Messages - nibblerrick

#1
I think I got it, I made a copy of the condition for the acme-challenge but checked the negate option and added this condition to the https-redirect-rule. Now things work as expected.
Maybe this is a little bit more elegant to achieve with a custom rule.
#2
Hi,

I am a little bit stuck with this situation:
Using the letsencrypt plugin with http-01 challenge and haproxy. Default configuration works.
Now I like to redirect the incoming http/port 80 traffic to ssl/443, which works fine by defining a condition in haproxy for not-ssl-traffic to be redirected.
But this redirect-rule seems to match before the acme-challenge-rule.
I thought if I modify the acme-rule to use the acme-condition AND not-ssl-condition it should work because it's more specific. But it doesn't.
I tried to find something about this behaviour and read somewhere that http-redirect rules are always executed before the other rules, but I don't know if that's right.

So... what's the correct way to catch the acme-condition and send it to the backend before the ssl-redirect-rule takes effect?

The only similar thing in this forum I could find was in the German section https://forum.opnsense.org/index.php?topic=7880.msg36600#msg36600 but there isn't an answer.

Thanks
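The fix described in the first post above (copying the acme-challenge condition, negating it, and attaching it to the https redirect rule) expressed as a plain haproxy.cfg fragment instead of the OPNsense HAProxy plugin GUI. This is an added example, not configuration from the original posts; the frontend and backend names and the local acme listener port are assumptions and must be adapted to the real setup.

```haproxy
# Added example, not from the forum posts. Names and ports are assumed.
frontend http_in
    bind *:80
    mode http

    # Condition matching the Let's Encrypt HTTP-01 challenge requests
    acl acme_challenge path_beg /.well-known/acme-challenge/
    # Condition matching traffic that did not arrive over TLS
    acl is_ssl ssl_fc

    # The redirect carries the NEGATED acme condition (!acme_challenge).
    # Without it, the redirect fires for every plain-HTTP request,
    # including the challenge, and use_backend below is never reached.
    http-request redirect scheme https code 301 if !is_ssl !acme_challenge

    # Only challenge requests reach this point over plain HTTP
    use_backend acme_backend if acme_challenge
    default_backend web_backend

backend acme_backend
    mode http
    # Assumed: local listener of the acme client answering the challenge
    server acme 127.0.0.1:43580

backend web_backend
    mode http
    server web 192.0.2.10:8080 check
```

The reason the "more specific acme rule" approach in the question cannot work is evaluation order, not specificity: HAProxy processes all `http-request` rules (including redirects) in a frontend before it evaluates any `use_backend` rule, so a backend-selection rule can never win against a redirect. The only place to exclude the challenge is inside the redirect's own condition, which is exactly what the negated condition does.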
#3
Hi,

I'm playing around with zerotier and it's really a nice and easy solution. Now I tried to make a site2site-VPN and discovered the following:

Setup zerotier like in the documentation, static IP for the OPNSense-boxes, no auto-assignment.
Routes for the networks set up as managed routes in my.zerotier, configured the network in OPNSense, everything was fine and running.
Managed routes were available on the OPNSense-boxes and everything works - till you reboot.

When rebooting or just restarting the zerotier service the routes from zerotier are gone.
Under the network information tab the routes are shown but they aren't in the routing table.
Disabling the network in the zerotier plugin and re-enabling it a moment later works, the routes are there on the OPNSense-box.
It's just not really a good option to disable the network on the remote box because re-enabling is quite hard then... :-)

So is this expected behaviour, a bug, or some setting I have to set to get the routes registered on the automatic service start?
I couldn't really find an option or something for the local.conf which made sense to me yesterday in the evening.

So back to OpenVPN for now, but I'd really like to make it work with zerotier.

Thanks

  Nico
#4
After migrating all the stuff, getting multiWAN to work (seems with gateway groups and routing it behaves a bit different than on pfSense actually) I monitored the process now for a while and it works really great!
Nothing more to say, it just works! Thanks!
#5
Ok, so this takes some days to test, because on the site where OPNSense is running I just got a static IP. On the site where I have the "problem" there is atm still some other sense running which I will migrate. Hope I can finish it this weekend (quite some stuff configured in the actual appliance and when migrating I like to clean up some things and try to get CARP running).
If the monitoring really re-invokes the DynDNS that would just be great.
I'll let you know as soon as I migrated all the stuff. Thanks!
#6
Thanks, yes, it does, but limited. They've done some improvements in the past, but it isn't like the options you get in OPNSense. And I sometimes had it not running reliably. So I try not to rely on the speedport and try to find out if there are other possibilities.

An approach might be to have a connection to somewhere open all the time and when it drops it should check IP change?
#7
Hi!

My problem is, I have a router which I have to use (Speedport Hybrid) so OPNSense is behind this router. I can't get a static public IP.
So at the moment the DynamicDNS-check works either with the default interval or a cronjob which can be defined to check e.g. every minute.
I think checking is done with the dyndns-service which is hardcoded. As far as I read they'll block you if you don't have >10min intervals.
So the question is, is there anything possible (doesn't have to be GUI-configurable) to get OPNSense to notice an IP-change?
Other methods than check every X minutes eventually? Having an open connection to anywhere and recheck when it drops? I really have no idea atm, so I am asking.
10 Minutes doesn't sound so much but if you want e.g. a VPN connected, these ten minutes it takes to get the update will every time be the moment you need it, you know what I mean... :-)
#8
16.7 Legacy Series / Re: [solved] NetFlow disk usage
November 09, 2016, 07:45:28 PM
After deleting the big flowd.log and starting the service again with the actual version everything keeps running smoothly!
#9
16.7 Legacy Series / Re: [solved] NetFlow disk usage
November 06, 2016, 12:52:12 PM
Then I'll reset the flowd-data and try again. I think I will see within a day if it runs crazy or smoothly. Thanks.
#10
16.7 Legacy Series / Re: [solved] NetFlow disk usage
November 05, 2016, 05:17:54 PM
I think I am into the same problem here, updated last week to the actual version and now it seems that opnsense crashes from time to time.
Having a 1.3G flowd.log, till Sep. 29 I have 11 MB logs. flowd_aggregate seems to eat up one core completely of the server constantly.
Disabled netflow now and everything seems back to normal.
#11
16.1 Legacy Series / Re: Update to 16.1.20
July 23, 2016, 12:23:28 PM
Same here, please tell which button to press ;-)
#12
Thank you very much for your post!
So you have the tunnel with the routed /48 at your opnsense and just assign on the different interfaces the appropriate /64 subnets, right? No other routingsetting on opnsense at this point to set? That was the thing I wasn't sure about. Thank you very much.
The other thing I won't really understand at the moment is the Prefix delegation range on the DHCPv6 server how this will be used, but that is another question...

Thanks again

   Nico
#13
The phoning home is AFAIK only the dyndns-thing, if you disable this the software isn't connecting to somewhere not configured.
The updates on it is a thing that makes me feel worse about it. But for Windows clients is there an alternative SSTP Server available?
#14
I tried softether myself a couple of days ago and don't know if it is simply a great thing or if there is something bad about it. It seems to be very versatile. Openvpn and IPsec are already in OPNSense but I couldn't really find a SSTP Server (only).
For the installation in OPNSense I couldn't help at the moment as I tried it on a windows machine because of testing the AD authentication (but I think I would like it with radius a little better in the future, because of more control)
#15
Hi there,

really no one? If the question is so easy please someone stoop to answer the question. Or is it really that hard?

Thanks :-)