Messages - amuckart

#1
Thanks Franco.

The issue that's bitten me a couple of times now doing upgrades of Business Edition at a remote office is something triggers a kernel panic on reboot, the firewall drops to KDB and just sits there until someone can physically access the console and restart it.

For a production firewall I would far rather have it auto reboot after 15 seconds.

The Kernel Debugging chapter of the handbook says:
Quote:
The third way is that any panic condition will branch to DDB if the kernel is configured to use it. For this reason, it is not wise to configure a kernel with DDB for a machine running unattended.
To obtain the unattended functionality, add:

options    KDB_UNATTENDED

to the kernel configuration file and rebuild/reinstall.

In the Glossary it says:
Quote:
options KDB_UNATTENDED: change the default value of the debug.debugger_on_panic sysctl to 0, which controls whether the debugger is entered on panic. When options KDB is not compiled into the kernel, the behavior is to automatically reboot on panic; when it is compiled into the kernel, the default behavior is to drop into the debugger unless options KDB_UNATTENDED is compiled in. If you want to leave the kernel debugger compiled into the kernel but want the system to come back up unless you're on-hand to use the debugger for diagnostics, use this option.

I see DDB and KDB options in the kernel, but not KDB_UNATTENDED.

I'll submit a feature request to add this.

Cheers.
#2
Hi Franco,

Thanks for the reply.

Quote from: franco on March 20, 2026, 12:26:54 PM
Don't sync users if you want to keep the local copies or use different usernames here.

If that is the case, I think the documentation needs to be updated to be explicit about this.

Currently it says the existing API key+secret (I assume this means the one on the machine, but that's ambiguous as the docs are written) will be merged - which is the correct and sensible behaviour - but that isn't happening and access breaks as soon as you sync users.

This is a major flaw for something billed as a central management solution.
#3
25.7, 25.10 Series / OPNcentral Overwriting API Keys
March 20, 2026, 06:07:36 AM
The documentation for opncentral says:
Quote:
When users and groups are synchronized, the existing api key+secret is merged into the user with the same name to prevent access issues after reconfigure. To avoid issues, make sure there's a unique username with proper credentials before using the synchronization.

What conditions are required to make this work?

Running OPNcentral on OPNsense 25.10.2_4-amd64, if I have an 'opncentral' user on the firewall being managed, and I generate an API key for that user and use it to connect to the firewall from OPNcentral, as soon as I provision the managed firewall the API key either gets erased if there isn't one on the OPNcentral machine, or overwritten by the one on the OPNcentral machine if there is. That immediately breaks access to the managed device until I regenerate an API key and add it back into OPNcentral.

It seems like this is not the intended behaviour, but I can't figure out what the settings need to be to make this work.

Can anyone enlighten me?

Thanks.
#4
After a recent upgrade to Business Edition 25.10.2 resulted in a kernel panic that required on-site assistance to recover because it hung the firewall, I went looking at the 'panic' related sysctls and noticed the sysctl debug.debugger_on_panic is set to 1.

Having this set means the firewall requires on site intervention to recover from a kernel panic which is suboptimal for a remote office firewall.

What's the purpose of this setting in OPNsense?

Thanks.
#5
Getting a serial console working on the first serial port (uart0/COM1) is simple and works as per the instructions.

On some servers the second serial port is the one that redirects to the BMC so if you want the console available via SSH to the BMC you have to use the correct port.

Getting a serial console working on a different serial port is less obvious, but quite possible and can be done entirely from the web GUI.

Find Serial Ports
firewall:~ # dmesg | grep uart
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0

This shows two serial ports, uart0 with base address 0x3f8, and uart1 with base address 0x2f8 which is the one I want because it redirects to the BMC shell.

Test Serial Port
You can check you've got the correct one by connecting to it and then starting a getty on it from a separate root shell on the firewall, e.g.
/usr/libexec/getty 3wire.19200 ttyu1
Adjust the speed (19200 in this case). Search /etc/gettytab for '3wire' to see available speeds.

If you need to restart it to try a different speed or whatever, kill the getty with
pkill -f 'getty.*ttyu1'
Configure Serial Port For Console
To use the serial port at uart1, make a note of the base address from the dmesg output then go to System: Settings: Tunables and add two new tunables, adapting the base address and speed to match your hardware:

Tunable hw.uart.console
Value io:0x2f8,br:19200
Description Use second serial port as the serial console for redirection to BMC

Tunable comconsole_port
Value 0x2F8
Description Force serial console to use second serial port

Connect to the relevant serial port and reboot the firewall to make sure it's working as expected. The settings are boot-time and I'm not aware of a way to apply them without a reboot.
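As an added helper (not part of the post above), the following script derives the two tunable values the post sets from the dmesg uart lines, so the base address is copied from the probe output rather than typed by hand. The dmesg text embedded here is a constructed sample of the lines shown in the post; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: derive hw.uart.console and
# comconsole_port for a given uart unit from "dmesg | grep uart" output.

# Constructed sample of the dmesg lines shown in the post (not live output).
SAMPLE_DMESG='uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0'

# uart_base <dmesg text> <unit number> -> prints the I/O base address of uartN
# (e.g. 0x2f8), taken from the "port 0xAAA-0xBBB" field of its probe line.
uart_base() {
    printf '%s\n' "$1" | awk -v unit="uart$2:" '
        $1 == unit && $0 ~ / port 0x/ {
            for (i = 1; i <= NF; i++)
                if ($i == "port") { split($(i + 1), r, "-"); print r[1]; exit }
        }'
}

# console_tunables <dmesg text> <unit number> <baud>
# Prints the two tunables the post adds under System: Settings: Tunables:
#   hw.uart.console=io:<base>,br:<baud>
#   comconsole_port=<base>
# Returns 1 and prints nothing if the unit does not appear in the probe output,
# so a typo in the unit number cannot produce a console setting for a port
# that does not exist.
console_tunables() {
    base=$(uart_base "$1" "$2")
    [ -n "$base" ] || return 1
    printf 'hw.uart.console=io:%s,br:%s\n' "$base" "$3"
    printf 'comconsole_port=%s\n' "$base"
}

# On a live system: console_tunables "$(dmesg | grep uart)" 1 19200
console_tunables "$SAMPLE_DMESG" 1 19200
```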
#6
Any idea when install images for 25.4.2 Business Edition will be available? I only see 25.4.1 on the site at the moment.

Thanks.
#7
Quote from: wrobelda on May 16, 2025, 03:34:49 PM
I wrote a script to convert the ISC mappings to DnsMasq CSV file, hopefully someone finds that useful:

https://gist.github.com/wrobelda/403fe4e7ff542ce14a4bba9a06e40777

Thank you for this, it was very useful to me.
#8
General Discussion / Add LAN Interface From WebGUI
June 10, 2025, 12:24:46 AM
I suspect this is a real corner-case situation, but I'm curious as to why it's not possible.

I've been testing OPNcentral, and as part of that I built an OPNcentral VM. Not knowing at the time how OPNcentral works I created the VM with only a WAN interface because it's a dedicated management device that doesn't need any other interfaces.

Unfortunately to be able to sync firewall rules to my managed firewalls the OPNcentral device needs to have the same interfaces as all the managed firewalls, so I started adding them.

I found there is no way to add a LAN interface via the WebGUI. The only way to do it is via the initial setup menus, but doing that breaks the WAN interface.

Am I missing something that would allow me to create the LAN interface without disrupting the WAN interface, or is this just not possible because who in their right mind would set up a firewall with only one interface?
#9
Thank you Eric.

Sorry for the reply lag, I failed to turn on notifications for this topic.

I can use the configuration history to see the changes. Even though reading the XML isn't ideal, it'll do.

It's unfortunate that one can't easily discard changes or 'Apply' a rolled-back config without rebooting the whole box. That's quite painful for an enterprise firewall.

It seems like some things, like firewall categories do change immediately when the configuration is rolled back. For rules, they show up back in the UI list but the "Apply" button isn't there.

Toggling a trivial change, like whether a rule logs or not, does make the Apply button appear though, and clicking that will apply the whole ruleset as seen in the UI. It's not a great user experience, but it does seem to work.

Thanks for pointing me in the right direction.
#10
Thank you. I'll email you now.
#11
Having manually installed the Zabbix Agent plugin, it turns out OPNcentral can't configure it anyway :(
#12
OPNcentral can do firmware upgrades on managed firewalls, but I can't see any way to get it to install plugins that are missing.

If I've got something like Zabbix Agent config on my OPNcentral device and I sync that to a managed firewall it just doesn't work because the plugin isn't there, and it doesn't seem to attempt to install the plugin.

Given how cumbersome it is to install multiple plugins, and how slow the post-install update is on Business Edition after every plugin install, this makes the process of building a new firewall quite painful.

I was really hoping I'd be able to install the base system, a license, and just enough config to get OPNcentral talking to it and do the rest from there.

Am I missing something, or can OPNcentral not do plugin installs for managed firewalls?

Thanks.
#13
I'm testing OPNcentral to manage office firewalls.

So far it has promise but is missing some really critical features to be usable across an enterprise fleet.

One thing I cannot get to work at all is syncing WebGUI config and user config without breaking OPNcentral's access to the firewall it is configuring. I'm not sure if I'm doing something wrong, or if OPNcentral just isn't intended to be used to sync those things.

The situation I have is that the managed firewalls have a hostname that is in our internal DNS and not resolvable over the Internet. They have Caddy set up to reverse proxy the management interface (with appropriate ACLs) and handle TLS certificates. There is a publicly resolvable domain set up in Caddy, and that is the URL set up for the firewall in OPNcentral.

Because OPNcentral connects to the managed firewalls on this public URL, which is different (by policy) from the hostname of the device, they need to have 'Alternate Hostnames' configured under System -> Settings -> Administration. Disabling the DNS Rebind Check is not an option.

The problem is that whenever the OPNcentral machine configures WebGUI it overwrites the Alternate Hostnames, which immediately breaks its ability to manage the firewall.

The only way around this seems to be to either not sync WebGUI settings at all, and risk having them drift; or to set every Alternate Hostname in OPNcentral and have it set all of them on all of the managed firewalls.

Neither option is great. Technically I could get around this by getting rid of Caddy and setting up a VPN between the OPNcentral instance and the managed firewalls, but that gets me into exactly the same situation where VPN configuration is one of the big things I want to be able to manage centrally. Given the issues I'm having here, I doubt that is actually possible.


The other issue I'm having is that every time I sync users and groups, OPNcentral deletes the API key for the user it is using to access the device, which immediately breaks the rest of the sync.

I don't know what I'm missing here, but I can't see a way to sync users and groups to my managed firewalls (which is one of our key requirements) without having the API key generated on the OPNcentral box and therefore be the same across all of the managed firewalls, which is not an option for us.

Am I missing something here, or is OPNcentral really just for making exact clones of itself and not for actually managing firewalls that may have configuration differences?

This seems to come back to a couple of critical missing capabilities in OPNcentral - namely the ability to selectively apply things to different firewalls so you can e.g. sync users except the user bound to the API key OPNcentral is using; and the ability to have some kind of macro or variable expansion configured per managed device so you can do things like push different Alternate Hostnames, or have different domains in Caddy configuration, etc.

Are these things solvable, or am I expecting too much out of OPNcentral?
#14
Thank you, that worked for me. It also exposed a bunch of other limitations in the HA configuration :( but those are separate problems.
#15
Is there a way to see what changes will be applied to firewalls from the web GUI?

I can do it by diffing the config.xml and the most recent backup, but that's kind of ugly.

Same with cancelling the changes.

At the moment the big "Apply Changes" button can appear in the firewall rules section without any obvious cause. Clicking the "disable log" button and re-enabling it makes it appear just as much as adding a "pass any/any in on WAN" rule does, and there's no way to review the changes without SSH'ing in and diffing the XML.

This is quite a big issue for production environments.

Thanks.