Messages - Alphakilo

#1
Thanks for the quick reply!

Quote from: franco on February 15, 2022, 03:12:43 PM
if you don't feel like applying the patch just yet.

franco, I always feel adventurous😅
That, plus the patch makes a lot of sense. Let me fire up cron, I'll report back in a few.

Edit:

Sure did the trick! Cheers!
#2
Hi,

I have a barely working dual WAN setup that broke further :-[
I've set up a cronjob to do a "Periodic interface reset" every day at 05:00 that worked throughout 21.x, but seems to be broken with 22.1. Every morning the pppoe0 interface is down.

There seems to be an issue shutting down the PPP daemon:

<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="1"] Multi-link PPP daemon for FreeBSD
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="2"] 
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="3"] process 29540 started, version 5.9
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="4"] caught fatal signal TERM
[...]
<30>1 2022-02-15T05:00:30+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="79"] waiting for process 71757 to die...
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="80"] can't lock /var/run/pppoe_wan.pid after 30 attempts
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="81"] [wan] Bundle: Shutdown
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="82"] [wan_link0] Link: Shutdown
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="83"] process 71757 terminated


After that, no automatic attempt to restart the daemon is made. A manual reload brings the interface back up with no issues.
I've attached the latest logfile and a screenshot of the cronjob.
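An added example, not code from the thread or from OPNsense: a small Python check that parses the RFC 5424 syslog lines above and flags the failure pattern this post describes, that is, the new ppp process giving up on the pid file, the old process terminating, and no later "process ... started" line following. The log excerpt in the block is a constructed sample modelled on the lines in the post (sequence numbers and pids copied from it); a second constructed sample with a later start line shows what a completed restart looks like by contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the log excerpt quoted in the post above.
SAMPLE_LOG = """\
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="1"] Multi-link PPP daemon for FreeBSD
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="3"] process 29540 started, version 5.9
<30>1 2022-02-15T05:00:00+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="4"] caught fatal signal TERM
<30>1 2022-02-15T05:00:30+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="79"] waiting for process 71757 to die...
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 29540 - [meta sequenceId="80"] can't lock /var/run/pppoe_wan.pid after 30 attempts
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="81"] [wan] Bundle: Shutdown
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="82"] [wan_link0] Link: Shutdown
<30>1 2022-02-15T05:00:31+01:00 gateway.domain.tld ppp 71757 - [meta sequenceId="83"] process 71757 terminated
"""

# Constructed healthy variant: a fresh daemon (hypothetical pid 80001) starts after the old one exits.
HEALTHY_LOG = SAMPLE_LOG + (
    '<30>1 2022-02-15T05:00:32+01:00 gateway.domain.tld ppp 80001 - '
    '[meta sequenceId="84"] process 80001 started, version 5.9\n'
)

# RFC 5424 header as seen in the post: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [SD] MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>\[[^\]]*\]|-) ?(?P<msg>.*)$'
)
STARTED_RE = re.compile(r'^process (?P<pid>\d+) started')
TERMINATED_RE = re.compile(r'^process (?P<pid>\d+) terminated')
LOCK_FAIL_RE = re.compile(r"^can't lock (?P<pidfile>\S+) after (?P<n>\d+) attempts")


@dataclass
class Event:
    ts: str
    pid: str
    msg: str


def parse_ppp_events(log_text):
    """Keep only lines from the 'ppp' app, reduced to timestamp, procid and message."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group('app') != 'ppp':
            continue
        events.append(Event(m.group('ts'), m.group('pid'), m.group('msg')))
    return events


def check_ppp_restart(events):
    """Decide whether a PPP daemon restart completed.

    The failed pattern from the post: a new daemon logs "can't lock <pidfile>" and
    gives up, the old daemon then logs "process N terminated", and no later
    "process M started" line follows. That leaves no daemon for the interface.
    """
    lock_failures, terminated, started = [], [], []
    for idx, ev in enumerate(events):
        if (m := LOCK_FAIL_RE.match(ev.msg)):
            lock_failures.append({'index': idx, 'ts': ev.ts, 'new_pid': ev.pid,
                                  'pidfile': m['pidfile'], 'attempts': int(m['n'])})
        elif (m := TERMINATED_RE.match(ev.msg)):
            terminated.append({'index': idx, 'ts': ev.ts, 'pid': m['pid']})
        elif (m := STARTED_RE.match(ev.msg)):
            started.append({'index': idx, 'ts': ev.ts, 'pid': m['pid']})

    daemon_down = []  # pid files whose daemon exited with no restart afterwards
    for lf in lock_failures:
        later_term = [t for t in terminated if t['index'] > lf['index']]
        if not later_term:
            continue
        last_term = later_term[-1]['index']
        if not any(s['index'] > last_term for s in started):
            daemon_down.append(lf['pidfile'])

    return {'lock_failures': lock_failures,
            'daemon_down': daemon_down,
            'healthy': not daemon_down}


if __name__ == '__main__':
    for name, text in (('post log', SAMPLE_LOG), ('healthy variant', HEALTHY_LOG)):
        verdict = check_ppp_restart(parse_ppp_events(text))
        print(name, '->', 'ok' if verdict['healthy'] else f"daemon down for {verdict['daemon_down']}")
```

Run against a real `/var/log/ppps/latest.log` excerpt the same way; the check only needs the three message shapes above, and a monitoring job that alerts on `daemon_down` catches the "interface is down every morning" case before the first user does.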
#3
Hey DeltChar!

I think we might be experiencing the same problem.
Try tcpdumping both WAN interfaces to check whether the responses are actually sent on the interface the packets were received on...
#4
Hey fellow OPNsense users!

I've set up multi WAN as a failover group as described here: https://docs.opnsense.org/manual/how-tos/multiwan.html

Attached is a screenshot of the gateway groups.

The interfaces are pppoe0 and igb3, for WAN and Vodafone respectively. I have some services running on pppoe0 (namely OpenVPN and NGINX) locally, which both broke after the upgrade. Turns out, OPNsense is answering to incoming traffic on pppoe0 via the wrong interface, igb3. I can't really make sense of it ???

#5
Try creating a new account and certificate in the plugin. This starts registration on the Production environment.
#6
acme.sh supports Cloudflare's new token model, which allows fine-grained control over token permissions.
Reference: https://github.com/Neilpang/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token

I'm a huge fan of the "least-privilege" principle, so I took it upon myself to take a stab at implementing it in the os-acme-client plugin.
Here's the result: https://github.com/Alphakilo/plugins/commit/3a4edf21bcb8cc25df9b7748cee6d88dadf5f98b


It works on my lab and my production installations, though there are some issues on which I'd like some feedback.


Cheers!
#7
Development and Code Review / Re: nginx plugin
February 17, 2019, 04:44:19 PM
🥳 Thank you very much!
#8
Development and Code Review / Re: nginx plugin
February 13, 2019, 09:24:33 PM
Hi fabian!

Thanks for the awesome plugin, love it! One less machine in the network to tend to.
I have a couple of questions / requests though:

Is it possible to define a listening interface?
In my case nginx is a reverse proxy. That's its only job. The only interface it should be accessible from is WAN.
Also I don't want it to combat the existing listeners on 80,443/tcp.

Could we get to define snippets that we can include per server?
This will help to use advanced features of nginx without further cluttering the web interface.
And also help me to limit the amount of code reuse I have to do per server :P

Can we use existing lists (pf aliases / nginx ACLs) as httpserver.trusted_proxies?
I run behind Cloudflare. And manually adding and maintaining all Cloudflare IPv4 and v6 ranges is a royal pain in the buttocks.

Is it possible to disable / enable httpservers?
I'm thinking the way we're able to enable / disable, say, firewall rules.

I might check if I can hack the first two together when time allows. The others are beyond my skills.

Love this solid piece of advice btw:


Applies to so many things.
#9
Is it required to run the Elastic stack on the Firewall?
Why not split it into two packages: The "Firewall" part and then Elasticsearch, Logstash, etc...
#10
I did this using an Alias for the port range, much like inbound (aka Port Forward).
#11
I have the strong feeling that dns-01, like tls-sni-01, might be disabled in the foreseeable future:
https://www.theregister.co.uk/2018/09/06/certificate_authority_dns_validation/
#12
German - Deutsch / Re: Draytek vigor 130 PPPoe WAN Down
September 08, 2018, 12:51:37 PM
The echo requests from your provider are going unanswered:
https://forum.opnsense.org/index.php?topic=7270.0

You would see in the logs that the connection is torn down and re-established.
You do always get an IP though. The dial-in is fine too; it's just that pppd stops answering the echo requests.

The remote end thinks you're no longer there and disconnects.
#13
German - Deutsch / Re: Draytek vigor 130 PPPoe WAN Down
September 07, 2018, 10:08:21 PM
Are you sure no IP is being assigned?
Or is the connection being re-established roughly every 20 seconds?
#14
General Discussion / Gandi.net API support for os-dyndns?
September 07, 2018, 08:12:15 PM
So. For my homelab I have lots and lots of domains and subdomains. Currently they are registered with Cronon (STRATO).
Since I'm pretty darn tired of STRATOs fits and general backwardness, I'd like to transfer them to a provider that actually knows what they're doing. I've evaluated some providers and settled for gandi.net.

Now comes the complicated part:

I have a dynamic public IP that changes on every reconnect, or at the very least on every forced reconnect (24h). The os-dyndns is doing a great job with STRATO, at least as good as it can with that company (yes, I'm salty).

But it seems it has no option for the gandi.net API.

There's a Python implementation over at GitHub, but I'd also like to keep the process of DynDNS updates on the OPNsense, without potentially compromising my border gateway by running 3rd party stuff on it. CNAME is also not an option.

That leaves me... Well, here. Asking for help ;)

Maybe I'm just not seeing how it can be done?
Maybe it could be implemented?

If the latter is true, welp, my PHP doesn't go far beyond <?php phpinfo(); ?>. But I'd be happy to help by testing and providing API keys.

Cheerio!
#15
German - Deutsch / Re: URL und Teile von URL blocken
April 22, 2018, 06:07:01 PM