1
23.7 Legacy Series / Re: 23.7.8 - Squid 6.4 unusable due to repeated crashes
« on: November 12, 2023, 07:01:30 am »
AFAIK "The other side" will pull squid support from next release(s) , due to the increasing security issues.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
23.7 Legacy Series / Re: Fatal Error When accessing the Administration page.
« on: November 08, 2023, 09:27:50 pm »
I have no port set in my ssh section , and have no issues.
That said, i didn't import any ssh stuff from pfSense
That said, i didn't import any ssh stuff from pfSense
3
23.7 Legacy Series / Re: Fatal Error When accessing the Administration page.
« on: November 08, 2023, 08:06:03 pm »Question to all, I'm not against reinstalling fresh again as long as I can import interface, DHCP, and Firewall settings from the export without breaking it again.
Would this be the best path forward? Seems like the consensus is that my import from PFsense might have broken it.
If you use vlans on the pfSense , note this - pfS IF name adaptation you have to do , before the IF import
https://forum.opnsense.org/index.php?topic=36683.msg179265#msg179265
My pfS to OPN journey (still WIP)
https://forum.opnsense.org/index.php?topic=36683.msg179176#msg179176
I haven't had any php exceptions, doing the steps described in the journey.
4
General Discussion / Re: New user - Migrating from "pfSense - CE 2.7.0" to OPNsense
« on: November 08, 2023, 06:50:02 pm »
Just had a "Weird one" ...
All my ICMP rules had a syntax error.
Now i found out that the "Dot" in "Top right" is NOT supposed to be RED
That means there's an error.
Clicking the red dot revealed this:
Solution was "easy" : Edit the ICMP rule , and press save.
But i had to do it for every ICMP rule i had... Well easy fix.
Now there's no more "Red - DOT"
All my ICMP rules had a syntax error.
Now i found out that the "Dot" in "Top right" is NOT supposed to be RED
That means there's an error.
Clicking the red dot revealed this:
Solution was "easy" : Edit the ICMP rule , and press save.
But i had to do it for every ICMP rule i had... Well easy fix.
Now there's no more "Red - DOT"
5
Tutorials and FAQs / pfSense CE-2.7.0 to OPNsense 23.7 - Migration Help/Tips guide
« on: November 08, 2023, 02:19:16 pm »
This is still a work in progress , but would help in migrating from pfSense to OPNsense
https://forum.opnsense.org/index.php?topic=36683.0
https://forum.opnsense.org/index.php?topic=36683.0
6
23.7 Legacy Series / Re: forced reboot results in IP address errors
« on: November 06, 2023, 05:48:27 pm »
Btw:
I just learned about one reason, for the interface migrater to reassign interfaces on boot.
Using (The new) pfSense 2.7.0 Vlan's and Vlan-Interface names
https://forum.opnsense.org/index.php?topic=36683.msg179265#msg179265
I just learned about one reason, for the interface migrater to reassign interfaces on boot.
Using (The new) pfSense 2.7.0 Vlan's and Vlan-Interface names
https://forum.opnsense.org/index.php?topic=36683.msg179265#msg179265
7
General Discussion / Re: New user - Migrating from "pfSense - CE 2.7.0" to OPNsense
« on: November 06, 2023, 04:58:33 pm »
Import Nat/Portforwarding
Importing NAT/Portforwarding seems straight forward.
Just select Restore -> Restore Area : NAT
Ps
I did set OPNsense Outboud NAT mode to match the mode i use in pfS , before the import.
But the mode seems to be included in the pfS config.
PPs:
My NAT is super simple... Two portforward rules , and Outound Nat
So this import might not be tested very well.
Importing NAT/Portforwarding seems straight forward.
Just select Restore -> Restore Area : NAT
Ps
I did set OPNsense Outboud NAT mode to match the mode i use in pfS , before the import.
But the mode seems to be included in the pfS config.
PPs:
My NAT is super simple... Two portforward rules , and Outound Nat
So this import might not be tested very well.
8
General Discussion / Re: New user - Migrating from "pfSense - CE 2.7.0" to OPNsense
« on: November 06, 2023, 04:53:15 pm »As far as I can tell Mega's issue in interface mismatch and reset is the newer VLAN layout in pfSense which is e.g. em1.444 vs. the compatible one em1_vlan444.
There's no way short of doing a search and replace to fix this properly, because the system will miss that this is a VLAN interface and behave oddly afterwards as well (even with lock being set).
Cheers,
Franco
I have addressed the "Incompatibility here", according to Franco's description ... Thnx again
https://forum.opnsense.org/index.php?topic=36683.msg179265#msg179265
Hopefully the adaptation of the pfS config file , will produce valid vlan names for OPNsense
9
23.7 Legacy Series / Re: forced reboot results in IP address errors
« on: November 06, 2023, 06:41:57 am »I'm as green a June grass here - - - where do I find this 'Prevent Interface removal' tick box - - please?
In the Interfaces section - On every IF definition
10
23.7 Legacy Series / Re: forced reboot results in IP address errors
« on: November 05, 2023, 05:02:03 pm »QuoteAre you still booting from the installer ISO? How else could you fall back to what seem to be the default settings?
Well i had somewhat the same experience here
https://forum.opnsense.org/index.php?topic=36683.msg179463#msg179463
I had the console active, and discovered that OPNsense was somehow thinking it had to run the "interface importer" on rebot. And then you'll end up with Lan on first phys , and Wan on 2'nd.
My solution was to tick "Prevent Interface removal" , on every interface.
So it is possible to get your interfaces reassigned, if/when some "Boot time algo" decides "No default interfaces found - Running interface assignments".
That said I was importing lot's of interfaces from a pfS config ...
But they all looked valid before the reboot.
And was left "untouched" on boot , if i ticked "Prevent Interface removal" ...
I'll be ticking that on all my IF's .. Don't want any surprises.
11
General Discussion / Re: New user - Migrating from "The Other One - CE 2.7.0" to OPNsense
« on: November 05, 2023, 10:44:17 am »
Importing firewall rules
I urgently suggest you to NOT do this with your wan connected to the Internet.
I have my wan configured for dhcp, and connected to an "inside" vlan on my existing setup.
After being 100% sure your Aliases and Interface assignments are imported correctly
See here for Interface import
https://forum.opnsense.org/index.php?topic=36683.msg179463#msg179463
And make sure every interface has same assignment as on the pfS
ALL Interface assignments must match excactly across OPN and pfS configs.
Especially pay attention to the optXX assignments, as they reflect the way (time) they were created on the pfS.
When you are sure the IF's are assigned/numbered the same way.
You could import the - Restore Firewall rules section from the pfS config.
Pay attention to "NOT locking your self out" of the target OPNsense box.
Or make sure you have a console attached, and after restore run temporarily disable the OPNsense firewalling by running a : pfctl -d
And now make a firewall rule allowing you access again.
Then enable the firewall by running a : pfctl -e - Or just reboot.
I have not had time to walk through my rules yet, but at first glance tth result seems "Not bad at all ..."
As a minimum do review the rules on your WAN interface, before connecting it to the internet.
And preferably review rules on all interfaces, before setting the "Box in prod".
ICMP Rules - Reports error
I noticed a red dot here -Statusbar - Top Right
And when clicking on it it showed a firewall rule that had a syntax error.
It turned out that ALL my imported ICMP rules had syntax error.
Solution was easy : Edit the rule , and press "Save"
But i had to do it for every ICMP rule i had made ... Well an easy fix.
It is probably a good idea to edit every rule, and just press save.
Based on a few diffs , it seems like the rules are "rewritten" to fit the OPNsense syntax, when editing, and just presing save.
Ie. All my "Disabled rules" har a strange state , where they were "Geyed out, the the text", but still had color on the icon all the way to the left ... "That should be black" - Editing the rule fixed that, and so did a select & disable.
I urgently suggest you to NOT do this with your wan connected to the Internet.
I have my wan configured for dhcp, and connected to an "inside" vlan on my existing setup.
After being 100% sure your Aliases and Interface assignments are imported correctly
See here for Interface import
https://forum.opnsense.org/index.php?topic=36683.msg179463#msg179463
And make sure every interface has same assignment as on the pfS
ALL Interface assignments must match excactly across OPN and pfS configs.
Especially pay attention to the optXX assignments, as they reflect the way (time) they were created on the pfS.
When you are sure the IF's are assigned/numbered the same way.
You could import the - Restore Firewall rules section from the pfS config.
Pay attention to "NOT locking your self out" of the target OPNsense box.
Or make sure you have a console attached, and after restore run temporarily disable the OPNsense firewalling by running a : pfctl -d
And now make a firewall rule allowing you access again.
Then enable the firewall by running a : pfctl -e - Or just reboot.
I have not had time to walk through my rules yet, but at first glance tth result seems "Not bad at all ..."
As a minimum do review the rules on your WAN interface, before connecting it to the internet.
And preferably review rules on all interfaces, before setting the "Box in prod".
ICMP Rules - Reports error
I noticed a red dot here -Statusbar - Top Right
And when clicking on it it showed a firewall rule that had a syntax error.
It turned out that ALL my imported ICMP rules had syntax error.
Solution was easy : Edit the rule , and press "Save"
But i had to do it for every ICMP rule i had made ... Well an easy fix.
It is probably a good idea to edit every rule, and just press save.
Based on a few diffs , it seems like the rules are "rewritten" to fit the OPNsense syntax, when editing, and just presing save.
Ie. All my "Disabled rules" har a strange state , where they were "Geyed out, the the text", but still had color on the icon all the way to the left ... "That should be black" - Editing the rule fixed that, and so did a select & disable.
12
General Discussion / Re: New user - Migrating from "The Other One - CE 2.7.0" to OPNsense
« on: November 02, 2023, 01:14:03 pm »
Import Certificates
My Certs imports wo problems.
Import OpenVPN
My OVPN imports , but when trying to change settings it was giving a: Interface has no ip addr - Error.
Turned out to be : The WAN needs to be up & running (have ip).
Also if using TLS Key ... Check that TLS Key Usage matches the other end ... mine didn't.
I use TLS Enc + Auth on the pfS, and had to change to that on opnSense VPN's
And make sure Compression matches other end. I used "No Preference" (should match Disable compression on pfS)
My Certs imports wo problems.
Import OpenVPN
My OVPN imports , but when trying to change settings it was giving a: Interface has no ip addr - Error.
Turned out to be : The WAN needs to be up & running (have ip).
Also if using TLS Key ... Check that TLS Key Usage matches the other end ... mine didn't.
I use TLS Enc + Auth on the pfS, and had to change to that on opnSense VPN's
And make sure Compression matches other end. I used "No Preference" (should match Disable compression on pfS)
13
23.7 Legacy Series / Re: LAN side has no connectivity since 23.7.7_3 install
« on: October 31, 2023, 09:02:06 pm »
I'm an OPN newbie , but saw this one on reddit
https://www.reddit.com/r/OPNsenseFirewall/comments/17ibl22/open_sense_upgrade_to_2377_3_breaks_internet/
https://www.reddit.com/r/OPNsenseFirewall/comments/17ibl22/open_sense_upgrade_to_2377_3_breaks_internet/
14
General Discussion / Re: New user - Migrating from "The Other One - CE 2.7.0" to OPNsense
« on: October 31, 2023, 06:30:53 pm »
I haven't had much faith in CE since they made PLUS
The only reason i didn't switch to OPN back then, was that they made PLUS free for Home+Lab (HL) use.
But now i have "downgraded" my PLUS boxes to CE, as they write HL registered systems won't get any upgrades without a $129/yr subscription.
So i will still convert my home boxes to OPNsense.
Who knows when they do another "CE surprise", or if CE will slowly "obsolete to death" ...
I think the reviving of the TAC-Lite $129/yr subscription, was to keep SMB's on PLUS.
And at least cash in the smaller fee, instead of nothing.
But i think a lot of users have lost trust in them, no matter what broken promises they are reviving.
I feel sorry for the people that might not be capable of migrate to OPN ...
They might be trapped over there.
Maybe OPNsense Tech-Support could offer a "Basic config" conversion to OPN if the customer ie. pays for a 2..3/yr subscription up front. Or maybe if the customer buys a DEC Box ...
The only reason i didn't switch to OPN back then, was that they made PLUS free for Home+Lab (HL) use.
But now i have "downgraded" my PLUS boxes to CE, as they write HL registered systems won't get any upgrades without a $129/yr subscription.
So i will still convert my home boxes to OPNsense.
Who knows when they do another "CE surprise", or if CE will slowly "obsolete to death" ...
I think the reviving of the TAC-Lite $129/yr subscription, was to keep SMB's on PLUS.
And at least cash in the smaller fee, instead of nothing.
But i think a lot of users have lost trust in them, no matter what broken promises they are reviving.
I feel sorry for the people that might not be capable of migrate to OPN ...
They might be trapped over there.
Maybe OPNsense Tech-Support could offer a "Basic config" conversion to OPN if the customer ie. pays for a 2..3/yr subscription up front. Or maybe if the customer buys a DEC Box ...
15
General Discussion / Re: New user - Migrating from "The Other One - CE 2.7.0" to OPNsense
« on: October 31, 2023, 02:22:44 pm »Once you are done with your migration you will be the migration expert
I would actually advice as well if you are willing to create a full fledged guide on the Tutorials and FAQs section once you are done with the migration.
https://forum.opnsense.org/index.php?board=24.0
Summarizing all what can be migrated and which way. Would be helpful for others as well.
Regards,
S.
Hi Seimus
I doubt i'll be making a document of the conversion.
I'll be describing it in this thread , and make Bold entries in the first post, to relevant posts in this thread.
I'll do the bold entries as a kind of index, so you don't have to scan the full thread.