Messages - coatmaker618

#1
Noticed something else: on the NUT page in OPNSense the service looks like it's running -- however on the OPNSense dashboard it does not report to be running. So perhaps there's a config issue? I don't know what to look at, and there's precious little to click around in. I do not believe this was happening before, and it also takes longer to get me back to the page when I click refresh in the NUT tool.
#2
That would probably help. It LOOKED enabled (allowed access but no access control as allowed) but was not. I enabled version 1 of SNMP instead of 3 (UPS had both) since 3 required authentication.

That aside, still not seeing anything in the NUT web UI for UPS status.
#3
Gave that a try and I'm not seeing anything in Diagnostics -- so I assume it's still not working?

I disabled netclient & have the following configs for SNMP.
#4
I've got a networked CyberPower UPS that I'm trying to get to work with the NUT plugin for OPNSense.

See attached images for most details but here's a few not shown:

I'm using the netclient "UPS type" (all others are unchecked).

Nut account settings (dropdowns under general settings are blank).
  • Services: Nut: Diagnostics page in web UI is blank.

This is what I see in a terminal that I have open:
```
Broadcast Message from root@OPNsense01
        (no tty) at 14:42 EST...

UPS user@192.168.20.21:80 is unavailable
```
Are there any log files I should be looking at?
Any obvious settings missing?
I did find this post, but it's about a USB connection, not a networked UPS.  So it looks like cyberpower is supported, at least somewhat.
https://forum.opnsense.org/index.php?topic=22203.0
#5
High availability / HA confusion
November 25, 2024, 04:58:41 AM
I have two physical OPNSense boxes I'm using as my primary router, and either one of them performs fine.  However I have a few problems when I try to run them together in High Availability:

  • [maybe solved, see edit #1 below] The network has multiple VLANs (or OPT networks if you prefer), and OPNsense is the DHCP server & DNS server for these networks. When both boxes are connected I am seeing DHCP conflicts, DNS conflicts, etc. How do I get them to share the info rather than both try to act as the primary router on the network? Is there a config or setting I'm missing somewhere?
  • I am on a residential network, so I only have 1 WAN IP & 1 physical RJ45 port for my WAN connection. How do I keep two (or more) nodes of an HA "cluster"? Do I need to physically move a cable? Can I create a 2nd route through the "other" routers? Any suggestions are welcome!


PS: Is "cluster" even the right word for HA OPNSense? It seems like it's more of a train, per this post:
https://forum.opnsense.org/index.php?topic=30225.msg146197#msg146197

Edit #1:
I think the DHCP conflicts were due to some combo of services not getting synced and the backup node not getting updated (possibly breaking sync?) due to it not having a direct internet connection (see point #2 above). At the moment, the DHCP conflicts seem to be gone so I'm counting that as a win. For anyone who tries this in the future, double-check all this. Also, the newer sync is SO MUCH BETTER than the old one & actually gives some insight.
#6
Whelp, after MANY hours spent wondering what could possibly be wrong it turns out that it was actually Prometheus Node Exporter.  I fat fingered the address when I put it in.  I understand this means I'm an idiot, but some sort of notification about this would be nice.  Or even stop the metrics but start HAProxy? At least that would help me narrow down debugging.

For anyone else who has this problem, is there a log that would show you this? I knew to double-check HAProxy's listening IP & port, but I didn't think to check the metrics.
#7
Hah, right? Everyone has some story (or will).  How do you do an automated backup? Where does the backup live?
#8
Wanted to throw out a simple feature request--some form of idiot reminder to export your config before applying an update.

This could be as simple as a static string with a link to the backup/export page--or could be more complicated like storing whether there's been an export of the config.

Note: Tying it to time or change could also work. Just thought that a dummy reminder could be appreciated!
#9
I am trying to use HAProxy as a reverse proxy in OPNSense. This SHOULD be straightforward (no?) but I'm getting some errors that are out of my depth... The current error is that HAProxy is refusing to start (immediately stops when start button is pushed).

I tried using the GUI to create the reverse proxy components and I believe they are all correct (test button says no issues). However when I try to press start--it immediately stops. I don't see anything in any logs but I'm happy to look around more if anyone knows some useful places to look.

Much troubleshooting & googling has gotten me to running the command below and seeing the following error:
"unknown directive '.'" from running `haproxy -c -f /usr/local/etc/rc.d/haproxy`

I know that `. filename` allows bash to source the file name, but I don't know whether that's standard in BSD or what would be required or missing for that to work. It's also the first line in my file so it may be a red herring? As I said, I'm out of my depth here! Any help is appreciated.

Also, no idea WHY I'm getting this problem. If anyone could point me towards a default version of this file (and possibly other files) or tell me the best way to restore a default version of this file--I would happily try that too.

Thanks in advance!
#10
I'm configuring a new OPNSense installation and I've been having trouble connecting to the webGUI when the firewall is enabled--which is problematic.

After some digging, I found an automatic rule to block all TCP traffic to 443 commented with "sshlockout". (See attached image)

I tried changing the default port for the webgui but this rule actively seems to track that.

What is creating these sshlockout rules? Why is something (seemingly) related to ssh creating a rule on port 443 (not just 22)? And how did you go about finding this out so I can do it if I run into other problematic automatic rules with minimalistic descriptions?

Image of full rules here because I couldn't get it below 300KB >:(
https://imgur.com/a/pxOSQct

Edit: I just realized I don't have any sort of auto-lockout rule!  Is that something I need to select outside of the wizard?
#11
High availability / Re: HA with 3 nodes
September 13, 2022, 06:40:49 PM
I was just about to ask this too!

It seems trivial to do with CARP, but I don't see a way to sync any of the info to more than 1 node using PFSync :(
#12
High availability / Re: am I using CARP incorrectly?
September 13, 2022, 06:38:52 PM
I hope so! I'm looking to do something similar (with fewer VLANs) but I don't see how else you do it unless you can change state of all VLANs/networks on change of CARP state (after all, OPNSense is aware of the state of all networks)?
#13
Ok, found some more quirks. I thought I had a functioning setup; the trick was to only add the WAN interface on initial setup (not add LAN). I later added a bunch of OPT interfaces.

Now, somehow, the firewall seemingly added rules about blocking BOGON/local IP addr on the WAN (I want those allowed & I am certain I unchecked those), and it moved the "anti-lockout rule" to one of the OPT interfaces. Is there a way to disable those rules apart from the wizard?

I did not check this as I was adding the OPT interfaces as it did not occur to me that anything like this would happen >_<

As for the previous questions--I can't confirm I checked the firewall logs or applied the allow all rule when everything was in the correct state so it's hard to say as things have changed. If I can get the "Automatically generated rules" back the way I want them, I will happily check firewall logs & try making an allow all rule again. After going through the wizard I was able to get BOGON/local IP addr to be allowed on WAN (we'll see if that stays) but I was NOT able to change the anti-lockout rule from OPT1 to WAN.

Thanks for showing me the health check. While it came out fine, I had not heard about that before, so that was a new one! Learned something new that will definitely be useful in the future :)

#14
DNS rebind check is disabled, but I'm currently accessing it via IP address.

Listen Interfaces is currently all (recommended & default) but I do want to make it only WAN eventually.
#15
I'm doing weird things and I found OPNSense behaving differently than I would expect. Is it a bug or a misunderstanding on my part?

I am trying to set up OPNSense to have the web interface accessible on the WAN! (Don't worry, it's nested behind a standard OPNSense router so WAN != internet for THIS router)

I have been having weird issues with this setup, and I eventually did a factory reset of OPNSense & I noticed 2 things:
1) A package (HAProxy) is still installed. While I'm happy it's there as I did want it, I don't know if there's a separate way to clear packages if that's not desired?
2) The web interface stopped working when I tried to access it via the WAN.

#2 made sense, as the sane default is WAN block all & LAN allow all. No big deal, this is good design & I proceeded to disable the firewall with the cli `pfctl -d`. And as expected, it worked like a charm, webgui was there :)

The problem arose when I went through the wizard and allowed bogon & private networks on the WAN (remember, not the internet in this case). I checked firewall rules, and WAN even has the "anti-lockout rule"! Great! Exactly what I want, now just `pfctl -e` and -- wait, now I can't access the webgui. `pfctl -d` and the webgui loads.

So my question is, why is the webgui blocked by the firewall on the WAN even with the anti-lockout rule on the WAN?  I have no manually set firewall rules & have done nothing beyond the wizard.

Is there another toggle somewhere I'm missing to prevent this (as, I get it, this is normally a terrible design)? Or is this just a design nobody ever tested?

Notes:
I'd be happy to explain my setup if that's needed to debug -- whether the solution is to re-architect my network, fix this "bug" (if it is a bug), or find a hidden toggle--please let me know! I want to get this system to a stable & functional state.

If there's any logs/debug info that would help please let me know what it is!

Attached is a screenshot of the firewall rules on the WAN.