Messages

Did you verify the AD replication? Might be that there are some lingering objects and users exist on one DC but not on the other.

I am using a low level option. Have a 5G connection with the ISP Modem in bridge mode. I am using a WLAN Power plug with Tasmota and can then programmatically send a web request to it to turn the Modem on and off (had to refer to IT Crowd) and then get a new IP.

In case you do not want to change the Port the firewall is listening.
I created a VIP (10.1.1.1) and since the FW website should not be available on the WAN I redirected Port 443 on the WAN side to the VIP on Port 40443 (or any other port).
Then all you need to do is to configure the reverse proxy (I use Nginx) to listen on 10.1.1.1:40443 and proxy the bits back to the Webserver in the LAN on Port 443.

This https://github.com/opnsense/plugins/issues/722
redirected me to my solution

Just an Idea,
did you create a rule to allow traffic go through the interface? IIRC per default there isn't any so all traffic will be blocked.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

In case you run Opnsense on ZFS you could simply create a snapshot of the system before upgrading. Then you should be able to revert to the previous config easily.
I do that and additionally since my Opnsense runs on top of a Proxmox machine I use the backup feature of Proxmox to backup and recover.

I am aware, but fact is that until the upgrade it worked out of the box assigning to the clients the KEA assigned IP as GW and DNS server. And Unbound in my case was listening on those interfaces.
This was then not working after the upgrade.
However I tried the upgrade again and it works now.
Thanks for the help.

After Upgrading to 25.1.11 I realized that Kea DHCP Server still assigns IP Adresses, but DNS is no longer available. I did not add any extra DHCP options so the Gatway and the DNS Server is the IPadress assigned to the KEA interface on that specific VLAN.
Could not test any further as I need the environment up and running and decided to revert the snapshot.
Anyone had similar experiences?
Andreas

Hi,
just to be  on the safe side, did you create rules to allow the traffic between the nets? Per default IIRC the firewall will block al traffic.

I think someone from the team already fixed that.
I just searched for updates and there is a new Postfix release available.
Updated it --> all is fine.

Thank you!

After the upgrade to 25.1.2 postfix does not start anymore.

In the Log I only see:

28cafc05-69bf-4067-8fa6-be5124013484] Script action failed with Command 'postmap /usr/local/etc/postfix/transport ' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 78, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 413, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command 'postmap /usr/local/etc/postfix/transport ' returned non-zero exit status 1.


Any help is appreiciated.

Is it safe for those that have external DB?

I can only share that for me, using an external elastic database it works without problems. But I have to admit I am a home user and I can rebuild the box easily (proxmox snapshot).
So in case you use opnsense on a business relevant machine I would recommend waiting for an official announcement.

For me it worked after the upgrade.
My setup is using a remote elastichsearch database and upgrading Opnsense did not defunctionalize zenarmour.

Fixed it by choosing an encryption protocol instead of setting the encryption to default

Hi,
after applying the hotfix 24.7.4_1 on my two Opnsense boxes during the IpSec negotiation I see the error:

Code Select Expand


"parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]"
received NO_PROPOSAL_CHOSEN notify error

Any ideas if there is some conection to the update?

I had exactly the same issue with a digicert certificate. When I imported it it showed up as self signed, although the Digicert issuein CA is my Authorities store.
After some try and error this is how I solved it:

• Import the certificate it will show up as self signed.
• Edit the certificate make sure the action is is set to "Reissue and Replace certificate and make sure you select the correct CA
• Click Save --> You will get an error
• Change the Action to "Create a certificate Signing Request" and Save. You should now see the certificate with the correct CA
• Click on edit and select "Import Certificate (Signed by CA) it should be the only option
• Save it.

After this you should see the certificate with the correct CA assigned.