Messages - kevindd992002

#1
Any help out here? This has been a nightmare for me. My ISP had issues since Friday and when this happens, opnsense doesn't automatically "recover". So when I'm not home when there is a network outage, everybody is affected.
#2
24.7, 24.10 Legacy Series / Re: ZFS trim and scrub
January 21, 2025, 02:42:43 PM
Quote from: EricPerl on January 20, 2025, 09:53:30 PM
It's in your HOWTO ;-)
Quote
That is, if the ZFS "autotrim" feature is not set manually. You can either set this via the OpnSense CLI with "zpool set autotrim=on zroot" or, better, add a daily cron job to do this (System: Settings: Cron) with "zroot" as parameter.
You can trim your zpool once via CLI with "zpool trim zroot".


Oh nice, I didn't know meyergru had a How To guide. Good to use for my environment then.
#3
Based on the dpinger logs I have, dpinger is up and running when this happens. In my case, when the Internet service comes back up it looks like the WAN interface IP address does not renew or something, which is why dpinger keeps on failing when querying the monitor IP. That's just me thinking of possible causes but I'm not sure how to verify this claim in the DHCP logs.
#4
24.7, 24.10 Legacy Series / Re: ZFS trim and scrub
January 20, 2025, 05:36:07 PM
Quote from: meyergru on January 20, 2025, 03:42:46 PM
I do not know if autotrim has always been on with OpnSense. Maybe your initial installation did have it disabled?

Did you check with "zpool get all | fgrep autotrim"? All my instances have it enabled.

Yes.

root@OPNsense:~ # zpool get all | fgrep autotrim
zroot  autotrim                       off                            default

I forgot the exact version of my initial install but it's pretty recent, like maybe June 2024 version.
#5
24.7, 24.10 Legacy Series / Re: ZFS trim and scrub
January 20, 2025, 03:21:47 PM
Quote from: meyergru on January 19, 2025, 04:37:14 PM
Quote from: mooh on January 02, 2025, 06:31:49 PM
Yes, if you have a ZFS pool inside your VM, the VM needs to do the trimming and scrubbing. If this pool happens to be mapped to a file in a ZFS pool of the host, the scrubbing is not needed since it is done by the host. Actually, scrubbing a virtual ZFS pool doesn't make sense.

Sorry, but this is plain wrong or at least ambiguous. The trimming and scrubbing taking place on the VM host works on its own ZFS pools, not on the OpnSense pools.

Within those pools, you have virtual disks, which are usually ZFS volumes. What the VM OS - in this case OpnSense - does with that, is its own business and the VM host does not look into it. OpnSense could as well be installed on UFS, which Proxmox would not even understand. On the other hand, you could have LVM filesystems on Proxmox and ZFS on OpnSense. You see: Even if both OpnSense and Proxmox use ZFS pools, they are independent of one another. If this wasn't clear already, just look at the names: Proxmox names its root zpool "rpool", whereas OpnSense names its pool "zroot".

Thus taking care of filesystems (or zpools) in an OpnSense VM is just as much its business as without virtualisation. Think of logical errors in the VM itself, which are not manifested on the underlying hardware.

For the default zroot pool, autotrim is on. While you could scrub, it would only be useful if you had multiple disks. If OpnSense is operated as VM, it would be more useful if the underlying Proxmox storage was redundant.

There you go. Thanks for the detailed explanation.

Only thing I'm wondering about is why autotrim in my opnsense zpool isn't enabled?
#6
Quote from: pfry on January 19, 2025, 05:03:01 PM
I haven't looked into the gateway monitoring mechanisms in OPNsense, but have you tried monitoring (pinging) a directly-connected IP (the immediate next-hop) instead of a remote?


I haven't tried it yet but I can. However, I think it's still best to use a remote IP when monitoring an Internet gateway. In fact, it's what I've been doing with pfsense for several years and it's flawless even with multiWAN. That's why I'm baffled why this isn't working with opnsense with a single WAN.
#7
After several months of using opnsense and a couple of firmware updates to it, I still get this issue:

https://forum.opnsense.org/index.php?topic=41676.msg204737#msg204737

I just experienced it today. Is this not yet fixed?

Here are some logs that triggered today:

https://gist.github.com/kevindd992002/bd55652b9847ca0af03e0d3c24f45957

The WAN gateway never went online until either I restarted the VM or manually renewed the WAN connection in the opnsense GUI.
#8
24.7, 24.10 Legacy Series / Re: ZFS trim and scrub
January 19, 2025, 02:56:23 PM
Well, initially I had a non-ZFS FS on my opnsense VM in the ZFS pve host. Then my opnsense VM got corrupted. Did some research and a couple of people suggested that the best way to go is to reinstall opnsense on the VM with a ZFS filesystem as well, and that's what I did. Why is this suboptimal? How do I go about "mounting a host ZFS to the opnsense VM directly"?

Here's that past topic if you're interested in why I did what I did: https://forum.opnsense.org/index.php?topic=42099.msg207468#msg207468
#9
24.7, 24.10 Legacy Series / Re: ZFS trim and scrub
January 02, 2025, 04:30:16 PM
Quote from: mooh on January 02, 2025, 04:12:00 PM
Unless you have attached a ZFS pool to the VM, the machine hosting the zpool should do the trimming and scrubbing.

I do have another pool inside the VM. So does that mean I have to create a cron job for trimming and scrubbing? What is the difference between the trim cron job and the autotrim property?
#10
24.7, 24.10 Legacy Series / ZFS trim and scrub
January 02, 2025, 11:11:24 AM
I have OPNsense 24.7.11_2-amd64 installed in a Proxmox VM and am wondering if it has ZFS trim and scrub scheduled by default? Or do I still need to add both tasks as a cron job?

If they're not enabled by default, why? Is there a reason we don't want these two?
#11
Quote from: franco on December 06, 2024, 08:51:40 AM
Looks I did not respond here...

Quote from: kevindd992002 on October 17, 2024, 08:14:34 AM
root@OPNsense:~ # opnsense-patch -a punktDeForks -c plugins a1f6543
fetch: https://github.com/punktDeForks/plugins/commit/a1f6543.patch: Not Found

How do I change the path to "opnsense-plugins" instead?

Since the repo is called "opnsense-plugins" just give it from the command line...

# opnsense-patch -a punktDeForks -c plugins -r opnsense-plugins a1f6543

However, there are a few bugs that I have to address for separate accounts and alternative repository names that don't match our defaults.


Cheers,
Franco

Got it. So don't use that method for now?


#12
Quote from: franco on October 29, 2024, 08:35:38 AM
The patch in question was added to 24.7.x already. You can add the "Manual gateway switch" cron job to adjust the situation.

I don't know about the other *sense. You trade a bug for another either way I think, but whatever works works.


Cheers,
Franco

I'm running 24.7.4_1 when this happened yesterday. Is the "manual gateway switch" created mainly as a workaround for this issue?
#13
I had this happen again today. Internet connection went down overnight because of maintenance. I woke up to no Internet. I had to go to gateways, edit the gateway and save.

Is there any update to this? Is this happening to pfsense too?
#14
Thanks for the help!


#15
Looks good. Although, I noticed that the opnsense firewall itself is not "upgraded" as a radius client:

Quote2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: Once the client is upgraded, set "require_message_authenticator = true" for client OPNsense   
2024-10-18T15:31:25           Error: UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.   
2024-10-18T15:31:25           Error: The packet does not contain Message-Authenticator, which is a security issue.   
2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: Setting "limit_proxy_state = true" for client OPNsense   
2024-10-18T15:31:25           Error: BlastRADIUS check: Received packet without Proxy-State.   
2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: Once the client is upgraded, set "require_message_authenticator = true" for client OPNsense   
2024-10-18T15:31:25           Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.   
2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: Setting "require_message_authenticator = false" for client OPNsense   
2024-10-18T15:31:25           Error: BlastRADIUS check: Received packet without Message-Authenticator.
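
An added example, not part of the original post and not code from OPNsense or the RADIUS server: a small parser for log lines in the shape quoted above that reports, per RADIUS client, which settings the server applied on its own and which it asks the admin to set after upgrading the client. The sample lines are constructed from that excerpt, and the client name `ap-lobby` is made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: line shapes copied from the excerpt above (newest first);
# the "ap-lobby" client is hypothetical.
SAMPLE_LOG = """\
2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2024-10-18T15:31:25           Error: Once the client is upgraded, set "require_message_authenticator = true" for client OPNsense
2024-10-18T15:31:25           Error: The packet does not contain Message-Authenticator, which is a security issue.
2024-10-18T15:31:25           Error: Setting "limit_proxy_state = true" for client OPNsense
2024-10-18T15:31:25           Error: Setting "require_message_authenticator = false" for client OPNsense
2024-10-18T15:31:25           Error: BlastRADIUS check: Received packet without Message-Authenticator.
2024-10-18T15:30:02           Error: Setting "limit_proxy_state = true" for client ap-lobby
"""

# Only two line shapes name a client: what the server applied ("Setting ...")
# and what it recommends once the client is upgraded.
LINE = re.compile(
    r'^(?P<ts>\S+)\s+Error:\s+(?P<kind>Setting|Once the client is upgraded, set) '
    r'"(?P<key>\w+) = (?P<val>\w+)" for client (?P<client>\S+)\s*$'
)

def audit(log_text):
    """Return {client: {"applied": {key: val}, "recommended": {key: val}}}."""
    clients = defaultdict(lambda: {"applied": {}, "recommended": {}})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner rows and free-text warnings carry no client name
        bucket = "applied" if m["kind"] == "Setting" else "recommended"
        clients[m["client"]][bucket][m["key"]] = m["val"]
    return dict(clients)

def unprotected(report):
    """Clients the server is accepting without requiring Message-Authenticator."""
    return sorted(
        name for name, r in report.items()
        if r["applied"].get("require_message_authenticator") == "false"
    )

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for name in unprotected(report):
        print(name, "applied:", report[name]["applied"],
              "recommended:", report[name]["recommended"])
```
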