Messages - Alessandro Del Prete

#1

That's what I was referring to. I don't use a lot of plugins, but some of them are not "official", so there's no consistent way of having them backed up.

I hope one day we'll be able to have one "backup config" file/archive with all config files of all plugins, official and unofficial, that gets imported easily.

Another annoying thing was having to reformat a USB key with FAT32 specifically to reimport the config.xml I had on git. I had it on my Ventoy USB drive, which is exFAT and is what I use to reinstall the OPNsense ISO, but it didn't mount it; I had to prepare another one specifically, after trying to understand why it didn't mount it.

Little things, that all summed up make a difference when you're anxiously trying to recover the fw installation.
#2
Quote from: Patrick M. Hausen on April 11, 2025, 01:59:27 PM
Quote from: alexdelprete on April 11, 2025, 01:43:11 PM
After this experience, what I feel is missing is that in the live USB image there is no recovery tool that checks (and fixes) the disk installation when facing these kinds of boot issues.

There are no offline analysis and repair tools for ZFS.

I feared (but kind of expecting it) this feedback was coming. Thanks Patrick.

Quote from: cookiemonster on April 11, 2025, 02:37:36 PM
Here is the pitfall of modifying outside the UI, which acts as a sort of collector of the modifications for reinstallations. Also shows the advantage of running it as a virtual machine.
Even then we have to back up the image of the hypervisor somehow, like taking a full image of it. Or, what takes care of it in both cases is to run it on high availability storage, i.e. a RAID setup. Even a mirrored pair pretty much takes care of it BUT it is of course sometimes not possible, like when there are no available storage ports.
Reminds me, I need to make a new image too, but it has downtime. Boot to Clonezilla, clone to external disk.

HA storage doesn't solve the issue of an upgrade script creating issue, or an "rm -rf" on the wrong path. :)

But you have a point that will make me think in the next days: maybe it's time to seriously consider virtualizing OPNsense, I was not in favor of it for several reasons, but considering what happened, probably the advantages outweigh the disadvantages. The ability to quickly restore a VM, in seconds, vs spending a whole night trying to recover a bare metal installation is really tempting. Thanks for the advice.

#3
I reinstalled from scratch and restored the config manually (I had git backup and also manual backups of the config). I double checked the nvme drive and it has no issues I can diagnose. This means that something happened during the upgrade. :(

First time in years I had issues with an opnsense upgrade. Must confess that now I'm a little bit scared for next upgrades.

After this experience, what I feel is missing is that in the live USB image there is no recovery tool that checks (and fixes) the disk installation when facing these kinds of boot issues.

The other pain was the fact that we have a config backup, but the plugins (and their config/data) are not restored. Now I'm back on track, almost, but some plugins I still have to configure. Tailscale for some reason is not behaving properly, but I'll check later; I'll probably reinstall it from scratch.

Question is: to prevent this from happening in the future, and to shorten the restore cycle, what should I do? Take a full image of the drive by pulling it out of the system every once in a while? Isn't there a better way to achieve this?
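Added example, not code from the original posts or from the OPNsense project: a small script that inventories what a config.xml backup (the kind kept in git above) says about plugins, so that after a reinstall you can see which packages to put back and which plugin settings the backup does not carry. It assumes two things about the file layout, labelled as assumptions in the comments: that the installed-plugin list is a comma-separated string at system/firmware/plugins, and that MVC plugin settings sit as child nodes of the top-level OPNsense element named after the plugin. The sample config is constructed for the example and trimmed to those parts.

```python
"""Inventory plugins referenced by an OPNsense config.xml backup.

Added example (not OPNsense project code). Assumptions, stated plainly:
- ASSUMPTION: the installed-plugin list lives at /opnsense/system/firmware/plugins
  as a comma-separated string of package names such as "os-tailscale".
- ASSUMPTION: MVC plugin settings live as children of the top-level <OPNsense>
  element, keyed by plugin short name (e.g. <wireguard>, <Tailscale>).
- HEURISTIC: package "os-foo" is expected to own config section "foo"
  (compared case-insensitively); plugins that use another name will show as
  "missing" and should be checked by hand.
"""
import xml.etree.ElementTree as ET

# Constructed sample backup, trimmed to the parts this script looks at.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw</hostname>
    <firmware>
      <mirror>https://pkg.opnsense.org</mirror>
      <plugins>os-tailscale,os-wireguard,os-haproxy</plugins>
    </firmware>
  </system>
  <OPNsense>
    <wireguard><general><enabled>0</enabled></general></wireguard>
    <Tailscale><settings><enabled>1</enabled></settings></Tailscale>
  </OPNsense>
</opnsense>
"""


def parse_plugins(xml_text: str) -> list[str]:
    """Return the plugin package names recorded in the backup, in file order."""
    root = ET.fromstring(xml_text)
    node = root.find("./system/firmware/plugins")  # ASSUMPTION: path, see header
    if node is None or not (node.text or "").strip():
        return []
    return [p.strip() for p in node.text.split(",") if p.strip()]


def plugin_config_sections(xml_text: str) -> set[str]:
    """Lower-cased names of config sections present under <OPNsense>."""
    root = ET.fromstring(xml_text)
    section = root.find("./OPNsense")  # ASSUMPTION: MVC settings container
    if section is None:
        return set()
    return {child.tag.lower() for child in section}


def missing_config(xml_text: str) -> list[str]:
    """Plugins listed for install whose own config section is absent.

    These are the ones you will have to reconfigure by hand after a restore,
    because the backup only knows the package name, not its settings.
    """
    present = plugin_config_sections(xml_text)
    return [p for p in parse_plugins(xml_text)
            if p.removeprefix("os-").lower() not in present]  # HEURISTIC mapping


def plugin_diff(old_xml: str, new_xml: str) -> tuple[list[str], list[str]]:
    """(added, removed) plugin names between two backups, e.g. two git revisions."""
    old, new = set(parse_plugins(old_xml)), set(parse_plugins(new_xml))
    return sorted(new - old), sorted(old - new)


def reinstall_command(xml_text: str) -> str:
    """One pkg(8) line to put the listed plugins back on a fresh install.

    ASSUMPTION: plugins are installable with `pkg install <name>` on the box;
    run it from a root shell after the base system is up.
    """
    return "pkg install -y " + " ".join(parse_plugins(xml_text))


if __name__ == "__main__":
    print("plugins:", parse_plugins(SAMPLE_CONFIG))
    print("sections:", sorted(plugin_config_sections(SAMPLE_CONFIG)))
    print("no config in backup:", missing_config(SAMPLE_CONFIG))
    print(reinstall_command(SAMPLE_CONFIG))
```

Running it against a real backup only needs `SAMPLE_CONFIG` replaced with the file contents; the "no config in backup" list is the part worth keeping next to the git copy, since those are exactly the plugins whose settings and data live somewhere other than config.xml.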
#4
Quote from: newsense on April 11, 2025, 12:30:12 AM
Drive full or dying most likely. Are you sure you're not skipping over the boot menu? If that appears you could try booting the old kernel, just in case the new kernel wasn't installed properly.

Try a fresh install, see how the drive behaves.

It's a 1TB NVMe drive, 99% free. Never had issues with it. The boot menu doesn't come up; I see a strange "booting /boot/kernel/kernel" text line with some hex characters. I managed to press space to get to an OK prompt in which I have some commands available, but I don't know how to load the old kernel from there.



If I don't do anything and it loads the new kernel, then it stops here:



I guess I'm stuck and have to reinstall, right?


#5
Just upgraded to 25.1.5 and it didn't reboot. Hooked up a monitor to see what was going on, and it can't mount root: unknown filesystem.

I took a snapshot before the upgrade, as I always do, but I can't see the usual menu that allows me to rollback to a chosen snapshot.

I'm at a mountroot> prompt, I guess it's expecting I specify a filesystem, I used zfs, but none of the ones I tried worked.

Any suggestion??

#6
You don't need that if you use this HA integration: https://github.com/travisghansen/hass-opnsense

You can automate many things, Filter Rules included, they will be available as binary switches in HA. :)
#7
Hi,

I have an FTTH primary connection and a backup FWA line. Both via PPPoE, with the same ISP.
When I set up MultiWAN, the upstream gateway is the same for both, and I noticed some weird issues with routing.

I've already set up MultiWAN in the past, never had issues, but I was never in a condition like this with the same upstream gateway for both connections.

I spoke with the ISP support, they told me that I should switch to an active/passive configuration, that means that the FWA interface should come online and negotiate PPPoE session only when the FTTH is down.

Right now the default multiwan configuration is active/active. Can I configure it like support is asking? So OPNsense should bring up the FWA interface only when FTTH is down.

Thanks for any help on this.

Alex
#8
24.7, 24.10 Legacy Series / Annoying error in the logs
August 21, 2024, 08:29:17 PM
I have this error that is filling the log:

2024-08-21T20:20:30 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:19:59 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:19:26 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:18:54 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:18:22 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:17:50 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:17:18 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:16:46 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:16:14 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:15:42 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:15:10 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute


I guess it's related to the WireGuard interface, but I don't use WG and have it disabled. I tried enabling it (without any configuration), but the error in the log is still present.

Any suggestion is appreciated.

Thanks.
#9
This is really interesting. I'm collaborating on this project to integrate OPNsense in Home Assistant: https://github.com/travisghansen/hass-opnsense/

It uses both the REST API and XML-RPC because the API doesn't offer everything needed. I wonder if using your library we could cover everything.

I'll tell Travis, the dev, about this so he can take a look and see if it fits well. :)

Thanks a lot.
#10
Upgrade went fine. The only two minor issues were

- the os-firewall and os-wireguard plugins missing message, solved by resetting local conflict
- this message regarding libevent/openssl when checking for updates:

All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (3 candidates): ... done
Processing candidates (3 candidates): .
pkg: libevent has a missing dependency: openssl111
Processing candidates (3 candidates)... done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


I think I can safely ignore it, but I thought to report it, just in case. :)

Thanks for this release.
#11
24.1, 24.4 Legacy Series / Re: 24.1 Bug report
January 30, 2024, 08:31:14 PM
Reset all local conflicts. Check screenshot attached.
#12
Development and Code Review / Re: Wanted: Plugin developer
September 21, 2023, 06:01:33 PM
This is great news:

Quote from: franco
https://github.com/tailscale/tailscale/issues/5067#issuecomment-1708030918
We're already talking to @DentonGentry at the moment about how to approach this structurally.

Cheers,
Franco

It seems like the OPNsense team will develop an official plugin; is that confirmed @franco? If so, what kind of priority will it be assigned?

Thanks. :)
#13
Quote from: tron80 on September 05, 2023, 03:36:59 PM
Thanks for the status update.

Regarding port 80 (HTTP) vs port 443 (HTTPS) you should(*) see some traffic on port 80 going in and out. Usually a HTTP redirection is sent back to the client that points to HTTPS.

(*) Not every browser starts with HTTP but with HTTPS immediately. Hence, you might need to enforce http:// in order to test this.

I use https://httpstatus.io to test, and when testing port 80 I obviously specified http://, while for testing 443 I used https://.

As I wrote in the OP, I could see traffic in the live log for port 80, but not for port 443. That should've pointed me to the ISP immediately, but I started doubting the OPNsense config, and I spent many hours over 2 days without results. :(

#14
I finally received a reply from the ISP: they filtered port 443 three days ago because of an attack on their network, and they didn't send any email. I complained about the lack of notification obviously.

Sorry to have bothered anyone; I shouldn't doubt OPNsense reliability anymore. It was really strange that a rule config that had been working for 2 years all of a sudden stopped working. I should've checked the ISP first, and I wouldn't have lost all this time debugging the issue.

Thanks to the people that tried to help, it's highly appreciated.
#15
Quote from: tron80 on September 05, 2023, 02:55:29 PM
did you restart OPNsense, too?

If nothing arrives at your WAN IF you could be blocked by your ISP. Can you safely rule out this scenario? Hence a packet capture on WAN would be very interesting.

Regarding port 80 it is working fine on the whole path to your internal traefik install?

Hi, and thanks for answering my post. I appreciate any help.

1. ISP: yes, I sent an email to my ISP yesterday, because I thought that if I don't see anything coming in on the WAN_FTTH (it's a PPPoE connection with an SFP) then it means something before OPNsense is filtering it.

2. I can't fully test port 80 because Traefik upgrades HTTP to HTTPS, and if 443 doesn't work, that fails.