Messages

Only small changes to ensure error free operation. 25.7.3 has been rocky, but also very useful in terms of optimisation. So overall we are happy with it (now more than ever).

:)


Cheers,
Franco

Well I am not sure the 25.7.3 problems on install are fixed.  Just did upgrades first to 25.1.x to 25.1.12, then updated to 25.7 and finally to 25.7.3 (not sure what _x, but it is what was downloaded by OPN upgrade Gui at 0715Z on 18Sep).
The update to 25.7.3 downloaded, and extracted OK but on then stalled at

Code Select Expand

[1/49] Upgrading python311 from 3.11.13 to 3.11.13_1...I left it for some 20 minutes and no change on progress so left and returned and it was like the update had cancelled itself and dashboard reported version running was 25.7
Ran a few Audits, and the health audit reported running 25.7 but then reported a few mismatches on version numbers, like the Audit was expecting version associated with 25.7.3, not 25.7 that is running.

The output of that Health Audit is

Code Select Expand

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.7 (amd64) at Thu Sep 18 17:46:12 AEST 2025
>>> Root file system: /dev/gpt/rootfs
>>> Check installed kernel version
Version 25.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ......
pkg-1.19.2_6: checksum mismatch for /usr/local/lib/libpkg.so.4
pkg-1.19.2_6: checksum mismatch for /usr/local/man/man8/pkg-create.8.gz
Checking all packages....... done
>>> Check for core packages consistency
Core package "opnsense" at 25.7 has 68 dependencies to check.
Checking packages: ..
ca_root_nss-3.108 version mismatch, expected 3.115
Checking packages: ...............
lighttpd-1.4.79 version mismatch, expected 1.4.81
Checking packages: ....
openssh-portable-10.0.p1_1,1 version mismatch, expected 10.0.p1_2,1
Checking packages: .
openvpn-2.6.14 version mismatch, expected 2.6.14_3
Checking packages: .
opnsense-25.7 version mismatch, expected 25.7.3_7
Checking packages: ..
opnsense-lang-25.1.11 version mismatch, expected 25.7.2
Checking packages: .
opnsense-update-25.7 version mismatch, expected 25.7.3
Checking packages: ...
php83-ctype-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-curl-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-dom-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-filter-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-gettext-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-ldap-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-pcntl-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-pdo-8.3.23 version mismatch, expected 8.3.25
Checking packages: .....
php83-session-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-simplexml-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-sockets-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-sqlite3-8.3.23_1 version mismatch, expected 8.3.25
Checking packages: .
php83-xml-8.3.23 version mismatch, expected 8.3.25
Checking packages: .
php83-zlib-8.3.23 version mismatch, expected 8.3.25
Checking packages: ....
py311-duckdb-1.3.1_1 version mismatch, expected 1.3.2
Checking packages: .
py311-jq-1.8.0_1 version mismatch, expected 1.10.0
Checking packages: ...
py311-numpy-1.26.4_6,1 version mismatch, expected 1.26.4_7,1
Checking packages: ....
py311-ujson-5.10.0_1 version mismatch, expected 5.11.0
Checking packages: .....
strongswan-5.9.14 version mismatch, expected 6.0.1
Checking packages: .
sudo-1.9.17p1 version mismatch, expected 1.9.17p2
Checking packages: ..
syslog-ng-4.8.2_3 version mismatch, expected 4.8.2_4
Checking packages: ... done
***DONE***
Hardware is a mini PC, N100 8GB RAM, 100GB SSD, 3 NUC

I have Been Running OPNSense for many years but I continue to struggle to get MultiWan (Failover) working without loosing the ability to ping the OPNSense router, and access the web GUIs of the modems.
I run a single LAN (10.0.0.0/24) with OPNSense box (Router, Gateway, Firewall) at 10.0.0.1.   The box has multiple Eth ports with ports used
1. WAN connected to a Starlink Modem (Gen 1 DIshy with starlink wifi/Router removed) set as Tier1 as Primary WAN
2. WAN4g connected to a DLINK DWM-312 4G/LTE modem (set as tier 2 for backup)
3. Remaining ports are LAN1, LAN2 etc all bridged to form LAN
The Box is quite powerfull, normally using 1% CPU (Intel Core i5-8250U).

Without a Gateway Group set up, I can ping 10.0.0.1 OK, and I can access Starlink modem on 198.164.100.1 from anywhere in LAN.

I then insert a gateway Group  (WombatHollowGateway) and I still have access OK.

But I then insert the WombatHollowGateway into the "Default allow LAN to any rule" (it was set to default) and then I can no longer ping 10.0.0.1 (but I can still access OPNsense Web page on the same IP address) and  I cannot access (HTTP or Ping) Starlink Modem at 198.164.100.1  from anywhere in LAN BUT I can ping 10.0.0.1 and 198.164.100.1 (Starlink Gui) from OPNSense Interface diagnostics menu.   I can also HTTP to 198.164.100.2 which takes me back into OPNSense login!

Does anyone have any idea why adding the Group Gateway to the Rules stop this access to OPNSense, and to modem HTTP GUI.   And what is the impact of leaving the Gateway set to default in Rules.
I have created a Virtual IP for Starlink Net, and a NAT outbound rule to suit.

I have attached a screen shot of the OPNSense dashboard and a cut down copy of the OPNSense config file (sections containing nothing and a few irrelevant (hopefully) sections removed).
Ta  Ian

I have also ben seeing error since upgrade 2 days ago to 2.7.6.
"/usr/local/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/TrafficController.php:74 - Invalid argument supplied for foreach() (errno=2)"
Reported it using the OPNSense Crash reporting

Hi all, need your help or any useful information.

Few days ago I decided to upgrade the distro on my mini-itx pc, made clean-install of 19.1 from USB flashdrive onto SSD. Clean system worked good.

Then I tried to restore settings from previously saved config.xml of 18.7.10_4.
The Web GUI became unresponsive right after config applied and mini pc rebooted. I can't reach or ping or SSH to the mini-pc interface.
But when I conneced monitor straight to the mini pc, all seemed okay, I could login as root, for example.

Same happened, when I tried to upgrade from GUI - clean 19.1 seems fine - tried to restore config - interface unreacheable.
Also when I clean-installed 18.7 and restored config to it - after reboot all is ok, GUI was reacheable.

mini pc config:
Gigabyte GA-H110TN MoBo (dual Intel nics),
4Gb 2133 RAM, 120 Gb SATA SSD,
Intel i350T2 v1 (tried to connect to its igb0).

If I need to do a little more RTFM - please provide a link.

Thanks in advance for your replies.

Not sure if you tried this (part of your description above is not clear), but if not then try.
It is possible that something in you 18.7 config file is not compatible with 19.1, doubt it but is possible.

1. Restore your system (or clean install) to 18.1.  Restore your config file and check all is working OK.  Save your config file (in case).
2. Through the GUI, upgrade to latest version of OPNSense (19.1.x, or soon a 19.7x).  Check ypur system is still functioning (at least better than your clean build).   Address any issues that might be thrown up a problems or warnings, if can't fix consider disabling that module (ie if open VPN reports a issue, note your settings and disable it, you can rebuild it after step 4.
3. Now save your configuration file but name so you recognise it as 19.x based, not your 18.7 based config.  Do not save it on your intended opnsense sever machine.
4. Now do your clean build of 19.x on your OPNsense server, and get into the GUI.  Load your 19.x config file through the GUI.  Check your system is still operating.
5. Rebuild your config of any modules you disabled at step 2.

Good luck

Sent from my SM-P585Y using Tapatalk

Not sure if my quick help there was needed. ;)

Franco, that did help....just though I would include the solution in this post as well for people getting to this thread if searching for a solution.

Yep Chemlab, I answered my own question.

Sent from my SM-P585Y using Tapatalk

Moved onto 19.1 and problem continues.
Removed 2FA  and used certificates, username and password and problem remains but easier to get information from it as it automatically reconnects.

Symptions are strange... and they may be two problems.

This is OpenVPN client on Android 8 tablet.
Can connect to Server and are able to connect to the Opnsense server ui with no problems in usage.  Can also connect through VPN to several simpler webservers (ie load quickly).
But looking at openvpn server log, it connects then immediately reports client disconnect over several log entries.  This then continues every 60 seconds ( happens to be keepalive timeout!)  The log entries are
Apr 11 16:31:27   openvpn[49773]: MANAGEMENT: Client disconnected
Apr 11 16:31:27   openvpn[49773]: MANAGEMENT: CMD 'quit'
Apr 11 16:31:26   openvpn[49773]: MANAGEMENT: CMD 'status 2'
Apr 11 16:31:26   openvpn[49773]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: Client disconnected
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: CMD 'quit'
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: CMD 'status 2'
Apr 11 16:30:24   openvpn[49773]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 11 16:29:56   openvpn[49773]: Ian-tablet/49.180.44.209:17857 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

The OpenVPN  client show data continues to flow over tunnel as would be expected and reports nothing after the initial link establishment.

Then I attempt to access some more complex ui (a QNAP NAS  and a server running Node-Red) through the tunnel and and data flows for about 20 secs, somtimes part of a page is downloaded.  Then Data flow is ceased and 60 seconds later the VPN link is closed and restarted.

Thanks for your suggestions, tried both but the problem still exist.
I have started another topic on this.

Had the same, you need to Reset RRDS (Round Robin Data Set).  It is under one of the menu items must below display item in menu (can't be precise as I do not have access to GUI, off base and again failed to properly set up port forwarding!)

Sent from my SM-P585Y using Tapatalk

I managed to get a openVPN road warior connection with 2FA working but the connection only lasts a minute (i just get logged into a LAN webserver and loose it) or so and then I have to reconnect which means get a new OTP from google authenticator.  Makes the VPN useless. 
Suspect t the cause may be the poor ADSL 2 connection to the Router (6MB/350kB, it is a 3km rural connection) which I cannot do much about.

Problem affects several different clients (android with openVPN app, W10 with Velocity and OpenVPN apps)

Is there anything in settings I can do to
1. reduce it's sensitivity to dropping out
2. Not have to get a new TOTP each time
3. Not use a TOTP at all, use a different authentication method

Or should I go over and use IPSec or is there another road warior VPN solution better suited to my scenario.

Was running OPNSense 18.7 on a gen4 i5 processor with loads of RAM (it is barely working above 10%) and 10 NICs (LAN switch and router)

Since the upgrade to 19.1, the quality graph under Reporting/health has shown no new data under Quality (for WAN) tab.  The data graphed stops on 6 Feb (suspect that is when I updated from 18.7) whilst all other tabs show graphs with data up to the present.

Any idea why...appears the delay and packet loss data is no longer logged, unfortunate as I found it useful for our poor quality Rural ADSL WAN connection.
Thanks

I have established a OpenVPN server on the OPNSense Router and successfully connected a client (OpenVPN on Android and Viscosity on W10) remotely through to the Router as evident by the client getting a VPN IP address (10.0.2.x).
But I cannot use that connection to connect to any of servers inside my Routers domain (10.0.0.x) for HTML traffic.
Is there something I am missing in the client, or the Router that allows a request from the VPN client be directed through to the servers on the routers Domain (10.0.0.x).

Once I have that basic connectivity working, is there some smart configuration I can set up to direct IP traffic depending on how I am connected to the internet, ie
If connected to my Domain (computer WiFi or Ethernet IP is 10.0.0.x) then requests to 10.0.0.x stay in the Domain, otherwise they are routed out through the gateway to the internet.  {this already works, using unbounded DNS), but
If connected to the internet (computer WiFi or Ethernet IP is not 10.0.0.x), all IP traffic is routed over internet connection except to 10.0.0.x which is routed over VPN connection (with IP of 10.0.2.*) into my Domain.
Thanks in advance

First, I cannot find a "HOWTO - Routing Traffic over Private VPN"  in the docs.opnsense.org site.  Thought it might help me with my VPN for which I will raise a new topic.

Also, I forgot to mention, router performance is not a issue, the Router is only using a fraction of CPU and Memory (old i5-2500 with 8GB of RAM, and 128GB SSD), so it is idling.

Thankyou all for your help above.  Switch vse hub differences was enlightening.   I have now got this OPNSense router working quite nicely, as a router/Switch/Gateway for a my network, and the whole system suddenly started to work more well once I set the bridge setting filters to the LAN in Tunables. 
Also got unbounded DNS working (can use names like BMS/ rather than IP addresses to access devices web interfaces) and configured OpenVPN which appears to work (just need to access it remotely check I can access the network). 
I then need to findout how to block access to the Router Web interface from WAN (as I should access remotely it through VPN), havent seen a immediate setting for that, maybe it is a router rule.
I will leave it as a Router/Switch (with 6 (7 when I enable the last NIC I used to initially set it up)) as it allows me to use some of the tools like Insight and PRTG to see what traffic is running between parts of the network as well as the WAN (albeit I can't see traffic that does not exit any of the attached switches/AP). This has been useful as I have finally found which computer currently stomps on the network. It looks like this PC, OneDrive keeps trying to upload .pst file over a limited uplink (usually only 300kB up, 6.5MB down), but there is other stuff uploading so it is about to be backed up and W10 clean installed.

Thanks again monstermania and Marjohn56.  Setting those two attributes in tunables did the trick and things are working nicely (until I changed my flow in Node-red and it stopped! 
I had been ignoring pfsense help and forums as opnsense was largely rewritten....but now realise menu structure is very similiar.

As for my hardware, it is a old PC, i5-2500, 8gb Ram, 120 gb ssd and a hdd, with 2 of HP NC364T quad port 4 NIC PCIe cards (and onboard realtek Ethernet and another very old fast ethernet card which I might activate).  I have seen the chipsets but currently can find it again (think it was the console when running zeroshell... abandon when PPPoE would not work which appears to be a Telstra tg797n problem in the end). The HP card is Intel chipsets.
Modem now is a netgear d7000 in modem only mode,  network is all on one subnet with static IP for most devices, physically the Router direct connects to a 8 port engenius switch, and a 24 port netgear switch (both have 50% PoE ports for IOT things), two engenius AP (one to router, one to Netgear switch), IP Camera  and lots of end devices mostly on the switches or AP.

Although I have bridge set up as a unmanaged switch now, I am interested if there is a more efficient way to set this up.  Not sure if the unmanage switches are smart enough i  that they only route traffic onto the port where the device is connected...or it 'broadcasts' it on all ports hoping one has the device with that IP is connected.   May i  the future need to make work smarter to reduce network loading (especially if I add a few more IP cameras).

Next will be to sort out openVPN port so I can access the LAN securely from the Ethernet (via droid tablet and laptop) when away from home.

Ian

Sent from my SM-P585Y using Tapatalk