Messages

Hello!,

I have OPNSense + Zerotier working with dual WAN.

WAN1: public IPv4 assigned to the FW (ISP1 doesn't care about IPv6)
WAN2: private IPv4 assigned to the FW, with NAT in the ONT + IPv6 assigned but no working (ISP2 doesn't know how to properly delegate IPv6). There's a 1:1 NAT to the firewall (that is as good as it gets with that ISP)

The issue I have is that I see several blocked connection attempts incoming on WAN2. It's super annoying because it fills-up the disk with filter log entries.

The only difference between WAN1 & WAN2 is that WAN2 is behind NAT. Is there any recommended configuration in that scenario?

Hello!, what would be the correct procedure to setup a "link-local only" IPv6 interfaces?. If I choose Enabled+"static ip", I cannot save the configuration.

The usecase would be BGP peering with another network element.

Hello!, did anybody test this further?. I have the same situation, we're some hostnames can be resolved (whatever was served by firewall A, but any lease served by firewall B fails to resolve).

I understand static mapping would "solve" this, but it not always desired (highly dynamic environments)

hello, for DHCP-v4, can you confirm "OPTION 12" is the one clients must send to properly update Unbound A/PTR updates?.

What would be the case for DHCP-v6 AAAA/PTR?.

also, I wonder if OPTION 81 is supported, per https://datatracker.ietf.org/doc/html/rfc4702#section-3.1

Hello!,

I'm running OPNsense on a Lanner NCA-1010B. It keeps rebooting each 15min aprox, anybody can recommend how to pinpoint where is the issue?.

In the system logs, I can only see the fresh boot. Could it be power issues?, triggered by software?

From the logs:

tap9993: changing name to 'zta1ivkmolav2t3'
zta1ivkmolav2t3: link state changed to UP
arp: 10.1.1.105 moved from ac:07:5f:76:56:44 to 00:9e:c8:95:87:c4 on igb0_vlan100
---<<BOOT>>---
Copyright (c) 1992-2021 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.

You use CARP and a link-local address as the CARP address.

Should I use a different link-local address per VLAN/Interface, or can I get away with using the same one (can't recall if there's a recommendation for that)

Hello!,

I found this topic https://forum.opnsense.org/index.php?topic=25158.15

which seems to imply that there's already a recipe, but I fail to find the expected configuration. Do we use CARP with for IPv6 subnets + cluster?, or CARP is not needed and everything should work automagically?

Hello!,

I've setup loadsharing Multiwan following the documentation, and I see that the user experience is really bad.

Two examples:

1- Connection stalls from time to time, and there are slow page loads.
2- Also, a web banking goes bonkers and resets the session every couple of minutes (it seems that different requests to different components from a single client goes through different interfaces: main site, vs CDN, etc)

The only decent experience is achieved with Active/standby WAN setup.

Is there any trick to load balance the outgoing connections per client and not per request?

Saw that in my tests today. It created a gateway even though I marked " This interface does not require an intermediate system to act as a gateway". After the reboot, that gateway is marked as "active" and I get no Internet traffic to the LAN.

Fix for me was to disable the gateways associated with the ZT interfaces.

I was expecting to setup the node with serial console. In the end I had to do some dancing:

1. Work.from console, you actually interact and choose options during boot.
2. After boot was complete, lost access either through keyboard or serial. Setup port assignment
3. Visit the web portal, verified console reverted to VGA. Changed that to serial again.
4. Going back to serial console and verify it works.

With my specific setup, it only bothers me:
- Directional keys don't work via serial for BIOS
- bootloader menu now looks messed up (it wasn't like that on first boot)

Keyboard is fine once fully booted.

Hello!, I'm trying to install OPNSense 22.7 on a Citrix SD-WAN 210 appliance. I can succesfully boot the serial installer, but as soon as the boot process finishes,I lose keyboard access:

Last messages:

---
Root file system: /dev/ufs/OPNsense_Install
Tue May 30 14:57:39 UTC 2023

*** OPNsense.localdomain: OPNsense 22.7 (amd64/OpenSSL) ***

LAN (igb0)      -> v4: 192.168.1.1/24
WAN (igb1)      ->

HTTPS: SHA256 4B 3C 50 66 3C C4 80 31 F7 21 77 04 2A EE 62 9D
               E1 69 D7 33 0C AA 0D 51 B1 B8 8C 2B 93 A3 F1 2A
SSH:   SHA256 qgZPLT2pCAWKzn/VScVQy4ruph8+IBwyWC1OU94BTBI (ECDSA)
SSH:   SHA256 MgGCfkKgrg2L5r3hfTtLLPXzb068ZY/gKuofiLa1ni4 (ED25519)
SSH:   SHA256 EXxxww7RA1VtqViOhl3WovKY98N4LxYAklpnGHDlo40 (RSA)
pw: no such user `installer'

Welcome!  OPNsense is running in live mode from install media.  Please
login as 'root' to continue in live mode, or as 'installer' to start the
installation.  Use the default or previously-imported root password for
both accounts.  Remote login via SSH is also enabled.

---

System is not frozen, I can see kernel messages when unplugging & replugging the USB keyboard.

Working  with GNU screen,and also with USB keyboard installed (device doesn't have a video output port).

Any tips?

Hello, I would like to install OPNsense in a Citrix SD-WAN 210 appliance. It supports both mSATA & SATADOM drives.

Currently it has installed a 60GB mSATA SSD disk and a 16GB SATADOM drive, I'll replace the SATADOM drive with a 64GB one

Do you see any cons running a mirror with those devices?

Original devices:

root@:/ # dmesg|grep ada
ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
ada0: <SATADOM-SH 3ME3 V2 S17411> ATA8-ACS SATA 3.x device
ada0: Serial Number BCA11807060531128
ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)
ada0: Command Queueing enabled
ada0: 15272MB (31277232 512 byte sectors)
ses0: pass0,ada0 in 'Slot 00', SATA Slot: scbus0 target 0
ada1 at ahcich7 bus 0 scbus1 target 0 lun 0
ada1: <mSATA mini 3ME4 L17606> ACS-3 ATA SATA 3.x device
ada1: Serial Number YCA11807260091067
ada1: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)
ada1: Command Queueing enabled
ada1: 61057MB (125045424 512 byte sectors)
ses0: pass1,ada1 in 'Slot 07', SATA Slot: scbus1 target 0

Hello, I'm wondering if OPNsense can make use of embedded switching chipset.

Freedom E28Q-L looks like a server with 40GbE embedded switch, originally run Illumus/Solaris and later was ported to Linux from what I heard.

Would be a monster firewall with OPNsense :)

Ref: https://www.pluribusnetworks.com/assets/PluribusFreedomE28Q-LSwitchDatasheet8-17-1.pdf

Tested with current release, only works as client, not AP mode.

Hello, has anybody successfully installed OPNSense on a Citrix SD-WAN 210 appliance?, if that's the case, can you share your experience?