

PS. Maybe I could try scanning/sniffing the network traffic and patiently reading the logs, lastly, if I can get some time to do so.

Regards
#15
Quote from: cookiemonster on April 15, 2025, 11:37:18 PM
I was thinking your ISP or your IP but if other hardware fixes, then that's out.
Brings to configuration really. I can only think of some service blocking (blocklists on unbound as an example but you checked that) or MTU or IPv6 settings. There is a good few resources here from meyergru that delve deep into those.

Hi cookiemonster, good point regarding MTU and IPv6; I will play around with those and also completely disable IPv6 on the ISP side and redo some testing to see what happens before hanging up the gloves.

Regards