Messages

Thanks for the feedback!

1) I only do this once (or at least exceptional), because the "daily" OpnSense changes are saved to the configuration.xml backup file.

2) In meantime I made the script and descriptions more generic, I assume that anyone using this type of script knows that the SSD should be removed and installed in an enclosure. Should work for other use-cases now as well.

3) I had issues to get anything booted from USB stick on my 750 appliance (could be a local issue), solved by this script since my FreeBSD system is not changing that much. Wanted to have a certain point-in-time disk clone to have a fallback when the disk crashes.

4) Other tools available? Most probably yes, but the more tools, the more choice :)

Hello all,

I needed a way to clone my Deciso 750 SSD to a file (to be able to restore later on the whole installation after a crash or hardware issue). Since booting CloneZilla via an USB stick didn't worked out, I started creating a simple script that was able to do the same from my Mac. A couple of hours later and with some help from AI, an interactive script to clone and restore from/to NVMe was born. Claude assisted in refactoring and here it is. Should be able to handle other use-cases as well (e.g. upgrading to a larger SSD, cloning other appliances etc).

To be able to read the SSD you will need a M.2 SSD NVMe enclosure, I can recommend this one for speed and reliability on Mac, but others should work as well.

If interested, have a look at:
https://github.com/svendt/Clone-NVMe-for-MacOS

Feedback welcome (and be careful when opening the appliance to retrieve the SSD, warranty might be voided).

On my MBP without USB-A ports, I use an USB-C to USB-A converter --> to serial cable and use command:

screen /dev/tty.usbmodemXXXXXXX 115200

(where XXXX is system dependent of course)

Same here, 24.10.1 on a DEC750 and at this moment 53 days uptime ...

+1

I did the upgrade (on a Deciso appliance) a couple of minutes ago and will report back if I have some issues. One warning though: Don't do the upgrade remote, I had to restart the fw via the console after the upgrade.

Some checks I have done:
- internet connectivity seems to be stable = OK
- OpenVPN S2S tunnel + C2S = OK
- health, connectivity and security audit check = OK
- upgrade check= "NO CRL was provided" error = EXPECTED according info on the forum (no impact)
- my plugins are still working = OK
- speedtest widget on dashboard (os-speedtest-community) is not available anymore = EXPECTED

Some anomalies / bugs detected (nothing major):
- dashboard widget "OpenVPN Client Connections" indicates no S2S clients available, but I do have a S2S tunnel active (and this was working fine pre-upgrade) - assume that I don't need to expect something here, but it is not working in the widget "OpenVPN Server Connections" neither
- dashboard widget "thermal sensors": Different cores are showed (all the same in my case), widget cannot be modified to show only the main temperature (pre-upgrade this was possible)

For changes that will persist after reboot, you need to edit:
/usr/local/opnsense/service/templates/OPNsense/Vnstat/vnstat.conf

I have the following setting to get dd/mm/yyyy:

# locale (LC_ALL) ("-" = use system locale)
Locale "-"

# date output formats for -d, -m, -t and -w
# see 'man date' for control codes
DayFormat    "%d/%m/%Y"
MonthFormat  "%m/%Y"
TopFormat    "%d/%m/%Y"

Hope this helps?

I find the vnstat plugin very useful to follow-up the traffic on my firewall. The plugin itself is working for 95%, but is very outdated. It seems that the plugin maintainer abandoned the project a couple of years ago. I don't know if the maintainer or someone else (at Deciso?) would like to bring an update of the plugin? I would do it myself, but my development knowledge is very limited.

Github:
https://github.com/opnsense/plugins/blame/2705ed92931e79732a947a293edcf147888d20a6/net/vnstat/pkg-descr

For instance, the "new" graphics of vnstat would add some visual value to the plugin in OpnSense.

Thanks a lot, that's indeed easier.
Wasn't aware of this template.

Will try to solve it by copying the saved config over the default config after boot (not tested yet), created the following file. I will not expect issues?

/usr/local/etc/rc.syshook.d/start/93-vnstat


#!/bin/sh

echo -n "Restoring vnstat config"
cp /usr/local/etc/vnstat.conf.restore /usr/local/etc/vnstat.conf

Had a similar issue, solved with some help and thought to let you know as well (even if it's an older topic):
Solution at https://forum.opnsense.org/index.php?topic=41141.0

And some info for anyone else:

1) create /usr/local/opnsense/service/conf/actions.d/actions_enableshaper.conf

[enableshaper]
command:/sbin/ipfw set enable 0
parameters:
type:script
message:Enable Shaper
description: Enable Shaper

2) create /usr/local/opnsense/service/conf/actions.d/actions_disableshaper.conf
[disableshaper]
command:/sbin/ipfw set disable 0
parameters:
type:script
message:Disable Shaper
description: Disable Shaper

3) activate with:
service configd restart

4) test with:
configctl disableshaper disableshaper
and
configctl enableshaper enableshaper

5) if tests are fine (you should get an "OK"), you can create 2 cronjobs in the OpnSense WebGUI Cron/System to enable and disable the packet shaper when you'd like. Disadvantage of this method: it's all or nothing (not rule per rule)

(again, thanks Patrick for pointing me in the good direction!)

update: after doing some tests, it seemed to work (and the pipes are in the config as well)
thanks a lot Patrick!

Thanks for the feedback Patrick:
when enabled (via GUI):

root@opnjg29:/home/backup # ipfw -S list
00100 set 0 allow pfsync from any to any
00110 set 0 allow carp from any to any
00120 set 0 allow layer2 mac-type 0x0806,0x8035
00130 set 0 allow layer2 mac-type 0x888e,0x88c7
00140 set 0 allow layer2 mac-type 0x8863,0x8864
00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
00200 set 0 skipto 60000 ip6 from ::1 to any
00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 set 0 skipto 60000 ip6 from any to ::1
00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
06000 set 0 skipto 60000 tcp from any to any out
06199 set 0 skipto 60000 ip from any to any
60000 set 0 return
60001 set 0 pipe 10000 ip from 192.168.60.100 to any via igc1 // a3b39633-a293-4c97-a7d6-f533666706e1 wan: Limit to 20 mbps upload
60002 set 0 pipe 10001 ip from any to 192.168.60.100 via igc1 // 706561f7-1d0e-45a5-8d94-c6e11c95daaa wan: Limit to 3 mbps download
65533 set 0 allow ip from any to any
65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any

when disabled (via GUI):

root@opnjg29:/home/backup # ipfw -S list
00100 set 0 allow pfsync from any to any
00110 set 0 allow carp from any to any
00120 set 0 allow layer2 mac-type 0x0806,0x8035
00130 set 0 allow layer2 mac-type 0x888e,0x88c7
00140 set 0 allow layer2 mac-type 0x8863,0x8864
00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
00200 set 0 skipto 60000 ip6 from ::1 to any
00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 set 0 skipto 60000 ip6 from any to ::1
00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
06000 set 0 skipto 60000 tcp from any to any out
06199 set 0 skipto 60000 ip from any to any
60000 set 0 return
65533 set 0 allow ip from any to any
65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any


but not working when changing via the set enable/disable 0 commands:
the shaper rules are not in the config ... see below
The only difference with your config is that you are using queues and I'm using pipes.

root@opnjg29:/home/backup # ipfw set enable 0
root@opnjg29:/home/backup # ipfw -S list
00100 set 0 allow pfsync from any to any
00110 set 0 allow carp from any to any
00120 set 0 allow layer2 mac-type 0x0806,0x8035
00130 set 0 allow layer2 mac-type 0x888e,0x88c7
00140 set 0 allow layer2 mac-type 0x8863,0x8864
00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
00200 set 0 skipto 60000 ip6 from ::1 to any
00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 set 0 skipto 60000 ip6 from any to ::1
00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
06000 set 0 skipto 60000 tcp from any to any out
06199 set 0 skipto 60000 ip from any to any
60000 set 0 return
65533 set 0 allow ip from any to any
65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any
root@opnjg29:/home/backup # ipfw set disable 0
root@opnjg29:/home/backup # ipfw -S list
# DISABLED 00100 set 0 allow pfsync from any to any
# DISABLED 00110 set 0 allow carp from any to any
# DISABLED 00120 set 0 allow layer2 mac-type 0x0806,0x8035
# DISABLED 00130 set 0 allow layer2 mac-type 0x888e,0x88c7
# DISABLED 00140 set 0 allow layer2 mac-type 0x8863,0x8864
# DISABLED 00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
# DISABLED 00200 set 0 skipto 60000 ip6 from ::1 to any
# DISABLED 00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
# DISABLED 00202 set 0 skipto 60000 ip6 from any to ::1
# DISABLED 00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
# DISABLED 06000 set 0 skipto 60000 tcp from any to any out
# DISABLED 06199 set 0 skipto 60000 ip from any to any
# DISABLED 60000 set 0 return
# DISABLED 65533 set 0 allow ip from any to any
# DISABLED 65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any

Hello,

the vnstat configfile located in /usr/local/etc/vnstat.conf is overwritten after every reboot (or restart of the service). Since the plugin in OpnSense is not using our default date notation (YY-MM-DD and not DD-MM-YY) etc ... I have modified the config file, but how can I keep the modified config after reboot? Changing the .sample file as well didn't help.

If not possible, maybe make the parameters available in the OpnSense GUI?