Messages - RobLatour

#1
@Monviech thank you for the update and the explanation.
#2
Is this still on the table? 

I ran into a situation yesterday that I needed to reset which device was using a specific IP address and could not. In short, I'm using the Network Time Service with OPNSense and have attached to my system a stratum 1 time server at IP address 192.168.7.24. Various devices on the network reference this IP address specifically. The device I am now using is a replacement to the old one and has a different MAC.

With the old way of doing things this was simple, but with dnsmasq not giving up the lease on the old device, even after I restart the dnsmasq service, it seems I'm stuck with a misconfigured network until the old lease expires later today.

Some sort of delete button on the old lease would be very helpful.
#3
thank you - it is now gone!
#4
Recently I upgraded to OPNSense 26.1 and with that upgrade migrated to dnsmasq dns and dhcp - and everything is working fine.

However, in my list of firmware plugins I notice I have this:

os-isc-dhcp (installed)   1.0_3   277KiB   2   OPNsense   ISC DHCPv4/v6 server

Is this still needed or can it be removed without impact to how things work?
#5
Thank you for your time and insights. This is well over my pay grade, so I really do appreciate your help. I'll poke around a little more on this and may open it on GitHub as a potential bug. However, for now I've got my program up and running, just had to assign a static IP address to the device running it.

Thing is it took several days until I stumbled on this workaround. However, perhaps someone else reading this thread in the future will be able to save some time because of it.

Again, with thanks for your time and insights!
#6
Well, I changed my project's code to reference only 1 NTP server (as shown below)

configTime(GMT_OFFSET_SEC, DAY_LIGHT_OFFSET_SEC, NTP_SERVER1);

and point directly to the IP address of my ESP32 time server used by OPNSense.

However, I got the same results:

If the client is assigned a dynamic IP address it does not get the time from the time server.

If the client is assigned a static IP address it does get the time from the time server.
#7
Well of course you are right! :-)

I had been thinking of my ntp server as the Network Time Service running on OPNSense - i.e. the ip address of the OPNSense box itself - which as I understand it intercepts calls to, for example, pool.ntp.org, and responds to the device itself.

#8
Hi,

Thanks for your comments.

Regarding: Obviously, you set the NTP servers in your code, so your client does not use DHCP assignments.

That's not exactly how it works, if you look at the example from my earlier post here: https://wokwi.com/projects/420011361310192641 you will notice that all that is done is a wifi connection. The NTP request travels over UDP, and I assume is generally broadcast and that is how the NTP server picks up on the request. I also assume that the NTP server gets the source IP address from the UDP packet and that is how it knows to which device it needs to respond (if it itself also doesn't do a general broadcast). In any case I am no expert on how NTP servers work, but that is my educated guess as the client doesn't configure the NTP server's address.

Again, this works fine when the client is connected with a static address, but not with a dynamic one.
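For readers following the NTP discussion above, here is an added example (not code from the post, the Wokwi project or OPNsense) of what an SNTP client actually puts on the wire: a single 48-byte UDP datagram sent to the configured server's address on port 123, with the server answering to the source address and port of that datagram. The Arduino configTime() call on the ESP32 hands its server names to the lwIP SNTP client, which sends this same unicast request. The sample server reply is constructed in make_sample_reply() so the parsing runs offline; query() does real network I/O, and the server name passed to it is a placeholder.

```python
import socket
import struct

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def build_client_request():
    """48-byte NTPv4 client request: LI=0, VN=4, Mode=3 (client); all other fields zero."""
    packet = bytearray(48)
    packet[0] = (0 << 6) | (4 << 3) | 3  # 0x23
    return bytes(packet)


def reply_mode(data):
    """Mode field of the first byte: 3 = client request, 4 = server reply."""
    return data[0] & 0x07


def parse_server_reply(data):
    """Parse a server reply and return version, stratum and the transmit timestamp as Unix time."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, _poll, _precision = struct.unpack("!BBBb", data[:4])
    if reply_mode(data) != 4:
        raise ValueError(f"expected server reply (mode 4), got mode {li_vn_mode & 0x07}")
    version = (li_vn_mode >> 3) & 0x07
    # Transmit timestamp: 32-bit seconds + 32-bit fraction, network byte order, at offset 40.
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    unix_time = tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32
    return {"version": version, "stratum": stratum, "transmit_time": unix_time}


def make_sample_reply(unix_time, stratum=1):
    """Constructed server reply (mode 4) carrying the given Unix time; used for offline demonstration."""
    packet = bytearray(48)
    packet[0] = (0 << 6) | (4 << 3) | 4
    packet[1] = stratum
    ntp_sec = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * 2**32)
    struct.pack_into("!II", packet, 40, ntp_sec, frac)
    return bytes(packet)


def query(server, timeout=2.0):
    """Send one unicast request to server:123 and parse the answer (real network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (server, NTP_PORT))
        data, _peer = sock.recvfrom(512)
    return parse_server_reply(data)


if __name__ == "__main__":
    # Offline round trip through the constructed reply.
    print(parse_server_reply(make_sample_reply(1700000000.5)))
    # Against a real server: print(query("ntp.example.invalid"))  # placeholder hostname
```

The request carries no return address of its own: the server replies to whatever source address the UDP datagram arrived with, so a client with a dynamic address is served exactly like one with a static address as long as the datagram reaches the server and the reply can route back. That makes a packet capture on the path (or the firewall's own live log for UDP/123) the quickest way to see which of the two legs is failing.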
#9
Thanks for your comments.

How do you configure your NTP client in each setup?

There are different ways to get NTP data for an esp32 device - but under the hood I suspect they all boil down to the same thing:
Here is some stub code I wrote for an emulator to see if I had the basics right (which I did):
https://wokwi.com/projects/420011361310192641

You can easily check with another client and/or by dumping DHCP requests and answers.
In my testing I set up Wireshark on another computer on the same interface, and then had it monitor for NTP requests.
Yesterday, when the ESP32 device had a dynamically assigned address I could not see the NTP request via Wireshark.
Also, yesterday, when the ESP32 device had a statically assigned address I thought I could see the NTP request via Wireshark, but I just checked again and I didn't see it.

Not using Wireshark, is there a way in OPNSense to dump DHCP requests and answers?
#10
I don't know if this is an OPNSense bug or not - so I thought I would post here and get comments before reporting as a bug (if appropriate) on Github.


In short: NTP is not working for devices on my Wifi Mesh network that are assigned dynamic addresses, however it does work if I assign them a static address.

Question: is this an OPNSense bug or just the way things should work?


Additional background and detail:

I am running OPNSense (current community version) with various interfaces, including:
   LAN
   LAN_IOT
   Master_Clock

I have two separate physical Wi-Fi networks.  One is attached to LAN the other to LAN_IOT.
Both the Wi-Fi LAN and LAN_IOT are running in Access Point mode.
The Wi-Fi LAN device is a TP-Link Deco mesh system (with three TP-Link Deco connected in the Mesh).
The Wi-Fi LAN_IOT is a legacy TP-Link Access Point which also connects to a legacy TP-Link Extender.

OPNSense is running the Network Time Service.

The Network Time Service runs on the Master_Clock interface.

The Network Time Service gets its time from an ESP32 - GPS based Stratum 1 Time Server I developed and released in 2023.

The Network Time Service delivers NTP date/time data to all other interfaces.

This setup has been working very well for me since 2023, however almost all my devices connected on all interfaces have been set up, via OPNSense, with static IP addresses.

Recently I have been programming another set of ESP32 projects and noticed that while they could connect to either the LAN Wi-Fi network or the LAN_IOT Wi-Fi network they would not retrieve the NTP date/time data.

I spent several days trying to resolve this; but most of this time was chasing down the rabbit hole that my ESP32 code was bad / bad board configurations / etc (none of which seemed to be the issue in the end).

Also, in debugging this, at one point I stopped the OPNSense Time Service, and with it stopped, my other device could get NTP date/time data but my ESP32 projects could not. So that was not it.

However, late yesterday I found that if in OPNSense I set the ESP32 project device up with a static IP address it was able to get the NTP date/time data just fine. However when it ran with a dynamic IP address the problem returned.

In conclusion:

In any case, I am reporting it here. 

I don't know if it's an issue with OPNsense, TP-Link, both, or simply how things work.

If it is an as of yet unknown/unreported issue with OPNSense, the above offers a workaround.

Also, if the comments here so indicate, I will open it up as a bug on the OPNSense Github page.

With thanks.


#11
Quote:
You won't have been locked out. You disabled the DNS resolver so whatever URL you were using to access the web GUI could not be resolved.

You should have been able to access the web GUI using the firewall IP address to enable unbound again

Well I very much suspect you are right:

I was trying to access it via:

https://192.168.1.1

when I should have been using:

https://192.168.1.1:8443
#12
On my OPNSense system I use Unbound and Caddy.

With the help of Caddy, I access the OPNSense WebGUI from a PC on my LAN interface via https.

I was trying to get something else working today, and disabled Unbound.  Immediately upon doing that I was locked out of the OPNSense WebGUI.

I had to connect a keyboard and monitor to my OPNSense box and do a restore from a backup earlier in the day (when Unbound was enabled) to get WebGUI access back again.

Is this a known problem?
#13
Ok, I finally got ssl access to Home Assistant via my own domain name, CloudFlare, and the OPNSense Caddy plugin.  Here is how:

1. set up my domain DNS, Cloudflare and Caddy in the same way as in my previous post (directly above) for ha.example.com

2. created and installed an SSL self-signed certificate as detailed in this video:
    https://www.youtube.com/watch?v=d-CbVVxAHtI
    (on the Home Assistant box and on the local machine I wanted to use to access Home Assistant)
    (note: without the certificate I could still access portions of Home Assistant screens, however some key features like changing Home Assistant settings were blocked)

3. added the following to Home Assistant's configuration.yaml file:

http:
  ssl_certificate: /config/homeassistant.pem
  ssl_key: /config/homeassistant-key.pem
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.1
    - 172.30.33.0/24
    - ::1
    - 127.0.0.0
After that I could access Home Assistant with https://ha.example.com/lovelace/default_view

Thanks to all for their help!
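A note on the use_x_forwarded_for / trusted_proxies pair in the configuration.yaml above, with an added example that is not from the post and not Home Assistant's own implementation (which has further checks of its own): once a reverse proxy such as Caddy sits in front, the application sees the proxy's address as the TCP peer and learns the real client only from X-Forwarded-For. That header must be believed only when the peer is one of the listed proxies; otherwise any client on the network could present a header naming an arbitrary address. The simplified model below mirrors the post's list. One detail worth checking in such a list: an entry without a prefix length, such as 127.0.0.0, is a single host, so 127.0.0.1 is not covered by it (127.0.0.1 or 127.0.0.0/8 would be). The client addresses used in the test are constructed documentation addresses.

```python
import ipaddress

# Constructed to mirror the trusted_proxies block in the post's configuration.yaml.
TRUSTED_PROXIES = ["192.168.1.1", "172.30.33.0/24", "::1", "127.0.0.0"]
USE_X_FORWARDED_FOR = True


def parse_trusted(entries):
    """Each entry may be a single address or a CIDR range; both become ip_network objects
    (a bare address becomes a /32 or /128, i.e. exactly one host)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_trusted_proxy(addr, trusted):
    """True if addr falls inside any trusted network. Raises ValueError for a malformed address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def effective_client_ip(peer_ip, headers, trusted, use_xff=USE_X_FORWARDED_FOR):
    """Decide which address to treat as the client.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy; from an
    untrusted peer the header is ignored and the peer itself is the client.
    """
    if not use_xff or not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    xff = headers.get("X-Forwarded-For", "")
    hops = [hop.strip() for hop in xff.split(",") if hop.strip()]
    # Walk from the proxy nearest us outwards: skip every trusted proxy and take the
    # first untrusted address. Entries a client pre-injected on the left are never reached.
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop, trusted):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: do not trust the header at all
    return peer_ip


if __name__ == "__main__":
    trusted = parse_trusted(TRUSTED_PROXIES)
    # Via the Caddy proxy at 192.168.1.1: the forwarded address is accepted.
    print(effective_client_ip("192.168.1.1", {"X-Forwarded-For": "203.0.113.5"}, trusted))
    # Direct from an untrusted peer: the header is ignored.
    print(effective_client_ip("192.168.1.50", {"X-Forwarded-For": "203.0.113.5"}, trusted))
    # The bare 127.0.0.0 entry does not cover localhost.
    print(is_trusted_proxy("127.0.0.1", trusted))
```

Walking the header from right to left and skipping trusted hops is what makes the check robust when a proxy appends to an existing X-Forwarded-For rather than replacing it: the address the trusted proxy itself recorded always wins over anything a client supplied.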

#14
I've been using the OPNSense plugin for Caddy for a little while now, still working out some of the kinks on my system but today I ran into a new one.

I had a device referenced by https://pikvm.example.com which had been working well for at least a week now, maybe two.

However, this morning I could no longer access it via https://pikvm.example.com as I could as recently as yesterday. Regardless, I could access it via http://xxx.xxx.xxx.xxx (its IPv4 address). Also, I could ping it just fine at its IPv4 address.

After some digging, I realized I did not have the device assigned to a static IPv4 address in OPNSense on the page Services: ISC DHCPv4: [LAN]

I assigned a static IP address to it, and voilà, it was working again.

Just thought I would share.
#15
Yes, that's all pretty much the way I figured it - just thought I'd ask in case there was something OPNSense could do - but obviously not.