Messages - user1234

#1
High availability / Re: Packet loss on HA backup firewall
December 06, 2025, 06:51:21 PM
Unfortunately, I have little control over the switches on the WAN side, as there is only a single unmanaged switch on the WAN side between the firewalls and the ISP modem.
Looking at the ARP table on each firewall, I can see some inconsistencies. For my LAN VIP I can see it is using an ICANN MAC address; however, for the WAN VIP it is using the same MAC address as one of the physical WAN interfaces. I guess this could be causing issues?
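A CARP VIP should answer ARP with the IANA-assigned virtual MAC 00:00:5e:00:01:&lt;VHID&gt;, never with a member's physical MAC. The following Python check is an added example, not code from the thread or from OPNsense: it parses FreeBSD `arp -an` output and flags a VIP whose MAC is wrong or shared with a physical interface. The member addresses 172.18.0.101/.102 follow the thread; the VIP addresses, VHIDs and MACs in the sample are constructed.

```python
import re

# CARP (like VRRP) answers for a VIP with the IANA virtual MAC 00:00:5e:00:01:<VHID>.
VRRP_OUI = "00:00:5e:00:01"

# FreeBSD `arp -an` line, e.g.:
# ? (172.18.0.100) at 00:00:5e:00:01:01 on em0 expires in 1190 seconds [ethernet]
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<ifname>\S+)", re.I)


def parse_arp(text):
    """Return {ip: (mac, ifname)} from `arp -an` output; lines without a MAC are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            entries[m.group("ip")] = (m.group("mac").lower(), m.group("ifname"))
    return entries


def carp_mac(vhid):
    """Expected virtual MAC for a CARP VHID (1..255)."""
    return f"{VRRP_OUI}:{vhid:02x}"


def check_vips(entries, vips, physical_ips):
    """vips: {vip_ip: vhid}; physical_ips: the members' real addresses.
    Returns a list of problem strings (empty when every VIP looks right)."""
    phys_macs = {entries[ip][0]: ip for ip in physical_ips if ip in entries}
    problems = []
    for vip, vhid in vips.items():
        if vip not in entries:
            problems.append(f"{vip}: no ARP entry")
            continue
        mac, _ = entries[vip]
        if mac in phys_macs:
            problems.append(f"{vip}: resolves to physical MAC {mac} of {phys_macs[mac]}, not a CARP MAC")
        elif mac != carp_mac(vhid):
            problems.append(f"{vip}: MAC {mac} is not the expected CARP MAC {carp_mac(vhid)}")
    return problems


# Constructed sample: the WAN VIP (.100, VHID 1) wrongly shares .101's MAC; the LAN VIP (VHID 2) is fine.
SAMPLE_ARP = """\
? (172.18.0.1) at 00:11:22:33:44:01 on em0 expires in 1100 seconds [ethernet]
? (172.18.0.100) at 52:54:00:aa:bb:01 on em0 permanent [ethernet]
? (172.18.0.101) at 52:54:00:aa:bb:01 on em0 permanent [ethernet]
? (172.18.0.102) at 52:54:00:aa:bb:02 on em0 expires in 900 seconds [ethernet]
? (192.168.1.1) at 00:00:5e:00:01:02 on em1 permanent [ethernet]
"""


def sample_findings():
    entries = parse_arp(SAMPLE_ARP)
    return check_vips(entries, {"172.18.0.100": 1, "192.168.1.1": 2}, ["172.18.0.101", "172.18.0.102"])


if __name__ == "__main__":
    for p in sample_findings() or ["all VIPs use their CARP MAC"]:
        print(p)
```

Run it against the real `arp -an` output of each node and compare; a VIP that shows a physical MAC on the backup is exactly the mismatch described above.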
#2
High availability / Packet loss on HA backup firewall
December 04, 2025, 08:50:04 PM
I have set up a pair of firewalls using three public IPs, all within a /24 subnet. This is the same setup as shown in the docs, just with different IPs: https://docs.opnsense.org/_images/900px-Carp_setup_example.png

The problem is that the backup firewall (it doesn't matter which one) has severe packet loss (40-80%). The primary firewall always works fine when using the VIP.

For example, in the diagram above, if I ping 8.8.8.8 or any other site from the backup firewall using 172.18.0.102, I get packet loss. If I fail over, I then get packet loss when pinging from 172.18.0.101.

I haven't got any NAT rules other than for the VIP.

Any idea what could be causing this or what I can check to debug the issue? Thanks
#3
23.7 Legacy Series / what populates /etc/hosts
November 21, 2023, 10:49:02 PM
On my opnsense install the /etc/hosts file has a single entry for the firewall, but I can't work out how it selects which address to use.

root@firewall:~ # cat /etc/hosts
127.0.0.1       localhost       localhost.home
::1             localhost       localhost.home
192.168.2.254   firewall        firewall.home

My firewall has 8 VLANs with IPs on them, and it appears to select one of them to put into the hosts file.
Is there a way to influence which IP address is used?
#4
23.7 Legacy Series / Re: Serial console com port change
November 21, 2023, 12:17:00 PM
Comparing the two ports using stty -a -f /dev/ttyu0 shows that the difference between the ports is that ttyu0 has "clocal" and ttyu1 has "-clocal".
#5
23.7 Legacy Series / Re: Serial console com port change
November 21, 2023, 12:04:38 PM
I have tried a number of different things now but nothing seems to work.
I have tried adding hint.uart.0.disabled=1 to disable the first uart.

Also tried hint.uart.1.flags=0x10 but no luck.

Strangely, when I test the serial port via echo "test" > /dev/ttyu1, it hangs and does not send. Doing this on /dev/ttyu0 works fine.

I know the hardware works, as I booted into an Ubuntu live image and both serial ports work there.

Any ideas?
#6
23.7 Legacy Series / Re: Serial console com port change
November 16, 2023, 04:23:04 PM
Thanks that is really useful.
Ideally, I would like to add ttyu1 as an additional console, so this would mean editing the /etc/ttys file to set it to "onifexists".

My follow-up question is: how do I make the /etc/ttys file persistent? Can this be set via the opnsense interface?

Thanks
#7
23.7 Legacy Series / Serial console com port change
November 16, 2023, 03:22:59 PM
Is it possible to specify which serial port to use? e.g. /dev/ttyu1

My board has two serial ports and I can see the console on /dev/ttyu0 but not /dev/ttyu1.
I would like to use /dev/ttyu1 if possible.
#8
20.7 Legacy Series / Re: OpenVPN multiple server issues
January 06, 2021, 11:47:07 AM
It didn't work for long.

I think I have worked out another solution. If I "disable reply-to" on the rules, everything works nicely.
An alternative solution seems to be adding the assigned VPN interface to a firewall group and setting the firewall rules there.

Is this a bug or expected?
#9
20.7 Legacy Series / Re: OpenVPN multiple server issues
January 05, 2021, 11:38:40 PM
It has started working again now; it seems that a reboot of opnsense is required after assigning the interfaces, otherwise I get strange behaviour. Will confirm this is the same on the other opnsense instance tomorrow.

Update: correction, this was a different problem. The problem still exists.
#10
20.7 Legacy Series / Re: OpenVPN multiple server issues
January 05, 2021, 10:14:28 PM
Originally, I didn't assign interfaces, and I set the firewall rules via the OpenVPN group so both VPN servers had the same firewall rules. Doing this, when connecting to the first VPN traffic was routed, but when connecting to the second VPN no traffic appeared to be routed.

I have since tried assigning interfaces for each and setting firewall rules, but this has not helped.
#11
20.7 Legacy Series / OpenVPN multiple server issues
January 05, 2021, 09:26:50 PM
I have found a strange issue on opnsense 20.7.7_1-amd64 when running multiple OpenVPN servers.

The first server seems to work fine, but I am finding that on the second server (configured the same but with a different tunnel subnet and port) users can connect to the VPN but none of their traffic is routed.

I have tested this on two separate opnsense instances and both had strange routing/firewall problems with the second OpenVPN server.

Any ideas why this might happen?
#12
20.7 Legacy Series / Re: unqualified DNS query unbound
August 13, 2020, 09:37:45 AM
I have a domain for the system set to "home" in System: Settings: General.
I then have an override on the unbound DNS for "server1" with domain set to "home".

If I try to resolve the name "server1" from a machine without a DNS search domain set, i.e. a DNS lookup for "server1.", it fails. If I do a request for "server1.home" it works.

What I need is the ability for the "server1." request to resolve to "server1.home", as I have a lot of embedded devices which do not support DNS search domains.

Should this work by default with opnsense?
#13
20.7 Legacy Series / Re: unqualified DNS query unbound
August 12, 2020, 08:44:43 PM
Yes, I have added it to the host overrides, but it isn't picked up unless I specify the FQDN.
#14
20.7 Legacy Series / unqualified DNS query unbound
August 11, 2020, 08:03:31 PM
Is it possible to set a default domain on unbound so that if a DNS request comes in for a hostname (not an FQDN) it appends a default domain to it?
e.g. a DNS request for 'printer.' gets mapped to 'printer.home'

Currently I can't get these requests to resolve to anything even with static mappings.
#15
19.7 Legacy Series / Gateway up/down email alerts
November 03, 2019, 07:22:27 PM
I am trying to get alerts for gateway status. e.g. I would like to receive an email saying gateway x went down at 12:34 03/11/19, and then another email when it came back again.
Unfortunately, if the gateway goes down it can't send an email, as there is no internet connection, so the email would have to be cached until internet is restored. My old firewall used to do this perfectly, but I can't find a way to do this on opnsense.
I have found the monit gateway_alert service, but this doesn't seem to work for me, possibly because I am not using gateway groups or because the email notifications are failing to send due to no internet.

Is it possible to get opnsense to do what I want, or am I better off using an external system to monitor the gateway?