Messages - aleco

#1
Quote from: Monviech on September 30, 2024, 11:48:45 AM
You could even use the OPNsense API to pull a backup, which would be more secure than SCP since you do not need elevated rights. [...] In German but just as reference:
https://andersgood.de/kurz-notiert/opnsense-per-api-verschluesseltes-backup-der-konfiguration-anlegen

Oh yes, that's very helpful, thanks. The page you linked mentions monit, so I will look into that too.

Quote from: Patrick M. Hausen on September 30, 2024, 11:58:20 AM
Pulling via SSH gives you a "no additional infrastructure necessary" way to achieve the same. And my impression was that was your primary concern.

That's right, my main goal is simplicity. But I also have the secondary goal of understanding the common logic behind it, as it affects how I think about setting things up in the future.

IT isn't my profession, and ideally, I won't log into OPNsense frequently. I see network services as "set up and forget." So I can already picture myself scratching my head trying to remember where the backup is configured in a few months (or years). I will try to find the configuration somewhere in the OPNsense GUI, then I might google for it and find this thread, to finally remember that the logic is actually on a different server. :)
#2
Quote from: Patrick M. Hausen on September 30, 2024, 09:47:28 AM
If your NAS system is configured to send email, then failing cron jobs should generate a mail with the error message.
Thanks, I'll look into that. Until now, I thought it was the system's job to push the data to the backup destination and send an alert if something went wrong. That made sense to me, since the system knows what needs to be backed up and can pick the best time when files aren't being modified.

But you're all suggesting it's actually the backup destination's responsibility to pull the data and manage alerts if something fails. This is quite different from what I expected, and the opposite of what I've experienced with OpenMediaVault and Home Assistant, which are the only two services I'm currently running. I'm also surprised, as I assumed backup destinations in general (and especially cloud-based ones) are passive and just store data.
#3
Quote from: Monviech on September 30, 2024, 06:58:11 AM
This one logs in via ssh and copies config.xml to the current directory (.). Just put some datetime variable into there, use ssh keys, and put that line into a cronjob and you are essentially done.
Thanks a lot! The only question left is how to get alerted if something goes wrong. I had this exact issue with an automated Home Assistant backup to my NAS a while back: when I changed the NAS's IP address, the scheduled backups from Home Assistant to it stopped working. Since there was no alert in place, I didn't notice for weeks. Luckily, I caught it by accident and fixed it before anything happened.

That's exactly what I'm trying to avoid this time. I was hoping there's a script that includes error notifications so I don't miss any issues in the future.
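The pull-from-the-NAS approach suggested in this post (scp of config.xml with an SSH key, a timestamp, a cron entry) and in #1 above (pulling via the OPNsense API so no elevated rights are needed), plus the alerting asked for here, as one cron script. This is an added example written for this page, not code from the thread, the linked German article, or OPNsense itself. It assumes: the script runs from cron on the NAS with `logger` and a working `mail` command; for the API method, a key/secret generated for a dedicated OPNsense user that holds only the backup privilege, and the core backup endpoint `/api/core/backup/download/this`, which is my recollection of the current API and should be verified against your release; for the SSH method, a key-based account able to read `/conf/config.xml` (by default that is root, which is exactly the "elevated rights" point in the quoted reply). `192.168.1.1`, `/srv/backups/opnsense`, `admin@example.com` and `/etc/opnsense-backup.env` are placeholders.

```shell
#!/bin/sh
# pull-opnsense-config.sh
# Added example for this thread, not OPNsense code: the NAS (backup destination)
# pulls config.xml on a schedule, refuses to store anything that is not a real
# config, keeps timestamped copies, and alerts on every failure mode.
#
#   FETCH=api ./pull-opnsense-config.sh run   # OPNsense API key/secret (assumed endpoint)
#   FETCH=ssh ./pull-opnsense-config.sh run   # scp with an SSH key
set -u

# Optional secrets file (mode 0600) so key/secret never appear in the crontab.
ENV_FILE="${ENV_FILE:-/etc/opnsense-backup.env}"
[ -r "$ENV_FILE" ] && . "$ENV_FILE"

FW_HOST="${FW_HOST:-192.168.1.1}"             # assumption: firewall LAN address
FETCH="${FETCH:-api}"                         # api | ssh
DEST_DIR="${DEST_DIR:-/srv/backups/opnsense}" # assumption: NAS path that rclone syncs
KEEP="${KEEP:-30}"                            # copies to retain
ALERT_TO="${ALERT_TO:-admin@example.com}"     # assumption: local MTA can deliver this
API_KEY="${API_KEY:-}"                        # user with only the backup privilege
API_SECRET="${API_SECRET:-}"
CA_CERT="${CA_CERT:-}"                        # exported GUI CA; empty = system trust store
SSH_USER="${SSH_USER:-root}"                  # account that can read /conf/config.xml
SSH_KEY="${SSH_KEY:-${HOME:-/root}/.ssh/opnsense_backup}"

# alert MSG: the piece that was missing in the silent Home Assistant failure.
alert() {
    msg="opnsense backup from $FW_HOST FAILED: $1"
    logger -t opnsense-backup "$msg" 2>/dev/null || true
    printf '%s\n' "$msg" | mail -s "opnsense backup FAILED" "$ALERT_TO" 2>/dev/null || true
}

# backup_name: timestamped name, so a bad pull never overwrites the last good copy.
backup_name() {
    printf 'config-%s.xml\n' "$(date +%Y%m%d-%H%M%S)"
}

# validate_config FILE: accept only a complete XML document with an <opnsense>
# root. An HTML login page, a JSON error body or an empty/truncated transfer
# would otherwise be stored as a "successful" backup.
validate_config() {
    f="$1"
    [ -s "$f" ] || return 1
    head -c 256 "$f" | grep -q '<?xml' || return 1
    grep -q '<opnsense>' "$f" || return 1
    grep -q '</opnsense>' "$f" || return 1
    return 0
}

# fetch_api OUT: GET the running config over HTTPS with key:secret basic auth.
# --fail turns 401/403/404 into a non-zero exit instead of saving the error page.
# Never add --insecure here: it would hand the key/secret to anyone on the path.
fetch_api() {
    out="$1"
    [ -n "$API_KEY" ] && [ -n "$API_SECRET" ] || { echo "API_KEY/API_SECRET not set" >&2; return 1; }
    set -- --silent --show-error --fail --user "$API_KEY:$API_SECRET" --output "$out"
    [ -n "$CA_CERT" ] && set -- "$@" --cacert "$CA_CERT"
    curl "$@" "https://$FW_HOST/api/core/backup/download/this"   # assumed core backup endpoint
}

# fetch_ssh OUT: copy /conf/config.xml with scp. BatchMode makes a missing key or
# a changed host key fail immediately instead of hanging on a prompt under cron.
fetch_ssh() {
    scp -q -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$SSH_USER@$FW_HOST:/conf/config.xml" "$1"
}

# rotate: keep the newest $KEEP copies (timestamped names sort lexically).
rotate() {
    ls -1 "$DEST_DIR"/config-*.xml 2>/dev/null | sort -r | tail -n +"$((KEEP + 1))" |
        while IFS= read -r old; do rm -f "$old"; done
}

main() {
    umask 077   # config.xml carries password hashes, VPN PSKs and API secrets
    mkdir -p "$DEST_DIR" || { alert "cannot create $DEST_DIR"; exit 1; }
    tmp="$(mktemp "$DEST_DIR/.config.XXXXXX")" || { alert "mktemp failed"; exit 1; }
    trap 'rm -f "$tmp"' EXIT
    case "$FETCH" in
        api) fetch_api "$tmp" ;;
        ssh) fetch_ssh "$tmp" ;;
        *)   alert "unknown FETCH=$FETCH"; exit 1 ;;
    esac || { alert "transfer failed (FETCH=$FETCH)"; exit 1; }
    validate_config "$tmp" || { alert "downloaded file is not an OPNsense config.xml"; exit 1; }
    mv "$tmp" "$DEST_DIR/$(backup_name)" || { alert "could not store backup"; exit 1; }
    rotate
    logger -t opnsense-backup "backup of $FW_HOST OK" 2>/dev/null || true
}

# Only run when called with "run", so the functions can be sourced and tested.
case "${1:-}" in run) main ;; esac
```

A crontab line such as `15 3 * * * /usr/local/bin/pull-opnsense-config.sh run` is all that is needed on the NAS; the key/secret live in the 0600 env file, not in the crontab. The `validate_config` step is the part that would have caught the Home Assistant failure described above: a wrong address, an expired key or a changed host key produces either a transfer error or a non-config body, and both end in an alert rather than a quietly growing directory of junk. Because config.xml contains password hashes, VPN pre-shared keys and API secrets, the script writes with `umask 077`; the rclone sync to the cloud should be the encrypted one the poster already uses. Do a test restore of one of the pulled files through the GUI's backup page once, so you know the copies are usable before the NVMe actually dies.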
#4
Quote from: zz00mm on September 29, 2024, 09:03:25 PM
I haven't used this util in a couple of years and it does work with OPNsense..
https://github.com/KoenZomers/pfSenseBackup
Thanks. I'm a bit unsure if I really want to try that tool. No real documentation, mostly made for Windows, hardly any users, very few commits in the past years, old GitHub issues mentioning that updating OPNsense breaks it, and no alerting if the backup fails. But thanks, I will keep it in mind as a last resort.

Quote from: troplin on September 29, 2024, 09:55:17 PM
What brand of NAS are you using? I'm running a git server on my Synology, and using that as backup. There's an official Synology package for that (I'm using a different one but it shouldn't matter).

My NAS is running OpenMediaVault (plus rclone), currently on a Pi 4. I'm planning to merge multiple Pis running different services (e.g. Home Assistant) into a single mini PC with Proxmox. And as my needs for SMB are very, very limited, I'd probably replace OpenMediaVault by simply enabling Samba in Proxmox. I just use it for storing backups and syncing these to the cloud.

So there really isn't a shell script that people use for local backups? How strange.
#5
Thanks for the info! So it looks like the GUI only supports Google Drive, Nextcloud, and Git for backups. There's no built-in rsync option either, as far as I can tell.

Unfortunately, I have zero knowledge of writing Linux shell scripts, so if anyone has a working script (ideally with error alerts), I'd really appreciate it. I imagine I'm not the only one looking to back up to a local server. I'm kind of surprised OPNsense doesn't include such a backup feature out of the box.

I'm a bit worried that one day my OPNsense NVMe drive might crash, and I'd have to set up OPNsense from scratch, which is why I really want to get a proper backup going. As for Google Drive or Nextcloud, I've never really felt the need for either. I use iCloud. I don't have any extra hardware for running a Nextcloud instance, and I prefer not to use additional Google services. Plus, I would like to have my OPNsense backup in the same place I have all other backups too – my NAS, which uses rclone to sync to the cloud.

As for my NAS, I'm using OpenMediaVault, and there doesn't seem to be a GUI for regularly pulling files via SSH either.
#6
Hi everyone, I've been using OPNsense for about a month, so I'm still a new user. Apologies if I'm missing something obvious.

I'm looking for the best way to regularly back up the OPNsense configuration (including plugin configs like Zenarmor) to my local NAS, preferably via SMB. I noticed there's an option to back up to Google Drive, and there are plugins for Nextcloud and Git, but I don't have a Git or Nextcloud server. My goal is to backup the OPNsense config to my NAS, which I already back up to the cloud (encrypted).

Does anyone have a script or cron job that achieves this? I'm surprised there's no built-in option in the GUI for local NAS backups, and unfortunately, I'm not familiar with writing shell scripts (especially when it comes to adding error alerts).

Any advice or examples would be greatly appreciated. Thanks in advance!
#7
Quote from: August8828 on September 24, 2024, 08:40:36 AM
Unfortunately there are so many offers on Amazon that I've lost track. I looked at the Protectli, but it's relatively expensive. Can you recommend a good appliance that is good but doesn't necessarily cost more than 250€?

August, post here once you've decided. A few weeks ago I ended up with a Protectli V1410 (8GB, 256GB NVMe). Protectli offers good support, the device is clearly designed for headless 24/7 operation, and it is passively cooled. The COM port with macOS support is a big advantage if the firewall sits somewhere hard to reach and, when there is a problem, you can't simply plug in a monitor and keyboard but only a laptop. The 380 euros made me swallow a bit, but in return I don't have to worry about spending hours solving problems because something doesn't fit. The more expert knowledge you have, the easier such problems are to fix. Personally, though, I struggle with BIOS settings, since I've only used Macs for ages, where that technical gibberish doesn't exist. And who knows how unreliable the BIOS of an AliExpress device can be.
#8
I ended up purchasing a Protectli V1410 with an N5105 CPU, 4x Intel NICs, 8GB RAM, passive cooling, and a USB-C COM port. It is their most affordable and newest 4-port model.

I chose Protectli over Aliexpress brands because I trust their reputation, appreciate the support, and value that it's designed for 24/7 operation. The downside is the soldered RAM – 8GB feels limiting, and the 2-port V1210 only comes with 4GB. I'm holding out for future models with more RAM and newer CPUs (Intel N95/N97/N100/N250), as I'm aiming to set up a compact home server for Proxmox.

Interestingly, they recently pulled the 6-port V1610 from their website, even though it was just released.
#9
Quote from: mb on September 24, 2024, 09:48:38 PM
Any chances you might have "Anonymize IP address" settings enabled in Zenarmor -> Settings -> Privacy?

Thanks a lot, that seems to be the issue. When I upgraded from the Free to Home edition, I must have gone through all the settings and mistakenly checked that option, assuming it was about privacy towards Sunny Valley rather than my LAN users (which is mostly just my family).

It would be less confusing if the anonymized data in the reports showed [redacted] instead of random 10.x.x.x addresses, or at least had a note explaining that Zenarmor uses 10.x.x.x for anonymizing. I also hope it switches to a different subnet if the LAN is configured to use 10.0.0.0/8.
#10
Hi all,

I've recently set up Zenarmor and noticed an issue where it logs traffic with 10.x.x.x source IPs, but none of this appears in OPNsense. My LAN runs on the 192.168.1.x subnet with around 20 devices (mostly Apple and IoT, all with fixed IPs). I don't have any 10.x.x.x networks configured in OPNsense, just an unused 192.168.20.x VLAN and an unused 192.168.33.x WireGuard interface. I also don't think there's anything unusual in my firewall rules.

The Zenarmor Live Sessions show proper device hostnames, but in the "Src hostname" column I'm seeing randomised 10.x.x.x IPs instead of the 192.168.1.x IPs the devices really have.

Could blocking DNS over HTTPS/TLS be causing devices to randomize their source IPs in the 10.x.x.x range for DNS requests?

I'm running OPNsense 24.7.4 on a Protectli device with Unbound DNS (DNS over TLS enabled, using Cloudflare, Google, and Quad9). Zenarmor is installed as a plugin and only monitors the LAN interface (igc1). My switch is from UniFi, and I use a Linksys Velop mesh system in bridge mode, with the child node connected wirelessly.

The problem is that Zenarmor's reports are nearly unusable. None of my real devices show up, and both the top local and remote hosts are filled with random 10.x.x.x IP addresses. The Egress New Connections Heatmap is also completely populated by these 10.x.x.x IPs.

I initially set Zenarmor to block DNS over HTTPS/TLS in its default policy, but the 10.x.x.x traffic didn't appear immediately. I've since turned off the DNS over HTTPS/TLS block to see if it resolves the problem, but it hasn't yet. I'm wondering if it might take hours or days for my devices to realize that DNS over HTTPS/TLS isn't blocked anymore. The 10.x.x.x issue appeared around the same time I upgraded from the free to the home version of Zenarmor.

I also tried switching to the emulated netmap driver, but that didn't help either. And a block rule in OPNsense blocking all traffic from 10.0.0.0/8 doesn't show a single hit. So why is Zenguard mainly seeing traffic to and from 10.x.x.x?

Any suggestions on how to troubleshoot this?
Thanks for your help!

EDIT: Here is Reports > Facts for the past 30 minutes:
Connections: 2.670
Bytes Uploaded: 5.8 MB
Bytes Downloaded: 128.8 MB
Packets Uploaded: 32.258
Packets Downloaded: 162.663
Active Users: 1
Total Authenticated Users: 0
Unique Local IP Addresses: 2.670
Unique Remote IP Addresses: 2.670
Unique Apps: 55
Unique Local Devices: 16


Isn't that weird? Exactly 2.670 connections, unique local IP addresses (!) and unique remote IP addresses? In 30 minutes, with only 16 local devices?
#11
Thanks. After preparing a boot image and reinstalling OPNsense, I had the login prompt available and could also connect to the firewall via the GUI.
#12
What a challenge. I'm staring at this and cannot figure out how to initiate the installer:

>>> Invoking start script 'newwanip'
>>> Invoking start script 'freebsd'
>>> Invoking start script 'syslog'
>>> Invoking start script 'carp'
>>> Invoking start script 'cron'
Starting Cron: ^[[A^[[A^[[A... [repeated ^[[A cursor-up escape sequences, echoed arrow-key presses on the serial console] ...OK
>>> Invoking start script 'openvpn'
>>> Invoking start script 'sysctl'
Service `sysctl' has been restarted.
>>> Invoking start script 'beep'
^[[B^[[B^[[B... [repeated ^[[B cursor-down escape sequences, echoed arrow-key presses on the serial console] ...Root file system: zroot/ROOT/default
Wed Sep 11 11:41:13 UTC 2024

*** OPNsense.localdomain: OPNsense 24.1 ***

LAN (igc1)      -> v4: 192.168.1.1/24
WAN (igc0)      ->

HTTPS: SHA256 58 54 ** ** ** ** ** ** ** ** ** ** ** 36 0A A8
               EC D9 ** ** ** ** ** ** ** ** ** ** ** ** F7 72
#13
Sigh, in multi-user boot it will boot but remain without a login prompt. In single-user boot it will drop me into the shell, but trying to run the installer leads to:

root@:/ # opnsense-installer
mkdir: /tmp/bsdinstall_etc: Read-only file system
mkdir: /tmp/bsdinstall_boot: Read-only file system
/usr/sbin/bsdinstall: cannot create /tmp/bsdinstall_log: Read-only file system


I really wish I could find an installation guide for preinstalled setups.
#14
Thanks. I tried rebooting, then CoolTerm displayed a lot of garbled characters like:

;44H∫∫∫∫∫∫∫1. Boot Multi user [Enter][12;5)


I then installed minicom via brew, connected and rebooted, and now I'm shown:

             ______  _____  _____
            /  __  |/ ___ |/ __  |
            | |  | | |__/ | |  | |___  ___ _ __  ___  ___
            | |  | |  ___/| |  | / __|/ _ \ '_ \/ __|/ _ \
            | |__| | |    | |  | \__ \  __/ | | \__ \  __/
            |_____/|_|    |_| /__|___/\___|_| |_|___/\___|

����������������������[22;3H���������������������[10;2H@@@@@@@@@@@@@@@@@@@@@
                                               @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    1. Boot Multi user [Enter]                 @@@@@                    @@@@@
    2. Boot Single user                            @@@@@            @@@@@
    3. Escape to loader prompt                  @@@@@@@@@@@       @@@@@@@@@@@
    4. Reboot                                        \\\\\         /////
    5. Cons: Serial                            ))))))))))))       (((((((((((
                                                     /////         \\\\\
    Options:                                    @@@@@@@@@@@       @@@@@@@@@@@
    6. Kernel: default/kernel (1 of 1)             @@@@@            @@@@@
    7. Boot Options                            @@@@@                    @@@@@
                                               @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                                               @@@@@@@@@@@@@@@@@@@@@@@@@@@@

   Autoboot in 0 seconds. [Space] to pause         24.1   ``Savvy Shark''    -


I'll search how to continue from here. I'm unsure how to do the setup now. I will try to stop the auto boot and then try all the boot options, hoping that one will lead me to the setup.
#15
Hi OPNsense community,

I'm a complete novice and could really use some help setting up my Protectli Vault preconfigured with OPNsense. It was just delivered, but I'm stuck trying to connect. I've searched everywhere and can't find clear steps for the initial setup. Here's what I've tried so far:

1. Ethernet Connection (Firewall to Router):
I connected Port 1 of the firewall to my Linksys Velop router. The firewall was assigned the IP 192.168.1.201, and the router shows an OPNsense device at this IP. However, trying to SSH (ssh root@192.168.1.201) results in a timeout.

2. Web Interface Access:
I attempted to access the web UI at the IP the firewall was assigned via https://192.168.1.201, but no luck.

3. Serial Console (via CoolTerm):
I used the provided COM port cable, connected it to my MacBook Air, and used CoolTerm. The settings are 115200/8-N-1, and it shows the RTS and DTR indicators as active (green). While it shows I'm connected and the byte count increases when I press Enter, the screen remains blank. Other baud settings (e.g. 9600) didn't help either.

4. Direct Ethernet Connection (Mac to Firewall):
I connected my MacBook Air via a Belkin 2.5G Ethernet dongle to Port 4 of the firewall, disabling all other network interfaces in macOS. My Mac got a self-assigned IP (169.254.147.18), and I still couldn't reach the firewall.

Unfortunately, I don't have an HDMI screen or a USB keyboard to connect directly to the device. I've taken a day off to set up the firewall, but I can't even connect to it. I would greatly appreciate any advice on what I should try next.

Thanks in advance for your help!