1
General Discussion / Re: Nominate OPNsense and FreeBSD Foundation for Proton's Fundraiser (Big Reward)!!
« on: November 08, 2024, 04:59:17 pm »
+1
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
24.7 Production Series / Re: 24.10 Business upgrade?
« on: October 18, 2024, 01:42:18 pm »
I did the upgrade (on a Deciso appliance) a couple of minutes ago and will report back if I have some issues. One warning though: Don't do the upgrade remote, I had to restart the fw via the console after the upgrade.
Some checks I have done:
- internet connectivity seems to be stable = OK
- OpenVPN S2S tunnel + C2S = OK
- health, connectivity and security audit check = OK
- upgrade check= "NO CRL was provided" error = EXPECTED according info on the forum (no impact)
- my plugins are still working = OK
- speedtest widget on dashboard (os-speedtest-community) is not available anymore = EXPECTED
Some anomalies / bugs detected (nothing major):
- dashboard widget "OpenVPN Client Connections" indicates no S2S clients available, but I do have a S2S tunnel active (and this was working fine pre-upgrade) - assume that I don't need to expect something here, but it is not working in the widget "OpenVPN Server Connections" neither
- dashboard widget "thermal sensors": Different cores are showed (all the same in my case), widget cannot be modified to show only the main temperature (pre-upgrade this was possible)
Some checks I have done:
- internet connectivity seems to be stable = OK
- OpenVPN S2S tunnel + C2S = OK
- health, connectivity and security audit check = OK
- upgrade check= "NO CRL was provided" error = EXPECTED according info on the forum (no impact)
- my plugins are still working = OK
- speedtest widget on dashboard (os-speedtest-community) is not available anymore = EXPECTED
Some anomalies / bugs detected (nothing major):
- dashboard widget "OpenVPN Client Connections" indicates no S2S clients available, but I do have a S2S tunnel active (and this was working fine pre-upgrade) - assume that I don't need to expect something here, but it is not working in the widget "OpenVPN Server Connections" neither
- dashboard widget "thermal sensors": Different cores are showed (all the same in my case), widget cannot be modified to show only the main temperature (pre-upgrade this was possible)
3
24.7 Production Series / Re: vnstat date format
« on: September 12, 2024, 11:11:23 am »
For changes that will persist after reboot, you need to edit:
/usr/local/opnsense/service/templates/OPNsense/Vnstat/vnstat.conf
I have the following setting to get dd/mm/yyyy:
# locale (LC_ALL) ("-" = use system locale)
Locale "-"
# date output formats for -d, -m, -t and -w
# see 'man date' for control codes
DayFormat "%d/%m/%Y"
MonthFormat "%m/%Y"
TopFormat "%d/%m/%Y"
Hope this helps?
/usr/local/opnsense/service/templates/OPNsense/Vnstat/vnstat.conf
I have the following setting to get dd/mm/yyyy:
# locale (LC_ALL) ("-" = use system locale)
Locale "-"
# date output formats for -d, -m, -t and -w
# see 'man date' for control codes
DayFormat "%d/%m/%Y"
MonthFormat "%m/%Y"
TopFormat "%d/%m/%Y"
Hope this helps?
4
24.1 Legacy Series / vnstat plugin outdated: any takers?
« on: July 02, 2024, 02:50:32 pm »
I find the vnstat plugin very useful to follow-up the traffic on my firewall. The plugin itself is working for 95%, but is very outdated. It seems that the plugin maintainer abandoned the project a couple of years ago. I don't know if the maintainer or someone else (at Deciso?) would like to bring an update of the plugin? I would do it myself, but my development knowledge is very limited.
Github:
https://github.com/opnsense/plugins/blame/2705ed92931e79732a947a293edcf147888d20a6/net/vnstat/pkg-descr
For instance, the "new" graphics of vnstat would add some visual value to the plugin in OpnSense.
Github:
https://github.com/opnsense/plugins/blame/2705ed92931e79732a947a293edcf147888d20a6/net/vnstat/pkg-descr
For instance, the "new" graphics of vnstat would add some visual value to the plugin in OpnSense.
5
24.1 Legacy Series / Re: VNSTAT: configfile overwritten after reboot
« on: June 21, 2024, 07:02:40 pm »
Thanks a lot, that's indeed easier.
Wasn't aware of this template.
Wasn't aware of this template.
6
24.1 Legacy Series / Re: VNSTAT: configfile overwritten after reboot
« on: June 21, 2024, 05:15:24 pm »
Will try to solve it by copying the saved config over the default config after boot (not tested yet), created the following file. I will not expect issues?
/usr/local/etc/rc.syshook.d/start/93-vnstat
#!/bin/sh
echo -n "Restoring vnstat config"
cp /usr/local/etc/vnstat.conf.restore /usr/local/etc/vnstat.conf
/usr/local/etc/rc.syshook.d/start/93-vnstat
#!/bin/sh
echo -n "Restoring vnstat config"
cp /usr/local/etc/vnstat.conf.restore /usr/local/etc/vnstat.conf
7
General Discussion / Re: Support Schedules in Traffic Shaper Rules
« on: June 21, 2024, 04:57:22 pm »
Had a similar issue, solved with some help and thought to let you know as well (even if it's an older topic):
Solution at https://forum.opnsense.org/index.php?topic=41141.0
Solution at https://forum.opnsense.org/index.php?topic=41141.0
8
24.1 Legacy Series / Re: Disable and enable traffic shaper via cron?
« on: June 21, 2024, 04:41:06 pm »
And some info for anyone else:
1) create /usr/local/opnsense/service/conf/actions.d/actions_enableshaper.conf
[enableshaper]
command:/sbin/ipfw set enable 0
parameters:
type:script
message:Enable Shaper
description: Enable Shaper
2) create /usr/local/opnsense/service/conf/actions.d/actions_disableshaper.conf
[disableshaper]
command:/sbin/ipfw set disable 0
parameters:
type:script
message:Disable Shaper
description: Disable Shaper
3) activate with:
service configd restart
4) test with:
configctl disableshaper disableshaper
and
configctl enableshaper enableshaper
5) if tests are fine (you should get an "OK"), you can create 2 cronjobs in the OpnSense WebGUI Cron/System to enable and disable the packet shaper when you'd like. Disadvantage of this method: it's all or nothing (not rule per rule)
(again, thanks Patrick for pointing me in the good direction!)
1) create /usr/local/opnsense/service/conf/actions.d/actions_enableshaper.conf
[enableshaper]
command:/sbin/ipfw set enable 0
parameters:
type:script
message:Enable Shaper
description: Enable Shaper
2) create /usr/local/opnsense/service/conf/actions.d/actions_disableshaper.conf
[disableshaper]
command:/sbin/ipfw set disable 0
parameters:
type:script
message:Disable Shaper
description: Disable Shaper
3) activate with:
service configd restart
4) test with:
configctl disableshaper disableshaper
and
configctl enableshaper enableshaper
5) if tests are fine (you should get an "OK"), you can create 2 cronjobs in the OpnSense WebGUI Cron/System to enable and disable the packet shaper when you'd like. Disadvantage of this method: it's all or nothing (not rule per rule)
(again, thanks Patrick for pointing me in the good direction!)
9
24.1 Legacy Series / Re: Disable and enable traffic shaper via cron?
« on: June 21, 2024, 04:23:11 pm »
update: after doing some tests, it seemed to work (and the pipes are in the config as well)
thanks a lot Patrick!
thanks a lot Patrick!
10
24.1 Legacy Series / Re: Disable and enable traffic shaper via cron?
« on: June 21, 2024, 04:06:32 pm »
Thanks for the feedback Patrick:
when enabled (via GUI):
root@opnjg29:/home/backup # ipfw -S list
00100 set 0 allow pfsync from any to any
00110 set 0 allow carp from any to any
00120 set 0 allow layer2 mac-type 0x0806,0x8035
00130 set 0 allow layer2 mac-type 0x888e,0x88c7
00140 set 0 allow layer2 mac-type 0x8863,0x8864
00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
00200 set 0 skipto 60000 ip6 from ::1 to any
00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 set 0 skipto 60000 ip6 from any to ::1
00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
06000 set 0 skipto 60000 tcp from any to any out
06199 set 0 skipto 60000 ip from any to any
60000 set 0 return
60001 set 0 pipe 10000 ip from 192.168.60.100 to any via igc1 // a3b39633-a293-4c97-a7d6-f533666706e1 wan: Limit to 20 mbps upload
60002 set 0 pipe 10001 ip from any to 192.168.60.100 via igc1 // 706561f7-1d0e-45a5-8d94-c6e11c95daaa wan: Limit to 3 mbps download
65533 set 0 allow ip from any to any
65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any
when disabled (via GUI):
root@opnjg29:/home/backup # ipfw -S list
00100 set 0 allow pfsync from any to any
00110 set 0 allow carp from any to any
00120 set 0 allow layer2 mac-type 0x0806,0x8035
00130 set 0 allow layer2 mac-type 0x888e,0x88c7
00140 set 0 allow layer2 mac-type 0x8863,0x8864
00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
00200 set 0 skipto 60000 ip6 from ::1 to any
00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 set 0 skipto 60000 ip6 from any to ::1
00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
06000 set 0 skipto 60000 tcp from any to any out
06199 set 0 skipto 60000 ip from any to any
60000 set 0 return
65533 set 0 allow ip from any to any
65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any
but not working when changing via the set enable/disable 0 commands:
the shaper rules are not in the config ... see below
The only difference with your config is that you are using queues and I'm using pipes.
root@opnjg29:/home/backup # ipfw set enable 0
root@opnjg29:/home/backup # ipfw -S list
00100 set 0 allow pfsync from any to any
00110 set 0 allow carp from any to any
00120 set 0 allow layer2 mac-type 0x0806,0x8035
00130 set 0 allow layer2 mac-type 0x888e,0x88c7
00140 set 0 allow layer2 mac-type 0x8863,0x8864
00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
00200 set 0 skipto 60000 ip6 from ::1 to any
00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 set 0 skipto 60000 ip6 from any to ::1
00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
06000 set 0 skipto 60000 tcp from any to any out
06199 set 0 skipto 60000 ip from any to any
60000 set 0 return
65533 set 0 allow ip from any to any
65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any
root@opnjg29:/home/backup # ipfw set disable 0
root@opnjg29:/home/backup # ipfw -S list
# DISABLED 00100 set 0 allow pfsync from any to any
# DISABLED 00110 set 0 allow carp from any to any
# DISABLED 00120 set 0 allow layer2 mac-type 0x0806,0x8035
# DISABLED 00130 set 0 allow layer2 mac-type 0x888e,0x88c7
# DISABLED 00140 set 0 allow layer2 mac-type 0x8863,0x8864
# DISABLED 00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
# DISABLED 00200 set 0 skipto 60000 ip6 from ::1 to any
# DISABLED 00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
# DISABLED 00202 set 0 skipto 60000 ip6 from any to ::1
# DISABLED 00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
# DISABLED 06000 set 0 skipto 60000 tcp from any to any out
# DISABLED 06199 set 0 skipto 60000 ip from any to any
# DISABLED 60000 set 0 return
# DISABLED 65533 set 0 allow ip from any to any
# DISABLED 65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any
when enabled (via GUI):
root@opnjg29:/home/backup # ipfw -S list
00100 set 0 allow pfsync from any to any
00110 set 0 allow carp from any to any
00120 set 0 allow layer2 mac-type 0x0806,0x8035
00130 set 0 allow layer2 mac-type 0x888e,0x88c7
00140 set 0 allow layer2 mac-type 0x8863,0x8864
00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
00200 set 0 skipto 60000 ip6 from ::1 to any
00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 set 0 skipto 60000 ip6 from any to ::1
00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
06000 set 0 skipto 60000 tcp from any to any out
06199 set 0 skipto 60000 ip from any to any
60000 set 0 return
60001 set 0 pipe 10000 ip from 192.168.60.100 to any via igc1 // a3b39633-a293-4c97-a7d6-f533666706e1 wan: Limit to 20 mbps upload
60002 set 0 pipe 10001 ip from any to 192.168.60.100 via igc1 // 706561f7-1d0e-45a5-8d94-c6e11c95daaa wan: Limit to 3 mbps download
65533 set 0 allow ip from any to any
65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any
when disabled (via GUI):
root@opnjg29:/home/backup # ipfw -S list
00100 set 0 allow pfsync from any to any
00110 set 0 allow carp from any to any
00120 set 0 allow layer2 mac-type 0x0806,0x8035
00130 set 0 allow layer2 mac-type 0x888e,0x88c7
00140 set 0 allow layer2 mac-type 0x8863,0x8864
00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
00200 set 0 skipto 60000 ip6 from ::1 to any
00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 set 0 skipto 60000 ip6 from any to ::1
00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
06000 set 0 skipto 60000 tcp from any to any out
06199 set 0 skipto 60000 ip from any to any
60000 set 0 return
65533 set 0 allow ip from any to any
65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any
but not working when changing via the set enable/disable 0 commands:
the shaper rules are not in the config ... see below
The only difference with your config is that you are using queues and I'm using pipes.
root@opnjg29:/home/backup # ipfw set enable 0
root@opnjg29:/home/backup # ipfw -S list
00100 set 0 allow pfsync from any to any
00110 set 0 allow carp from any to any
00120 set 0 allow layer2 mac-type 0x0806,0x8035
00130 set 0 allow layer2 mac-type 0x888e,0x88c7
00140 set 0 allow layer2 mac-type 0x8863,0x8864
00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
00200 set 0 skipto 60000 ip6 from ::1 to any
00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 set 0 skipto 60000 ip6 from any to ::1
00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
06000 set 0 skipto 60000 tcp from any to any out
06199 set 0 skipto 60000 ip from any to any
60000 set 0 return
65533 set 0 allow ip from any to any
65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any
root@opnjg29:/home/backup # ipfw set disable 0
root@opnjg29:/home/backup # ipfw -S list
# DISABLED 00100 set 0 allow pfsync from any to any
# DISABLED 00110 set 0 allow carp from any to any
# DISABLED 00120 set 0 allow layer2 mac-type 0x0806,0x8035
# DISABLED 00130 set 0 allow layer2 mac-type 0x888e,0x88c7
# DISABLED 00140 set 0 allow layer2 mac-type 0x8863,0x8864
# DISABLED 00150 set 0 deny layer2 not mac-type 0x0800,0x86dd
# DISABLED 00200 set 0 skipto 60000 ip6 from ::1 to any
# DISABLED 00201 set 0 skipto 60000 ip4 from 127.0.0.0/8 to any
# DISABLED 00202 set 0 skipto 60000 ip6 from any to ::1
# DISABLED 00203 set 0 skipto 60000 ip4 from any to 127.0.0.0/8
# DISABLED 06000 set 0 skipto 60000 tcp from any to any out
# DISABLED 06199 set 0 skipto 60000 ip from any to any
# DISABLED 60000 set 0 return
# DISABLED 65533 set 0 allow ip from any to any
# DISABLED 65534 set 0 deny ip from any to any
65535 set 31 allow ip from any to any
11
24.1 Legacy Series / VNSTAT: configfile overwritten after reboot [SOLVED]
« on: June 21, 2024, 02:15:23 pm »
Hello,
the vnstat configfile located in /usr/local/etc/vnstat.conf is overwritten after every reboot (or restart of the service). Since the plugin in OpnSense is not using our default date notation (YY-MM-DD and not DD-MM-YY) etc ... I have modified the config file, but how can I keep the modified config after reboot? Changing the .sample file as well didn't help.
If not possible, maybe make the parameters available in the OpnSense GUI?
the vnstat configfile located in /usr/local/etc/vnstat.conf is overwritten after every reboot (or restart of the service). Since the plugin in OpnSense is not using our default date notation (YY-MM-DD and not DD-MM-YY) etc ... I have modified the config file, but how can I keep the modified config after reboot? Changing the .sample file as well didn't help.
If not possible, maybe make the parameters available in the OpnSense GUI?
12
24.1 Legacy Series / Re: Disable and enable traffic shaper via cron?
« on: June 21, 2024, 09:46:24 am »
Nobody an idea or a point in the good direction?
13
24.1 Legacy Series / Re: Traffic shaping is driving me nuts
« on: June 19, 2024, 11:34:54 pm »
I had an issue where the shaper was not working either.
At the end, the reason (for me at least) was the "Sequence number" in the shaper rules. For one reason or another, it took previous (deleted in meantime) rule numbers into account.
Chances are smll that you'll face the same issue, but maybe try to put a sequence number in your rules that is high enough / never been used previously.
At the end, the reason (for me at least) was the "Sequence number" in the shaper rules. For one reason or another, it took previous (deleted in meantime) rule numbers into account.
Chances are smll that you'll face the same issue, but maybe try to put a sequence number in your rules that is high enough / never been used previously.
14
24.1 Legacy Series / Disable and enable traffic shaper via cron?[SOLVED]
« on: June 19, 2024, 11:27:49 pm »
Hello,
I've noticed that a scheduler for the packet shaper is not available in OpnSense and that there are no plans to implement it. Fine, but is there a possibility to disable and enable the (complete) shaper service via cron? What would the command be?
Probably not "service XXXX stop" and "service XXXX start", since the config is in the FW configfiles?
Other possibilities?
Thanks!
I've noticed that a scheduler for the packet shaper is not available in OpnSense and that there are no plans to implement it. Fine, but is there a possibility to disable and enable the (complete) shaper service via cron? What would the command be?
Probably not "service XXXX stop" and "service XXXX start", since the config is in the FW configfiles?
Other possibilities?
Thanks!
Pages: [1]