Messages - rene_

#1
23.7 Legacy Series / Re: Unbound crashing
December 21, 2023, 08:51:04 AM
Quote from: zentoo on November 20, 2023, 02:47:22 PM
On my master/slave OPNsense setup with a configuration synchronisation per minute (cron command: HA update and reconfigure backup) I've tried to debug further:

Do not do this.
Each config sync will restart the services on the slave firewalls, e.g. an NTP service will never finish its synchronisation and so on.
This will cause more trouble than it is worth.
Increase the interval to at least one hour.
#2
reserved for Web application firewall configuration
#3
Hello everyone,

As some of you requested this, I will write down how I configured my Nginx as a simple reverse proxy (including HTTPS with Let's Encrypt and the Web Application Firewall enabled).


Step 1: Installation
You need to install the Nginx and Let's Encrypt plugins.

After that, configure your Let's Encrypt so that you get a valid SSL certificate for your service.
You need to use the DNS-01 validation method, because Nginx will use port 80, and the Let's Encrypt plugin is not able to modify the Nginx configuration for a successful validation.
When you're done, you can continue to Step 2.
(You can also use official paid certificates; if you have one, you need to import the CA, Cert and Key under System → Trust.)


Step 2: Configure Nginx

You need to be sure, that your OPNsense is not using port 80 or 443.
So you need to change the default port of your OPNsense webgui.
This can be done under "System → Settings → Administration".
You also need to disable the HTTP Redirect.
Restart your firewall when done.

From now on, all steps are meant to be configured under Services → Nginx → Configuration.

2.1 Configure the upstream server

First of all, you need to configure your upstream server; this is the real server your web application runs on.
This could be any host on your LAN, DMZ or wherever.

To do so, navigate to Upstream → Upstream Server and click on the + in the right bottom corner.
Now enter a description, IP and port (80 – HTTP in most cases).
Use 1 as Server priority.

2.2 Configure the upstream

Next you need to configure the upstream, where you link your created upstream server.
You need to do that because you could also configure multiple servers for the same upstream for load balancing.
So what we configure is a "load balancer" with just one host.

Therefore navigate to Upstream → Upstream and create one.
Choose a description, and link the upstream server you just created.
As load balancing algorithm, use weighted round robin.
Leave the rest as it is if you don't use HTTPS directly on your upstream server.


2.3 Configure the Location

As the next step, you need to configure the Location (URL) of your web application.
Navigate to HTTP(S) → Location and click on Add.
As URL Pattern, just use slash (/) and match type none.
URL rewriting should be nothing.
Define the Upstream server you created before and leave the rest as it is for now.

Later, you can configure the Web Application Firewall rule here.


2.4 Configure HTTP Server

The last step, to bring your web application online, is to configure the HTTP Server.
Navigate to HTTP(S) → HTTP Server and click on Add.
This should match your need in most cases:

HTTP Listen Port: 80
HTTPS Listen Port: 443
Server Name: The URL your applications listens to (for example: cloud.domain.com)
Locations: the location created in step 2.3
URL Rewriting: Nothing selected
TLS Certificate: The issued Lets-Encrypt or imported certificate for this host

Leave the rest as it is for now.

2.5 Apply changes
When you're done, click on General Settings and then on Apply.
Your Nginx should now be ready to serve your web application.
Be sure to have correct firewall rules (from WAN to this device, ports 80 & 443).


This tutorial is not finished yet; I will explain some steps in more detail and attach some screenshots in the next days.
Hope this is helpful :-)
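For readers who want to see what steps 2.1 to 2.4 amount to in plain Nginx syntax, here is an added example written for this page. It is not the configuration the OPNsense Nginx plugin generates and not the author's own file; the upstream address 192.168.1.10:80, the host name cloud.domain.com and the certificate paths are placeholders. It also redirects plain HTTP to HTTPS, which the GUI steps above do not require.

```nginx
# Added example: a hand-written nginx.conf fragment equivalent to steps 2.1-2.4.
# Not the plugin's generated config. Addresses, names and paths are placeholders.

# 2.1 + 2.2: one upstream, a "load balancer" with a single host (priority/weight 1)
upstream cloud_upstream {
    server 192.168.1.10:80 weight=1;
}

# 2.4: plain HTTP on port 80; here it only redirects to HTTPS
server {
    listen 80;
    server_name cloud.domain.com;
    return 301 https://$host$request_uri;
}

# 2.4: HTTPS server with the issued (Let's Encrypt or imported) certificate
server {
    listen 443 ssl http2;
    server_name cloud.domain.com;

    ssl_certificate     /usr/local/etc/nginx/cloud.domain.com.fullchain.pem;  # placeholder path
    ssl_certificate_key /usr/local/etc/nginx/cloud.domain.com.key;            # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # 2.3: location "/" (match type none), no URL rewriting, proxied to the upstream
    location / {
        proxy_pass http://cloud_upstream;

        # Hand the original host and client address to the application so it
        # builds correct absolute URLs and logs the real client, not the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Nginx rejects request bodies above 1 MB by default; raise it to the
        # limit your application allows, otherwise large uploads fail with 413.
        client_max_body_size 10G;

        # Optional: stream uploads/downloads through instead of spooling them
        # (this is what "Request/Response Buffering" in the Location page toggles).
        # proxy_request_buffering off;
        # proxy_buffering off;
    }
}
```

Before applying something like this, confirm that nothing else on the firewall still owns the two ports (e.g. `sockstat -l | grep -E ':(80|443) '` on FreeBSD should show only Nginx after the WebGUI port change and reboot), and validate the syntax with `nginx -t` before reloading. The WAN firewall rule for ports 80 and 443 is still needed; Nginx listening on a port does not open it in the packet filter.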
#4
So, 20.7 was released a couple of days ago ... and the base is finally FreeBSD 12.1.

I will start work again on this in the next days or weeks, as soon as I have enough time for this.

I will answer all your questions then, because it's not all in my head right now  ;)

As soon as I have a stable way to compile for the RPi3 and maybe other devices, I will create a pull request to the official Git repo.
Afterwards, everyone should be able to compile their own images from the official source.
#5
Thank you :-)
#6
Quote from: Ftz57 on June 16, 2020, 11:38:23 PM
First of all, a big thanks for the work you made here Rene, I've been pleased to read all that 👍👍
I just put my hands on a Pi 4 and I'm following the fresh update of OpenBSD and FreeBSD on it as they both work now!!! with USB support.
Rene, I believed I could make my own image too, but after reading your long and hard path I'm not so enthusiastic at all!!!

Thank you :-)

Quote from: Ftz57 on June 16, 2020, 11:38:23 PM
I saw you were on a new project and probably don't have so much time for that any more, but could you just try to build a Pi 4 image for all of us pleaaaaaase??? Or at least the way to build one, now that you resolved the multiple problems you had to build a working one for the Pi 3...

Yeah, more or less, but I am on it.
The current problem is that the Pi 4 on its own is still not supported by FreeBSD.
You can track that here -> https://wiki.freebsd.org/arm/Raspberry%20Pi
As soon as there's progress, I will start porting OPNsense to the Pi 4, just because I'm interested in the GBit port performance with OPNsense on it  ;D 8)



Quote from: rainfactor on June 19, 2020, 02:57:29 AM
Sorry for the noobish question

What image did you guys use with the Pi? I have a Pi3B+ and I have downloaded the latest nightly image.
The USB adapter seems to be recognized fine; however, the internal Ethernet is missing.

What am I missing? In the initial setup I'm being presented only with 1 interface, which is the USB one.

Thank you
Try the setup walkthrough without any USB adapter, and configure the adapter afterwards.


All the best out there,
René
#7
Sorry, I didn't look here for a while.

I will post everything tomorrow :-)
#8
Update:

I disabled Response/Request Buffering in the Location; now I have a continuous 10 MBit traffic load on the cloud VM.


By the way, it's a gigabit network; the iperf test was around 890 MBit in both directions.

#9
Hello everyone,

I am currently trying to set up a Nextcloud behind the Nginx reverse proxy of OPNsense.

So far so good: I set everything up, the rewrites are working, SSL is working, and I can access the cloud from LAN and WAN.

But when I upload a file to my cloud, it's not faster than about 1 MB/s (over LAN).

On the cloud VM I can see that there is no continuous incoming traffic (from the firewall); rather, there are peaks at about 90 Mbit/s every 2-3 seconds.

What could that be?

Already tried a lot of settings in the Nginx configs.

Currently enabled HTTP/2 on both sides, and sendfile in the Nginx global settings and the vhost.

Kind regards,
René
#10
I am currently very busy; I will have a look over the Christmas holidays.

Greets,
René
#11
Hi,

just to be sure, have you tried rebooting it with the USB LAN adapter plugged in?

Greets,
René
#12
Hi Dirk,

I already noticed that and described it here: https://github.com/opnsense/core/issues/3818

I have no idea how to fix that currently  :(

I use a case with a small fan built in + heat sink; the Raspberry is running smoothly at about 37°C :)


Greets,
René
#13
Quote from: deetee on November 14, 2019, 12:52:07 PM

First off thanks very much for doing this and sharing it with the world. I got the image up and running on my RPi 3 Model B and can see that it is just like the OPNSense instances I have run elsewhere. (I have only recently started labbing with pfSense and OPNSense)

You're welcome  :)

Quote from: deetee on November 14, 2019, 12:52:07 PM
When I have tried to connect a second one of these it recognises the device but then the system appears to reboot (when watched from the console it just goes blank and then the boot sequence starts). Unfortunately I don't have any other USB NICs to test with. Just thought I would share my experience.

Can you find anything in the logs after the reboot?


Quote from: origin on November 13, 2019, 08:46:07 PM
Is it the latest run driver? Also, is it possible you add the urtw and urtwn drivers  :'( ? It seems they are missing, as kldload urtw and kldload urtwn return a "not found" error.
Xtools says it is possible to compile the kernel only, but how to install it afterwards on the rpi3b+?

Yes, it's the latest run driver.

A first try to build the kernel with urtwn enabled failed; I will look closer in the next days.

To build your own image you need a working build environment, explained here: https://github.com/opnsense/tools


Quote from: franco on November 14, 2019, 01:14:48 PM
The purpose of the minimum 3GB policy is that you have the added benefit of being able to perform upgrades between major versions or even difficult minor version updates. 2GB can and will fail in this regard.

Thanks for the hint, will change that in further builds.

(But the images I build will resize the root partition on first boot anyway  ;) )

Greets,
René
#14
This could be interesting  :D
#15
Good morning Dirk,

thanks a lot for the tests, I am glad that everything seems to work so far; hopefully my WLAN adapters will arrive today :)

In the meantime I uploaded a new image, and the following stuff changed:

  • the image to be written onto the SD card is now only 2 GB
  • the root filesystem is now automatically resized on first boot
  • the package set is updated to the latest source
  • the source is now fully migrated to FreeBSD 12.1-STABLE

All the best,
René