Messages - litebit

#1
Hi,

Thanks for the tip.
I checked the advskew values on master and backup, they were already set to 0 (on the master) and 100 (on the backup).
I now changed the ones on the backup to 254.
In case it matters : the advbase values are "1" on both hosts.

I'll give feedback in a few days whether this change helps or not.
#2
No one out there with a similar problem while using HA?
It also seems to cause some issues with DNS (when the secondary is the active one)
#3
Hi,

My setup in short:
- Primary OPNsense and backup OPNsense each in a VM on ESX, same hardware specification for the VM
- 4 regular interfaces (LAN, WAN, DMZ, GUEST)
- 1 trunk interface 
- 1 "sync" interface for any HA and sync purposes
- 3 CARP interfaces with a virtual IP: LAN, GUEST, DMZ (each time an IP ending with .1)
Configuration seems to sync fine. When I check the status of the virtual IPs on the primary, I see that all 3 are "Master".

The addressing is as follows:
.1 = the virtual IP
.2 = the primary firewall
.3 = the secondary firewall

To go to the web UI, I'm using the .1 virtual IP address of the LAN.
Although the primary is always master, the .1 seems to switch randomly and often between primary and backup (even though the primary is always master).

Is this expected behavior?
If not, how can this be fixed?

I appreciate the feedback

L.
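An added check, not from the posts or from OPNsense, that parses the CARP lines of FreeBSD `ifconfig` output from both nodes and flags the states that let a VIP answer from the wrong box: a vhid that is MASTER on both nodes, or a MASTER that carries the higher advskew. The ifconfig text is a constructed sample built around the setup above (three vhids, advskew 0 on the primary and 254 on the backup); interface names and addresses are assumptions.

```python
import re

# Constructed sample output modelled on FreeBSD `ifconfig` carp lines, using the
# three VIPs (vhid 1-3) and the advskew values 0 / 254 from the posts above.
PRIMARY_IFCONFIG = """\
vmx0: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 0
vmx1: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: MASTER vhid 2 advbase 1 advskew 0
vmx2: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: MASTER vhid 3 advbase 1 advskew 0
"""
# Backup sample: vhid 3 also claims MASTER, the state in which a VIP answers from the wrong box.
BACKUP_IFCONFIG = """\
vmx0: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: BACKUP vhid 1 advbase 1 advskew 254
vmx1: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: BACKUP vhid 2 advbase 1 advskew 254
vmx2: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: MASTER vhid 3 advbase 1 advskew 254
"""
_CARP_LINE = re.compile(r"\s+carp: (MASTER|BACKUP|INIT) vhid (\d+) advbase (\d+) advskew (\d+)")

def parse_carp(ifconfig_text):
    """Map vhid -> {iface, state, advbase, advskew} from ifconfig output."""
    vhids, iface = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():      # "vmx0: flags=..." starts a new interface
            iface = line.split(":", 1)[0]
        m = _CARP_LINE.match(line)
        if m:
            state, vhid, advbase, advskew = m.groups()
            vhids[int(vhid)] = {"iface": iface, "state": state, "advbase": int(advbase), "advskew": int(advskew)}
    return vhids

def audit_carp(primary, backup):
    """Return findings per vhid; an empty list means the pair looks consistent."""
    findings = []
    for vhid in sorted(set(primary) | set(backup)):
        if vhid not in primary or vhid not in backup:
            findings.append(f"vhid {vhid}: present on only one node")
            continue
        p, b = primary[vhid], backup[vhid]
        if p["state"] == "MASTER" and b["state"] == "MASTER":
            findings.append(f"vhid {vhid}: MASTER on both nodes (neither sees the other's advertisements)")
        if p["advskew"] == b["advskew"]:
            findings.append(f"vhid {vhid}: equal advskew {p['advskew']} on both nodes, no deterministic winner")
        elif b["state"] == "MASTER" and b["advskew"] > p["advskew"]:
            findings.append(f"vhid {vhid}: backup is MASTER despite the higher advskew ({b['advskew']} > {p['advskew']})")
    return findings
```

Run `audit_carp(parse_carp(PRIMARY_IFCONFIG), parse_carp(BACKUP_IFCONFIG))` against the sample and only vhid 3 is reported; on real boxes feed it the output of `ifconfig` from each node.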
#4
High availability / Re: HA CARP VIP question
November 29, 2023, 10:41:20 AM
It didn't work when I was preparing the HA setup, I guess it only works once the HA setup is active.
Now it works.
#5
(bump?)
#6
High availability / HA CARP VIP question
November 25, 2023, 02:22:03 PM
Hi,

I'm trying to migrate from a single Opnsense to a dual HA Opnsense setup.
LAN side only (each OPNsense box would be connected to a different ISP). Most important for me would be to keep configuration/settings (alias, rules, DHCP, dynamic DNS, OpenVPN, ....) in sync.
I don't mind sessions needing to be restarted when the failover takes place.

The first question: can the VIP on the LAN side also be used to access & manage the master box?
example:
node 1 has IP .2 (=master)
node 2 has IP .3 (=backup/slave)
VIP = .1
Can node 1 also be managed (via the GUI) via the .1 address?

#7
Hi,

I've a question regarding Firewall Aliases (the URL Table type).
When I add more than one URL, each pointing to a different list of IP networks, and between those different lists some networks are the same, or listed multiple times, does OPNsense automatically do deduplication (I mean, when building the internal table for this alias, list those duplicate networks only once)?

Thanks
#8
23.1 Legacy Series / Re: Letsencrypt -
June 03, 2023, 03:37:11 PM
Ok thanks.

Problem solved, case closed  :)
#9
23.1 Legacy Series / Re: Letsencrypt -
June 02, 2023, 09:44:13 PM
Hi,

So in OPNsense you cannot "name" the certificate itself anymore like in pfsense?

[screenshot: Opnsense]

[screenshot: pfsense]

Changing the name to the domain name works, but now, sadly, the ACME script wipes all my "dynamic A" records at Namecheap.


#10
23.1 Legacy Series / Letsencrypt -
June 02, 2023, 04:47:22 PM
Hi,

I'm planning to migrate from pfsense to OPNsense, so I'm checking/testing service by service.
One of these is the ACME client for Letsencrypt. Using the same (or similar) settings from what I have on pfsense, I'm running into an issue on OPNsense...

The domain myvpn.loftnet.xyz exists, and on pfsense a certificate is issued without any error.
I don't know where the "Domain name contains an invalid character" comes from.
Anyone any idea?

2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] Diagnosis versions:
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] Please add '--debug' or '--log' to check more details.
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] _on_issue_err
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] skip dns.
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] dns_entries
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] _clearupdns
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] No need to restore nginx, skip.
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] pid
}
"status": 400
"detail": "Error creating new order :: Cannot issue for \"cert_loftnet_ext_myvpn_v2\": Domain name contains an invalid character",
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] Create new order error. Le_OrderFinalize not found. {
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:51 CEST 2023] Le_OrderFinalize
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] Le_LinkOrder
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] code='400'
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] _ret='0'
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L '
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] POST
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] _ret='0'
2023-06-02T16:40:50 acme.sh [Fri Jun 2 16:40:50 CEST 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L -I '
2023-06-02T16:40:50 acme.sh [Fri Jun 2 16:40:50 CEST 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
2023-06-02T16:40:50 acme.sh [Fri Jun 2 16:40:50 CEST 2023] HEAD
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] RSA key
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] payload='{"identifiers": [{"type":"dns","value":"CERT_LOFTNET_EXT_MYVPN_V2"},{"type":"dns","value":"myvpn.loftnet.xyz"}]}'
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] d
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] d='myvpn.loftnet.xyz'
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] Getting domain auth token for each domain
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] Multi domain='DNS:CERT_LOFTNET_EXT_MYVPN_V2,DNS:myvpn.loftnet.xyz'
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] _createcsr
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] The domain key is here: /var/etc/acme-client/home/CERT_LOFTNET_EXT_MYVPN_V2/CERT_LOFTNET_EXT_MYVPN_V2.key
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Using RSA: 4096
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Use length 4096
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Using config home:/var/etc/acme-client/home
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Creating domain key
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Read key length:2048
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _saved_account_key_hash is not changed, skip register account.
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] d
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _currentRoot='dns_namecheap'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Check for domain='myvpn.loftnet.xyz'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] d='myvpn.loftnet.xyz'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _currentRoot='dns_namecheap'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Check for domain='CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] d='CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Le_LocalAddress
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _chk_alt_domains='myvpn.loftnet.xyz'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _chk_main_domain='CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _on_before_issue
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_NEW_AUTHZ
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ret='0'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L '
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] timeout=
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] url='https://acme-v02.api.letsencrypt.org/directory'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] GET
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] _init api for server: https://acme-v02.api.letsencrypt.org/directory
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] DOMAIN_PATH='/var/etc/acme-client/home/CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] Using config home:/var/etc/acme-client/home
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] _alt_domains='myvpn.loftnet.xyz'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] _main_domain='CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] Running cmd: issue
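An added check, not from the post and not part of acme.sh or OPNsense, that pulls the `payload=` line out of the log above and applies the host-name rules behind the rejection: the log shows the certificate's internal name (`_main_domain='CERT_LOFTNET_EXT_MYVPN_V2'`) being sent to the CA as a DNS identifier next to the real host name, and an underscore is not a valid host-name character. The function names and the rules beyond letters/digits/hyphen and label length are the example's own.

```python
import json
import re

# Constructed sample: the payload line from the acme.sh log above, used as the
# input the check parses.
ACME_LOG_LINE = (
    "2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] payload="
    '\'{"identifiers": [{"type":"dns","value":"CERT_LOFTNET_EXT_MYVPN_V2"},'
    '{"type":"dns","value":"myvpn.loftnet.xyz"}]}\''
)

# One DNS label: letters, digits and hyphens (LDH), no leading/trailing hyphen,
# 1-63 characters. Underscores fall outside this set, which is what the CA
# reports as "Domain name contains an invalid character".
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def identifier_problems(name):
    """Return the reasons a dns identifier would be rejected (empty list = ok)."""
    problems = []
    lowered = name.lower()  # the CA normalises case; its error quotes the lowercase form
    if len(lowered) > 253:
        problems.append("name longer than 253 characters")
    labels = lowered.split(".")
    if len(labels) < 2:
        problems.append("no dot: a bare label is not a registrable host name")
    for label in labels:
        if not _LABEL.match(label):
            bad = sorted({c for c in label if not re.match(r"[a-z0-9-]", c)})
            if bad:
                problems.append(f"label '{label}' contains invalid character(s): {''.join(bad)}")
            else:
                problems.append(f"label '{label}' is empty, too long, or starts/ends with '-'")
    return problems

def check_payload(log_line):
    """Parse the payload='{...}' JSON out of an acme.sh log line and check each dns identifier."""
    m = re.search(r"payload='(\{.*\})'", log_line)
    if not m:
        raise ValueError("no payload found in log line")
    order = json.loads(m.group(1))
    return {
        ident["value"]: identifier_problems(ident["value"])
        for ident in order["identifiers"]
        if ident["type"] == "dns"
    }
```

`check_payload(ACME_LOG_LINE)` reports `myvpn.loftnet.xyz` as clean and lists the underscore (and the missing dot) for `CERT_LOFTNET_EXT_MYVPN_V2`, matching the 400 `rejectedIdentifier` response in the log.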


#11
General Discussion / Re: Rule Separators
May 26, 2023, 10:03:21 PM
Quote from: mimugmail on May 26, 2023, 08:28:46 PM
If its just about collapse you can try categories

I tried that, but it is different ... how do I explain .... categories do not enforce or are not "inline" with the order of the rules. If you know what I mean?
#12
General Discussion / Re: Rule Separators
May 26, 2023, 05:11:53 PM
Hi,

I'm planning to migrate from pfsense to OPNsense.

I know this is an old topic, and I don't want to upset anyone, but I do have a question regarding this topic.
I too would love to see some kind of separation, segregation between blocks of rules within an interface or group. Besides using that a lot in my pfsense, also in my professional life, all firewalls I worked with (Fortinet, Checkpoint, Fortinet, Juniper, ...) have one way or another to separate or group blocks of rules.

I already read that the OPNsense developers are unlikely to implement rule separation headers like in pfsense. I can understand most of the points they raised about this, but....

It seems to me, it is already possible (in a way)? Because I see exactly that, when looking at the line "Automatically generated rules"... it has all I would like:
- a set of rules grouped together
- can be collapsed/expanded

https://imgur.com/a/OKY2jYg

Is it not possible to open up that feature for when we add rules ourselves?