Messages - qinohe

#1
Have an issue using timeservers.
Setting a pool of timeservers, it doesn't matter what I choose.
As an example I used the NL & OPNsense pool - 0-3.nl.pool.ntp.org & 0-3.opnsense.pool.ntp.org
But using single timeservers hosted by some unis (NL) leads to the same outcome.

OPNsense is hosted by a (local) Proxmox server which runs as it should.
Proxmox is bridged behind OPNsense in the picture of OPNsense as a router.
This also leads to no problems and runs very stable.

NTP is the only service giving me a headache for it loses its connection after an undefined amount of time.
A message is displayed on the dashboard: No active peers available.

Mostly the NTP server will find a new peer and the time will be synchronized again on the network.
But, if the 'non active peer' situation takes too long I will be notified by the 'Check_MK' - read Nagios - server that there are problems with time syncing.
Check_mk often gives a warning the service is 'flapping' - meaning its condition is not stable and changes quickly (not measurable but quite indicative).

Because OPNsense runs on Proxmox there is no 'real' hardware clock and the clock is only run by the virtual processor.
You can imagine the offset goes haywire within a few hours, the clock can be off by (many) minutes.

Resetting the NTP server most of the time solves the problem, but not always!
One of the problems I have and is really annoying is OTP authentication.
My codes are on my phone which is on a 4G network. I think you see the problem...
Had to stop using OTP for most apps because it became too unstable a situation.

Anyway, this has run stable for almost a year, but I'm having problems with it for a while now - I can't remember exactly when it started, sorry!
Manually resetting the NTP server may be needed a few times per day.

Is there a way to figure out what stops the NTP server from using perfectly fine pools?

Many thanks in advance if you can help me figure this out
#2
Tutorials and FAQs / Re: Check_MK Agent setup
March 21, 2021, 04:18:27 PM
Quote from: no_Legend on March 11, 2021, 04:33:43 PM
just tried to setup up check_mk_agent but it is not working.
Check_mk reports by full scan the following error:
Agent output is encrypted but encryption is disabled by configuration
I don't know why you get that encryption error, what exactly are you trying to do?
Does the script run okay on OPNsense itself?

Quote
2. there is no rc.conf file in my /etc folder

I was using the instruction from the first post

Are there any hints for me?

I'm running 21.1.2
Neither is there on mine, I don't see it mentioned in the first post either?!
If you really need it create it!
BTW. the way I use check_mk using SSH and main.mk (WATO is preferred) is still working fine on 2.0.0p1
#3
Yes, it just looks okay.
First message:

PLL         0x0001  /* enable PLL updates (rw) */
UNSYNC      0x0040  /* clock unsynchronized (rw) */
NANO        0x2000  /* resolution (0 = us, 1 = ns) (ro) */


The status returned by ntptime:

PLL         0x0001  /* enable PLL updates (rw) */
NANO        0x2000  /* resolution (0 = us, 1 = ns) (ro) */

If you're curious where I've got my info from, I'm a nitwit you know  :P
ftp://ftp.ripe.net/test-traffic/ROOT/libDelay/Delay.h

edit: forgot to paste the 'NANO' in 'first message' ;)

And for completion here's OPNsense source file (±210):
https://github.com/opnsense/src/blob/master/contrib/ntp/kernel/sys/timex.h
#4
Message: '0x2041', The clock was not synchronized, yet.
Run 'ntptime'
You see: 'status 0x2001 (PLL,NANO)'?
All is fine, the clock is synchronized.
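The status-word reading from the two posts above, as an added example (not code from the posts or from OPNsense): a check that pulls the status word out of `ntptime` output, decodes it with the `STA_*` bits from `timex.h`, and returns a Nagios-style result. The sample lines are constructed, and treating `CLOCKERR` as critical alongside `UNSYNC` is an assumption.

```python
import re

# Status bits of the kernel clock, as defined in timex.h (STA_* constants).
STA_FLAGS = [
    (0x0001, "PLL"), (0x0002, "PPSFREQ"), (0x0004, "PPSTIME"), (0x0008, "FLL"),
    (0x0010, "INS"), (0x0020, "DEL"), (0x0040, "UNSYNC"), (0x0080, "FREQHOLD"),
    (0x0100, "PPSSIGNAL"), (0x0200, "PPSJITTER"), (0x0400, "PPSWANDER"),
    (0x0800, "PPSERROR"), (0x1000, "CLOCKERR"), (0x2000, "NANO"),
    (0x4000, "MODE"), (0x8000, "CLK"),
]
STA_UNSYNC, STA_CLOCKERR = 0x0040, 0x1000

def decode_status(word: int) -> list:
    """Return the names of all status bits set in the word."""
    return [name for bit, name in STA_FLAGS if word & bit]

def check_ntptime(output: str):
    """Map ntptime output to a Nagios-style (exit_code, message) pair."""
    match = re.search(r"\bstatus\s+0x([0-9a-fA-F]+)", output)
    if match is None:
        return 3, "UNKNOWN - no status word found"
    word = int(match.group(1), 16)
    flags = ",".join(decode_status(word))
    # Assumption: CLOCKERR is treated as critical, like UNSYNC.
    if word & (STA_UNSYNC | STA_CLOCKERR):
        return 2, f"CRITICAL - clock not synchronized: 0x{word:04x} ({flags})"
    return 0, f"OK - clock synchronized: 0x{word:04x} ({flags})"

# Constructed sample lines, shaped like the status line ntptime prints.
NOT_YET_SYNCED = "  status 0x2041 (PLL,UNSYNC,NANO),"
SYNCED = "  status 0x2001 (PLL,NANO),"

if __name__ == "__main__":
    for sample in (NOT_YET_SYNCED, SYNCED, "ntptime: command not found"):
        print(check_ntptime(sample))
```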
#5
20.7 Legacy Series / Re: unstable on proxmox ?
December 13, 2020, 11:23:48 PM
Quote from: cloudz on December 10, 2020, 05:09:18 PM
I found that disactivating PowerD made a change. It feels more snappy.
I've enabled all the logging I can and send it towards my syslog server.
Hey cloudz, I'm curious by what you mean with 'feels more snappy'.
I still use 'PowerD' all settings set to 'Maximum', everything works the way it should.
With that I mean: no breakage, no services or internet loss or any problems locally.
Also, up- & downloads are instant, browsing works fine, no lag anywhere.
Could be I'm not 'pushing/pulling' hard enough, but, my experience with Proxmox is rock solid from the start 8)
#6
General Discussion / Re: Backup: Nextcloud configuration
November 28, 2020, 04:14:35 PM
Quote from: lfirewall1243 on November 28, 2020, 08:34:09 AM
Just import your self signed cert into the OPNsense
I'm not the one having problems  ;D
#7
General Discussion / Re: Backup: Nextcloud configuration
November 27, 2020, 11:45:53 PM
Valid and trusted are two very different things in the world of certificates.

Of course a wrong Uname/paswd would break the action.
Nextcloud has the app. paswd for that, you'd never need to worry the curl would work just fine also using self signed certs. no problem.
If you setup your local env. correctly using self signed certs there are no complaints by apps servers phones or whatever, just don't use them remotely unless you have a very good reason to do so, in fact better don't.

I looked for 'ssl_verify_result":1'; no list seems to explain the meaning for '1'
Later on in the line 'ssl_verifyresult":0' there seems nothing wrong.
#8
General Discussion / Re: Backup: Nextcloud configuration
November 27, 2020, 10:44:12 PM
Quote from: Gauss23 on November 26, 2020, 09:42:29 AM
Just a guess but https://192.168.1.100 or whatever private IP address will never have a valid SSL certificate. Maybe it's failing because of that? Does it matter if you enter a correct or a wrong username/password combination?
Valid? Sure it's valid if it's a self signed cert. Using an IP just because it's a local, doesn't make it less valid, it's just local.
Your restriction is you can only use it locally.
I have no idea what you mean with 'wrong username/password combination'??
Quote
I'm using NextCloud backup on multiple boxes. NextCloud instance has a valid SSL cert though and is reached by hostname instead of IP. No issues.
I guess by valid you mean signed by a trusted third party (where trusted is what you believe). A locally signed cert. is just as valid and let me remind you, its trust value is not measurably higher ;)

Quote from: fabian
In theory you can have an IP address in the SAN. But I guess this is not the case here.
Not only in theory, it's no problem to sign the local cert. SAN with both local IP and local hostname or one of them.
#9
Hi GreenMatter,

Is the same IP you passed to domain1 as well as domain2 a typo?
Please show the override you created...
As far as I know Unbound is not erratic at all, at least I'm having no problems at all nor did I have any in the past. I could be wrong and there are problems in situations I'm unaware of...

Greetings, mark
#10
20.7 Legacy Series / Re: unstable on proxmox ?
September 29, 2020, 10:54:00 PM
Still, 'show the errors', it's impossible to say anything about them this way. For now OPNsense isn't to blame and they're all user faults, until you prove otherwise with some evidence....

Please, show the 'options list'(Proxmox) you used to install OPNsense.

If you have more memory to spare, give OPNsense more!

I'm using Suricata with some 20000+ rules, some blocking most in alert mode, including all services you mention +OVPN, system mostly using less than 1G RAM.
Are you sure you need all the rule-sets you(probably) enabled?, more than 2G RAM use sounds as quite a lot for the enabled services + Suricata you mention...

My advice is, start with a basic OPNsense and watch the used resources enabling services one by one.
Again, Show the options(list) you used to create your OPNsense VM and the errors you encountered... ;)
#11
20.7 Legacy Series / Re: unstable on proxmox
September 28, 2020, 06:31:05 PM
Hi J. Lambrecht,

Well, it's hard to say what's wrong here.
First, OPNsense runs very stable on Proxmox, at least that is my experience with it, in fact there should be no noticeable difference or very little at the most, I even run my Proxmox itself behind the OPNsense VM, it runs very stable and predictable.
Second, unless there is something wrong with your hardware or Proxmox setup you should be able to choose 'SCSI/VirtIO SCSI' even with 'SSD emulation' if you like.
Third, don't say there is 'a plethora of errors', show something for the kind people on this forum :) to work with, we don't have Crystal Balls...
Fourth, you really need to tell us more about your setup, there could be reasons why the system is swapping or uses lots of memory, though, I don't see this on mine it's hard to compare, it all depends on your setup...

Greetings, mark
#12
General Discussion / Re: Backup: Nextcloud configuration
September 02, 2020, 12:57:09 AM
You don't need the WebDav URL, though, if your server would be mine, the address I would need would be 'https://192.168.1.100/nextcloud'
BTW. you're not the only one having issues with logging, there should be a fix in 20.7.2, let's hope it works for everyone..
#13
General Discussion / Re: Backup: Nextcloud configuration
September 01, 2020, 11:05:09 PM
Hmmm, things usually don't suddenly stop working, unless there was something off in the first place or changed in such a manner they demolish your working solution at a later stage.
See, in basics it's actually a very simple construct, OPNsense makes a backup and uploads the file to an online filesystem, almost similar to a NAS - I know it's not the same but that's beside the point... ;D
Okay, are you able to address the backup account you created with some client on Linux, Android or whatever client and are you able to see the content of the backup dir.(OPNsense) on NC, can you send a file to it?
BTW. are you sure the URL is correct?, and not that it should be 'https://192.168.1.100/nextcloud' or 'https://nextcloud.subdomain.tld'??
#14
General Discussion / Re: Backup: Nextcloud configuration
September 01, 2020, 08:45:21 PM
Okay, so you didn't make any changes and it suddenly stopped working after updating?
Have you tried to recreate the whole setup without touching your backup dir. on NC?
Like create a new app PW etc.?
Do you have a user setup on NC solely for OPNsense backups, if not try and recreate that setup...

I didn't have any problems updating, though, both my OPNsense and NC are running on Proxmox, so the situation is different but the purpose is the same ;D

Greetings, mark
#15
Hi,

Don't forget to enable the backup before you test, if you don't and then test, it would be a reason to get that message you see ;)

Greetings, mark