Messages - ProximusAl

#1
This is a stab in the dark, but try turning EEE off on OPNsense.

In the UK, we had issues with the 2.5G port on the DOCSIS 3.1 modem with specific firmware which were related to Energy Efficient Ethernet. We've since had a firmware upgrade on the modem to fix it, but hey...worth a try?
#2
PowerShell scripts. Let's see how this looks

param($result)

# ----- EDIT THESE -----
$FullchainPath = '/usr/share/certify/alanplum.crt'
$PrivKeyPath   = '/usr/share/certify/alanplum.key'
$DescrCommon   = 'CertifyTheWeb Wildcard'

$Targets = @(
  @{ hostName='hide.me.net'; key='hidden'; secret='hidden' }
)
# --------------------------------

# Ensure PowerShell 7+ for -SkipCertificateCheck
if (-not ($PSVersionTable.PSVersion.Major -ge 7)) {
  throw "This script requires PowerShell 7+ for -SkipCertificateCheck. Current: $($PSVersionTable.PSVersion)"
}

# Read PEMs once; use LEAF cert
if (!(Test-Path $FullchainPath)) { throw "Fullchain not found: $FullchainPath" }
if (!(Test-Path $PrivKeyPath))   { throw "Private key not found: $PrivKeyPath" }

$allPem  = (Get-Content -Raw $FullchainPath) -replace "`r`n","`n"
$LeafPem = [regex]::Match(
  $allPem,
  '-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----'
).Value

$KeyPem  = (Get-Content -Raw $PrivKeyPath) -replace "`r`n","`n"

function Invoke-OpnAddOrUpdate {
  [CmdletBinding()]
  param(
    [Parameter(Mandatory)][string]$HostName,
    [Parameter(Mandatory)][string]$Key,
    [Parameter(Mandatory)][string]$Secret,
    [Parameter(Mandatory)][string]$Descr,
    [Parameter(Mandatory)][string]$Leaf,
    [Parameter(Mandatory)][string]$Prv
  )

  $base   = "https://$HostName"
  $pair   = "${Key}:${Secret}"
  $basic  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
  $headers = @{
    Authorization = $basic
    Accept        = 'application/json'
  }

  # 1) Search existing by description
  $uuid = $null
  try {
    $search = Invoke-RestMethod -Method Get -Uri "$base/api/trust/cert/search" `
              -Headers $headers -SkipCertificateCheck
    if ($search -and $search.rows) {
      $row = $search.rows | Where-Object { $_.descr -eq $Descr } | Select-Object -First 1
      if ($row) { $uuid = $row.uuid }
    }
  } catch {
    $status = $_.Exception.Response.StatusCode.value__ 2>$null
    $msg    = if ($_.ErrorDetails.Message) { $_.ErrorDetails.Message } else { $_.Exception.Message }
    Write-Warning ("[FAIL] {0} search (HTTP {1}) {2}" -f $HostName,$status,$msg)
    return
  }

  # 2) Build payload (PEMs via *_payload)
  $payload = @{
    cert = @{
      action               = 'import'
      descr                = $Descr
      cert_type            = 'usr_cert'
      private_key_location = 'firewall'
      crt_payload          = $Leaf
      prv_payload          = $Prv
      csr_payload          = ''
    }
  } | ConvertTo-Json -Depth 8

  # 3) Update if found, else add
  if ($uuid) { $url = "$base/api/trust/cert/set/$uuid"; $action='UPDATED' }
  else       { $url = "$base/api/trust/cert/add"      ; $action='ADDED'  }

  try {
    $null = Invoke-RestMethod -Method Post -Uri $url -Headers $headers `
              -ContentType 'application/json' -Body $payload -SkipCertificateCheck
    Write-Host ("[OK]   {0} {1}" -f $HostName,$action)
  } catch {
    $status = $_.Exception.Response.StatusCode.value__ 2>$null
    $msg    = if ($_.ErrorDetails.Message) { $_.ErrorDetails.Message } else { $_.Exception.Message }
    Write-Warning ("[FAIL] {0} (HTTP {1}) {2}" -f $HostName,$status,$msg)
  }
}

foreach ($t in $Targets) {
  try {
    $descr = if ($t.ContainsKey('descr') -and $t.descr) { $t.descr } else { $DescrCommon }
    Invoke-OpnAddOrUpdate -HostName $t.hostName -Key $t.key -Secret $t.secret `
                          -Descr $descr -Leaf $LeafPem -Prv $KeyPem
  } catch {
    Write-Warning ("[FAIL] {0} unexpected error: {1}" -f $t.hostName, $_.Exception.Message)
  }
}

That was hard to get from my iPad at home :)

#3
What I do is just replace the existing one via the api and restart the webgui.  I think it matches on description.

I have scripts to do exactly this, but I can't share them until I'm back at work in January.
#4
Hardware and Performance / Re: DEC750 Questions
December 22, 2025, 07:03:14 PM
If anyone is interested, I did successfully upgrade the i226-V's in a DEC750 to 2.32.

I used the 1MB bin file from BrandyWine.

All 5 of the DEC750s I ordered had the 2.25 EEPROM by default, and all have been successfully upgraded to 2.32, and had a bit of a hammer test.  All seem to work fine.

I'm sure some of you are asking.....why?

I guess because I can. I just like to make sure that all BIOS and other firmware is up to date before putting it into prod.

I'm sure someone might be interested, but if not, I've at least shared it's possible. :)
#5
Hardware and Performance / Re: DEC750 Questions
December 20, 2025, 12:32:49 PM
Quote from: DEC670airp414user on December 20, 2025, 12:08:59 AM
To the original poster.

The appliance came with a 180 dollar business license that lasts a year.

Why did you decide to wipe and go to the community version?

I don't need business edition, and these 750s are replacing devices already running CE.

I considered using BE, but then I have just increased my annual running costs x 4.

I've had zero issues running CE for the last 5 or so years, so why change.

Plus...CE gets cool things sooner than BE.
#6
Hardware and Performance / Re: DEC750 Questions
December 19, 2025, 10:44:35 PM
Well, the DEC750 has been absolutely rock solid in production now, including upgrading it tonight to .10 CE release.

I've ordered 4 more DEC750s from the shop :). FedEx says arriving Monday.

I honestly wish I'd done this sooner. They are more expensive than other Chinese alternatives but so worth it in terms of stability and issues.

For anyone in the UK considering ordering from the web shop, make sure you have an EORI number. (Google it)

I had a small issue with customs because I didn't have an EORI number, but was easy to apply due to my company being VAT registered. (We've never imported anything before to the UK)

Over the next few weeks, all of my OPNsense routers will be running on official Deciso hardware.

The major thing I noticed, was the 750 (which is fanless) runs consistently at about 37C, whereas my Chinese alternatives (with a cpu fan) run about 55C! This is on a 10G leased line with SFP+ optics.

If you can afford to get a DEC.....you won't regret it.

One last thing.....and I'm going to ask it, even though I think I know what the response will be :)

The DEC750 has the i226V. Should I...(I'm going to try anyway on one of them) do @BrandyWine firmware update on them to the latest firmware? I successfully did my Chinese device ones, but don't know where I would stand with Deciso on warranty if I did it.

The one currently in prod is using SFP+, so I won't touch it, but one of the others isn't, using all 3 i226 ports.
#7
Hardware and Performance / Re: DEC750 Questions
December 13, 2025, 06:27:59 PM
Well....that was easy....popped into work today.

Just manually edited the config.xml to change mlxen0/1 to ax0/1.
I also removed the intel microcode plugin from the xml.

Imported....plugged it in, now in production.

I am now officially a massive fan of Deciso hardware :)

One last question if I may...

After import, the AMD microcode plugin shows (misconfigured).
I didn't realise there was anything to configure, so for now, I've just removed the plugin.

I'll be placing an order for 3 more next week.  Brilliant hardware..
#8
Hardware and Performance / Re: DEC750 Questions
December 12, 2025, 11:57:29 PM
Device received.....
Nice bit of kit...

I decided to ride the lightning and ignored previous advice and:

1. Updated the BIOS to .35 (Was on 33)
2. Formatted the NVMe and installed Community 25.7 from serial image (ZFS)
3. Added the AMD microcode plugin
4. Updated to 25.7.9_7
5. Did *not* enable HyperThreading in BIOS.

I ran out of time, so will play with importing (after modifying interfaces) my existing config.

If it runs stable and nice, I'll order another 3 to replace other Chinese devices :)

The only oddity I found was when updating from 25.7 to 25.7.9: I did get an error thrown on the screen to check the log (blueish background popup), but I found nothing and it installed and rebooted as expected anyway with no intervention. (This wasn't the original pkg update error...I got that first as expected)

Health checks all pass after the reboot.

Really looking forward to getting this into prod..
#9
Hardware and Performance / Re: DEC750 Questions
December 10, 2025, 10:13:59 PM
Joy. Shipped email received, should get it tomorrow. Happy days
#10
Hardware and Performance / Re: DEC750 Questions
December 09, 2025, 11:26:56 AM
No response from that email either :(

It's like the shop doesn't have anyone working there.

It let me place an order, and crickets since the order acknowledgement.
#11
Hardware and Performance / Re: DEC750 Questions
December 08, 2025, 10:04:18 PM
There is something wrong with the web shop.

It created me an account (still no emails about my order), but when I set a password for the web shop it says it's always weak and won't let me set it.

Apparently niOpzEY$3Rie`3-G2`TQT6<(bTS1*Ejysu~4{K0v is a weak password.

So I can neither log in to check my order, nor have I had any emails regarding the shipment of my order, only an acknowledgment email.
#12
Hardware and Performance / Re: DEC750 Questions
December 08, 2025, 11:35:31 AM
So just to be extremely clear for me:

1. Should I install the AMD Microcode plugin on a DEC750, or not? What's the recommended ideology?
2. I'm assuming I'll update the BIOS day 1, to make sure it's fully up to date.
3. Is there any value in enabling HyperThreading? AMD CBS -> Zen Common Options -> Core/Thread Enablement -> SMTEN

I'm just looking at the BIOS update instructions, and 1 and 3 are mentioned, but no recommendation.

The final thing is my current backup came from an install with the Intel Microcode plugin installed, which obviously I don't want with this device.
Is this easy to remove from the config before importing?

TIA
#13
Hardware and Performance / Re: DEC750 Questions
December 08, 2025, 09:20:12 AM
I have ordered one this morning, FedEx priority shipping to the UK, so hope it will be here soon.

Fingers crossed...
#14
Hardware and Performance / Re: DEC750 Questions
December 07, 2025, 09:02:10 PM
I also agree.

I'm currently running 4 different OPNsense on the Chinese hardware, with no major issues, but as this is so critical for work, I think I'd feel better with a DEC.

The device in question is an R86S-G2, which has a super weird issue it has developed with one of the SFP+ ports which can be resolved by rebooting x number of times, but causes me a headache after upgrades. I have ordered another one, but it's going to take a month to get to me, so thought, why not just buy a DEC.

I'll look into ordering the DEC750 tomorrow, and see if I can import my config....


#15
Hardware and Performance / Re: DEC750 Questions
December 07, 2025, 08:39:51 PM
This is exactly why I'm looking at the DEC750.

I'm using an N100 in a business scenario already, which recently is displaying odd behaviour.
The price of the DEC is acceptable to the business, but I prefer to run community edition.

Rather than buying more Chinese variants on AliExpress, I'd rather get supported hardware for the job and hope, it just works.

I appreciate I'd have to fiddle with importing the config due to interface names, but hoping the DEC750 can directly replace the N100...which does currently route the 5 gig with no issues.