Messages

An Idle OPNsense, with only a shaper enabled and some tunables memory usage is something around 1G with opened GUI.
This is with no traffic and like 10 states opened. And hostwatch disabled.

I assume your OPN is in PROD?
It seems to me you are  in the spec.

Regards,
S.

You should create a WG interface, for your WG instance as this is the recommended deployment.

SSH for the FW can bind to all interfaces or particular ones. The ones that are selected are the ones SSH daemon will listen to.
Which IP of which Interface do you try to connect to?
Is that IP of that interface you set SSH listen to?

Additionally you need rules to allow ssh traffic from source on its interface/GW.
Do you allow ssh on the WG?

I would advice as well to follow the docs rather than an AI chatbot that often misinterprets deployments and instructions
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
https://docs.opnsense.org/manual/settingsmenu.html#secure-shell

Regards,
S.

To configure it you need the proper license for both ZA instances if I remember correctly.

Without it it will not unlock you the HA configuration menu.

Refer to the docs

https://www.zenarmor.com/docs/opnsense/configuring/high-availability

Regards,
S.

You cant,

if you are looking for ZA HA, you cant do that with your current sub.

You can create a HA for OPNsense on CE and then create two independent ZA instances on two those devices.

But you will have HA only OPN not ZA.

Regards,
S.

I use them to group different rules together and can see them visually.

This is just awesome.... Thank you for the inspiration!

Regards,
S.

Would it be possible to have the Statistic section in a single row if I expand its section?

https://github.com/opnsense/core/issues/9674

Regards,
S.

Happens, but I will be honest it was bit weird why its nowhere properly stated :D

Regards,
S.

With the group rules residing "between" floating and interface rules, the "only one interface switch" effectively causes an implicit shift of two priority levels, or am I incorrect?

That would mean I have to place block rules somewhere else (at least if they apply to one interface only).

You are correct,

If your rule design was based on 1-interface based Floating, depending on how the rules is setup it will have an unwanted outcome during migration because as you said it will be demoted to Interface level rule.

You most likely need a redesign of the rule-set if you were dependent on 1-interface based Floating rules.

Regards,
S.

Now that I learned how I can apply an explicit order to group rules that makes sense :-)

So if you use the sequence inside a priority group, you have indeed full control over when rules are processed in that priority group.

I call them my little magical numbers.

But Patrick is right, this is not mentioned in the docs, even though the "sequence" gives a hint. Maybe would be great if it can be explicitly stated on the Group docs pages for us who read the docs :)

Regards,
S.

One must remember to only use allow in the group rules.

Well not necessary, I use a Block based policy as a Group. Basically I have a group with seq 0 that is above all other rules. This group is applied to all interfaces even WAN. It block stuff like:

- Qfeeds
- Malicous traffic (open source drop list)
- External DNS
- DoH & DoT DNS server (Hagezi list)
- NFS & SMB traffic
- etc.

Because this group applies as well for DDI (where the DNS server lives) one rule in this group has a source !DDI net statement to allow DDI VLAN bypass this one rule in the group and allow them to go to upstream DNS server. AS only this VLAN is allowed to do so.


Regards,
S.

But this rule "Allow any to !RFC1918" only allows access to Internet, it doesn't catch RFC1918 to RFC1918.
So an interface based rule will be still applied for RFC1918 to RFC1918.

Regards,
S.

Indeed the sequence order in the groups sets the order of those group rules when inherited into an Interface.

And you are right its not mentioned in docs just slightly hinted in
https://docs.opnsense.org/manual/how-tos/security-zones.html#setup-interface-groups

I have several groups created, cause I look at them as policies, and policies are inherited into Interfaces (I look at them as Zones). So when you do groups its necessarily to consider the sequence order because of

groups use 300000

This means 300000 + the sequence number in groups

https://docs.opnsense.org/manual/how-tos/security-zones.html#setup-interface-groups

At least that was my interpretation when doing the design.

Regards,
S.

The funny thing is, once the separators were implemented the people who cried for them never gave any feedback anymore.

Alright so that you don't feel sad about this I have one complain :)

Would it be possible to have the Statistic section in a single row if I expand its section?


It drives me nuts that its in two rows even tough I have a lot of space...

Regards,
S.

I am having the same combination, Pihole + OPN.
But I run Piholes in a HA setup cause why not.

Regards,
S.

I've ordered one and hope it will work as well as recommended.

I use it as primary AP in dumb mode, with several SSIDs bound to different VLANs. Basically the AP works as WiFI + VLAN separation.

How does quoting work in this forum software? I can't get it to work and have simply copied it manually in.

On each reply click the "QUOTE" button to quote the whole reply or highlight a word/sentence from a reply and click "QUOTE SELECTED TEXT"

Regards,
S.