Messages - TrafficChaos

#1
Quote from: Patrick M. Hausen on January 21, 2025, 04:12:46 AM
Major version upgrades are always just a couple of clicks in the UI on a live system. Disregarding possible bugs or other failures you never need to reinstall.

Best install with ZFS so you can use the snapshot feature before any update. Also always keep a current backup of your configuration. Just in case.
Thank you. I did see the feature to take a snapshot, I must investigate if these can be saved to a usb drive for restoration in the event of trouble.
I will leave updating to the latest version for a while so any bugs will be hopefully solved.
Am pleased to hear it should be just a matter of using the update feature under the GUI.

Thanks for posting.
#2
Quote from: newsense on January 21, 2025, 02:29:36 AM
Well if you waited so long you can certainly wait a week longer to get on 25.1, no need to take risks when you're relatively new and unfamiliar with a platform.

And as a general rule, OPNsense has security and reliability updates every two to three weeks, waiting for months between upgrades is not particularly secure.
I have been updating all along, I said I updated again yesterday, meaning there were previous updates.

My worry is do people on 24.7 need to do a fresh install or will simply clicking
check for updates and updating work for 25.1, or is a fresh install required between
major version updates.
#3
Hi, am new to OPNsense

I installed OPNsense a few months ago and updated it again yesterday.

I am wondering if I will be able to update to the upcoming 25.1.RC1
version from the GUI or will going from 24 to 25 require a fresh install.

Thanks to all.
#4
Quote from: newsense on January 20, 2025, 04:06:03 AM
You're almost two major versions behind. 25.1.RC1 lands next week and on the 29th 25.1 will be generally available.
If that FW is directly on the internet worrying about secure DNS wouldn't be the first thing to be concerned about - when every two-three weeks new security and / or reliability updates are available yet you don't deem important enough to install.

A fully patched OPNsense with the default configuration will always be more secure than a 7+ months old one with a random hardening thing applied here or there.
I am new to OPNsense and have a question regarding updating. I read above there is a new 25.1.RC1 coming soon, will I be able to upgrade to this using the update feature from the gui, or does going from 24 to 25 require a complete reinstall. I ask as am going to be making some changes and I don't want to have to do them all over again if I have to do a new install. Thanks, and I do not mean to derail this thread, it's just I see the new update mentioned above.
#5
Quote from: dseven on September 18, 2024, 12:30:20 AM
Quote from: TrafficChaos on September 17, 2024, 11:35:53 PM
How can I block an IP / my NVR's IP if it turns out to be dynamic, I am awaiting the
NVR in the mail, and can not find any information regarding whether it has a fixed IP
or a dynamic one.

I would expect it will allow you to either configure a fixed IP address or use DHCP. If you choose DHCP (or if there's no option), you could create a reservation in OPNsense's DHCP server to assign it a specific IP address of your choosing (which should be outside the pool for dynamic addresses).
Looking online I see these NVRs have two IP settings, one for the Switch that provides POE connectivity and one for the internal NIC that connects to your network.
The IP for the switch can be changed, but I read it is better to allow the NVR to assign one via its own DHCP and then to remove the tick and this will make it static.
Saying this, this is not the IP required to access the NVR, it has to be left alone as it is a static IP that the NVR uses to talk to the switch, and changing it am told results in the connected cameras being unable to communicate with the switch in the NVR.

I will see how it goes, and ask again when I get stuck.

One thing though, how does one create a reservation in OPNsense's DHCP server.
Am beyond new to all this network stuff, I hear of subnets and this is even more confusing,
as is different ip ranges, all Greek to me.
#6
Quote from: TrafficChaos on September 17, 2024, 11:35:53 PM
Quote from: dseven on September 17, 2024, 10:24:49 PM
You could assign igc3 as another interface, and give it its own subnet (not overlapping with your existing LAN), and create firewall rules to explicitly allow whatever communication you deem appropriate...

... or you could put the NVR on your LAN and block it from accessing the internet... but it would still be able to talk to other hosts on your LAN without going through the firewall - that may or may not be a concern, depending on how much you distrust the NVR...
Thank you for commenting.
How can I block an IP / my NVR's IP if it turns out to be dynamic, I am awaiting the
NVR in the mail, and can not find any information regarding whether it has a fixed IP
or a dynamic one.
Thank you for posting.
You bring up some good points, regarding trusting I am unsure but in general I do
not trust anything and thus my blocking idea.
I am awaiting the NVR in the post, and as of yet do not know whether it has a static
or dynamic IP, I am only assuming a static IP could be blocked easier than a dynamic one.

I have what I think is an odd setup, I only have mobile internet access.
I set up OPNsense and use a portable router connected by cable to the OPNsense WAN port and
set to bridge mode.
This portable router bridges to my phone to provide my entire wired network with internet access.
This also means I can leave my phone in the same room as the routers and connect via Ethernet
to my network in another part of the house and use apps on my laptop rather than the apps on the
phone, open source apps that is, I have zero trust in my phone not to be listening in and sending big
brother info from any app I would use on that device, so I use computers instead to communicate.

Now, I have decided to add some IP cameras, and am quite lost, I went the NVR route as in
testing it would take a very fast computer to record my 8mp cameras and display them, I tried
with ZoneMinder, memory was ate up until the system froze every time a camera was triggered
it would record so much then freeze the computer, so I will now use an NVR which must use
a GPU to do its work, the chips inside these things are rarely marked so it's a guessing game.
#7
Quote from: dseven on September 17, 2024, 10:24:49 PM
You could assign igc3 as another interface, and give it its own subnet (not overlapping with your existing LAN), and create firewall rules to explicitly allow whatever communication you deem appropriate...

... or you could put the NVR on your LAN and block it from accessing the internet... but it would still be able to talk to other hosts on your LAN without going through the firewall - that may or may not be a concern, depending on how much you distrust the NVR...
Thank you for commenting.
How can I block an IP / my NVR's IP if it turns out to be dynamic, I am awaiting the
NVR in the mail, and can not find any information regarding whether it has a fixed IP
or a dynamic one.
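
Added example, not part of the original posts: a small Python check of the addressing plan dseven's replies describe, namely a separate subnet for the NVR interface that does not overlap the LAN, and a DHCP reservation inside that subnet but outside the dynamic pool. All addresses are constructed sample values, and `check_plan` is a hypothetical helper, not an OPNsense tool.

```python
import ipaddress


def check_plan(lan, nvr_net, pool_start, pool_end, reservation):
    """Return a list of problems found in an addressing plan (IPv4 assumed)."""
    lan = ipaddress.ip_network(lan)
    nvr_net = ipaddress.ip_network(nvr_net)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    resv = ipaddress.ip_address(reservation)
    problems = []

    # The new interface needs its own subnet; overlap with the LAN makes
    # routing between the two ambiguous.
    if lan.overlaps(nvr_net):
        problems.append(f"{nvr_net} overlaps LAN {lan}")

    # The dynamic pool must be a valid range inside the NVR subnet.
    if start > end or start not in nvr_net or end not in nvr_net:
        problems.append(f"pool {start}-{end} is not a valid range in {nvr_net}")

    # The reserved address must be a usable host address in the subnet ...
    if resv not in nvr_net:
        problems.append(f"reservation {resv} is not in {nvr_net}")
    elif resv in (nvr_net.network_address, nvr_net.broadcast_address):
        problems.append(f"reservation {resv} is not a usable host address")
    # ... and must sit outside the pool handed out dynamically.
    elif start <= resv <= end:
        problems.append(f"reservation {resv} is inside the dynamic pool")
    return problems


# Constructed sample plans (not taken from the thread).
GOOD = ("192.168.1.0/24", "192.168.20.0/24",
        "192.168.20.100", "192.168.20.199", "192.168.20.10")
BAD = ("192.168.1.0/24", "192.168.1.128/25",
       "192.168.1.130", "192.168.1.200", "192.168.1.150")

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, check_plan(*plan) or "no problems")
```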
#8
Hi everyone.
I am putting together an ip camera system that connects to an NVR.
I want to put the NVR in a safe place and access it over my network.

My router runs OPNsense, it has four ports, it is in default configuration
with nothing set up yet, igc1 is the Wan port and igc0 is the lan port.

That leaves two more ports on the router, igc3 and igc4.
Is there a way I can set one of these ports / igc3 for example, so that I can connect my NVR
to it and access it over the lan / igc1 port, but make sure the NVR connected
to igc3 in this example can not access the WAN / internet.

I am completely new to OPNsense, networking and ip cameras, so a simple
solution is what am after.

Thanks to all.
#9
General Discussion / Re: Secure boot and fast boot
August 28, 2024, 12:42:44 AM
Thanks, I have secure boot off, will leave fast boot alone seeing as it is no security threat.
#11
General Discussion / Secure boot and fast boot
August 28, 2024, 12:01:46 AM
Hi everyone, my first post.
Should I disable secure boot and fast boot in the BIOS.
I want to take it one step at a time and I usually disable these settings when I install Linux.

Is there any security benefit to be had by leaving both of these settings enabled.

Thanks to all.