Messages - ozpac

#1
Incredibly helpful info, thank you kindly! I appreciate your efforts.
#2
Ah I see, that makes sense.
How about bitflips (e.g. cosmic ray)? This would mitigate them, wouldn't it?
I gather they are very rare but nevertheless, would my scheme work?
#3
As I understand it, ZFS computes and stores checksums for everything (blocks?). It uses these to determine whether the block is intact or damaged. If damaged then it will refer to the mirror to see if that block is intact. It will then automatically write the undamaged block over the damaged one - thus self healing. With only one copy of the data then self healing isn't possible.
Isn't that accurate?

In other words, this is the only way I can defend against bitrot, on this hardware. If I can do more I would love to do so.
#4
My ZFS root accumulated some file damage and then refused to mount.
I will rebuild the filesystem from scratch but want to increase resiliency by making use of ZFS's self healing abilities which requires mirrored data.
I'm using a Protectli device which only has one drive bay (a mini PCIe port for mSATA cards).
My idea is to split that 128GB drive into two 64GB partitions then make the OPNsense system root a mirrored zpool across the two.

I will also run daily snapshots to external drives and so on, but I want better prevention rather than just better cures.

Is this a good plan?
#5
Hi. The VPN > OpenVPN > Instances GUI page has a 'delete selected' button at the bottom of the list, but the items in the list do not have a 'select' checkbox so I am unable to delete the instance I have defined there.

Is this a GUI bug perhaps?


N.B. The logs are showing this error:
Error openvpn /usr/local/opnsense/scripts/openvpn/ovpn_service_control.php: The command '/usr/local/sbin/openvpn --config '/var/etc/openvpn/instance-2f5ea79b-4cb0-4e59-bbbf-d87bd9ab72e3.conf'' returned exit code '1', the output was ''
#6
Solved:

- DNS: your.domain:
   - A record points to WAN2 IPv4 public address

- Static Route:
   - Not needed

- Firewall > NAT > Port Forward > + Add
   Interface: WAN2
   TCP/IP Version: IPv4
   Protocol: TCP
   Destination: This Firewall
   Destination Port Range: <port> -> <port>
   Redirect target IP: <file_server>
   Redirect target port: <port>
   NAT reflection: Use system default [enabled]

- Firewall > Rules > LAN > + Add
   Action: Pass
   Interface: LAN
   Direction: in
   TCP/IP Version: IPv4
   Protocol: TCP
   Source: <file_server>
   Destination: any
   Destination port ranges: any -> any
   Gateway: WAN2

- Firewall > Rules > WAN2 > + Add
   This will get automatically created:
   Protocol: IPv4, TCP
   Destination: <file_server> : <port>
#8
Is it possible to host a public file server from just one specific WAN gateway when I have two WAN gateways attached?
See attached diagram.

My two WAN connections:
- WAN1: IPv6 with a static public IP address, plus IPv4 using CGNAT (no public IP address)
- WAN2: IPv4 with a static public IP address, no IPv6

I have these configured in OPNsense as a fail-over multi-WAN group with WAN1 as primary.

The problem is that I have external clients who need to reach the file server but they themselves are on IPv4-only connections and therefore cannot reach the file server, which spends 99% of its time on the IPv6 connection only.

Is there a way to allow external IPv4 clients to reach that internal file server while keeping the fail-over multi-WAN policy in place?