Messages - weidah

#1
I think I've got it.
AGH config had bind_hosts set to 0.0.0.0; I guess it didn't like that. I now manually set all the IPs, including 127.0.0.1, and I was able to NAT it.
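As an added example (not code from the thread, from OPNsense or from AdGuard Home), here is the check I would run on a client to confirm the fix above, instead of flushing the cache and pinging: send one query to the CARP VIP on an unconnected UDP socket and report which source address the reply comes from. Most stub resolvers reject a reply whose source address does not match the server they queried, so a resolver that listens on 0.0.0.0 and answers from an interface address instead of the VIP produces exactly the slow, timeout-then-fallback behaviour described in this thread. The VIP and the name to look up are command-line arguments (my assumption); the sample reply used for the offline self-check is constructed, not captured.

```python
"""Probe a DNS resolver behind a CARP VIP and report the reply's source address.

Added example, not from the forum thread. Assumptions: the VIP and the name to
look up are passed on the command line; the server listens on UDP/53.
"""
import socket
import struct
import sys


def build_query(name, txid=0x1234):
    """Minimal RFC 1035 query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data, offset):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return offset + 2
        offset += 1 + length


def parse_response(data, txid):
    """Return (rcode, [A-record addresses]) from a raw DNS reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4      # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return flags & 0x000F, addrs


def check_resolver(vip, name="example.com", timeout=2.0):
    """Query vip:53 on an *unconnected* UDP socket, so a reply sent from a
    different source address is still received instead of silently dropped.
    Returns (reply_source_ip, source_matches_vip, rcode, addrs)."""
    txid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (vip, 53))
        data, (src_ip, _port) = sock.recvfrom(4096)
    rcode, addrs = parse_response(data, txid)
    return src_ip, src_ip == vip, rcode, addrs


# Constructed sample reply (not captured from a real server): NOERROR, one A record.
SAMPLE_TXID = 0x1234
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00\x00\x01\x00\x01"          # question echoed back
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)    # name ptr, A, IN, TTL, RDLENGTH
    + bytes([93, 184, 216, 34])
)


def self_check():
    """Offline check of the builder/parser against the constructed sample."""
    return parse_response(SAMPLE_REPLY, SAMPLE_TXID) == (0, ["93.184.216.34"])


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("self-check:", "ok" if self_check() else "FAILED")
        print(f"usage: {sys.argv[0]} <carp-vip> [name]")
        sys.exit(0)
    vip = sys.argv[1]
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    src, ok, rcode, addrs = check_resolver(vip, name)
    print(f"reply from {src} (expected {vip}): {'OK' if ok else 'MISMATCH'}; "
          f"rcode={rcode} addrs={addrs}")
```

Run it from a LAN client against the VIP before and after changing bind_hosts (or after adding the NAT port forward to 127.0.0.1); MISMATCH, or a timeout, is the problem state, and a reply from the VIP itself is what a healthy HA pair should show from either node.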
#2
Thing is, I just started playing around with HA and CARP. It worked before with no issues, even for WireGuard clients, which were on a completely different IP range. I just cloned the virtual machines for CARP testing, fixed any duplicate entries and everything worked flawlessly, apart from AGH.

I've now just created an alias for the IPs of the two instances of OPNsense as the target. This seems to work, although the first query takes a bit long; after that it's normal and fast.

Will still investigate this further. The issue I'm also facing now is SR-IOV not playing nice with CARP.  >:(


EDIT: Using an alias was not a good idea. While Windows kinda figures out what to do, every other client on the network is really slow to resolve. I've now, for the time being, disabled NAT syncing between the two instances and set each to forward to its own network IP.
#3
Yeah I have it setup to automatically add the rules.
Changed it to tcp/udp, still didn't work.

But when I forward it to the actual IP of the current master it works.



Also I have to add that my testing is very unscientific, just "ipconfig /flushdns" and then trying to ping, visiting the website and checking the query logs in AdGuard.
#4
Quote from: mimugmail on May 09, 2024, 06:28:38 AM
Yep, that's a known bug in AdGuard

https://github.com/AdguardTeam/AdGuardHome/issues/3015

Seems that this is the case, yes.

Quote from: Patrick M. Hausen on May 09, 2024, 10:30:39 AM
Bind AGH to 127.0.0.1 and use NAT port forwarding to make it reachable at the CARP address. That should do it.

Actually tried that yesterday. Didn't work unless there's something I'm missing.
VIP 192.168.0.1


Screenshot from AdGuard

#5
I've got the AdGuard plugin, which was working fine until I set up CARP.

I have to set the DNS on windows to the actual IP of the LAN interface. I can't use CARP VIP to resolve hostnames for some reason.


Any ideas what could be the issue?
#6
Figured it out. It's a bug with SR-IOV, where the virtual bridge that has the Virtual Function of the SR-IOV won't forward anything until you manually set the bridge forwarding database to include the virtual NICs.

I already have a script that does it for the machines on boot, and when I migrated to the other host I would have had to do it there also. Unfortunately I haven't come across a way to hook it to trigger on migration.
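The fix described in this post, written out as an added example that is not the poster's script and not part of Proxmox: reconcile the bridge forwarding database on the SR-IOV VF with the MACs of the VMs on the host, adding only the entries that are missing so it is safe to run repeatedly. Everything specific here is my assumption, not something the thread confirms: that VM MACs can be read from /etc/pve/qemu-server/*.conf, that `bridge fdb show dev <vf>` lists what the VF already knows, that `bridge fdb add ... self static` is the right flag pair (use `master` instead if it is the software bridge rather than the NIC that drops the frames), and that Proxmox's VM hookscript `post-start` phase runs on the migration target, which is the trigger the post says it could not find and is the first thing to verify. The config and fdb samples are constructed for the offline self-check.

```sh
#!/bin/sh
# Added example (not from the thread or from Proxmox): ensure every VM MAC on this
# host has a static FDB entry on the SR-IOV VF that uplinks the bridge.
# Assumptions: VM MACs live in /etc/pve/qemu-server/*.conf; `bridge fdb show dev <vf>`
# shows the VF's current entries; `bridge fdb add <mac> dev <vf> self static` is the
# right fix for this NIC; Proxmox runs the hookscript's post-start phase on the
# migration target (to be verified).
set -eu

# Print lowercase MACs found in qemu-server config text passed as $1.
vm_macs_from_conf() {
    printf '%s\n' "$1" \
        | sed -n 's/^net[0-9][0-9]*: *[A-Za-z0-9]*=\([0-9A-Fa-f:]\{17\}\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# Print the MACs from $2 (whitespace-separated) that have no entry for device $3
# in the `bridge fdb show` output passed as $1.
missing_macs() {
    fdb="$1"; macs="$2"; dev="$3"
    for mac in $macs; do
        if ! printf '%s\n' "$fdb" | grep -qiE "^$mac dev $dev( |$)"; then
            printf '%s\n' "$mac"
        fi
    done
}

# Add the missing entries for real. Needs root and iproute2's bridge(8).
apply_fdb() {
    vf="$1"
    fdb=$(bridge fdb show dev "$vf" 2>/dev/null || true)
    conf=$(cat /etc/pve/qemu-server/*.conf 2>/dev/null || true)
    macs=$(vm_macs_from_conf "$conf" | tr '\n' ' ')
    for mac in $(missing_macs "$fdb" "$macs" "$vf"); do
        echo "adding $mac to fdb of $vf"
        bridge fdb add "$mac" dev "$vf" self static
    done
}

# Constructed sample data (not captured from a host) for an offline self-check.
SAMPLE_CONF='boot: order=scsi0
net0: virtio=52:54:00:00:00:01,bridge=vmbr0
net1: virtio=52:54:00:00:00:02,bridge=vmbr0,tag=10
scsi0: local-lvm:vm-100-disk-0,size=32G'
SAMPLE_FDB='52:54:00:00:00:01 dev enp1s0v0 self static
01:00:5e:00:00:01 dev enp1s0v0 self permanent'

self_check() {
    macs=$(vm_macs_from_conf "$SAMPLE_CONF" | tr '\n' ' ')
    [ "$(missing_macs "$SAMPLE_FDB" "$macs" enp1s0v0)" = "52:54:00:00:00:02" ]
}

# As a Proxmox hookscript the arguments are <vmid> <phase>; run by hand as
# `VF_DEV=enp1s0v0 ./sriov-fdb.sh apply`. With no arguments only the self-check runs.
case "${2:-}${1:-}" in
    post-start*|apply) apply_fdb "${VF_DEV:?set VF_DEV to the VF interface name}" ;;
    *) self_check && echo "self-check ok (nothing applied)" ;;
esac
```

To try it as the migration trigger, place the script in a snippets storage and attach it with `qm set <vmid> --hookscript local:snippets/sriov-fdb.sh`, then watch `bridge fdb show dev <vf>` on the target host after a live migration; if the entry does not appear, the post-start assumption is wrong and the script still works when run by hand.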
#7
Hi!

I've got a Proxmox cluster with some VMs.

So for whatever reason, after I do a live migration of a VM to a backup server, the VM has no internet. OPNsense can't ping the VM and the VM can't ping OPNsense. But I can ping both from my PC and they can both ping me; we're all on the same network.
I thought it might be an ARP table issue, but the MAC and IP are the same and I wouldn't be able to ping them if that were the issue. Also it's showing up correctly in the ARP table inside OPNsense.

The interesting thing is though, that if I move it back it will work again. Also I saw it do an ARP broadcast in Wireshark after migrating.

I'm really confused and have no idea where to start looking.


EDIT:

It even got an IP from the DHCP server. It just doesn't have internet and can't really communicate with the gateway.

EDIT#2: It has to be an OPNsense issue, because just for a test I gave it a gateway of our backup Ubiquiti Dream Machine and it kept pinging Google without issues throughout the migration and after.


EDIT#3: Just noticed that the migrated machine can't talk to any other machine inside the cluster. And as OPNSense is also a VM in the cluster, it has to be an issue with Proxmox Networking and I have to investigate there now.
#8
In my small business we use online services which are great, but lack some things when it comes to cross-service communication.
I've written some JavaScript that handles this and it works great. We've been using this for the better part of the year.
We're using Scripty or another JS injection extension for Chrome.


For a long time I've been thinking about how to get this onto mobile phones, which don't support these extensions.
Is there a suggested way to do this? We only need to get the JavaScript injected on iOS/iPadOS/Android devices.

Proxy maybe? Is there a suggested one for OPNsense, or a different way someone would go about getting this to work?


Best regards,

Tom
#9
Figured it out for the slow loading. It was Unbound DNS that was misconfigured: it couldn't start and kept retrying and crashing, go figure.

For the WireGuard issue, I've added a script that runs on startup and reloads the rules.
#10
Hi!

I've just migrated to Proxmox and have some strange issues.

At boot, the first thing is that it gets stuck for a really long time finishing loading php_fpm (but I can already access the GUI at this point), and then HAProxy takes a while also.
Sometimes HAProxy will go fast once it gets to it. But on my other machine it boots really fast. I do get to enter the interface while it's still loading, but I have to manually start AdGuard to get DNS and internet to work. Is there a way to control the loading order?


The other thing, and more important, is that WireGuard just doesn't work correctly. After each reboot I have access to the remote LAN but not the internet.

Interestingly enough, stopping and starting a rule on the firewall WG0 interface makes it work. And it doesn't even have to be the rule for this particular WireGuard connection. Or even just enabling and disabling logging makes it work.

I've checked the firewall rules and it shows it as allowed, but there's no traffic going through until I do something in the WG0 firewall rules.


Any ideas as to what might be the cause for this?


The only real thing I've done differently on this VM is that I've passed through the NICs with SR-IOV and disabled some interfaces. Might have also updated after the migration, not sure.




Thanks for any help,

Tom / Weidah
#11
General Discussion / Ntopng won't start
March 05, 2022, 05:57:06 PM
So after installing os-ntopng-enterprise and os-redis and then starting redis, ntopng doesn't launch.

Log from backend:

Script action stderr returned "b'ld-elf.so.1: Shared object "libgpg-error.so.0" not found, required by "ntopng"'"

Log from general:

/usr/local/etc/rc.d/ntopng: WARNING: failed to start ntopng


log from install or redis:

***GOT REQUEST TO INSTALL***
Currently running OPNsense 22.1.2_1 (amd64/OpenSSL) at Sat Mar  5 17:47:35 CET 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
mimugmail repository is up to date.
Updating ntop repository catalogue...
ntop repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   libgcrypt: 1.9.4 [OPNsense]
   libgpg-error: 1.44 [OPNsense]
   os-redis: 1.1_1 [OPNsense]

Number of packages to be installed: 3

The process will require 5 MiB more space.
21 KiB to be downloaded.
[1/1] Fetching os-redis-1.1_1.txz: ... done
Checking integrity... done (0 conflicting)
[1/3] Installing libgpg-error-1.44...
[1/3] Extracting libgpg-error-1.44: .......... done
[2/3] Installing os-redis-1.1_1...
[2/3] Extracting os-redis-1.1_1: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/Redis: OK
[3/3] Installing libgcrypt-1.9.4...
[3/3] Extracting libgcrypt-1.9.4: .......... done
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages:

Installed packages to be REMOVED:
   libgcrypt: 1.9.4
   libgpg-error: 1.44

Number of packages to be removed: 2

The operation will free 5 MiB.
[1/2] Deinstalling libgcrypt-1.9.4...
[1/2] Deleting files for libgcrypt-1.9.4: .......... done
[2/2] Deinstalling libgpg-error-1.44...
[2/2] Deleting files for libgpg-error-1.44: .......... done
***DONE***



Why is libgpg-error-1.44 first installed and then uninstalled?
#12
General Discussion / Re: VLAN not working for me
March 03, 2022, 10:45:20 PM
Yeah, I did that and it works :)
#13
General Discussion / Re: VLAN not working for me
March 03, 2022, 09:39:42 PM
I don't think so. Even if there's no action on the other ports, at least it should make some kind of traffic on the VLAN for the switch to report.
#14
General Discussion / VLAN not working for me
March 03, 2022, 04:05:09 PM
Hi!

So I've gone through everything correctly I think. But nothing seems to work.

I started with my Ubiquiti switch. I've created VLAN 10 and set port 3, where my LAN2 is, to tagged, then port 15 to untagged for me to connect my PC directly and test.

I've created a new VLAN 10 in OPNsense with the parent interface LAN2.

I've then assigned it.

I've enabled it and given it an IP range of 192.168.90.1/24

I've then passed through everything in a rule for OPT5 (which is the VLAN10)

I've enabled DHCP on OPT5 with range 192.168.90.10-192.168.90.100 and gateway 192.168.90.1 and DNS 192.168.90.1

Images in link to see settings.

https://imgur.com/a/mFiqmwO

EDIT: added overview SS

https://imgur.com/a/Xcg35HV

EDIT:

Is it possible that this is due to me having OPNsense virtualized in ESXi?

Because as soon as I tuned that NIC to VLAN 10 in ESXi it showed up right away on the switch.