Messages

Hi,

We're in the process of setting up WAN failover (switch to 5G when/if the fibre connection craps out)
.
Until now we have
DNS server = 127.0.0.1
Use gateway = none
on System: Settings: General under 'DNS servers'.

However, the help text says: 'When using multiple WAN connections there should be at least one unique DNS server per gateway.'

What does that meen in practice? Or Does this only apply when using the multiple WAN connections simultaneously?

Should I have 2 entries, one for each gateway? Or can I leave this setting unaltered?

When configuring a gateway group, the help information mentions 'Link Priority' & 'Virtual IP', neither of which is actually mentioned as a configuration option.

Services -> Smart and/or the CLI confirm that the test indeed runs (parameter needs to be full device path) 

If the result of the test isn't output anywhere, what is the best way to get notified when things go awry?



Oh, and good luck with your disk, Patrick!  ;-)

Hi Franco,

'sysctl -n kern.disks | sed s:nda:nvme:g' returned indeed 'nvme0', but when I specify that as parameter, I still get:

Code Select Expand

message 0c172160-7f3a-438a-89df-69bb5fb88471 [smart test short nvme0] returned b'smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.3-RELEASE-p4 amd64] (local build)\nCopyright (C) 2002-25, B'

Hi everyone,

I know that this question has been asked and answered a few years ago, but it seems to be an issue again...

When I create a task without a parameter, the backend log shows:

Code Select Expand

message 4fc16907-8409-4951-b00e-2c2f0ac74da9 [smart test short] returned b'smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.3-RELEASE-p4 amd64] (local build)\nCopyright (C) 2002-25, B'When I specify '/dev/nvme0' as parameter, the backend log shows:

Code Select Expand

message 566968b0-348b-4539-b3e6-ddbe77fdc092 [smart test short /dev/nvme0] returned b'smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.3-RELEASE-p4 amd64] (local build)\nCopyright (C) 2002-25, B'
In neither case does the SMART test actually seem to run.

Well, the idea is that when you save your LDAP authentication settings in 25.4.3 you likely get a validation error that prompts you to either allow memberOf sync checkbox and/or set a default group.

Ah! Yup, after I set a default group I can log in with my LDAP account again. Thanks!  :)

Does this mean I need to change something in my configuration after updating to 25.4.3 for things to work?

Looks like the bug is still present in 25.4.3?

I just updated our backup unit 25.4 -> 25.4.3, and I'm unable to log in with the LDAP-connected account. Only local user account works.

Whatever version you're on is fine. This is output from the current config.xml.

You got email  :)

Hi Evert,

Would you mind sharing the following output with us privately? Either forum PM or via mail franco@opnsense.org

# pluginctl -g system.group

Sure, no problem. Does it matter that I reverted to 25.4.1? I can update to 25.4.2 again temporarily, if that gives you the proper output.

Ok, progress :)

You can update back to 25.4.2 now and apply the patch again on your end to avoid the bad behaviour for now and we'll have a closer look internally.

Thanks  :)

I created a snapshot before updating to 25.4.2, so I think I'll revert to 25.4.1 for now, to keep our OPNsense units on the same version.

Code Select Expand

opnsense-patch https://github.com/opnsense/core/commit/5d4317ee21be31
Fetched 5d4317ee21be31 via https://github.com/opnsense/core
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From 5d4317ee21be317700ebef5eff9fdd395aa71863 Mon Sep 17 00:00:00 2001
|From: Ad Schellevis <ad@opnsense.org>
|Date: Mon, 9 Jun 2025 18:52:02 +0200
|Subject: [PATCH] Auth: regression in setGroupMembership() introduced with
| https://github.com/opnsense/core/pull/8046
|
|As members are comma separated now, we should split them before processing. To keep old and new formats (arrays/csv) compatible as we now do in the rest of the codebase, we normalize arrays with cvs strings into a single list of members.
|---
| src/opnsense/mvc/app/library/OPNsense/Auth/Base.php | 3 ++-
| 1 file changed, 2 insertions(+), 1 deletion(-)
|
|diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
|index a9e545a9a6f..fe3c52d4070 100644
|--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
|+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
--------------------------
Patching file opnsense/mvc/app/library/OPNsense/Auth/Base.php using Plan A...
Hunk #1 succeeded at 156.
done
All patches have been applied successfully.  Have a nice day.

Patch applied. Rebooted.

Yup, that's the one!  Now I can't log in with evertm anymore. If I add evertm back to Admins, and then try to log in again, he gets removed from Admins.

Ok, let's try to narrow down the issue by reverting the core package to the previous version:

# opnsense-revert -r 25.4.1 opnsense-business

If it's still not working it wasn't 25.4.2 but if it works again we can go through the commits.

Applied:

Code Select Expand

Fetching opnsense-business.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20241217... done
opnsense-business-25.4.2: already unlocked
Installing opnsense-business-25.4.1...
package opnsense-business is already installed, forced install
Extracting opnsense-business-25.4.1: 100%
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
configd already running?  (pid=84996).
>>> Invoking update script 'refresh.sh'
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from opnsense-business-25.4.1:

--
What are you looking at?

After the revert I have done a reboot. Now I can log in again with the AD user evertm

(I had to add evertm to the admins group again, but now he remains in the group when I log in with the AD user)

Nope, no 'Synchronize groups'...

I'm not aware of a bug, but there have been bug-related patches. Are you using a group sync? It may remove the admin group from your user which means you don't have any privileges to view any GUI page.

Hi Franco,
No, group sync is not enabled, as far as I can tell.

I did spot this in the Audit log just now. Don't know whether it's relevant:

Code Select Expand

2025-08-13T09:54:44    Notice    audit    User: policy change for evertm unlink group admins
Hmm, I do see on System: Access: Users that user evertm is no longer a member of group admins. When I add it back to the group admins, and try to log in as evertm, the group membership gets stripped again.