Messages - Hedgehog

#1
General Discussion / Re: Chrony / NTS port question
April 22, 2025, 09:56:30 PM
Thanks very much for the command.
It confirms my clients are set correctly.

I can see a Raspberry Pi get the correct time (which is also behind a Peplink router, which is then connected to the OPNsense router) so the client side and through another router is working. Woohoo.

I was wondering more about the outbound ports from the opnsense / chrony out through the WAN to the time servers.
I wasn't expecting to see anything other than port 123, but I definitely see a few outbound to 178.62.68.79:8123
And when I do an IP lookup, this IP resolves to ntp2.glypnod.com which is one of the time servers I specified in chrony.

The use of port 8123 caught me by surprise a bit.
#2
General Discussion / Re: Chrony / NTS port question
April 19, 2025, 03:33:07 PM
I think I might be worrying about nothing.

This article and some comments in it mention port 4460 for some of the time servers I selected

https://weberblog.net/setting-up-nts-secured-ntp-with-ntpsec/

So I think this is normal.

Seeing these other ports being allowed took me off guard. I could not see these port numbers mentioned anywhere in the chrony tabs and was OMG!!! Something is wrong.

Noob moment over :-)
#3
General Discussion / Chrony / NTS port question
April 19, 2025, 02:54:09 PM
Hi,

I hope someone can help.

Using OPNsense 25.4, I set up chrony and firewall NAT port forwards for port 123. (And the default network time service is off and no time servers are listed.)

I used this list for nts servers

https://github.com/jauderho/nts-servers

Chrony listen port: 123
Nts client support: enabled
NTP peers: ntp2.glypnod.com time.cloudflare.com ntppool.time.nl ptbtime.ptb.de paris.time.system76.com

Then I watched the logs to see if it was all set right.

And I can see lots of UDP 123 pass rules to the time servers.

But I have seen a couple of pass rules on the wan interface for tcp port 4460 to (let out anything from firewall host itself (force gw))-

162.159.200.1 (time.cloudflare.com)
178.62.68.79 (ntp2.glypnod.com)
162.159.200.123 (time.cloudflare.com)
15.237.97.214 (paris.time.system76.com)

And more pass rules on TCP port 8123 to (same rule) -
178.62.68.79 (ntp2.glypnod.com)

And 1 blocked inbound on TCP port 8123 from -
65.49.1.220 (scan-77-08.shadowserver.org)


I was expecting to only see port 123 mentions in the logs and I've not seen anyone mention other ports being used in the chrony posts.

I've disconnected from the internet for now. Is this normal behaviour on chrony?
Or have I set something wrong?
I can't see ports 8123 or 4460 being allowed anywhere in my rules and it's just a bare network for now (there are no clients connected to my subnets), just my admin PC which is only allowed GUI access.


Thanks in advance
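A small check for the situation described in this thread, written as an added example (it is not code from the thread, from OPNsense or from the chrony project): it parses chrony `server` directives, derives the outbound flows an NTS client configuration implies, and labels observed firewall flows as expected or not. TCP 4460 is the IANA-registered NTS-KE port (RFC 8915) and chrony's default; chrony's `ntsport` option on a `server` line overrides it. The config lines, the hostname-to-IP map and the flow records below are constructed for the example (the IPs are the ones quoted in the thread, and `ntsport 8123` for ntp2.glypnod.com is an assumption made to match the observed flow, not a documented fact about that server).

```python
"""Predict the outbound flows a chrony NTS client config implies and
check observed firewall flows against them (added example, not from the
forum thread or the OPNsense/chrony projects)."""

import re
from typing import Dict, List, Tuple

NTP_PORT = 123              # NTP over UDP (RFC 5905)
NTS_KE_DEFAULT_PORT = 4460  # NTS-KE over TCP (RFC 8915), chrony's default

# A flow as a firewall log would record it: (direction, proto, remote_ip, remote_port)
Flow = Tuple[str, str, str, int]

_SERVER_RE = re.compile(r"^\s*server\s+(\S+)(.*)$")


def parse_chrony_servers(conf: str) -> Dict[str, dict]:
    """Return {hostname: {'nts': bool, 'ntsport': int}} from chrony `server` lines."""
    servers: Dict[str, dict] = {}
    for line in conf.splitlines():
        m = _SERVER_RE.match(line)
        if not m:
            continue
        name, opts = m.group(1), m.group(2).split()
        port = NTS_KE_DEFAULT_PORT
        if "ntsport" in opts:                      # explicit NTS-KE port override
            port = int(opts[opts.index("ntsport") + 1])
        servers[name] = {"nts": "nts" in opts, "ntsport": port}
    return servers


def expected_flows(servers: Dict[str, dict],
                   resolve: Dict[str, List[str]]) -> Dict[Tuple[str, str, int], str]:
    """Map (proto, ip, port) -> label for every outbound flow the config implies."""
    expected: Dict[Tuple[str, str, int], str] = {}
    for name, cfg in servers.items():
        for ip in resolve.get(name, []):
            expected[("udp", ip, NTP_PORT)] = f"NTP to {name}"
            if cfg["nts"]:
                expected[("tcp", ip, cfg["ntsport"])] = f"NTS-KE to {name}"
    return expected


def classify(flow: Flow, expected: Dict[Tuple[str, str, int], str]) -> str:
    """Label one observed flow; chrony as a client never needs unsolicited inbound TCP."""
    direction, proto, ip, port = flow
    if direction == "in":
        return "inbound: not client traffic, blocking it is correct"
    label = expected.get((proto, ip, port))
    if label:
        return "expected: " + label
    return "UNEXPECTED: not implied by the chrony config, review rules and resolver"


def audit(conf: str, resolve: Dict[str, List[str]],
          flows: List[Flow]) -> List[Tuple[Flow, str]]:
    expected = expected_flows(parse_chrony_servers(conf), resolve)
    return [(f, classify(f, expected)) for f in flows]


# Constructed sample input (IPs as quoted in the thread; ntsport 8123 is an assumption).
SAMPLE_CONF = """\
server time.cloudflare.com iburst nts
server ntp2.glypnod.com iburst nts ntsport 8123
server paris.time.system76.com iburst nts
"""
SAMPLE_RESOLVE = {
    "time.cloudflare.com": ["162.159.200.1", "162.159.200.123"],
    "ntp2.glypnod.com": ["178.62.68.79"],
    "paris.time.system76.com": ["15.237.97.214"],
}
SAMPLE_FLOWS: List[Flow] = [
    ("out", "udp", "162.159.200.1", 123),    # plain NTP
    ("out", "tcp", "162.159.200.1", 4460),   # NTS-KE on the default port
    ("out", "tcp", "178.62.68.79", 8123),    # NTS-KE on a non-default port
    ("in",  "tcp", "65.49.1.220", 8123),     # unsolicited inbound, blocked
    ("out", "tcp", "203.0.113.9", 4460),     # constructed: no server resolves here
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_CONF, SAMPLE_RESOLVE, SAMPLE_FLOWS):
        print(f"{flow[0]:>3} {flow[1]} {flow[2]}:{flow[3]:<5} {verdict}")
```

One caveat when reading the results: RFC 8915 lets the NTS-KE server hand the client a different NTP server address and port in its response, so chrony may legitimately send UDP 123 to an IP that the server's hostname did not resolve to; the resolver map used for the check should include those addresses (chrony's `chronyc sources` output shows the address actually in use).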
#4
24.7, 24.10 Legacy Series / Re: New setup DEC 750
April 08, 2025, 06:55:33 PM
Quote from: EricPerl on April 07, 2025, 08:28:52 PM
You first need to start the setup from USB.
At some point, you get the choice of using the importer.
Then the choice to do manual or automatic interface configuration.
That gets you to a live environment. OpnSense is running but nothing is persisted to disk just yet.
Logging in as installer starts the process of persisting the live environment to disk.
That's when you are asked about UFS/ZFS, which disk to use.

Wrt System > Firmware > Changelog, it appears to contain all historical versions of OPN, with the current one highlighted.
It is not a history of installed firmware versions.

Thanks for the tips and good to know about the change log. Thank you
#5
24.7, 24.10 Legacy Series / Re: New setup DEC 750
April 07, 2025, 07:51:22 PM
Quote from: newsense on April 07, 2025, 12:26:03 AM
I would try first connecting with the serial cable, boot to single mode choosing option 2, press Enter when asked about the shell to use, then run these commands:


/sbin/mount -u /

/sbin/zfs mount -a

rm -f /conf/config.xml

reboot

These steps would bring you to the initial configuration wizard - however anything else you may have installed is still on the disk, albeit with no configuration present.

If the above fails - i.e. you have other problems - then get the 24.10 ISO and image it to a stick, then do a fresh install.

This was amazing! Thanks! It worked. I'm back to the beginning.

It's so frustrating. I do not know what I had done wrong. I'd been reading, going slow, I had made some basic changes and then after going online and updating.... Blammo

So, I had given up and was trying to do a fresh install from USB and encountering other problems. None of the install guides really cover everything.
Like, no matter what I did, I could not see a "press any key to start the configuration importer" message. I had to press Esc and choose boot manager to get it to boot from the USB. After logging in as installer and choosing a ZFS install, I was receiving a "not enough disks for zpool" message after selecting stripe.

I searched zpool in the forums here and 8 pages of threads. The contents of which made me realise how little I know.

And then I thought to check to see if I had a reply to my post.
Thank you very much. I will save your advice.

I can log back in on default ports and password.
And the version is
OPNsense 24.10.2_6-amd64
FreeBSD 14.1-RELEASE-p7
OpenSSL 3.0.15
And the license registration appears to have stuck as it shows an expiry date in Mar 2026
And system>firmware>status shows the update on 4th April.

Are updates often so dramatic?

I noticed in System>Firmware>Changelog that I am seeing versions and dates going back to 20.1 2020-01-30
Do you know if these are actually install dates of previous versions?
Is my brand new DEC750 actually 5 years old?
#6
24.7, 24.10 Legacy Series / Re: New setup DEC 750
April 07, 2025, 07:15:28 PM
Quote from: EricPerl on April 06, 2025, 10:24:11 PM
I couldn't immediately locate a manual but there appears to be a standard pin hole on the front panel (between the console plug and the power LED).

Thank you. I believe the pinhole serves as an on/off function. Not like a reset on other devices.
#7
24.7, 24.10 Legacy Series / New setup DEC 750
April 04, 2025, 07:50:39 PM
Hi,

I'm new to OPNsense. Hopefully someone can help.
I have a DEC750 which I purchased about 2 weeks ago.

I had kept the unit disconnected from the internet. I've been reading guides, experimenting with settings, familiarising with the UI and all things new to me.

I'd moved the LAN to an SFP port, created a new admin, changed the password for root, then disabled root for the GUI.

And it all worked.

I connected the unit to the internet today, pasted the license key, started an update.
The updates completed and after a reboot I logged back in and then got disconnected shortly after. And I cannot connect to the DEC750 anymore.

My laptop does not receive an IP address using my normal connection (or on any of the ports on the DEC750).

I thought no worries. Just use the console connection and reset to default.
My new admin login is recognised but I receive a message "This account is currently not available" and I'm logged out.
I then tried root and my new password or the default password are not recognised.

How can I factory reset this unit please?

Thanks in advance.