Messages

1

24.7 Production Series / Re: enabling boot environments

« on: September 18, 2024, 03:47:39 am »

about a year ago i purchased an opnsense racl appliance9the model escapes me at the moment).  did these last gen devices not ship with zfs by default?

Hello, if such appliance is running of an "USB/SDCard/CF" or similar, leave it as is(UFS), however if such appliance can run on either single or a pair of "NVMe/M.2/SSD/HDD" then ZFS is the next-gen enterprise file system you want with vast of features/utilities.

The default On-Dashboard Boot-Environments(Snapshots) can "preview/create/name-edit/destroy", a must have tool for upgrades, quick-rollback testing etc, but not limited too, you can use CLI tools to backup/restore to/from remote servers as well for easy disaster recovery etc.

Kudos to the OPNsense/Deciso team for such formidable work and bring the ZFS file system on the installer.

P.S. Sorry forgot to add the attached images as Preview Thumbnails.

2

22.7 Legacy Series / Small Cosmetic Bug, Device Hostname

« on: August 11, 2022, 11:21:33 am »

Hi, this is an old yet small cosmetic bug, in some pages the device name or hostname isn't displaying properly when it contain spaces, looks like some users like to name their network devices with spaces which difficult the device identity initially, since this hasn't been fixed yet just posted as reminder.

For example the "dhcpd.leases" are showing client-hostname correctly but somehow not being parsed properly.

Example images:

3

General Discussion / Re: Please help me understand boot environments

« on: August 10, 2022, 03:03:18 pm »

Boot loaders are at least supposed to always be backwards compatible. If you ever upgrade your zpool, you need to upgrade your boot loader, too. But a downgrade should never be necessary.

Yeah it just happens that I've ran into boot issues/broken EFI console in the past and and I'm still skeptical about bootcode upgrade, though I think I should make some testing on VM's in this regards.

Also agreed that a downgrade should never happens, but sometimes jumping into bleeding edge makes you wanting to rollback when you later discover that something can't be easily fixable on time.

Regards

4

General Discussion / Re: Please help me understand boot environments

« on: August 10, 2022, 12:53:53 pm »

Hi, some time ago I've  created a TUI wrapper around beadm/bectl to ease the Boot Environments backups(exports) to either local or remote servers through SSH.

Each time I upgrade either FreeBSD and OPNsense to a major version I backup the current BE to my server and and after backup completes I create a new BE and reboot into it to perform the upgrade.

Here is the little utility: Bemanager
Here is the source: Bemanager at GitHub
There is no manual on how to configure it but the sample config have some hints.

Notes:
Be aware that after upgrading to a major version, if the user upgrades the bootcode GPT/BIOS/EFI, in order to rollback to a previous BE, the user must mount the previous BE containing the older bootcode and perform a downgrade from its files under "/boot", however if the user upgrades the ZFS pool feature flags, this may lock-down the ability to easily rollback to a previous BE*.

*The solution is to backup the wanted previous BE, then reinstall a FreeBSD/OPNsense version matching the previous version then import back the Boot Environment regardless of the disk layout, e.g. I've exported a BE from a single disk to later import that BE to a mirrored setup with good results.

Unfortunately haven't enough time to read the plugin development manual to make an Boot Environments manager plugin for the OPNsense GUI to perform basic tasks from.

ZFS Boot Environments Reloaded by Sławomir Wojciech Wojtczak (vermaden)

Regards

5

General Discussion / Re: Access Point(AP) web access between LAN and OPT

« on: August 09, 2022, 01:22:50 pm »

Hello, I've decided not to complicate myself with NAT/firewall rules/ect between two different ip/subnets in my home lab, so I've decided to just bridge the HP NC360T ports to act like an 2 port switch and stay with the default 192.168.1.1 for simplicity sake.

Will mark the OP as solved.

6

General Discussion / [SOLVED]Access Point(AP) web access between LAN and OPT

« on: August 09, 2022, 07:49:41 am »

Hello, only have basic knowledge here regarding networking/firewall in general so I think this is the best forum section for asking such question/help, really sorry if should be in another sub forum.

I've recently switched from a basic OPNsense setup with just WAN + LAN, to WAN + LAN + OPT to have two routes, main one for my home LAB and secondary one for the rest of the house locations, since then I've been struggling trying to access from my workstation(192.168.1.200) the Access Point's located on the secondary route(192.168.2.1), I've followed several OPNsense how-to's around the net and read the OPNsense online manual but I was unsuccessful.

So the question is what should be the best way to do this, through NAT-Port-Forward, Firewall-Rule(s) or through Routing, also since an illustration can say a lot of things I will post an image of my setup for convenience.

Wanted scenario:
Gbe Client Admin want to access the Access Point's 192.168.2.10 and and 192.168.2.11 Web Interface, pretty sure after setting up access for one I will know how to do this for the rest, also 192.168.1.200 can ping OPT 192.168.2.1.

System specs:
OPNsense 22.7_4-amd64
FreeBSD 13.1-RELEASE
OpenSSL 1.1.1q 5 Jul 2022
CPU: i5-2390T
RAM: 8GB
Disk: 2.5" HDD/RootOnZFS

Setup diagram:

7

20.1 Legacy Series / Re: ZFS Installer Test Help

« on: March 08, 2020, 08:39:24 am »

Hi mimugmail, those are really great news definitely.

I will be happy to test that Alpha release on my hardware instead.

Regards

8

20.1 Legacy Series / ZFS Installer Test Help

« on: March 08, 2020, 07:43:58 am »

Hello, In response to this now old thread

I've been a bit busy lately hence can't responded in time on the previous old thread.

However had some time and made a "fast draft" update to the opnsense.sh developed by franco in hope to get some feedback about the ZFS installation process/functionality, it currently supports ISO files only as the source media in this test installer, but will fully support USB installers as well based on the testing feedback.

I've currently tested only on GPT/UFS and GPT/ZFS and seems to work well here, though I've only focused in the ZFS filesystem and more testing is much welcome.

Small video showing bsdinstaller working HERE

Testing sources can be found HERE

The current proposal does copy the files freshly from the source media, and does not requires for the live media to carry the base.txt etc. tarballs files, keeping the same size for convenience.

P.S. Note that the file copying process does not have a percentage gauge yet. 

Regards

9

19.7 Legacy Series / OPNsense built-in ZFS Installer Ideas

« on: December 07, 2019, 10:25:53 pm »

Hello, I'm really sorry for posting a another thread about this topic, however since I posted in an already Legacy product thread, it may worth to just point for it instead of duplicating.

Here are some ideas, test files for a simple built-in OPNsense ZFS installer, actually the "bsdinstall" route is the best approach in my personal opinion, though there are several ways to accomplish this eventually.

Regards

10

19.1 Legacy Series / Re: 19.1.4 ISO - ZFS install option missing?

« on: December 03, 2019, 06:55:27 pm »

Hello, I also use here the bootstrap installer for OPNsense ZFS install and is working just fine. 
However looks like there's still many users requesting for a built-in ZFS installer, especially newcomers and/or users afraid of the command line, or simply an online installation is not possible.

Short story:
I was also thinking on doing something similar for NAS4Free/XigmaNAS few years ago, adding the bsdinstall, but since its main Embedded roots don't have much of acceptance, so I created a very simple ZFS installer single script solution(already added in base) to keep a small footprint and file count as minimum as possible, yet its process is based from latest bsdinstall with Boot Environments compliant which is a must.

Simple single script method:
Here is a small video showing how it works in OPNsense with very small edit, the little script does offers to install in ZFS Stripe, Mirror and RAID10, as well as for Swap geli encryption option, currently supports MBR, GPT, UEFI and GPT+UEFI install options during its dialog driven installation.

I would be happy enough to contribute the ZFS installer to the OPNsense devs so they can update/modify/adapt as needed. 

Datasets creation process by the installer(same as bsdinstall):

Code: [Select]

zfs create -o mountpoint=none "zroot/ROOT"
zfs create -o mountpoint=/ "zroot/ROOT/default"
zfs create -o mountpoint=/tmp -o exec=on -o setuid=off "zroot/tmp"
zfs create -o mountpoint=/usr -o canmount=off "zroot/usr"
zfs create -o setuid=off "zroot/usr/ports"
zfs create -o mountpoint=/var -o canmount=off "zroot/var"
zfs create -o exec=off -o setuid=off "zroot/var/audit"
zfs create -o exec=off -o setuid=off "zroot/var/crash"
zfs create -o exec=off -o setuid=off "zroot/var/log"
zfs create -o atime=on "zroot/var/mail"
zfs create -o setuid=off "zroot/var/tmp"
Here is the Disk usage widget after new install boot:


P.S. Please fast forward the video during Unbound DNS after reboot to see the zpool/disk gpart layouts.

The BSDINSTALL method:
Here is a small video showing a very simple install progress using the "bsdinstall" approach, it just need for the distfiles to be placed in "/usr/freebsd-dist" with a sane MANIFEST generated file, then explicitly add the mandatory files under bsdinstall/auto to only show optionals in the dialog if any such debug/extras dist files, additionally place customs in the bsdinstall/config to properly generate/append to config files.

One drawback is that this method required for the OPNsense distfiles to be included in the distribution as expected, however a small edit in the bsdinstall can take the files already present in the ISO and copy them to the target media like in the previous single script method, though I still prefer the bsdinstall personally and follow standards whenever possible.

Here is the test examples for reference.

Regards

11

19.7 Legacy Series / Re: Smart status now yellow "unknown"

« on: August 19, 2019, 12:59:35 pm »

If you haven't already done so, please add your comments or subscribe to the Github issue submitted here: https://github.com/opnsense/plugins/issues/1415

done :-)

Thanks, after manually applying the fix, "SMART Status" widget start working correctly with an "OK" on my healthy SATA disk.

Regards

12

General Discussion / Re: LDAP groups

« on: July 29, 2018, 05:51:13 am »

I agree with post #3, perhaps as an outboard plugin as usual, so is up to the user to add risky and/or unrelated to firewall functionality, plus avoid bloatware.

13

General Discussion / Re: ZFS

« on: July 06, 2018, 01:36:13 pm »

Sorry to poke here again, I just wanted to post my latest simple beadm TUI wrapper, it now supports full Boot Environments replication to .xz compressed files, this creates a replica(zfs send) of your last saved Boot Environment/Snapshot(I use zfsnap for rolling snapshots), then piped to xz regardless of the ZFS RAIDX used.

This can be later restored if you lost your boot drive(s) or simply want to replicate pre-configured setups to alternate hardware/VM's for convenience, note that this tool can backups your BE's to same boot drive as well(I use a 2.5" 250GB HDD w/o issue) and later exported to whatever location or even your desktop with simple tools like FileZilla/WinSCP through SSH, but is not limited to, you can edit the tool and save BE's to a network location as well.

This might help someone with PHP skills to make a similar(optional) plugin I think, Bemanager at GitHub.

Images and sample config file HERE

Regards

14

General Discussion / Re: OPNsense versus pfSense

« on: June 27, 2018, 09:05:15 pm »

Just to add, while already experienced with this kind of appliances, and with a relatively very simple home network, after looking/testing some consumer routers with DD-WRT, m0n0wall, pfSense, and OPNsense, I rapidly felt a huge stability and responsiveness with OPNsense myself with my rather old E7600 and 4GB RAM, setting things up is a breeze and it just works, no frills at all here also BSD licese.

Currently running ClamAV, Traffic Shaper, SSH, PF, Suricata/IDS, DNS etc. and the CPU mostly sitting at 5% with some random 25~35% peaks sometimes, and 35% RAM usage after a while.

Note that I'm running OPNsense 18.1.10-amd64 RootOnZFS with Boot Environments hence abit more RAM due the ZFS ARC usage which is expected, still don't feel the need to add more RAM though.

Overall a pretty solid product, an easy and functional clean interface, did I mentioned the BSD license.

Regards

15

General Discussion / Re: Port forward behind ISP Router

« on: June 27, 2018, 04:23:18 pm »

I think I found a quick working solution to workaround this Locked ISP/Carrier Grade NAT issues, is a no install required service called Serveo, an SSH server remote port forwarding, while may not fit every solution, home/soho can benefit from it I think.

I just created a script to fit my needs with a heartbeat loop to auto reconnect upon remote host possible disconnections/target machine availability, and is working great so far from OPNsense appliance itself since its 24/7.

Maybe a very simple plugin supporting this and similar services could be useful, will take a look into it by the way.

Regards