Messages

According to the docs OPNsense adds 'reply-to' by default on WAN rules for this reason:

https://docs.opnsense.org/manual/firewall_settings.html#disable-reply-to

I don't see anything in the 26.1 release notes indicating that this has changed.  Did you check the setting under Firewall->Settings->Advanced?

I did check that first...it is currently unchecked as it always has been. The only way for me to get "New" rules to work was to change it to reply-to WAN2Xfinity_GW. Everything seems good now.

The migration worked for the most part, with one exception...My WAN2 interface rule didn't work.
I found Asymmetric routing where my external monitoring was coming in on my WAN2 and going back out on WAN1.

This worked in Legacy rules with a simple rule as follows :
 

Code Select Expand

Interface: WAN2Xfinity

Direction: In

Protocol: any

Source: Monitoring_Alias

Destination: WAN2Xfinity

Gateway: Default

In the New rules section I had that same rule and that's when external pings started failing.
That is where I saw packets coming in WAN2 and out WAN1.


Anyhow, in order to get it to work I needed to set reply-to (Advanced-View) to the WAN2Xfinity interface.

Code Select Expand

Interface: WAN2Xfinity

Direction: in

Action: Pass

Protocol: ICMP

Source: Monitoring_Alias

Destination: WAN2Xfinity

Reply-To : WAN2Xfinity
Other than that, all my other rules cut over just fine.

I have this working on OPNsense 25.7.1_1-amd64. There were bugs in prior versions and I was unable to make it work. I would give it a go. If you are still having problems, let me know and I'll try to assist.

I am running 2 Tunnels and BGP. 1 tunnel is preferred with lower metric (100 vs 200). Failover works and happy with my setup.

Is something lacking or not updating in the business edition? We manage a number of them and the GeoIP database is from 2024-11-22T18:41:22.  On my personal FW, it is 2025-02-07T11:43:20

PR created ... Hope this finally gets some traction.

https://github.com/opnsense/core/pull/8241

Hey all,

I submitted the following Issue/Feature request. If you would also find this helpful and a better solution than what we have, please respond and let the Devs know you are interested :)

https://github.com/opnsense/core/issues/8239

The current setup of 2FA is a bit janky....Does it work, sure, but prepending/appending is a hassle when using a password manager.

Seems you can set the following in /usr/local/etc/rc.d/snmpd to have it run as root.
Just curious why Business vs Community causes this break.

snmpd_sugid="NO"

We have a number of Business editions rolled out and noticing that we can't query services.

When running with the following we only get back the snmpd service

snmpd  47456   0.0  0.2   38816 26476  -  S    08:01       0:00.01 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid -u snmpd -g snmpd

zabbix:~$ snmpwalk -v2c -cExample foo.bar.com .1.3.6.1.2.1.25.4.2.1.2
iso.3.6.1.2.1.25.4.2.1.2.47456 = STRING: "snmpd"

If I kill the process and start as root, we get the full list.

root   93943   0.0  0.2   38816 26296  -  S    08:02       0:00.01 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid

zabbix:~$ snmpwalk -v2c -cExample foo.bar.com .1.3.6.1.2.1.25.4.2.1.2
iso.3.6.1.2.1.25.4.2.1.2.20 = STRING: "lighttpd"
iso.3.6.1.2.1.25.4.2.1.2.315 = STRING: "python3.11"
iso.3.6.1.2.1.25.4.2.1.2.317 = STRING: "python3.11"
iso.3.6.1.2.1.25.4.2.1.2.563 = STRING: "devd"
iso.3.6.1.2.1.25.4.2.1.2.8724 = STRING: "ntpd"
iso.3.6.1.2.1.25.4.2.1.2.12072 = STRING: "dpinger"
iso.3.6.1.2.1.25.4.2.1.2.12829 = STRING: "daemon"
iso.3.6.1.2.1.25.4.2.1.2.13264 = STRING: "php"
iso.3.6.1.2.1.25.4.2.1.2.13324 = STRING: "syslog-ng"
iso.3.6.1.2.1.25.4.2.1.2.13761 = STRING: "syslog-ng"
iso.3.6.1.2.1.25.4.2.1.2.21025 = STRING: "csh"
iso.3.6.1.2.1.25.4.2.1.2.25394 = STRING: "daemon"

I don't see this issue with the non Business edition. It always seems to start as root and not the snmpd user.

Seeing the same thing on Business 24.4

We have 2 Relays, 1 for VLAN 10 and 1 for VLAN 50. VLAN 50 continues to work, VLAN 10 drops randomly.
A quick disable/enable fixes it until it fails again

Is there any way to sync only certain Aliases?

For most of our clients, this works great. However we have a couple clients that have additional aliases for Cameras and the likes.
With those clients, it does sync our global Alias for access, but Provisioning always shows it is out of sync.

Would be great if we could select which aliases we want to be part of the sync.

Thanks,
Mike

Having a similar issue with Business 24.4 release.

We have 3 VLANs (default, Vlan10 and vlan50).

We started seeing 169.254 ips on vlan10, but vlan50 was fine. My first thought was dhcp guarding on Unifi as we have had this blow up in the past in some environments.

Further investigations via `sudo nmap -e vlan10 --script broadcast-dhcp-discover` and `sudo nmap -e vlan50 --script broadcast-dhcp-discover` showed we were getting no response on vlan10.

I stopped/started the relay on Vlan10 and things started working again.