Messages

how can I mark this as solved?

Renaming the thread title by adding '[Solved]' at the beginning is the most common.

Let's see what is needed by using the lastes 26.1.6 nano as an example. The referenced guide writes:

OpenSSL is used for image file verification. 4 files are needed for verification process:

• The SHA-256 checksum file (<filename>.sha256)
• The bzip-compressed image file (<filename>.<image>.bz2)
• The signature file for the uncompressed image file (<filename>.<image>.sig)
• The OpenSSL public key (<filename>.pub)

• For "The SHA-256 checksum file", "<filename>.sha256" refers to "OPNsense-26.1.6-checksums-amd64.sha256"
• For "The bzip-compressed image file", "<filename>.<image>.bz2" refers to "OPNsense-26.1.6-nano-amd64.img.bz2"
• For "The signature file for the uncompressed image file", "<filename>.<image>.sig" refers to "OPNsense-26.1.6-nano-amd64.img.sig"
• For "The OpenSSL public key", "<filename>.pub" refers to "OPNsense-26.1.pub"

"<filename>" does mean different things here, which can be a bit confusing.

With that the process would be as follows:

• verify the *.pub file content by comparing it from two different sources
• Verify the compressed image: 'openssl sha256 OPNsense-26.1.6-nano-amd64.img.bz2'
• Convert the signature file to base64: 'openssl base64 -d -in OPNsense-26.1.6-nano-amd64.img.sig -out /tmp/image.sig'
• Verify the uncompressed image file against it's signature and the public key: 'openssl dgst -sha256 -verify OPNsense-26.1.pub -signature /tmp/image.sig OPNsense-26.1.6-nano-amd64.img'

Could you elaborate which part you did find confusing and need clarification?

needing to nano in a new file .pub -- for the public key

Not sure what you want to say here.

as well as a bit of unclearness about whether you uncompress before or after checking the checksum 256

Since "openssl sha256 OPNsense-<filename>.bz2" ends in "bz2" you can be sure that for the sha256 checksum the compressed file is needed. And later it then mentions in the warning "Make sure to unpack the image using bunzip2 before verifying". So checksum => compressed image, verification => uncompressed image.

I solved the problem; it was related to the converter I was using. Thank you.

Thanks for reporting back. What converter did you end up using? Would maybe helpful for future reference.

Finding 1 — updates blocked by lapsed subscription (403).

If you buy a OPNsense appliance, you get 1 year of the Business Edition. After the year you either renew/pay the subscription or change to Community Edition. The 403 likely means that your BE subscription has run out and therefore you are not allow access to the BE repo anymore.

You can switch to the CE and back to BE later if you choose to renew the subscription.

Finding 2 — templates errors every boot, and the serial console has no login prompt.

I'm can't comment on the template error. For the serial console, make sure the 'USB-based serial' box is unchecked. You can find details in the documentation:

https://docs.opnsense.org/hardware/serial_connectivity.html#serial-console-connectivity

Regarding upgrading to latest: Fastest is usually backup the configuration and reinstall if you have fallen back a bit. Otherwise if you go via the webGUI, just upgrade to whatever OPNsense is offering you, and the next and so on.

The cable we are using is a 2 fibers LC UPC Duplex to LC UPC Duplex OS2

You can't use single mode cables with multimode transceivers. Gotta be OM (usually OM3 or OM4)

https://en.wikipedia.org/wiki/Multi-mode_optical_fiber

Did I understand you correctly, that you have the FS S+85DLC03D for the Mikrotik switch and the FS SFP-10GSR-85 in the OPNsense 3800. They really should work together. And you do use a multi-mode fiber cable?

What Mikrotik switch model is it and does the Mirotik switch also show the correct information about the transceiver?

Searching the forum, someone installed OPNsense on it some time ago : https://forum.opnsense.org/index.php?topic=29602

This is an OPNsense (FreeBSD based router) forum.

You are better of asking the GL-iNet forum (https://forum.gl-inet.com/) if you are running the official GL-iNet firmware or the OpenWRT forum (https://forum.openwrt.org/) if - and only if - you are running the official OpenWRT firmware.

You gotta provide a lot more information if anyone should be able to help you.

• what OPNsense version are you using?
• exact mini PC model/motherboard (motherboard is the most important part
• exact i226-T2 model
• exact converter model
• which port is the converter placed on the motherboard?
• the output of "pciconf -lv'

Please bear with me if I am not saying this well.

Yesterday I noticed an update that updated the updater on my opnsense DEC850v1 device. I think it changed the mirror from which I get my updates. It now says https://pkg.opnsense.org/FreeBSD:14:amd64/26.1 is my mirror.

Was this legit?

How to you check the mirror it uses, in the web GUI, System: Firmeware > Status? It shows the same URL for me for the mirror '(default)', that is fine for sure.

No update should ever change the mirror.

Any other things I should be looking into?

What is the ISP2 device you're connecting to (type/model)?

• Add a small switch between igc1 and the ISP modem/router. The ISP modem/routers are sometimes very picky when it comes to auto negotiate speed
• Or try set the interface speed manually to something you know the ISP modem/router supports
• Or configure it as an additinal LAN(2) interface, connect it to a small switch. That should be enough to see if the link comes up

Coreboot

No coreboot in the DEC740 I got, do you know which models got coreboot?

This is my first installation of OPNsense, before I was using pfsense and perhaps I switched on&off some parameters in some "specific" sequence that "activated" some bug, while exploring the configuration.

I think you are mistaken, the picture you posted is exactly what was to be expected: you are connect by HTTPS. It's written as HTTPS but with a red line through it, if it had been HTTP then HTTP would be at the start of the URL.
But the browser marks it as not secure because the HTTPS certifcate in use is a self-signed one (it's the same with pfSense).

All self-signed certificates are marked as not secure but every device you buy uses a self-signed certificate. Be it Synology, QNAP, pfSense, OPNsense, Sophos, etc.

TL;DR: What you see it exactly what was expected, you are connecting to https://<your OPNsense IP> and the browser asked you to verify that you want to connect to an not secure page (but still https as shown in your screenshot)

pls find hereafter a picture of my configuration. I try to connect to webgui on https, but I am always switched on http.
I do not understand why...

You are right, that should not be possible. If you access the GUI by HTTP you will be redirected to HTTPS automatically.
Have you pressed 'Save' at the bottom of the page?

Can you post a picture of the web browser URL when you access the GUI per HTTP, that includes the full URL when the GUI/login is shown?
And maybe try a `curl -o - http://<your OPNsense>/ ? That should not output anything normaly when HTTPS is active.

Was würdest du mir für ein Programm empfehlen? Ich arbeite ausschliesslich mit Apple (Mac) und nutze Firefox. Ich bin auch bereit, für eine gute Software zu bezahlen – wichtig ist mir einfach, dass es zuverlässig funktioniert

Ich arbeite auch meistens mit einem Macbook Air und an zweiter Stelle mit dem Linux System. Mittels Mac habe ich mich auch schon Serielle verbunden. Wie vom @Patrick vorgeschlagen verwende ich minicom (gibt's auch auf Linux, so muss ich nix neues lernen :) ).

Grundsätzlich: Ein Terminal (z.B. Terminal oder iTerm auf dem Mac) ist nicht ausreichend, es braucht ein Programm welches das serielle Protokoll versteht, wie minicom, screen oder CoolTerm. Es ist aus Deinem Text nicht ersichtlich ob der Punkt klar ist, darum hier die vielleicht überflüssige Klarstellung.

Da der Mac den seriellen Port in /dev/ auflisted, kann man davon ausgehen, dass der Teil geklappt hat. Wenn Du über Homebrew minicom installiert hast, starte es mittels :

Code Select Expand

minicom -b 115200 -D /dev/tty.usbmodem
(Du kannst minicom verlassen per ESC + x oder das Menü anzeigen per ESC + z, die ESC Taste ist die META Test in macOS)

Nachdem Du die Return/Enter Taste drückst, solltest Du eine Ausgabe sehen. Wenn nicht angezeigt wird, dann trifft eventuell das von @Patrick erwähnte zu und Du musst im BIOS die entsprechenden Einstellungen ändern.

https://docs.opnsense.org/hardware/serial_connectivity.html#serial-console-connectivity, der Abschnitt "Legacy UART vs. UEFI serial" wichtig!

Das BIOS wird auf alle Fälle angezeigt, egal wie die oben erwähnte BIOS Einstellung gesetzt ist. Sprich wenn Du die DEC740 neu startest, während Du mit der seriellen Konsole verbunden bist, muss das BIOS erscheinen.