Messages - deuch

#1
Hello,

After upgrading to 23.7.7, I do not have the health report for CPU temp working anymore.

I've the « Please wait for logging data » spinning forever.

Errors in log :

2023-10-26T08:23:18   Error   configd.py   [6238b2a5-b0aa-461f-8e1c-c08b5e7a1502] Script action failed with Command '/usr/local/opnsense/scripts/health/fetchData.py 'system-cputemp'' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 44, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/health/fetchData.py 'system-cputemp'' returned non-zero exit status 1.

The widget on the dashboard shows the actual temperature.

Thanks for your help.
#2
Zenarmor (Sensei) / 1.15 new version
September 19, 2023, 12:20:19 AM
Hello,

I've installed the new version 1.15 (Home licence) and for those features/improvements, I can not find them (I've refreshed the OPNsense UI)

1) Improvement: Several new web categories are introduced in Zenarmor, including "Low-THC Cannabis Products," "DNS over HTTPS," "Compromised Websites," "Keyloggers and Monitoring," "Spyware and Adware," and "Generative AI," enhancing your web content filtering capabilities for a more comprehensive and secure browsing experience.

"DNS over HTTPS", "Compromised Websites", "Keyloggers and Monitoring," "Spyware and Adware," are not in the Web Categories list


Thanks for the help.
#3
General Discussion / Re: VLAN and DHCP
September 05, 2023, 12:24:39 AM
Hello,

I've made the change and it works :) Kids AP is in VLAN 10 and DHCP is working.
Zenarmor set to watch VLAN 10 too and looks good.

Thank you so much for such a great help and explanations !
#4
General Discussion / Re: VLAN and DHCP
September 04, 2023, 09:15:29 AM
Do I have to do all those steps in a specific order ?

I've created the VLAN 10 and assigned it to the LAN_Kids (and igc1 interface as parent, same interface as the LAN)
I've created the VLAN 1 but didn't assign it to the original LAN interface (on igc1 for now and needs to be set to VLAN 1).

Will I break something if I assign the VLAN 1 to the LAN interface (communication lost etc ...) ?
I'm a homeworker so I'm trying to reduce to 0 the number of issues with my internet connection :) So this is why I'm asking if all the setup needs to be done in a certain order and if some of the steps are safer than others :)

I'm using my AP on switch 2 to manage opnsense so if something goes wrong, I will have to connect to an interface of opnsense (I've set up an interface named bachlup with DHCP and a LAN cable already in place just in case)

Really appreciate your help and patience.
Thanks.
#5
General Discussion / Re: VLAN and DHCP
September 03, 2023, 02:31:56 PM
I will try !

So I need to create a new VLAN_Normal with tag 1 on opnsense or it is not necessary ?
#6
General Discussion / Re: VLAN and DHCP
September 03, 2023, 07:34:16 AM
Quote from: Maurice on September 03, 2023, 12:29:37 AM
Quote from: deuch on September 03, 2023, 12:05:43 AM
In the switch, I will have 3 VLAN :
1, 5 (LAN) and 10 (LAN_Kids) with :

Port 1 is the one connected to opnsense
Port 2 is the one connected to the second switch

What will the other ports be used for? Access to 'LAN'?

Quote from: deuch on September 03, 2023, 12:05:43 AM
On the second switch :
AP Wifi is connected on port 2
Port 3 is used for connection with the Switch 1

What will the other ports be used for? And does the AP only have one SSID (for 'LAN_Kids')?

On switch 1 :
Port 1 : opnsense
Port 2 : connection to the second switch
Port 3 to 8 : devices that use LAN (ps5, Xbox, Apple TV etc ...) and internet (they can talk to each other and with devices on switch 2)

On switch 2 :
Port 2 : Kids AP with only one SSID and needs to be in LAN_Kids (only the kids' devices can connect to this one)
Port 3 : Connection to the switch 1
Port 1, 4-8 : devices that use LAN (NAS, wifi AP for LAN with 2 SSIDs : « normal (all devices except iot) » and « guest (iot) », servers etc...) and internet, they can talk to each other and with devices on switch 1

The KIDS AP needs to be able to connect to LAN (The NAS, printer etc ...)
For LAN_Kids I enforce some Firewall rules and use an AdguardHome installed on the AP for kids as DNS Servers.
Zenarmor will be used too, only on LAN_Kids

Thank you again
#7
General Discussion / Re: VLAN and DHCP
September 03, 2023, 12:05:43 AM
In the switch, I will have 3 VLAN :
1, 5 (LAN) and 10 (LAN_Kids) with :

Port 1 is the one connected to opnsense
Port 2 is the one connected to the second switch

VLAN 1 : All ports, no tags ?
VLAN 5 : All ports or only the 1 ? tag on port 1 ?
VLAN 10 : Ports 1 and 2, and tags on both or only 1?
For the PVID, 5 for port 1 and 10 for port 2 ? Or every port/or the rest on 1 or 5 ?

On the second switch :
AP Wifi is connected on port 2
Port 3 is used for connection with the Switch 1

VLAN 1 : All ports, no tags ?
VLAN 5 : All ports or only the 3 ? tag on port 3 ?
VLAN 10 : Ports 2 and 3, and tags on both or only 3?
For the PVID, 5 for port 3 and 10 for port 2 ? And the other port on 1 or 5?

Thanks.
#8
General Discussion / Re: VLAN and DHCP
September 02, 2023, 08:50:38 PM
So the idea is to create 2 VLAN ? VLAN_Kids and VLAN_Normal on the same physical interface ? or 2 LAN on 2 physical Interface ?

I do not have LAN_Kids, only one LAN interface for the moment. The wires are already in the wall, so I do not have so much choice :)

Sorry I'm not an expert in VLANs, so if you can explain to me just a little more, I promise I will try to understand everything you will teach me :)

Thanks again for your support and patience.
#9
General Discussion / VLAN and DHCP
September 02, 2023, 07:53:45 PM
Hello,

I've an opnsense box with 4 ports. I've connected one port for my WAN and the second for the LAN to a managed switch (TPLINK TL-SG108E latest firmware).

I've created a VLAN on opnsense (latest version and patches), VLAN 10, attached to the LAN interface as parent and set the DHCP service (static IP 192.168.1.1/24 and a range of 192.168.3.3 to 192.168.3.254).
Everything is started and enabled in opnsense.

Opnsense is connected to the switch at port 1. I've connected a laptop on the switch at port 8.

On the switch, I've set the port 1 and 8 for VLAN 10. And on the port 8 the PVID 10. (no tagged port)

But the laptop receives only IPs from the LAN CIDR (192.168.1.X), so it looks like the VLAN does not exist or it is not recognized at all ....

My future setup will be more complex with  2 managed switches in cascade, but this simple setup seems to not work well ...

Do you have some ideas to help me please ?

The future setup will have 2 managed switches in cascade. On the second switch, only one port will be used with a Wifi AP for Kids in this VLAN 10. I've tried to set things up like that, but it doesn't work either (IP of the LAN too).

On Switch 1 connected to the router : Port 1 and 2 in the VLAN 10. Port 2 tagged. All ports with PVID 1 (VLAN 1 configuration by default, 1-9 ports, no tag)
On Switch 2 : Port 3 and 2 in the VLAN 10. Port 3 tagged (the one connected to the other switch) and PVID set to 10 for the port 2 with the AP router connected on it.

Maybe I'm doing something wrong ...

The idea is to have the AP on a separate VLAN to enforce DNS servers and other stuff at the firewall level. But the device can still have access to the LAN (NAS etc ...). So if you have ideas or tutorials for that it will be great !

Thanks a lot for the help.
#10
Hello,

In the logs I can see these kinds of errors every day at 1:00am (I've scheduled the backup at this time) :

2023-08-25T01:00:03   Error   php   remove config-1692313200.xml from Google Drive   
2023-08-25T01:00:01   Error   php   backup configuration as config-1692918001.xml

But the files are removed and backed up in Google Drive (I've to check the content).

I've just tried to test the setup and same thing in the logs :

2023-08-25T09:41:12   Error   php-cgi   remove config-1692399600.xml from Google Drive   
2023-08-25T09:41:10   Error   php-cgi   backup configuration as config-1692949269.xml

But the test is OK and a new backup file is in google drive. I'm keeping 7 backups.

It seems that sometimes it has some trouble removing a file and I've 8 files instead of 7. After a new backup, I've 7 files.

Is it a false error or something might be buggy ?
#11
Zenarmor (Sensei) / Re: Licensing options?
August 24, 2023, 11:59:06 PM
How do you create your service ? With a ClusterIP or not ? Even with a nodePort it does not take any IP on your subnet.

In fact you can use a k8s cluster with a full overlay network (pods and services) and only nodes have an IP of your subnet.

So normally, only your node IP will count for zenarmor licence and not the pods id or service. With ip tables or IPVS it's the case so I do not know how your cluster is configured, or something with netmap sees the overlay IP as a « real » one.
But if it's the case, choose 2 different subnets for pods and services during installation and set them as exempted networks in zenarmor. Can you try ?
#12
LGTM
#13
Zenarmor (Sensei) / Re: Licensing options?
August 22, 2023, 04:27:15 PM
What kind of network driver (CNI) are you using with your k8s cluster ? Is it flannel or cilium or something else ?
Do your pods take an IP on your VLAN/subnet ?
#14
Can you give us a screenshot of the blocked session in zenarmor live sessions UI ?
#15
Looks ok to me too but it will be better to have new packages instead of reinstalling the same package number.
Like 1.14.3 instead of having multiple versions of 1.14.2