Messages - Patrick M. Hausen

#1
Major releases for the business edition are published exactly every April and every October. Just check this space for announcements, then.

The moment a new major release is published all prior ones are EOL. There is only ever one supported release, community or business.

So I don't get what you mean by silently stranded. If you don't run 26.4 you run EOL software.
#2
I find the management of lists, but also of manual exceptions, in AdGuardHome very nice and use it in combination with Unbound. So AGH only for blocking, Unbound as the recursive resolver.
#3
Send the netflow data to a different system.
#4
Which once more confirms that the FreeBSD Foundation sponsored enhancements to if_bridge(4) are effective and for most use cases even up to 10G the bridge will not impose any bottleneck.

Yes, a router/firewall is not a switch, but for all users intending to replace a consumer box with OPNsense using a LAN bridge to avoid buying a separate switch is a perfectly valid solution.
#5
26.1, 26.4 Series / Re: Virtual IP
May 20, 2026, 10:25:53 AM
Quote from: Seimus on May 20, 2026, 10:07:43 AM
Keepalived is a direct implementation of VRRP.
uCARP is a direct implementation of CARP.

I only ever used uCARP, so I learned something. Thanks.
#6
26.1, 26.4 Series / Re: Virtual IP
May 20, 2026, 10:01:08 AM
Quote from: Seimus on May 20, 2026, 09:17:47 AM
As mentioned by Patrick, you want to configure VRRP.
In FBSD it's under CARP, in Linux it's under keepalived.

As far as I know both Linux and FreeBSD implement CARP and not VRRP, because the latter is patented. These are two different protocols.
#7
26.1, 26.4 Series / Re: Virtual IP
May 19, 2026, 09:56:52 PM
Quote from: SenseX on May 19, 2026, 09:48:18 PM
Yes, I have two Pi-holes acting as primary and secondary DNS servers. But instead of using two IPs, I'd like to use a virtual IP.

That's not an OPNsense topic. Just configure CARP on both Pi-holes. Done.
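As an added example that is not part of the thread: the post above says to configure CARP on the two Pi-holes themselves. Pi-hole runs on Linux, where the CARP implementation is the userland ucarp daemon (the same one mentioned in the thread's later reply). The script below runs ucarp on both hosts with a shared vhid, password file and virtual IP; the interface name, addresses, vhid and paths are constructed placeholders, and the up/down scripts it writes are my own, not a ucarp or Pi-hole default.

```shell
#!/bin/sh
# Added example, not code from the forum thread: one shared DNS virtual IP on
# two Linux Pi-hole hosts using ucarp. Interface, addresses, vhid and paths are
# constructed placeholders; adjust them for your network.
set -eu

IFACE=${IFACE:-eth0}
VIP=${VIP:-192.168.1.53}                   # the address clients use as DNS server
VHID=${VHID:-53}                           # identical on both hosts, unique per segment
NODE_IP=${NODE_IP:-192.168.1.11}           # this host's real address (.12 on the partner)
PASSFILE=${PASSFILE:-/etc/ucarp/vip.pass}  # shared secret; --passfile keeps it out of ps(1)
SCRIPTDIR=${SCRIPTDIR:-/etc/ucarp}

# Compose the ucarp command line for this host's role. Both hosts use the same
# vhid, password and VIP; only advskew differs. The lower skew wins the
# election, and --preempt lets the preferred host reclaim the VIP after an
# outage instead of leaving it on the backup.
build_ucarp_cmd() {
    case "$1" in
        master) skew=0 ;;
        backup) skew=100 ;;
        *) echo "usage: build_ucarp_cmd master|backup" >&2; return 1 ;;
    esac
    printf 'ucarp --interface=%s --srcip=%s --vhid=%s --passfile=%s --addr=%s --advskew=%s --advbase=1 --preempt --upscript=%s/vip-up.sh --downscript=%s/vip-down.sh\n' \
        "$IFACE" "$NODE_IP" "$VHID" "$PASSFILE" "$VIP" "$skew" "$SCRIPTDIR" "$SCRIPTDIR"
}

# ucarp runs the up/down scripts with the interface as $1 and the VIP as $2.
# On Linux the VIP is added as a /32 on the real interface. The resolver on
# the host must be listening on that address (or on all addresses) when it
# appears, otherwise the master holds the VIP but answers nothing.
write_vip_scripts() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/vip-up.sh" <<'EOF'
#!/bin/sh
# $1 = interface, $2 = virtual IP (both supplied by ucarp)
exec ip addr add "$2/32" dev "$1"
EOF
    cat > "$dir/vip-down.sh" <<'EOF'
#!/bin/sh
# $1 = interface, $2 = virtual IP (both supplied by ucarp)
exec ip addr del "$2/32" dev "$1"
EOF
    chmod 755 "$dir/vip-up.sh" "$dir/vip-down.sh"
}

# Usage (as root, password file already present on both hosts):
#   NODE_IP=192.168.1.11 ./carp-vip.sh master     on the preferred host
#   NODE_IP=192.168.1.12 ./carp-vip.sh backup     on the partner
if [ "${1:-}" = master ] || [ "${1:-}" = backup ]; then
    write_vip_scripts "$SCRIPTDIR"
    exec $(build_ucarp_cmd "$1")
fi
```

Clients then get 192.168.1.53 as their only DNS server and keep resolving when either Pi-hole goes down; the vhid must not collide with any CARP/VRRP group already on the same L2 segment (an OPNsense CARP pair, for instance), and the password file should be readable by root only on both hosts.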
#8
And behind the uplinks you have a globally routable /29, right? You need to connect both BGP routers in that network.
#9
IMHO that is not how it's supposed to work. I have run the setup I outlined for two decades as an ISP with full tables and the only thing I can say is that my topology works.
#10
I don't understand. Typically both routers and the WAN interface of OPNsense would share that /29. Additionally the two routers would have a CARP/HSRP/VRRP address in that /29. OPNsense would use that as its default gateway and the publicly visible address of your infrastructure would be OPNsense's.

The two routers would speak eBGP to their peers and iBGP to each other, so that, in case the router with the active HA address is not the correct uplink, it can resend the packets to its partner. Preferably over a direct high-bandwidth link between the two.

A /29 is enough for two uplink routers plus one HA address for them plus two firewalls and a HA address for them.

HTH,
Patrick
#11
Shouldn't the automation "simply" use SSH to execute whatever is necessary on the TrueNAS system, including midclt?
#12
26.1, 26.4 Series / Re: Virtual IP
May 19, 2026, 09:00:36 AM
A virtual IP is really something different, namely an additional IP address on an OPNsense interface.

But if I read you correctly you want "something" for firewall rules containing two or more addresses? That's Firewall > Aliases.

#13
How does your Google WiFi router connect to the Internet? PPPoE? Even if it's DHCP it will probably do NAT, right?

So how is OPNsense supposed to filter anything if in the PPPoE case it can see nothing, only a single PPPoE data stream, or in the DHCP case only the external IP address of the Google router?

A transparent filtering bridge belongs between your Google router and your internal switch.
#14
Quote from: MrHappyHippo on May 17, 2026, 09:38:16 PM
Would it be possible to use the Alias "This Firewall" as the redirect target instead of the ULA address?

No.

Define an arbitrary ULA, assign to lo0 with /128 netmask, use that.
#15
If you use destination NAT to 127.0.0.1, whatever the service and completely independent of OPNsense, the reply packets are generated with a source address of 127.0.0.1, which is then source NATed back to the public address to achieve a bidirectional flow.

In the case of ::1 the relevant RFC explicitly forbids ("MUST NOT") a packet with a source of ::1 ever leaving a compliant system. So the FreeBSD network stack drops every IPv6 packet with a loopback source that does not also have a loopback destination.

That's why it does not work with IPv6.