Messages

Hi there,

What I noticed so far, is that when I deleted old rules on my master system and synced both, the old rules were not deleted on the backup system.

Is that expected? Just wanted to know 😊

[Edit:  I didnt realise you have to click the drop down and can then see the rules.  My bad]

Thaaaannnkkkk youuuuuuu!!!
Yes... learning is sometime "that" hard!!! 😂

Code Select Expand

/var/log/hostwatch/*


Thanks a lot for this super fast answer, this helped a lot! 😊

Hi there,

My 5 cents, also had this issue with 25.7.11_2 : it filed up one my FW hard disk in less than an hour.

What's relevant in my case (or weird) : I have a pair of FWs in HA mode and this morning, I did a rule update that I synced with the passive node and only the passive node started to fill up the HD after I did the sync.

I think I updated to  25.7.11_2 the day of publishing and I saw no problem until today.

Weird no? 😉

PS: what should I clean to get some space back?

Hi there,

Today by updating my FWs to the latest version (25.1.10), I noticed that I had my web console certificates expired (on both nodes as one certificate is shared)
Nothing to worry about, I've a configured internal CA, I created a new GUI certificate on the master with the same parameters (SAN are valid for both nodes/IPs)

Issue is: when I wanted to sync the configuration, I was not able to find the new certificate on the backup node.

I've tried to reboot both nodes and also to activate/deactivate certificates sync (saving & hitting sync each time) - Didn't help.
I've also the exact same issue on a second pair of FWs (remote backup site - same version but VMs)

I can't figure out if it is a recent issue or not, so I'll need some help to troubleshoot and solve it.

Thanks in advance!😉

PS: I DID find the new sync button... 😇 but I would really appreciate a full sync status panel if possible.
(ref: https://github.com/opnsense/core/issues/8301)

Hi there,

Same issue for me, fixed with the hotfix.
Thanks a lot for the quick reaction!👌

PS: Live view was also broken and fix solved it too.

It's not my prerogative to consider or not consider change requests - I am just an OPNsense user and Deciso customer like most people on this forum.

Oups, but the more we are, the chances are greater! 😊

I did open a feature request in the meantime (not really a bug IMHO)

I agree. The wording could be more helpful. Would you open an issue on Github about that?

Sure I will, thanks for considering it! 👌

[system: migrate HA status page to MVC/API]

I indeed read system: migrate HA status page to MVC/API in the release notes, but it didn't really made me understand what it means.

So if it is the Synchronize and reconfigure all, it is not clear at all, because if you put your mouse on the button, it is displaying "Restart all services"... 😁
There is also the link Perform synchronization, in the HA settings area, right behind Configuration Synchronization Settings (XMLRPC Sync), but also not very clear.

None of them is giving you a clear status/result anyway so any chance to change the way we get a confirmation that everything is running smoothly?

PS: I'd love to hear from dev team to understand the change, there is probably a good reason.

Hi there,

I might be mistaken by a change, but I can't find the small "synchronize to backup" button for HA settings in the new 25.1 UI.

And therefore, also missing the small status when you press on it!

Is it missing or is it moved somewhere else? Thx in advance!

Thanks a lot for the fix!

I thought I was going crazy this morning when I got no Internet anymore... :)

Have you ever found a solution to this? I am stuck in the same problem. The detection that an IPSEC tunnel is actually down (despite DPD etc.) takes forever.

I didn't bother too much, I switched to Wireguard tunnel.
It's from my homelab to my parents for DR backups so, it just need to work!
It also increased drastically speed, so it was a win. :)

Actually I've PPPoE active with a single dhcp IP. So this is the problem.
I will try to migrarte the WAN interface behind the router with private CARP IPs

No problem, hope you can sort it out! ;)

CARP need a single IP per interface on each FW in order to be able to create a VIP.
Here you can have an overview:
https://docs.opnsense.org/manual/how-tos/carp.html

You Wireguard tunnel will be based on VIP 172.18.0.100 in this example.

I've a HA pair with PPPoE.

I can't understand the sepcificity of PPPoE pon HA setup, but one of the "obvious" thing to configure is the VIP for Wireguard tunnel.
Setting name is:  Depend on (CARP)

In my setup, each Firewall has a dedicateed IP on the Internet router "LAN" which in my case is used as a transfer network only. Don't know if it is possible with PPPoE ;)

I have another cluster where Wireguard works perfectly through an HA failure.

Well it's done, I have my HA setup properly working with Wireguard.
Thanks again for the feedback ;)