Messages - Al Muckart

#1
Does anyone have a working setup using the os-OPENWAF plugin to reverse proxy the web GUI?

No matter what I try I just get a 'Forbidden' page.

There is excellent and extensive documentation for doing this with Caddy, but the documentation for os-OPENWAF is a lot less comprehensive.

Thanks.
#2
Quote from: Patrick M. Hausen on March 26, 2026, 08:42:52 AM
Why don't you set it to 0, then? You can add arbitrary tunables from the UI.

I do now. I don't think I should have had to deal with firewalls going offline and requiring remote hands to diagnose the issue and reboot to figure out I needed to do that though.
#3
Quote from: BrandyWine on March 28, 2026, 12:38:00 AM
Requires onsite visit? Do you mean to be able to do "reboot" from the console, or recycle the power?
If that's the type of remote location it is, then maybe some form of out-of-band console access should be there?

Or, set that option to 0, and still evaluate OOB access.

Yes, it requires someone to be on-site to do a reboot from the console.

It's fine to have this feature available in the event that someone is experiencing persistent problems and needs debug information, but there's no way it should be the default on a production firewall. The FreeBSD handbook even says this outright.
#4
Brilliant, thank you.
#5
Mostly posting this for the search. The explanation and solution is in https://forum.opnsense.org/index.php?topic=51150

If you have a setup where you use OIDC and your web GUI is behind Caddy reverse proxy, the upstream change to Caddy will break OIDC because the OIDC provider will see the redirect_uri as being https://localhost:8443/api/oidc/rp/finalize/Keycloak which is obviously invalid.

Adding the {host} header fixes it.

Services: Caddy: Reverse Proxy -> 'Headers' tab and add the header per the linked post.
Services: Caddy: Reverse Proxy -> 'Handlers' tab, edit your reverse proxy handler, go to Transport > HTTP Headers and select your custom header from the dropdown.
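For readers who run Caddy outside the OPNsense plugin, here is the equivalent of the two GUI steps above as a plain Caddyfile. This is an added example, not part of the post and not configuration shipped by os-caddy or OPNsense; the public hostname and the upstream address are assumptions (the upstream port comes from the redirect_uri quoted in the post).

```caddyfile
# Added example: Caddyfile equivalent of the 'Headers' + 'Handlers' GUI settings.
# firewall.example.com and https://localhost:8443 are assumptions for illustration.
firewall.example.com {
    reverse_proxy https://localhost:8443 {
        # Forward the client's original Host header to the web GUI. Without it the
        # backend sees Host: localhost:8443 and builds the OIDC redirect_uri from that,
        # which the identity provider then rejects.
        header_up Host {host}
        transport http {
            # Only tolerable because the upstream is the loopback interface; for a
            # remote upstream, trust its CA instead of skipping verification.
            tls_insecure_skip_verify
        }
    }
}
```

The relevant line is `header_up Host {host}`; the rest is the minimum needed to make the fragment load.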
#6
Apologies Franco, I completely missed that you'd replied.

Thank you for the fix.

I've applied that extension on my test firewall and it does prevent the API key from being overwritten.

It does leave the 'Users and groups' section always marked as out of sync though.

Thanks again.
#7
Thanks Franco.

The issue that's bitten me a couple of times now doing upgrades of Business Edition at a remote office is that something triggers a kernel panic on reboot, the firewall drops to KDB and just sits there until someone can physically access the console and restart it.

For a production firewall I would far rather have it auto reboot after 15 seconds.

The Kernel Debugging chapter of the handbook says:
Quote
The third way is that any panic condition will branch to DDB if the kernel is configured to use it. For this reason, it is not wise to configure a kernel with DDB for a machine running unattended.
To obtain the unattended functionality, add:

options    KDB_UNATTENDED

to the kernel configuration file and rebuild/reinstall.

In the Glossary it says:
Quote
options KDB_UNATTENDED: change the default value of the debug.debugger_on_panic sysctl to 0, which controls whether the debugger is entered on panic. When options KDB is not compiled into the kernel, the behavior is to automatically reboot on panic; when it is compiled into the kernel, the default behavior is to drop into the debugger unless options KDB_UNATTENDED is compiled in. If you want to leave the kernel debugger compiled into the kernel but want the system to come back up unless you're on-hand to use the debugger for diagnostics, use this option.

I see DDB and KDB options in the kernel, but not KDB_UNATTENDED.

I'll submit a feature request to add this.

Cheers.
#8
Hi Franco,

Thanks for the reply.

Quote from: franco on March 20, 2026, 12:26:54 PM
Don't sync users if you want to keep the local copies or use different usernames here.

If that is the case, I think the documentation needs to be updated to be explicit about this.

Currently it says the existing API key+secret (I assume this means the one on the machine, but that's ambiguous as the docs are written) will be merged - which is the correct and sensible behaviour - but that isn't happening and access breaks as soon as you sync users.

This is a major flaw for something billed as a central management solution.
#9
The documentation for opncentral says:
Quote
When users and groups are synchronized, the existing api key+secret is merged into the user with the same name to prevent access issues after reconfigure. To avoid issues, make sure there's a unique username with proper credentials before using the synchronization.

What conditions are required to make this work?

Running OPNcentral on OPNsense 25.10.2_4-amd64, if I have an 'opncentral' user on the firewall being managed, and I generate an API key for that user and use it to connect to the firewall from OPNcentral, as soon as I provision the managed firewall the API key either gets erased if there isn't one on the OPNcentral machine, or overwritten by the one on the OPNcentral machine if there is. That immediately breaks access to the managed device until I regenerate an API key and add it back in to OPNcentral.

It seems like this is not the intended behaviour, but I can't figure out what the settings need to be to make this work.

Can anyone enlighten me?

Thanks.
#10
After a recent upgrade to Business Edition 25.10.2 resulted in a kernel panic that required on-site assistance to recover because it hung the firewall, I went looking at the 'panic' related sysctls and noticed the sysctl debug.debugger_on_panic is set to 1.

Having this set means the firewall requires on site intervention to recover from a kernel panic which is suboptimal for a remote office firewall.

What's the purpose of this setting in OPNsense?

Thanks.
#11
Getting a serial console working on the first serial port (uart0/COM1) is simple and works as per the instructions.

On some servers the second serial port is the one that redirects to the BMC so if you want the console available via SSH to the BMC you have to use the correct port.

Getting a serial console working on a different serial port is less obvious, but quite possible and can be done entirely from the web GUI.

Find Serial Ports
firewall:~ # dmesg | grep uart
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0

This shows two serial ports, uart0 with base address 0x3f8, and uart1 with base address 0x2f8 which is the one I want because it redirects to the BMC shell.

Test Serial Port
You can check you've got the correct one by connecting to and then starting a getty on it from a separate root shell on the firewall, e.g.
/usr/libexec/getty 3wire.19200 ttyu1
Adjust the speed (19200 in this case). Search /etc/gettytab for '3wire' to see available speeds.

If you need to restart it to try a different speed or whatever, kill the getty with
pkill -f 'getty.*ttyu1'
Configure Serial Port For Console
To use the serial port at uart1, make a note of the base address from the dmesg output then go to System: Settings: Tunables and add two new tunables, adapting the base address and speed to match your hardware:

Tunable: hw.uart.console
Value: io:0x2f8,br:19200
Description: Use second serial port as the serial console for redirection to BMC

Tunable: comconsole_port
Value: 0x2F8
Description: Force serial console to use second serial port

Connect to the relevant serial port and reboot the firewall to make sure it's working as expected. The settings are boot-time and I'm not aware of a way to apply them without a reboot.
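The three steps above (find the port in dmesg, test it with a getty, derive the two tunables) can be scripted so the base address is copied from dmesg rather than typed by hand. The script below is an added example and not part of the post or of OPNsense; the dmesg lines it runs against are constructed to mirror the ones quoted above, and the function and variable names are my own.

```sh
#!/bin/sh
# Added example (not from the post or OPNsense): derive the serial-console
# tunables for a chosen uartN from dmesg output, and print the getty command
# used to test the port first. Sample dmesg text below is constructed.

SAMPLE_DMESG='uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0'

# uart_base UNIT [DMESG_TEXT]
# Print the I/O base address (e.g. 0x2f8) of uartN. Reads dmesg(8) when no
# text is supplied; returns 1 if that unit does not appear.
uart_base() {
    unit=$1
    text=${2:-$(dmesg)}
    base=$(printf '%s\n' "$text" |
        sed -n "s/^uart${unit}: .* port \(0x[0-9a-fA-F]*\)-0x[0-9a-fA-F]* .*/\1/p" |
        head -n 1)
    [ -n "$base" ] || return 1
    printf '%s\n' "$base"
}

# console_tunables UNIT SPEED [DMESG_TEXT]
# Print the two tunables to add under System: Settings: Tunables, one per
# line as NAME=VALUE, with the base address taken from dmesg.
console_tunables() {
    unit=$1
    speed=$2
    base=$(uart_base "$unit" "$3") || return 1
    printf 'hw.uart.console=io:%s,br:%s\n' "$base" "$speed"
    printf 'comconsole_port=%s\n' "$base"
}

# getty_cmd UNIT SPEED
# The command to run from a separate root shell to confirm the port and
# speed before committing the tunables and rebooting (uartN maps to ttyuN).
getty_cmd() {
    printf '/usr/libexec/getty 3wire.%s ttyu%s\n' "$2" "$1"
}

# Example run against the constructed sample instead of the live dmesg.
console_tunables 1 19200 "$SAMPLE_DMESG"
getty_cmd 1 19200
```

On the firewall itself drop the third argument so the functions read the live dmesg; the script only reports what it found and never writes the tunables, so nothing changes until you add them in the GUI.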
#12
Any idea when install images for 25.4.2 Business Edition will be available? I only see 25.4.1 on the site at the moment.

Thanks.
#13
Quote from: wrobelda on May 16, 2025, 03:34:49 PM
I wrote a script to convert the ISC mappings to DnsMasq CSV file, hopefully someone finds that useful:

https://gist.github.com/wrobelda/403fe4e7ff542ce14a4bba9a06e40777

Thank you for this, it was very useful to me.
#14
General Discussion / Add LAN Interface From WebGUI
June 10, 2025, 12:24:46 AM
I suspect this is a real corner-case situation, but I'm curious as to why it's not possible.

I've been testing OPNcentral, and as part of that I built an OPNcentral VM. Not knowing at the time how OPNcentral works I created the VM with only a WAN interface because it's a dedicated management device that doesn't need any other interfaces.

Unfortunately to be able to sync firewall rules to my managed firewalls the OPNcentral device needs to have the same interfaces as all the managed firewalls, so I started adding them.

I found there is no way to add a LAN interface via the WebGUI. The only way to do it is via the initial setup menus, but doing that breaks the WAN interface.

Am I missing something that would allow me to create the LAN interface without disrupting the WAN interface, or is this just not possible because who in their right mind would set up a firewall with only one interface?
#15
Thank you Eric.

Sorry for the reply lag, I failed to turn on notifications for this topic.

I can use the configuration history to see the changes. Even though reading the XML isn't ideal, it'll do.

It's unfortunate that one can't easily discard changes or 'Apply' a rolled-back config without rebooting the whole box. That's quite painful for an enterprise firewall.

It seems like some things, like firewall categories do change immediately when the configuration is rolled back. For rules, they show up back in the UI list but the "Apply" button isn't there.

Toggling a trivial change, like whether a rule logs or not, does make the Apply button appear though, and clicking that will apply the whole ruleset as seen in the UI. It's not a great user experience, but it does seem to work.

Thanks for pointing me in the right direction.