
Messages - tdalej

1
23.7 Legacy Series / Re: Installation with ZFS - how long does it normally take?
« on: January 29, 2024, 03:02:47 pm »
As I said, I don't know much about ZFS. 
500GB of space is overkill for my setup, 855GB is even more overkill.

I only brought this up because another product lists ZFS first in the list of filesystem options and creates an identically configured ZFS filesystem in a fraction (very small fraction) of the time.

If I were creating an mdadm RAID it's the difference between using --assume-clean and not.
Is there a comparable flag for ZFS?

It's not _that_ critical of an issue as I will only install maybe a couple more times before I try a recovery install before I put this in use.

What bothers me a _lot_ more is the routing issues I have hit :/

2
23.7 Legacy Series / Re: Installation with ZFS - how long does it normally take?
« on: January 26, 2024, 03:18:40 pm »
The unit with zfs isn't in use yet, so I don't know how useful looking at IO might be.
I did install the os-smart plugin and although the UI widget doesn't appear to function (setup instructions at install time are unclear), smartctl output shows the drives healthy.

I just initiated a long test on each drive so will see how that turns out.

I'm not that familiar with ZFS, much more familiar with mdadm, but with 4 500GB drives and raidz3 I expected a 500GB volume with three mirrors, but instead it looks like a 1TB volume.

Until I get some other issues resolved I'm temporarily running 23.7.12 on a Dell 1950 with a PERC for two SAS drives.
If I can get the routing issue described in another thread resolved I'll move the (newer) hardware into use with ZFS.

3
23.7 Legacy Series / local/static routing issue - any help would be appreciated
« on: January 26, 2024, 02:38:29 pm »
This is the page from OPNSense docs: https://docs.opnsense.org/manual/routes.html
Short and sweet, but not much help.

I had a LAN configured between two other somewhat similar firewall products.
Site 1 LAN 192.168.10.0/24
Site 1 LAN for interconnect 192.168.30/0  (Interface 192.168.30.1)

Site 2 LAN for interconnect 192.168.30/0  (Interface 192.168.30.2)
Site 2 LAN 192.168.20.0/24

Site 1 Gateway for route to site 2 -  192.168.30.2 with monitor IP of 192.168.20.1
Site 2 Gateway for route to site 1 - 192.168.30.1 with monitor IP of 192.168.10.1

Site 1 static routes 192.68.20 Net via Site 1 Gateway
Site 2 static routes 192.68.10 Net via Site 2 Gateway

This configuration worked between sites in the previous setup -- I have changed to OPNSense in Site 1 and Site 2 is on the other/older firewall.

Gateway monitoring doesn't even work on OPNSense.
I can monitor and get a ping response from Site 2 gateway from OPNSense CLI but not the default gateway in Site 2.

Obviously I'm missing something in routing, but I can't see it ...

Anyone got any hints?

4
23.7 Legacy Series / Re: Installation with ZFS - how long does it normally take?
« on: January 25, 2024, 04:35:41 pm »
I was just modifying my previous reply and lost it when my session timed out :/

Other than the brutally slow install it seems to operate comparably to anything else I have installed -- once it's on the appliance.

If there are logs I can collect that may help I'll slog through those hours again -- but if it's just to watch the paint dry again I'd rather not :)

5
23.7 Legacy Series / Re: Installation with ZFS - how long does it normally take?
« on: January 25, 2024, 04:08:15 pm »
It's a:
Supermicro 1U Firewall Server W/ X10SLH-N6-ST031
Processor: Xeon E3-1270 v3 3.5GHz 4-Core Processor
Memory: 32GB (4x 8GB) DDR3 ECC Unbuffered Memory
Storage Controller: Integrated Storage Controller

Using 4 onboard SATA ports of 6.
Onboard storage controller in AHCI mode.

In the BIOS the storage controller has three settings: (from memory, the BMC doesn't have any storage info)
RAID
AHCI
IDE

The RAID mode doesn't seem to have any effect.

6
23.7 Legacy Series / smartmontools on 23.7.12
« on: January 25, 2024, 02:25:48 pm »
When installing the os-smart plugin to monitor drive health, the message below is displayed.

There is no /etc/periodic.conf file.
Just daily, weekly, etc, directories in /etc/periodic 

Should this file be created or should an entry in the appropriate period be created?


Quote
Message from smartmontools-7.4_1:

--
smartmontools has been installed

To check the status of drives, use the following:

   /usr/local/sbin/smartctl -a /dev/ad0   for first ATA/SATA drive
   /usr/local/sbin/smartctl -a /dev/da0   for first SCSI drive
   /usr/local/sbin/smartctl -a /dev/ada0   for first SATA drive

To include drive health information in your daily status reports,
add a line like the following to /etc/periodic.conf:
   daily_status_smart_devices="/dev/ad0 /dev/da0"
substituting the appropriate device names for your SMART-capable disks.

To enable drive monitoring, you can use /usr/local/sbin/smartd.
A sample configuration file has been installed as
/usr/local/etc/smartd.conf.sample
Copy this file to /usr/local/etc/smartd.conf and edit appropriately

To have smartd start at boot
   echo 'smartd_enable="YES"' >> /etc/rc.conf

7
23.7 Legacy Series / Re: Installation with ZFS - how long does it normally take?
« on: January 25, 2024, 02:20:54 pm »
It was not. 
It was hours.

Between the aborted install and when I let it run to completion, I installed another firewall product and ESXi 7.0U3n.

They installed normally and within minutes.

Most likely not a hardware issue -- not a lot of people using ZFS?

8
23.7 Legacy Series / Installation with ZFS - how long does it normally take?
« on: January 25, 2024, 12:00:31 am »
I have a Supermicro 1U Server I'm (going) to use as a firewall.
4 500GB enterprise SATA disks, so ZFS raidz3 might be a good approach.

It ran so long I stopped it and tried another firewall product that can use ZFS and on the same hardware installation time is minutes, not hours.

I'm running the installation of opnsense 23.7 again ...  I'm 3+ hours in and the screen says 38%.

Is this normal?
Anyone else using ZFS?

9
23.7 Legacy Series / Re: Does a DNS firewall redir rule take precedence over DNS query forward?
« on: January 19, 2024, 11:43:21 pm »
Thank you both!

I thought it would work this way:
Any network covered by the rule would intercept DNS requests and send them to loopback (local DNS)
Unbound, being the local DNS would then (based on a redirect) send a query to the specified DNS server on a domain match.

If that's a correct statement, something on OPNSense is still blocking traffic between networks behind the firewall.

I'll try RTFM'ing the doc that cookiemonster pointed to.


10
23.7 Legacy Series / Does a DNS firewall redir rule take precedence over DNS query forward?
« on: January 19, 2024, 09:21:29 pm »
If a query forward for a specific domain exists in unbound AND all DNS queries are redirected to 127.0.0.1, which takes precedence?

11
23.7 Legacy Series / Maybe if I ask another way ... Routing issue
« on: January 19, 2024, 08:12:58 pm »
I have an interface on the OPNSense that is used to send/receive traffic from another network via a dedicated link to another building.

Interface is configured, gateway is set up, static route is added.  (Both sides)

One site interface IP is 192.168.30.1, the other has an interface IP of 192.168.30.2
Gateway on the .1 side is the .2 IP.
Gateway on the .2 side is the .1 IP.
The monitor IP on each is the LAN IP of the respective firewall.  (192.168.10.1 on the .1 side and 192.168.20.1 on the .2 side.)
Static routes have been added for each network -- a route for traffic to the .20/24 has been added and a route for the .10/24 has been added.

From OPNSense on the "LAN" net, I can access servers on the 192.168.30.0/24 net but not the 192.168.20.0/24 net.

When the gateways are configured, you can set up a "monitoring IP" -- it is set for the primary LAN interface IP on both sides.
OPNSense identifies the gateway as up, but the other end sees the OPNSense gateway as down.

It's like static routes are ignored on PFsense.

Do route changes require a reboot?

What settings am I missing on the OPNSense to make this work?

12
23.7 Legacy Series / Re: Gateway to another network
« on: January 18, 2024, 10:56:58 pm »
Anybody?
Telling me to RTFM would be great if you can tell me where...
Everything I can find seems to indicate this will work, but they are all light on details ...

13
23.7 Legacy Series / Re: Administrative "listen interfaces"
« on: January 18, 2024, 04:00:53 pm »
So, WAN blocked by default and selecting only the interfaces I want the GUI exposed on in the selection will be the safest approach?

Thank you -- you are a LOT of help.

14
23.7 Legacy Series / Gateway to another network
« on: January 18, 2024, 02:19:07 pm »
I had this set up and working with another firewall product, but can't seem to make it happen now.
A lot more things to twiddle in OPNSense I think.

I have OPNSense1 set up with WAN/LAN and some optional interfaces.

One of the optional interfaces is a 10G link to another building with its own firewall and internet connection.
(One internet connection is DSL the other is line-of-sight radio, and traffic needs are very different on both.)

Previously, I configured an interface on each firewall for the connection between buildings, added a gateway on each with the interface on the opposite firewall as the gateway IP address, and the LAN IP on the opposite firewall as the monitor IP.



That's not working in OPNSense for some reason. 

And best of all, when I activate the route and gateway, my DMZ subnet loses WAN access :/

What portions of this configuration can I post here for suggestions on how to make this work?

Visual if that helps.  Trying to get the gateway/route correct to connect the two sites.


One thing I do see in the static route configuration section is this statement:
"Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway. "

As soon as I enable this route:
Disabled   Network           Gateway                      Description              Commands
           192.168.20.0/24   OfficeLabGW - 192.168.30.2   Static route to site 2

And this gateway:
OfficeLabGW    OfficeLab    IPv4    255    192.168.30.2    192.168.20.1    ~    ~    ~    Pending    OfficeLab Gateway

Most everything loses access to the internet.
 
This rather simple setup worked with the firewall I previously used, so I know it's possible.
I suspect I'm just missing something basic.

15
23.7 Legacy Series / Re: System -> Firmware -> Settings -> Type
« on: January 18, 2024, 12:07:07 am »
To be fair, it may be less of stability issues than me learning where to find the stuff in this interface -- but the initial install and first few updates were ... rough.
Having to reboot multiple times to get past updates ....

