Messages - fastboot

#1
The root cause was asymmetric routing: the initial packet from 10.62.70.59 reached its destination via a direct path (likely bypassing OPNsense), but the response went back through OPNsense, which dropped it due to missing state.

Also, it's crucial to use standard network terminology.
The term "KSPD" is not a recognized networking acronym and only leads to confusion. If it's a VPN or site-to-site tunnel, refer to it as such.
#2
As it seems the cronjob at 10PM did not work for me. For whatever reason. It was not executed every day at 10PM.... I changed the time to "90 cycles".
Not sure if anything has been changed with monit recently. At least this way it works again.
#3
Virtual private networks / Re: OpenVPN to WAN
May 21, 2025, 11:19:08 PM
routing...
#4
 Apply the action immediately on match.
#5
Quote from: SBV IT on May 02, 2025, 09:44:19 AM
Hi Fastboot,

we are currently using your script with the Business Edition of OPNsense.
To make it work with our setup, we've modified the following line:

AVAILABLE_VERSION=$(pkg rquery '%v' opnsense-business)
Is it also possible to detect major updates using your script?
For example, we currently have a system running OPNsense 24.10.2_8, and it is awaiting an update to 25.4; however, this doesn't seem to be picked up.

Greetings from Germany,
Nils

Hi Nils,

as I do not use the business edition, I am not sure. But surely the script should be adaptable.

For that I would need the output of the commands from the script. To have an example..

But unfortunately I am also facing some kind of issues. Not sure how to track it down actually.

For instance last check was 19.05 22PM. Today is 21.... No idea why monit gets stuck. Already checked the logs, but nothing.

Does anyone else face this issue?
#6
Quote from: giovanit on September 04, 2019, 01:36:53 PM
Firewall -> Settings -> Advanced
Enable:
- Reflection for port forwarding
- 1:1 reflection
- Automatic outbound NAT for reflection NAT

Firewall -> NAT -> Port Forwarding
WAN    TCP    *    *    WAN address    80 (HTTP)    192.168.1.50    80 (HTTP)    Name

This is not best practice and should not be used at all.
https://docs.opnsense.org/manual/firewall_settings.html
https://docs.opnsense.org/manual/how-tos/nat_reflection.html
#7
https://en.wikipedia.org/wiki/169.254


I propose to read through some HowTo's...

1. Workstation OS and IP addressing
2. Installation of OPNsense
3. Switch configurations, e.g. VLANs

#8
Sorry... No cookies, no support...

I assume you don't work in IT?

Nothing personal. But "doesn't work" and "isn't working" don't help much with troubleshooting. For me it still works on the non-business version.

Also, I rarely look in here. However, I probably could have helped right away if I had received a useful problem description. Just think about it ;)

#9
@franco

I've tried the new approach. Unfortunately your commit does not give the full output.

e.g.
root@fw:~ # configctl firmware changelog current
25.1.5
root@fw:~ # configctl firmware changelog latest
25.1.5

I would expect as output: 25.1.5_4

At least to have monit working properly to notify about a new version.

I did not read through the complete commit, but it would be nice if the complete version can be shown.
#10
Redirect DNS.... allow the traffic only to internal ones... Done...

If certs are involved, harder.... but doable...
#11
German - Deutsch / Re: No Internet on VLANs
February 13, 2025, 08:59:27 AM
I would perhaps take a look at the firewall logs to see whether something is being blocked somewhere. Of course, logging has to be enabled for that. If in doubt, create a floating rule that logs everything. If it really does get an IP automatically...

Otherwise ping, traceroute, mtr, tcpdump and wireshark are your friends.

By the way, if the PVID were not set correctly, the client would not get an IP either, because then nothing works at all.
#12
Quote from: meyergru on December 05, 2024, 11:27:54 AM
And for now my impression is like the usual case is a 2-3°C delta and up to 15°C for cases where heat transfer is problematic.

I wonder if it is better to keep the old way of doing it and explaining users that if they observe a big difference, they should inspect their cooling  ;)

Maybe it's just me, maybe I am in the wrong mood at this moment. But sometimes I have the impression you think that other users are stupid.

In this regard I can only speak for myself for sure. Actually I precisely know what I am doing. I know my hardware, and I know my tools. If not, I put time and effort in it to get a deep knowledge of the things I work with.

But to make it very short: There is no issue with the cooling in my devices. If it would, it would have been fixed already.
#13
@OPNenthu

I have a protectli, but like mentioned it's a different model. The VP6000 Series is almost brand new and shipped with two fans.
My 6630 has a completely different behavior with a Linux installed and using lm-sensors. In my case I can say the difference is like 30-40°C compared with the output I get from the dashboard.
Even the output of "sysctl dev.cpu | grep temperature" is far away from these peaks.

https://protectli.com/wp-content/uploads/2024/07/VP6630-Datasheet-20240628.pdf
On page 8 you can see the mainboard. #28 would be the place for the NVME (I'm using an INTENSO SSD with SLC). There is an additional heatsink with a thermal pad mounted in my case.

On top of that I got a replacement part from Protectli. The first 36-48 hours the Dashboard showed lower values in comparison to the other machine. After that it reached as well the 80-82°C on the dashboard. So to summarize: both devices have the same behavior after ~2+ days.

My environmental temperature is monitored by different Sensors. Just to name some: BME680, BME280 and some others.

The NVME is monitored as well:
E.g
Temperature:                        36 Celsius

Room_Temperature right now:  21,52 °C (increasing)
Also this temperature is far away from having an impact on the temperature of the FW. In a high computing power pc build, the NVME temperatures are even similar. And there the heatsink is "MASSIV" (Gigabyte X670 Aorus Master)

Let's see how it goes in the summer :D
#14
Quote from: Patrick M. Hausen on December 04, 2024, 06:09:39 PM
Quote from: fastboot
Quote from: Patrick M. Hausen
You logged into a file with the command `sysctl -a | grep temperature`?

No, not that command. I did not test it, but I would assume that even this wouldn't make a huge difference.


Trust me, it will. This command reads 16.000 OIDs from the kernel and this is what heats up the CPU.

And while it is perfectly fine to argue that this is not a clever way to read the CPU temperature because a side effect of the reading itself raises it significantly, the temperature read is correct at that very moment.

That's the entire point. Finding better ways to read temperatures while not missing sensors some users might consider essential.

Well... give the users the choice what they want to see.

When I build dashboards in Grafana, Home Assistant, .... I choose only what I want to see.
But not sure if this is that easy to implement, as I am far from being a dev myself.
#15
Like just mentioned. My Unix skills are very limited.

From reading the other threads, the way to measure is "sysctl dev.cpu | grep temperature | sort" but correct me if I am wrong.

As I never reach the 80-82°C with this reading, I assume that the other reading must be wrong. I only reach these specific temperatures when I stress the CPU to 100% and even this does not happen in just 1 second.