
Messages - tdalej

#1
Quote from: franco on November 05, 2025, 08:22:13 AM
> > Unless .. the keyboard mapping done at installation has changed?
>
> Yes, it's a per-install setting not found in the config.xml export. We debated the good and bad about making it more persistent, but it did not seem very important unless you have a special keyboard (diverging from a basic US layout) AND use special characters from the special keyboard.
>
> This doesn't happen for SSH or the web GUI, but it's a possibility for the console.
>
> I mention 1. and 2. because:
>
> With 1. you have to check the authentication settings (an OTP will not allow your plain password to be used, NTP needs to work in order for OTP to work too) and there is a GUI tester for that as well.
>
> For 2. if you have a special keyboard layout and know your password it's easy to infer that it could be susceptible to this problem, but nobody else can tell and certainly not from a password hash. It's also why the default password is rather plain, which makes keyboard mapping issues like that very unlikely.
>
> In either case you have all the data to identify the problem and we can help assist with this after diagnosing which one it is.
>
> Cheers,
> Franco


At the end of the day I just need to figure out the proper procedure to recover a backup to an identically configured computer (but with obviously different MAC addresses for each interface).

So long as the NIC assignments are done based on interface order Ix0, Ix1 and so on, I should be good -- I know which interface will be the LAN interface and I assume that attaching a laptop directly to that port will allow me to login to the UI (using the known GUI password) and address the console password issue?

I use a standard US keyboard and keyboard layout -- selecting the default in the installer on the recovery installation and _pretty sure_ but not 100% positive I did the same on the original install. 

Sounds like my best approach is to start over and document every step of the recovery.




#2
Quote from: franco on November 04, 2025, 10:21:24 AM
> What's your goal? Breaking access?
>
> The <password/> entry has been compatible across versions forever.
>
> The only things that could change are:
>
> 1. authentication settings
> 2. console keyboard mapping
>
> Cheers,
> Franco

Well, unless a restore does one or both of those things, that's not what this is. <shrug>


Unless .. the keyboard mapping done at installation has changed?
Could that do it?
It's been a while since I did the install of the one I'm restoring, and it's gone through a few upgrades...
I selected the one I always use on the fresh install -- it's common enough I didn't even think about it.

What setting would that be in the backup file?
#3
The config I restored didn't require a login on the local console.
Can't put it on the network to even try the GUI until I am sure the interfaces are properly assigned.

Can I just edit the config file to remove the root/admin userid?
The whole <user> or just a blank <password> like this: <password></password>

#4
25.7, 25.10 Series / root/admin password after restore
November 03, 2025, 12:23:13 AM
I spun up a new install of 25.7.
After getting to the login and doing the basic wizard setup bit, I restored a backup of my running OPNsense running 25.1.

None of the passwords from either setup work on the console after reboot.

Is this expected?
Should I have modified the backup file and blanked password fields?
I don't recall seeing anything particular in the docs other than restore steps.

Or is this just some incompatibility between versions?
 
#5
How long does it take to sync up? Still almost 10 minutes out from local cell tower service time and internal time service from where I work.

Network Time Protocol Status

Status           Server                 Ref ID           Stratum  Type  When  Poll  Reach  Delay   Offset  Jitter
Unreach/Pending  us.pool.ntp.org        .POOL.           16       p     -     64    0      0.000   +0.000  0.000
Unreach/Pending  opnsense.pool.ntp.org  .POOL.           16       p     -     64    0      0.000   +0.000  0.000
Outlier          134.215.155.177        216.239.35.0     2        u     410   512   377    47.497  +3.974  1.502
Outlier          158.51.99.19           17.253.26.125    3        u     302   512   377    41.426  +1.647  1.390
Outlier          72.14.183.239          127.67.113.92    2        u     42    512   377    16.133  +2.344  2.951
Candidate        108.61.215.221         162.159.200.1    4        u     511   512   377    22.939  +3.755  0.809
Candidate        192.155.94.72          132.163.96.2     2        u     33    512   377    24.175  +4.978  1.317
Outlier          62.72.0.70             209.151.225.100  3        u     163   512   377    50.970  -0.212  4.214
Active Peer      45.79.111.114          127.67.113.92    2        u     258   512   377    56.906  +2.950  1.572
Candidate        72.14.183.39           80.72.67.48      3        u     413   512   377    16.710  +3.197  2.877
Candidate        162.159.200.1          10.162.8.47      3        u     168   512   377    10.624  +2.746  5.546
#6
My time is about 9 minutes off -- compared to two other professionally (more than me at least) managed networks.
The default OPNsense pool reported a DNS resolution failure in the logs:

Error    ntpd    error resolving pool 1.opnsense.pool.ntp.org: Name does not resolve (8)

so I added pool.ntp.org and us.pool.ntp.org and I'm still seeing status like below.
I do see this and many more servers in the list -- is the "Unreach/Pending" just a side effect of not being in sync?
Although the offset column shows I'm not as far off as it really is ...

I'd really like my gateway to sync up and provide NTP for the local networks ...

Status           Server                 Ref ID           Stratum  Type  When  Poll  Reach  Delay   Offset  Jitter
Unreach/Pending  us.pool.ntp.org        .POOL.           16       p     -     64    0      0.000   +0.000  0.000
Unreach/Pending  opnsense.pool.ntp.org  .POOL.           16       p     -     64    0      0.000   +0.000  0.000
Unreach/Pending  134.215.155.177        216.239.35.0     2        u     14    64    7      48.304  +1.936  0.174
Unreach/Pending  158.51.99.19           17.253.26.125    3        u     16    64    7      42.716  +0.857  0.319
Unreach/Pending  72.14.183.239          45.79.1.70       3        u     13    64    7      16.266  +0.373  0.067
Unreach/Pending  74.208.25.46           198.46.254.130   3        u     13    64    7      36.483  +5.648  2.497
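The two status tables above can be read mechanically. The following is an added example, not OPNsense code or anything posted in the thread: it parses the GUI table (copying the rows from the posts as sample input), decodes the Reach column as ntpd's 8-bit reachability register, and explains why a row sits at "Unreach/Pending" rather than "Candidate" or "Active Peer". The wording of the explanations is this example's own interpretation.

```python
"""Decode an OPNsense "Network Time Protocol Status" peer table.

Added example for the two NTP status posts in the thread; it is not
OPNsense code. The sample rows are copied from the tables in the posts;
the parser and the reach-register decoding are this example's own.
"""
from dataclasses import dataclass

# Rows taken from the status tables in the thread (the later table's six rows,
# plus the "Active Peer" row from the earlier table once reach had filled up).
SAMPLE_STATUS = """\
Status Server Ref ID Stratum Type When Poll Reach Delay Offset Jitter
Unreach/Pending us.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Unreach/Pending opnsense.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Unreach/Pending 134.215.155.177 216.239.35.0 2 u 14 64 7 48.304 +1.936 0.174
Unreach/Pending 158.51.99.19 17.253.26.125 3 u 16 64 7 42.716 +0.857 0.319
Unreach/Pending 72.14.183.239 45.79.1.70 3 u 13 64 7 16.266 +0.373 0.067
Unreach/Pending 74.208.25.46 198.46.254.130 3 u 13 64 7 36.483 +5.648 2.497
Active Peer 45.79.111.114 127.67.113.92 2 u 258 512 377 56.906 +2.950 1.572
"""


@dataclass
class Peer:
    status: str
    server: str
    refid: str
    stratum: int
    kind: str        # "u" unicast peer, "p" pool placeholder
    when: str        # seconds since the last reply, "-" if none yet
    poll: int        # current poll interval in seconds
    reach: int       # 8-bit reachability register (ntpq prints it in octal)
    delay_ms: float
    offset_ms: float
    jitter_ms: float


def decode_reach(reach_octal: str) -> tuple[int, bool]:
    """Return (replies in the last 8 polls, whether the newest poll was answered).

    ntpd shifts one bit into the register per poll, newest result in bit 0, so
    377 (0b11111111) means all of the last eight polls were answered, while
    7 (0b00000111) means only three polls have been answered so far.
    """
    reg = int(reach_octal, 8) & 0xFF
    return bin(reg).count("1"), bool(reg & 1)


def parse_ntp_status(text: str) -> list[Peer]:
    """Parse the GUI table. The status label can contain a space ("Active Peer"),
    so the ten fixed columns are taken from the right and the rest is the status."""
    peers = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Status":
            continue
        server, refid, stratum, kind, when, poll, reach, delay, offset, jitter = parts[-10:]
        peers.append(Peer(
            status=" ".join(parts[:-10]), server=server, refid=refid,
            stratum=int(stratum), kind=kind, when=when, poll=int(poll),
            reach=int(reach, 8), delay_ms=float(delay),
            offset_ms=float(offset), jitter_ms=float(jitter)))
    return peers


def explain(peer: Peer) -> str:
    """Say why a row is Unreach/Pending instead of Candidate/Active Peer."""
    if peer.refid == ".POOL.":
        return "pool placeholder: it only resolves the pool name into the peers below it"
    replies, newest_ok = decode_reach(oct(peer.reach)[2:])
    if replies == 0:
        return "no reply received yet"
    if replies < 8:
        return f"reach register still filling ({replies}/8 polls answered)"
    return "fully reachable" + ("" if newest_ok else ", but the newest poll went unanswered")


def summarize(peers: list[Peer]) -> dict:
    """Counts plus the selected system peer (the row OPNsense labels "Active Peer")."""
    real = [p for p in peers if p.refid != ".POOL."]
    return {
        "pool_entries": len(peers) - len(real),
        "peers": len(real),
        "fully_reachable": sum(1 for p in real if p.reach == 0o377),
        "still_filling": sum(1 for p in real if 0 < p.reach < 0o377),
        "sys_peer": next((p.server for p in peers if p.status == "Active Peer"), None),
        "max_abs_offset_ms": max((abs(p.offset_ms) for p in real), default=0.0),
    }


if __name__ == "__main__":
    parsed = parse_ntp_status(SAMPLE_STATUS)
    for p in parsed:
        print(f"{p.status:16} {p.server:22} reach={oct(p.reach)[2:]:>3} -> {explain(p)}")
    print(summarize(parsed))
```

Two things the decoded output makes visible: the `.POOL.` rows never synchronise anything themselves, and a Reach of 7 with Poll 64 means the peer has only been polled three times, so the register (and ntpd's own sample filter) has simply not had time to fill. The Offset column is milliseconds relative to each peer, so it is not the same quantity as a wall-clock comparison against another network's time source.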
#7
24.7, 24.10 Legacy Series / Re: ssh access
April 04, 2025, 01:34:46 PM
Quote from: dseven on January 07, 2025, 11:34:17 AM
> I don't disagree with Patrick, but [System -> Settings -> Administration -> Secure Shell -> Listen Interfaces] is a thing....

That only appears to allow a single interface or all. All is the default.
#8
Update on my months-long struggle with Spectrum:

First off, I have a business account.
Static IPv4 IP.
Actually, a /29 subnet of IPv4 - 5 IPs and a gateway IP.

The issue I described manifested as certain streaming services displaying what is supposed to be "local" content for areas that varied wildly across the State of Texas.
We should get "local" content for the DFW area.
Example - wife subscribes to Peacock to get the Dallas NBC news stations - we are far enough away that a terrestrial antenna won't work.
At random intervals, something from Spectrum causes geo-location IP information across the internet to update and shift us from Dallas to Houston, or Austin, or San Antonio, or El Paso, or Colorado, or New Jersey .. You never knew if you would get local content or something from New York.

We started with each of the streaming services first -- at least for the ones you _can_ get help for; the rest I forced a cancellation. (I have been very unpopular) for months.
Every one of them just said you need to talk to your provider, so we moved on to Spectrum.
After weeks of arguing with first level techs (I had one young lady tell me - in effect - that "geo-location of IP addresses doesn't exist" and _clearly_ didn't understand basic network routing).

BTW, if you call Spectrum and mention to anyone anything about "streaming services" they immediately proceed to do all sorts of wonderful testing and validation of the Spectrum Streaming app.  No matter how hard you try to tell them it's an issue with streaming a different service over the internet -- it's like their employees live in a world where nothing other than Spectrum exists, and they don't really believe other services are possible.

I finally got a case -- which Spectrum will not share case numbers for, for reference on future calls -- you just have to hope the next tech that picks up can "find" your ticket -- escalated to ... someone.
I got a promise that a "ticket was in, but could take up to 30 days to process".

45 days of content hopscotch later still no fix.

I escalated the escalation, and even had ...someone... leave a voice mail about the issue.
Another week or so is the current guesstimate.


Spectrum has their own Streaming App that carries Spectrum produced "local news".
So long as that is "working", it's hard to get past 1st level support.


I have suspected they are doing carrier-grade NAT, and load balancing may be why the geo-location for us kept changing.
If anyone knows of a way to verify that without Spectrum's help I'd love to know it.
I have yet to speak to any first level tech that even knew what NAT might be, and anyone above that level has been very careful to just ignore any direct questions about it.

Short version, if you have any other option, take it!
I have been lucky -- I have had Verizon Fiber and later Frontier when they took over in the Dallas area.
It was pricey but under Verizon it just worked 24x7.
Frontier took over and there were some hiccups, but it smoothed out OK.
Moved out here and wound up with Spectrum.
It's like they have taken the Comcast playbook as their bible :/

#9
Not that I'm probably any sane reference, but do you need new equipment?
If you are like me and don't mind running retired enterprise gear ...

I'm using an Arista 7050TX-64 and a 7050SX-64.
T model is 48 10GB RJ45 ports and 4 QSFP+ ports.
S Model is 48 10GB SFP+ ports and 4 QSFP+ ports.

Bought them both for less than the cost of the last unmanaged 8 port TP-link 10GB switch off Amazon.

#10
Quote
> I don't mean to hijack your thread, but did you find a reasonable path to getting IN-ADDR set on your block? Time Warner had a dedicated e-mail address for that, but it's gone now. AT&T appears to have a dedicated e-mail address; Frontier has Frontier Hostmaster. All I could find for Charter/Spectrum was "call business support". (My former employers offered delegation, but few do that for less than a /24 these days.)
>
> I doubt you'll ever get a straight answer about pathing, unless you get a particularly dedicated support tech, or a network tech decides to contact you. Wacky pathing can vary between bug and feature, and I wouldn't expect it to affect geolocation... but that's not my gig. Allocation could be an issue, e.g. if small allocations are drawn from a single large pool and scattered all over the network. It's a bit unlikely (it would take some really lousy planning), but you can't easily evaluate that from outside.
>
> Aside: Instead of a logical /28, Frontier assigned me (effectively) a /29 and a couple /30s (i.e. basically a random set). Ouch.

For Spectrum business the only option is "call business support" and wade through 1st level to get someone who even knows how to do internal DNS requests.
I really haven't had much issue with them on that front -- all I'm looking for is to have proper forward/reverse lookups working. When they update the PTR record on their end it usually propagates within 24 hours.

I finally ran into a second level resource named "Zak" - that's all I could get for contact info - that said he would "put in a ticket" to have this geolocation issue resolved and it would take "up to 30 days".
He would not share any details on what exactly they were changing though.

This is all new fiber build out in the last year -- I was promised when we signed up that within 6 months we would have the same up/down speed "as soon as we upgrade a bit of equipment upstream in your area".
That hasn't happened either.

At least I have fiber instead of the DSL and Line of sight radio we had before :/


#11
This has nothing to do with OPNsense -- this is firmly with the provider - Spectrum in Texas.

Spectrum has recently added fiber to my area.
I have a /29 of static IP addresses (Spectrum calls this a "5 block").
At random intervals, geolocation for my static IPs update to various major metro areas in Texas.
When running my IP through various ip tools on the internet you can see the different tools will show different locations.
I assume that those various tools update their location information to some extent at least to routing to/from the IP address, perhaps?

Spectrum tech support has been way less than helpful so far -- most of the 1st level responses haven't even understood the issue.
Most of them don't understand what a PTR record is and will argue about their ability to alter them. :=(
At one point, on escalation I was told that Spectrum will route traffic outside the spectrum network in various physical locations, based on network load.
None of them will answer any questions about how spectrum routing and traffic paths work, or how this could affect the geo-location of the public, static IP addresses for which I pay extra.

Traffic that originates coming to me seems unaffected -- the IP addresses do appear to be public. Where this shows up as a major PITA is that I frequently get security alerts from places like eBay - "A device logged into your account from San Marcos, TX - was that you?" - and on the next login I have to go through account verification. Again.
Some streaming services provide "local" channels.
Makes life interesting if you never know if "local" will be Dallas/Ft Worth, Houston, Austin or San Antonio ... 

Anyone else on Spectrum encountered anything like this?

#12
Closest answer so far -- I think I prefer just having another drink. 

Quote
> Better go back to sleep and sober up.
#13
Ramblings from someone who woke up in the middle of the night with this in his head ...

The Arista 7050S-52 switch (10GB ports) is out in the wild for just over $100 now.
The later 7050 family switches have at least 4 GB of RAM, and this model has a "built in SSD".
Arista EOS is based on Linux -- I have a 7050TX-64 (10GB and 40GB ports) that is on a 4.9 64-bit kernel (and it's not on the latest version.)

Would it be possible to run OPNsense on Arista hardware?
Anyone tried it?


I have no idea what you'd do with that many ports, but at ~$100 - $150 ... 
#14
I'm looking for anyone else on their service where you experience frequent geo-location shifts of your public IP.
I'm on a static /29 from them in the 70.116.n.n range.

The only streaming app that can reliably determine what is "local" to us is the Spectrum TV app. 

Sometimes the streaming apps the wife uses will show us channels/content from the closest Metro area, and a lot of days we get content from San Antonio -- several hundred miles away.

Spectrum business support has provided two responses so far, depending on which level of tech you get:
1. "No, you are crazy, we never have any issues, it's a problem to deal with in your app."
2. "Yea, happens all the time, sucks to be you."


I'm collecting traceroutes to several points of interest, to document when we see the change.
I did some searching and saw someone on reddit asking about the same thing -- their solution was to go to another fiber provider.
I wish I could here.
I had to wait for someone to pass away here to grab an open DSL port before spectrum installed fiber.

Other than the really weird head end issue it's not that bad (especially compared to present alternatives), but at this point it's driving us buggy with this issue.

#15
24.7, 24.10 Legacy Series / automating backups
January 10, 2025, 10:57:31 PM
I am at the stage of setting up automated backups of an opnsense installation.
I see the API documentation, and that looks like possibly the answer, however ...

Is the entire configuration stored in a single file as in the backup from the UI?

I have used another, similar product that contained the configuration in a single file and a very simple korn shell script was all that was required to obtain a copy of the file that could be used for restoration.

/conf/config.xml seems to have a majority of the config -- can it be used to restore on a fresh install?
If so, what is the advantage of the APIs for backup?
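Whatever the answer on the API, a copy of /conf/config.xml is worth sanity-checking before it is restored onto another box. The following is an added example, not OPNsense code or anything from the thread: it parses a constructed, trimmed config.xml stand-in, reports which users carry a hashed versus an empty <password> element (the open question in the restore posts above), and checks the interface assignments against the NIC names present on the target machine, which is the "are the interfaces properly assigned" worry from the earlier posts. It assumes the export keeps users under <system><user> with <name> and <password>, interface assignments under <interfaces><NAME><if>, and that bcrypt hashes start with `$2y$`; it never prints or modifies the password value.

```python
"""Inspect an OPNsense config.xml export before restoring it elsewhere.

Added example for the restore and backup posts in the thread; it is not
OPNsense code. Assumed layout: users under <system><user> with <name> and
<password>, interface assignments under <interfaces><NAME><if>, bcrypt hashes
beginning with "$2y$". Nothing here changes the file.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for a config.xml export (not a real backup;
# the hash below is a placeholder, not a real bcrypt value).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <version>25.1</version>
  <system>
    <hostname>fw</hostname>
    <user>
      <name>root</name>
      <uid>0</uid>
      <password>$2y$10$CONSTRUCTED.PLACEHOLDER.HASH.NOT.A.REAL.VALUE000000000</password>
    </user>
    <user>
      <name>operator</name>
      <uid>2000</uid>
      <password></password>
    </user>
  </system>
  <interfaces>
    <wan><if>igb0</if><enable>1</enable></wan>
    <lan><if>igb1</if><enable>1</enable><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>igb2</if><descr>DMZ</descr></opt1>
  </interfaces>
</opnsense>
"""


def classify_password(value: str) -> str:
    """Label a <password> value by its shape without ever echoing it."""
    if value == "":
        return "empty"
    if value.startswith(("$2y$", "$2b$", "$2a$")):
        return "bcrypt"
    if value.startswith("$6$"):
        return "sha512-crypt"
    return "unknown"


def inspect_config(xml_text: str) -> dict:
    """Summarize version, interface-to-device assignments and user password state."""
    # The export is a local, trusted file; for XML from untrusted sources
    # parse with defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    users = {}
    for user in root.iterfind("system/user"):
        users[user.findtext("name", "")] = classify_password(user.findtext("password", ""))
    interfaces = {}
    ifaces = root.find("interfaces")
    if ifaces is not None:
        for iface in ifaces:
            interfaces[iface.tag] = iface.findtext("if", "")
    return {"version": root.findtext("version", ""), "interfaces": interfaces, "users": users}


def missing_devices(xml_text: str, present_nics: list[str]) -> dict:
    """Interfaces whose assigned device name does not exist on the target box.

    Restoring onto hardware whose NICs enumerate under different names leaves
    these assignments pointing at devices that are not there."""
    assigned = inspect_config(xml_text)["interfaces"]
    return {name: dev for name, dev in assigned.items() if dev not in present_nics}


if __name__ == "__main__":
    report = inspect_config(SAMPLE_CONFIG)
    print("config version:", report["version"])
    for name, state in report["users"].items():
        print(f"user {name}: password {state}")
    # Constructed target: a box whose NICs are em0/em1 instead of igb0/igb1/igb2.
    for name, dev in missing_devices(SAMPLE_CONFIG, ["em0", "em1"]).items():
        print(f"interface {name} expects {dev}, which is not present on this host")
```

On a real system the NIC list would come from `ifconfig -l` on the target box. Because the export carries the password hashes the thread discusses, automated copies of it should be stored where only the backup job can read them.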