Messages

1

24.7 Production Series / Re: Dashboard graphs and reverse proxy

« on: November 14, 2024, 12:50:32 am »

The solution turned out to be pretty simple:

Code: [Select]

location / {
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass http://172.31.0.1;
        }
The live widgets are working with these two extra options.

2

24.7 Production Series / Re: Losing Internal/External Connectivity to OPNsense firewall

« on: November 13, 2024, 07:17:18 pm »

The only thing that comes to mind is an IP address conflict, but the chances of it co-occuring on multiple interfaces seems remote. Are you able to look at the console while the network interfaces stop responding? It might be interesting to watch top or tcpdump during an outage.

3

24.7 Production Series / Dashboard graphs and reverse proxy

« on: November 13, 2024, 12:13:43 am »

I set up an nginx reverse proxy to handle requests to OPNsense's web UI. This appears to work well so far, except that the CPU, Firewall and Traffic graphs on the dashboard don't display any data. This isn't my area of expertise, so can anyone recommend any modifications to my nginx config to get these graphs to display properly?

Code: [Select]

server {
listen 80;
server_name opnsense.example.org;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name opnsense.example.org;

location / {
proxy_pass http://172.31.0.1;
}
}

4

24.7 Production Series / Re: ISC DHCP secondary pool

« on: November 13, 2024, 12:03:09 am »

I was trying to work with a host that was temporarily moved from another network. Re-IPing the host broke some ACLs so I was trying to preserve its IP address, and adding an interface to OPNsense wasn't an option. I was able to connect to the host and update the ACls to get things working.

5

24.7 Production Series / Re: Fresh Install: "gpart: autofill: No space left on device

« on: November 11, 2024, 10:02:10 pm »

Ok, that makes sense. Thank you.

6

24.7 Production Series / Fresh Install: "gpart: autofill: No space left on device

« on: November 11, 2024, 09:26:28 pm »

OPNsense 24.7 DVD/ISO installer on Vmware 7.0U2 v19 virtual machine

I created a new VM and booted it from the installer ISO in UEFI mode. It boots fine, then I log in as "installer". It asks me on which device to install OPNsense, and I choose a ZFS install type "stripe". I choose the only device available, da0, which is an 8-GB virtual disk that I created as new with the VM. It warns me that the disk will be wiped and I select YES. Then I get the attached error (also quoted in subject).

Some web searches didn't turn up much, so I shut down the VM, increased the disk size to 10 GB and tried again. This time the installer succedded, but 'zpool list' shows that ZROOT is only 2 GB. What do I have to do to get the installer to use the whole virtual disk?

7

24.7 Production Series / ISC DHCP secondary pool

« on: November 04, 2024, 09:45:42 pm »

I have an OPNsense pair configured in HA. I have an existing subnet with a CARP IP and ISC DHCP server running:

Code: [Select]

Interface: opt14
CARP address: 10.13.4.1/24
VHID: 134
DHCP Range: 10.13.4.100 - 10.13.4.199
So far this works as expected and the DHCP server serves leases on the primary subnet.

I need to run a second DHCP pool on this same interface but a different subnet. I created a VIP on the new subnet using the same VHID as the CARP interface:

Code: [Select]

Interface: opt14
VIP: 172.31.0.254/24
VHID: 134
Then I added a secondary pool to the DHCP server on this interface:

Code: [Select]

Range: 172.31.0.16 - 172.31.0.32
As soon as I save the change, the DHCP service stops and the log shows:

bad range, address 172.31.0.16 not in subnet 10.13.4.0 netmask 255.255.255.0

What am I doing wrong?
Is there a way to achieve what I'm trying to do?

8

General Discussion / Re: Download historical configs

« on: November 01, 2024, 08:35:16 pm »

I think I found them in /conf/backup/.

9

General Discussion / Re: iSCSI VLAN Question

« on: November 01, 2024, 08:26:06 pm »

If both devices are on the same vlan then they should be able to communicate at layer 2 with no firewall in the path. Check your switch configs.

For trouble-free operation, all the hosts on the LAN should have the same MTU and all the connected switch ports should have an equal or larger MTU.

10

General Discussion / Download historical configs

« on: November 01, 2024, 07:51:29 pm »

When I navigate to System > Configuration > History I can see a long history of config changes. I know I can select them 1 by 1 and download them, but is there a way to grab all of them off the filesystem? Are they stored individually?

11

24.7 Production Series / Re: ISC DHCP bind interfaces

« on: October 17, 2024, 06:16:43 pm »

What is the recommended way to disable ISC then when I'm ready to enable KEA? If I disable ISC on every interface and stop the service will it remain stopped?

12

24.7 Production Series / ISC DHCP bind interfaces

« on: October 15, 2024, 11:59:27 pm »

The documentation says

If you want to tryout KEA in OPNsense, just disable the legacy dhcp server on the specific interface and go to the KEA DHCP menu available under Services ‣ Kea DHCP.

This is incorrect in my experience, as I disabled ISC DHCP server on a single interface and then enabled KEA DHCP server on the same interface. Clients failed to get a lease and the KEA log shows this:

Code: [Select]

2024-10-15T17:31:45-04:00 Warning kea-dhcp4 WARN [kea-dhcp4.dhcpsrv.0x13d887012000] DHCPSRV_NO_SOCKETS_OPEN no interface configured to listen to DHCP traffic
2024-10-15T17:31:45-04:00 Warning kea-dhcp4 WARN [kea-dhcp4.dhcpsrv.0x13d887012000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface lagg0_vlan152, reason: failed to bind fallback socket to address 10.15.2.1, port 67, reason: Address already in use - is another DHCP server running?
This is confirmed in the shell:

Code: [Select]

# sockstat -l4 | grep 67
dhcpd    dhcpd      42491 23  udp4   *:67                  *:*
Is there a way to force ISC DHCP server to bind only to interfaces where it is enabled so that KEA can be bound to others?

13

24.7 Production Series / tailscaled service doesn't start on boot

« on: September 26, 2024, 06:35:15 pm »

I have 4 OPNsense firewalls with tailscale installed from mimugmail's repository. 3 of them work as expected, where the tailscaled service starts after boot. The 4th does not, and I have to get remote hands to start it for me.

The main difference I'm aware of between this one and the other three is that the other three had tailscale built from ports before I switched them to mimugmail's repo.

I have run service tailscaled enable and I can see tailscaled_enable="YES" in /etc/rc.conf. I'm not sure what else to check. What else should I be looking for to see why the service doesn't start at boot?

14

Hardware and Performance / Dell Sonicwall SuperMassive 9800 CPU architecture

« on: May 28, 2024, 04:55:23 pm »

I'm trying to find out what CPU architecture the Sonicwall Supermassive 9800 has, and more specifically, whether one might have any hope of installing OPNsense on it, but this information is elusive, and as far as I can tell nobody has talked publicly about trying it.

It appears the rest of the 9000 series uses a Marvel Octeon chip, but not the 9800. Anybody know what's in this behemoth?

(Octeon in the 9600) https://www.itpro.com/server/20258/dell-sonicwall-supermassive-9600-review

(64 cores in the 9800) https://www.sonicwall.com/medialibrary/en/datasheet/datasheet-sonicwall-supermassive-series.pdf

(Up to 32 cores in Octeon) https://www.marvell.com/products/data-processing-units.html

(9800 is different from 9000 series) https://www.reddit.com/r/sonicwall/comments/oa732o/supermassive_9800/

15

Hardware and Performance / Re: 2.5 GBE card recommendation

« on: September 15, 2023, 04:42:58 pm »

I have the adapter, so it's ready for a PCIe card. I've been doing some reading on the i225 and i226 cards from Intel. It seems people are having mixed results with these, so I'm loathe to drop money on them.

Intel's X550 adapters are 10/5/2.5/1 GBE capable, but pretty pricey. There doesn't seem to be much for affordable used hardware on ebay either.

Any other brands worth looking at? I'm guessing the 10/5/2.5/1 models are going to be expensive as they're still current tech, but if there are any 2.5 GBE adapters that are known to work well then I'd like to hear any recommendations.