Messages - j.koopmann

#1
24.7, 24.10 Legacy Series / Re: Cannot import root CA
October 31, 2024, 10:15:03 AM
Latest update to 24.7.7 fixed this!
#2
When I edit the certificate all the options other than "manual" are greyed out... Any idea?
#3
24.7, 24.10 Legacy Series / Cannot import root CA
October 30, 2024, 07:52:31 PM
Hi,

in order to get ACME working with an internal ACME instance I need to import the root CA used into OPNsense. If I import the crt contents to my pfSense installation all is fine. But on OPNsense I get

Unexpected error, check log for details

and in the log

<147>1 2024-10-30T19:45:36+01:00 OPNsense1.localdomain config 64536 - [meta sequenceId="2"] [OPNsense\Trust\Cert:cert.4811211f-f7fd-44bc-9005-340f2f3a74b6.caref] Please select a valid certificate from the list{67227ed0e74ce}
<147>1 2024-10-30T19:50:15+01:00 OPNsense1.localdomain config 54947 - [meta sequenceId="1"] [OPNsense\Trust\Cert:cert.374837b5-c3e5-46d6-9779-840e74649a2c.caref] Please select a valid certificate from the list{67227fe78b7e8}
<147>1 2024-10-30T19:50:15+01:00 OPNsense1.localdomain config 54947 - [meta sequenceId="2"] [OPNsense\Trust\Cert:cert.4811211f-f7fd-44bc-9005-340f2f3a74b6.caref] Please select a valid certificate from the list{67227fe78b7e8}


The crt data appears perfect. Checked the attributes etc. I am at a loss at the moment. Any idea? Trying to import it as a certificate works; however, the ACME service is then not able to communicate with my local ACME service (Wireshark shows OPNsense terminating the TLS 1.3 handshake with "Unknown CA").
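The two symptoms in this post point at the same question: does the PEM being imported actually carry the attributes of a CA certificate (basicConstraints with cA TRUE), or is it a leaf certificate that the trust store will accept as a "certificate" but never use as a trust anchor? `openssl x509 -noout -text -in file.crt` shows the field, but the following is an added, stand-alone checker that is not part of the forum thread and not OPNsense code: it walks the DER structure with only the Python standard library and reports whether the cA flag is set. The `build_demo_certificate` fixture is a constructed, unsigned certificate-shaped blob for demonstration, not a real certificate.

```python
import base64
import re

OID_BASIC_CONSTRAINTS = "2.5.29.19"   # RFC 5280 4.2.1.9


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the first CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """OID contents to dotted notation; the first byte packs the first two arcs."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_extension(body: bytes):
    """Return (oid, extnValue) if `body` has the Extension shape
    SEQUENCE { OID, BOOLEAN OPTIONAL, OCTET STRING }, else None
    (an AlgorithmIdentifier, OID followed by NULL, correctly fails this test)."""
    try:
        tag, oid_bytes, pos = read_tlv(body, 0)
        if tag != 0x06:
            return None
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x01:                     # optional 'critical' flag
            tag, value, pos = read_tlv(body, pos)
        return (decode_oid(oid_bytes), value) if tag == 0x04 else None
    except ValueError:
        return None


def find_extension(der: bytes, oid: str):
    """Depth-first walk of the certificate; extnValue of `oid`, or None if absent."""
    def walk(buf: bytes):
        pos = 0
        while pos < len(buf):
            tag, body, pos = read_tlv(buf, pos)
            if not tag & 0x20:              # primitive element: nothing nested
                continue
            if tag == 0x30:
                ext = parse_extension(body)
                if ext is not None and ext[0] == oid:
                    return ext[1]
            found = walk(body)              # SEQUENCE / SET / [n] EXPLICIT: descend
            if found is not None:
                return found
        return None
    return walk(der)


def is_ca_certificate(pem: str) -> bool:
    """True only if basicConstraints is present and its cA flag is TRUE."""
    bc = find_extension(pem_to_der(pem), OID_BASIC_CONSTRAINTS)
    if bc is None:
        return False                        # no extension: not usable as a v3 CA
    tag, seq, _ = read_tlv(bc, 0)
    if tag != 0x30 or not seq:
        return False                        # empty SEQUENCE: cA defaults to FALSE
    tag, value, _ = read_tlv(seq, 0)
    return tag == 0x01 and value != b"\x00"


# --- constructed fixture: certificate-shaped DER, not a real or signed certificate ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_demo_certificate(ca: bool) -> str:
    """PEM with the outline of an X.509 v3 certificate and a single basicConstraints."""
    alg_id = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    bc_value = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")          # BasicConstraints { cA }
    ext = _tlv(0x30, _tlv(0x06, bytes.fromhex("551d13")) + _tlv(0x01, b"\xff") + _tlv(0x04, bc_value))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg_id
               + _tlv(0xA3, _tlv(0x30, ext)))
    cert = _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00\xab"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for flag in (True, False):
        print(f"cA={flag}: is_ca_certificate -> {is_ca_certificate(build_demo_certificate(flag))}")
```

Feed `is_ca_certificate` the text of the real `.crt` file to check it; a False result means the file is a leaf or v1 certificate and will not be treated as a trust anchor, which is consistent with a TLS client reporting "Unknown CA" even after the import "succeeds" as a plain certificate. The walker deliberately only answers that one question; it does not verify the signature, validity period or key usage.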
#4
Have you ever found a solution to this? I am stuck in the same problem. The detection that an IPsec tunnel is actually down (despite DPD etc.) takes forever.
#5
High availability / CARP on WAN with 1-3 public IPs
September 24, 2024, 09:56:30 AM
Hi,

with the hosting service I am using I can easily get two virtual servers running OPNsense and create as many virtual networks and virtual network cards as I want. BUT: When it comes to external public IP addresses I am (currently) not able to get a /29 or similar network assigned to the WAN network. I can book one or three individual IP addresses, but these would not come from the same network/broadcast domain.

Question: Can this be made to work with CARP on OPNsense? I have read in other forums with pf/CARP that you could assign a private network to the WAN interfaces, give each firewall one unique private IP of this network and configure CARP on that. Then create a virtual CARP IP (public IP not part of the pseudo WAN network) on the WAN interface. Is it common consensus that this should actually work?

The two firewalls will have to communicate with the CARP protocol on the WAN network via their private unique IP addresses, correct? This is not only done via the internal CARP networks (LAN interface, pfsync etc.).

Even if it works and is supported (which I hope) I assume it would be nice to still have fixed public IP addresses attached to the individual firewalls. Would I be able to do that?


- WAN Interface 192.168.100.0/24 / WAN FW 1 192.168.100.1, WAN FW 2 192.168.100.2
- public IP floating / virtual IP CARP on WAN interface 1.2.3.4/24
- public IP non floating on Firewall 1, virtual IP WAN interface IP Alias 4.5.6.7
- public IP non floating on Firewall 2, virtual IP WAN interface IP Alias 5.6.7.8

Would this work? Reading the documentation I assume I will not be able to use IPsec, OpenVPN, HAProxy etc. with the IP Aliases on the WAN interfaces, but those should go to the virtual CARP address anyway.


Or can the fixed WAN IPs (that are also being used for CARP) also come from different networks like this?

- WAN FW 1 4.5.6.7, WAN FW 2 5.6.7.8
- public IP floating / virtual IP CARP on WAN interface 1.2.3.4/24


Regards
JP