Messages - erje

#1
22.1 Legacy Series / Backup / restore broken?
June 25, 2022, 10:28:08 AM
Hello,

When restoring a backup through Web GUI or console, at least the unbound settings are not being restored. The Unbound settings are present in the backup.xml.

Also specifying unbound restore only through the Web GUI does not have any effect.

Other settings that are relevant in my setup seem to have been restored properly (Firewall, interfaces, ...)
#2
22.1 Legacy Series / Re: Serial Console not primary
June 19, 2022, 11:17:16 PM
OK, never mind. I did a complete new installation from scratch on a second (identical) system but without loading the old configuration. This time the system rebooted with serial console enabled.

Something must have gone wrong with the restore of the old configuration. I am 100% sure that the serial console was working before.
#3
22.1 Legacy Series / Serial Console not primary
June 18, 2022, 12:58:04 PM
Dear community,

When installing the OPNsense serial version, after installation the serial console is not set as primary. Is this expected behaviour?

Earlier this week I upgraded from OPNsense 21.x to OPNsense 22.1.8_1-amd64 on an APU4d4. After the update it looked like the APU4d4 hung during pre-boot, while looking for a device to boot from. Even though I am pretty sure I heard the beep, I was not able to connect to the web GUI. (Cold) restarting always resulted in the same frozen pre-boot screen on the serial console.

Eventually I downloaded the installation image OPNsense-22.1.2-OpenSSL-serial-amd64.img and booted from USB key. Once running the live image, I started the installation process. Luckily I was able to load the old configuration file, still on the SDD from the previous installation.

After a system reboot I found the serial console again stuck at pre-boot, but this time I could hear the beep after a short while and eventually I could log in to the web GUI with the IP setup from my old configuration.

Best regards,
Robbert
#4
@Plaidy; Did you get it to work?

ps Thanks for your detailed posts and for quoting chemlud.
#5
I'm also looking for this. Any luck with your setup so far?
#6
20.1 Legacy Series / Re: Help with HA setup
June 12, 2020, 10:14:05 PM
I have been trying to get HA to work for a while but got stuck. See my post https://forum.opnsense.org/index.php?topic=16782.0

I have used the same reference documentation as you so possibly there is a fault there.

Since you are using ESXi on (at least) one node, the following link could be interesting if you haven't made the special configuration in ESXi yet: https://medium.com/@glmdev/how-to-set-up-virtualized-pfsense-on-vmware-esxi-6-x-2c2861b25931

It got me from completely nothing to something that kind of works - if you forget about the lack of DNS :-)

#7
@hbc, thanks for clarifying that up! And sorry for the late response. I've had to park this project in the fridge for a while. Though it doesn't look like I've missed a lot on this topic :-)

I'm not too sure if the HA feature is a regularly used option in OPNsense. There is very little info I can find and so far I've burned many hours with trial and error.
#8
Hello community,

For several weeks now, I have tried to set up a fully working HA setup with two APU4d boards. I got to a point where I no longer know what to look for.

This is what I try to set up:
<Image 1: schema>


What is working:

- The configuration is synced from the Master to the Backup node. This was working automatically with OPNsense 19.x but since I upgraded to v20.1.4 it seems I have to force the sync manually. Or am I not patient enough?
- State sync is working. When I pull the Master LAN, the Backup LAN becomes Master. Same thing when I pull the WAN.


What is not working:

- When I pull Master WAN, internet connection is lost. Only when I also pull the Master LAN, internet works again. I am guessing I am missing a firewall rule for the PFSYNC?

<Image 2: Firewall rules PFSYNC>

- I don't have a DNS lookup unless I change the DNS server in [Services]-[DHCPv4]-[LAN]. But I understand that I should enter the LAN VIP? When I do, nothing gets resolved. When I enter Google DNS (8.8.8.8) it works.

<Image 3: DHCP settings>

While trying several configuration changes, I occasionally thought I had it working until it stopped working again. I think caches or existing connections or something else got me tricked. Is there anything I should reset/flush after making (DNS) changes other than requesting a new DHCP release?

I also noticed that the Unbound enable switch is not synchronized between Master and Backup. Is this correct behavior?

I am not 100% sure about the NAT outbound settings. I included a picture of my settings too.
<Image 4: Firewall NAT Outbound>

Any push into the right direction would be very much appreciated!

Thanks,
Robbert
#9
Hi Bartjsmit,

I was thinking about setting up 2 separate DNS servers before. But I recently moved to an opnsense high availability setup with 2 APU4 boards. After reading about unbound (and other features) I thought it would be a nice way to include the DNS this way.

If this would complicate the firewall configuration significantly and possibly reduce security or reliability, then I will definitely move back to having the DNS outside opnsense.

But if opnsense is able to host this reliably for about 10 users, I still might want to give it a try. The APU(3)'s run quite reliably in general and with the H/A it will allow the most important things to run with just one of the opnsense functional.

Regards,
Robbert
#10
Dear community,

I have set up a DNS forward for mydomain.com. Behind this domain I have multiple computers running with different services. Computer1 has internal IP 10.0.0.1 with services on port 443, 8070 and 3031, computer2 with IP 10.0.0.2 with services on 443, 12320, 12322, computer3 10.0.0.3 ... etc.

With port forwards in OPNsense I can access them all from outside, i.e. https://mydomain.com or https://mydomain.com:5443 or https://mydomain.com:3030.

To access the services from within the LAN I believe that best practice is to use unbound and create overrides. This works fine for 1 host but I can't figure out how to set this up for multiple hosts.

Any advice would be very much appreciated as I've been stuck for hours now.

Eventually I would like to have subdomains to redirect to the right computer/service. So instead of mydomain.com:5443 I use private.mydomain.com. Is this possible with SRV records?

Thanks,
Robbert


OPNsense 19.7.10-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.0.2u 20 Dec 2019