Messages - OPNsense4ever

#1
Hardware and Performance / Re: monitor transceiver temps?
December 02, 2024, 06:08:35 PM
Thanks Patrick!

Unfortunately I don't know where that MIB should end up. I looked around a bit and various switches put it in different places.

I stuck it in .1.3.6.1.4.1.2021.7890.5 as it was just the next one in /usr/local/share/snmp/snmpd.conf.

extend .1.3.6.1.4.1.2021.7890.1 distro /usr/local/opnsense/scripts/OPNsense/Netsnmp/distro.sh
extend .1.3.6.1.4.1.2021.7890.2 hardware /bin/kenv smbios.planar.product
extend .1.3.6.1.4.1.2021.7890.3 vendor /bin/kenv smbios.planar.maker
extend .1.3.6.1.4.1.2021.7890.4 serial /bin/kenv smbios.planar.serial
extend .1.3.6.1.4.1.2021.7890.5 ixl3_temp /usr/local/bin/ixl3_temp.sh


/usr/local/bin/ixl3_temp.sh:

#!/bin/sh
# Extract the module temperature from ifconfig output
ifconfig -v ixl3 | awk '/module temperature/ {print $3}'


It "works," but obviously gets overwritten quickly.
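An added example, not the poster's ixl3_temp.sh and not OPNsense code: a slightly more defensive version of the same idea, in POSIX sh, that parses the DDM line ifconfig -v prints for the Intel ixl NIC, returns temperature and voltage, and exits non-zero when the interface has no DDM line at all (DAC cable, empty cage) so the extend entry reports an error rather than an empty string. It assumes the line format shown in this thread; the interface name is passed as an argument, and the sample ifconfig output at the bottom is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example (not the poster's ixl3_temp.sh): parse the DDM line that
# "ifconfig -v <if>" prints for an Intel ixl NIC with an optical module, so an
# snmpd "extend" entry can export it. Assumes the line format seen in the
# thread:   module temperature: 52.00 C voltage: 3.25 Volts

# parse_module_temp: read ifconfig -v output on stdin and print
# "<temp_c> <volts>" on one line. Prints nothing and exits 1 when there is no
# DDM line (DAC cable, empty cage, or a module without DDM).
parse_module_temp() {
    awk '
        /module temperature:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "temperature:") t = $(i + 1)
                if ($i == "voltage:")     v = $(i + 1)
            }
            found = 1
        }
        END {
            if (!found) exit 1
            printf "%s %s\n", t, v
        }'
}

# module_temp_c: temperature only, one value per OID as in the snmpd.conf
# extend lines above. Exits 1 when parse_module_temp finds nothing.
module_temp_c() {
    out=$(parse_module_temp) || return 1
    printf '%s\n' "${out%% *}"
}

# live_temp IFACE: what the extend entry runs on the box, e.g. live_temp ixl3
live_temp() {
    ifconfig -v "$1" | module_temp_c
}

# Constructed sample of "ifconfig -v ixl3" output (not captured from a real
# box), trimmed to the lines that matter.
SAMPLE_IXL3='ixl3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect (10Gbase-SR <full-duplex>)
        status: active
        module temperature: 52.00 C voltage: 3.25 Volts'

# When run as a script with an interface argument, behave like the extend target.
[ "$#" -eq 1 ] && live_temp "$1"
```

Deployed as, for instance, /usr/local/bin/module_temp.sh (a hypothetical name), the extend line would become `extend .1.3.6.1.4.1.2021.7890.5 ixl3_temp /usr/local/bin/module_temp.sh ixl3`, and a non-zero exit from the script shows up in the NET-SNMP-EXTEND-MIB result code for that entry instead of silently returning nothing.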
#2
Hardware and Performance / Re: monitor transceiver temps?
December 02, 2024, 12:47:34 AM
That info is definitely available via my Intel NICs.

# ifconfig -v ixl3 | awk '/module temperature/'
   module temperature: 52.00 C voltage: 3.25 Volts

I assume this information is getting to ifconfig via DDM? https://community.fs.com/article/how-to-view-the-ddm-information-of-optical-transceiver-via-snmp.html

Looks like it is just an SNMP configuration, but there isn't a way to make customized configs anymore.
#3
Hardware and Performance / monitor transceiver temps?
November 28, 2024, 05:58:50 AM
Is there a way to monitor transceiver temps with SNMP? It doesn't look like there is anything there without modifying the SNMP config files manually.

If there isn't, I'll request it as a feature?
#4
I would think that too, but it looks like as soon as OPNsense marks the gateway of the primary WAN down due to quality issues (like 10% packet loss) then traffic just stops getting routed to it for both the NAT on the LAN and the public IPs.

Is there another switch or tick somewhere I should be looking for?
#5
Hello! I have two different WAN connections:

Primary WAN: Connected via a /30 transit network to a /29 network, similar to Comcast EDI. One IP from the /29 is assigned to an OPT interface on the main OPNsense router. Other routers behind this interface use that IP as their default gateway.

Backup WAN: Provides a DHCP-assigned public IP.

Goal:

LAN Traffic: I need the LAN connection behind these two WAN connections to be as bulletproof as possible. During work hours, I can't afford any latency or packet loss. Therefore, I want the LAN to fail over to the backup WAN immediately when there's any issue with the primary WAN.

OPT Interface Traffic: I want the public IPs in the /29 network (used by the OPT interface) to stay up as much as possible, even if there's some latency or packet loss on the primary connection. Essentially, I prefer that the gateways remain marked as up for the OPT interface, even when the primary WAN has minor issues.

Issue:

When I experience packet loss or latency on the primary network and OPNsense switches to the backup WAN for failover, the routers using the OPT interface's IP lose their connection completely until the primary WAN recovers. I believe this happens because OPNsense tries to route the /29 network traffic through the backup WAN, which doesn't support it.

Question:

Is there a way to configure OPNsense so that:

LAN Traffic: Fails over to the backup WAN when there's latency or packet loss on the primary WAN.

OPT Interface Traffic: Continues to use the primary WAN (via the /30 transit network) exclusively, regardless of the gateway's status, unless the primary WAN is completely down.

Current Configuration:

I've set up the EDI-like network similar to this guide: https://meh.roach.xxx/2024/04/26/comcast-edi-with-opnsense-route-public-ips-through-opnsense/

Summary:

I need the LAN to fail over to the backup WAN immediately during any latency or packet loss on the primary WAN to maintain reliable connectivity for work-related applications (like Zoom and VPNs).

I want the OPT interface (and the public IPs in the /29 network) to continue using the primary WAN even during minor issues, to maintain services that rely on those public IPs.

I'm looking for the best way to configure OPNsense to accommodate these requirements without adding another physical router.

Any advice or guidance would be greatly appreciated!
#6
Hi all,

I updated to 24.7.5_3 today and HAProxy stopped being able to bind to my Virtual IP that is on my trusted interface.

It looks like the GUI is binding to the virtual IP and the trusted IP.

Has anyone else seen this?

Thanks
#7
23.7 Legacy Series / Re: Multi WAN and local services
October 06, 2023, 09:32:14 PM
Thanks for the feedback Monviech! I appreciate your insight.
#8
23.7 Legacy Series / Multi WAN and local services
October 04, 2023, 08:10:41 PM
Hello,

I've been using BIND and Unbound as well as running SNMP, NTP and a few other services on my install. Recently I added a backup Internet connection and followed the "Multi WAN" instructions in the OPNsense documentation. Step 5 explains that I need to add a rule for DNS to work. After this I noticed several other services weren't working and ended up creating a bunch of new rules in order to get them working again. This seems somehow wrong to me even though it works. What I ended up with looks like the attached.

Is there something else I should have done instead?
#9
Hello,

I am trying to have an OPNsense automatically reboot to install new firmware during off-hours. I don't want it to try and reboot every day or even every week. Just fire once and I'll disable the cron job after that. If there is a better way to do this I would be interested.

I'm not sure where to start troubleshooting this; pointers would be greatly appreciated. I'm not sure what logs to check and I don't see where the job would be running in the regular filesystem (/etc/cron.d, /etc/crontab). FreeBSD doesn't seem to be into run-parts.

I found a previous post where someone brought this up and franco mentioned clicking the "Apply" button. I PROMISE I did that. He also said something about rebooting first? Do I need to reboot to enable this cron? That wouldn't help a lot for what I'm trying to do.

TIA for your help.
#10
General Discussion / DNS Filtering for kids
April 15, 2023, 09:11:33 PM
Hi all,

Wanted to see if anyone had any great opinions on this. I am replacing my legacy FW with a new machine to support 10Gb (w00t fiber!)

In the previous machine I use NAT rules to send all DNS traffic back to the FW itself. I have a /24 and created a FW alias of a number of IPs that I called "trusted." All other IPs are in the DHCP range and are "untrusted." The "untrusted" IPs go to a port that runs BIND with safe-search and a few other blackholes enabled. The "trusted" IPs go right to 53 where Unbound is running and tunneling DoT to supported, external servers.

All of this was a little complicated, but ended up working great. Any new machine the kids pop up automatically is safe and I add static-mapped IPs for any devices that need unfettered Internet access. I mainly did this because of the limitations of BIND and Unbound at the time. I know there are a lot of new changes, but I never updated the old configuration.

What I want is to have some devices pushed through safe searches and other filters for a bit longer and others with unfettered access. Any thoughts on new ways to do this? What are you using?

Thanks so much.
#11
I set up multi-WAN recently with the Comcrap LTE modem and mDNS repeater stopped working.

I have two interfaces: one trusted and one guest. Trusted has 10.18.1.0/24 and Guest has 172.18.1.0/24 on it. I have a rule to pass traffic from a handful of 172.18.1.0/24 IPs to a handful of 10.18.1.0/24 IPs. ICMP/Telnet/HTTP/etc. all work. I ran mdns-repeater in a screen on the router so I could watch with debug enabled. I see essentially nothing:

# /usr/local/bin/mdns-repeater -p /var/run/mdns-repeater.pid -f em0 em2
mdns-repeater: dev em0 addr 10.19.76.1 mask 255.255.255.0 net 10.18.1.0
mdns-repeater: dev em2 addr 172.19.76.1 mask 255.255.255.0 net 172.18.1.0


From both wired and wireless clients I can see mDNS/Bonjour devices without issue given I am on that particular network.

I assume this has something to do with multi-WAN, but I'm at a bit of a loss as to where to start.

Thanks in advance for any ideas.
#12
General Discussion / Re: Serial Console via SOL
April 29, 2022, 02:08:16 AM
Finally had time to look at this more. Not sure anyone ever reads this, but maybe it will help someone. After enabling the console support in the GUI I needed to tweak a couple of things.

From the command line I ran:
grep uart /var/run/dmesg.boot

Got:
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0
uart2: <16550 or compatible> port 0x3e8-0x3ef irq 10 on acpi0


Since I knew that I wanted /dev/ttyu2 I assumed I needed 0x3e8 as the address. I added:

comconsole_port="0x3e8"

To /boot/loader.conf.local. Rebooted and it finally works. This would be similar for any BMC, whether it is SMC, Dell's iDRAC or HPE's iLO.

Be really neat to have all of this in the GUI instead.
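An added example, not part of the original post: a small POSIX sh helper that does the mapping the post did by hand, reading the `grep uart /var/run/dmesg.boot` lines and printing the loader.conf.local lines for the chosen uart. It assumes the FreeBSD rule that uartN is exposed as /dev/ttyuN, that `console` is already pointed at the serial console (the GUI option the post enabled), and uses the three dmesg lines from the post as sample input; `comconsole_speed` is added alongside `comconsole_port` on the assumption that the BMC's SOL speed (115200 in the later post) is not the loader default.

```shell
#!/bin/sh
# Added example, not from the original post: derive the /boot/loader.conf.local
# lines for the BMC's SOL uart from the dmesg lines the post grepped, instead
# of reading the I/O port off by hand. Assumes the FreeBSD rule that uartN is
# exposed as /dev/ttyuN and that console="comconsole" is already set (the
# GUI's serial console option does that).

# uart_port_for N: read "grep uart /var/run/dmesg.boot" output on stdin and
# print the base I/O port of uartN (e.g. 0x3e8). Exits 1 if uartN is absent.
uart_port_for() {
    awk -v dev="uart$1:" '
        $1 == dev {
            for (i = 1; i <= NF; i++)
                if ($i == "port") { split($(i + 1), r, "-"); print r[1]; found = 1 }
        }
        END { if (!found) exit 1 }'
}

# loader_lines N SPEED: print the loader.conf.local lines for uartN at SPEED
# baud. comconsole_port and comconsole_speed steer the loader's own serial
# console; the loader hands the same port and speed on to the kernel.
loader_lines() {
    port=$(uart_port_for "$1") || return 1
    printf 'comconsole_port="%s"\n' "$port"
    printf 'comconsole_speed="%s"\n' "$2"
}

# The three uart lines from the post, used here as the sample input.
DMESG_UART='uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0
uart2: <16550 or compatible> port 0x3e8-0x3ef irq 10 on acpi0'

# Live use on the box (ttyu2 at 115200, as in the post):
#   grep uart /var/run/dmesg.boot | loader_lines 2 115200 >> /boot/loader.conf.local
```

The check worth doing before rebooting is that the uart the helper picked is the one the BMC actually wires to SOL: the post confirmed that with `screen /dev/ttyu2 115200` from the OS side first, which is a sensible order of operations since a wrong `comconsole_port` leaves the loader talking to a port nobody is listening on.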
#13
General Discussion / Comcast LTE modem remote access
February 11, 2022, 06:05:30 AM
Wasn't sure where to set this up, but I was wondering if anyone else has an OPNsense box connected to a Comcast LTE modem (Connection Pro) for failover. If so, have you figured out a remote access solution via the NAT that the Comcast box is providing? I was thinking something like Tailscale/headscale. Thoughts?

TIA!
#14
Virtual private networks / 2xOPNsense and static routing
December 03, 2021, 08:49:42 PM
Hello,

I have a machine with several VMs and I am using OPNsense to control their access to the outside world. I also have a regular OPNsense server that has a VPN server on it. What I am trying to do is get access to the VM's internal IPs (10.2.0.2 for instance) via the VPN, but the default route for the servers is the OPNsense VM (172.16.1.1) so packets coming from the 10.1.0.0/24 get in, but the return goes through the OPNsense VM. I set a static route on the OPNsense VM to route 10.1.0.0/24 via 10.2.0.1 (it has an interface that can talk to this server), but I get denied at "Default deny rule". I've set various Firewall rules and I can get ping to work, but no other packets. They all hit the same "Default deny rule". I've tried the "Bypass firewall rules for traffic on the same interface" thing, but that doesn't help.

What am I missing?

Thanks!
#15
General Discussion / Re: Serial Console via SOL
July 21, 2021, 11:12:31 PM
Just updating here. I can use screen on the OPNsense OS to connect to the serial port, but there is still nothing from the OS trying to use it and no console. I used:

screen /dev/ttyu2 115200