Messages - jonakarl

#1
Hi,

Thanks for the reply, I think I got an answer to my question although it was not what I wanted to hear ;-)

By "running from the SD Card" I mean like a normal installation that mounts root directly from the disk.
I come from a vyos installation that has run for years on crappy HW (but now needs an upgrade). That installation loads the entire OS including the root file system into RAM and only uses a USB stick/SD card for storing config changes (that are all stored in a special folder that gets mounted from the disk). I got the impression that the nano installation was something similar but I guess not.

Yes I am aware that I can use the SATA ports on the machine but then I lose the redundancy/possibility to change HDDs/SSDs on the fly if one breaks that I get with the raid card (we have plenty of SSDs/HDDs laying around but I trust none to run for more than a year or so).

 
#2
Hi,

I have an installation of opnsense 19.1 nano and when I am configuring multiple vlan interfaces, the system becomes unresponsive for a while (and restarts?). I understand that an interface becomes temporarily unresponsive when I modify it but the entire system becomes unresponsive (i.e. all interfaces drop the network connection).

In my setup I have one physical external interface (ix0) that connects to WAN (static IP, no vlan) and one physical internal interface (ix1) that trunks around 10 vlans.

When I install the system and set up WAN and the LAN interface (connected to one vlan on ix1) the system is stable but as I add more vlan interfaces to ix1 the system becomes unstable.

By unstable I mean when I add or modify one vlan interface in the UI and press save, the whole system stops responding for a while (maybe 2-5 minutes) and sometimes the changes I made are not saved. I cannot confirm this but it looks like the system restarted or reloaded the old config after a timeout. I can confirm that all interfaces drop the network connection during the interruption.

During the setup phase this is not so crucial. However, as I might need to reconfigure the interfaces (add or modify vlan id) when the system is in production, it would be a disaster if the entire system stopped working on modifications of an unrelated interface.

#3
Hi,

Sorry if this is answered or explained before but I tried to search and I could not find it.

As I understood it the nano installation would run from RAM (to not wear down the sd card and be faster) but in my basic installation of opnsense 18.7 nano (using the defaults) it feels like it is running the entire OS from the CF card except /tmp and /var, is this the case?

If this is so, I do not understand the difference between the nano and a regular install with the option set to store tmp and var on a ramdisk. Maybe I misunderstood the point of the nano installation but I thought the idea was to run in RAM to not wear down the sd card and overcome the slow read/write speeds of the sd card.
I run the installation on an old reused server but it has 8 x Intel Xeon E5606 @ 2.13GHz and 48 GB and the sd reader is a built-in DELL (the server used to be an esxi host booted from sd card in the past).

The reason I ask is that the system is very slow when I would expect it to be very snappy if run from RAM. Also when looking at the installation (my FreeBSD skills are not the best) the fstab looks like this:
/etc/fstab
# Device      Mountpoint   FStype   Options      Dump   Pass#
/dev/ufs/OPNsense_Nano   /      ufs   rw      1   1   # notrim

and these are the mount points:
mount
/dev/ufs/OPNsense_Nano on / (ufs, local, soft-updates)
devfs on /dev (devfs, local, multilabel)
tmpfs on /var (tmpfs, local)
tmpfs on /tmp (tmpfs, local)
devfs on /var/unbound/dev (devfs, local, multilabel)
devfs on /var/dhcpd/dev (devfs, local, multilabel)

Unless /dev/ufs/OPNsense_Nano is a special device (it does not look like it) I would say that everything except /var and /tmp is run from the sd card; please correct me if I am wrong.

If anyone wonders why I am not using a regular installation on this powerful machine, it is that (at least with 18.7) the kernel hung when loading the modules for the raid card. A colleague and I tried for a couple of days to force freebsd to not load any raid drivers and use the bios disk that the raid card supplied but gave up. All HW works and all disks (as configured in the HW raid card) show up in linux OOB (I used ubuntu 18.04 to test only because we are much more linux savvy than freebsd savvy).
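The question in the post above (what actually lives on the card versus in RAM) can be answered mechanically from `mount` output. The helper below is an added example, not code from the post or from OPNsense: it classifies each mount point as RAM-backed (tmpfs, or a ufs on an md memory disk), pseudo (devfs and friends) or disk-backed, and is run here against a constructed copy of the lines quoted above.

```shell
#!/bin/sh
# Added example: classify mount points from FreeBSD `mount` output.
# SAMPLE_MOUNT is a constructed copy of the output quoted in the post;
# on a live box you would pipe `mount` into classify_mounts instead.
SAMPLE_MOUNT='/dev/ufs/OPNsense_Nano on / (ufs, local, soft-updates)
devfs on /dev (devfs, local, multilabel)
tmpfs on /var (tmpfs, local)
tmpfs on /tmp (tmpfs, local)
devfs on /var/unbound/dev (devfs, local, multilabel)
devfs on /var/dhcpd/dev (devfs, local, multilabel)'

# classify_mounts: reads "<dev> on <mountpoint> (<fstype>, ...)" lines on stdin
# and prints "<mountpoint> <class>" where class is ram, pseudo or disk.
classify_mounts() {
    while read -r dev _on mp rest; do
        # first token inside the parentheses is the filesystem type
        fstype=$(printf '%s' "$rest" | sed 's/^(\([^,)]*\).*/\1/')
        if [ "${dev#/dev/md}" != "$dev" ]; then
            cls=ram            # md(4) memory disk: image loaded into RAM
        else
            case "$fstype" in
                tmpfs) cls=ram ;;
                devfs|procfs|fdescfs|nullfs) cls=pseudo ;;
                *) cls=disk ;;  # anything else hits a real (flash/SD) device
            esac
        fi
        printf '%s %s\n' "$mp" "$cls"
    done
}

# root_is_ram_backed MOUNT_OUTPUT: exit 0 if / is RAM-backed, 1 otherwise
root_is_ram_backed() {
    printf '%s\n' "$1" | classify_mounts | awk '$1 == "/" { print $2 }' | grep -q '^ram$'
}

# disk_backed_mounts MOUNT_OUTPUT: list mount points that wear the card
disk_backed_mounts() {
    printf '%s\n' "$1" | classify_mounts | awk '$2 == "disk" { print $1 }'
}

# Usage: report on the sample; prints "/" as the only disk-backed mount
disk_backed_mounts "$SAMPLE_MOUNT"
```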
#4
18.7 Legacy Series / Install problems 18.7 nano
October 05, 2018, 07:51:42 PM
Hi,

I flashed the nano image to a new flashcard (32GB sony, good quality card) but it gets stuck at boot after detecting the flashcard reader (one time it also got stuck after loading the cdrom driver).
Tried to reflash it with the same result. Both flashcard and flashcard reader tested and work.

The machine I tried to boot is a Dell poweredge r610 updated with latest firmware and bios levels. The flashcard is mounted in the builtin flashcard reader.

If someone wonders why I tried to use the flashcard instead of, i.e., the raid card of the server: freebsd hangs while loading the raid card driver (linux and freedos work so no HW fault).

I start to think that the server is jinxed by some bsd demon.
#5
Quote from: djGrrr on March 23, 2017, 05:04:29 PM
I suspect you are missing an outbound NAT rule for the admin network source, you may need to manually add it.

I thought so too, however I have added a second openvpn server that uses the exact same subnet range and that added an outbound nat on my WAN interface (that works). So in theory the nat rules should already be in place (by the second vpn server).

Sorry for the noob questions but I do not fully understand what opnsense does when I run the openvpn wizard. I suspect it adds a "hidden"/virtual interface and adds some firewall/nat rules but since I do not know the exact procedure it is very difficult for me to debug this.
#6
Hi,

I have multiple VLAN/subnets (one subnet per vlan), only certified personnel should have access to the mgmt subnets.
I have a problem with cso where I get no traffic through the firewall to my internal lan when using a different tunnel network from the one I specify on the server page. I had this working in pfsense but I cannot get it working in opnsense.

Current setup:
I have two openvpn servers, one for admins and one for clients, "user" tunnel network is 10.0.8.0/24 and admin uses 10.0.10.0/24.
I block all outgoing traffic to the admin lans from 10.0.8.0/24 on the openvpn interface.
This works but is cumbersome.

What I would like to have:
1 openvpn server and use cso to put the admin personnel on a different tunnel network (i.e. 10.0.10.0/24) so I can filter this in the firewall later.

The cso works to the extent that when I connect with a user that matches the cso, I get 10.0.10.1 as gateway (strangely also a route to 10.0.8.5). However I cannot ping any ip on the other side of the tunnel (10.0.10.2, my side of the tunnel works).

Any clues on where to start debugging would be helpful since I cannot see anything in the logs.