Messages - Ardentis

#1
25.7, 25.10 Series / Re: CPU temp incorrect?
November 10, 2025, 08:53:04 AM
Thanks passeri. Yeah valid. I will stick a DS18B20 on the Protectli and connect it to the esp32 nearby, and mqtt send that to Home Assistant. That will be good enough for my needs, making sure it is within reasonable temps.

All the other home servers I run have a temperature reading that is very general. No sudden changes like this. This is a Protectli with N100, and that temperature query behaviour is new to me.

Cheers
#2
25.7, 25.10 Series / Re: CPU temp incorrect?
November 10, 2025, 12:54:36 AM
I found a fair few of those posts before posting. Still am not actually sure what the real issue is, I just have an opinion. If I do understand it correctly, it appears that the graph display itself causes considerable momentary millisecond temperature spikes on the CPU, thereby making the CPU temperature always report high. Opinions vary on this being valid implementation or not, both with merit.

My summary: If testing the temperature via GUI alters the temperature by that considerable % (from reasonable to worrying), I am going to remove that small part of the GUI, and get it into another server monitor using MQTT or similar.

Beyond that, the two different commands below also report higher temperatures roughly 10C apart. I'm guessing the tiny extra load on the CPU from sysctl -a is causing a few milliseconds where the CPU spikes by 10C over the sysctl dev.cpu.

All temperatures are valid for the tiny speck of time that they are taken. So, the most truthful one would be the "sysctl dev.cpu", as it causes the least spike due to the test itself.

In my specific case, I get these (Roughly):
GUI:               70C
sysctl -a:         47C
sysctl dev.cpu:    35C

The difference between 35C and 70C is significant, and if that measurement process raises it by that much, then it is my opinion that while it is 100% truth, it is not really a good measurement tool. In the same way as a non-contact thermometer that raised the temperature of the measured surface by 35C. Also, given that the CPU can rise and fall by 35C within a few clock cycles, then maybe monitoring the CPU temperature is irrelevant, useless information, and the temperature cannot really be known. Schrödinger's cat style.

This is my current understanding, recorded for others to find, but could be proven wrong with data...

To be clear, OPNsense is a fantastic product, for which I am very thankful.
#3
25.7, 25.10 Series / CPU temp incorrect?
November 09, 2025, 02:04:38 PM
I show the CPU temperature in the dashboard. It shows around 70C.

But the following shows about 35C
sysctl dev.cpu | grep temperature | sed 's/[a-z\.]*/systemp cpu/;s/\.[a-z]*\: /=/;s/.$//'

And this one shows about 47C
sysctl -a | grep temperature | sed 's/[a-z\.]*/systemp cpu/;s/\.[a-z]*\: /=/;s/.$//'

Which of these should I trust? The terminal ones seem a little more correct. If so, which one is more reliable, and how would I fix the erroneous CPU temp on the dashboard?

Thanks
#4
25.7, 25.10 Series / Send CPU temp to network?
November 09, 2025, 02:01:40 PM
I have an MQTT server and Home Assistant server on the network. I want to get the CPU temperature sent to Home Assistant via any available method, easiest is best. I tried os-telegraf, but there appears to be no option for sending the CPU temperature.

Any help on the easiest, safest method to do this would be really appreciated.
#5
25.7, 25.10 Series / Re: Allow SSH for non-root user?
October 22, 2025, 07:40:39 AM
I figured out the problem. Turned out VERY simple, once I understood it. The non-root user that I created, with intent to use it to login via SSH, had login shell set to "Default". This means the user had this set behind the scenes: "/sbin/nologin".

Simply edit the user in the OPNsense GUI and set Login shell: to "/bin/sh". This then allows the ssh login to work.

I figured this out after I RTFM. https://docs.opnsense.org/manual/settingsmenu.html#secure-shell

That was simple.
Thanks
#6
25.7, 25.10 Series / Re: Allow SSH for non-root user?
September 22, 2025, 01:57:20 PM
I will not allow the root user to use SSH. I only did that on the very first SSH connection to test that it worked. Then I:
1) removed that SSH public key from the root user
2) Disallowed the root user from SSH in the SSH configuration
3) Added my SSH public key to the user that I created for the purposes of SSH into the opnsense router

The trouble is, for some reason, I can SSH in as the root user using the public key for my SSH access, but it does not work for the other user. I don't know if maybe my logging on as the root user had created some kind of caching that lived on after I removed the key from the root user and placed it on the other user?

On my client device, I have a "~/.ssh/config" file which specifies the HostName, Port, User, IdentityFile, and IdentitiesOnly is set to yes.

The private key is on an OnlyKey. When I set up the config file to use the root account, it pops up a message asking for me to touch the OnlyKey to prove presence, as expected. But simply changing the username to the second account I want to use in OPNsense for ssh, it does not ask me to touch the OnlyKey, the OnlyKey does not flash blue LED, and it immediately says permission denied. This makes me think something is a bit messed up on the client side, not on OPNsense? But I have no idea why. The ssh key works for sure, because it works when I set up the root account in OPNsense for that public key. It is just the other account that refuses to make that work.

Thanks
#7
25.7, 25.10 Series / Allow SSH for non-root user?
September 22, 2025, 03:02:29 AM
I have set up SSH to OPNsense. I allowed the root user to have ssh access, and put my client public key into the authorized_keys for the root user. That works fine, I can ssh in as root.

But I would rather not use the root user for ssh. So I set up a second user, and put the public key in that user's authorized_keys. On my client device, I then edited ~/.ssh/config to have two entries for the OPNsense server, both identical except one is root user, and the other is my new user.

I can log on fine with the root one, but not with the other user. It says

Permission denied (publickey).

I did some research, and it was indicated that I have to change the permissions and ownership of the files in ~/.ssh. Is this the case? I was reluctant to do that. Is there any documentation on getting any other user other than root to have working ssh on opnsense, with a focus on the best-practice for security?

Thank you for your time.
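A server-side check covering both points raised in this thread, the login shell fix from the follow-up post and the file-permission question above (an added example, not part of the original posts and not OPNsense code). It assumes a passwd(5)-format file as input and relies on OpenSSH's StrictModes behaviour of refusing keys when the home directory, ~/.ssh or authorized_keys is writable by group or others; the function names and the account name used in testing are hypothetical.

```shell
#!/bin/sh
# Added example: report why key-based SSH login may fail for one account.
# Usage: ssh_login_check USER PASSWD_FILE
# PASSWD_FILE uses passwd(5) format: name:pw:uid:gid:gecos:home:shell

# Succeeds if the path is writable by group or others.
# Columns 6 and 9 of "ls -ld" are the group-write and other-write bits.
loose_mode() {
    case $(ls -ld "$1" | cut -c6,9) in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

ssh_login_check() {
    user=$1 passwd_file=$2 problems=0
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "no-such-user"
        return 2
    fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # The condition from the post: the account's shell is a nologin shell.
    case "$shell" in
        */nologin|*/false) echo "shell-blocks-login:$shell"; problems=1 ;;
    esac

    # Paths sshd inspects for public-key login (ownership is not checked here).
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing:$p"; problems=1
        elif loose_mode "$p"; then
            echo "writable-by-others:$p"; problems=1
        fi
    done

    [ "$problems" -eq 0 ] && echo "ok"
    return "$problems"
}
```

Run it as root on the firewall against /etc/passwd, for example `ssh_login_check myuser /etc/passwd`, and compare the result with what `ssh -v` shows on the client.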
#8
General Discussion / Re: New opnsense setup
April 01, 2025, 08:44:09 AM
Quote from: bartjsmit on April 01, 2025, 07:59:03 AM
Replace the router with the Protectli instead of trying to use them in series.

I intend to use the router as a WiFi AP as it is a triple mesh setup that covers the required area. I was thinking that the setup would be to use the Protectli as the router and firewall, and put the current router into a WiFi AP mode. I assume that is what you are talking about?
#9
General Discussion / New opnsense setup
April 01, 2025, 07:48:00 AM
Hello

I currently have an out of the box WiFi router connected to HFC modem. I would like to put OPNsense before the router. It is not possible to install OPNsense on the router, so I am looking to get a Protectli hardware device, and put it before the router. Maybe Protectli V1410. I am learning this as I go.

Can anyone recommend some links or tutorials that will walk through some options for configuration and setup? I currently have a Pi-hole server set up on the network, and I do have a double NATed segment on the network just to keep a work device isolated from the rest of the network. Just trying to figure out the best configuration, and trying to avoid any security misconfigurations.

Thanks for any advice