"
I enabled the 'manual gateway switch' cronjob and set it for every five minutes. It has successfully restored a WAN connection that was incorrectly marked as offline.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
24.7, 24.10 Legacy Series / Re: WAN gateway not going back up after Internet outage
May 19, 2025, 09:53:48 PM #2
24.7, 24.10 Legacy Series / Re: WAN gateway not going back up after Internet outage
May 19, 2025, 09:45:52 PM
Eagerly awaiting 25.7!
Is there a workaround in the meantime, aside from patching or manually restarting the gateway monitor? Is it better for now to disable gateway monitoring?
I have three WAN connections, two fibre and one Starlink. The latter is a last resort backup to prevent complete outages. I have had a couple of times where the monitor observes/thinks some of these WAN connections are down and they don't recover, even though they have.
Is there a workaround in the meantime, aside from patching or manually restarting the gateway monitor? Is it better for now to disable gateway monitoring?
I have three WAN connections, two fibre and one Starlink. The latter is a last resort backup to prevent complete outages. I have had a couple of times where the monitor observes/thinks some of these WAN connections are down and they don't recover, even though they have.
#3
Virtual private networks / Re: "can't assign requested address" – opnSense on AWS
October 24, 2024, 01:56:37 AM
Oh, I solved it. The local IP in OPNsense needs to be the private IP address and not the public Elastic IP. This is because the EIP is natted onto the EC2 instance and is not directly associated with any of the attached network interfaces.
When the traffic goes out from OPNsense, the other end of the connection only sees the EIP address, so it all works as expected.
When the traffic goes out from OPNsense, the other end of the connection only sees the EIP address, so it all works as expected.
#4
Virtual private networks / Re: "can't assign requested address" – opnSense on AWS
October 24, 2024, 01:29:02 AM
I am facing the exact same issue on AWS while trying to get IPsec working:
Did you ever solve this?
The same IPsec configuration works fine on a hardware appliance in my office.
Code Select
2024-10-24T00:09:04 Informational charon 04[NET1] error writing to socket: Can't assign requested address
Did you ever solve this?
The same IPsec configuration works fine on a hardware appliance in my office.
#5
General Discussion / Re: Backup: Nextcloud configuration
May 12, 2021, 01:22:20 AM
I went through the process of creating a CA and cert for Nextcloud in OPNsense and installing it on my Nextcloud instance. Still did not work. The reason is that the HTTPS communication is handed off to curl, so it is necessary to do the following:
add the following lines to the curl_setopt_array:
This is how the array looks now:
After doing this, I was able to backup my config to my Nextcloud instance without error.
It would be nice if this was driven by a 'Skip SSL verification' checkbox in the UI, which would require the following changes in the PHP code:
Alternatively, it is possible to tell curl which CA certificate to trust:
That way, verification can be kept on, but a custom CA cert can be used.
One of these methods will be required when using a Nextcloud instance in an isolated network where Let's Encrypt won't work (because it requires a publicly-resolvable DNS record) and self-signed or private CA certs will not work out of the box.
Code Select
vi /usr/local/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.phpadd the following lines to the curl_setopt_array:
Code Select
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_SSL_VERIFYPEER => false,This is how the array looks now:
Code Select
curl_setopt_array($curl, array(
CURLOPT_URL => $url,
CURLOPT_CUSTOMREQUEST => $method, // Create a file in WebDAV is PUT
CURLOPT_RETURNTRANSFER => true, // Do not output the data to STDOUT
CURLOPT_VERBOSE => 0, // same here
CURLOPT_MAXREDIRS => 0, // no redirects
CURLOPT_TIMEOUT => 60, // maximum time: 1 min
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_USERPWD => $username . ":" . $password,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_HTTPHEADER => $headers
));After doing this, I was able to backup my config to my Nextcloud instance without error.
It would be nice if this was driven by a 'Skip SSL verification' checkbox in the UI, which would require the following changes in the PHP code:
Code Select
public function curl_request(
$url,
$username,
$password,
$method,
$error_message,
$postdata = null,
$headers = array("User-Agent: OPNsense Firewall"),
$verify_ssl = true # additional parameter
) {
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => $url,
CURLOPT_CUSTOMREQUEST => $method, // Create a file in WebDAV is PUT
CURLOPT_RETURNTRANSFER => true, // Do not output the data to STDOUT
CURLOPT_VERBOSE => 0, // same here
CURLOPT_MAXREDIRS => 0, // no redirects
CURLOPT_TIMEOUT => 60, // maximum time: 1 min
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_USERPWD => $username . ":" . $password,
CURLOPT_SSL_VERIFYHOST => $verify_ssl, // verify ssl unless explicitly asked not to
CURLOPT_SSL_VERIFYPEER => $verify_ssl, // same here
CURLOPT_HTTPHEADER => $headers
));
// Code continues as before...
}
Alternatively, it is possible to tell curl which CA certificate to trust:
Code Select
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/cacert.pem');That way, verification can be kept on, but a custom CA cert can be used.
One of these methods will be required when using a Nextcloud instance in an isolated network where Let's Encrypt won't work (because it requires a publicly-resolvable DNS record) and self-signed or private CA certs will not work out of the box.
#6
21.1 Legacy Series / Re: Private domains with Unbound DNS
May 06, 2021, 09:13:56 PM
I still don't know why the 'Apply' button temporarily fixes things, but I realised that I was only having problems with host overrides for IPs that were already in the system due to their being dished out via DHCP...
Creating overrides for other IPs works fine in all cases
Creating overrides for other IPs works fine in all cases
#7
21.1 Legacy Series / Private domains with Unbound DNS
May 06, 2021, 05:46:03 PM
Hi,
I am observing some strange behaviour with Unbound DNS: I have added a domain override for a domain I am using solely within my local network, let's call it h.example.com. What I want is for queries for any subdomain records to be answered only by Unbound DNS, and not forwarded out to the Internet, as any responses coming back from outside will be incorrect.
The domain override for h.example.com goes to 192.168.1.1, which is the appliance LAN IP.
My DHCP hosts are correctly resolvable, but I am seeing mixed behaviour for host overrides: some resolve 100% of the time and others fail 100% of the time.
One thing that solves the resolution for all hosts is to go to the Miscellaneous page and enter my private domain in the 'Private Domains' field, then click 'Apply'. Once I do this, all my host overrides resolve correctly to addresses within my LAN.
But... if I then restart Unbound DNS, resolution for some of these overrides immediately begins to fail, until I go back to that Miscellaneous page and click 'Apply', even without making any changes.
I have also followed this tutorial on how to put an additional config file in the file system that contains my private domain, and I have verified that the config gets templated as expected, however this does not solve the problem.
Even clicking Apply on the Miscellaneous page, with no entries in Private Domains also fixes the issue. This may be because I have the config file in the system, not sure about that one.
My question now is, what does that 'Apply' button do, why it is able to fix these resolution issues, when everything else fails?
I am observing some strange behaviour with Unbound DNS: I have added a domain override for a domain I am using solely within my local network, let's call it h.example.com. What I want is for queries for any subdomain records to be answered only by Unbound DNS, and not forwarded out to the Internet, as any responses coming back from outside will be incorrect.
The domain override for h.example.com goes to 192.168.1.1, which is the appliance LAN IP.
My DHCP hosts are correctly resolvable, but I am seeing mixed behaviour for host overrides: some resolve 100% of the time and others fail 100% of the time.
One thing that solves the resolution for all hosts is to go to the Miscellaneous page and enter my private domain in the 'Private Domains' field, then click 'Apply'. Once I do this, all my host overrides resolve correctly to addresses within my LAN.
But... if I then restart Unbound DNS, resolution for some of these overrides immediately begins to fail, until I go back to that Miscellaneous page and click 'Apply', even without making any changes.
I have also followed this tutorial on how to put an additional config file in the file system that contains my private domain, and I have verified that the config gets templated as expected, however this does not solve the problem.
Even clicking Apply on the Miscellaneous page, with no entries in Private Domains also fixes the issue. This may be because I have the config file in the system, not sure about that one.
My question now is, what does that 'Apply' button do, why it is able to fix these resolution issues, when everything else fails?
Pages1
