Messages - le_top

#1
On multiple occasions I've been observing that even though a certificate has been renewed, the previous version is still being serviced.
I then manually trigger the HAProxy restart action directly from the "Run automations" symbol under Services>ACME Client>Certificates>Certificate Entry>Commands.
The certificate being served then becomes correct, but some time later I get the old one back.

I now find 2 certificates listed as "Update Certificates" under Services>HAProxy>Maintenance>SSL Certificates.
There is an entry for 1_HTTPS_frontend and on that line under Commands, an "Apply Changes" icon is available.
Clicking that and confirming the operation also gets rid of the use of the old certificate.  Hopefully this stays permanent, now I only need to find a way to automate this after a certificate renewal as restarting the HAProxy does not seem to permanently affect this.

EDIT:
It is possible to create another automation (Service>ACME>Automations) for this.  When selecting "System or Plugin Command" under "Run command", "Sync SSL certificate changes into running HAProxy service" can be selected as a system command.  I think this is the permanent fix.

EDIT2:
Tested the automation on a 2nd setup where 5 was shown under "Update certificates".  Running the automations that now include the sync command made that go away ;-).
#2
Thank you both for your quick replies.

"opnsense-update -pA 24.7" does partially work, I stumble on another error:

===> Pre-installation configuration for squid-6.10
[6/8] Extracting squid-6.10:  79%
pkg-static: Fail to set time on /usr/local/sbin/.pkgtemp.squid.8Gwysv47Hapu:No such file or directory
[6/8] Extracting squid-6.10: 100%


That may be why the system updated to a newer OS version, but not the corresponding OPNsense version.  I've been performing the updates from the WEBUI previously.

EDIT:
Calling upon "opnsense-update -pA 24.7" a second time fixes the issue.
#3
I have a similar issue.

I proceeded with a series of updates on an old install and I am now stuck on the system trying to get:

http://pkg.opnsense.org/FreeBSD:14:amd64/24.1/sets/changelog.txz

which does not exist.

However
http://pkg.opnsense.org/FreeBSD:13:amd64/24.1/sets/changelog.txz

exists.

The question is:
- Is that usable?
- How to force to get that file?

Quote
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.1.10_8 at Tue Jul 30 16:04:03 CEST 2024
Fetching changelog information, please wait... fetch: https://pkg.opnsense.org/FreeBSD:14:amd64/24.1/sets/changelog.txz: Not Found
Updating OPNsense repository catalogue...
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.1/latest/meta.txz: Not Found
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.1/latest/packagesite.pkg: Not Found
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.1/latest/packagesite.txz: Not Found
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
#5
I have OPNsense running on a Proxmox server where its WAN port has the WAN_IP directly (datacenter).

On the LAN network it's connected to a bridge where several containers and VMs are connected.

I have several NAT rules which allow a connection from the public network to an internal TCP Service I'll call LANIP2:LANPORT.  The NAT rule works for WANIP:WANPORT to LANIP2:LANPORT.



However when I try to connect from a machine on the internal network to WANIP:WANPORT, the NAT rule does not seem to apply - I can not connect.  I can connect if I map the domain name to the internal IP, either in /etc/hosts or by mapping it to the local IP in unbound DNS running on OPNsense.

I would like to do it properly though.

#6
I've tried to determine why OPNsense stopped connecting and tried to fix it interactively using different methods without success.

When it happened at a bad time (the day after I was on a remote location for a few weeks), I looked into a method to monitor this and reboot if needed - which led to the already known solution apparently with a similar undetermined reason for the loss of the network.

Yes, OPNsense is connected to another router which is my internet modem where OPNsense is defined as the DMZ.

OPNsense is on a dedicated machine with two ethernet ports and installed as the native OS (no proxmox nor other virtualisation) on a Core i3-8100 CPU @ 3.60GHz based machine.
#7
From time to time I lost internet connectivity "from my internal network" - and I found that OPNsense could not connect to the internet either.
The internet box was connected to the internet though and as far as I remember, I could connect to the internet box from my internal network.  And connect to the internet through a direct connection through the internet box (without the OPNsense firewall).

It turned out that I was not alone and a script already existed.
I have adjusted that to my needs, made it a bit more self-contained with regards to its installation.

It's available as a gist: https://gist.github.com/035129a6f90979ba39ec8377e99922f5

This script will ping the internally defined servers on every execution.  When the ping fails, it will bring the igb0 interface down and up to try to restore the connection and ping again.  If that fails, OPNsense is rebooted.

I find that my OPNsense server reboots from time to time and that I do not have to intervene unless the internet connection is really down.
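The ping / bounce-interface / reboot sequence described in the post above, as an added example written for this page (it is not the gist's script): a cron-driven watchdog for OPNsense/FreeBSD. The hostnames, paths, the `igb0` default and the cron schedule are assumptions, and it defaults to a dry run that only logs what it would do.

```shell
#!/bin/sh
# Added example (not the gist from the post): WAN watchdog for OPNsense.
# Ping a few hosts; on failure bounce the WAN interface and re-check;
# if still unreachable, reboot. Defaults below are assumptions; set
# DRY_RUN=0 only on a box you really want to bounce or reboot.
WAN_IF="${WAN_IF:-igb0}"                     # interface named in the post
CHECK_HOSTS="${CHECK_HOSTS:-9.9.9.9 1.1.1.1}" # constructed sample targets
PING_CMD="${PING_CMD:-ping -c 1 -W 2000}"    # FreeBSD: -W in ms (Linux: s)
SETTLE="${SETTLE:-10}"                       # seconds to wait after a bounce
DRY_RUN="${DRY_RUN:-1}"                      # 1 = log only, never act

log() { printf '%s wan-watchdog: %s\n' "$(date '+%F %T')" "$*" >&2; }

# Succeeds if at least one host in $1 answers; one dead host alone
# is not enough to declare the WAN down.
any_host_reachable() {
    for h in $1; do
        if $PING_CMD "$h" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

bounce_interface() {
    log "bouncing $1"
    [ "$DRY_RUN" = 1 ] && return 0
    ifconfig "$1" down && sleep 2 && ifconfig "$1" up
}

reboot_system() {
    log "WAN still down after bounce, rebooting"
    [ "$DRY_RUN" = 1 ] && return 0
    shutdown -r now "wan-watchdog: no upstream connectivity"
}

# Prints the action taken: ok | recovered | reboot
recover_link() {
    if any_host_reachable "$CHECK_HOSTS"; then
        echo ok; return 0
    fi
    bounce_interface "$WAN_IF"
    sleep "$SETTLE"
    if any_host_reachable "$CHECK_HOSTS"; then
        echo recovered; return 0
    fi
    reboot_system
    echo reboot
}

# Assumed cron entry: */5 * * * * /usr/local/bin/wan-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then recover_link; fi
```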
#8
Quote from: jellelle on July 29, 2023, 09:14:25 AM
Could you tell us how to enable websocket on HAProxy?
Emby and Home Assistant don't work completely without them.

For the record, I use the setup explained in the tutorial and I also have an issue with Home Assistant's use of websockets.

The issue is that after about 30 seconds of inactivity, the web socket is closed by haproxy, which results in a page reload as this is what Home Assistant does when the socket disconnects or reconnects (probably to ensure that the shown states are up-to-date).

I opened a github issue for that and the founder blames the haproxy configuration.

There is at least one UI for nginx that has an option for websockets.

I've tried amending timeout values, but none of those that I changed had a positive effect on the timeout.

I have not found the correct option yet - I guess that there is a setting to fix this.

Edit: it seems that there is a heart-beat @55 seconds and nginx times out at 60 seconds, while ha-proxy does at 30s by default.  https://github.com/home-assistant/home-assistant-js-websocket/issues/108 .

I added "timeout tunnel 60000" to Services>HAProxy>Settings>Settings>Default Parameters>Custom Options which is available after enabling the advanced mode.

Then I checked Services>HAProxy>Config Export where I could find this setting in the same section as the one suggested by Home Assistant.

#9
When looking at the dyndns log, I can see that the password is used as "Authorization: Apikey PASSWORD", so the password should be the Api key.

I ran into difficulties basically because the service I selected to identify my IP address returned an empty result.
After changing the service, the IP update worked properly with an empty username and the Api key as the password.

The hostnames are the "subdomain" - for the root domain one has to set "@".
#10
I must be missing something.

I've tried several approaches without success.

I defined a bridge, and I can ping the bridge using the IP I want to use as the gateway IP on the other subnet.
I've added a firewall rule on the bridge to let everything pass.

I'd be surprised this can't be done in OPNsense.
#11
I would like to define at least two subnets on my OPNsense LAN interface.

This is not for security reasons, but because some devices need to be on a predefined subnet.
I want to communicate from one subnet to the other.

I thought that I could configure the firewall to listen on multiple IPs, set it up as the gateway on all IPs and a DHCP server for each one of them.
The DHCP server is not really a requirement.  One would be configured to accept only certain MAC Addresses, and the other one may be set up to deny them.

I can define a Virtual IP on the firewall and ping it.

My switch is not VLAN capable.

Is it possible to add some kind of virtual interface operating on the physical LAN interface?



I've already looked around on the forum:

Closest topic - but I do not have another Laptop to configure to ensure the forwarding:
https://forum.opnsense.org/index.php?topic=18381.0
Suggests the Virtual IP, but that's not the complete solution, and no solution was provided in the end:
https://forum.opnsense.org/index.php?topic=17655.0
Other topic, but more about VMs, and no OPNsense solution:
https://forum.opnsense.org/index.php?topic=5429.0
Regarding access points:
https://forum.opnsense.org/index.php?topic=15168.0
Pretty close: two neighbours that want a subnet:
https://forum.opnsense.org/index.php?topic=14224.0