Messages - jcdick1

#1
23.7 Legacy Series / Re: Prometheus node exporter plugin
November 15, 2023, 01:37:22 AM
Nothing shows as listening on port 9100 in sockstat. 

I'm guessing I have to enable the plugin, but every file seemingly associated either says "Don't edit" or doesn't exist.
#2
23.7 Legacy Series / Prometheus node exporter plugin
November 14, 2023, 10:47:58 PM
I'm trying to get the os-node_exporter plugin working.  It is listed as installed in the plugins tab.  However, I see no indication that it is running.  It is not listed on the homepage.  I don't see anything about it in a process list.  The file /etc/rc.conf.d/node_exporter explicitly states not to edit it, but its one line is

node_exporter_enable="NO"

The node_exporter file I happened to find in /usr/local/etc says to add lines to /etc/rc.conf.local or /etc/rc.conf to enable it, but neither of those files exist for any other services.  Do I create them? Does it need some sort of bracketed identifier inside to say "These options are for the Prometheus node_exporter"?

Also, once it's running, will I need to create a firewall rule to allow my Prometheus instance to scrape it for stats?

It is very confusing behind the scenes with this.

Thanks for any assistance.
#3
23.1 Legacy Series / Re: os-xen 1.2_1 not detected
March 29, 2023, 04:56:27 AM
Excellent, thank you!
#4
23.1 Legacy Series / os-xen 1.2_1 not detected
March 28, 2023, 05:19:30 AM
I have OPNsense 23.1.4_1-amd64 running under XCP-NG 8.2.1 and have the os-xen 1.2_1 guest utilities installed, which apparently is the latest, as no update is available.  However, XCP and Xen Orchestra report no guest utilities installed, and there is no os-xen service listed on the dashboard for start/restart/stop.  There are a couple of processes running that would seem to be xen-related:

0    16     0 3 -16  0       0     16 waitev   SL    -      0:19.78 [xenwatch]
0    17     0 2 -16  0       0     16 xbread   IL    -      0:00.05 [xenstore_rcv]


but again, the hypervisor isn't seeing them installed.

Any ideas on getting the hypervisor to recognize the tools?  I need to migrate my router VM to another host so I can patch.

Thanks!
#5
22.7 Legacy Series / Netdata monitoring assistance
October 02, 2022, 10:38:37 PM
I'm on 22.7.4 and have the netdata plugin enabled.  I set it to be bound to the LAN interface.  Sockstat shows that netdata is listening on the LAN interface on port 19999, but trying to access the URL times out.

I figure I need to make sure it's working locally before troubleshooting why it's not sending to the configured backend.

Any suggestions are appreciated.
#6
22.1 Legacy Series / Re: Unbound DNSBL update errors
March 26, 2022, 03:46:11 AM
If someone could let me know where the files go, I could manually download and place them on the router, and restart Unbound.
#7
22.1 Legacy Series / Re: Unbound DNSBL update errors
March 25, 2022, 06:22:29 PM
Doing that curl command dumps out the file, and I'm able to check for OPNsense updates on the repo which requires it, so name resolution seems to be working.
#8
22.1 Legacy Series / Re: Unbound DNSBL update errors
March 25, 2022, 12:36:17 AM
Might anyone know where the files are for the built-in DNSBLs?  Perhaps I can get in there and check why it can't find them to refresh.  I don't know for sure, but the error seems like it is trying to resolve just a base path, and not a full URL.
#9
22.1 Legacy Series / Unbound DNSBL update errors
March 19, 2022, 08:36:04 PM
I have Unbound DNSBL enabled, and a selection of the built-in blocklists set in Cron to update once a day.  However, I get this error for each of the blocklists when it tries to update:

2022-02-21T16:18:21-06:00 Error unbound blocklist download : unable to download file from https://adaway.org/hosts.txt (error : HTTPSConnectionPool(host='adaway.org', port=443): Max retries exceeded with url: /hosts.txt (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8025ca850>: Failed to establish a new connection: [Errno 8] Name does not resolve')))

2022-02-21T16:17:20-06:00 Error unbound blocklist download : unable to download file from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts (error : HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /StevenBlack/hosts/master/hosts (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8025ca460>: Failed to establish a new connection: [Errno 8] Name does not resolve')))


Is there some configuration I might have missed beyond the checkmark in the Unbound DNSBL config, and adding the Cron job?  I don't have any custom blocklist URLs or such.

Any insight is appreciated.
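As an added example (not from the post or from OPNsense itself), a small triage script that parses blocklist download errors in the format quoted above and groups the failing URLs by cause, so that a result where every list fails with "Name does not resolve" points at the firewall's own resolver path rather than at the individual lists. The sample log lines are constructed; the second and third are invented to show a non-DNS failure and a non-error line.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the OPNsense "unbound blocklist download"
# errors quoted in the post above (the second URL and the Notice line are invented).
SAMPLE_LOG = """\
2022-02-21T16:18:21-06:00 Error unbound blocklist download : unable to download file from https://adaway.org/hosts.txt (error : HTTPSConnectionPool(host='adaway.org', port=443): Max retries exceeded with url: /hosts.txt (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8025ca850>: Failed to establish a new connection: [Errno 8] Name does not resolve')))
2022-02-21T16:19:02-06:00 Error unbound blocklist download : unable to download file from https://example.invalid/list.txt (error : HTTPSConnectionPool(host='example.invalid', port=443): Read timed out. (read timeout=30))
2022-02-21T16:20:00-06:00 Notice unbound blocklist download : done
"""

# Timestamp, failing URL, and the error text between "(error : " and the closing ")".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) Error unbound blocklist download : "
    r"unable to download file from (?P<url>\S+) \(error : (?P<err>.*)\)$"
)

@dataclass
class BlocklistFailure:
    timestamp: str
    url: str
    cause: str   # "dns", "timeout" or "other"
    detail: str  # full error text as logged

def classify(err: str) -> str:
    # urllib3 wraps the OS resolver error; both spellings come from getaddrinfo().
    if "Name does not resolve" in err or "Name or service not known" in err:
        return "dns"
    if "timed out" in err.lower():
        return "timeout"
    return "other"

def parse_failures(log: str) -> list[BlocklistFailure]:
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(BlocklistFailure(m["ts"], m["url"], classify(m["err"]), m["err"]))
    return out

def triage(log: str) -> dict[str, list[str]]:
    # Group failing URLs by cause so the pattern across lists is visible at a glance.
    groups: dict[str, list[str]] = {}
    for f in parse_failures(log):
        groups.setdefault(f.cause, []).append(f.url)
    return groups

def resolver_suspect(log: str) -> bool:
    # True only when every failure is a DNS failure: then the firewall's own
    # name resolution (not the remote lists) is the first thing to check.
    fails = parse_failures(log)
    return bool(fails) and all(f.cause == "dns" for f in fails)
```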
#10
22.1 Legacy Series / AT&T and IPv6
February 09, 2022, 03:35:16 AM
I recently upgraded my router to 22.1 and also got AT&T fiber.  My RG is in passthrough mode so my OPNsense router gets the public IP.

I'd like to get IPv6 working properly, and have found a couple of threads from a year or more ago regarding changes to the dhcp6 conf file for multiple ia-pd and id-assoc entries to get multiple /64 delegations, for pfsense.

https://forum.netgate.com/topic/153288/multiple-ipv6-prefix-delegation-over-at-t-residential-gateway-for-pfsense-2-4-5

https://forums.att.com/conversations/att-fiber-equipment/ipv6-prefix-delegation-to-3rd-party-router-not-working-2020-edition/5e98da19fd08354359ccd447?commentId=5e9b3ea5758fed7722fd4361&replyId=5eb1a6b372a09d7a3fc8f1fb

I just wanted to check with anyone who might be able to confirm that this is proper for OPNsense 22.1 before I go mucking about in the conf files manually.

Thanks!
#11
21.7 Legacy Series / Blank netdata
August 26, 2021, 04:20:09 AM
I installed the netdata plugin on my router with the intent of ultimately feeding the data to a backend DB and making a Grafana display.

However, before I do that, I'd like to ensure that netdata itself is working properly.  But all I have is a blank grey screen that says "Netdata - Real-time performance monitoring done right!" at http://router:19999

It has no graphs or menus or any other elements.

Could someone perhaps point me toward what configs might need to be tweaked to get some sort of display out of it?

The settings in the OPNsense menu are Enabled / Listen address:  127.0.0.1  /  Listen port: 19999

I thought maybe I needed to change the listen address from localhost to the LAN address, but if it weren't listening at all, I wouldn't even get the grey page.

Any help is appreciated.
#12
Quote from: Greelan on August 18, 2021, 01:09:07 AM
If the VLANs are created in OPNsense it should work no problem. On my bare metal OPNsense I use two NICs and have four VLANs plus LAN, and have never had to manually specify routes. Maybe a config issue with the VM in your case?

That's what I was thinking.  I was under the impression that regardless of IP space used, if I put a known IP into a browser or SSH client or whatever on a device connected on VLAN 1, it would know "Oh, I have that IP space on Interface 2!  I'll send that over there" and I get a connection.

I went through, and I realized I didn't have VLAN interfaces configured under "Interfaces->Other->VLAN" but I didn't think tagging was necessary if the interfaces are physically distinct, and the switch ports are configured for all traffic on each of the ports to be for the appropriate VLAN.
#13
Quote from: Vilhonator on August 17, 2021, 06:25:20 AM

Based on my knowledge, you need to create static routes.

If the physical interfaces of VLANs 200 and 300 have IPs 10.10.20.1/24 and 10.10.10.1/24 then you need to create static route of 10.0.0.1/8 to either 10.10.10.1 or 10.10.20.1

Basically you need to specify a gateway which both VLANs are using as gateway to point traffic towards different networks

Reason why you won't be able to gain access to VLANs from LAN is because VLANs are both in different IP space

Okay, so I was mistaken that OPNsense just inherently "knows" routes between its interfaces, regardless of IP subnets used.  I will look at setting up routes.

Thanks!
#14
Quote from: Greelan on August 16, 2021, 11:14:34 PM
Also gotta say that I find it odd that WAN is set up as a VLAN...

I'm not sure how else I would set up having four physical ports on the switch involved to provide connectivity between the router and the ISP.  I have three physical hypervisor hosts, each with a NIC in the VLAN, allowing me to migrate the OPNsense VM between them without losing connectivity to the ISP.
#15
Quote
First make sure that if your switch has the feature, it allows access to its WebGUI from the right VLAN (some manufacturers like Zyxel allow you to restrict management access to a specific VLAN).

I have four VLANs configured on my OPNsense router, each with a distinct NIC

10 (LAN, 192.168.0.0/24)
100 (WAN, IP from ISP)
200 (MGMT, 10.10.20.0/24)
300 (IoT, 10.10.10.0/24)

10 is the PCs, tablets, media devices, etc
100 allows the OPNsense VM to move from VM host to VM host while maintaining connection to the world.
200 is iLOs, SNMP and netdata traffic, VM movement
300 is smart home stuff - cameras, etc.

VLAN 200 and 300 have a DHCP server configured with IPv4 reservations, but each host has its corresponding IP configured as static.  VLAN 10 has dynamic DHCP assignments.

My LAN interface has the default "Allow LAN to Any" rules for IPv4 and IPv6.
There are currently no rules on the MGMT interface, because I couldn't get any to work, so I have it back to how it was at initial installation and configuration.

Quote
Also if you run OPNsense on a custom-built PC or virtual machine, make sure its Ethernet ports support IEEE 802.1Q (also known as VLAN tagging). OPNsense VLAN relies on VLAN tags and without that support, it doesn't work properly.

I was under the impression that VLAN tagging shouldn't be necessary if each VLAN is on a distinct interface, as the switch is configured for the corresponding port to be a member of the VLAN and all traffic on that port is assumed to be for that VLAN.

I was also under the impression that OPNsense is aware of its various VLANs, and configuring specific routing isn't necessary between them.

My goal is to prevent anything coming in from WAN from getting to IoT or MGMT, or anything from IoT and MGMT from getting out to WAN and LAN (initiating a session that direction) but LAN able to get to MGMT and IoT.