
Messages - dp


So about duplicating the other instructions, don't sweat it, as it is nice to have two sets of instructions. Everyone explains things differently, and if I don't understand it in one example I can then look at it in the other. I'd rather have two working examples and approaches than none.

Oh and yours comes up in DuckDuckGo where the other one does not for some reason.

Tutorials and FAQs / Re: Google Drive Backup
January 07, 2022, 04:31:21 AM
So actually, to clarify, there are two entries that can be put in the email field and it will work. One is the Service Account Email and the other is the Unique ID. Both of those will work. However, the email address of the account that owns the drive will not. I wonder if cookiemonster was trying that address instead of the service account address?

Any chance the wording for this field, and especially the help tag, could be updated to reflect this? Maybe have the field say "Identity" and then have the help say something like: "Enter either the Unique ID or the Service Account Email address. Do not use the Gmail address that owns the drive."

It wasn't until I found this thread and looked back over the instructions that I found my mistake.

I have been informed that the shaping project is not a priority, as there is no demand for it from the community. I find this a bit odd, as I see a lot of products on the market that do just this. If you are someone who would like to see true shaping and blocking per segment, please make your voice heard. Commenting here is one way, but also email them and tell them.

Now when I say shaping I am referring to being able to do things such as limit bandwidth to a network or group of networks, and not just in general, but per application. So I can restrict YouTube or video streaming to a set amount in total or per person, but not to exceed x amount for the entire group, and at the same time allow the same YouTube traffic to certain hosts with no restriction. I also want to block applications for some groups but allow them for others, and also prioritize traffic of a certain type or application in group A over traffic in another group.

So it is not simply blocking an app or things like P2P, but creating limits on apps and prioritizing the traffic. To my knowledge there are no shaping plugins for OPNsense.

So please speak up and spread the word. If we are to ever see shaping we need to be heard.

Dazed and confused here.

I am on 21.1.4 with an HA setup. I added a NAT today and applied it to the active firewall. Then I did a sync to the passive. Then one of our websites went down. I did a failover to the passive and it came back up. The weird part is that even after a reboot of the active it still blocks traffic to the web server. Swap to the passive unit and the site is back online. Nothing in the logs stands out. I did have an issue with GeoIP, as it appears the zip file is bigger now, but I just increased the Max Table Entry size and it is happy again.

The configurations show as synced, so I am completely puzzled why it works on one and not the other, even after a reboot. These are running on physical servers with two 1 Gig interfaces in a LAGG for WAN and two 1 Gig interfaces in a LAGG for LAN.

I have not updated yet as we are building new servers on new hardware with 10 Gig interfaces to replace the older hardware.

Has anyone ever seen anything like this? I am even at a loss as to what to search for in the forum. Will pull any logs you want to see.

I heard through the grapevine, so complete rumors, that the backend work is in alpha testing and they are building out the GUI with a target of Q1 22. Total rumors, you know.

It is now the end of Q3 and no word on shaping. What's up?

Yep, it was Sensei and a netmap issue. After a few tries and version upgrades it now looks stable and is working well. Went several rounds with the Sensei folks doing some testing for them and debug logs, and it looks like all is well.


The foolish man is one who hides the facts from management. I have complete buy-in from management, as they are willing to take the risk of an outage in exchange for the savings we gain each year. As noted above, we are also using Sensei in preparation for new features, namely traffic shaping by application. Although Sensei is a paid product, at my size it is still a fraction of the cost of the other players in the market.

One may say that using open source is not wise in a production environment, but it is so weird that I have had far more issues (many never resolved) with the big name ransom players. Canned answer: "We can't replicate that in our test environment." And then they go on to do everything but tell me I am imagining it, even when they see it happen. How do you explain that to management for a company you are shelling out $50k plus a year to for support?

Heard through another channel that apparently this is due to an issue in the kernel with netmap.

On the GeoIP issue, a few clues and tips. If you look at the GeoIP settings it is currently reporting 395854 ranges; if the table is 200000 by default then that makes sense. I set mine to 500000 for some space, as less than 5000 entries sounds too small to me.

For the easy way to know if it is working, just click the Apply button on the GeoIP settings page. If the table is overflowing it will report back a generic error; it would be really nice if it gave some details. Once you up the table size and go back to GeoIP settings, clicking the Apply button no longer gives an error.
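
As an added example (my own code, not from the post or from OPNsense), here is a Python check that reads the output of `pfctl -sm`, which lists pf's memory limits including the `table-entries` hard limit that the Max Table Entries setting controls, and compares it with the range count shown on the GeoIP page, so the overflow is visible before clicking Apply. The `pfctl -sm` text below is a constructed sample carrying the 200000 default; the 395854 ranges come from the post; the sizing rule of 25% headroom rounded up to the next 10000 is my own assumption, not an OPNsense guideline.

```python
import math
import re
from typing import Dict, Tuple

# Constructed sample of `pfctl -sm` output: the default table-entries
# limit the post mentions; the other rows are illustrative values.
SAMPLE_PFCTL_SM = """\
states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit   200000
"""

# Range count the GeoIP settings page reported in the post.
GEOIP_RANGES_REPORTED = 395854

# One `pfctl -sm` row: "<name> hard limit <value>".
LIMIT_LINE = re.compile(r"^(?P<name>[\w-]+)\s+hard limit\s+(?P<value>\d+)\s*$", re.M)


def parse_pf_limits(pfctl_sm_output: str) -> Dict[str, int]:
    """Map each pf memory limit name from `pfctl -sm` to its hard limit."""
    return {m["name"]: int(m["value"]) for m in LIMIT_LINE.finditer(pfctl_sm_output)}


def recommended_table_entries(needed: int, headroom: float = 0.25, step: int = 10000) -> int:
    """Sizing rule (my assumption, not an OPNsense guideline):
    25% headroom over what is needed, rounded up to a round number."""
    return int(math.ceil(needed * (1 + headroom) / step)) * step


def check_geoip_fit(pfctl_sm_output: str, geoip_ranges: int,
                    other_entries: int = 0) -> Tuple[int, int, bool, int]:
    """Return (current limit, entries needed, fits, limit to set).

    table-entries is a single limit shared by every pf table, so entries
    held by other large aliases are added to the GeoIP range count.
    """
    limit = parse_pf_limits(pfctl_sm_output)["table-entries"]
    needed = geoip_ranges + other_entries
    fits = needed <= limit
    return limit, needed, fits, max(limit, recommended_table_entries(needed))


if __name__ == "__main__":
    limit, needed, fits, target = check_geoip_fit(SAMPLE_PFCTL_SM, GEOIP_RANGES_REPORTED)
    state = "fits" if fits else "will overflow (Apply on the GeoIP page fails)"
    print(f"table-entries limit {limit}, need {needed}: {state}; set Max Table Entries to {target}")
```

On the firewall itself, feed the function real `pfctl -sm` output and add the entry counts of other large aliases (`pfctl -t <alias> -T show | wc -l` prints one table's count), since the limit is global across all tables, not per alias.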

Upgraded the firewalls last night to 20.7.2. HA setup with broken failover (another story/bug). All was well and traffic was flowing without issue. Then at 9:42 the firewall stopped passing traffic. My boss had to go pull the cables on the active firewall to force it to fail over to the HA unit. At this point I am concerned that I will have the same failure in the backup unit.

The only plugins I am running are Sensei and Mail Backup. No IDS. The only information I can find on this entry is tied to netmap incompatibility with the NIC. The card is a four port HP card that reports as an Intel Pro 1000.

From the general logs:

2020-09-23T09:45:19   /[71076]   vacuum src_addr_000300.sqlite
2020-09-23T09:42:28   kernel   548.444820 [1787] netmap_ring_reinit called for em0 RX0
2020-09-23T09:42:28   kernel   548.444791 [1742] nm_rxsync_prologue em0 RX0: fail 'head < kring->nr_hwcur || head > kring->nr_hwtail' h 301 c 301 t 300 rh 301 rc 301 rt 300 hc 300 ht 300
2020-09-23T09:39:50   /[71076]   vacuum src_addr_details_086400.sqlite
2020-09-23T01:54:49   opnsense[46459]   /usr/local/etc/rc.filter_synchronize: Filter sync successfully completed with
2020-09-23T01:54:48   kernel   arp: 00:24:81:7e:1c:c3 is using my IP address on lagg1!
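
An added example, not part of the post: a small Python triage of the general log excerpt above (embedded verbatim as the sample input) that pulls out the kernel messages worth acting on. It separates the netmap ring reinit and rxsync failures on em0 (em is the Intel PRO/1000 driver the HP card shows up as) from the ARP warning that another MAC is using the firewall's address on lagg1, which is a separate thing to check in an HA pair, and drops the database vacuum and filter-sync lines. The `Finding` type and the kind names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# General log excerpt copied from the post above (newest entry first).
SAMPLE_LOG = """\
2020-09-23T09:45:19   /[71076]   vacuum src_addr_000300.sqlite
2020-09-23T09:42:28   kernel   548.444820 [1787] netmap_ring_reinit called for em0 RX0
2020-09-23T09:42:28   kernel   548.444791 [1742] nm_rxsync_prologue em0 RX0: fail 'head < kring->nr_hwcur || head > kring->nr_hwtail' h 301 c 301 t 300 rh 301 rc 301 rt 300 hc 300 ht 300
2020-09-23T09:39:50   /[71076]   vacuum src_addr_details_086400.sqlite
2020-09-23T01:54:49   opnsense[46459]   /usr/local/etc/rc.filter_synchronize: Filter sync successfully completed with
2020-09-23T01:54:48   kernel   arp: 00:24:81:7e:1c:c3 is using my IP address on lagg1!
"""


@dataclass
class Finding:
    ts: str      # timestamp as logged
    iface: str   # interface the message names
    kind: str    # classification (the names are my own)
    detail: str  # ring name, failure reason, or the offending MAC


# Kernel messages worth acting on in this incident.
RING_REINIT = re.compile(r"netmap_ring_reinit called for (?P<iface>\S+) (?P<ring>[RT]X\d+)")
RXSYNC_FAIL = re.compile(r"nm_rxsync_prologue (?P<iface>\S+) (?P<ring>RX\d+): fail '(?P<why>[^']*)'")
ARP_DUP_IP = re.compile(r"arp: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) is using my IP address on (?P<iface>\S+)!")


def triage(log_text: str) -> List[Finding]:
    """Scan general-log lines (timestamp, facility, message) and keep the kernel events above."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[1] != "kernel":
            continue  # vacuum / filter-sync noise and anything not from the kernel
        ts, _, msg = parts
        m = RING_REINIT.search(msg)
        if m:
            findings.append(Finding(ts, m["iface"], "netmap_ring_reinit", m["ring"]))
            continue
        m = RXSYNC_FAIL.search(msg)
        if m:
            findings.append(Finding(ts, m["iface"], "netmap_rxsync_fail", f"{m['ring']}: {m['why']}"))
            continue
        m = ARP_DUP_IP.search(msg)
        if m:
            findings.append(Finding(ts, m["iface"], "arp_duplicate_ip", m["mac"]))
    return findings


def netmap_interfaces(findings: List[Finding]) -> Set[str]:
    """Interfaces that hit netmap ring trouble: the NICs whose netmap support to check."""
    return {f.iface for f in findings if f.kind.startswith("netmap_")}


def first_netmap_event(findings: List[Finding]) -> str:
    """Earliest netmap timestamp, to compare with when traffic stopped (9:42 in the post)."""
    return min(f.ts for f in findings if f.kind.startswith("netmap_"))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.iface:6} {f.kind:20} {f.detail}")
```

Run it against a longer export of the general log to see whether the netmap failures cluster on one interface and whether the ARP duplicate-IP warning recurs; the latter points at the HA pair rather than at netmap.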

Are you using Spamhaus? This IP is on their list as a bad actor, and there may have been a hiccup somewhere in the process of updating the table of IPs from their database. To use Spamhaus it is set up as an alias.

And it is entirely possible I have no clue of what I am talking about and this is complete gibberish.

I need to do some testing with a few weird configurations that are not possible from the GUI or the console menu. When I research configuration of the interfaces, most sites send me to rc.conf to enter the configuration. However, when I look at that file it is empty, so that means OPNsense is doing it differently. Is there any documentation, if it is even possible, on how to do this?

As a side note I do see most of the configuration in the xml file and know most of it is parsed from there and written to the system at boot time. Is there any documentation of what can be added to the xml file?

I tried to search on this but got no leads. More and more equipment now comes with an out-of-band management interface. I know you can set up a third interface for management, but unless it is isolated from the routing table somehow there are issues with routing on that interface and asymmetric routing when trying to talk to that interface. Is there a way to create an interface that does not participate in the main routing of the firewall?

And yes I often miss things that are right in front of my face so if I did in this case please point me in that direction. This is going into main production next week and I am having to drink from the fire hose to learn it in time.

General Discussion / Re: Setup
March 11, 2019, 08:04:24 PM
If all versions are the same then mine has a shutdown in the GUI, see the attached screenshots. It is always better to shut down than to unplug, to allow the file system to be unmounted properly.

There is also a shutdown option from the console. See attachments.

General Discussion / Re: Sale of old equipment...
March 11, 2019, 07:50:19 PM
So, how much is not much? Do you have PayPal or Venmo?