Messages - SFC

#1
Mine is slightly different, but here's an updated script for those of you who are maybe less technically inclined. Just update the five variables at the top to match your configuration and you should be good to go. You'll just need to set up a cron job to run this nightly; the script below will also work when run directly from a Synology system.


#!/usr/bin/env bash

# Change the API key and secret, the number of days to keep backups, the path
# to save your backups to and the hostname (or IP address) of your firewall.

key=YOURKEY
secret=YOURSECRET
daystokeep=30
destination="/PATH/TO/SAVE/BACKUPS/TO"
fwhost="192.168.1.1"

url="https://$fwhost/api/core/backup/download/this"
date=$(date +%Y-%m-%d)
outfile="$destination/$date.xml"

# -k skips TLS certificate verification of the firewall; drop it (or use
# --cacert) once the firewall's certificate is trusted by this host.
# The key and secret are visible in the process list while curl runs; put
# them in a curl config file (-K) instead if other users share this host.

# Check the status code of a HEAD request before writing anything to disk
status=$(/usr/bin/curl -s -k -I -o /dev/null -w '%{http_code}' -u "$key:$secret" "$url")

if [[ $status != "200" ]]; then
   echo "HTTP status of the backup request is $status"
   exit 1
fi

/usr/bin/curl -s -k -u "$key:$secret" "$url" > "$outfile"
error=$?

if [ "$error" -gt 0 ]; then
   echo "Curl returned error number $error"
   rm -f "$outfile"
   exit 1
fi

/usr/bin/gzip -f "$outfile"

# Remove only our own backups that are older than $daystokeep days
/usr/bin/find "$destination" -type f -name '*.xml.gz' -mtime +"$daystokeep" -delete
#2
Quote from: newsense on January 20, 2024, 04:11:35 AM
Kea and the old client can run in parallel on different VLANs. Simply disable the old server on a VLAN, copy all reservations/useful data to a text editor, go to Kea and set up the VLAN in Subnets, add the Reservations, then go to Settings to have Kea run on the interface.

Should there be a need, disable Kea on the interface and re-enable it on the other side.

But how are you associating VLAN >> Subnet? Does it just guess based on the interface IP address? I don't see any option to associate a subnet with a VLAN in the Kea config, whereas in ISC there's a direct mapping of VLAN/Interface >> DHCP Subnet.
#3
After upgrading to 24.1_1 I noticed that when I attempt to update my WireGuard instance (for example to change the peer if my VPN provider has a server go offline) and click save, it spits out the error message "Invalid integer value." and the instance is highlighted in red (image attached).

#4
The latest images work just fine. If you're having trouble getting them onto an SD card I would suggest using 7-Zip to unpack them and balenaEtcher to write them.

Keep in mind, first boot takes almost 2 minutes on an RPi 4; older models will be slower. If you don't have a USB adapter attached, the built-in port will default to LAN and have a 192.168.1.1 address. For HDMI use the port that's closest to the USB-C power port.

https://www.yrzr.tk/opnsense-22-for-aarch64/
https://ftp.yrzr.tk/opnsense/FreeBSD%3A13%3Aaarch64/22.7/images/
https://www.7-zip.org/
https://github.com/balena-io/etcher

#5
23.1 Legacy Series / Re: Gateway Groups broken?
February 21, 2023, 01:13:50 AM
I've replicated this twice now, I assume nobody else is able to get this to work either?

@franco
#6
You would create an alias with a type of Network, and then put in the appropriate subnet and subnet mask.

If you wanted X.X.*.*, it would be 192.168.0.0/16
X.X.X.* would be 192.168.1.0/24

https://www.freecodecamp.org/news/subnet-cheat-sheet-24-subnet-mask-30-26-27-29-and-other-ip-address-cidr-network-references/
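The post above gives the two common cases (whole /16 and whole /24). As an added example, not OPNsense code and not from the post's author, the helper below turns a trailing-wildcard pattern into the single CIDR block a Network alias wants, and also handles the case the cheat sheet does not spell out: a range such as 192.168.1.10 to 192.168.1.50 that does not sit on an octet boundary has to be entered as several CIDR blocks. Function names are my own.

```python
"""Wildcard patterns and address ranges to the CIDR entries of a Network alias.

Added example; not OPNsense's code. Helper names are hypothetical.
"""
import ipaddress


def wildcard_to_cidr(pattern: str) -> str:
    """'192.168.*.*' -> '192.168.0.0/16', '192.168.1.*' -> '192.168.1.0/24'.

    Only trailing '*' octets are accepted, because a wildcard in the middle
    (e.g. 192.*.1.*) is not a single contiguous block.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {pattern}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(str(int(octet)))  # int() rejects junk; ip_network() rejects >255
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing: {pattern}")
    prefix = 8 * len(fixed)                      # one octet == 8 mask bits
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    # strict=True raises if host bits are set, so the result is a valid alias entry
    return str(ipaddress.ip_network(f"{base}/{prefix}", strict=True))


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Smallest list of CIDR blocks covering first..last inclusive.

    A range that is not aligned to a power of two needs several alias entries.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def alias_matches(alias_entries: list[str], ip: str) -> bool:
    """True if ip falls inside any CIDR entry of the alias (rule-hit check)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry) for entry in alias_entries)


if __name__ == "__main__":
    print(wildcard_to_cidr("192.168.*.*"))
    print(wildcard_to_cidr("192.168.1.*"))
    print(range_to_cidrs("192.168.1.10", "192.168.1.50"))
    print(alias_matches([wildcard_to_cidr("192.168.*.*")], "192.168.5.7"))
```

Paste each string from `range_to_cidrs` as its own line in the alias; the total address count of the returned blocks always equals the size of the range, which is a quick sanity check before the alias goes into a block or pass rule.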
#7
23.1 Legacy Series / Gateway Groups broken?
February 18, 2023, 11:45:29 PM
Attempting to set up a new system running 23.1.1_2: when I go to set up gateway groups, I set the first WAN link as Tier 1, and when I go to set the second WAN link as Tier 2, it resets the first WAN link to Never. There appears to be no way to set tiers properly.
#8
Quote from: S199p.Wa1k9r on August 12, 2022, 06:26:45 PM
OPNsense 22.7


22.7 is currently broken: it was built with phalcon-5.0.0r3, but it needs 5.0.0r2.
#9
22.1 Legacy Series / Re: VLAN Device Name changed?
August 15, 2022, 06:30:41 PM
Quote from: franco on June 20, 2022, 12:45:15 PM
Quote from: +DS_DV+ on June 18, 2022, 08:02:54 PM
but why?

Why not? Or: why do such unknown but intricate technicalities get in the way of your preference? ;)


Cheers,
Franco


Is there a reason we can't at least have the device ID match the VLAN ID by default? That would make scripting and visual identification a lot easier, and it is pretty common best practice in any network I've worked on.
#10
Agreed, and it looks like there is an option to accept 5424 in pfelk. That being said, is there some reason that having 3164 as optional is a problem?

And whether or not 3164 is added back in as optional, I would assume still having the 5424 option as a checkbox is a bug, no? If 5424 is the default, the checkbox to enable it does nothing at this point.
#11
The logging you have IS RFC5424. The logging you're looking for is RFC3164, which was the old default. I have a feeling, based on the changelog, that RFC5424 is now the default, and that checkbox probably needs to switch to RFC3164 as an option.

@franco
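The two posts above turn on telling RFC 5424 output from legacy RFC 3164 (BSD) output, which is the first thing a collector has to decide before it can parse a record at all. As an added example (my code, not OPNsense's or pfelk's), the parser below recognises both formats on constructed sample lines, decodes the PRI field into facility and severity, and counts what it could and could not classify. The sample lines are constructed for illustration and are not copied from a real firewall; field names in the returned dict are my own.

```python
"""Classify syslog records as RFC 5424 or RFC 3164 and decode PRI.

Added example, not OPNsense or pfelk code. SAMPLE_LINES are constructed.
"""
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# SD is "-" or one or more [..] elements; "]" inside quoted SD values is not handled.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG   (day is space padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)

# Facility codes 0..23 as listed in RFC 5424 section 6.2.1
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]


def decode_pri(pri: int) -> tuple[int, int]:
    """PRI = facility * 8 + severity; returns (facility, severity)."""
    return pri // 8, pri % 8


def parse_syslog(line: str):
    """Return a dict with 'format' = 'RFC5424' or 'RFC3164', or None if neither matches."""
    for fmt, regex in (("RFC5424", RFC5424_RE), ("RFC3164", RFC3164_RE)):
        match = regex.match(line)
        if match:
            rec = match.groupdict()
            rec["format"] = fmt
            rec["pri"] = int(rec["pri"])
            rec["facility"], rec["severity"] = decode_pri(rec["pri"])
            fac = rec["facility"]
            rec["facility_name"] = FACILITIES[fac] if fac < len(FACILITIES) else "unknown"
            return rec
    return None


def classify(lines):
    """Count records per format; lines neither regex accepts land under 'unknown'."""
    counts = {"RFC5424": 0, "RFC3164": 0, "unknown": 0}
    for line in lines:
        rec = parse_syslog(line)
        counts[rec["format"] if rec else "unknown"] += 1
    return counts


# Constructed sample records (PRI 134 = local0.info, PRI 38 = auth.info)
SAMPLE_LINES = [
    '<134>1 2024-02-20T10:15:30+01:00 opnsense filterlog 12345 - [meta sequenceId="1"] '
    "96,,,0,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22",
    "<134>Feb 20 10:15:30 opnsense filterlog[12345]: "
    "96,,,0,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22",
    "<38>Feb  1 03:04:05 opnsense sshd[999]: Accepted publickey for admin from 192.168.1.20 port 50000 ssh2",
    "this is not a syslog record at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_syslog(line)
        print(rec["format"] if rec else "unknown", "->", line[:60])
    print(classify(SAMPLE_LINES))
```

Running the block on the constructed lines classifies the first as RFC5424 and the next two as RFC3164; the format check is what decides which timestamp and host fields a collector can trust, so a mismatch between what the firewall emits and what the pipeline expects shows up here as "unknown" rather than as silently mis-parsed fields.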
#12
21.7 Legacy Series / Re: Help with load balancing
December 16, 2021, 04:49:46 PM
You should probably tell us what you want the load balancing to look like. Choosing a connection "at random" is a completely acceptable load balancing strategy for a lot of workloads. "At random" is generally based on one of a handful of algorithms meant to randomize the link it chooses in an attempt to spread out load.
#13
I read all that through Google Translate, but yes, it makes sense.

The Ubiquiti APs can have their management interface on a separate VLAN from the wireless networks. I have my network switches, routers, and APs on one "management" VLAN, then multiple VLANs for wireless networks: a guest network, an IoT network, and a main network.

#14
Quote from: foresthus on April 26, 2021, 08:50:10 AM
I will test it and will be back.

The problem is you haven't actually posted what your issue is besides "this NIC is slower". It's a pretty well-known fact that Realtek NICs have inferior throughput and are buggy in general. You say "pfSense 2.5 fixed this" but don't actually link to a bug report, GitHub source, performance testing or basically anything to back up that claim, so it smells more like trolling than an actual request for help.

The link you provided is for loading newer versions of the Realtek driver, which people were using to address stability concerns, not throughput concerns. The driver in question is already included in OPNsense:

https://github.com/opnsense/changelog/blob/da9944d43c1fe4466cab2e624727b1ad5f256ca9/community/20.7/20.7.4#L50

#15
I doubt the WAN link is the issue (although it's possible). Just set up the FreeBSD host in the main office and treat it like it's a branch: connect it back to the main instance and see if it reconnects when you bounce the main instance, or if it acts like the branch offices.