Messages

Just to mention, on one test box and two operational boxes, all bare metal Intel and AMD, hostwatch trots along quietly with no untoward CPU spikes or log writes. Three principal subnets (no vlans), all IPv4, around 25 devices.

So how can I rollback or switch to a point where the new firmware was not installed, if the operations are persisted

This is, in terms of my explanation, a configuration change. It is not part of the snapshot, so you can still roll back to the prior configuration.

This appears to be the question:

My problem of understanding is why and when will a snapshot in OPNsense start to persist data? When I make it active for the first time? If so, this means I cannot use (rollback to) a snapshot more than once. e.g. how do I rollback to Sept. 2025 when the "default" snapshot was created?
Somehow there is a disconnect I cannot reconcile.

and this is a lay answer from my use of snapshots: essentially, you do not roll back to a date but to a version.

If I take a snapshot then I am preserving a (presumably) stable version. All normal operations of the router will continue to be reflected in that snapshot version as well as in the active. That is, it continues to update for operations ... but not for configuration.

Any configuration changes will be reflected in the Active version but not in the Snapshot version. If you like the changes and they are stable, you can make that the master simply by continuing to use it while optionally deleting the Snapshot. If you do not like the changes then revert to the Snapshot in which case your configuration changes will vanish yet the router will be operationally up to date. If your changes crash the router then you can recover safely to your snapshot on boot.

Snapshots reflect a configuration point, not a time point.

I will be interested to see whether my understanding is confirmed.

Given the base is working software, not a development from scratch, I can understand that the release pattern does not follow a conventional cycle such as one might read in Wikipedia. I interpret development as a form of beta which is yet changing for reasons other than bugs. Community I accept as an advanced stable release which may yet have bugs which are fixed under _NN releases. Business is a supported stable release which might be called long term except that its term is not long.

Opnsense is not the only operation to follow a pattern like this, nor the only forum in which it is argued. I think that the conventional namings from alpha through gold, including the word beta, confuse the issue by their prior connotations.

We have a stable base product. On that there is a development offshoot. When that is feature-complete (for this phase) and stable it becomes Community, field testing more advanced features ahead of the low-risk business edition.

The clear implication is that there are three levels of risk for the consumers who must themselves share the risk management as discussed, firstly by selecting in which level they will join and secondly by their own testing and timing of upgrades on one or more of their own systems. Personally I use select Community then upgrade (always with snapshots) through "Does it work for a few hours?" on a reserve box to "Does it work for a few days?" on an internal production box to "Here we go" on the edge router.

Mikrotik offers WiFi6 devices such as the wAP and cAP but not mesh as plug and play. On the other hand, they give you absolute control of every other aspect of operation including nigh-endless vLans or virtual radios. Do you have ethernet between the levels?

Given you commented on the date and time, are you using the TOTP feature?

I currently have shaping turned off. I tried shaping as a troubleshooting step to limit the speed to 1gb but nothing changed.

The intel x550 NICs will not auto negotiate to 2.5gbps. Which is programmed into the firmware. Manual selection is required. This is why I have a 2.5gb usb nic order so I can test if the NIC is at fault.

I see. You mean like this comment which I found on the Intel site here?

The autonegotiation for 2.5 and 5Gb speeds for the X550 was changed in 2020.

Default autonegotiation excludes the 2.5 and 5Gb speeds.

If 2.5 or 5Gb is chosen in the dropdown, it will change autonegotiation to only advertise that speed. So it is not forcing to 2.5Gb or 5Gb when those options are chosen, it changes the advertised speed.

That may be an issue if the switch is configured as forced to 2.5Gb instead of autonegotiate.

If that still does not help, please make sure the ethernet updated to the latest NVM and drivers.

This comment and the prior discussion on the Intel site imply to me that the problem may lie with NIC configuration rather than with Opnsense config. Your proposed test may be informative ("may" because I lack complete confidence in USB-Ethernet adapters even though I sometimes use them in testing).

You are shaping the WAN-side speed? What was the preceding position, when using auto-negotiation?

@xXHelperXx, I think you misunderstood the meaning of "here". The problem with using an image service is it is more likely to disappear, leaving this thread largely incomprehensible to anyone who might have a similar problem in the future. Is there any particular reason you are unable to post images here, within your replies, rather than as links?

Regarding your further comment, are you filtering on the interfaces or on the bridge? https://docs.opnsense.org/manual/how-tos/lan_bridge.html (see Step Six, System Settings Tunables)

Not really sure why it still block and why especially on LAN and not on VPN.

Different rules, most likely. LAN and Wireguard are not the same subnets.

If you publish your rules here, I will look at them to see whether I can help. Using imgur is not publishing here.

I looked closely at IPFire when first developing my understanding of firewalls and routing, loading both it and OPNsense and donating to both (hoping for IPFire v3) while I examined them. I found IPFire presented concepts cleanly in its otherwise dated interface and its user-driven documentation, but ultimately went for the greater capability, flexibility, of OPNsense. IPFire can be nigh-dictatorial in its model. You can do "everything and more" in OPNsense and its documentation, though in a different style, gives you both setups and detail. As ever, the user forum is a vital component of the information and Q&A system so questions about any translation of concepts or implementation will be answered here.

I never had IPFire in production so cannot comment directly on working up that transition. While I keep an eye on IPFire by continuing to accept their e-mail announcements (curiosity), for my own circumstances there is no question that my choice was sound.

Hi allddd,

Nice work on this!  If you want we can work on including this in a future release as an optional binary package and see how it goes from there?

Cheers,
Franco

Hi Franco,

Thanks! I'd be honored, just let me know how I can help :) Would you need any changes to the Makefile/build process, maybe an install target? A man page would also be nice.

Is this a likely event for, say, 26.1?

Frohe Weihnachten Patrick und alle anderen

The next steps will be adding an openVPN client

Unless there is some external compatibility reason for openVPN, consider Wireguard.

... one thing I also will add, is a way to write a backup to a separate ssd so I can restore it if (when) I mess up

I hope you selected ZFS during installation. If not, consider reinstalling and choosing that. This will enable snapshots (System>Snapshots) which are the quickest and easiest recovery mechanism when something gets stuffed up to the extent you need to revert. You can also save your configuration as an XML file. Snapshots are also part of the upgrade routine, so you can always revert to the prior version if you find a bug in the new one, or you can snapshot before testing a new configuration you are making.

ISC was responsible for "ISC DHCP" which is superseded by Kea, especially for larger installations. DNSmasq is an alternative. Please ignore "ISC DHCP" in the menus, whatever else you do (other than making sure it is disabled of course).

I prefer Opnsense official documentation, which is generally well written. If it proves a little terse then ask for clarification here. Videos and other secondary documentation can be out of date or wrong (or both) so if video is your preferred instructional method you should still verify every step against the official documentation. You will find the relevant part here.

The advice I am giving you is based also on my own working Kea with different subnets and reservations in each. It worked first time by following the docs.