Messages - user1234

#1
23.7 Legacy Series / what populates /etc/hosts
November 21, 2023, 10:49:02 PM
On my opnsense install the /etc/hosts file has a single entry for the firewall but I can't work out how it selects which address to use.

root@firewall:~ # cat /etc/hosts
127.0.0.1       localhost       localhost.home
::1             localhost       localhost.home
192.168.2.254   firewall        firewall.home


My firewall has 8 vlans with IPs on and it appears to select one to put into the hosts file.
Is there a way to influence which IP address is used?
#2
23.7 Legacy Series / Re: Serial console com port change
November 21, 2023, 12:17:00 PM
Comparing the two ports using stty -a -f /dev/ttyu0 shows the difference between the ports is ttyu0 has "clocal" and ttyu1 has "-clocal"
#3
23.7 Legacy Series / Re: Serial console com port change
November 21, 2023, 12:04:38 PM
I have tried a number of different things now but nothing seems to work.
I have tried adding hint.uart.0.disabled=1 to disable the first uart.

Also tried hint.uart.1.flags=0x10 but no luck.

Strangely when I test the serial port via echo "test" > /dev/ttyu1 it hangs and does not send. Doing this on /dev/ttyu0 works fine.

I know the hardware works as I booted into an Ubuntu live image and both serial ports work on there.

Any ideas?
#4
23.7 Legacy Series / Re: Serial console com port change
November 16, 2023, 04:23:04 PM
Thanks that is really useful.
Ideally I would like to add ttyu1 as an additional console, so this would mean editing the /etc/ttys file to be "onifexists".

My follow-up question is: how do I make the /etc/ttys file persistent? Can this be set via the opnsense interface?

Thanks
#5
23.7 Legacy Series / Serial console com port change
November 16, 2023, 03:22:59 PM
Is it possible to specify which serial port to use? e.g. /dev/ttyu1

My board has two serial ports and I can see the console on /dev/ttyu0 but not /dev/ttyu1.
I would like to use /dev/ttyu1 if possible.
#6
20.7 Legacy Series / Re: OpenVPN multiple server issues
January 06, 2021, 11:47:07 AM
It didn't work for long.

I think I have worked out another solution. If I "disable reply-to" on the rules everything works nicely.
An alternative solution seems to be adding the assigned vpn interface to a firewall group and setting the firewall rules here.

Is this a bug or expected?
#7
20.7 Legacy Series / Re: OpenVPN multiple server issues
January 05, 2021, 11:38:40 PM
It has started working again now, seems that a reboot of opnsense is required after assigning the interfaces otherwise I get strange behaviour. Will confirm this is the same on the other opnsense instance tomorrow.

Update: correction, this was a different problem. The problem still exists.
#8
20.7 Legacy Series / Re: OpenVPN multiple server issues
January 05, 2021, 10:14:28 PM
Originally I didn't assign interfaces and I set the firewall rules via the OpenVPN group so both vpn servers had the same firewall rules. Doing this, when connecting to the first vpn traffic was routed, but when connecting to the second vpn no traffic appeared to be routed.

I have since tried assigning interfaces for each and setting firewall rules but this has not helped.
#9
20.7 Legacy Series / OpenVPN multiple server issues
January 05, 2021, 09:26:50 PM
I have found a strange issue on opnsense 20.7.7_1-amd64 when running multiple OpenVPN servers.

The first server seems to work fine but I am finding the second server (configured the same but with different tunnel subnet and port) users can connect to the VPN but none of their traffic is routed.

I have tested this on two separate opnsense instances and both had strange routing/firewall problems with the second OpenVPN server.

Any ideas why this might happen?
#10
20.7 Legacy Series / Re: unqualified DNS query unbound
August 13, 2020, 09:37:45 AM
I have a domain for the system set to "home" in System: Settings: General.
I then have an override on the unbound DNS for "server1" with domain set to "home".

If I try and resolve the name "server1" from a machine without DNS search domain set i.e. a DNS lookup for "server1." it fails. If I do a request for "server1.home" it works.

What I need is the ability for the "server1." request to resolve to "server1.home" as I have a lot of embedded devices which do not support DNS search domains.

Should this work by default with opnsense?
#11
20.7 Legacy Series / Re: unqualified DNS query unbound
August 12, 2020, 08:44:43 PM
Yes, I have added it to the host overrides but it isn't picked up unless I specify the fqdn.
#12
20.7 Legacy Series / unqualified DNS query unbound
August 11, 2020, 08:03:31 PM
Is it possible to set a default domain on unbound so if a DNS request comes in for a hostname (not fqdn) it appends a default domain to it?
e.g. DNS request for 'printer.' gets mapped to 'printer.home'

Currently I can't get these requests to resolve to anything even with static mappings.
#13
19.7 Legacy Series / Gateway up/down email alerts
November 03, 2019, 07:22:27 PM
I am trying to get alerts for gateway status. e.g. I would like to receive an email saying gateway x went down at 12:34 03/11/19 and then another email when it came back again.
Unfortunately if the gateway goes down it can't send an email as there is no internet connection so the email would have to be cached until internet is restored. My old firewall used to do this perfectly but I can't find a way to do this on opnsense.
I have found the monit gateway_alert service but this doesn't seem to work for me, possibly because I am not using gateway groups or because the email notifications are failing to send due to no internet.

Is it possible to get opnsense to do what I want or am I better off using an external system to monitor the gateway?
#14
Hardware and Performance / Re: OpenVPN performance
January 11, 2019, 05:56:08 PM
I know the CPU is pretty old so I can't expect much, but I still don't understand why the process sits at 45% with the rest of the system idle. I would have thought even without AES-NI I could max out a core, unless there is a bottleneck somewhere else? I couldn't work out how to test if the system was limited by IO or buffers or the NIC.

bartjsmit: I did wonder about multiple connections but it is not easy to change the server as I don't have access to it at the moment. Maybe this is a solution in the long term.

Thanks for the help
#15
Hardware and Performance / OpenVPN performance
January 09, 2019, 06:04:02 PM
I am running OPNSense on a Xeon X5550 box. We have a 1Gb link to an OpenVPN server which we have tested can provide 800Mb using a desktop PC.
When we use the OPNSense box to connect to the VPN it can only provide 200Mb of throughput through the VPN. I have ssh'd into OPNSense and it only ever appears to be using 45% of a single CPU core. I know OpenVPN is single threaded so I can't expect much, but is it possible to debug what is the bottleneck and why the openvpn process is not using more than 45%?