Messages - gdur

#1
Started to doubt myself so I dived into it somewhat deeper. I dug up old config xml files and figured that in the very beginning, in my early steps into OPNsense, I had un-ticked the "Password protect the console menu" option, likely not knowing what I was doing at the time. The very early backup of the config xml contains <disableconsolemenu>1</disableconsolemenu>. Therefore I was used to the console menu at boot for about 5 years. Only in the very last backup is this line no longer present in the config, but I really cannot remember ticking the option and this likely happened unintentionally, hence my confusion.
Anyway, thanks a lot for bringing this to my attention and sorry for the fuss.
#2
@Franco
I am confused as well. I never ticked this option but it was ticked on both machines after the upgrade.
#3
@ Patrick M. Hausen
Thanks, that was it! Is this a new feature? I've been using OPNsense for 5 years now and never saw this feature. If it was there all the time then it has been ticked by the upgrade.
#4
Today I upgraded 2 similar servers to version 25.1.5_5 and both don't show the console menu after boot-up anymore like they used to, but go right away to the login prompt.
Is this a new feature or a bug?
#5
Just bringing this problem again under attention since there has not been a response thus far.
Is this problem related to https://forum.opnsense.org/index.php?topic=45606.0?
It's clear from post 45606.0 that some changes were made regarding the LDAP implementation but possibly I have missed what the consequences are for already existing LDAP users. Do I need to re-create all the existing LDAP users?
#6
Just upgraded to 25.1 and ran into this problem. LDAP bind error [; Can't contact LDAP server].
I have tested the LDAP connection prior to the update and it was still operational.
This happened on 2 machines, one after the other, where the second one is for backup purposes.
Using the OPNsense tester results in:
The following input errors were detected:
    Authentication failed.
    error: User DN not found

I checked the connectivity from the console:
nc xx.xx.x.x 389 -v -w 10
and the response is:
Connection to xx.xx.x.x 389 port [tcp/ldap] succeeded!
So what is wrong with the upgrade?
Added on Sunday 2-2-2025:
Forgot to mention that this is related to OpenVPN.
I've created a local password for some users, added the local database to the instance settings of OpenVPN, and these users are now able to log in.
#7
Quote: My own fault. Forgot to input the associated subnet addresses in the parameter's field.

Encountered this problem on a fresh 24.7.1 install having multiple WoL cron jobs defined.
Configd_20240821.log entries are:
Waking up host B4:99:Bx:Bx:Ex:Dx followed by returned exit status 1 and next by message ... ['B4:99:Bx:Bx:Ex:Dx' ''] returned Error (1). The same goes for the other WoL jobs.
Running the Wake on LAN service manually in the GUI performs well and the log entries are just Waking up host B4:99:Bx:Bx:Ex:Dx with no exit status 1 or Error (1).
Other Cron jobs for Letsencrypt and Proofpoint seem to run fine.
#8
It looks like I encounter the same problem.
I had lots of (13: Permission denied) entries in /var/log/nginx/latest.log and after altering the rights of the /var/log/nginx folder those entries were gone and log lines were stored properly in the belonging log files.
You wrote that the /var/log/nginx rights were root:wheel, which differs from mine, which were root:staff.
Log entries are written by nginx as user www which is as expected. I haven't tried a reboot yet but if the case is that this is changed back after every reboot that would be very inconvenient.
#9
[SOLVED] because I've got it to work but [NOT SOLVED] because I don't understand why.
After a hair-pulling night I decided to assign another user and that worked right away (???).
So next I added all the users who should have VPN access and all worked fine with the proper assigned IP address.
After a deep thought I remembered that the only difference I could think of was that with the first account I struggled with I had generated the client Certificate in System->Trust->Certificates and NOT using the System-> Access->Users page option used for the other clients. Not that I believe it matters but for completeness I should say that all users are imported from a LDAP server.
So I unlinked the Cert of my first troublesome user in the System-> Access->Users page and created a new client Cert from the same page. Exported the config and voila, it worked as it should.
Now I'd like to understand why a Cert generated in System->Trust->Certificates caused this problem. This may be something for the developers to sort out.
#10
CSO has been setup correctly but won't assign the given IP address.
Network is: 192.168.80.0/24
CSO IPv4 Tunnel Network is 192.168.80.5/24
IP address given is 192.168.80.2
Works on my "old" FW.
#11
Last year I ran into a similar problem https://forum.opnsense.org/index.php?topic=35447.msg172767 but that was solved somehow. During the OPNsense upgrades thereafter, OpenVPN wouldn't upgrade anymore and got stuck at version 2.6.10. I did not bother too much as clients were still able to log into OpenVPN.
Now I'm setting up a new server and using the new Instance option for OpenVPN. Everything was rapidly up and running but I could not get assigning a fixed client IP address to work, no matter what option I tried after a whole afternoon of Googling for a solution. None of the suggestions found solved the problem.

At last I decided to copy the settings of a working Legacy Server and Client from my "old" working FW, but with that I stumbled into other problems. With the exact copy of Legacy settings from my old FW I get a TLS Error: TLS handshake failed every time, and the only difference is the newer OpenVPN version 2.6.11.

Does anyone know a proper guide on how to setup an Instance with fixed client addresses?
#12
I'm setting up a new server which is connected to a new fiber provider to replace an existing old server still operational connected to a different fiber provider.
Instead of using a backup from the old machine I want to set-up the new machine from scratch.
I have configured the LAN port of the new machine with a fixed IP address in the same subnet as the LAN of the "old" machine in order to have both WebGUIs in sight while copying settings and rules from the "old" to the "new" machine. This works flawlessly from my workplace in the office, being connected to another subnet on the "old" machine.
Once connecting to the "old" machine via OpenVPN there is no response from the WebGUI of the "new" machine, so traffic is blocked somewhere, but while looking at the live logs on both machines it is clear that the request is passing through both firewalls. The only possibly related error I found in the general log of the new machine says "Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/mod_openssl.c.3510) SSL: 1 error:0A00009C:SSL routines::http request (10.67.6.102)".
So obviously this is the webserver not accepting the request.
Does anyone understand this lighttpd error and what can be done to overcome it?

Another question is the following:
My new connection is 1Gbit as opposed to 50Mbit of the old one, so I'd like to use the available speed of this new connection through the "old" server while setting up this new firewall. What would be the best solution to route web traffic through this high speed connection?
#13
Well, actually I didn't change it but left it as it was, which is "All" by default. I appreciate your response though.
#14
I left the listen interface at "All" so your answer is not a solution.
#15
Obviously I did, otherwise it also wouldn't work with a fixed IP address...