Messages - quantumjohnny

#1
I compared the config.xml files that I got from the backup and realized that I was getting an increasing amount of <vip> entries in the files. This seems to have been caused by me at the same time selecting
a) Interfaces > Virtual IPs > Settings > $EACH_of_my_VIPs > No XMLRPC Sync
b) System > High Availability > Settings > Services to synchronize > Virtual IPs

The reason I selected a) was that I wanted to set individual advskew on my HA devices but the XMLRPC sync overwrote this every time. After selecting a) I should obviously have deselected b) but forgot.

Still don't know why it was creating an increasing amount of VIPs with every sync then but at least that resolves my issue. Hope it helps.
#2
Hi,

I have a Deciso DEC2700 as my HA Master and an APU Board as a weak HA Backup, both running OPNsense 25.1.7. That worked so far but today I noticed that my Backup was not responsive to anything. SSH super slow. Rebooted. Took forever.

I looked at it with the Serial interface and can see every single step take forever, like every "Configuring XXX interface...done." takes about 2 minutes. After about ~20min it is now finally booted and I get SSH access.

The Backend Log shows a bunch of Timeout Errors from configd.py.

Now an interesting thing I noticed: I do a config backup through os-nextcloud-backup every day and found that through the last 10 days the XML file size has been increasing a lot each time. Started at 287 kB, then 327, 374, 467, 467, 654, 1MB, 1MB, 1MB, 1MB, 1.8MB, 1.8MB, 3.3MB, 6.3MB, 6.3MB.
Those file sizes don't correlate with anything going on on my network. I need to think whether I modified anything significant on the WebGUI but I think not.

Do you have any idea what's going on here? The Backup is basically unusable at this point.

Thank you for your support,
qj

PS: Aside from os-nextcloud-backup, I only have os-telegraf and os-cpu-microcode-amd installed on the Backup System.
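Posts #1 and #2 describe the same symptom from two sides: config.xml backups growing at every sync because duplicate <vip> entries pile up. The script below is an added example, not from the thread or from OPNsense, that counts <vip> entries in a backup and reports logical VIPs that occur more than once; the element names it looks for and the sample document are assumptions modelled on OPNsense's config.xml layout.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample fragment, not one of the poster's backups. The element
# names (<virtualip>/<vip> with interface, mode, subnet, subnet_bits, vhid,
# advskew) are assumed to follow OPNsense's config.xml layout.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <virtualip version="1.0.0">
    <vip uuid="a1"><interface>wan</interface><mode>carp</mode>
      <subnet>192.0.2.10</subnet><subnet_bits>24</subnet_bits>
      <vhid>1</vhid><advskew>0</advskew></vip>
    <vip uuid="a2"><interface>wan</interface><mode>carp</mode>
      <subnet>192.0.2.10</subnet><subnet_bits>24</subnet_bits>
      <vhid>1</vhid><advskew>100</advskew></vip>
    <vip uuid="b1"><interface>lan</interface><mode>carp</mode>
      <subnet>10.0.1.1</subnet><subnet_bits>24</subnet_bits>
      <vhid>2</vhid><advskew>0</advskew></vip>
  </virtualip>
</opnsense>
"""

# Fields that identify one logical VIP. advskew is left out on purpose: the
# copies produced by a sync loop may differ only in that per-node value.
KEY_FIELDS = ("interface", "mode", "subnet", "subnet_bits", "vhid")

def vip_key(vip):
    return tuple((vip.findtext(f) or "").strip() for f in KEY_FIELDS)

def vip_count(xml_text):
    """Total number of <vip> entries anywhere in the document."""
    return sum(1 for _ in ET.fromstring(xml_text).iter("vip"))

def find_duplicate_vips(xml_text):
    """Return {key: count} for every logical VIP present more than once."""
    counts = Counter(vip_key(v) for v in ET.fromstring(xml_text).iter("vip"))
    return {k: n for k, n in counts.items() if n > 1}

def growth_between(old_xml, new_xml):
    """How many <vip> entries a newer backup gained over an older one."""
    return vip_count(new_xml) - vip_count(old_xml)

if __name__ == "__main__":
    # Point this at a config.xml backup to inspect it; default is the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("total <vip> entries:", vip_count(text))
    for key, n in find_duplicate_vips(text).items():
        print(f"  {n}x interface={key[0]} mode={key[1]} addr={key[2]}/{key[3]} vhid={key[4]}")
```

Running it over each daily backup in turn makes the growth visible as a rising total and a growing duplicate count, which is the check the file sizes in post #2 only hint at.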
#3
Hi,

I have two OPNsense routers configured with High Availability. Unbound is running as DNS resolver for the network.
Whenever I reboot one of the machines, Unbound seems to "restart" on the other machine. For my network, the DNS is unavailable as long as Unbound needs. Previously that has been some minutes because I had configured some blocklists that it took a while to load. Now it still takes ~20s which is not too bad but I don't see why it is doing it.

When I reboot the BACKUP device, why would Unbound reload? (I'd also question why it would reload when the MASTER device becomes unavailable since it seems to defeat the purpose of HA).

All other services perform nicely whenever one HA device becomes unavailable but Unbound does not.

In the logs of Unbound on the MASTER device I only see the following when I reboot the BACKUP device:
Closing logger
notice: init module 0: python
daemonize unbound dhcpd watcher
notice: init module 1: validator
notice: init module 2: iterator
Backgrounding unbound logging backend

This sounds like Unbound is re-initializing. Is there a way to prevent this? For me this is a serious issue because it means when I run a major update on the Backup device it should not affect my Master device. And when I enable the blacklists, not having DNS for a few minutes is not really acceptable in our network.

Would be happy for your support/ideas/insights. Thanks!
#4
24.7, 24.10 Legacy Series / HA and 2FA
October 10, 2024, 10:19:22 AM
Hi,
I would like to enable 2FA to login to the WebUI. But if I see this correctly, HA uses just a normal WebUI-password to synchronize which is not compatible with 2FA.
So is there a way to enable 2FA for everything but HA?
Creating a separate user for HA with a decent password and without 2FA would be reasonable. But I don't see how you could do that.
Any recommendations/ideas on how to get this working?

Thanks a lot,
qj

#5
Hi,
How can I remove all the reservations from the KEA-DHCP(4) table? In the GUI I can delete individual entries but this is a lot of effort if you want to overhaul your whole subnet.
Deleting the reservation entries in /usr/local/etc/kea/kea-dhcp4.conf is being overwritten with the next restart of KEA.

Thanks for your help!
#6
Thank you for the instructions, very helpful.

Despite that I was struggling to get this to work because I did not correctly follow step 7):

"Trigger a full sync" is an obscure little button in the form of a cloud. I somehow presumed that by pressing "Perform Synchronization" in System/High Availability/Settings the Sync would be triggered. But no, you need to click this little cloud.

After that the sync worked and everything else suddenly made sense. Hope that helps other people.
#7
Nothing there. No bridges or other interfaces. Anything fancy should also show up in the routing table, though.

After the n-th reboot it now works even without the "Far Gateway" option enabled. I did not change anything aside from that option. Will see how it develops.

Anyway, would you have a hint on how to debug a failing route when the routing table seems correct?

I'll update this if anything new pops up.
#8
Quote from: franco on July 17, 2024, 09:54:11 AM
This only ever happens when the attached subnet / netmask disagrees about it for a valid (but sometimes obscure) reason.

Fully agree that it appears that way. But I don't see anywhere that this is the case. And it is rather strange considering I did not change much of the defaults here. Any idea where I can dig deeper?
#9
Sorry I just wanted to obscure the subnet. That is 192.168.178.0/24. But shouldn't matter. So everything here was from that subnet. Fixed in the original post.
#10
Hi,

I set up a pretty standard OPNsense config behind a router from my ISP.
WAN interface (igb3) points to the router and gets IP via DHCP. IP is obtained as 192.168.1.3, Router is set as Gateway at 192.168.1.1
LAN interface (igb2) has my laptop and assigns IPs via Kea DHCP (10.0.1.0/24) subnet.

From my laptop I can access the OPNsense host nicely, everything on the LAN side seems to work.

However, from the OPNsense host I have no access towards the router (I still believe that it was working nicely until recently, so maybe the upgrade to 24.1.10 changed something).

So I could not ping my ISP router (192.168.1.1), getting

PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Invalid argument


Anything outside my local net (LAN) cannot be pinged. Unbound also didn't work (unsurprisingly). The only somewhat unhelpful message I found in the logs was:

arpresolve: can't allocate llinfo for 192.168.1.1 on igb3


With the above error I came to set the gateway to "Far Gateway", which is supposed to be for "This will allow the gateway to exist outside of the interface subnet."
But my Gateway at 192.168.1.1 is in the WAN subnet of 192.168.1.3/24 ?

From the setup of routes and gateway everything looks fine as far as I can tell.
ifconfig

igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (lan)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
        ether 00:0d:b9:61:ad:f6
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb3: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
        ether 00:0d:b9:61:ad:f7
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


netstat -rn

Destination        Gateway            Flags     Netif Expire
default            192.168.1.1      UGS        igb3
10.0.1.0/24        link#3             U          igb2
10.0.1.1           link#3             UHS         lo0
127.0.0.1          link#6             UH          lo0
192.168.1.3      link#4             UHS         lo0


Setting the "Far Gateway" option for the configured gateway adds one entry to the above routes:

192.168.1.1      link#4             UHS        igb3


I am at a loss why this is happening and why I have to set the "Far Gateway" option when my Gateway appears to be in the same subnet as the WAN interface.

Related:
https://forum.opnsense.org/index.php?topic=11991.0
But for me manually saving the WAN interface configuration did not change anything.

Possibly related:
https://forum.opnsense.org/index.php?topic=34340.0
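The question in this post (is 192.168.1.1 really inside the subnet attached to igb3, or does the interface's netmask disagree?) can be checked mechanically. The following is an added example, not part of the thread or of OPNsense itself; it parses constructed sample data in the shape of the ifconfig and netstat -rn output above and reports whether the default gateway is on-link for the interface its route points at.

```python
import ipaddress
import re
# Constructed sample data in the same shape as the ifconfig and netstat -rn
# output in the post above; it is not the poster's actual output.
IFCONFIG = """\
igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
igb3: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
"""
NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS        igb3
10.0.1.0/24        link#3             U          igb2
"""

def parse_ifconfig(text):
    """Map interface name -> list of IPv4Interface (address plus prefix)."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        inet = re.match(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})", line)
        if head:
            current = head.group(1)
            ifaces.setdefault(current, [])
        elif inet and current:
            # ifconfig prints the netmask as hex; turn it into dotted form.
            mask = ipaddress.IPv4Address(int(inet.group(2), 16))
            ifaces[current].append(ipaddress.IPv4Interface(f"{inet.group(1)}/{mask}"))
    return ifaces

def default_route(text):
    """Return (gateway, netif) of the default route, or None."""
    for line in text.splitlines():
        cols = line.split()
        if cols and cols[0] == "default":
            return ipaddress.IPv4Address(cols[1]), cols[3]
    return None

def gateway_on_link(ifconfig_text, netstat_text):
    """Is the default gateway inside a subnet configured on its own interface? False is the case Far Gateway exists for."""
    route = default_route(netstat_text)
    if route is None:
        return False, "no default route"
    gw, netif = route
    for itf in parse_ifconfig(ifconfig_text).get(netif, []):
        if gw in itf.network:
            return True, f"{gw} is inside {itf.network} on {netif}"
    return False, f"{gw} is not in any subnet configured on {netif}"
```

If this reports the gateway as on-link yet arpresolve still fails, the mismatch franco describes is not in the visible address/netmask and the next place to look is the interface's actual kernel state rather than the configured values.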