Messages

Hi,

I have an OPNsense connected to the internet and want to get certs via the acme client for an other OPNsense which is behind.
How is this possible?
There is no available automatisation for this.

In a master slave environment on old HP Server hardware I see the following:

Slave:
During the update a warning window appeard: something went wrong, please check the log files.
But the update was completed and the Server rebooted at the end.

Master:
The same warning window appeared and when the reboot should happen it jumped back to the dashboard,
without a reboot.
When I againg clicked on check for updates the window 'reboot is active' appeared, but no reboot was in progress.
I pressed ctrl+alt+del for a reboot.
It took long for shut down, but rebootet succesfully.

I just heard from a colleague that he saw also the warning window but the update worked. (like on our slave)

Only for information.

P.S.: at the moment I see 'pfr_update_stats: assertion failed.' on the master console

System is up and running again with original configuration!

Thank you Franco for your help.

But I think a wait an additional week, before I update the Master.
Maybe you will find something to prevent this behaviour.


Btw. I don't think that the before mentioned segmentation fault is comming from a RAM error.
The system is a HP Server DL360 with ECC RAM and the iLO Management of the Server shows no RAM error.
Also the tests at start are Ok.

As written: the log is not the last log, but was the output of opnsense-update -g

Code Select Expand

pkg install opnsense
Was Ok.

First run of

Code Select Expand

pkg upgrade
results in a segmentation fault.

A second try is now running. ( [99/104] Extracting ruby-3.3.9.1)

Can I run

Code Select Expand

opnsense-bootstrap.sh.in -r 25.7
Without loosing my (maybe) still available configuration of the interfaces and so on?

Hm...

when I run

Code Select Expand

opnsense-update -gI get a log from the update before.
I attached it.

> pkg upgrade

Do you have that particular output for me to prove the theory?

Sorry, I'm at the console and can not copy anything.
But the FreeBSD upgrade worked without any problems.

Ups... there is no directory /usr/local/etc/pkg

Code Select Expand

mkdir /usr/local/etc/pkg

Code Select Expand

mkdir /usr/local/etc/pkg/repos

Code Select Expand

vi /usr/local/etc/pkg/repos/OPNsense.conf
with content:

OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://pkg.opnsense.org/${ABI}/25.7/latest",
  signature_type: "fingerprints",
  priority: 11,
  enabled: yes
}

Now opnsense-update results in

Nothing to do.

How can I force it?

Hm...

Code Select Expand

opnsense-update
results in

Missing /usr/local/etc/pkg/repos/OPNsense.conf

I will try to create it by hand now.

I used

Code Select Expand

ifconfig bce3 192.168.0.123 netmask 255.255.255.0
and

Code Select Expand

route add default 192.168.0.254
And I'm back on net.
/etc/resolve was still ok.
Now I started with

Code Select Expand

pkg update -f
and

Code Select Expand

pkg upgrade
This works now as expected. ( At the moment [122/127] Extracting ruby-3.3.9.1)

Next I will check if opnsense-update is available, then I will give it a try.

Ok,

I booted into single user used

Code Select Expand

mount -u /
to make it writable

and created the file with

Code Select Expand

vi /usr/local/libexec/opnsense-auth
content:

Code Select Expand

#!/bin/sh

exit 0
Then

Code Select Expand

chmod 755 /usr/local/libexec/opnsense-auth
Now I can login after a normal boot.
But up to now no internet.

Hi,

I did the trick with second search for updates after pkg was updated.
Update starts then like normal, but suddenly stucks and an Warning message appeard that the update failed.
Unfortunatley I don't know exactly where, but I think it was packet 4 of ..

Nothing works.

After a reboot I see the login prompt, but when I try to login, I get:

sh: /usr/local/libexec/opnsense-auth not found

and I'm not able to login.

Any idea?

[Setup:]

Hello everyone,

I have a problem with OpenVPN in a HA Setup.

Setup:
2x Opnsense (v25.7.3_7) as Master/Slave HA Setup using CARP
OpenVPN S2S Tunnel using Instances

The OpenVPN Tunnel is configured using the 'Depend on (CARP)' setting.
During CARP Failover the configuration works fine. Master and Slave start/stop the client depending on their CARP Status.

But during a manual 'Synchronize and reconfigure all' under 'System -> High Availability -> Status' the OpenVPN client on the slave is started even thought he is not the CARP Master at the time.

This is leads to both Master and Slave trying to connect to the server stealing each others connection until I manually stop the client.

Using Cron to trigger 'Synchronize and reconfigure all' doesn't have this effect only the manual sync.

~Marius

Like @viragomann said, we change the configuration on the pfSense side.
We are now using a large Tunnel network and added a client spicific overrider for our opnsense to handle routing.
Addionally we had to deactivate OpenVPN compression on pfSense side which is deprecated anyway and it seems like not supported by Instances on OPNsense side.

Hello everyone,

We are currently migrating a pfSense infrastructure to OPNsense but ran into some problems with OpenVPN.

We have an OpenVPN server running in P2P mode with a /30 tunnel network on pfSense.
As client we are trying to connect an OPNsense.
Using the 'Client (Legacy)' method we got the tunnel working.
But trying to migrate to the new Instance method didn't work out.

While using the Instance the tunnel gets established and OPNsense shows the tunnel als connected.
But OPNsense dosen't assign an IP from the /30 network to it's tunnel interface.

Normally the OpenVPN server does assign an IP adress to the client when he connects. Atleast when using a bigger subnet.
However since our server is running in P2P mode (/30 subnet) no IP address gets assigned to the client.
So we have a client waiting to get an IP address and a server who doesn't assign them.

Comparing the configurations files from 'Client (Legacy)' and Instance there was 1 crucial settings missing.

ifconfig 10.0.0.2 10.0.0.1

Which assigns the first IP to the tunnel interface and uses the second IP as gateway.
This is achieved by setting the Tunnel Network in the 'Client (Legacy)' Configuration to 10.0.0.0/30.

Adding this settings manually to the Instance configuration file solved our problem but we didn't find a way to set this using the GUI.

Did we miss something or is this setup not possible while using Instances?

Best Regards
Marius