Messages - Alessandro Del Prete

#1
Quote from: Monviech (Cedrik) on June 16, 2025, 06:51:46 AM
There is a checkbox in the general settings, maybe in advanced mode called "Query DNS Servers sequentially" or something.

Found it, from the description I thought it was only applicable to System resolvers.

I would also suggest inverting the DHCP Interface setting logic to "Enable DHCP on these interfaces:". The [no dhcp] helps, but it's confusing.

#2
Quote from: Monviech (Cedrik) on May 29, 2025, 12:15:01 PM
This means, KEA + Unbound with static leases could work for businesses if they want a different DHCP server + DNS server combination. (As it exists right now)
For home users, Dnsmasq could be the preferable choice, even as single DNS/DHCP server that just forwards to e.g., google or cloudflare or the ISP DNS servers.
The choices are there, everybody can take what they think is the better one.
In my home network with quite some vlans and homelab, I run dnsmasq dhcpv4+dhcpv6+RA and all DNS features for 3 months and have peace and quiet.
Sometimes it's just personal preference that clouds the correct answer. I am leaning a bit more towards dnsmasq though since it makes more sense to me.

I am so glad the dev team took this decision. I expressed my wish to Franco in this 2023 post, and the answer didn't make me very happy. :)

I used dnsmasq for many years both in business environments and in my homelab (before the term homelab was created actually) because of its flexibility and reliability.

I migrated from KEA+Unbound to dnsmasq this evening, took me less than 1h to migrate all settings+data (reservations, aliases, etc.) and I must say that dnsmasq is much simpler and more efficient in terms of configuration. For example, the way you define a host and in one window you can configure a reservation, define multiple mac addresses for one ip, aliases, etc. is much easier to maintain.

I never liked unbound configuration approach, and I also had reliability issues with it: the unbound service restarted several times throughout the day, and I never really understood the cause. I also didn't like KEA much, even though it has been very reliable, but it was missing some features.

Like you said: to each their own. OPNsense now allows the user to choose the services and the architecture, and it doesn't force the user to use a specific service for whatever reason.

Great job devs, hope you don't change this approach. :)
#3
Quote from: Monviech (Cedrik) on June 15, 2025, 08:20:18 PM
opnsense-patch https://github.com/opnsense/core/commit/e7441283055dcb33a389f02d4e0f502767c8ecd1

Exactly what I was looking for, after migrating from KEA+Unbound to my favorite: dnsmasq. :)

I had solved it temporarily using a custom .conf file with one line (server=xx.xx.xx.xx).

Since it seemed weird I couldn't configure a default forwarder, and had to rely on a custom .conf file, I was about to raise an issue on GH because * wasn't working in domains, but I checked the forum first, and (very luckily) I found this thread.

Thank you for the patch Cedrik, just one question: is the strict-order option enabled by default? Is there a UI checkbox to configure it?

Great work on dnsmasq, I much prefer it over KEA+Unbound for my homelab's use case.
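As an added illustration (not part of the original post, and not OPNsense's generated configuration): a dnsmasq drop-in of the kind described above, showing a default forwarder, a per-domain forwarder and the strict-order flag that the post asks about. All addresses and domain names are constructed placeholders.

```conf
# Constructed example of a dnsmasq drop-in file (e.g. loaded via conf-dir).
# Addresses and domain names below are placeholders, not real infrastructure.

# Ignore /etc/resolv.conf so that only the servers listed here are used.
no-resolv

# Default forwarders. Without strict-order dnsmasq sends queries to whichever
# upstream it currently considers fastest and switches silently on failure.
server=192.0.2.53
server=198.51.100.53

# Forward one domain, and automatically all of its subdomains, to a specific
# internal resolver instead of the default forwarders. No wildcard ("*")
# syntax is needed or accepted here.
server=/corp.example/10.0.0.2

# Never send the local domain upstream; answer it from DHCP leases and hosts.
local=/home.lan/

# Try the upstream servers strictly in the order they appear above,
# i.e. the behaviour the UI checkbox "Query DNS Servers sequentially"
# is assumed to map to.
strict-order

# Unrelated to ordering, but worth having on a forwarder:
# do not forward plain hostnames (without dots) upstream,
# and do not forward reverse lookups for private address ranges.
domain-needed
bogus-priv
```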
#4

That's what I was referring to. I don't use a lot of plugins, but some of them are not "official", so there's no consistent way of having them backed up.

I hope one day we'll be able to have one "backup config" file/archive with all config files of all plugins, official and unofficial, that gets imported easily.

Another annoying thing was having to reformat a USB key with FAT32 specifically to reimport the config.xml I had on git. I had it on my Ventoy USB drive, which is exFAT and which I use to reinstall the OPNsense ISO, but it didn't mount it; I had to prepare another one specifically, after trying to understand why it didn't mount.

Little things, that all summed up make a difference when you're anxiously trying to recover the fw installation.
#5
Quote from: Patrick M. Hausen on April 11, 2025, 01:59:27 PM
Quote from: alexdelprete on April 11, 2025, 01:43:11 PM
After this experience, what I feel is missing is that in the live USB image there is no recovery tool that checks (and fixes) the disk installation when facing these kinds of boot issues.

There are no offline analysis and repair tools for ZFS.

I feared (but was kind of expecting) this feedback was coming. Thanks Patrick.

Quote from: cookiemonster on April 11, 2025, 02:37:36 PM
Here is the pitfall of modifying outside the UI, which acts as a sort of collector of the modifications for reinstallations. Also shows the advantage of running it as a virtual machine.
Even then we have to back up the image of the hypervisor somehow, like taking a full image of it. Or, what takes care of it in both cases is to run it on high availability storage, i.e. a RAID setup. Even a mirrored pair pretty much takes care of it BUT it is of course sometimes not possible, like when there are no storage ports available.
Reminds me, I need to make a new image too but it has downtime. Boot to Clonezilla, clone to external disk.

HA storage doesn't solve the issue of an upgrade script creating issues, or an "rm -rf" on the wrong path. :)

But you have a point that will make me think in the next days: maybe it's time to seriously consider virtualizing OPNsense, I was not in favor of it for several reasons, but considering what happened, probably the advantages outweigh the disadvantages. The ability to quickly restore a VM, in seconds, vs spending a whole night trying to recover a bare metal installation is really tempting. Thanks for the advice.

#6
I reinstalled from scratch and restored the config manually (I had git backup and also manual backups of the config). I double checked the nvme drive and it has no issues I can diagnose. This means that something happened during the upgrade. :(

First time in years I had issues with an opnsense upgrade. Must confess that now I'm a little bit scared for next upgrades.

After this experience, what I feel is missing is that in the live USB image there is no recovery tool that checks (and fixes) the disk installation when facing these kinds of boot issues.

The other pain was the fact that we have a config backup, but the plugins (and their config/data) are not restored. Now I'm back on track, almost, but some plugins I still have to configure. Tailscale for some reason is not behaving properly, but I'll check later; I'll probably reinstall it from scratch.

Question is: to prevent this from happening in the future, and shorten the restore cycle, what should I do? Take a full image of the drive by pulling it out of the system every once in a while? Isn't there a better way to achieve this?
#7
Quote from: newsense on April 11, 2025, 12:30:12 AM
Drive full or dying most likely. Are you sure you're not skipping over the boot menu? If that appears you could try booting the old kernel - just in case the new kernel wasn't installed properly.

Try a fresh install, see how the drive behaves.

It's a 1TB NVMe drive, 99% free. Never had issues with it. The boot menu doesn't come up; I see a strange "booting /boot/kernel/kernel" text line with some hex characters. I managed to press space to get to an OK prompt in which I have some commands available, but I don't know how to load the old kernel from there.

If I don't do anything and it loads the new kernel, then it stops here:

I guess I'm stuck and have to reinstall, right?

#8
Just upgraded to 25.1.5 and it didn't reboot. Hooked up a monitor to see what was going on, and it can't mount root: unknown filesystem.

I took a snapshot before the upgrade, as I always do, but I can't see the usual menu that allows me to rollback to a chosen snapshot.

I'm at a mountroot> prompt; I guess it's expecting me to specify a filesystem. I used ZFS, but none of the ones I tried worked.

Any suggestions?

#9
You don't need that if you use this HA integration: https://github.com/travisghansen/hass-opnsense

You can automate many things, Filter Rules included, they will be available as binary switches in HA. :)
#10
Hi,

I have an FTTH primary connection and a backup FWA line. Both via PPPoE, with the same ISP.
When I set up MultiWAN, the upstream gateway is the same for both, and I noticed some weird issues with routing.

I've already set up MultiWAN in the past and never had issues, but I was never in a condition like this, with the same upstream gateway for both connections.

I spoke with the ISP support; they told me that I should switch to an active/passive configuration, which means that the FWA interface should come online and negotiate a PPPoE session only when the FTTH is down.

Right now the default MultiWAN configuration is active/active. Can I configure it like support is asking? So OPNsense should bring up the FWA interface only when FTTH is down.

Thanks for any help on this.

Alex
#11
24.7, 24.10 Legacy Series / Annoying error in the logs
August 21, 2024, 08:29:17 PM
I have this error that is filling the log:

2024-08-21T20:20:30 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:19:59 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:19:26 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:18:54 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:18:22 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:17:50 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:17:18 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:16:46 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:16:14 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:15:42 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:15:10 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute

I guess it's related to the WireGuard interface, but I don't use WG and have it disabled. I tried enabling it (without any configuration), but the error in the log is still present.

Any suggestion is appreciated.

Thanks.
#12
This is really interesting. I'm collaborating on this project to integrate OPNsense in Home Assistant: https://github.com/travisghansen/hass-opnsense/

It uses both the REST API and XML-RPC because the API doesn't offer everything needed. I wonder if using your library we could cover everything.

I'll tell Travis, the dev, about this so he can take a look and see if it fits well. :)

Thanks a lot.
#13
Upgrade went fine. The only two minor issues were

- the os-firewall and os-wireguard plugins missing message, solved by resetting local conflicts
- this message regarding libevent/openssl when checking for updates:

All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (3 candidates): ... done
Processing candidates (3 candidates): .
pkg: libevent has a missing dependency: openssl111
Processing candidates (3 candidates)... done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

I think I can safely ignore it, but I thought I'd report it, just in case. :)

Thanks for this release.
#14
24.1, 24.4 Legacy Series / Re: 24.1 Bug report
January 30, 2024, 08:31:14 PM
Reset all local conflicts. Check screenshot attached.
#15
Development and Code Review / Re: Wanted: Plugin developer
September 21, 2023, 06:01:33 PM
This is great news:

Quote from: franco https://github.com/tailscale/tailscale/issues/5067#issuecomment-1708030918
We're already talking to @DentonGentry at the moment about how to approach this structurally.

Cheers,
Franco

It seems like the OPNsense team will develop an official plugin; is that confirmed @franco? If so, what kind of priority will it be assigned?

Thanks. :)