Messages - cookiemonster

#1
26.1, 26.4 Series / Re: Virtual IP
May 20, 2026, 10:09:01 PM
Well I learned something today. I will need to read up on these concepts.
Seems like I was thinking wrong about how the OP could have wanted to see if possible with OPN. My thinking was along the lines, as I said, of F5 BigIP hardware load balancers, i.e.
https://f5-agility-labs-adc.readthedocs.io/en/latest/class1/module1/lab1.html
https://clouddocs.f5.com/training/community/adc/html/class1/module1/lab1.html
#2
26.1, 26.4 Series / Re: Virtual IP
May 19, 2026, 03:08:03 PM
I suspect the OP wants to use something akin to the F5's virtual IPs, where you have in the UI a way to pretty much do a load balancer setup. Say you have a VIP of 172.26.27.1 that "points" to both 192.168.10.1 and 192.168.10.2 and you choose your algorithm, like round-robin.
Essentially what we can do with a reverse proxy in OPN, but I don't know what the flow would be to set up the VIP. Perhaps creating a VIP in the UI first with a type "IP Alias", but that gives only a VIP assigned to an interface. Or maybe I totally misunderstand the question :)
#3
General Discussion / Re: Unbound log file
May 12, 2026, 11:52:48 AM
That's what it will look like in the default logging, as the firewall IP will be doing NAT for your clients. You still need to track the client making the original request, as I said. Adding additional logging on the firewall is one way to assist with it.
#4
General Discussion / Re: Unbound log file
May 11, 2026, 11:17:14 PM
> Trying to find were this is coming from: let out anything from firewall host itself (force gw) (WAN)
This is the outbound leg from the firewall out to this IP.
You should be able to find the corresponding entry from the LAN of the device attempting the connection. It should be just next to or very near it, but you might need to enable that log in Firewall > Settings > Advanced: "Log packets matched from the default pass rules", likely.
#5
Your WAN is a private range so the rest of the setup might be at play.
That said, on a default OPN installation, the LAN has a default allow-all-out rule, so all clients on LAN will be allowed out via WAN. The purpose is to default to new users as a consumer-type device. Any new interfaces don't have it.
In light of this, the NAT rule is unnecessary on a default LAN.
#6
I would start by doing hardware tests. Memtest and then stress-test with traffic, with say iperf through it like to a public iperf server if you don't have the means to go across LAN - WAN in a lab.
Looking at logs is about looking for clues. Nobody can tell what to search for except some generic hints like grepping for errors.
#7
Some systems need the whole cert chain in a single file. Others need them separate, i.e. CA, intermediates if any, server + a separate file for the client. Check the documentation or do an internet search for your system's OS needs.
Also, posting the log of the failure would help to point in a more specific direction, with any sensitive info redacted.
#8
Quote from: Patrick M. Hausen on April 25, 2026, 10:05:10 PM
> FreeBSD can perfectly well netboot if you serve the root FS via NFS as intended and documented. No mfsBSD, no pxelinux, ... just an NFS based root filesystem like BSD and Sun have been doing for decades.
>
> Blog post in German:
>
> https://punkt.de/de/blog/2017/automatisierte-installation-von-servern-mit-freebsd-und-zfs.html

Very nicely written resource, thank you Patrick. I have bookmarked it for the next time I need to re-do it. I've been meaning to find the time to investigate doing the EFI PXE boot. Much obliged.
#9
Quote from: JamesFrisch on April 23, 2026, 11:22:06 AM
> You have to make a distinction between two different things.
>
> The official OPNsense plugin uses ddclient.net. The catch with ddclient is that there is no official support yet for deSEC.io.
>
> The Github link on the other hand, links to a bash script that I wrote. It was written solely for deSEC.io
> How to install it on OPNsense is here: https://github.com/jameskimmel/deSEC_DynDNS#prepare-on-opnsense

The ddclient might not have official support (I don't know if it does or not), but I moved my deSEC account from the legacy one a while ago, and it works fine. I can share my settings for it if wanted.
#10
Same setup here, OPN ver (26.1.6) as a VM on Proxmox ver (9.1.9) for about a couple of weeks and without problems.
Before the update to the 26.1 series it was running on 25.7, again without problems.
#11
Right, I see. Sorry, no other ideas for now.
#12
I haven't kept up with netboot for FreeBSD, but in the past it needed to use mfsBSD. Check https://forum.opnsense.org/index.php?topic=25003.msg120021#msg120021 for some pointers.
#13
After a hardware change, the interfaces can change, i.e. from igb to igc; then a config restore won't match and services relying on them will fail.
I suggest checking this. You can rename with search & replace before restoring, or you could restore and then re-assign interfaces from the console menu (needs monitor and keyboard) before dealing with the plugins. They might need resetting if they allow it, or a reinstall, not sure.
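The "rename before restoring" route from the post above, as an added example that is not from the original thread or from the OPNsense project: the XML is a constructed, minimal stand-in for a config backup (only the `<interfaces>`/`<vlans>` shape shown is assumed), and the igb-to-igc mapping is hypothetical. Rather than a blind text search-and-replace, it rewrites only the `<if>` elements, so `igb1` can never match inside a name like `igb10`, and it reports any physical device the mapping does not cover, which is exactly what a restore would still trip over.

```python
"""Rename NIC device names in an OPNsense-style config backup before restoring
it on hardware whose interfaces enumerate differently (e.g. igb -> igc).

Added example, not OPNsense project code. SAMPLE_CONFIG is a constructed
stand-in for config.xml; RENAME_MAP is a hypothetical old->new mapping.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling the relevant parts of a config backup.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>vlan0.10</if><descr>GUEST</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>10</tag><vlanif>vlan0.10</vlanif></vlan>
  </vlans>
</opnsense>
"""

# Hypothetical mapping for the new hardware (old device name -> new one).
RENAME_MAP = {"igb0": "igc0", "igb1": "igc1"}

# Physical NIC names look like "igb0"/"igc1"; VLAN/bridge pseudo-devices
# (e.g. "vlan0.10") contain a dot or underscore and are left alone.
_PHYSICAL = re.compile(r"^[a-z]+[0-9]+$")


def collect_device_names(xml_text):
    """Return the set of device names referenced by <if> elements."""
    root = ET.fromstring(xml_text)
    return {el.text.strip() for el in root.iter("if") if el.text}


def rename_interfaces(xml_text, mapping):
    """Rewrite every <if> whose text is in mapping; returns (new_xml, count).

    Whole-element matching means 'igb1' never rewrites part of 'igb10'.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for el in root.iter("if"):
        name = el.text.strip() if el.text else ""
        if name in mapping:
            el.text = mapping[name]
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def unmapped_physical_devices(xml_text, mapping):
    """Physical device names the mapping does not cover.

    Anything listed here would still be missing on the new box after
    restore, so the mapping (or the hardware) needs a second look.
    """
    return sorted(
        n for n in collect_device_names(xml_text)
        if _PHYSICAL.match(n) and n not in mapping
    )


if __name__ == "__main__":
    leftover = unmapped_physical_devices(SAMPLE_CONFIG, RENAME_MAP)
    if leftover:
        print("mapping incomplete, still referenced:", leftover)
    new_xml, n = rename_interfaces(SAMPLE_CONFIG, RENAME_MAP)
    print(f"rewrote {n} <if> elements")
    print(new_xml)
```

Run it against a real backup by reading the file into `xml_text` instead of `SAMPLE_CONFIG`; note that `ET.tostring` drops the `<?xml ...?>` declaration, so prepend it when writing the result back out.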
#14
General Discussion / Re: DNS not working via LAN
April 25, 2026, 02:59:50 PM
Can you see that testing request hitting the firewall (live view)? It should appear there to trace where/what is refusing the connection. It could be a firewall rule.
You might need to enable logging of rules you created, or enable the default in Firewall > Settings > Advanced: Logging.
#15
26.1, 26.4 Series / Re: Creating port-alias fails
April 12, 2026, 10:52:55 PM
Try with a name other than a recognised service, i.e. myrsync instead of rsync, as the message suggests.
It seems it is not that it already has a definition for it that you can select from the drop-down, but that it is a reserved name.