Messages - morik_opnsense

1
24.7 Production Series / KEA DHCPv4 Option 6 (DNS) multiple values + Option 43
« on: November 27, 2024, 07:48:37 pm »
Hello,
Running ISC DHCPv4 on OPNsense 24.10.1-amd64 (business edition). The KEA DHCPv4 server seems stable enough to consider moving over. For ISC, the OPNsense GUI provided only 2 values for DNS servers per subnet. However, one could use Additional Options-->6 followed by a hex string to add >2 DNS alternatives. I have 4 configured (adguard+pihole running on VMs + on a Pi2 - for when server reboots are required).

Code: [Select]
c0:a8:64:24:c0:a8:64:22:c0:a8:64:23:c0:a8:64:24
I'd like to maintain this setup in KEA. Their documentation (https://downloads.isc.org/isc/kea/2.6.1/doc/html/arm/dhcp4-srv.html) indicates that multiple values are possible. But, because I haven't migrated to KEA yet, I can't tell whether such multiple (more than 2) values in DNS options will be supported. Any guidance would be much appreciated.

Furthermore, in order to provide Ruckus/Cisco Wi-APs with controller information, I use Option 43 like so

Code: [Select]
type=string "hex 060c3139322e3136382e302e3431"
But, in the GUI, I'm unable to find a way to provide such additional custom options which survive a reboot?
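
The two hex strings in this post are raw DHCP option payloads, so it is worth being able to build and check them rather than hand-typing bytes. The following is an added example, not code from the post, from OPNsense or from Kea: a small Python codec for option 6 in the colon-separated byte form used above, and for option 43 as the RFC 2132 section 8.4 code/length/value list. The sub-option code 6 and its string value are taken from the post's option 43 example; that this is the layout the APs expect is the poster's claim and is not verified here.

```python
import ipaddress
from typing import Iterable, List, Tuple


def encode_dns_servers(servers: Iterable[str]) -> str:
    """Option 6 payload: each IPv4 server as 4 raw bytes, rendered as colon-separated
    hex (the form the ISC 'Additional Options' field in the post uses)."""
    raw = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    return ":".join(f"{b:02x}" for b in raw)


def decode_dns_servers(hexstr: str) -> List[str]:
    """Inverse of encode_dns_servers; rejects payloads that are not whole addresses."""
    raw = bytes.fromhex(hexstr.replace(":", ""))
    if not raw or len(raw) % 4:
        raise ValueError("option 6 payload must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def encode_vendor_suboptions(subopts: List[Tuple[int, bytes]]) -> str:
    """Option 43 payload as RFC 2132 8.4 encapsulated sub-options: code, length, value.
    Codes 0 (pad) and 255 (end) are reserved, so they are refused as sub-option codes."""
    out = bytearray()
    for code, value in subopts:
        if not 1 <= code <= 254:
            raise ValueError(f"sub-option code {code} out of range (0 is pad, 255 is end)")
        if len(value) > 255:
            raise ValueError(f"sub-option {code} value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    return out.hex()


def decode_vendor_suboptions(hexstr: str) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, honouring pad (0) and end (255), and refuse truncated records.
    A length byte that claims more data than is present is the classic hand-typing error."""
    raw = bytes.fromhex(hexstr)
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, only {len(value)} present")
        out.append((code, value))
        i += 2 + length
    return out


if __name__ == "__main__":
    # Round-trip the two strings from the post.
    print(decode_dns_servers("c0:a8:64:24:c0:a8:64:22:c0:a8:64:23:c0:a8:64:24"))
    print(decode_vendor_suboptions("060c3139322e3136382e302e3431"))
```

Decoding the option 6 string from the post yields 192.168.100.36, .34, .35 and .36 again, i.e. the first server is repeated as the fourth; decoding the option 43 string yields sub-option 6 carrying the ASCII text 192.168.0.41. Building the strings with the encoder instead of by hand avoids the silent length mismatch the decoder guards against.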

2
General Discussion / looking for ipv6 filterlog samples for {TCP, UDP, ICMP} please
« on: August 01, 2024, 06:23:17 am »
Hello all,
I'm sure many of you have implemented bsmithio's project https://github.com/bsmithio/OPNsense-Dashboard/tree/master for obtaining and rendering OPNsense telemetry data via the TIG stack (Telegraf, InfluxDBv2, Grafana).

A recent change in OPNsense's filterlog data caused the filterlog processing in graylog to break. I forked (https://github.com/morikplay/OPNsense-Dashboard) the aforementioned project and fixed it for IPv4 packets (+ a few enhancements). Not having enabled IPv6 in my home network, I am unable to complete the changes for others to potentially benefit from. I did look at this link https://github.com/opnsense/ports/blob/master/opnsense/filterlog/files/description.txt that Franco sent in one of the forum threads. But, I'd appreciate a few (5-10) sample filterlog traces for IPv6 packets with UDP, TCP and ICMP each, please. This will help me verify the implementation and give back to the open-source community.

3
24.1 Legacy Series / Post 24.4.1 (business) upgrade FW initiated traffic is blocking
« on: June 28, 2024, 03:11:21 pm »
(updated w/ logs - initial post was done via cellphone)
Hello experts,
When on 23.x business edition, life was great. The 24.x upgrade was to make it better. To a large degree it is. But, I have a strange new problem which I’m unable to solve. Two plugins: crowdsec (port 8080) and Telegraf (port 8086 for influx) stopped working. Logs indicate a connection timeout for both services. The destination endpoints (on opt6) are fine, and reachable to/from elsewhere both inside and outside the network; just not when originating from the firewall, for non-ICMP traffic. No rule changes at my end. Results in a timeout.

Code: [Select]
traceroute to 192.168.100.21 (192.168.100.21), 64 hops max, 40 byte packets
 1  crowdsec-lapi (192.168.100.21)  0.656 ms  0.416 ms  0.330 ms

Live log doesn’t show packet blocks. It does show “let packets from firewall itself” in the out direction, but nothing in the reverse direction (which should be allowed by default given the stateful nature of flows).

Code: [Select]
curl -vi --connect-timeout 10 http://crowdsec-lapi.esco.ghaar:8080
* Host crowdsec-lapi.esco.ghaar:8080 was resolved.
* IPv6: (none)
* IPv4: 192.168.100.21
*   Trying 192.168.100.21:8080...
* ipv4 connect timeout after 9999ms, move on!
* Failed to connect to crowdsec-lapi.esco.ghaar port 8080 after 10006 ms: Timeout was reached
* Closing connection
curl: (28) Failed to connect

interface capture shows:

Code: [Select]
Servers
vlan0.100 2024-06-28
07:37:50.442037 f4:90:ea:00:9f:72 00:50:56:82:d8:b4 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.1.31315 > 192.168.100.21.8080: Flags [S], cksum 0x8070 (correct), seq 445912424, win 65535, options [mss 8960,nop,wscale 12,sackOK,TS val 1292126707 ecr 0], length 0
Servers
vlan0.100 2024-06-28
07:37:50.442400 00:50:56:82:d8:b4 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.21.8080 > 192.168.100.1.31315: Flags [S.], cksum 0xe967 (correct), seq 3873949677, ack 445912425, win 43440, options [mss 1460,sackOK,TS val 3838080763 ecr 1292126707,nop,wscale 9], length 0
Servers
vlan0.100 2024-06-28
07:37:51.442697 f4:90:ea:00:9f:72 00:50:56:82:d8:b4 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.1.31315 > 192.168.100.21.8080: Flags [S], cksum 0x7c87 (correct), seq 445912424, win 65535, options [mss 8960,nop,wscale 12,sackOK,TS val 1292127708 ecr 0], length 0
Servers
vlan0.100 2024-06-28
07:37:51.443231 00:50:56:82:d8:b4 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.21.8080 > 192.168.100.1.31315: Flags [S.], cksum 0xe57e (correct), seq 3873949677, ack 445912425, win 43440, options [mss 1460,sackOK,TS val 3838081764 ecr 1292126707,nop,wscale 9], length 0
Servers
vlan0.100 2024-06-28
07:37:52.462713 00:50:56:82:d8:b4 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.21.8080 > 192.168.100.1.31315: Flags [S.], cksum 0xe182 (correct), seq 3873949677, ack 445912425, win 43440, options [mss 1460,sackOK,TS val 3838082784 ecr 1292126707,nop,wscale 9], length 0
Servers
vlan0.100 2024-06-28
07:37:53.642675 f4:90:ea:00:9f:72 00:50:56:82:d8:b4 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.1.31315 > 192.168.100.21.8080: Flags [S], cksum 0x73ef (correct), seq 445912424, win 65535, options [mss 8960,nop,wscale 12,sackOK,TS val 1292129908 ecr 0], length 0
Servers
vlan0.100 2024-06-28
07:37:53.643161 00:50:56:82:d8:b4 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.21.8080 > 192.168.100.1.31315: Flags [S.], cksum 0xdce6 (correct), seq 3873949677, ack 445912425, win 43440, options [mss 1460,sackOK,TS val 3838083964 ecr 1292126707,nop,wscale 9], length 0
Servers
vlan0.100 2024-06-28
07:37:55.662758 00:50:56:82:d8:b4 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.21.8080 > 192.168.100.1.31315: Flags [S.], cksum 0xd502 (correct), seq 3873949677, ack 445912425, win 43440, options [mss 1460,sackOK,TS val 3838085984 ecr 1292126707,nop,wscale 9], length 0
Servers
vlan0.100 2024-06-28
07:37:57.842474 f4:90:ea:00:9f:72 00:50:56:82:d8:b4 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.1.31315 > 192.168.100.21.8080: Flags [S], cksum 0x6387 (correct), seq 445912424, win 65535, options [mss 8960,nop,wscale 12,sackOK,TS val 1292134108 ecr 0], length 0
Servers
vlan0.100 2024-06-28
07:37:57.842885 00:50:56:82:d8:b4 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.21.8080 > 192.168.100.1.31315: Flags [S.], cksum 0xcc7e (correct), seq 3873949677, ack 445912425, win 43440, options [mss 1460,sackOK,TS val 3838088164 ecr 1292126707,nop,wscale 9], length 0
Servers
vlan0.100 2024-06-28
07:38:01.966765 00:50:56:82:d8:b4 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.21.8080 > 192.168.100.1.31315: Flags [S.], cksum 0xbc62 (correct), seq 3873949677, ack 445912425, win 43440, options [mss 1460,sackOK,TS val 3838092288 ecr 1292126707,nop,wscale 9], length 0
    Repeating of seq#s indicates (to me) that .100.1 (opnsense) is:
    (i) establishing a socket open to .100.21:8080 (server in question)
    (ii) server responds with SYN ACK
    (iii) but opnsense doesn't respond with an ACK

    (iii) would mean opnsense is eating it up? But, why?

    I’ve tried enabling various combinations of explicit rules to allow “opt 6 address” —> “server net + ports” to no avail. On disabling the entire firewall, the first issuance of the curl command succeeds, in that I get a 401 Unauthorized. But immediately following it, subsequent connection attempts end up in a black hole.

    How might I go about troubleshooting this behavior?

    Edit#1: What is strange(r) indeed is that this behavior is occurring on every subnet as long as a) traffic originates from opnsense and b) the initial few attempts at connection establishment succeed, but then subsequent attempts time out.

Code: [Select]
#nc -4znvw 10 192.168.0.58 443
Connection to 192.168.0.58 443 port [tcp/*] succeeded!
#nc -4znvw 10 192.168.0.58 443
nc: connect to 192.168.0.58 port 443 (tcp) failed: Operation timed out
# nc -4znvw 10 192.168.0.58 443
nc: connect to 192.168.0.58 port 443 (tcp) failed: Operation timed out
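
Reading repeated SYN/SYN-ACK pairs off a long capture by eye is error-prone, so here is an added example (not code from the post or from OPNsense) that parses the two-line tcpdump-style records shown in this post and classifies each connection's handshake. The first four records in the embedded sample are copied from the capture above (the stalled connection to the crowdsec LAPI); the last three are constructed, not from the post, and show a handshake that completes so the two verdicts can be compared. The only assumption is the record shape: a timestamped header line followed by an indented TCP line with endpoints and flags.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, Tuple

# Records 1-4: copied from the interface capture in the post above.
# Records 5-7: constructed, a handshake to 192.168.0.58:443 that completes.
SAMPLE_CAPTURE = """\
Servers
vlan0.100 2024-06-28
07:37:50.442037 f4:90:ea:00:9f:72 00:50:56:82:d8:b4 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.1.31315 > 192.168.100.21.8080: Flags [S], cksum 0x8070 (correct), seq 445912424, win 65535, options [mss 8960,nop,wscale 12,sackOK,TS val 1292126707 ecr 0], length 0
07:37:50.442400 00:50:56:82:d8:b4 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.21.8080 > 192.168.100.1.31315: Flags [S.], cksum 0xe967 (correct), seq 3873949677, ack 445912425, win 43440, options [mss 1460,sackOK,TS val 3838080763 ecr 1292126707,nop,wscale 9], length 0
07:37:51.442697 f4:90:ea:00:9f:72 00:50:56:82:d8:b4 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.1.31315 > 192.168.100.21.8080: Flags [S], cksum 0x7c87 (correct), seq 445912424, win 65535, options [mss 8960,nop,wscale 12,sackOK,TS val 1292127708 ecr 0], length 0
07:37:51.443231 00:50:56:82:d8:b4 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.100.21.8080 > 192.168.100.1.31315: Flags [S.], cksum 0xe57e (correct), seq 3873949677, ack 445912425, win 43440, options [mss 1460,sackOK,TS val 3838081764 ecr 1292126707,nop,wscale 9], length 0
07:40:00.000001 f4:90:ea:00:9f:72 00:50:56:00:00:01 ethertype IPv4 (0x0800), length 74: (constructed record)
    192.168.100.1.40000 > 192.168.0.58.443: Flags [S], seq 1, win 65535, length 0
07:40:00.000500 00:50:56:00:00:01 f4:90:ea:00:9f:72 ethertype IPv4 (0x0800), length 74: (constructed record)
    192.168.0.58.443 > 192.168.100.1.40000: Flags [S.], seq 100, ack 2, win 65535, length 0
07:40:00.000700 f4:90:ea:00:9f:72 00:50:56:00:00:01 ethertype IPv4 (0x0800), length 66: (constructed record)
    192.168.100.1.40000 > 192.168.0.58.443: Flags [.], ack 101, win 65535, length 0
"""

_TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s")
_TCP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

Conn = Tuple[str, int, str, int]  # client ip, client port, server ip, server port


@dataclass
class Handshake:
    syn: int = 0       # SYNs sent by the client
    syn_ack: int = 0   # SYN-ACKs returned by the server
    ack: int = 0       # ACKs (no SYN, no RST) from the client: the handshake completed
    first_ts: str = ""
    last_ts: str = ""


def parse_segments(text: str) -> Iterator[Tuple[str, str, int, str, int, str]]:
    """Yield (timestamp, src, sport, dst, dport, flags). Lines that are neither a
    timestamped header nor a TCP line (the capture GUI's interface/date rows) are skipped."""
    ts = ""
    for line in text.splitlines():
        m = _TS_RE.match(line)
        if m:
            ts = m.group(1)
            continue
        m = _TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield ts, src, int(sport), dst, int(dport), flags


def analyze(text: str) -> Dict[Conn, Handshake]:
    conns: Dict[Conn, Handshake] = defaultdict(Handshake)
    for ts, src, sport, dst, dport, flags in parse_segments(text):
        if "S" in flags and "." in flags:        # SYN-ACK travels server -> client: swap ends
            key = (dst, dport, src, sport)
            conns[key].syn_ack += 1
        elif "S" in flags:                        # the SYN defines who the client is
            key = (src, sport, dst, dport)
            conns[key].syn += 1
        elif "." in flags and "R" not in flags:   # client-side ACK finishes the handshake
            key = (src, sport, dst, dport)
            if key not in conns:
                continue                          # mid-stream traffic whose SYN we never saw
            conns[key].ack += 1
        else:
            continue
        hs = conns[key]
        hs.first_ts = hs.first_ts or ts
        hs.last_ts = ts
    return dict(conns)


def verdict(hs: Handshake) -> str:
    if hs.syn_ack and not hs.ack:
        return "stalled: SYN-ACK seen on the wire, no ACK from the client"
    if hs.syn and not hs.syn_ack:
        return "stalled: no SYN-ACK from the server"
    return "completed" if hs.ack else "indeterminate"


if __name__ == "__main__":
    for (cip, cport, sip, sport), hs in analyze(SAMPLE_CAPTURE).items():
        print(f"{cip}:{cport} -> {sip}:{sport}  syn={hs.syn} syn_ack={hs.syn_ack} ack={hs.ack}  {verdict(hs)}")
```

For 192.168.100.1:31315 -> 192.168.100.21:8080 the verdict is the one spelled out in the list above: SYN-ACKs arrive, no ACK leaves. One caveat when reading that verdict on a firewall: an interface capture is taken at the BPF tap, ahead of pf's inbound filtering, so a SYN-ACK appearing in the capture proves it reached the interface, not that pf handed it to the TCP stack. Checking pf's state table for the same 4-tuple (pfctl -ss) while the connection is retrying tells the two cases apart.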

    4
    24.1 Legacy Series / Re: Dynamic DNS for Porkbun
    « on: June 28, 2024, 02:56:46 pm »
    I may not be answering the question directly, but I wrote a shell script (essentially curl command) with a cron job as an alternative. Happy to share script if it helps anyone.

    5
    General Discussion / crowdsec + external postgresql
    « on: June 19, 2024, 07:45:33 pm »
    In need of the experts' advice once again.

    What: os-crowdsec installed and works like a charm w/ local SQLite db. When switching it out to an (external) postgresql on the local network, all hell breaks loose.

    System Info:
    • Opnsense 24.4_8-amd64
    • FreeBSD 13.2-RELEASE-p11
    • os-sec 1.07

    postgresql config in crowdsec config.yaml
    Code: [Select]
    db_config:
      type: pgx
      user: <user>
      password: <pwd>
      host: <host_ip>
      port: <host_port>
      db_name: crowdsec
      sslmode: prefer
      max_open_conns: 100
      decision_bulk_size: 2000
      flush:
        max_items: 10000
        max_age: 90d

    Issue: crowdsec service does not start after the change to config.yaml. It can't seem to connect to the postgresql database. The database is verified to be up, and the credentials work when using psql locally on the db server and also remotely via another ubuntu machine.

    Code: [Select]
    [fbfdf7e6-bc7e-4543-b7bc-d7fadff59603] Script action stderr returned "b'{"level":"error","msg":"error while performing request: dial tcp <ip>:8080: i/o timeout; 4 retries left","time":"2024-06-19T01:39:21-07:00"}\n{"level":"error","msg":"error while performing request: dial tcp <ip>:8080: i/o timeout; 3 retries l'"

    6
    24.1 Legacy Series / Re: CrowdSec 1.6.0 has been released, with 24.1 it appears we are still at 1.5.5
    « on: June 19, 2024, 06:21:04 am »
    For the switch from SQLite to PgS on the OPNsense crowdsec os-plugin to work, are specific pgs drivers required? If so, where to get them from? Also, a sanitized copy of your configuration would help me set mine up, if feasible!

    7
    23.1 Legacy Series / Re: Reverse proxy and opnsense issues from local network
    « on: January 29, 2024, 05:00:12 am »
    I have the same issue as well. Using caddy instead of nginx. Were you able to solve it? If so, how?

    8
    General Discussion / Re: Unbound + dnsmasq
    « on: January 19, 2024, 08:10:22 pm »
    Quote from: firewall on November 30, 2023, 08:08:10 pm
    i gather that you're using aliases+pf rules to lock down traffic to the furthest extent possible on what reads like an iot vlan. if the devices only have access to manually-whitelisted endpoints and your vacuum wants to reach a mystery machine hosted on AWS for which you can't make a threat assessment, why not just allow access to any & all AWS ranges? the list is published & updated but you'll either need to parse the json (e.g. with jq) or find a reliable source of these same data in a format consumable by opnsense...i'm sure such a thing exists. you might also use that step to remove any ranges not associated with EC2 (your hostname resolves to an elastic load balancer host and all IPs it distributes, in your case, are EC2).
    Thank you for the very well-thought-out response, and the pointers. To balance "convenience" vis-à-vis security but more importantly the wife-factor, for now, I ended up changing the firewall rule to allow
    Code: [Select]
    *:8083
    I'm unfamiliar w/ jq but will look into parsing JSON via jq for integration w/ OPNsense.

    Quote from: firewall on November 30, 2023, 08:08:10 pm
    add'l point... pihole-FTL shares enough code base with dnsmasq to describe it as being functionally similar, and as such it will parse and leverage config files in /etc/dnsmasq.d/. from a workflow perspective these options are considered before its forwarding mechanism (to resolvers defined via pihole UI) kicks in. ootb, nothing that can meet your desire for pf rules unless you leveraged it to generate a locally-hosted reference for alias lookup via url on opnsense (e.g. alias = http://192.168.69.69/this_shit_sucks).
    I must apologize but I'm unable to understand the proposed solution here. Make some change to pihole which then influences firewall rule execution at opnsense? Please do elaborate at your convenience.

    Quote from: firewall on November 30, 2023, 08:08:10 pm
    add'l point 2...if you insist upon addressing it with opnsense you should still be able to make it happen by:
    • change dnsmasq listen port to something besides unbound's port 53, e.g. 53053
    • add override for roborock.com at opnsense > domain overrides, specifying 127.0.0.1@53053 as authoritative nameserver
    • figure out what cli voodoo is required to add/modify dnsmasq configs on opnsense (making sure they persist)
    • cross fingers, pray to the networking gods regularly, and research alternatives in the interim
    Ha ha. I'm considering replacing the aging pihole w/ adguard on Opnsense itself. So, introducing dnsmasq and the complications associated w/ changing network infrastructure (e.g. I have a shit time getting Active Directory to work in this setup as such) is not my preferred route at this point. But, beggars can't be choosers.

    Quote from: firewall on November 30, 2023, 08:08:10 pm
    add'l point 3...subjectively, trying to do *more* with dns on opnsense vs. moving it elsewhere has led to more problems than solutions for me (e.g. host blocking via unbound DNSBL on opnsense will give you heartburn, not exploring the adguard community plugin is an exercise in sanity preservation, i could go on). i'm sure circumstances such as migrating to unbound as default, changing ddns clients, etc don't help matters much but i'm not in the business of making excuses for time wasted.
    You don't recommend adguard plug-in on Opnsense? If not, what about clients-->adguard (e.g. as a vm) --> opnsense unbound --> interwebs? Opnsense blocklists are brilliant but troubleshooting why a particular website is getting blocked is worse (to me) than pulling my own tooth. I see folks recommending adguard on Opnsense to ease off this troubleshooting?
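
The reply quoted in this post suggests allowing the published AWS ranges for the EC2 service, trimmed to the region the vacuum's load balancer lives in, and turning them into something an OPNsense alias can fetch. As an added example (not code from the thread, from OPNsense or from AWS), the Python below does that filtering over a constructed stand-in for ip-ranges.json (same field names as the published file; the prefixes are RFC 5737/3849 documentation ranges, not real AWS space, so it runs offline), collapses adjacent prefixes and renders the one-network-per-line text that a URL Table (IPs) alias consumes. Fetching the live file from https://ip-ranges.amazonaws.com/ip-ranges.json and serving the output over HTTP on the LAN are left to the reader's environment.

```python
import ipaddress
import json
from typing import Iterable, Optional

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json. Field names
# match the published file; the prefixes are documentation ranges, not AWS space.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2023-11-30-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
    ],
})


def select_prefixes(doc: dict, services: Iterable[str],
                    regions: Optional[Iterable[str]] = None,
                    include_ipv6: bool = True) -> list:
    """Keep prefixes whose service is in `services` (and region in `regions`, if given).

    AWS lists a prefix under several services (EC2 space also appears as AMAZON), so the
    service filter is what drops S3, CloudFront and the rest from the allow list.
    """
    wanted_services = set(services)
    wanted_regions = set(regions) if regions else None
    entries = [(e["ip_prefix"], e) for e in doc.get("prefixes", [])]
    if include_ipv6:
        entries += [(e["ipv6_prefix"], e) for e in doc.get("ipv6_prefixes", [])]
    selected = []
    for cidr, entry in entries:
        if entry["service"] not in wanted_services:
            continue
        if wanted_regions and entry["region"] not in wanted_regions:
            continue
        # strict=True refuses a prefix with host bits set, i.e. a corrupt or tampered feed
        selected.append(ipaddress.ip_network(cidr, strict=True))
    return selected


def collapse(nets: Iterable) -> list:
    """Merge adjacent/overlapping prefixes per address family so the pf table stays small."""
    nets = list(nets)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def render_alias_table(nets: Iterable) -> str:
    """One network per line: the plain-text form a URL Table (IPs) alias fetches."""
    return "".join(f"{n}\n" for n in nets)


def build_alias_table(raw_json: str, services=("EC2",), regions=("us-east-1",)) -> str:
    doc = json.loads(raw_json)
    return render_alias_table(collapse(select_prefixes(doc, services, regions)))


if __name__ == "__main__":
    print(build_alias_table(SAMPLE_IP_RANGES), end="")
```

What this trades away is precision: the quoted reply notes that the hostname resolves to an elastic load balancer whose addresses are all EC2, and the resulting table admits every EC2 tenant in that region, not just Roborock, so the rule is stable but far broader than a per-FQDN allow. Keep the fetch over TLS and pin the alias to the HTTPS source; the JSON carries no signature of its own.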

    9
    General Discussion / Re: Unbound + dnsmasq
    « on: January 19, 2024, 08:00:18 pm »
    Quote from: Patrick M. Hausen on November 30, 2023, 08:32:48 pm
    @firewall 100% agree. The only real solution to a problem like this is to isolate that damn device. If you are in the lucky situation to have WiFi infrastructure that can do multiple SSIDs mapped to VLANs, then give that vacuum its own VLAN and permit access to the whole Internet but not anything local. Case closed in my opinion.
    Thank you for the suggestion. I did consider the possibility of introducing a VLAN dedicated for just one machine. For pre-802.11ax devices (STAs), that'd imply a different BSSID for this VLAN i.e. it'll be a separate WLAN network. Which implies wastage from an OA&M perspective (management) but more channel bandwidth wastage. Starting 802.11ax, the feature for MBSSID can be used; but most IoT devices don't support it.

    10
    General Discussion / Re: Unbound + dnsmasq
    « on: January 19, 2024, 07:44:47 pm »
    folks, please allow me to apologize for the long delay in response. I had a family emergency to attend. Please allow me some time to look through the responses and revert with questions. Thank you for your continued support.

    11
    General Discussion / Unbound + dnsmasq
    « on: November 28, 2023, 08:49:41 pm »
    Hello experts,
    I have the following setup:
    Internet<--DoT-->Unbound(also maintains DHCP mappings)<--(normal_DNS)-->Pihole<--(normal_DNS)-->clients
     Clients are configured w/ Pihole addresses. Pihole is configured with Unbound as upstream DNS. Unbound is configured with DNS over TLS for WAN resolution.

    Recently, I purchased a roborock S8 vacuum cleaner. Created a firewall rule to allow VLAN_x traffic to a certain FQDN (mqtt-us.roborock.com) over port 8883. It worked great for a day. The app stopped working the next day. A quick dig revealed the issue. Destination IP addresses had changed. So, I manually updated the address in the firewall rule. Great. Day#2 same issue. Same solution. Day#3 same issue. So on and so forth. A more elegant solution was required.
     
    Code: [Select]
    $ dig mqtt-us.roborock.com

    ; <<>> DiG 9.10.6 <<>> mqtt-us.roborock.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46538
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;mqtt-us.roborock.com. IN A

    ;; ANSWER SECTION:
    mqtt-us.roborock.com. 583 IN CNAME mqtt-slb-1st-1913472363.us-east-1.elb.amazonaws.com.
    mqtt-slb-1st-1913472363.us-east-1.elb.amazonaws.com. 60 IN A 44.209.56.31
    mqtt-slb-1st-1913472363.us-east-1.elb.amazonaws.com. 60 IN A 52.7.27.196
    mqtt-slb-1st-1913472363.us-east-1.elb.amazonaws.com. 60 IN A 54.235.188.250

    ;; Query time: 355 msec
    ;; SERVER: a.b.c.d#53
    ;; WHEN: Tue Nov 28 11:11:30 PST 2023
    ;; MSG SIZE  rcvd: 159

    Their servers are hosted in AWS, fronted via application load balancers. Therefore, A/AAAA addresses keep changing (not just rotating).

    The answer to this problem seems to lie in the https://forum.opnsense.org/index.php?topic=27650.0 thread. Meaning, use dnsmasq to resolve a wildcard / specific_domain, store the result in an alias which is used in an OPNsense firewall rule. Details of which point to https://github.com/opnsense/core/issues/4145. Great! I'd like to try it. But, my issue: how to enable dnsmasq with unbound just for those domains?

    It took a long time to make end-to-end DNS flows in the home setup functional. How does one go about enabling dnsmasq to work together w/ unbound with minimal changes? Because unbound is running on 53, at minimum, I'll assume I can't run dnsmasq on the same port? If that's the case, how to configure dnsmasq and only have it respond to wildcard queries, from unbound, related to mqtt*.roborock.com? Google gods aren't showing mercy.

    Help please.

    12
    General Discussion / LAGGy thoughts
    « on: January 05, 2023, 03:32:19 am »
    In trying to configure new hardware (capable of 2x25G), I’m running into issues wrt importing configuration from old hardware. Specifically interested in link aggregation (IEEE 802.3ad, 802.1ax). Link aggregation is strictly an OSI Layer-2 concept. I have LACP appropriately configured on the switch side. But, in order to employ LAGG, opnsense seems to require enabling the LAGG interface; doing so requires it be given an IP address. So, this is a bit puzzling to me. Any particular reason for why opnsense designers and/or FreeBSD folks chose such an approach?

     I have over 30 VLANs, 300+ devices, and a rather large number of firewall rules currently serving non-LAGG’ed interfaces. Trying to find the right way to design the opnsense rule system. A penny for your thoughts?

    vlan3: IP range IPR1 (Main LAN)
    Vlan2: IPR2 (opt2)
    vlan100: IPR3 (opt3)
    etc
    IP Ranges are non-overlapping.
    FW Rules are based on above lans; not directly on interfaces - to allow future portability.
    Switch has default gw set on IP1 in IPR1.

    Now to create a lag, opnsense adds the following to config.xml
    Code: [Select]
    <lagg>igb0, igb2, igb3 … </lagg>
    To enable LAGG, an IP address range seems mandatory.
    Code: [Select]
    <lan><if>lagg0</if><enable>1</enable></lan>
     I’d rather not change my existing VLAN setup else my fw rules will be wonky.

    Would there be a way to directly achieve this via config.xml? Conceptually, if I assign a new IP range to lagg0, will the range have to cover the IP ranges of all VLANs? If so, then I won’t be able to have granular per-VLAN rules (which are per IP range, based off VLAN IDs). If I select a new IP range, then how will it carry traffic belonging to IP addresses not part of its range on the trunk interface towards the switch?

    13
    Tutorials and FAQs / Re: FAQ How to use the opnsense-importer?
    « on: January 01, 2023, 10:30:05 pm »
    Running Importer
    Code: [Select]
    root@OPNsense:~ # opnsense-importer -V
    + DO_DEV=''
    + DEVS=''
    + POOLS=''
    + [ -n '' ]
    + trap bootstrap_and_exit 2
    + [ -n '' ]
    + zfs_load
    + kldstat -qm zfs
    + zfs_probe
    + zpool import -aNf
    + zpool get -H cachefile
    + read ZPOOL ZMORE
    + zpool get -H guid zroot
    + awk '{ print $3 }'
    + ZGUID=3193628858977921937
    + zpool get -H size zroot
    + awk '{ print $3 }'
    + ZSIZE=945G
    + mount
    + grep -w /
    + grep -c zroot
    + [ 1 '=' 0 ]
    + echo 'zroot 3193628858977921937 945G'
    + read ZPOOL ZMORE
    + export 'POOLS=zroot 3193628858977921937 945G'
    + [ -n '' ]
    + camcontrol devlist
    + echo 'zroot 3193628858977921937 945G'
    + read ZPOOL ZGUID ZSIZE ZMORE
    + [ -z zroot ]
    + printf '%-35s%s\n' '<3193628858977921937 945G>' 'ZFS pool (zroot)'
    + read ZPOOL ZGUID ZSIZE ZMORE
    + gmirror status -s
    + graid status -s
    + DEVS='<SanDisk Extreme Pro 55AF 1084>    at scbus0 target 0 lun 0 (da0,pass0)
    <SanDisk SES Device 1084>          at scbus0 target 0 lun 1 (ses0,pass1)
    <3193628858977921937 945G>         ZFS pool (zroot)'
    + :
    + [ -z '' ]
    + echo

    + echo '<SanDisk Extreme Pro 55AF 1084>    at scbus0 target 0 lun 0 (da0,pass0)
    <SanDisk SES Device 1084>          at scbus0 target 0 lun 1 (ses0,pass1)
    <3193628858977921937 945G>         ZFS pool (zroot)'
    <SanDisk Extreme Pro 55AF 1084>    at scbus0 target 0 lun 0 (da0,pass0)
    <SanDisk SES Device 1084>          at scbus0 target 0 lun 1 (ses0,pass1)
    <3193628858977921937 945G>         ZFS pool (zroot)
    + echo

    + read -p 'Select device to import from (e.g. ada0) or leave blank to exit: ' DEV
    Select device to import from (e.g. ada0) or leave blank to exit:
    + echo

    + [ -z da0 ]
    + [ da0 '=' ! ]
    + import_start da0
    + local 'DEV=da0'
    + export 'PART='
    + export 'TYPE='
    + export 'POOL='
    + [ -e /dev/da0s1a ]
    + [ -e /dev/da0p3 ]
    + echo zroot 3193628858977921937 945G
    + grep -c '^da0 '
    + [ 0 '!=' 0 ]
    + [ -e /dev/da0s1 ]
    + [ -e /dev/da0p1 ]
    + export 'PART=/dev/da0p1'
    + export 'TYPE=msdos'
    + return 0
    + mkdir -p /tmp/hdrescue
    + [ -n /dev/da0p1 -a -n msdos ]
    + echo $'Starting import for partition \'/dev/da0p1\'.'
    Starting import for partition '/dev/da0p1'.
    + echo

    + [ msdos '=' ufs ]
    + mount -t msdos /dev/da0p1 /tmp/hdrescue
    + [ -n '' ]
    + [ -n '' ]
    + [ -f /tmp/hdrescue/conf/config.xml ]
    + grep -cx -- '---- BEGIN config.xml ----' /tmp/hdrescue/conf/config.xml
    + [ 0 '!=' 0 ]
    + rm -rf /conf/backup /conf/config.xml /conf/event_config_changed.json /conf/sshd
    + [ -f /tmp/hdrescue/conf/captiveportal.sqlite ]
    + [ -f /tmp/hdrescue/conf/config.xml ]
    + echo -n 'Restoring config.xml...'
    Restoring config.xml...+ cp /tmp/hdrescue/conf/config.xml /conf
    + echo done.
    done.
    + [ -f /tmp/hdrescue/conf/dhcpleases.tgz ]
    + [ -f /tmp/hdrescue/conf/dhcp6c_duid ]
    + [ -f /tmp/hdrescue/conf/netflow.tgz ]
    + [ -f /tmp/hdrescue/conf/rrd.tgz ]
    + [ -d /tmp/hdrescue/conf/backup ]
    + mkdir -p /conf/backup
    + [ -d /tmp/hdrescue/conf/sshd ]
    + mkdir -p /conf/sshd
    + find /conf/sshd -type f -name '*key'
    + break
    + [ -z '' ]
    + echo 'Please reboot.'
    Please reboot.
    + bootstrap_and_exit 0
    + RET=0
    + mkdir -p /conf/backup
    + mkdir -p /conf/sshd
    + [ ! -f /conf/config.xml ]
    + mount
    + grep -cw /tmp/hdrescue
    + [ -d /tmp/hdrescue -a 1 '!=' 0 ]
    + [ -n /dev/da0p1 ]
    + umount /tmp/hdrescue
    + zfs_unload
    + [ -n '' ]
    + [ -z 0 ]
    + exit 0

    The config importer seems to have worked correctly, judging by the presence of the hostname of my choice:

    Code: [Select]
    root@OPNsense:~ # cat /conf/config.xml | grep Morik
        <hostname>MorikCage</hostname>
    root@OPNsense:~ #

    dmesg output post-boot

    Code: [Select]
    root@OPNsense:~ # dmesg
    Copyright (c) 1992-2021 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
            The Regents of the University of California. All rights reserved.
    FreeBSD is a registered trademark of The FreeBSD Foundation.
    FreeBSD 13.1-RELEASE-p2 stable/22.10-n250241-9055fb5e5b4 SMP amd64
    FreeBSD clang version 13.0.0 (git@github.com:llvm/llvm-project.git llvmorg-13.0.0-0-gd7b669b3a303)
    VT(vga): resolution 640x480
    CPU: AMD EPYC 3251 8-Core Processor                  (2495.44-MHz K8-class CPU)
      Origin="AuthenticAMD"  Id=0x800f12  Family=0x17  Model=0x1  Stepping=2
      Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
      Features2=0x7ed8320b<SSE3,PCLMULQDQ,MON,SSSE3,FMA,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
      AMD Features=0x2e500800<SYSCALL,NX,MMX+,FFXSR,Page1GB,RDTSCP,LM>
      AMD Features2=0x35c233ff<LAHF,CMP,SVM,ExtAPIC,CR8,ABM,SSE4A,MAS,Prefetch,OSVW,SKINIT,WDT,TCE,Topology,PCXC,PNXC,DBE,PL2I,MWAITX>
      Structured Extended Features=0x209c01a9<FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA>
      XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES>
      AMD Extended Feature Extensions ID EBX=0x1007<CLZERO,IRPerf,XSaveErPtr,IBPB>
      SVM: NP,NRIP,VClean,AFlush,DAssist,NAsids=32768
      TSC: P-state invariant, performance statistics
    real memory  = 68717379584 (65534 MB)
    avail memory = 66675609600 (63586 MB)
    Event timer "LAPIC" quality 600
    ACPI APIC Table: <INSYDE WALLABY>
    FreeBSD/SMP: Multiprocessor System Detected: 16 CPUs
    FreeBSD/SMP: 1 package(s) x 2 cache groups x 4 core(s) x 2 hardware threads
    random: registering fast source Intel Secure Key RNG
    random: fast provider: "Intel Secure Key RNG"
    random: unblocking device.
    ioapic0: MADT APIC ID 128 != hw id 0
    ioapic1: MADT APIC ID 129 != hw id 0
    ioapic0 <Version 2.1> irqs 0-23
    ioapic1 <Version 2.1> irqs 24-55
    Launching APs: 13 7 2 11 14 3 6 5 9 10 1 4 12 8 15
    random: entropy device external interface
    wlan: mac acl policy registered
    kbd0 at kbdmux0
    WARNING: Device "spkr" is Giant locked and may be deleted before FreeBSD 14.0.
    vtvga0: <VT VGA driver>
    efirtc0: <EFI Realtime Clock>
    efirtc0: registered as a time-of-day clock, resolution 1.000000s
    smbios0: <System Management BIOS> at iomem 0x7945e000-0x7945e01e
    smbios0: Version: 3.0, BCD Revision: 3.0
    aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS,SHA1,SHA256>
    acpi0: <INSYDE WALLABY>
    acpi0: Power Button (fixed)
    cpu0: <ACPI CPU> on acpi0
    hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff irq 0,8 on acpi0
    Timecounter "HPET" frequency 14318180 Hz quality 950
    Event timer "HPET" frequency 14318180 Hz quality 350
    Event timer "HPET1" frequency 14318180 Hz quality 350
    Event timer "HPET2" frequency 14318180 Hz quality 350
    atrtc0: <AT realtime clock> port 0x70-0x71 on acpi0
    atrtc0: registered as a time-of-day clock, resolution 1.000000s
    Event timer "RTC" frequency 32768 Hz quality 0
    attimer0: <AT timer> port 0x40-0x43 on acpi0
    Timecounter "i8254" frequency 1193182 Hz quality 0
    Event timer "i8254" frequency 1193182 Hz quality 100
    apei0: <ACPI Platform Error Interface> on acpi0
    Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
    acpi_timer0: <32-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
    acpi_button0: <Power Button> on acpi0
    pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
    pci0: <ACPI PCI bus> on pcib0
    pci0: <base peripheral, IOMMU> at device 0.2 (no driver attached)
    pcib1: <ACPI PCI-PCI bridge> at device 1.3 on pci0
    pci1: <ACPI PCI bus> on pcib1
    nvme0: <Generic NVMe Device> mem 0x80900000-0x80903fff at device 0.0 on pci1
    pcib2: <ACPI PCI-PCI bridge> at device 1.4 on pci0
    pci2: <ACPI PCI bus> on pcib2
    igb0: <Intel(R) I210 Flashless (Copper)> port 0x5000-0x501f mem 0x80800000-0x8081ffff,0x80820000-0x80823fff at device 0.0 on pci2
    igb0: NVM V0.6 imgtype6
    igb0: Using 1024 TX descriptors and 1024 RX descriptors
    igb0: Using 4 RX queues 4 TX queues
    igb0: Using MSI-X interrupts with 5 vectors
    igb0: Ethernet address: f4:90:ea:00:a2:06
    igb0: netmap queues/slots: TX 4/1024, RX 4/1024
    pcib3: <ACPI PCI-PCI bridge> at device 1.5 on pci0
    pci3: <ACPI PCI bus> on pcib3
    igb1: <Intel(R) I210 Flashless (Copper)> port 0x4000-0x401f mem 0x80700000-0x8071ffff,0x80720000-0x80723fff at device 0.0 on pci3
    igb1: NVM V0.6 imgtype6
    igb1: Using 1024 TX descriptors and 1024 RX descriptors
    igb1: Using 4 RX queues 4 TX queues
    igb1: Using MSI-X interrupts with 5 vectors
    igb1: Ethernet address: f4:90:ea:00:a2:07
    igb1: netmap queues/slots: TX 4/1024, RX 4/1024
    pcib4: <ACPI PCI-PCI bridge> at device 1.6 on pci0
    pci4: <ACPI PCI bus> on pcib4
    igb2: <Intel(R) I210 Flashless (Copper)> port 0x3000-0x301f mem 0x80600000-0x8061ffff,0x80620000-0x80623fff at device 0.0 on pci4
    igb2: NVM V0.6 imgtype6
    igb2: Using 1024 TX descriptors and 1024 RX descriptors
    igb2: Using 4 RX queues 4 TX queues
    igb2: Using MSI-X interrupts with 5 vectors
    igb2: Ethernet address: f4:90:ea:00:a2:08
    igb2: netmap queues/slots: TX 4/1024, RX 4/1024
    pcib5: <ACPI PCI-PCI bridge> at device 1.7 on pci0
    pci5: <ACPI PCI bus> on pcib5
    igb3: <Intel(R) I210 Flashless (Copper)> port 0x2000-0x201f mem 0x80500000-0x8051ffff,0x80520000-0x80523fff at device 0.0 on pci5
    igb3: NVM V0.6 imgtype6
    igb3: Using 1024 TX descriptors and 1024 RX descriptors
    igb3: Using 4 RX queues 4 TX queues
    igb3: Using MSI-X interrupts with 5 vectors
    igb3: Ethernet address: f4:90:ea:00:a2:09
    igb3: netmap queues/slots: TX 4/1024, RX 4/1024
    pcib6: <ACPI PCI-PCI bridge> at device 3.1 on pci0
    pci6: <ACPI PCI bus> on pcib6
    ice0: <Intel(R) Ethernet Network Adapter E810-XXV-2 - 1.34.2-k> mem 0x7fcfc000000-0x7fcfdffffff,0x7fcfe010000-0x7fcfe01ffff at device 0.0 on pci6
    ice0: Loading the iflib ice driver
    ice0: The DDP package was successfully loaded: ICE OS Default Package version 1.3.27.0, track id 0xc0000001.
    ice0: fw 6.2.9 api 1.7 nvm 3.20 etid 8000d853 netlist 3.20.5000-1.e.0.495c77bc oem 1.3146.0
    ice0: Using 8 Tx and Rx queues
    ice0: Using MSI-X interrupts with 9 vectors
    ice0: Using 1024 TX descriptors and 1024 RX descriptors
    ice0: Ethernet address: f4:90:ea:00:9f:72
    ice0: PCI Express Bus: Speed 8.0GT/s Width x8
    ice0: Firmware LLDP agent disabled
    ice0: link state changed to DOWN
    ice0: netmap queues/slots: TX 8/1024, RX 8/1024
    ice1: <Intel(R) Ethernet Network Adapter E810-XXV-2 - 1.34.2-k> mem 0x7fcfa000000-0x7fcfbffffff,0x7fcfe000000-0x7fcfe00ffff at device 0.1 on pci6
    ice1: Loading the iflib ice driver
    ice0: Module is not present.
    ice0: Possible Solution 1: Check that the module is inserted correctly.
    ice0: Possible Solution 2: If the problem persists, use a cable/module that is found in the supported modules and cables list for this device.
    ice0: Module is not present.
    ice0: Possible Solution 1: Check that the module is inserted correctly.
    ice0: Possible Solution 2: If the problem persists, use a cable/module that is found in the supported modules and cables list for this device.
    ice1: DDP package already present on device: ICE OS Default Package version 1.3.27.0, track id 0xc0000001.
    ice1: fw 6.2.9 api 1.7 nvm 3.20 etid 8000d853 netlist 3.20.5000-1.e.0.495c77bc oem 1.3146.0
    ice1: Using 8 Tx and Rx queues
    ice1: Using MSI-X interrupts with 9 vectors
    ice1: Using 1024 TX descriptors and 1024 RX descriptors
    ice1: Ethernet address: f4:90:ea:00:9f:73
    ice1: PCI Express Bus: Speed 8.0GT/s Width x8
    ice1: Firmware LLDP agent disabled
    ice1: link state changed to DOWN
    ice1: netmap queues/slots: TX 8/1024, RX 8/1024
    pcib7: <ACPI PCI-PCI bridge> at device 7.1 on pci0
    pci7: <ACPI PCI bus> on pcib7
    pci7: <unknown> at device 0.0 (no driver attached)
    ice1: Module is not present.
    ice1: Possible Solution 1: Check that the module is inserted correctly.
    ice1: Possible Solution 2: If the problem persists, use a cable/module that is found in the supported modules and cables list for this device.
    ice1: Module is not present.
    ice1: Possible Solution 1: Check that the module is inserted correctly.
    ice1: Possible Solution 2: If the problem persists, use a cable/module that is found in the supported modules and cables list for this device.
    pci7: <encrypt/decrypt> at device 0.2 (no driver attached)
    xhci0: <XHCI (generic) USB 3.0 controller> mem 0x80200000-0x802fffff at device 0.3 on pci7
    xhci0: 64 bytes context size, 64-bit DMA
    usbus0: waiting for BIOS to give up control
    xhci_interrupt: host controller halted
    usbus0 on xhci0
    usbus0: 5.0Gbps Super Speed USB v3.0
    pcib8: <ACPI PCI-PCI bridge> at device 8.1 on pci0
    pci8: <ACPI PCI bus> on pcib8
    pci8: <unknown> at device 0.0 (no driver attached)
    pci8: <encrypt/decrypt> at device 0.1 (no driver attached)
    hdac0: <AMD X370 HDA Controller> mem 0x80180000-0x80187fff at device 0.3 on pci8
    ax0: <AMD 10 Gigabit Ethernet Driver> mem 0x80160000-0x8017ffff,0x80140000-0x8015ffff,0x80188000-0x80189fff at device 0.4 on pci8
    ax0: Using 2048 TX descriptors and 2048 RX descriptors
    ax0: Using 8 RX queues 8 TX queues
    ax0: Using MSI-X interrupts with 12 vectors
    ax0: Ethernet address: f4:90:ea:00:a2:0a
    ax0: xgbe_config_sph_mode: SPH disabled in channel 0
    ax0: xgbe_config_sph_mode: SPH disabled in channel 1
    ax0: xgbe_config_sph_mode: SPH disabled in channel 2
    ax0: xgbe_config_sph_mode: SPH disabled in channel 3
    ax0: xgbe_config_sph_mode: SPH disabled in channel 4
    ax0: xgbe_config_sph_mode: SPH disabled in channel 5
    ax0: xgbe_config_sph_mode: SPH disabled in channel 6
    ax0: xgbe_config_sph_mode: SPH disabled in channel 7
    ax0: RSS Enabled
    ax0: Receive checksum offload Enabled
    ax0: VLAN filtering Enabled
    ax0: VLAN Stripping Enabled
    ax0: Checking GPIO expander validity
    ax0: Input port registers: 0x0
    ax0: Output port registers: 0x7777
    ax0: Polarity port registers: 0x0
    ax0: Configuration port registers: 0x77ff
    ax0: xgbe_phy_sfp_signals: port_sfp_inputs: 0x7
    ax0: xgbe_phy_sfp_detect: mod absent
    ax0: netmap queues/slots: TX 8/2048, RX 8/2048
    ax1: <AMD 10 Gigabit Ethernet Driver> mem 0x80120000-0x8013ffff,0x80100000-0x8011ffff,0x8018a000-0x8018bfff at device 0.5 on pci8
    ax1: Using 2048 TX descriptors and 2048 RX descriptors
    ax1: Using 8 RX queues 8 TX queues
    ax1: Using MSI-X interrupts with 12 vectors
    ax1: Ethernet address: f4:90:ea:00:a2:0b
    ax1: xgbe_config_sph_mode: SPH disabled in channel 0
    ax1: xgbe_config_sph_mode: SPH disabled in channel 1
    ax1: xgbe_config_sph_mode: SPH disabled in channel 2
    ax1: xgbe_config_sph_mode: SPH disabled in channel 3
    ax1: xgbe_config_sph_mode: SPH disabled in channel 4
    ax1: xgbe_config_sph_mode: SPH disabled in channel 5
    ax1: xgbe_config_sph_mode: SPH disabled in channel 6
    ax1: xgbe_config_sph_mode: SPH disabled in channel 7
    ax1: RSS Enabled
    ax1: Receive checksum offload Enabled
    ax1: VLAN filtering Enabled
    ax1: VLAN Stripping Enabled
    ax1: Checking GPIO expander validity
    ax1: Input port registers: 0x0
    ax1: Output port registers: 0x7777
    ax1: Polarity port registers: 0x0
    ax1: Configuration port registers: 0x77ff
    ax1: xgbe_phy_sfp_signals: port_sfp_inputs: 0x7
    ax1: xgbe_phy_sfp_detect: mod absent
    ax1: netmap queues/slots: TX 8/2048, RX 8/2048
    isab0: <PCI-ISA bridge> at device 20.3 on pci0
    isa0: <ISA bus> on isab0
    uart2: <16x50 with 256 byte FIFO> iomem 0xfedc9000-0xfedc9fff,0xfedc7000-0xfedc7fff irq 3 on acpi0
    uart2: console (115384,n,8,1)
    hwpstate0: <Cool`n'Quiet 2.0> on cpu0
    Timecounter "TSC-low" frequency 1247655590 Hz quality 1000
    Timecounters tick every 1.000 msec
    ZFS filesystem version: 5
    ZFS storage pool version: features support (5000)
    ugen0.1: <AMD XHCI root HUB> at usbus0
    uhub0 on usbus0
    uhub0: <AMD XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0
    nvd0: <TS1TMTE662T2> NVMe namespace
    nvd0: 976762MB (2000409264 512 byte sectors)
    Trying to mount root from zfs:zroot/ROOT/default []...
    uhub0: 8 ports with 8 removable, self powered
    Root mount waiting for: usbus0
    usb_msc_auto_quirk: UQ_MSC_NO_PREVENT_ALLOW set for USB mass storage device SanDisk Extreme Pro 55AF (0x0781:0x55af)
    ugen0.2: <SanDisk Extreme Pro 55AF> at usbus0
    umass0 on uhub0
    umass0: <SanDisk Extreme Pro 55AF, class 0/0, rev 3.20/10.84, addr 1> on usbus0
    umass0:  SCSI over Bulk-Only; quirks = 0x8000
    umass0:0:0: Attached to scbus0
    Root mount waiting for: usbus0 CAM
    da0 at umass-sim0 bus 0 scbus0 target 0 lun 0
    da0: <SanDisk Extreme Pro 55AF 1084> Fixed Direct Access SPC-4 SCSI device
    da0: Serial Number 323232354534343031373436
    da0: 400.000MB/s transfers
    da0: 1907697MB (3906963617 512 byte sectors)
    da0: quirks=0x2<NO_6_BYTE>
    ses0 at umass-sim0 bus 0 scbus0 target 0 lun 1
    ses0: <SanDisk SES Device 1084> Fixed Enclosure Services SPC-4 SCSI device
    ses0: Serial Number 323232354534343031373436
    ses0: 400.000MB/s transfers
    ses0: SES Device
    intsmb0: <AMD FCH SMBus Controller> at device 20.0 on pci0
    smbus0: <System Management Bus> on intsmb0
    lo0: link state changed to UP
    amdsmn0: <AMD Family 17h System Management Network> on hostb0
    amdtemp0: <AMD CPU On-Die Thermal Sensors> on hostb0
    pflog0: permanently promiscuous mode enabled


    Device hardware post-boot

    Code: [Select]
    root@OPNsense:~ # sysctl -a | grep dev.ice.0.%desc
    dev.ice.0.%desc: Intel(R) Ethernet Network Adapter E810-XXV-2 - 1.34.2-k
    root@OPNsense:~ # sysctl -a | grep dev.ice.1.%desc
    dev.ice.1.%desc: Intel(R) Ethernet Network Adapter E810-XXV-2 - 1.34.2-k
    root@OPNsense:~ # sysctl -a | grep dev.ax.0.%desc
    dev.ax.0.%desc: AMD 10 Gigabit Ethernet Driver
    root@OPNsense:~ # sysctl -a | grep dev.ax.1.%desc
    dev.ax.1.%desc: AMD 10 Gigabit Ethernet Driver
    root@OPNsense:~ #


    End-result — booting to factory setting
    Code: [Select]
    root@OPNsense:~ # cat /conf/config.xml | grep Morik
    root@OPNsense:~ # cat /conf/config.xml | grep localdomain
        <domain>localdomain</domain>
              <localdomains/>
    root@OPNsense:~ #

    14
    Tutorials and FAQs / Re: FAQ How to use the opnsense-importer?
    « on: January 01, 2023, 09:57:50 pm »
    Indeed, I didn't mean to waste your precious time. Please allow me a few hours and I'll have opnsense-importer -V and dmesg output. I've already verified that physical interfaces match (per kernel loading as Deciso factory default settings).

    15
    Tutorials and FAQs / Re: FAQ How to use the opnsense-importer?
    « on: January 01, 2023, 07:33:19 am »
    (Apologies for posting on an FAQ thread. Please do feel free to move it as seen fit.)
    I recently purchased a DEC4040 which came with OPNsense business edition. I have a Protectli box with well-configured settings running smoothly. To minimize disruption to the network, per the recommendation here, I copied the entire /conf contents onto a USB, changed interface names (igbX-igbY remained the same; added ax0,ax1,ice0,ice1 to the LAGG'ed config) + a few other changes (to conform to the business edition's schema/values), and ran opnsense-importer. I ran it in both verbose and regular mode. Both times no errors were shown. A quick reboot (both times) from the console window. Both times, it booted to its default factory-shipped state. dmesg output doesn't show any major show stoppers. Is this the expected behavior from the importer utility? Any idea on where/how to start troubleshooting? Below is a sample of the interface names/values.

    Code: [Select]
    <vlans version="1.0.0">
        <vlan uuid="97c6384c-7339-46f3-bf83-149b14254cb0">
          <if>lagg0</if>
          <tag>2</tag>
          <pcp>1</pcp>
          <descr>VLAN tag for Esco Ghaar CCTV Cameras Traffic</descr>
          <vlanif>vlan02</vlanif>
        </vlan>
        <vlan uuid="07eddf31-04cd-4a76-8377-57a667b56315">
          <if>lagg0</if>
          <tag>3</tag>
          <pcp>2</pcp>
          <descr>Original LAN untagged traffic </descr>
          <vlanif>vlan03</vlanif>
        </vlan>
        <vlan uuid="19324450-009b-41ce-960a-2dcd840ffb3a">
          <if>lagg0</if>
          <tag>120</tag>
          <pcp>2</pcp>
          <descr>Storage</descr>
          <vlanif>vlan0.120</vlanif>
        </vlan>
        <vlan uuid="ea3bdbc6-ff45-4e61-bc08-bca5c481dd06">
          <if>lagg0</if>
          <tag>140</tag>
          <pcp>2</pcp>
          <descr>Supervisor</descr>
          <vlanif>vlan0.140</vlanif>
        </vlan>
        <vlan uuid="9d497323-d1c2-462b-b048-130d6d7eb2fa">
          <if>lagg0</if>
          <tag>250</tag>
          <pcp>0</pcp>
          <descr>IoT</descr>
          <vlanif>vlan0.250</vlanif>
        </vlan>
        <vlan uuid="a4ea1ac8-71d2-4087-bb7e-d77491af6c9d">
          <if>lagg0</if>
          <tag>100</tag>
          <pcp>7</pcp>
          <descr>Servers</descr>
          <vlanif>vlan0.100</vlanif>
        </vlan>
        <vlan uuid="3c94f447-b2ef-49b3-b807-cf52c48b7fa2">
          <if>lagg0</if>
          <tag>1</tag>
          <pcp>0</pcp>
          <descr>Default VLAN#1 traffic</descr>
          <vlanif>vlan0.1</vlanif>
        </vlan>
      </vlans>

      <laggs>
        <lagg>
          <members>igb0,igb2,ax0,ax1,ice0,ice1</members>
          <descr>LAGGy_Interface</descr>
          <laggif>lagg0</laggif>
          <proto>lacp</proto>
          <mtu/>
        </lagg>
      </laggs>
      <dhcpdv6/>
      <ifgroups>
        <ifgroupentry>
          <members>opt5 lan opt6 opt3 opt4 opt2</members>
          <ifname>FG_ALL_VLANs</ifname>
        </ifgroupentry>
        <ifgroupentry>
          <members>lan opt6 opt3 opt4</members>
          <ifname>FG_CRITICAL_LAN</ifname>
        </ifgroupentry>
      </ifgroups>

    <interfaces>
        <wan>
          <if>igb1</if>
          <enable>1</enable>
          <spoofmac/>
          <ipaddr>dhcp</ipaddr>
          <dhcphostname/>
          <alias-address/>
          <alias-subnet>32</alias-subnet>
          <dhcprejectfrom/>
          <adv_dhcp_pt_timeout/>
          <adv_dhcp_pt_retry/>
          <adv_dhcp_pt_select_timeout/>
          <adv_dhcp_pt_reboot/>
          <adv_dhcp_pt_backoff_cutoff/>
          <adv_dhcp_pt_initial_interval/>
          <adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
          <adv_dhcp_send_options/>
          <adv_dhcp_request_options/>
          <adv_dhcp_required_options/>
          <adv_dhcp_option_modifiers/>
          <adv_dhcp_config_advanced/>
          <adv_dhcp_config_file_override/>
          <adv_dhcp_config_file_override_path/>
        </wan>
        <lan>
          <enable>1</enable>
          <if>vlan03</if>
          <ipaddr>192.168.1.1</ipaddr>
          <subnet>23</subnet>
          <ipaddrv6>track6</ipaddrv6>
          <subnetv6>64</subnetv6>
          <media/>
          <mediaopt/>
          <track6-interface>wan</track6-interface>
          <track6-prefix-id>0</track6-prefix-id>
          <descr>LAN</descr>
        </lan>
        <lo0>
          <internal_dynamic>1</internal_dynamic>
          <descr>Loopback</descr>
          <enable>1</enable>
          <if>lo0</if>
          <ipaddr>127.0.0.1</ipaddr>
          <ipaddrv6>::1</ipaddrv6>
          <subnet>8</subnet>
          <subnetv6>128</subnetv6>
          <type>none</type>
          <virtual>1</virtual>
        </lo0>
        <openvpn>
          <internal_dynamic>1</internal_dynamic>
          <enable>1</enable>
          <if>openvpn</if>
          <descr>OpenVPN</descr>
          <type>group</type>
          <virtual>1</virtual>
          <networks/>
        </openvpn>
        <opt2>
          <if>vlan02</if>
          <descr>vCamsTraffic</descr>
          <enable>1</enable>
          <spoofmac/>
          <ipaddr>192.168.2.1</ipaddr>
          <subnet>27</subnet>
        </opt2>
        <opt1>
          <descr>LAGGy_LAN</descr>
          <if>lagg0</if>
        </opt1>
        <FG_ALL_VLANs>
          <internal_dynamic>1</internal_dynamic>
          <enable>1</enable>
          <if>FG_ALL_VLANs</if>
          <descr>FG_ALL_VLANs</descr>
          <virtual>1</virtual>
          <type>group</type>
          <networks/>
        </FG_ALL_VLANs>
        <opt3>
          <if>vlan0.120</if>
          <descr>Storage</descr>
          <enable>1</enable>
          <spoofmac/>
          <ipaddr>192.168.120.1</ipaddr>
          <subnet>24</subnet>
        </opt3>
        <opt4>
          <if>vlan0.140</if>
          <descr>Supervisor</descr>
          <enable>1</enable>
          <spoofmac/>
          <ipaddr>192.168.140.1</ipaddr>
          <subnet>24</subnet>
        </opt4>
        <opt5>
          <if>vlan0.250</if>
          <descr>IoT</descr>
          <enable>1</enable>
          <spoofmac/>
          <ipaddr>192.168.250.1</ipaddr>
          <subnet>24</subnet>
        </opt5>
        <opt6>
          <if>vlan0.100</if>
          <descr>Servers</descr>
          <enable>1</enable>
          <spoofmac/>
          <ipaddr>192.168.100.1</ipaddr>
          <subnet>24</subnet>
        </opt6>
        <FG_CRITICAL_LAN>
          <internal_dynamic>1</internal_dynamic>
          <enable>1</enable>
          <networks/>
          <if>FG_CRITICAL_LAN</if>
          <descr>FG_CRITICAL_LAN</descr>
          <virtual>1</virtual>
          <type>group</type>
        </FG_CRITICAL_LAN>
        <opt7>
          <descr>default</descr>
          <if>vlan0.1</if>
        </opt7>
      </interfaces>
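
As an added example (not code from the post or from the opnsense-importer utility), the check below cross-references every interface name a config.xml relies on, LAGG members, VLAN parents and assigned interfaces, against the NICs the target box actually reports, which is the first thing to verify when a migrated config silently falls back to factory defaults. The config fragment and NIC list are constructed samples shaped like the ones in this thread, with one deliberately bogus NIC (em3) added to show what a mismatch looks like.

```python
# Added example, not code from the post or from opnsense-importer: cross-check the
# interface names a config.xml refers to against the NICs the target box actually has.
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the fragment in the post (one bogus NIC, em3, added).
SAMPLE_CONFIG = """<opnsense>
  <vlans version="1.0.0">
    <vlan><if>lagg0</if><tag>120</tag><vlanif>vlan0.120</vlanif></vlan>
    <vlan><if>lagg0</if><tag>3</tag><vlanif>vlan03</vlanif></vlan>
  </vlans>
  <laggs><lagg><members>igb0,igb2,ax0,ax1,ice0,ice1</members><laggif>lagg0</laggif></lagg></laggs>
  <interfaces>
    <wan><if>igb1</if></wan>
    <lan><if>vlan03</if></lan>
    <opt1><if>lagg0</if></opt1>
    <opt3><if>vlan0.120</if></opt3>
    <opt8><if>em3</if></opt8>
    <lo0><if>lo0</if><virtual>1</virtual></lo0>
    <openvpn><if>openvpn</if><virtual>1</virtual></openvpn>
  </interfaces>
</opnsense>"""
# Constructed sample: the NIC names dmesg / `ifconfig -l` report on a DEC4040-like box.
PRESENT_NICS = {"igb0", "igb1", "igb2", "igb3", "ice0", "ice1", "ax0", "ax1"}


def unresolved_interfaces(config_xml: str, present: set[str]) -> dict[str, list[str]]:
    """Map config section -> interface names that no NIC, LAGG, VLAN or virtual device satisfies."""
    root = ET.fromstring(config_xml)
    known = set(present)
    problems: dict[str, list[str]] = {}
    # LAGG members must be physical NICs; the laggif then becomes a usable name.
    for lagg in root.iter("lagg"):
        members = (lagg.findtext("members") or "").split(",")
        bad = [m for m in members if m and m not in present]
        if bad:
            problems.setdefault("laggs", []).extend(bad)
        known.add(lagg.findtext("laggif") or "")
    # VLAN parents may be NICs or LAGGs; the vlanif becomes a usable name.
    for vlan in root.iter("vlan"):
        parent = vlan.findtext("if") or ""
        if parent not in known:
            problems.setdefault("vlans", []).append(parent)
        known.add(vlan.findtext("vlanif") or "")
    # Assigned interfaces; virtual ones (lo0, openvpn, interface groups) are skipped.
    for iface in root.iterfind("interfaces/*"):
        if iface.findtext("virtual") == "1":
            continue
        name = iface.findtext("if") or ""
        if name not in known:
            problems.setdefault("interfaces", []).append(f"{iface.tag}={name}")
    return problems
```

To run it against a real box, pass the contents of /conf/config.xml as config_xml and the whitespace-split output of ifconfig -l as present; an empty result means every reference resolves.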

    OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved