Messages - naltalef

#1
It's exactly as you say. It worked perfectly!

Thanks so much for the help!
#2
Hello everyone. I'm having a problem installing OPNSense on VMWare ESXi 7.0.
Using the default install procedure, I receive the following error when the installer is at the disk partition step:

Error mounting partition /mnt/boot/efi
mount_msdosfs: /dev/gpt/efifs: Invalid argument


The same error occurs if BIOS or EFI is selected in the VM setup.
This does not happen with VMWare ESXi 6.7 where I have installed several versions of OPNSense many times.

Does using EFI/GPT have any advantage? If the answer is yes, do you suggest any workaround?
Or, if it's not possible to use GPT, which of the disk partition options would it be advisable to use, BSD or MSDOS?

I appreciate any advice

Many thanks
Norberto
#3
General Discussion / Re: disable user from cli
January 12, 2023, 09:18:43 PM
Thanks for the answers.
A custom script would be a workaround while the API for users and groups is not available.
Any suggestion to take as a base?
As far as I can see, the value <disabled>1</disabled> is added in conf.xml and the password in master.password is changed to *LOCKED**

Many thanks
#4
General Discussion / disable user from cli
January 09, 2023, 04:26:00 PM
Hi. Good 2023 for all !

I would like to know if it is possible to change user properties from the command line.

I have a client with about 200 openvpn users and the idea is to disable all users who have not used openvpn for a while, running a script by cron each week.

Many thanks in advance
Norberto

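An added example, not code from this thread or from OPNsense, of the kind of cron script asked about above: it finds users idle longer than a threshold and marks them with `<disabled>1</disabled>`, which is the config.xml change the later reply reports when a user is disabled. It assumes users sit under /opnsense/system/user with <name> and <scope> children, and that the last-login table is something you build from the OpenVPN logs; the config fragment and dates are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample config.xml fragment (not a real firewall config).
SAMPLE_CONFIG = """<opnsense><system>
  <user><name>root</name><scope>system</scope></user>
  <user><name>alice</name><scope>user</scope></user>
  <user><name>bob</name><scope>user</scope></user>
  <user><name>carol</name><scope>user</scope><disabled>1</disabled></user>
  <user><name>dave</name><scope>user</scope></user>
</system></opnsense>"""

# Constructed last-login table (in practice built from the OpenVPN logs); NOW is fixed for reproducibility.
LAST_LOGIN = {
    "alice": datetime(2023, 1, 8),
    "bob": datetime(2022, 10, 1),
    "carol": datetime(2022, 9, 1),
}
NOW = datetime(2023, 1, 12)

def is_disabled(user):
    return user.findtext("disabled") == "1"

def stale_users(config_xml, last_login, max_idle_days, now=NOW):
    """Enabled, non-system users idle longer than max_idle_days (no record at all counts as stale)."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user in ET.fromstring(config_xml).findall("./system/user"):
        if user.findtext("scope") == "system" or is_disabled(user):
            continue  # never touch root/system accounts or already-disabled ones
        last = last_login.get(user.findtext("name"))
        if last is None or last < cutoff:
            stale.append(user.findtext("name"))
    return stale

def disable_users(config_xml, names):
    """Return (new_xml, changed): adds <disabled>1</disabled> to each named user not already flagged."""
    root = ET.fromstring(config_xml)
    changed = []
    for user in root.findall("./system/user"):
        name = user.findtext("name")
        if name in names and not is_disabled(user):
            ET.SubElement(user, "disabled").text = "1"
            changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed

def disabled_flags(config_xml):
    """Map user name -> disabled flag, used to verify the result before writing it back."""
    return {u.findtext("name"): is_disabled(u) for u in ET.fromstring(config_xml).findall("./system/user")}
```

The thread also reports that disabling a user changes its master.passwd entry; this example only edits the XML, so the new document still has to be written back and the configuration reloaded.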
#5
Hi.
I'm not totally sure, but I think the same behavior is in OpenBSD's original CARP implementation.
It would be good if the MAC address of the CARP interface was used, but I do not know how it could affect it in case of master failure.
The backup would start using the same MAC, but the switch would have it learned on another port (the one of the master).
Does it have to do with this?

Regards
Norberto


Quote from: athurdent on May 04, 2017, 01:16:46 PM
Hi, did a quick search in the forums and on github but did not find an answer, is this FreeBSD/pfSense CARP problem also an issue in OPNsense?

https://redmine.pfsense.org/issues/6957
#6
Sorry.
Indeed we had some inconvenience (I don't remember which one now) with options that were not available in the VRRP administration interface.
We analyzed modifying the plugin and decided that it was simpler for us to use vrrp directly.

Must be read as:

Indeed we had some inconvenience (I don't remember which one now) with options that were not available in the FRR administration interface.
We analyzed modifying the plugin and decided that it was simpler for us to use FRR directly.

Quote from: naltalef on October 14, 2021, 12:26:34 AM
First of all, let me clarify that I have no relationship with OPNSense and that it is not my interest to have a discussion, but I think it's a partial view to state that the product cannot be used in a large company. Maybe not the right product for you, sure.

We personally migrated a couple of old OpenBSD firewalls to OPNSense and it is working perfectly.
It is not so small. It has 3 internet connections (separating different traffic for each one), several internal interfaces, plus several VPNs with OpenVPN and IPSec.
There are about 400 servers on the network and about 3000 users who use it. In addition, 400 remote OpenVPN users.

Indeed we had some inconvenience (I don't remember which one now) with options that were not available in the VRRP administration interface.
We analyzed modifying the plugin and decided that it was simpler for us to use vrrp directly.
I have many years of Linux / Unix experience and I appreciate that FreeBSD is underneath.

We were also able to add external scripts and cron jobs for certain very specific things that were used in the old firewalls, such as updating a dynamic DNS when an internet link stops working or parsing some site to obtain a list of IP addresses, etc.
We plan to add IDS/IPS or Sensei to the firewall in the future.

It has limitations like any product, but its Open Source base allows it to be adapted with more or less effort. I think a closed product is not so versatile.

It is true that it is faster to edit pf.conf, but if the user (as is our case) is not a Linux / Unix specialist, he is deeply grateful to have a friendly interface to add a firewall rule or simply validate it. Or check the traffic or even add a VPN user, without needing to edit a single file.
Sure, it would be nice to be able to drag a rule to place it in a given position or put a separator to facilitate reading, but for us it's not the end of the world.

One last comment regarding the OpenBSD CARP active/active. It works perfectly, but did you try to use it in a firewall? For us it was a real headache to get it to work, and it is related to the way OpenBSD selects which cluster member takes the traffic. In fact, already in OpenBSD we had switched to active/passive.

While OPNSense may have been originally intended for a small business environment, it is perfectly adaptable to a much more demanding one.
If we enter the cost into the equation (even paying for support from Deciso), the product goes from good to excellent.

Sorry for the long message and if something is not totally clear; explaining all this was a lot for my English.

Regards
Norberto
#7
First of all, let me clarify that I have no relationship with OPNSense and that it is not my interest to have a discussion, but I think it's a partial view to state that the product cannot be used in a large company. Maybe not the right product for you, sure.

We personally migrated a couple of old OpenBSD firewalls to OPNSense and it is working perfectly.
It is not so small. It has 3 internet connections (separating different traffic for each one), several internal interfaces, plus several VPNs with OpenVPN and IPSec.
There are about 400 servers on the network and about 3000 users who use it. In addition, 400 remote OpenVPN users.

Indeed we had some inconvenience (I don't remember which one now) with options that were not available in the VRRP administration interface.
We analyzed modifying the plugin and decided that it was simpler for us to use vrrp directly.
I have many years of Linux / Unix experience and I appreciate that FreeBSD is underneath.

We were also able to add external scripts and cron jobs for certain very specific things that were used in the old firewalls, such as updating a dynamic DNS when an internet link stops working or parsing some site to obtain a list of IP addresses, etc.
We plan to add IDS/IPS or Sensei to the firewall in the future.

It has limitations like any product, but its Open Source base allows it to be adapted with more or less effort. I think a closed product is not so versatile.

It is true that it is faster to edit pf.conf, but if the user (as is our case) is not a Linux / Unix specialist, he is deeply grateful to have a friendly interface to add a firewall rule or simply validate it. Or check the traffic or even add a VPN user, without needing to edit a single file.
Sure, it would be nice to be able to drag a rule to place it in a given position or put a separator to facilitate reading, but for us it's not the end of the world.

One last comment regarding the OpenBSD CARP active/active. It works perfectly, but did you try to use it in a firewall? For us it was a real headache to get it to work, and it is related to the way OpenBSD selects which cluster member takes the traffic. In fact, already in OpenBSD we had switched to active/passive.

While OPNSense may have been originally intended for a small business environment, it is perfectly adaptable to a much more demanding one.
If we enter the cost into the equation (even paying for support from Deciso), the product goes from good to excellent.

Sorry for the long message and if something is not totally clear; explaining all this was a lot for my English.

Regards
Norberto
#8
General Discussion / Bulk User Remove
October 13, 2021, 12:13:00 AM
Hi.
I have an installation with a lot of openvpn users defined. The authentication server is OpenLDAP.
I need to remove more than 300 users and I would like to avoid having to do it one by one from the web interface.

Is there a suggested method that could be used?

I don't like the idea, but could it be done by editing config.xml and removing <user> .... </user> and the corresponding certificate?

I will appreciate any suggestions.

Regards
Norberto
#9
Hi. Thanks for your answer.
With Sensei running for approx. 1 h, this is the output of top.

last pid: 47471;  load averages:  0.26,  0.22,  0.21  up 82+01:19:58    14:13:28
40 processes:  1 running, 39 sleeping
CPU:  0.9% user,  0.0% nice,  0.3% system,  0.1% interrupt, 98.7% idle
Mem: 3568M Active, 6243M Inact, 12M Laundry, 1740M Wired, 1204M Buf, 4824M Free
Swap: 8192M Total, 118M Used, 8074M Free, 1% Inuse

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
37978 elasticsea   90  52    0    16G  2891M uwait    4   6:55   0.00% java
70777 root         11  20  -20  2365M  1186M nanslp   2   1:35   0.10% eastpect
33012 root         11  20  -20  2217M  1043M nanslp   1   1:31   0.00% eastpect
54255 root          1  20  -20  1318M   199M nanslp   0   0:01   0.00% eastpect
47906 root          1  52  -20  1318M   198M wait     0   0:00   0.00% eastpect
81766 root         41  20  -20   186M   108M select   0   0:26   0.00% python3.7
98584 root          1  22    0   132M    25M accept   0  13:55   0.00% python3.7
80229 root          1  20    0    40M    16M accept   3   0:00   0.00% php-cgi
76840 root          1  20    0    40M    16M accept   5   0:00   0.00% php-cgi
20743 root          1  20    0    41M    16M accept   0   0:00   0.00% php-cgi
70273 root          1  20    0    40M    16M accept   7   0:00   0.00% php-cgi
27950 root          1  20    0    40M    16M accept   7   0:00   0.00% php-cgi

I'll give you an update tomorrow.

Regards
Norberto
#10
Hello.
I need to configure two OpenVPN clients that connect to different servers.
I have two internet connections.
Each client would use a WAN, but I would like that if one of the WANs goes down, both clients could use the other.

I would be thankful for any advice on how to do it.

Regards
Norberto
#11
Hi MB. Many thanks for your answer.

> It's probably your system started swapping due to high memory consumption.
Yes, that was what I also assumed. But let me point out some details.

After 24 h with Sensei ON, the swap usage grew from 0% to 15% and RAM from 45% to 65%.
I can't discover why the swap is used, since there are no processes that use it.

Running top -S -W -o swap:

75 processes:  2 running, 72 sleeping, 1 waiting
CPU:  2.0% user,  0.0% nice,  1.2% system,  0.3% interrupt, 96.5% idle
Mem: 3381M Active, 3317M Inact, 5061M Laundry, 1823M Wired, 1278M Buf, 2290M Free
Swap: 8192M Total, 1261M Used, 6931M Free, 15% Inuse

  PID USERNAME    THR PRI NICE   SIZE    RES  SWAP STATE    C   TIME    WCPU COMMAND
   11 root          8 155 ki31      0   128K     0 RUN      0      ? 775.80% idle
80319 elasticsea   90  52    0    12G  2694M     0 uwait    7  73:37   2.94% java
    0 root         37 -16    -      0   592K     0 swapin   3  28.0H   2.14% kernel
18726 root         11  20  -20  2510M   967M     0 nanslp   2  31:53   2.02% eastpect
77943 root         11  20  -20  2510M   926M     0 nanslp   1  28:37   1.99% eastpect
44833 root         11  20  -20  3625M  2087M     0 nanslp   3  34:04   1.68% eastpect
58255 root         11  20  -20  3625M  1959M     0 nanslp   4  29:39   1.56% eastpect


It is a basic OPNSense installation with the only peculiarity that it has a pair of interfaces defined as a bridge by a client's specific request. That bridge has an average traffic of about 8 Mbps.
I have each of the two bridge interfaces set as protected in Sensei.

After stopping Sensei, swap goes down to 1% and RAM to 26%.
If I stop Elasticsearch as well, swap remains at the same value and RAM goes down to 10%.
After restarting both processes, RAM goes to 48% and swap stays at 1%.
I suspect that tomorrow I will find the increased values again :(

Is Sensei using swap in any way?

> 1.7.1 is a bit old. Any chances that you can upgrade to OPNsense 21.1.x and Sensei 1.8.2?
> Sensei 1.8.2 tells you which processes are using the most memory and you can track down the source.

It's not easy for me to upgrade because I should disconnect the bridge interfaces while doing it. I am not close to where it is installed, however I could upgrade if you suspect it can help.

Do you think it is not related to Sensei? I can leave it off for a few days and see what happens.

> For a workaround, you can also increase your SWAP warning threshold via Sensei -> Configuration -> Updates & Health.
> Find "Max Swap Utilization (% of total SWAP):" towards the bottom of the page. Since you're using the Passive mode, this should not have any negative implications.

I saw this option. However, if swap grows every day, would it always end up giving the error or not?

I really appreciate your advice.

Regards
Norberto
#12
Hello.
I'm testing Sensei but it stops after a while because it found a swap usage greater than 30%.

I am using version 1.7.1 with OPNSense 20.7.7_1

The box is a Lanner NCA-4210B with a Core i7 7100 processor and 16 GB of RAM.

Memory usage with Sensei turned ON is approx 45% and Swap use 0% (76/8192 MB).

Deployment mode: Passive
Database: Local Elasticsearch
Deployment Size: Large

Could someone help me to track down the source of the issue?
Any suggestions are greatly appreciated.

Regards
Norberto
#13
Hi Frank.
I would be grateful if you can tell me if you were able to move forward with this problem.

I'm exactly at the same point as you.
I need to setup several static routes in the LAN with different GW.

With disable-force-gateway checked, no pass-out rule with route-to is added, even in the WAN, and I don't know if it could be a problem.

Many thanks in advance
Norberto
#14
Hi.
I need to install a site-to-site OpenVPN tunnel between two sites that currently have a satellite link between them.
The default gateway in each site will be changed to the OPNSense box.

But, I'll need to have the satellite link as a backup if the VPN fails.

I could be constantly checking the VPN to see if it's up or not, and if it goes down, add a static route that goes through the satellite link router, but since they're in the same LAN, the returning traffic will not go to the OPNSense box, so a pf state is not going to be established.

I could set the rule up as stateless, but I don't like this idea for something only needed when the VPN goes down.

Is there some way to define a pf anchor? There's not a problem with not using the GUI for this.
If this is effectively possible, then the stateless rule would need to be loaded only if the VPN goes down. In the rest of the cases the normal rule would be used.

Any advice is much appreciated.

Regards
Norberto
#15
20.1 Legacy Series / Re: User's import too slow
March 23, 2020, 02:12:41 AM
Hi.
The problem reappeared and apparently only occurs when there are many (100 or more) users connected to the VPN.
Any idea?

Thanks