Messages - sizzling~snitch

#1
Hello All!
A question for others who use this setup. Has anyone had the need to do a path-based routing setup on a single domain?

i.e. domain.com & domain.com/api/v1 point to two different backend servers? I came across https://www.haproxy.com/blog/path-based-routing-with-haproxy and was playing around in OPNsense HAProxy with Conditions and Rules, but when I added the api backend rule into the main domain backend rules at the bottom I got the warning "use_backend' ignored because backend 'TESTCom_backend' has no frontend capability." so I'm kinda at a loss tonight and thought I would post here while giving my brain a break :D
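The warning quoted above is what HAProxy emits when a `use_backend` rule sits in a backend section (an OPNsense "Backend Pool") instead of a frontend ("Public Service"), where routing decisions are evaluated. Below is an added example in raw HAProxy syntax, not the poster's config: the mis-placed rule beside the corrected one. The frontend name `https_in`, the backend `api_backend`, the certificate path and the server addresses are assumptions; `TESTCom_backend` is the name from the post.

```haproxy
# Added example (not the poster's OPNsense configuration).
# Assumed names: https_in, api_backend, the server IPs and the cert path.

# --- Wrong placement: routing rule inside a backend section ---
# HAProxy loads this but logs "'use_backend' ignored because backend
# 'TESTCom_backend' has no frontend capability": backends never pick a
# backend, so every request that reached this pool stays here.
backend TESTCom_backend
    server web1 10.0.0.10:8080 check
    acl is_api path_beg /api/v1
    use_backend api_backend if is_api      # ignored, never evaluated

# --- Correct placement: ACLs and use_backend live in the frontend ---
frontend https_in
    bind :443 ssl crt /usr/local/etc/ssl/example.pem   # assumed path
    # Match the host exactly (case-insensitive).
    acl host_main req.hdr(host) -i domain.com
    # Match the API prefix as a path segment, not as a string prefix:
    # "/api/v1" and "/api/v1/..." qualify, "/api/v1beta" does not.
    acl is_api path -i /api/v1
    acl is_api path_beg -i /api/v1/
    # Most specific rule first; the first matching use_backend wins,
    # and default_backend catches anything no rule selected.
    use_backend api_backend     if host_main is_api
    use_backend TESTCom_backend if host_main
    default_backend TESTCom_backend

backend api_backend
    server api1 10.0.0.20:8081 check
```

Run `haproxy -c -f <file>` after editing: the mis-placed rule only produces a warning, so a config that "checks fine" can still route the API path to the wrong pool; the frontend placement is what makes the split take effect.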
#2
Has anyone using this setup started to see failures in the LE cert renewals via DNS?

Looks like starting two weeks ago I started getting failures on all my ACME renewals that have been working for a year or more. I am not in a place right now to share log info, but what I was seeing from debug log level 2 is that the TXT record is set, but when it checks against LE with ACME it says the TXT record is not the expected one.

I'll drop more later.
#3
Hello all, so I figured out how to get my VirtualIPs on a different subnet from the initial static IPs working and listening on the client's box, but ONLY for about 30 seconds after an Interface > VirtualIP settings change on them.

I have been swapping back and forth between /24 and /32 and I see all traffic for 30 seconds then it stops. If I open a NAT port forward for 443 the internal service responds for that 30 seconds then nothing.

I have tried setting the VirtualIP's gateway manually, but same results.

Thoughts?
#4
Hello again friends!
Have a client this time that got some new WAN IPs from their ISP, but they are on different subnets from the original 2 IPs.

For the first setup and 2nd IP I was able to just add in a VirtualIP and it seemed to be A-OK, thinking this might be because both are on the same subnet.

Tried that with the new IPs and no go. Even tried setting a gateway on the VirtualIP, and creating new gateways in OPNsense for the new IPs' gateway the ISP gave us.

Also they have set up HAProxy to route HTTPS traffic to different hosts in their office, if that matters any.

I have checked filterlogs and never see the new IP show up when I try to hit it from another device on a different network/ISP.

Anyone come across this or have ideas for me to try?
#5
Just came across this thread which appears to be my same problem. I will follow there.

https://forum.opnsense.org/index.php?topic=41122.0
#6
Hello everyone! Wondering if anyone else has come across this. I had been slowly troubleshooting for the past few weeks why a client's business appliance (OPNsense hardware) was accepting inbound traffic but could not get outbound.

Just a bit ago I stumbled across the NAT Outbound settings and noticed that while the page was set to automatic, no rules were listed.

I compared this to my personal appliance which does have auto & rules, but is not on business.

I tested this by adding a quick * * outbound NAT rule and the client's machines were talking to the internet again.

Currently client is on `OPNsense 24.4.1-amd64`
#7
Greg_E, I disagree with franco a little.

The Biz edition is going to have older versions of apps, so the settings might be different. In my case it was that the HAProxy CE version is newer and had some different features, and I first set up on CE; then when I moved to Biz I had to redo the HAProxy setup and figure out how to set the same things on the older version from what I had done with the HAProxy LE write-up on this forum.
#8
23.7 Legacy Series / Re: Business OPNsense updates?
April 09, 2024, 12:45:56 AM
Quote from: franco on March 26, 2024, 01:20:50 PM
HAProxy is a community plugin maintained by a community member.


Cheers,
Franco

Maybe, but the versions are different between CE and Business editions, with CE being on a newer version. This bit me in the butt: I set up HAProxy on CE, but then moving down to Biz a few features were missing, and the guide I followed from this forum had been updated for the CE version, so I had to figure a few legacy things out. :D
#9
Hello - I got an OPNsense business lic as I was under the impression it was more modern and had the latest versions and security patches.

But I see that community = 24.1.4 and business = 23.10.2, which does not tell that story.

Does anyone know when the business edition will be updated?

Also, is there a section in the forums for the business edition? Both version chats, current and legacy, are versions that the business edition IS NOT on. :(
#10
23.7 Legacy Series / Business OPNsense updates?
March 25, 2024, 11:27:10 PM
Posting this under 23.7 Legacy as I do not see a Business Level area of the forums. Do these exist?

My install is up to date running version: 23.10.2

I saw one of the perks of the Business Lic was to get updates and security fixes quicker, but how can that be when the Community version is an entire major version newer? i.e. 24.0.1 (which is what is installed on my personal firewall)

Community HA Proxy = 4.4
Business HA Proxy = 4.1.1

Both appear to be built off HAProxy 2.6 LTS, which was released almost two years ago. 2.8 LTS has been available since 2023-05-31.

#11
Following up on this: turns out this is a false positive and has been documented.
#12
Hello All, I found that OPNsense has a built-in Wazuh agent, so I set it up and right away I am getting an alert:

Host-based anomaly detection event (rootcheck).
- Files hidden inside directory '/boot/efi'. Link count does not match number of files (3,1).

I enabled SSH temporarily and looked at that location as root (sudo su) and am not seeing anything hidden. Thinking, as this is also a new install (OPNsense 23.10.2-amd64), it might be some kind of false positive.

Has anyone seen this before in their setup of Wazuh-Agent plugin?