Messages

I guess its a bug: https://github.com/opnsense/core/issues/8324

bumping

Im facing problem with returning traffic from service. Some diagram displayed on screen.
Problem in this specific situation: when traffic goes through opnsense-1, there is no problem and opnsense-1 know about this state. When it comes through opnsense-2(secondary, slave), tcp SYN ACK comes back only through opnsense-1, and it doesnt know about state of opnsense-2
There is no way to realize standart HA CARP+pfsync due to cloud platform architecture. Despite that I can use PFSYNC, but cant understand how to understand, if it works. Will be nice to have step-by-step instructions to perform PFSYNC between ngfw-s

Try this:

1. System > Settings > Tunables
2. Add tunable, name=hw.vtnet.csum_disable, value=1
3. Save and reboot

Thanks! It worked out. Can you explain nature of the problem and why it happened? So, it is some checksum calculation? Am I getting it right, without checksum there will be more resource utilization?

KVM based cloud and VirtIO network interfaces? Please check and report back.

Yes, https://yandex.cloud/en/docs/vpc/concepts/software-accelerated-network#reg-vm and https://yandex.cloud/en/docs/compute/operations/image-create/custom-image#requirements

We have Opnsense instance in cloud environment between separated from each other networks. For some reason, there is serious speed limitations: ~300KB/S-800KB/S. Cloud provider didnt register any problems with cloud platform. If traffic dont go through Opnsense, speed is normal. There is no traffic shaping rules. Rebooted opnsense, didnt work either. Can you point, where should I look and what exactly?

It would be nice, if someone can approve my thoughts :'(. Thanks

There is a goal to achieve HA setup in cloud infrastructure. Following this guide, I need a dedicated interface to organize sync and high availability between opnsense firewalls. There is some limitations in Yandex cloud: https://yandex.cloud/en/docs/vpc/concepts/network-overview#limits
Including:

2.3. Network protocols that require a single virtual IP address (VIP) across VMs, such as HSRP, VRRP, or GLBP, are not supported.

There is also no functionality to create virtual interface(only binded to specific network)
Am I getting this right, that its impossible to provide HA architecture? Also, it will not be able to sync firewall config and other states

Hey franco
Is anything changed? Currently facing problem when interfaces getting default addresses in cloud environment and I lose connectivity to virtual machine even through COM console. Downloaded freebsd with cloud-init image and installed with opnsense, but looks like cloud-init cant fetch data from cloud platform. Before opnsense installation, on clear freebsd, metadata fetches. Is there a functionality to autoconfigure interface ips with cloud-init?

Also an assumption: it stops to give any output and probably losing connectivity, because its assigning default(?) ip's for interfaces, and that is not the addresses, assigned to VM by cloud platform. Is there any way to specify ip and mask during bootstrap installation ?

Figured out how to install opnsense on freebsd with cloud-init. Connected to machine via COM port and run bootstrap script. Machine reboots and then I dont have any output and cant perform any input on that stage. Before that tried to install with ssh session, but as documentation says(https://docs.opnsense.org/manual/how-tos/serial_access.html#connecting-to-the-serial-console), if I'm using serial in installation process, this wont be disabled. So is it something with serial or opnsense in general?

So I just used opnsense-bootstrap script on clear FreeBSD(didnt do any changes), rebooted and cant see any difference on system. Also cant see any errors either.
Also, I guess opnsense after installation must be on /usr/local/opnsense/, but there is nothing but some files(image included)
Am I getting this right, that the 'opnsense-bootstrap' script will build an OPNSense on my FreeBSD system?

Faced problem with required preconfiguration to install OPNSense in cloud environment.
There is instructions:
https://yandex.cloud/en/docs/compute/operations/image-create/custom-image

Boot disk images must meet the following requirements:
   

The virtio-net, virtio-blk, and virtio-pci drivers are installed. If you are going to attach file storages to your VM, you also need to install the virtiofs driver. For more information, refer to this guide.
    The ttyS0 terminal (COM1 port) is set up as a serial console. For more information, refer to this guide.
    The network interface runs correctly when starting a VM and obtains the IP address via DHCP.
    The cloud-init package is installed and configured to work with our metadata service. To install the package for CentOS, run the sudo yum install cloud-init command. To install it for Debian or Ubuntu, run sudo apt update && sudo apt install -y cloud-init.
    If you created an image based on an Amazon Machine Image (AMI), verification of the cloud platform where the VM instance is run is disabled in the cloud-init settings. For more information, refer to this guide.
    In the system firewall settings, the minimum required set of ports for running your applications and a port for SSH access (by default, 22 TCP) are open.
    The SSH server starts automatically at VM startup.
    Services running your application are resistant to VM reboots.
    The boot disk uses MBR partitioning.
    The disk is mounted by its UUID rather than by name.
    The file system is not encrypted.

I guess there is 2 ways:
1) Use prebuild VHD, VDI to place it on cloud plarform
2) Build an image, that can correctly be used to install instances of OPNSense
I guess having an prebuild preparted image is a more correct and convinient way, so now I'm trying to move this way.

So i assume, my current step-by-step guide is:
1) Install FBSD 13.2 on some virtualization platform(I'm using VirtualBox)
2) Make required changes by Yandex Cloud
3) Build OPNSense dvd, using "tools" repository - https://github.com/opnsense/tools

So, I need clear OPNSense but with some modification, required for cloud platform Yandex Cloud
I though "tools" repository will copnfigure OPNSense on top of FreeBSD, but seems it's not.
Also found bootstrap script https://github.com/opnsense/update?tab=readme-ov-file#opnsense-bootstrap, but getting exit code "Must be amd64 architecture", despite "uname -p" returning "amd64".
So need to say I'm absolute noob at FreeBSD and OPNSense, so just need a way to create my image and then learn and maintain FreeBSD with OPNSense. Will be grateful for any help!

Maybe wrong topic, sorry