Messages - DarkCorner

#1
Even after adding a second NIC, I cannot access the Internet.
On the other hand, if I connect the NIC on the Motherboard directly to the router everything works correctly.
So it is the firewall that blocks the Debian partition, while the Windows 10 partition connects without problems.
#2
Quote from: bartjsmit on August 21, 2024, 05:40:52 PM
Install a different NIC - yours does not work with Linux

But in DHCP4 Lease there is a green icon, so the NIC has been detected.
#3
I have a PC with Win 10 Pro and it works correctly: it goes to the Internet, accesses Win Update, downloads programs, etc.
I didn't have to configure anything, neither on the PC nor on OPNsense.

On this PC I created a partition with Debian 12 for Dual Boot, but already at the time of installation it doesn't recognize DHCP4.
If I configure the network manually, then I don't access the APT repositories and therefore I can't install other programs.
Also, from the Debian console, pinging the firewall doesn't work either.

On DHCP4 / Lease I see the active PC (green icon).
I can't understand what it could depend on.
#4
Zenarmor (Sensei) / License for backup router
May 14, 2024, 04:48:34 PM
I would like to activate a backup router to use in case the main one fails.
Since it has to cover 5 users, I can't imagine activating two SoHo licenses.
A license is already overpriced given that it offers the same features as the home one at quadruple the cost.

How can I handle it?
#5
The project involves the installation of OPNsense with Zenarmor for a maximum of 5 work users.
There is currently already a Sophos XGS87+Xtream Protection with an active contract for the entire current year. Is there any suggestion to integrate them?

The project includes in OPNSense mainly:

  • Dual WAN with Load Balancing and Failover
  • LAN;
  • DMZ with 3 Virtual Servers (Windows & Linux) on Proxmox;
  • VLANs for Wi-Fi accesses in the LAN and for guests and smartphones;
  • VPN for access from outside;
  • VPN for access to an external provider;
  • HAProxy for external access to internal web services;

Thanks in advance for the advice
#6
High availability / CARP on two different PCs.
March 01, 2024, 07:24:50 PM
I'm doing some testing at my house.
I have OPNSense on an Acer PC with an i5, 8GB RAM and an additional 4-port NIC card.
I would like to implement CARP with a second Acer PC of a different model, also with an additional 4-port NIC card.
Is this possible, even if they are not exactly the same?

I have a Zenarmor "Home" license on my PC; can I manage it on the second PC? How?
#7
I'm sorry, but I still get errors instead.

After moving the two servers to the LAN and creating a new Virtual IP, all the configurations now correspond to the tutorial (unless, of course, there has been some oversight on my part).

The only difference I find is the Public Services / Type option "http-keep-alive [default]" in the screenshot of point 9, which is not present in this version of HAProxy.


  • The SSL Labs test on my-domain.tld returns "Certificate name mismatch" because it searches for *.my-domain.tld
    Instead, if I search for server.my-domain.tld the test is A and not A+
  • When calling server.my-domain.tld:NumPort from the internet with Firefox I get the "connection timed out" error, and in Firewall Log Live View the public IP address of the laptop being tested reports the error "Default deny / state violation rule"
  • When calling server.my-domain.tld from the internet with Firefox I get the "503 Service Unavailable" error, without errors in Firewall Log Live View.

I'm sorry, because the architecture proposed in this Tutorial is interesting.
#8
In Public Services 1_HTTPS_Frontend,
the "SSL option pass-through" field in the tutorial contains "curves secp384r1".
Having generated the certificate with the simple 4096, what value should be indicated in this field?

How and where should logging be enabled to pinpoint where errors occur?

Thanks in advance.

=== Update ===
I generated the certificate again with ec384, as suggested in the tutorial. I reset the "SSL option pass-through" field with the value "curves secp384r1".

Now:
1) From Internet, using the certificate for web GUI access works and the certificate was recognized.
2) From Internet, a NAS and Debian Server in DMZ are not recognized. In Firefox the error is "Connection timed out".
3) In Statistic Status the Backends are No Check.
4) The SSL Labs test on the two subdomains returns the value "A" and not "A+" in both tests. DNS CAA = No is reported. The documentation reports that for both servers https://URL (HTTP/1.1 503 Service Unavailable)
5) In Firewall / Log / Live View the WAN rule is executed.

Evidently there is something blocking the call of the two servers in DMZ. Maybe there's a rule missing?
How can I enable HAProxy logging?

=== New Update ===
I checked twice, all the parameters.
Servers continue to be unreachable with error 503.

I don't understand why I only have to listen to ports 80 and 443.
It is true that the service port is indicated in the Real Server (for example, 32400 is used in the tutorial), but in the browser I have to type MY-DOMAIN.TLD:NumberPort.
Already in the WAN rule NumberPort is not filtered because it is not in the alias.

Thanks in advance, again.
#9
General Discussion / Re: Why doesn't anyone answer?
February 01, 2024, 09:52:17 AM
Quote from: franco on January 31, 2024, 03:48:49 PM
You keep saying pfSense, but nobody else does. Not sure why that is, but to be honest I didn't see your other post because I've been mostly doing 24.1 work in all of January.

I imagined that in this period you were very busy with the release of the new version.

About "pfSense", as I was saying, before posting my message I scroll through the forums a lot. I assure you that there is more than one invitation to consult the pfSense documentation; but it's not important.

My post is this, where perhaps I also understood the cause of the problems, although I didn't understand why.
#10
I reopen the post after reactivating the Multi WAN because I wanted to try a further variation by changing System: Gateways: Group / Trigger Level to "Member Down".
A new short test with just two Windows PCs would seem to cause no problems.

My reflection comes from a consideration.
Previously I had no DNS problems, nor were there any errors reported in the logs.
The page simply didn't load and you had to refresh to open it. The error was therefore due to the difficulty in reaching a correct and resolved URL; on the other hand there could be no problems simply calling up google.com.

So, too much time was spent in OPNsense, probably deciding which of the two WANs to forward the traffic to.

Changing Trigger Level from "Packet Loss and High Latency" to "Member Down" probably takes less time for forwarding although I don't understand the reason (assuming that mine is a decisive step).

What is certain is that, by doing so, under degraded line conditions the traffic would no longer be forwarded onto the second line, but only if the first one stopped completely.

Having said all this, I'm ending the test at least until I have more information.
#11
General Discussion / Re: Why doesn't anyone answer?
January 31, 2024, 03:12:53 PM
I also know that the license is different from the support, but having purchased it is already an important signal that I didn't just want to "eat for free".

I repeat again that this is a basic installation, redone from scratch I don't know how many times and kept basic precisely so as not to introduce any critical issues.
There are no active plugins or other services other than network ones.
There are no rules, except for the DNS one and the "all open" one.

VLANs work; the Multi WAN, on the other hand, hops like a kangaroo.
In my opinion there is a problem with DNS, but the problem is difficult to identify especially for those, like me, who come from another platform and still don't fully know the OPNSense GUI.

I don't think I wasn't assertive, but even if I was, there are many others who can't find an answer in the forum. I invite you to check it out.

I am also a person who does a lot of research on the Internet and who starts by first analyzing what I have done and only then asking if there is something that isn't working.

Honestly, I found several suggestions in the forum to search the pfSense documentation, which I find meaningless since we are talking about two different products.
If I need help with pfSense, then I stick with pfSense.

For me the discussion ends here.
I'll be back to complete the installation of the prototype. Only when it is fully functional can we talk about activating it in the company and only at this point can we talk about licenses and commercial support.

Thanks for the reply anyway.
#12
I'll close the post with an update.
I waited for the latest version of OPNSense (now there is 24.1_1).
For a test lasting about an hour the following were used:

  • A Win11 PC on the LAN with a Youtube session and web search.
  • A Win10 PC on the LAN with several Windows Updates.
  • Two Linux PCs on GuestNet, both with apt update and a Youtube session.
  • A NAS on DMZ with a heavy Dropbox storage upgrade.
The Load Balance works because in the graph I see both the one relating to the WAN and WAN2 activated.
However, although I did not find any errors in the logs, the traffic was not continuous with frequent interruptions and the inability to open some web pages.
Only by specifying the default gateway in the rules were there no problems.
In LAN, GuestNet and DMZ there are only two rules. The one for DNS (on the default gateway) and the "Pass Any Any" one (on the Gateway Group LoadBalancing).

Not finding any support here, not even as a suggestion to activate other logs, I decide to deactivate Multi WAN.
#13
General Discussion / Re: Why doesn't anyone answer?
January 31, 2024, 02:34:54 PM
Franco, I find no reason to offend those who have already bought the licenses.

I have had three pfSense active 24 hours a day for over two years with multi wan and Squid working perfectly.

We have been planning the migration to OPNSense and have been unable to complete a basic installation since November; first because there were problems with Squid and now with multi wan.
I deactivated Squid and now I will also deactivate multi wan.

"Free" support in the forum is limited, that's a fact.
We will internally evaluate whether and when to move to paid support.
At the moment the results achieved are disheartening.

We will still keep the Zenarmor license in the drawer.
#14
General Discussion / Re: Why doesn't anyone answer?
January 31, 2024, 12:06:33 PM
Let's try to understand each other.
A Firewall is a critical system by its nature.
However, this does not mean that its configuration is critical at this moment.

I said, and I repeat, that the configuration is still at Basic level, with a single "Pass Any Any" rule.
Do I have to pay a license to understand why a rule like this doesn't work?
Please, let's not joke.

Others in this forum have reported the same problems; people who, like me, have reinstalled OPNSense from scratch several times always obtaining the same result.
Just scroll through the forum pages to find posts with zero replies or with only one reply, that of the person who posted the post itself.

In the meantime, I already have a paid license that I am not using, thus wasting two months in vain.
#15
General Discussion / Why doesn't anyone answer?
January 31, 2024, 10:36:23 AM
I understand and agree that in a Community Forum there is no obligation to respond, but I see that others also report problems and do not receive any response.
We are not talking about a marginal infrastructure, but a critical one and here we have been stuck for weeks on problems with a "basic" configuration and little more.
Where the configurations start to be complex I am the first to ask to activate licenses and commercial support, but here we are still at "Pass Any Any" rules.
Meanwhile, we already have a Zenarmor license that we haven't activated for MONTHS because we don't want to add any more complexities.
This is not encouraging.