Messages - tessus

#1
Ok, in the release notes I can see:

This release brings the new host discovery service which resolves and remembers MAC addresses for IPv4 and IPv6 hosts in your connected networks and provides this data for the firewall MAC aliases and captive portal clients. It is now enabled by default, but you can choose to opt out by disabling the automatic discovery option.

Well, my questions still remain. What could make it jump to 100% CPU all of a sudden? Also, I am not sure what this actually does. MAC addresses are "remembered" in the ARP cache, so why do I need this service? What is going to be worse (perf, functionality, ...) when I do not use this service?
#2
25.7, 25.10 Series / hostwatch at 100% CPU
Today at 03:54:15 PM
I've updated to 25.7.11_1 (from 25.7.10) 1 or 2 days ago. A few minutes ago the hostwatch process went haywire and stayed at 100%. I also saw that syslog-ng was at about 80%. Then I killed the hostwatch process and everything went back to normal.

What is this process and what does it do? Is it a new service, and what could make it jump to 100% CPU all of a sudden?
#3
I am not sure whether the term "boot environments" works either. Maybe it's a better term, but this still doesn't solve my confusion. What would happen if I were to delete the currently active one (which is also the only snapshot)? Or will I get an error that this isn't possible?

But I still do not understand how exactly those snapshots work. So I create a snapshot before I run a firmware update. While I update the firmware, this new snapshot grows (which points to it persisting data). So how do I roll back? Or is all the data that has been persisted removed as soon as I set it active? How can one roll back, if data is persisted?

I also do not know how to roll back my default one (the currently active one) to the time it was created.

It seems that I am not alone with my confusion and unfortunately I was not able to resolve the disconnect I still experience when trying to understand opnsense snapshots.

P.S.: I haven't read up on the bectl link, but will do so later today. Thanks for the link. Maybe the link will make things clearer for me.
#4
I've been using snapshots on Proxmox forever and I have been doing the same on other ZFS systems as well. I have read through the OPNsense snapshot documentation and a few things make no sense to me and I kindly ask you to clarify the situation for me.

When I installed OPNsense on new HW I used ZFS this time around and during the installation a "default" snapshot was created and has been used since.

So the documentation states that if I create a snapshot and make it active, it will be used on next boot (basically does a rollback to the time of the snapshot creation). But my "default" snapshot was created in September last year and when I reboot, it is not rolled back to September, but everything since then has been persisted and it is as if there is no snapshot at all.

So my understanding of snapshots is this: A snapshot is exactly what its name suggests - a snapshot at any point in time. When I roll back to the snapshot it starts at the time the snapshot was created.
In Proxmox I run a VM and by default there are no snapshots. Then I can create snapshots at any point in time and roll back to exactly that point. And I can go back to that point in time multiple times.

But here in OPNsense it persists data. My problem of understanding is why and when will a snapshot in OPNsense start to persist data? When I make it active for the first time? If so, this means I cannot use (roll back to) a snapshot more than once. E.g., how do I roll back to Sept. 2025 when the "default" snapshot was created?
Somehow there is a disconnect I cannot reconcile.

It would all make sense to me, if there was a "rollback" button for the active snapshot. Or is the "Activate" button the rollback button? So even though the "default" snapshot is currently active, I would have to activate it again to roll back to Sept. 2025?
#5
Yep, my thoughts exactly (using GH to discuss). And, btw, I am not going to be angry, if a PR is not merged. I just feel more comfortable discussing features and code on GH, since it's a lot easier to reference code.

You know what, I'll open a PR and let's go from there.
#6
I don't think that adding one line to a script is a complex solution. What I don't understand is that hardcoding a specific shell is considered the normal way of doing things.

Anyway, if a PR that adds one line to a script won't be accepted, because it is deemed too complex or too high of a maintenance burden there is no need to create one, is there?

Don't get me wrong, I have already used the workarounds you mentioned (all but spawning bash from the .cshrc), but I actually like the menu and overview the opnsense-shell script provides. I'm just not a fan of csh.

Too bad, I guess I will have to patch opnsense-shell every time there is an update.
#7
Spawning bash from .cshrc is a rather nasty hack I'd rather avoid. But that's just me.

The issue is I do not know which files are overwritten when packages are updated, otherwise I'd just update the /usr/local/sbin/opnsense-shell locally. But it is part of the opnsense package, so I think the file is overwritten during every upgrade.
My idea to use an optional file with a CMD_SHELL var in /etc/ or /etc/defaults/ seems the most logical solution that adheres to Unix philosophy. But maybe I am wrong.

I don't really want to discuss this on this forum, since it doesn't understand markup. It's way easier to do that in a PR.

I only needed to know the repo, because I wanted to avoid searching for it on gh, which I have done now. So this topic is now obsolete.


#8
Yes, this is a very nice idea. However, I am great with backend and scripts, but suck at anything with UI and/or frontend.

To answer your question: I don't know how to do that.
#9
In the /usr/local/sbin/opnsense-shell script that is used as the shell for the root user, the shell when selecting menu entry 8 is hard-coded to /bin/csh.

I would like to use bash (/usr/local/bin/bash) instead.

Can you please point me to the correct repo for this script so that I can submit a PR? I am thinking of reading a file (e.g. /etc/opnsense-shell) and in case the file exists and has a CMD_SHELL var, it will be used. Otherwise the current default is used. We can discuss the specifics in the PR.

What do you think?
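As an added illustration of the CMD_SHELL idea from this post and from post #7 (it is not the OPNsense opnsense-shell script and not code from the OPNsense project), the sketch below reads an optional /etc/opnsense-shell file, uses a CMD_SHELL value from it, and otherwise falls back to the hard-coded /bin/csh. The file path, the variable name and the default come from the posts; the validation rules (absolute path, regular executable file, listed in /etc/shells when that file exists) and the decision to parse the file instead of sourcing it are assumptions added here.

```shell
#!/bin/sh
# Illustrative sketch of the CMD_SHELL proposal (not the OPNsense opnsense-shell script).
# Path, variable name and default follow the forum posts; validation is an added assumption.

DEFAULT_SHELL=/bin/csh            # what opnsense-shell hard-codes today
CONFIG_FILE=/etc/opnsense-shell   # optional override file from the proposal

# read_cmd_shell FILE
# Prints the value of the last CMD_SHELL=... line in FILE (quotes and trailing
# comments stripped), or nothing if the file or the variable is absent.
# The file is parsed rather than sourced: opnsense-shell runs as root, so a
# sourced file would be a way to execute arbitrary commands; a parsed one is data.
read_cmd_shell() {
    file=$1
    [ -r "$file" ] || return 0
    line=$(grep '^[[:space:]]*CMD_SHELL=' "$file" | tail -n 1 || true)
    value=${line#*=}
    value=${value%%[[:space:]]*}   # drop anything after the first blank (comments, junk)
    value=${value#\"}; value=${value%\"}
    value=${value#\'}; value=${value%\'}
    if [ -n "$value" ]; then printf '%s\n' "$value"; fi
    return 0
}

# shell_allowed PATH [SHELLS_FILE]
# Returns 0 only for an absolute path to a regular executable file that the
# shells list (default /etc/shells) names; the list check is skipped when the
# list file does not exist, e.g. in a minimal jail.
shell_allowed() {
    candidate=$1
    shells=${2:-/etc/shells}
    case $candidate in
        /*) ;;
        *) return 1 ;;
    esac
    [ -f "$candidate" ] && [ -x "$candidate" ] || return 1
    if [ -r "$shells" ]; then
        grep -qxF -- "$candidate" "$shells" || return 1
    fi
    return 0
}

# resolve_shell [CONFIG_FILE] [SHELLS_FILE]
# Prints the shell that menu entry 8 would spawn: the validated CMD_SHELL value,
# otherwise the hard-coded default.
resolve_shell() {
    cfg=${1:-$CONFIG_FILE}
    shells=${2:-/etc/shells}
    wanted=$(read_cmd_shell "$cfg")
    if [ -n "$wanted" ] && shell_allowed "$wanted" "$shells"; then
        printf '%s\n' "$wanted"
    else
        printf '%s\n' "$DEFAULT_SHELL"
    fi
}

# Stand-alone demo: show which shell this host would get.
resolve_shell
```

Parsing a single KEY=VALUE line and checking the result against /etc/shells keeps the override file a pure data file: a typo, an unlisted binary or a line that tries to append a command simply falls back to /bin/csh instead of being executed by the root shell.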
#10
I am sorry to resurrect this topic, but after a few more times when my Wireguard gateway went down, the cron job "Renew DNS for WireGuard on stale connections" which is run every 5 minutes, does not restart the wg instance.

Thus the GW is still down and requires a manual "disable instance" -> "apply" -> "enable instance" -> "apply" in VPN -> WireGuard -> Instances.

Any other ideas how I can make sure that my WireGuard VPN connection is properly available without interaction? I still think that the GW settings should have a script option when it goes down, but that's another story.
#11
Quote from: Patrick M. Hausen on November 09, 2025, 07:53:28 PM
Quote from: tessus on November 09, 2025, 07:49:56 PM
Running the cron job every minute is probably a strain on the system.

IMHO a cron job once per minute that decides there is nothing to do should do no harm. A minute is an eternity in CPU time.

Thanks, I will set it up.

"A minute is an eternity in CPU time." Totally agree, but I haven't checked how these cron actions are actually written. python, php, ...? The first 2 come with quite some overhead, since the interpreter has to be loaded every time. This means I could have a spike every minute. But I guess I'll see.
#12
Quote from: Patrick M. Hausen on November 09, 2025, 12:12:34 PM
"Renew DNS" means "restart that connection so it will do a fresh DNS lookup".

Ok, then it makes sense and I agree with you: the wording is a bit off. ;-)

Quote from: Patrick M. Hausen on November 09, 2025, 12:12:34 PM
So you get your restart. Did you try that cron job, yet?

Not yet, because I do not know how often I should run it (and my GW hasn't gone down since). Running the cron job every minute is probably a strain on the system. 15 minutes could leave my VPN dead for 14 minutes and 59 seconds in the worst case. While I agree with you that it is a workaround and might solve the issue, it is not as useful as triggering a command/action if the gw goes down.
I read up on dpinger and it seems that commands can be triggered and run, but I suppose that functionality was not added to opnsense.
I will open a feature request.

Quote from: DEC670airp414user on November 09, 2025, 01:26:19 PM
for a vpn instance I've added multiple "peers" to it. thinking if the first one goes down, it will connect to the next peer.

I first thought so as well and I have even created another peer but left it disabled. Because according to the Wireguard architecture peers are always active when enabled, unless I misunderstood it. Afaik there is no setting in Wireguard to allow for failover connections. This means both are active (which counts towards your concurrent connections) and I have no idea what this does to sessions. E.g., if you connect to a web site every packet could come from either one of two IP addresses (or however many peers you have set up). This will certainly raise a flag, if continuous packets have alternate IP addresses in their TCP headers.
#13
I am sorry to bump this again, but both answers don't work, because the mentioned options do not exist.

The situation I described isn't a far-fetched theoretical problem, but a real-life possible scenario that is actually quite common for a router/firewall: if gw is down, run a script or trigger an action.
#14
25.7, 25.10 Series / Re: WireGuard VPN Inconsistent
October 28, 2025, 11:09:30 PM
Welcome to OPNsense. ;-)

Alright, let's try to tackle this. First I need a bit more info. You mentioned "WireGuard VPN on the desktop running OPNsense". Usually OPNsense is running on the edge router (the one that is connected to the Internet).

Internet <--> OPNsense <--> home network (proxmox, NAS, other clients)

But your statement points to something like: Internet <--> ??? <--> home network (OPNsense, proxmox, NAS, other clients)

Can you please clarify your topology?

I use Wireguard myself to access my network from the outside (road warrior setup).
For the sake of argument and the following examples, let's use 10.20.30.1 as your wireguard instance's tunnel address and 51820 as the port. Clients will then use 10.20.30.2 to 10.20.30.254. Your home network uses 192.168.1.0/24.
There are a few things to be aware of:

1) You need one WAN rule to let traffic in to the Wireguard port
Protocol: IPv4 UDP | Source: * | Port: * | Destination: WAN address | Port: 51820 | Gateway: *
2) On your Wireguard interface (e.g. WG0) you need rules to specify what clients are allowed to access in your network
e.g. the client with ip address 10.20.30.2 is allowed to access your entire network
Protocol: IPv4 | Source: 10.20.30.2 | Port: * | Destination: * | Port: * | Gateway: *
3) The "Allowed IPs" setting on the wireguard client determines which traffic uses the Wireguard connection. Thus make sure your tunnel address and your home network are included.
AllowedIPs = 192.168.1.0/24, 10.20.30.1/32

#15
@BrandyWine can you please let me know where I can find the option "Execute command on gateway failure"? It is not in the advanced gateway options. Are you using a patched version of OPNsense? If so, how do I get that patch? If not, how can you have that option, when I do not?