Messages - rudiratlos63

#1
High availability / Master not taking over CARP IP
February 08, 2026, 04:41:09 PM
My HA is working, but the Master will not be promoted to Master after a reboot.
My CARP IPs have the following Virtual IP CARP settings:
Backup Server: Advbase set to 1 and Advskew set to 100, Disable preempt: off
Master Server: Advbase set to 1 and Advskew set to 0, Disable preempt: on
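As an added example (not from the post), a small model of the CARP state machine from FreeBSD's carp(4), applied to the two nodes above: it shows how the preempt setting on the rebooted node decides whether it becomes master again. Node names and the event sequence are constructed.

```python
from dataclasses import dataclass


@dataclass
class CarpNode:
    name: str
    advbase: int      # seconds between advertisements
    advskew: int      # extra delay in 1/256 s; lower means "better"
    preempt: bool     # False corresponds to "Disable preempt: on"
    state: str = "BACKUP"   # CARP always boots into BACKUP

    def interval(self):
        # Compared as (advbase, advskew), like the kernel's timevalcmp().
        return (self.advbase, self.advskew)


def master_down(node):
    """Master-down timer expired: no advertisements heard, take over."""
    node.state = "MASTER"


def hear(node, master):
    """Transition of `node` when it receives an advertisement from `master`."""
    if node.state == "BACKUP":
        if node.preempt and node.interval() < master.interval():
            node.state = "MASTER"          # preempt a slower master
        elif (node.advbase * 3, node.advskew) < master.interval():
            node.state = "MASTER"          # master would time out anyway
        # otherwise: reset the master-down timer and stay BACKUP
    elif node.state == "MASTER":
        if master.interval() <= node.interval():
            node.state = "BACKUP"          # a better or equal master exists


def reboot_scenario(master_preempt):
    """Return (state of node1, state of node2) after node1 reboots.

    node1/node2 are constructed names for the master and backup above.
    """
    node1 = CarpNode("node1", advbase=1, advskew=0, preempt=master_preempt)
    node2 = CarpNode("node2", advbase=1, advskew=100, preempt=True)
    master_down(node1)        # node1 wins the initial election (lowest skew)
    hear(node2, node1)        # node2 hears node1 and stays BACKUP
    node1.state = "BACKUP"    # node1 reboots ...
    master_down(node2)        # ... so node2 stops hearing it and takes over
    hear(node1, node2)        # node1 is back in BACKUP and hears node2
    if node1.state == "MASTER":
        hear(node2, node1)    # node2 sees the better advertisement
    return node1.state, node2.state
```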
#2
High availability / Re: CARP and Unbound DNS response
February 07, 2026, 06:00:17 PM
Thank you for your patience. Now it works.
#3
High availability / Re: CARP and Unbound DNS response
February 06, 2026, 06:46:09 PM
I've got the following error:

There were error(s) loading the rules: /tmp/rules.debug:187: no translation address with matching address family found. - The line in question reads [187]: rdr on vtnet1 inet6 proto {tcp udp} from {(vtnet1:network)} to $CARP_DMZ_IP port {53} -> 127.0.0.1 port 53 # CARP DNS forwarding
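An added example (not from the thread): a small static check that reproduces the address-family test pfctl applies to the translation address of an rdr rule, run against the rule from the error above and two constructed variants. The regular expression only looks at the inet/inet6 keyword and the address after '->'; macros such as $CARP_DMZ_IP are left to pfctl.

```python
import ipaddress
import re

# The rule quoted in the error message above, and constructed variants.
PAGE_RULE = ("rdr on vtnet1 inet6 proto {tcp udp} from {(vtnet1:network)} "
             "to $CARP_DMZ_IP port {53} -> 127.0.0.1 port 53 # CARP DNS forwarding")
V4_RULE = PAGE_RULE.replace("inet6", "inet")        # constructed
V6_RULE = PAGE_RULE.replace("127.0.0.1", "::1")     # constructed


def check_rdr_family(rule):
    """Return None if the rule is consistent, otherwise a short reason.

    Only the address-family keyword (inet/inet6) and the translation
    address after '->' are examined; everything else is left to pfctl.
    """
    body = rule.split("#", 1)[0].strip()          # drop a pf.conf comment
    m = re.match(r"rdr\b(.*?)->\s*(\S+)", body)
    if not m:
        return "not an rdr rule with a translation address"
    head, target = m.groups()
    fam = re.search(r"\b(inet6|inet)\b", head)
    if not fam:
        return None          # no explicit family: pf infers it from addresses
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return None          # macro, table or interface name: cannot decide here
    want = 6 if fam.group(1) == "inet6" else 4
    if addr.version != want:
        return (f"no translation address with matching address family: "
                f"rule is {fam.group(1)} but '{target}' is IPv{addr.version}")
    return None
```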
#4
High availability / Re: CARP and Unbound DNS response
February 05, 2026, 07:01:03 PM
Where should I do this?
I have AdGuard running on DNS port 53. Unbound runs on port 5354.
#5
High availability / Re: CARP and Unbound DNS response
February 05, 2026, 03:55:05 PM
Hello Patrick,
this is not working, same result. Please see the attached screenshots. I've defined the NAT rule you suggested.
#6
High availability / CARP and Unbound DNS response
February 04, 2026, 05:14:29 PM
Hello,
I have a CARP IP (10.8.99.1) on my internal interface and a physical IP (10.8.99.3).
My client gets the DNS server IP via Kea DHCP as the CARP IP (10.8.99.1).
An nslookup of google.com from the client CLI gets the error that the answer is expected from 10.8.99.1#53, but 10.8.99.3#3 responded.
The client drops the DNS response because it's not from the CARP IP.
How do I configure Unbound to use the CARP IP and not the physical IP of node1 in the HA config?
#7
Hi, I'm trying to run Home Assistant (running on port 8123) behind the nginx plugin.
In the Home Assistant configuration.yaml, in the http: section, I have the entries use_x_forwarded_for: true and trusted_proxies: <lan address of opnsense>

In the nginx HTTP access logs I get the error status codes 304, 400 and 499.

According to
https://community.home-assistant.io/t/reverse-proxy-using-nginx/196954

headers like these are needed:
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

But I cannot get it to work.

Is there a way to set the headers via the OPNsense web GUI?
#8
Also install the CrowdSec plugin.
#9
Hi,
I have a similar configuration: a FritzBox (FB) and behind it an ESXi VM with OPNsense.
In the FB I have entered the OPNsense IP as the exposed host, so the FB does no filtering; OPNsense is supposed to do all of that. DynDNS is handled exclusively by OPNsense. In the DMZ (2nd Ethernet port) I also have a mail server that offers SMTP as well as a web interface for email handling.
For that I use the nginx proxy. I have not installed HAProxy. nginx listens on port 443 and forwards to port 80 of the mail server, so certificate handling is done exclusively by nginx on the OPNsense with the ACME client.
I have several certificates for webmail.mydomain.xx, ftp.mydomain.xx etc. The nginx proxy can then branch to the individual upstream servers in the DMZ based on these domains.

In the firewall alias section:
define an alias named webaccess with the content 80 and 443
further aliases as needed, e.g. for ftp, ical etc.

In the firewall rules WAN section create one entry each:
protocol:IP4 Source:* Port:* Destination:WAN address Port:webaccess Gateway:* Schedule:*

You don't need NAT for the individual nginx upstream servers. You only need it for services that don't use the nginx proxy, e.g. ftp.
#10
Any news or solutions for that problem?
#11
According to this message:
https://forum.opnsense.org/index.php?topic=38694.0
I reinstalled acme, but same result: certs cannot be renewed.
#12
My response for http://<internal IP of my openses>/.well-known/acme-challenge/XXXXidXXXXX
is still Forbidden. OPNsense version: OPNsense 24.1_1-amd64
#13
My last automatic cert renewal was executed last December. After upgrading OPNsense (I couldn't remember when), cert renewals are failing. It looks like the lighttpd process running on port 43580 responds with Forbidden.

1. Test on the OPNsense root CLI:
# fetch http://localhost:43580
fetch: http://localhost:43580: Forbidden

2. Test on desktop Firefox, calling
http://<internal IP of my openses>/.well-known/acme-challenge/XXXXidXXXXX....
results in Forbidden

sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     lighttpd   94028 4  tcp4   127.0.0.1:43580       *:*
#14
I have the same problem if I'm connected to my WLAN behind OPNsense.
Unbound DNS: Blocklist / Force SafeSearch is OFF.
Connecting to my router WLAN (it's my guest WLAN) I have no issue.
#15
Thank you, it's working.
I used an alternative service, which sent me an EICAR email.