Messages - tdalej

#1
How long does it take to sync up?  Still almost 10 minutes out from local cell tower service time and internal time service from where I work.


Network Time Protocol Status

Status           Server                 Ref ID           Stratum  Type  When  Poll  Reach  Delay   Offset  Jitter
Unreach/Pending  us.pool.ntp.org        .POOL.           16       p     -     64    0      0.000   +0.000  0.000
Unreach/Pending  opnsense.pool.ntp.org  .POOL.           16       p     -     64    0      0.000   +0.000  0.000
Outlier          134.215.155.177        216.239.35.0     2        u     410   512   377    47.497  +3.974  1.502
Outlier          158.51.99.19           17.253.26.125    3        u     302   512   377    41.426  +1.647  1.390
Outlier          72.14.183.239          127.67.113.92    2        u     42    512   377    16.133  +2.344  2.951
Candidate        108.61.215.221         162.159.200.1    4        u     511   512   377    22.939  +3.755  0.809
Candidate        192.155.94.72          132.163.96.2     2        u     33    512   377    24.175  +4.978  1.317
Outlier          62.72.0.70             209.151.225.100  3        u     163   512   377    50.970  -0.212  4.214
Active Peer      45.79.111.114          127.67.113.92    2        u     258   512   377    56.906  +2.950  1.572
Candidate        72.14.183.39           80.72.67.48      3        u     413   512   377    16.710  +3.197  2.877
Candidate        162.159.200.1          10.162.8.47      3        u     168   512   377    10.624  +2.746  5.546
#2
My time is about 9 minutes off -- compared to two other professionally (more than me at least) managed networks.
The default opnsense pool reported in the logs DNS resolution failure

Error    ntpd    error resolving pool 1.opnsense.pool.ntp.org: Name does not resolve (8)

so I added pool.ntp.org and us.pool.ntp.org and I'm still seeing status like below.
I do see this and many more servers in the list -- is the "Unreach/Pending" just a side effect of not being in sync?
Although the offset column shows I'm not as far off as it really is ...

I'd really like my gateway to sync up and provide NTP for the local networks ...

Status           Server                 Ref ID          Stratum  Type  When  Poll  Reach  Delay   Offset  Jitter
Unreach/Pending  us.pool.ntp.org        .POOL.          16       p     -     64    0      0.000   +0.000  0.000
Unreach/Pending  opnsense.pool.ntp.org  .POOL.          16       p     -     64    0      0.000   +0.000  0.000
Unreach/Pending  134.215.155.177        216.239.35.0    2        u     14    64    7      48.304  +1.936  0.174
Unreach/Pending  158.51.99.19           17.253.26.125   3        u     16    64    7      42.716  +0.857  0.319
Unreach/Pending  72.14.183.239          45.79.1.70      3        u     13    64    7      16.266  +0.373  0.067
Unreach/Pending  74.208.25.46           198.46.254.130  3        u     13    64    7      36.483  +5.648  2.497
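Added example (editor's code, not part of either post above): a small parser for the status table OPNsense prints, which has the same columns as `ntpq -pn`. It decodes the Reach column, an 8-bit shift register of the last eight polls (377 octal means all eight answered; 7 means only three polls have happened since the daemon started, all answered), and separates the pool.ntp.org placeholder lines from real servers: a pool line always shows Ref ID .POOL., stratum 16 and reach 0, because ntpd polls the addresses the pool name resolved to (the "u" lines), never the name itself, so "Unreach/Pending" on those two lines is normal. Offset is in milliseconds relative to each server. The sample rows are copied from the two tables above and embedded so the script runs offline.

```python
"""Parse an OPNsense "Network Time Protocol Status" table (same columns as
`ntpq -pn`) and explain what the Reach column says about each peer.
Editor's example; the only input is the constructed NTP_SAMPLE below."""
from dataclasses import dataclass

# Constructed sample: rows copied from the status tables in the posts above.
NTP_SAMPLE = """\
Status Server Ref ID Stratum Type When Poll Reach Delay Offset Jitter
Unreach/Pending us.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Outlier 134.215.155.177 216.239.35.0 2 u 410 512 377 47.497 +3.974 1.502
Candidate 108.61.215.221 162.159.200.1 4 u 511 512 377 22.939 +3.755 0.809
Active Peer 45.79.111.114 127.67.113.92 2 u 258 512 377 56.906 +2.950 1.572
Unreach/Pending 74.208.25.46 198.46.254.130 3 u 13 64 7 36.483 +5.648 2.497
"""


@dataclass
class Peer:
    status: str
    server: str
    refid: str
    stratum: int
    kind: str        # u = unicast server, p = pool placeholder, l = local clock
    when: str        # seconds since the last reply, or "-" if never
    poll: int        # current poll interval in seconds
    reach: str       # octal, exactly as ntpq prints it
    delay_ms: float
    offset_ms: float  # this clock minus the server's clock, milliseconds
    jitter_ms: float

    @property
    def is_pool_placeholder(self) -> bool:
        # The pool name itself is never polled; it stays stratum 16 / reach 0
        # for ever. The servers it resolved to appear as separate "u" lines.
        return self.kind == "p" or self.refid == ".POOL."


def decode_reach(octal: str) -> tuple:
    """Return (replies in the last 8 polls, consecutive most-recent replies).

    Each poll shifts the register left and sets the low bit if the server
    answered, so the low bit is the most recent poll."""
    bits = int(octal, 8) & 0xFF
    answered = bin(bits).count("1")
    streak = 0
    while bits & 1:
        streak += 1
        bits >>= 1
    return answered, streak


def parse_peers(text: str) -> list:
    peers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 11 or parts[0] in ("Status", "remote") or set(line) <= {"=", " "}:
            continue  # header, ntpq separator line, or blank
        # The status column may be two words ("Active Peer"), so unpack from the right.
        *status_words, server, refid, stratum, kind, when, poll, reach, delay, offset, jitter = parts
        peers.append(Peer(" ".join(status_words), server, refid, int(stratum), kind, when,
                          int(poll), reach, float(delay), float(offset), float(jitter)))
    return peers


def summarize(peers: list) -> dict:
    real = [p for p in peers if not p.is_pool_placeholder]
    fully = [p for p in real if decode_reach(p.reach)[0] == 8]
    return {
        "pool_placeholders": sum(p.is_pool_placeholder for p in peers),
        "servers": len(real),
        "fully_reached": len(fully),
        "selected": [p.server for p in peers if p.status == "Active Peer"],
        # Offsets are relative to each server, not to any external notion of truth.
        "max_abs_offset_ms": max((abs(p.offset_ms) for p in real), default=0.0),
    }


if __name__ == "__main__":
    peers = parse_peers(NTP_SAMPLE)
    for p in peers:
        answered, streak = decode_reach(p.reach)
        if p.is_pool_placeholder:
            note = "pool placeholder (expected to stay unreached)"
        else:
            note = f"{answered}/8 polls answered, last {streak} in a row"
        print(f"{p.status:16} {p.server:24} offset {p.offset_ms:+8.3f} ms  {note}")
    print(summarize(peers))
```

Feed it the full table (copy/paste into a file and read it in place of NTP_SAMPLE) to see at a glance which lines are placeholders, which servers have a full reach register, and how far each one disagrees with the local clock.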
#3
24.7, 24.10 Legacy Series / Re: ssh access
April 04, 2025, 01:34:46 PM
Quote from: dseven on January 07, 2025, 11:34:17 AM
I don't disagree with Patrick, but [System -> Settings -> Administration -> Secure Shell -> Listen Interfaces] is a thing....

That only appears to allow a single interface or all.  All is the default.
#4
Update on my months-long struggle with Spectrum:

First off, I have a business account.
Static IPV4 IP
Actually, a /29 subnet of IPV4 - 5 IPs and a gateway IP.

The issue I described manifested as certain streaming services displaying what is supposed to be "local" content for areas that varied wildly across the State of Texas.
We should get "local" content for the DFW area.
Example - wife subscribes to Peacock to get the Dallas NBC news stations - we are far enough away that a terrestrial antenna won't work.
At random intervals, something from Spectrum causes geo-location IP information across the internet to update and shift us from Dallas to Houston, or Austin, or San Antonio, or El Paso, or Colorado, or New Jersey ... You never knew if you would get local content or something from New York.

We started with each of the streaming services first -- at least for the ones you _can_ get help for, the rest I forced a cancellation.  (I have been very unpopular) for months.
Every one of them just said you need to talk to your provider, so we moved on to Spectrum.
After weeks of arguing with first level techs (I had one young lady tell me - in effect - that "geo-location of IP addresses doesn't exist" and _clearly_ didn't understand basic network routing).

BTW, if you call Spectrum and mention to anyone anything about "streaming services" they immediately proceed to do all sorts of wonderful testing and validation of the Spectrum Streaming app.  No matter how hard you try to tell them it's an issue with streaming a different service over the internet -- it's like their employees live in a world where nothing other than Spectrum exists, and they don't really believe other services are possible.

I finally got a case -- which Spectrum will not share case numbers with you for reference on future calls -- you just have to hope the next tech that picks up can "find" your ticket -- escalated to ... someone.
I got a promise that a "ticket was in, but could take up to 30 days to process".

45 days of content hopscotch later still no fix.

I escalated the escalation, and even had ...someone... leave a voice mail about the issue.
Another week or so is the current guesstimate.


Spectrum has their own Streaming App that carries Spectrum produced "local news".
So long as that is "working", it's hard to get past 1st level support.


I have suspected they are doing carrier grade NAT and load balancing may be why the geo-location for us kept changing.
If anyone knows of a way to verify that without Spectrum's help I'd love to know it.
I have yet to speak to any first level tech that even knew what NAT might be, and anyone above that level has been very careful to just ignore any direct questions about it.

Short version, if you have any other option, take it!
I have been lucky -- I have had Verizon Fiber and later Frontier when they took over in the Dallas area.
It was pricey but under verizon it just worked 24x7.
Frontier took over and there were some hiccups, but it smoothed out OK.
Moved out here and wound up with spectrum.
It's like they have taken the Comcast playbook as their bible :/
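Added example (editor's code, not from the post above, which asks how to verify carrier-grade NAT without the provider's help): the checks you can do from your own side. Carrier-grade NAT hands the customer an address from the RFC 6598 shared range 100.64.0.0/10 (or RFC 1918 space) on the WAN side, and the source address an outside host sees differs from the one on your interface. The script classifies the WAN address and compares it with what an outside host reports, relative to the static block the ISP assigned. The addresses in the demo are constructed from TEST-NET-1 (203.0.113.0/24) and stand in for a real assignment; for the "observed" address use any host outside the network that can echo your source address back to you.

```python
"""Am I behind carrier-grade NAT? Local checks that need no help from the ISP.
Editor's example; the demo addresses below are constructed (TEST-NET-1)."""
import ipaddress

# Ranges that can never be the source address the public internet sees.
CGNAT = [ipaddress.ip_network("100.64.0.0/10")]                      # RFC 6598
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]  # RFC 1918 / ULA
LINK_LOCAL = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fe80::/10")]


def classify(addr: str) -> str:
    """'cgnat', 'private', 'link-local', 'loopback' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    for label, nets in (("cgnat", CGNAT), ("private", PRIVATE), ("link-local", LINK_LOCAL)):
        if any(ip in n for n in nets):
            return label
    return "public"


def nat_verdict(assigned_block: str, wan_addr: str, observed_addr: str) -> str:
    """assigned_block: the static block the ISP sold you (e.g. a /29).
    wan_addr: the address OPNsense shows on the WAN interface.
    observed_addr: the source address an outside host sees for your traffic."""
    block = ipaddress.ip_network(assigned_block, strict=False)
    wan = ipaddress.ip_address(wan_addr)
    seen = ipaddress.ip_address(observed_addr)
    kind = classify(wan_addr)
    if kind != "public":
        return f"NAT upstream: WAN address {wan} is {kind} space, so the ISP must be translating it"
    if seen not in block:
        return f"translation upstream: outside sees {seen}, which is not in your block {block}"
    if seen != wan:
        return f"own NAT: outside sees {seen} from your block, but WAN is {wan} (your outbound NAT/routing)"
    return f"no NAT: outside sees your WAN address {wan} directly"


if __name__ == "__main__":
    # Constructed demo values; substitute your real block, WAN address and
    # the address an outside host reports for you.
    block, wan = "203.0.113.8/29", "203.0.113.9"
    for seen in ("203.0.113.9", "203.0.113.10", "198.51.100.7"):
        print(nat_verdict(block, wan, seen))
    print(nat_verdict(block, "100.64.1.5", "203.0.113.9"))
```

If the verdict is "no NAT" the geolocation drift is not CGNAT; the remaining candidates are the provider's routing/egress changes the post describes, which you can only document from the outside (repeated traceroutes and IP-to-location lookups over time), not prove from the firewall.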

#5
Not that I'm probably any sane reference, but do you need new equipment?
If you are like me and don't mind running retired enterprise gear ...

I'm using an Arista 7050TX-64 and a 7050SX-64.
T model is 48 10GB RJ45 ports and 4 QSFP+ ports.
S Model is 48 10GB SFP+ ports and 4 QSFP+ ports.

Bought them both for less than the cost of the last unmanaged 8 port TP-link 10GB switch off Amazon.

#6
[quote]
I don't mean to hijack your thread, but did you find a reasonable path to getting IN-ADDR set on your block? Time Warner had a dedicated e-mail address for that, but it's gone now. AT&T appears to have a dedicated e-mail address; Frontier has Frontier Hostmaster. All I could find for Charter/Spectrum was "call business support". (My former employers offered delegation, but few do that for less than a /24 these days.)

I doubt you'll ever get a straight answer about pathing, unless you get a particularly dedicated support tech, or a network tech decides to contact you. Wacky pathing can vary between bug and feature, and I wouldn't expect it to affect geolocation... but that's not my gig. Allocation could be an issue, e.g. if small allocations are drawn from a single large pool and scattered all over the network. It's a bit unlikely (it would take some really lousy planning), but you can't easily evaluate that from outside.

Aside: Instead of a logical /28, Frontier assigned me (effectively) a /29 and a couple /30s (i.e. basically a random set). Ouch.
[/quote]

For Spectrum business the only option is "call business support" and wade through 1st level to get someone who even knows how to do internal DNS requests.
I really haven't had much issue with them on that front -- all I'm looking for is to have proper forward/reverse lookups working.  When they update the PTR record on their end it usually propagates within 24 hours.

I finally ran into a second level resource named "Zak" - that's all I could get for contact info - that said he would "put in a ticket" to have this geolocation issue resolved and it would take "up to 30 days".
He would not share any details on what exactly they were changing though.

This is all new fiber build out in the last year -- I was promised when we signed up that within 6 months we would have the same up/down speed "as soon as we upgrade a bit of equipment upstream in your area".
That hasn't happened either.

At least I have fiber instead of the DSL and Line of sight radio we had before :/


#7
This has nothing to do with OPNsense -- this is firmly with the provider - Spectrum in Texas.

Spectrum has recently added fiber to my area.
I have a /29 of static IP addresses (Spectrum calls this a "5 block").
At random intervals, geolocation for my static IPs update to various major metro areas in Texas.
When running my IP through various ip tools on the internet you can see the different tools will show different locations.
I assume that those various tools update their location information to some extent at least to routing to/from the IP address, perhaps?

Spectrum tech support has been way less than helpful so far -- most of the 1st level responses haven't even understood the issue.
Most of them don't understand what a PTR record is and will argue about their ability to alter them. :=(
At one point, on escalation I was told that Spectrum will route traffic outside the spectrum network in various physical locations, based on network load.
None of them will answer any questions about how spectrum routing and traffic paths work, or how this could affect the geo-location of the public, static IP addresses for which I pay extra.

Traffic that originates coming to me seems unaffected -- the IP addresses do appear to be public.  Where this shows up as a major PITA is that I frequently get security alerts from places like ebay - " A device logged into your account from San Marcos, Tx - was that you?" - next login I have to go through account verification. again.
Some streaming services provide "local" channels.
Makes life interesting if you never know if "local" will be Dallas/Ft Worth, Houston, Austin or San Antonio ... 

Any one else on Spectrum or encountered anything like this?

#8
Closest answer so far -- I think I prefer just having another drink. 

Quote: Better go back to sleep and sober up.
#9
Ramblings from someone who woke up in the middle of the night with this in his head ...

The Arista 7050S-52 switch (10GB ports) is out in the wild for just over $100 now.
The later 7050 family switches have at least 4 GB of RAM, and this model has a "built in SSD".
Arista EOS is based on Linux -- I have a 7050TX-64 (10GB and 40GB ports) that is on a 4.9 64-bit kernel (and it's not on the latest version.)

Would it be possible to run OPNsense on Arista hardware?
Anyone tried it?


I have no idea what you'd do with that many ports, but at ~$100 - $150 ... 
#10
I'm looking for anyone else on their service where you experience frequent geo-location shifts of your public IP.
I'm on a static /29 from them in the 70.116.n.n range.

The only streaming app that can reliably determine what is "local" to us is the Spectrum TV app. 

Sometimes the streaming apps the wife uses will show us channels/content from the closest Metro area, and a lot of days we get content from San Antonio -- several hundred miles away.

Spectrum business support has provided two responses so far, depending on which level of tech you get:
1. "No, you are crazy, we never have any issues, it's a problem to deal with in your app."
2. "Yea, happens all the time, sucks to be you."


I'm collecting traceroutes to several points of interest, when we see the change to document.
I did some searching and saw someone on reddit asking about the same thing -- their solution was to go to another fiber provider.
I wish I could here.
I had to wait for someone to pass away here to grab an open DSL port before spectrum installed fiber.

Other than the really weird head end issue it's not that bad (especially compared to present alternatives), but at this point it's driving us buggy with this issue.

#11
24.7, 24.10 Legacy Series / automating backups
January 10, 2025, 10:57:31 PM
I am at the stage of setting up automated backups of an opnsense installation.
I see the API documentation, and that looks like possibly the answer, however ...

Is the entire configuration stored in a single file as in the backup from the UI?

I have used another, similar product that contained the configuration in a single file and a very simple korn shell script was all that was required to obtain a copy of the file that could be used for restoration.

/conf/config.xml seems to have a majority of the config -- can it be used to restore on a fresh install?
If so, what is the advantage of the APIs for backup?
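Added example (editor's code, not from the post): an unattended backup that pulls the configuration over the API and stores it like the UI download, with the two checks that a simple copy-the-file script does not do. /conf/config.xml is the whole configuration and is what the UI backup/restore works with, so the value of the API is only that it needs an API key instead of an SSH login. The endpoint path below is an assumption for the core backup download; check it against the API reference for your release. API authentication is HTTP Basic with the key as user and the secret as password. The script refuses to keep anything that is not a complete `<opnsense>` document (a failed login returns HTML, which would otherwise silently overwrite your newest backup), writes the file mode 0600 because config.xml contains password hashes, PSKs and keys, stores a SHA-256 sidecar, and keeps only the newest N copies.

```python
"""Fetch config.xml from an OPNsense box over the API, validate, store, rotate.
Editor's example. Assumed: an API key/secret with read access, and the
endpoint path in ENDPOINT (verify against the API docs for your release)."""
import base64
import hashlib
import os
import ssl
import time
import urllib.request
import xml.etree.ElementTree as ET

ENDPOINT = "/api/core/backup/download/this"   # assumed path, check your release


def build_request(host: str, key: str, secret: str) -> urllib.request.Request:
    # OPNsense API auth is HTTP Basic: key as user name, secret as password.
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return urllib.request.Request(f"https://{host}{ENDPOINT}",
                                  headers={"Authorization": f"Basic {token}"})


def fetch(host: str, key: str, secret: str, cafile: str = None) -> bytes:
    # Give it the CA that signed the web GUI certificate instead of
    # switching verification off; the response contains all your secrets.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(build_request(host, key, secret), context=ctx, timeout=30) as r:
        return r.read()


def validate_config(data: bytes) -> str:
    """Raise unless this is a complete <opnsense> document; return the root tag."""
    root = ET.fromstring(data)                # a login page or error body fails here
    if root.tag != "opnsense":
        raise ValueError(f"unexpected root element <{root.tag}>")
    if root.find("system") is None or root.find("interfaces") is None:
        raise ValueError("config lacks <system> or <interfaces>; refusing to keep it")
    return root.tag


def prune(directory: str, keep: int) -> None:
    backups = sorted(n for n in os.listdir(directory)
                     if n.startswith("config-") and n.endswith(".xml"))
    for old in (backups[:-keep] if keep > 0 else backups):
        os.remove(os.path.join(directory, old))
        try:
            os.remove(os.path.join(directory, old + ".sha256"))
        except FileNotFoundError:
            pass


def store(data: bytes, directory: str, keep: int = 30, now: float = None) -> str:
    """Validate, write config-<UTC stamp>.xml (mode 0600) plus a SHA-256 sidecar, rotate."""
    validate_config(data)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    path = os.path.join(directory, f"config-{stamp}.xml")
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)
    with open(path + ".sha256", "w") as f:
        f.write(hashlib.sha256(data).hexdigest() + "\n")
    prune(directory, keep)
    return path


if __name__ == "__main__":
    import sys
    host, key, secret, outdir = sys.argv[1:5]
    print(store(fetch(host, key, secret), outdir))
```

Run it from cron with the key and secret in a root-only file rather than on the command line, and point `cafile` at the CA you issued the GUI certificate from.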


#12
24.7, 24.10 Legacy Series / Re: ssh access
January 07, 2025, 08:48:24 PM
So:
WAN blocked by default
LANS have access by default

If I need to block access from some LANs, I need to create firewall rules.
#13
24.7, 24.10 Legacy Series / ssh access
January 06, 2025, 10:54:54 PM
It seems in the gui the ability to enable ssh access is global and I don't see anything that is interface specific.
Is the WAN interface disabled for ssh access by default?


#14
Especially if you edit DHCP static leases or DNS overrides in order to save yourself the time of one-by-one entry:

There appears to be no data integrity checking prior/during restore.

Some examples:
Trailing spaces in fields - like mac addresses, duplicate entries in DHCP leases, all are rejected if attempted in the GUI.
All get by the restore without error.
Best part is, in the case of ISC DHCP4, apparently handing multiple IP addresses to the same MAC address works.
Both get inserted into unbound.
So a single device gets two valid leases and both entries are inserted into DNS.

Being able to sort the static lease entry tables by the various column headers would help identify these quickly.
You can sort the leases table - so you only see the obvious when it occurs and some device becomes unavailable on the network because it happens to not respond to the first DNS entry.



My bad for the essentially corrupted data -- but if there is an attempt to idiot-proof opnsense, I'm winning today. :/
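Added example (editor's code, not from the post): a pre-restore lint for the DHCP static mappings in a config.xml, catching the things the post says the GUI rejects but a restore accepts: leading/trailing whitespace in fields, a MAC not in `aa:bb:cc:dd:ee:ff` form, one MAC mapped to several addresses, and one address (or hostname) mapped to several MACs. The element layout assumed here is `dhcpd/<interface>/staticmap/{mac,ipaddr,hostname}` for the ISC DHCPv4 mappings; check it against your own file before trusting the result. The embedded sample is constructed and deliberately contains each kind of error.

```python
"""Pre-restore lint for ISC DHCPv4 static mappings in an OPNsense config.xml.
Editor's example. Assumed layout: dhcpd/<interface>/staticmap/{mac,ipaddr,hostname}."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample with one of each defect: duplicate MAC (entries 1 and 2),
# trailing space in a MAC (entry 3), dash-separated MAC and duplicate IP (entry 4).
CONFIG_SAMPLE = """<opnsense><dhcpd>
<lan>
 <staticmap><mac>aa:bb:cc:00:00:01</mac><ipaddr>192.168.1.10</ipaddr><hostname>printer</hostname></staticmap>
 <staticmap><mac>aa:bb:cc:00:00:01</mac><ipaddr>192.168.1.11</ipaddr><hostname>printer-old</hostname></staticmap>
 <staticmap><mac>aa:bb:cc:00:00:02 </mac><ipaddr>192.168.1.12</ipaddr><hostname>nas</hostname></staticmap>
 <staticmap><mac>AA-BB-CC-00-00-03</mac><ipaddr>192.168.1.12</ipaddr><hostname>cam</hostname></staticmap>
</lan>
</dhcpd></opnsense>"""


def lint_staticmaps(xml_text: str) -> list:
    """Return (location, kind, message) tuples; an empty list means nothing found."""
    findings = []
    by_mac, by_ip, by_host = defaultdict(list), defaultdict(list), defaultdict(list)
    root = ET.fromstring(xml_text)
    dhcpd = root.find("dhcpd")
    if dhcpd is None:
        return findings
    for iface in dhcpd:                              # <lan>, <opt1>, ...
        for i, sm in enumerate(iface.findall("staticmap"), 1):
            where = f"{iface.tag}/staticmap[{i}]"
            fields = {c.tag: (c.text or "") for c in sm}
            for tag, val in fields.items():
                if val != val.strip():
                    findings.append((where, "whitespace",
                                     f"<{tag}> has leading/trailing whitespace: {val!r}"))
            mac = fields.get("mac", "").strip().lower()
            ip = fields.get("ipaddr", "").strip()
            host = fields.get("hostname", "").strip().lower()
            if not MAC_RE.match(mac):
                findings.append((where, "bad_mac", f"MAC not in aa:bb:cc:dd:ee:ff form: {mac!r}"))
            if mac:
                by_mac[mac].append((where, ip))
            if ip:
                by_ip[ip].append((where, mac))
            if host:
                by_host[host].append((where, ip))
    # Cross-entry checks: one MAC -> many IPs, one IP -> many MACs, one name -> many IPs.
    for mac, uses in by_mac.items():
        if len(uses) > 1:
            findings.append((uses[-1][0], "dup_mac",
                             f"{mac} mapped to {len(uses)} addresses: " + ", ".join(ip for _, ip in uses)))
    for ip, uses in by_ip.items():
        if len(uses) > 1:
            findings.append((uses[-1][0], "dup_ip",
                             f"{ip} assigned to {len(uses)} MACs: " + ", ".join(m for _, m in uses)))
    for host, uses in by_host.items():
        if len(uses) > 1:
            findings.append((uses[-1][0], "dup_hostname",
                             f"{host} registered for {len(uses)} addresses: " + ", ".join(ip for _, ip in uses)))
    return findings


def lint_file(path: str) -> list:
    with open(path, encoding="utf-8") as f:
        return lint_staticmaps(f.read())


if __name__ == "__main__":
    import sys
    results = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint_staticmaps(CONFIG_SAMPLE)
    for where, kind, msg in results:
        print(f"{where}: {kind}: {msg}")
    sys.exit(1 if results else 0)
```

Run it against the edited config.xml before uploading it through the restore page; the non-zero exit status makes it easy to gate a scripted restore on a clean result.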


#15
Alias should look like this?

    "alias": {
      "de9e2fdc-8240-44e6-acd2-a7d1551cc244": {
        "enabled": "1",
        "name": "Opt4_Isolation_Alias",
        "type": "network",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "__lan_network\n__opt1_network\n__opt2_network\n__opt3_network",
        "categories": "",
        "description": "Alias group to isolate the Opt4 network"
      },