Messages - technotic

#1
Hi. I just happened to be looking through the tunables again today in the UI, and the descriptions of a few of them have finally bugged me enough to want to do something about it 😀 For example, for net.inet.tcp.delayed_ack the description says "Do not delay ACK to try and piggyback it onto a data packet", most likely because the default value is 0, which turns off delayed ACK. But the description could easily be mistaken by someone for whom English isn't their first language, or a person who lists 25 certs in their Xwitter display name, to mean that enabling the option (value of 1) would be the correct value to achieve the results of the description. This is just one example, but there are quite a few that have "odd" descriptions that describe the nonsense defaulted option, but can confuse, mislead, or just seem to miss the mark.

I would like to update these and submit the revision for review, but I'm not sure of the right way to go about doing that. I'm guessing it's all one single locale file? If so, would it be best to submit the revisions as a patch file to replace the whole tunables section? A file containing only the tunables section so that the devs can review and just replace manually? The only problem I see with a patch file against the current release version is obviously it won't match if any changes have been made on the dev branch.

Would it be preferable to clone the dev branch and then do a pull request for the locale file?

PS: what if I were interested also (and separately) in providing help hints for core menus or official plugin menus? I can take a look at the current UI code and replicate the current method to place an anchor and the hint text, since this would be adding hints for some items that don't have hints but could use them. I would even be willing to do the mundane task of placing a help hint to show correct formatting (there are a couple of menu items that don't have it), as well as adding something like the following for the entry fields it applies to: "Press Enter to create an entry from your current text input. Additional entries may be added. To remove an entry, tap/click to select it, and press Backspace."

As for the help hint text, Einstein said, "Everything should be made as simple as possible, but not simpler." and I believe the purpose of the help hints is to clarify what information is expected and, where necessary, identify fields that shouldn't be populated unless you already know it needs to be populated.

If there is a specific person that is in charge of this, perhaps you can put me in touch with them and I can submit edit suggestions to them. I'm not trying to step on anyone's dick. There's a lot of text to maintain. And if we go by old school standards, documentation is only created under severe intoxication. A person only has so many livers.

Thanks in advance.
#2
So an update:

I tried setting secondary console to Serial Console

I tried primary with VGA, EFI, and Mute, all still require me to connect the console and press enter.

I'm at a loss. I'm okay with disabling the boot menu, but I'm not sure how with OPNsense. If I need rescue mode or something, I can USB boot. This might be my only solution: to boot the kernel directly without the menu.
#3
Hey franco,

Reviving this because I still have the issue and have been unable to fix it. I just read through this thread https://forum.opnsense.org/index.php?topic=3972.15 and it was insightful, though obviously several years old.

I've tried using a dummy HDMI dongle with no success. I even tried with the dummy HDMI dongle and a USB keyboard dongle attached, with no luck. Note that it does actually boot without needing interaction when using a real HDMI display and the same USB keyboard dongle with the keyboard powered on (it would only be a band-aid fix to leave my USB wireless keyboard powered on 24/7 or have a wired keyboard permanently attached to the device). Possibly my HDMI dummy dongle is bad, it's possible, but I would estimate the chance of that being pretty low, even with Chinesium standards.

If I have the console connected and PuTTY open on the COM port (using an RJ45 to USB serial cable), the boot menu briefly pops up for OPNsense, then it boots. Without being connected to the COM port, I have to connect to the COM port, press Enter, and then boot proceeds.

I did the install completely over serial: downloading the DVD ISO, dd'ing it to the plugged-in USB flash drive, manually boot-selecting it, setting the console boot option, etc. etc. I don't have the USB flash drive configured as a bootable option in my UEFI boot config settings. It's definitely the OPNsense boot menu waiting for input.

I have a strong Linux background, but my only BSD experience is with OPNsense. I *still* get frustrated every time I type "ip a" and get an error  ;D

My current console settings are attached. Primary is serial. Secondary is VGA. I will try to adjust these settings (will I lose any console messages by setting serial console for secondary?), such as trying EFI console for primary, serial as secondary, or VGA as primary with dongle inserted, and serial as secondary. I'm guessing one of these will fix my issue, but I'd like to definitively resolve this and be able to provide the solution and mark it as solved, for anyone else encountering this, since it's the top Google hit for my search terms. Took me a second to realize I was reading my own post  ;D
#4
Btw, I do understand the need to transition, and it might make configuration simpler for many people. I understand the UI isn't in its final form yet either. But DHCP is one of those things you expect to "just work", and when it doesn't, and you can't find a logical reason, it's frustrating. I'll give it a try again this weekend at 2am when I'm the only one awake, and I'm not blaming anyone or angry about it, I'm.. I guess I'm disappointed by Kea so far. But I've never used it. I'll deep dive it and hopefully it won't feel like a regression.
#5
I've run into an issue with it. Now I'll be honest, I forget how ISC works, and I'm not sure how it's been implemented into OPNsense. Does it fork for each interface?

A concern I have is that I have 3 active internal interfaces. Maybe I'm old school, but I was trying to figure out how to set it up per interface, and then I realized you just put them all into one line. It gives me anxieties, and I wonder... has anyone assessed it for possibilities of it leaking all of the subnets it serves? I don't offsec as great as I want to. Or... great at all. By ANY context of the word. 🫢

I did hit a problem with it. It was only serving my LAN interface, despite having the appropriate subnets entered. I can tear into it, but is there by chance someone who's already done it? I went back to ISC right now because I was down nearly all day. FWIW, I had just done a clean, fresh install of 23.7 before changing to the dev branch. I had an anomalous routing issue that was preventing one of my interfaces from having a functional WAN connection, and it was easier to reinstall than continue tearing apart the config. Note: there are still some issues with configuring OPNsense using a combination of console and web UI. I'll document those this weekend if I have time.

Regarding:
Quote: "Binding to things is a bit of a grey area for DHCP servers."
When did this become a thing? Most modern daemons that are likely to have bindings for segmented services are either expected to run multiple instances (granted, most of the time it's dockerized) or fork themselves for each configured instance.

Quote: "In short, it might be that it is not a good idea to run multiple DHCP servers on one host, depending on the specific implementation in opnsense and your network."

I assume that a majority of OPNsense deployments are currently serving DHCP to more than one interface. It's highly probable. It's kind of the thing an advanced router would be desired for. I'm asking this with all sincerity. Do you have alternate suggestions for serving multiple interfaces that would allow it to be brought up or down easily on that interface (with settings preserved)? I'd appreciate a better understanding, also, of why binding it to the interface is a grey area. It's just that I've never heard that. But OPNsense is the only software I've ever had to run FreeBSD for, so I'm pretty ignorant of BSD particularities. I use just about every flavor of Enterprise Linux (RHEL/CentOS/Fedora/Rocky/Alma/etc.) and Debian or Ubuntu when I have to (thankfully Docker has saved me from that mostly). Anyway, I'd love to hear more on this please.
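
The post above asks how Kea is set up "per interface" and whether one daemon serving three inside networks can leak pools across them. As an added example (not the poster's configuration and not the file OPNsense generates), this is what a single kea-dhcp4 process looks like when it binds three interfaces and pins each subnet to one of them. Kea does not fork per interface; one process listens on every interface named in interfaces-config, and the per-subnet "interface" key is what stops a request arriving on one NIC from drawing a lease out of another subnet's pool. Interface names (igc1..igc3), the lease-file path and the address ranges are assumptions; the // comments are accepted by Kea's own config parser, as in the example files it ships with.

```json
{
  "Dhcp4": {
    // Added example; not from the original post or from OPNsense.
    // Listen only on the three inside interfaces. A "*" here would also
    // bind the WAN, which is the leak to avoid on a perimeter box.
    "interfaces-config": {
      "interfaces": [ "igc1", "igc2", "igc3" ]
    },

    // Assumption: memfile lease store at this path.
    "lease-database": {
      "type": "memfile",
      "persist": true,
      "name": "/var/db/kea/kea-leases4.csv"
    },

    // Answer NAK for addresses we do not own on these segments, so a client
    // that wandered in from another subnet is told to start over.
    "authoritative": true,
    "valid-lifetime": 86400,

    "subnet4": [
      {
        "id": 1,
        "subnet": "192.0.2.0/24",
        // "interface" ties this subnet to the NIC the DISCOVER arrived on.
        // Without it Kea selects a subnet by the receiving interface's
        // address, and a mis-addressed interface can silently match nothing.
        "interface": "igc1",
        "pools": [ { "pool": "192.0.2.100 - 192.0.2.199" } ],
        "option-data": [
          { "name": "routers", "data": "192.0.2.1" },
          { "name": "domain-name-servers", "data": "192.0.2.1" }
        ]
      },
      {
        "id": 2,
        "subnet": "198.51.100.0/24",
        "interface": "igc2",
        "pools": [ { "pool": "198.51.100.100 - 198.51.100.199" } ],
        "option-data": [
          { "name": "routers", "data": "198.51.100.1" },
          { "name": "domain-name-servers", "data": "198.51.100.1" }
        ]
      },
      {
        "id": 3,
        "subnet": "203.0.113.0/24",
        "interface": "igc3",
        "pools": [ { "pool": "203.0.113.100 - 203.0.113.199" } ],
        "option-data": [
          { "name": "routers", "data": "203.0.113.1" },
          { "name": "domain-name-servers", "data": "203.0.113.1" }
        ]
      }
    ]
  }
}
```

Two checks are worth running against whatever file the UI actually produces: `kea-dhcp4 -t <path-to-kea-dhcp4.conf>` parses the config without starting the server and will refuse a subnet whose "interface" does not exist or has no address in that subnet, and `sockstat -4 -l | grep kea` shows which interfaces the running daemon is bound to. If the lease log only ever shows the LAN subnet, the first place to look is whether the generated subnet4 entries for the other two interfaces carry an "interface" key at all, and whether those interfaces had their static address assigned before Kea started.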
#6
Hi guys,

Hopefully someone can provide some insight for me on a minor issue that has me stumped. I'm not all that familiar with bsd (only opnsense) but pretty experienced with Linux, and I thought I knew grub well enough.

So here's the issue. I run a mini PC appliance from AliExpress. Celeron N5105, 16GB DDR4, 4x i226-V, RJ45 console. I run the device headless. UEFI boot, but device type or method doesn't seem to matter. I keep my RJ45 serial to USB cable plugged in 24/7 through the wall to my living room, by where I usually use my laptop.

When I reboot the machine, it boots straight up with no input required if my console cable is connected to my laptop and the laptop is on. If the laptop is off/asleep, the boot hangs waiting for user input. I have to open my laptop, open a PuTTY connection, and press Enter. Then the boot continues. There's no indicator in dmesg of course, as the boot process doesn't start until I hit Enter. If I plug in my portable 7-inch HDMI LCD, it also boots straight up. Basically, anything that would let me see the prompt keeps it from prompting 😂 I tried using an HDMI dummy adapter but it doesn't make a difference. I tried leaving my wireless keyboard USB dongle plugged in, doesn't make a difference. This BIOS has a ton of things but lacks the basic "wait for input, continue on all errors, etc." option.

I honestly can't tell if the POST is waiting for input or the bootloader. When I press enter, it immediately begins the boot without showing the bootloader menu, so it leads me to believe it's actually bootloader config that's waiting for the input. My loader.conf and menu config are unmodified. Actually the entire /boot is unmodified except whatever opnsense has changed. This install was a fresh install of 23.1. I haven't found an answer from searching, but surely someone knows this and it's a really simple change.

FWIW, I don't mind disabling the VGA console if that would fix it. I only use the serial console (console redirect is also enabled and configured properly in the BIOS).

Side note: occasionally, connecting over console shows nothing on the screen and accepts no input. Just the blinky cursor. To fix it I just reboot the system, which then shows the shutdown sequence on the console and accepts input once reset, no idea what causes that.

Thanks in advance for your help!
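
The three posts on this page about the headless boot hang (#2, #3 and this one) all circle the same question: where the FreeBSD loader's menu and countdown are controlled, and how to skip them on OPNsense. The file below is an added example, not the poster's configuration and not something OPNsense ships; it assumes that OPNsense reads /boot/loader.conf.local after its own generated loader.conf (so entries here override the console choice made in the UI), that the machine boots via UEFI, and that the BIOS serial redirect runs at 115200 8N1.

```conf
# /boot/loader.conf.local  -- added example, not from the original post or OPNsense.
# Assumption: OPNsense sources this file last, so it wins over the UI-written
# console settings. Edit from a shell, not the tunables page.

# If the pause is the loader menu waiting for a keypress on a console nobody
# is watching, skipping the menu removes the prompt. If the hang is in the
# firmware (POST / console redirect), this has no effect and the BIOS is the
# place to look.
beastie_disable="YES"

# Autoboot countdown in seconds. A small positive value still boots unattended
# but leaves a window to break in over serial for rescue. "-1" boots at once
# and cannot be interrupted; only use that with a known-good USB rescue image.
autoboot_delay="3"

# Serial first so loader and kernel messages land on the RJ45 console; the
# UEFI framebuffer second for the times an HDMI panel is attached. On a
# legacy/CSM install the video console is named "vidconsole" instead of "efi".
console="comconsole,efi"

# Assumption: must match the BIOS console-redirect speed.
comconsole_speed="115200"
```

After a reboot, `kenv | egrep 'beastie_disable|autoboot_delay|^console'` confirms the values the loader actually passed to the kernel; if they are missing, the file was not read and the assumption about loader.conf.local is wrong for this release. Keep the rescue USB stick the earlier post mentions within reach before trying autoboot_delay="-1", since with the menu gone and no countdown there is no interactive way back into the loader.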
#7
General Discussion / Re: Getting started with IDS/IPS
January 16, 2023, 02:34:59 PM
Hello,

TL;DR: yes, this will work essentially the same from the security side. Some problems may occur with network traversal from double NAT, though. Using DMZ averts most of these. Use a static IP on the OPNsense WAN port and set that IP as the DMZ IP on the ISP equipment.

references:
https://www.erikoest.dk/b_d_uk.htm#:~:text=Bridge%20mode%20%2F%20DMZ%20(in%20English),-Multiple%20routers&text=If%20your%20ISP%20(Internet%20Solution,Wide%20Area%20Network%20(WAN).
https://www.practicallynetworked.com/fixing-double-nat/



-- Breakdown --
So your modem is essentially another router (an edge router technically) which sits at the edge of your network infrastructure and is the gateway between your network(s) and the rest of the world (the internet). It obtains an IP address from your ISP, and then uses NAT to share the connection with your network. This is pretty much known by everyone but just throwing it out there for context.

By connecting your OPNsense box's WAN to the router set up as DMZ, all inbound traffic should be getting passed to the OPNsense box. Proper DMZ operation would pass incoming connection attempts, etc. to the OPNsense WAN. Your OPNsense box will, in default configuration, provide NAT to your LAN devices as well. This causes double NAT. But because you have DMZ set for your OPNsense device, you *SHOULD* be fine.

I emphasize *should* because it seems every consumer has a different idea of what they define as a DMZ. The first article above talks about using DMZ in place of bridge mode. Assuming your ISP's device's DMZ mode works as it should and the opnsense box is the only device directly connected to the modem, then it should work fine.

Make sure you define the static IP on your opnsense WAN port to match the one set as DMZ in your ISP equipment, otherwise you'll start having problems if your opnsense WAN ip changes.

EDIT: Just realized you wrote this back in November   :-[ but I'll leave this here in case someone else with the same question comes along. Maybe you or a moderator can change the title to better direct people with this question? And move it to the general forum? Something like "Using OPNsense device on ISP equipment as DMZ when unable to use bridge mode" or.. it might already be covered in a sticky there.
#8
Hello,

I am hoping to get a couple of opinions to help make a decision. I've been running OPNsense now for about 6 months, replacing my damned merlinwrt off-the-shelf router, and picked up a couple of business APs. My current appliance is a mini PC with a Celeron J4125 (2.0 GHz base, 2.7 GHz burst), dual Realtek LAN, 6GB DDR4. My ISP is Spectrum with between 200-250 Mbit/s down, 10-12 Mbit/s up. The LAN port of my appliance runs to a 5-port managed switch, which connects to my main AP (EnGenius ENS357APv3, Wi-Fi 6), which connects about 20 clients. Another port runs to an 8-port managed switch, which is filled with my PC, Unraid server, 3D printer, and a few other things. At any given time I have about 35-45 devices with active connections, capping out at 54 I believe one time. About 5 of those are macvlan aliases on my Unraid server.

My OPNsense appliance has AdGuard Home (thanks mimugmail) for blocklists. I was using Unbound for private reverse lookups but switched it over to dnsmasq tonight. I want to keep the DHCP on the OPNsense DHCP service. I have Suricata set on my WAN port in IPS mode with all the open and unregistered ET rules downloaded (not all enabled). I run Zenarmor on the LAN side. It used to use MongoDB and limited me to the 50-client choice, due to "poor" system specs, mostly because of the 6GB RAM. However, it's now using SQLite set to the 100-user maximum (due to having mimugmail's repo installed). I don't have any complex setups; I'm not doing SSL interception (once I get my VLANs set up, it'll be easier) or even SNI, after running into problems with only SNI selected (port forwards were set correctly). I disabled the transparent HTTP proxy as well now. Basic rules in pfilter: default allow out, drop all stateless incoming to the WAN address, DNS intercept to force use of the AdGuard DNS server. NetFlow running as well.

Current RAM usage is at about 2GB/6GB. I think the most I ever saw was up around 4 or 5GB, and it was only one time. CPU sits at around 25-60% during most standard usage, including gaming while streaming.

So the point I've been trying to get to... I picked up another mini PC, which has the same processor (Celeron J4125) with 8GB DDR4, dual NIC, yada yada. Just got it today (well, yesterday). I need to get familiar with QRadar, so I was going to install that on this new mini PC, but then I thought about swapping them. QRadar lists 8GB minimum, but I believe I installed it with less before.

Given the services I'm running, the loads I mentioned, my ISP speed, and that I'm only using 1 Gbps LAN, would I even notice a difference by swapping them out and using the 8GB model for OPNsense? I believe one big change is that Zenarmor, if reinstalled, would use the Elastic install of Mongo or SQLite? I think, after typing all this and laying it all out to myself as well, I don't think I'd really benefit from the swap, and the extra RAM would go to better use with QRadar. But I'd like to hear any opinions that anyone bored enough wishes to share.

Thanks in advance and for reading this overengineered post  ???


tech