Messages - Nephiria

#1
Hi everyone,

If you can fix this, please adjust it so that you also use password + keyfile authentication, because on TrueNAS, that's the default.

Just a question for clarification: why is only the public key requested? If I want to save a backup from OPNsense to, for example, my TrueNAS, would I have to enter the public key in the module for authentication, or am I misunderstanding this?

Thanks for the clarification.
#2
Hi all,

I have the following problem.

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.1.1 (amd64) at Thu Mar 13 20:55:11 CET 2025
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
mimugmail repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
mimugmail repository is up to date.
All repositories are up to date.
Checking for upgrades (66 candidates): .......... done
Processing candidates (66 candidates): .......... done
The following 66 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
   abseil: 20240722.0 -> 20250127.0 [OPNsense]
   bind-tools: 9.20.5 -> 9.20.6 [OPNsense]
   boost-libs: 1.86.0_1 -> 1.87.0_1 [OPNsense]
   ca_root_nss: 3.104 -> 3.108 [OPNsense]
   clamav: 1.4.2,1 -> 1.4.2_1,1 [OPNsense]
   crowdsec: 1.6.4_1 -> 1.6.5_2 [OPNsense]
   curl: 8.12.0 -> 8.12.1 [OPNsense]
   diffutils: 3.8_1 -> 3.11 [OPNsense]
   dnsmasq: 2.90_4,1 -> 2.90_5,1 [OPNsense]
   easy-rsa: 3.2.1_3,1 -> 3.2.2,1 [OPNsense]
   icu: 74.2_1,1 -> 76.1,1 [OPNsense]
   indexinfo: 0.3.1 -> 0.3.1_1 [OPNsense]
   krb5: 1.21.3 -> 1.21.3_1 [OPNsense]
   libpsl: 0.21.5_1 -> 0.21.5_2 [OPNsense]
   lighttpd: 1.4.77 -> 1.4.77_1 [OPNsense]
   mpd5: 5.9_18 -> 5.9_19 [OPNsense]
   nano: 8.2 -> 8.3 [OPNsense]
   nss: 3.107 -> 3.109 [OPNsense]
   ntp: 4.2.8p18_1 -> 4.2.8p18_4 [OPNsense]
   openldap26-client: 2.6.9 -> 2.6.9_1 [OPNsense]
   openssh-portable: 9.9.p1_1,1 -> 9.9.p2_1,1 [OPNsense]
   opnsense: 25.1.1 -> 25.1.3 [OPNsense]
   opnsense-update: 25.1.1 -> 25.1.3 [OPNsense]
   os-acme-client: 4.8 -> 4.9 [OPNsense]
   os-dmidecode: 1.1_1 -> 1.2 [OPNsense]
   os-theme-rebellion: 1.9.2 -> 1.9.2_1 [OPNsense]
   os-theme-vicuna: 1.48 -> 1.48_1 [OPNsense]
   pftop: 0.10_1 -> 0.12 [OPNsense]
   php83: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-ctype: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-curl: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-dom: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-filter: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-gettext: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-ldap: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-mbstring: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-pcntl: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-pdo: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-session: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-simplexml: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-sockets: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-sqlite3: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-xml: 8.3.16 -> 8.3.17_1 [OPNsense]
   php83-zlib: 8.3.16 -> 8.3.17_1 [OPNsense]
   postfix: 3.9.1,1 -> 3.10.1,1 [OPNsense]
   protobuf: 29.3,1 -> 29.3_1,1 [OPNsense]
   protobuf-c: 1.4.1_8 -> 1.5.1 [OPNsense]
   py311-Jinja2: 3.1.4 -> 3.1.6 [OPNsense]
   py311-beautifulsoup: 4.12.3 -> 4.13.3_1 [OPNsense]
   py311-certifi: 2024.12.14 -> 2025.1.31 [OPNsense]
   py311-cryptography: 42.0.8_6,1 -> 42.0.8_7,1 [OPNsense]
   py311-duckdb: 1.1.3 -> 1.2.0 [OPNsense]
   py311-numpy: 1.26.4_2,1 -> 1.26.4_5,1 [OPNsense]
   py311-pyasn1-modules: 0.4.0 -> 0.4.1 [OPNsense]
   py311-pylsqpack: 0.3.18 -> 0.3.19 [OPNsense]
   py311-trio: 0.28.0 -> 0.29.0 [OPNsense]
   py311-truststore: 0.10.0 -> 0.10.1 [OPNsense]
   re2: 20240702 -> 20240702_1 [OPNsense]
   rspamd: 3.11.0 -> 3.11.0_1 [OPNsense]
   socat: 1.8.0.2 -> 1.8.0.3 [OPNsense]
   sqlite3: 3.46.1,1 -> 3.46.1_1,1 [OPNsense]
   suricata: 7.0.8_1 -> 7.0.8_2 [OPNsense]
   syslog-ng: 4.8.1_4 -> 4.8.1_5 [OPNsense]
   zstd: 1.5.6 -> 1.5.7 [OPNsense]

Installed packages to be REINSTALLED:
   kea-2.6.1_2 [OPNsense] (required shared library changed)
   sudo-1.9.16p2_1 [OPNsense] (option removed: SSSD2)

Number of packages to be upgraded: 64
Number of packages to be reinstalled: 2

The process will require 81 MiB more space.
162 MiB to be downloaded.
[1/66] Fetching py311-cryptography-42.0.8_7,1.pkg: .......... done
[2/66] Fetching lighttpd-1.4.77_1.pkg: .......... done
[3/66] Fetching php83-filter-8.3.17_1.pkg: ... done
[4/66] Fetching opnsense-update-25.1.3.pkg: ..... done
[5/66] Fetching re2-20240702_1.pkg: .......... done
[6/66] Fetching php83-curl-8.3.17_1.pkg: ...... done
[7/66] Fetching boost-libs-1.87.0_1.pkg: .......... done
[8/66] Fetching py311-numpy-1.26.4_5,1.pkg: .......... done
[9/66] Fetching nss-3.109.pkg: .......... done
[10/66] Fetching py311-pyasn1-modules-0.4.1.pkg: .......... done
[11/66] Fetching php83-ldap-8.3.17_1.pkg: ..... done
[12/66] Fetching easy-rsa-3.2.2,1.pkg: ....... done
[13/66] Fetching crowdsec-1.6.5_2.pkg: .......... done
[14/66] Fetching krb5-1.21.3_1.pkg: .......... done
[15/66] Fetching icu-76.1,1.pkg: .......... done
[16/66] Fetching dnsmasq-2.90_5,1.pkg: .......... done
[17/66] Fetching bind-tools-9.20.6.pkg: .......... done
[18/66] Fetching php83-simplexml-8.3.17_1.pkg: ... done
[19/66] Fetching php83-pdo-8.3.17_1.pkg: ....... done
[20/66] Fetching ntp-4.2.8p18_4.pkg: .......... done
[21/66] Fetching diffutils-3.11.pkg: .......... done
[22/66] Fetching syslog-ng-4.8.1_5.pkg: .......... done
[23/66] Fetching os-dmidecode-1.2.pkg: . done
[24/66] Fetching php83-sockets-8.3.17_1.pkg: ...... done
[25/66] Fetching libpsl-0.21.5_2.pkg: ........ done
[26/66] Fetching protobuf-c-1.5.1.pkg: .......... done
[27/66] Fetching os-acme-client-4.9.pkg: .......... done
[28/66] Fetching os-theme-rebellion-1.9.2_1.pkg: .......... done
[29/66] Fetching clamav-1.4.2_1,1.pkg: .......... done
[30/66] Fetching php83-pcntl-8.3.17_1.pkg: ... done
[31/66] Fetching ca_root_nss-3.108.pkg: .......... done
[32/66] Fetching php83-sqlite3-8.3.17_1.pkg: .... done
[33/66] Fetching py311-trio-0.29.0.pkg: .......... done
[34/66] Fetching abseil-20250127.0.pkg: .......... done
[35/66] Fetching php83-session-8.3.17_1.pkg: ..... done
[36/66] Fetching py311-certifi-2025.1.31.pkg: .......... done
[37/66] Fetching kea-2.6.1_2.pkg: .......... done
[38/66] Fetching php83-mbstring-8.3.17_1.pkg: .......... done
[39/66] Fetching php83-gettext-8.3.17_1.pkg: . done
[40/66] Fetching php83-zlib-8.3.17_1.pkg: ... done
[41/66] Fetching zstd-1.5.7.pkg: .......... done
[42/66] Fetching socat-1.8.0.3.pkg: .......... done
[43/66] Fetching php83-ctype-8.3.17_1.pkg: . done
[44/66] Fetching curl-8.12.1.pkg: .......... done
[45/66] Fetching rspamd-3.11.0_1.pkg: .......... done
[46/66] Fetching php83-8.3.17_1.pkg: .......... done
[47/66] Fetching py311-truststore-0.10.1.pkg: ..... done
[48/66] Fetching openssh-portable-9.9.p2_1,1.pkg: .......... done
[49/66] Fetching indexinfo-0.3.1_1.pkg: . done
[50/66] Fetching nano-8.3.pkg: .......... done
[51/66] Fetching php83-xml-8.3.17_1.pkg: ... done
[52/66] Fetching suricata-7.0.8_2.pkg: .......... done
[53/66] Fetching php83-dom-8.3.17_1.pkg: .......... done
[54/66] Fetching mpd5-5.9_19.pkg: .......... done
[55/66] Fetching sqlite3-3.46.1_1,1.pkg: .......... done
[56/66] Fetching py311-pylsqpack-0.3.19.pkg: ........ done
[57/66] Fetching openldap26-client-2.6.9_1.pkg: .......... done
[58/66] Fetching protobuf-29.3_1,1.pkg: .......... done
[59/66] Fetching py311-beautifulsoup-4.13.3_1.pkg: .......... done
[60/66] Fetching opnsense-25.1.3.pkg: .......... done
[61/66] Fetching os-theme-vicuna-1.48_1.pkg: .......... done
[62/66] Fetching py311-duckdb-1.2.0.pkg: .......... done
[63/66] Fetching sudo-1.9.16p2_1.pkg: .......... done
[64/66] Fetching pftop-0.12.pkg: ........ done
[65/66] Fetching py311-Jinja2-3.1.6.pkg: .......... done
[66/66] Fetching postfix-3.10.1,1.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/66] Upgrading indexinfo from 0.3.1 to 0.3.1_1...
[1/66] Extracting indexinfo-0.3.1_1: .... done
[2/66] Upgrading py311-truststore from 0.10.0 to 0.10.1...
[2/66] Extracting py311-truststore-0.10.1: .......... done
[3/66] Upgrading py311-cryptography from 42.0.8_6,1 to 42.0.8_7,1...
[3/66] Extracting py311-cryptography-42.0.8_7,1: .......... done
[4/66] Upgrading py311-pyasn1-modules from 0.4.0 to 0.4.1...
[4/66] Extracting py311-pyasn1-modules-0.4.1: .......... done
[5/66] Upgrading abseil from 20240722.0 to 20250127.0...
[5/66] Extracting abseil-20250127.0: .......... done
[6/66] Upgrading py311-certifi from 2024.12.14 to 2025.1.31...
[6/66] Extracting py311-certifi-2025.1.31: .......... done
[7/66] Upgrading py311-numpy from 1.26.4_2,1 to 1.26.4_5,1...
[7/66] Extracting py311-numpy-1.26.4_5,1: .......... done
[8/66] Upgrading krb5 from 1.21.3 to 1.21.3_1...
[8/66] Extracting krb5-1.21.3_1: .......... done
[9/66] Upgrading php83 from 8.3.16 to 8.3.17_1...
[9/66] Extracting php83-8.3.17_1: .......... done
[10/66] Upgrading sqlite3 from 3.46.1,1 to 3.46.1_1,1...
[10/66] Extracting sqlite3-3.46.1_1,1: .......... done
[11/66] Upgrading py311-pylsqpack from 0.3.18 to 0.3.19...
[11/66] Extracting py311-pylsqpack-0.3.19: .......... done
[12/66] Upgrading protobuf from 29.3,1 to 29.3_1,1...
[12/66] Extracting protobuf-29.3_1,1: .......... done
[13/66] Upgrading icu from 74.2_1,1 to 76.1,1...
[13/66] Extracting icu-76.1,1: .......... done
[14/66] Upgrading libpsl from 0.21.5_1 to 0.21.5_2...
[14/66] Extracting libpsl-0.21.5_2: .......... done
[15/66] Upgrading protobuf-c from 1.4.1_8 to 1.5.1...
[15/66] Extracting protobuf-c-1.5.1: .......... done
[16/66] Upgrading py311-trio from 0.28.0 to 0.29.0...
[16/66] Extracting py311-trio-0.29.0: .......... done
[17/66] Upgrading php83-zlib from 8.3.16 to 8.3.17_1...
[17/66] Extracting php83-zlib-8.3.17_1: ........ done
[18/66] Upgrading zstd from 1.5.6 to 1.5.7...
[18/66] Extracting zstd-1.5.7: .......... done
[19/66] Upgrading php83-xml from 8.3.16 to 8.3.17_1...
[19/66] Extracting php83-xml-8.3.17_1: ......... done
[20/66] Upgrading boost-libs from 1.86.0_1 to 1.87.0_1...
[20/66] Extracting boost-libs-1.87.0_1: .......... done
[21/66] Upgrading nss from 3.107 to 3.109...
[21/66] Extracting nss-3.109: .......... done
[22/66] Upgrading easy-rsa from 3.2.1_3,1 to 3.2.2,1...
[22/66] Extracting easy-rsa-3.2.2,1: .......... done
[23/66] Upgrading bind-tools from 9.20.5 to 9.20.6...
[23/66] Extracting bind-tools-9.20.6: .......... done
[24/66] Upgrading php83-pdo from 8.3.16 to 8.3.17_1...
[24/66] Extracting php83-pdo-8.3.17_1: .......... done
[25/66] Upgrading php83-session from 8.3.16 to 8.3.17_1...
[25/66] Extracting php83-session-8.3.17_1: .......... done
[26/66] Upgrading php83-mbstring from 8.3.16 to 8.3.17_1...
[26/66] Extracting php83-mbstring-8.3.17_1: .......... done
[27/66] Upgrading socat from 1.8.0.2 to 1.8.0.3...
[27/66] Extracting socat-1.8.0.3: ......... done
[28/66] Upgrading curl from 8.12.0 to 8.12.1...
[28/66] Extracting curl-8.12.1: .......... done
[29/66] Upgrading openldap26-client from 2.6.9 to 2.6.9_1...
[29/66] Extracting openldap26-client-2.6.9_1: .......... done
[30/66] Upgrading py311-beautifulsoup from 4.12.3 to 4.13.3_1...
[30/66] Extracting py311-beautifulsoup-4.13.3_1: .......... done
[31/66] Upgrading lighttpd from 1.4.77 to 1.4.77_1...
===> Creating groups
Using existing group 'www'
===> Creating users
Using existing user 'www'
[31/66] Extracting lighttpd-1.4.77_1: .......... done
[32/66] Upgrading php83-filter from 8.3.16 to 8.3.17_1...
[32/66] Extracting php83-filter-8.3.17_1: ......... done
[33/66] Upgrading opnsense-update from 25.1.1 to 25.1.3...
[33/66] Extracting opnsense-update-25.1.3: .......... done
[34/66] Upgrading re2 from 20240702 to 20240702_1...
[34/66] Extracting re2-20240702_1: .......... done
[35/66] Upgrading php83-curl from 8.3.16 to 8.3.17_1...
[35/66] Extracting php83-curl-8.3.17_1: .......... done
[36/66] Upgrading php83-ldap from 8.3.16 to 8.3.17_1...
[36/66] Extracting php83-ldap-8.3.17_1: ........ done
[37/66] Upgrading dnsmasq from 2.90_4,1 to 2.90_5,1...
[37/66] Extracting dnsmasq-2.90_5,1: .......... done
[38/66] Upgrading php83-simplexml from 8.3.16 to 8.3.17_1...
[38/66] Extracting php83-simplexml-8.3.17_1: ......... done
[39/66] Upgrading ntp from 4.2.8p18_1 to 4.2.8p18_4...
[39/66] Extracting ntp-4.2.8p18_4: .......... done
[40/66] Upgrading syslog-ng from 4.8.1_4 to 4.8.1_5...
[40/66] Extracting syslog-ng-4.8.1_5: .......... done
[41/66] Upgrading php83-sockets from 8.3.16 to 8.3.17_1...
[41/66] Extracting php83-sockets-8.3.17_1: .......... done
[42/66] Upgrading php83-pcntl from 8.3.16 to 8.3.17_1...
[42/66] Extracting php83-pcntl-8.3.17_1: ......... done
[43/66] Upgrading ca_root_nss from 3.104 to 3.108...
[43/66] Extracting ca_root_nss-3.108: ..... done
[44/66] Upgrading php83-sqlite3 from 8.3.16 to 8.3.17_1...
[44/66] Extracting php83-sqlite3-8.3.17_1: ......... done
[45/66] Reinstalling kea-2.6.1_2...
[45/66] Extracting kea-2.6.1_2: .......... done
[46/66] Upgrading php83-gettext from 8.3.16 to 8.3.17_1...
[46/66] Extracting php83-gettext-8.3.17_1: ........ done
[47/66] Upgrading php83-ctype from 8.3.16 to 8.3.17_1...
[47/66] Extracting php83-ctype-8.3.17_1: ........ done
[48/66] Upgrading openssh-portable from 9.9.p1_1,1 to 9.9.p2_1,1...
[48/66] Extracting openssh-portable-9.9.p2_1,1: .......... done
[49/66] Upgrading suricata from 7.0.8_1 to 7.0.8_2...
[49/66] Extracting suricata-7.0.8_2: .......... done
[50/66] Upgrading php83-dom from 8.3.16 to 8.3.17_1...
[50/66] Extracting php83-dom-8.3.17_1: .......... done
[51/66] Upgrading mpd5 from 5.9_18 to 5.9_19...
[51/66] Extracting mpd5-5.9_19: .......... done
[52/66] Upgrading py311-duckdb from 1.1.3 to 1.2.0...
[52/66] Extracting py311-duckdb-1.2.0: .......... done
[53/66] Reinstalling sudo-1.9.16p2_1...
[53/66] Extracting sudo-1.9.16p2_1: .......... done
[54/66] Upgrading pftop from 0.10_1 to 0.12...
[54/66] Extracting pftop-0.12: ..... done
[55/66] Upgrading py311-Jinja2 from 3.1.4 to 3.1.6...
[55/66] Extracting py311-Jinja2-3.1.6: .......... done
[56/66] Upgrading crowdsec from 1.6.4_1 to 1.6.5_2...
[56/66] Extracting crowdsec-1.6.5_2: .......... done
crowdsec is running as pid 45734.
Stopping crowdsec.
Waiting for PIDS: 45734.
Waiting for PIDS: 52434.
Updating crowdsec hub data
Downloading /usr/local/etc/crowdsec/hub/.index.json
crowdsecurity/base-http-scenarios is outdated because of scenarios:crowdsecurity/http-cve-probing
crowdsecurity/base-http-scenarios is outdated because of contexts:crowdsecurity/http_base
crowdsecurity/postfix is outdated because of parsers:crowdsecurity/postfix-logs
downloading parsers:crowdsecurity/postfix-logs
downloading scenarios:crowdsecurity/http-cve-probing
downloading https://hub-data.crowdsec.net/web/trendy_cves_uris.json
downloading contexts:crowdsecurity/http_base
downloading collections:crowdsecurity/base-http-scenarios
downloading collections:crowdsecurity/postfix

Run 'sudo service crowdsec reload' for the new configuration to be effective.
Loaded: 134 parsers, 10 postoverflows, 753 scenarios, 8 contexts, 4 appsec-configs, 93 appsec-rules, 132 collections
Starting crowdsec.
[57/66] Upgrading diffutils from 3.8_1 to 3.11...
[57/66] Extracting diffutils-3.11: .......... done
[58/66] Upgrading os-dmidecode from 1.1_1 to 1.2...
[58/66] Extracting os-dmidecode-1.2: ...... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Configuring system logging...done.
[59/66] Upgrading os-acme-client from 4.8 to 4.9...
[59/66] Extracting os-acme-client-4.9: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/AcmeClient: OK
[60/66] Upgrading os-theme-rebellion from 1.9.2 to 1.9.2_1...
[60/66] Extracting os-theme-rebellion-1.9.2_1: .......... done
[61/66] Upgrading clamav from 1.4.2,1 to 1.4.2_1,1...
===> Creating groups
Using existing group 'clamav'
Using existing group 'mail'
===> Creating users
Using existing user 'clamav'
[61/66] Extracting clamav-1.4.2_1,1: .......... done
[62/66] Upgrading rspamd from 3.11.0 to 3.11.0_1...
===> Creating groups
Using existing group 'rspamd'
===> Creating users
Using existing user 'rspamd'
[62/66] Extracting rspamd-3.11.0_1: .......... done
[63/66] Upgrading nano from 8.2 to 8.3...
[63/66] Extracting nano-8.3: .......... done
[64/66] Upgrading opnsense from 25.1.1 to 25.1.3...
[64/66] Extracting opnsense-25.1.3: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Migrated OPNsense\Unbound\Unbound from 1.0.11 to 1.0.12
Migrated OPNsense\Dnsmasq\Dnsmasq from <unversioned> to 1.0.0
Migrated OPNsense\Core\Tunables from 1.0.0 to 1.0.1
Migrated OPNsense\Interfaces\Vip from 1.0.0 to 1.0.1
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: Modified 2 trust store links.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
[65/66] Upgrading os-theme-vicuna from 1.48 to 1.48_1...
[65/66] Extracting os-theme-vicuna-1.48_1: .......... done
[66/66] Upgrading postfix from 3.9.1,1 to 3.10.1,1...
===> Creating groups
Using existing group 'mail'
Using existing group 'maildrop'
Using existing group 'postfix'
===> Creating users
Using existing user 'postfix'
===> Creating homedir(s)
[66/66] Extracting postfix-3.10.1,1: ......... done
postfix: Postfix is using backwards-compatible default settings
postfix: See https://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=3.6" and "postfix reload"
chown: /usr/local/man/man1/mailq.1.gz: No such file or directory

===============================================================
Postfix was *not* activated in //usr/local/etc/mail/mailer.conf!

To finish installation run the following commands:

  mkdir -p //usr/local/etc/mail
  install -m 0644 //usr/local/share/postfix/mailer.conf.postfix //usr/local/etc/mail/mailer.conf
===============================================================

=====
Message from dnsmasq-2.90_5,1:

--
To enable dnsmasq, edit /usr/local/etc/dnsmasq.conf and
set dnsmasq_enable="YES" in /etc/rc.conf[.local]

Further options and actions are documented inside
/usr/local/etc/rc.d/dnsmasq


NOTE: when using dnssec, inaccurate system clocks
can cause DNS resolution to fail
because DNSSEC signatures may then not validate.


SECURITY RECOMMENDATION
~~~~~~~~~~~~~~~~~~~~~~~
It is recommended to enable the wpad-related options
at the end of the configuration file (you may need to
copy them from the example file to yours) to fix
CERT Vulnerability VU#598349.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-ctrl-agent.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-dhcp4.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/keactrl.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/reference.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/config.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/local_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/online_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/console.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/clamd.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/freshclam.conf if it is no longer needed.
=====
Message from rspamd-3.11.0_1:

--
Due to the issues with Hyperscan alignment, it is recommended to remove the
existing cached files that might cause troubles from /var/db/rspamd by using the
following command: "find /var/db/rspamd/ -type f -name '*.unser' -delete"
This action is needed merely for this particular upgrade.
=====
Message from opnsense-25.1.3:

--
What are you looking at?
You may need to manually remove /usr/local/etc/postfix/main.cf if it is no longer needed.
You may need to manually remove /usr/local/etc/postfix/master.cf if it is no longer needed.
You may need to manually remove /usr/local/etc/postfix/aliases if it is no longer needed.
You may need to manually remove /usr/local/etc/postfix/transport if it is no longer needed.
You may need to manually remove /usr/local/etc/postfix/virtual if it is no longer needed.
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages:

Installed packages to be REMOVED:
   libsigsegv: 2.14

Number of packages to be removed: 1
[1/1] Deinstalling libsigsegv-2.14...
[1/1] Deleting files for libsigsegv-2.14: ........ done
Checking all packages: .......... done
The following package files will be deleted:
   /var/cache/pkg/dnsmasq-2.90_5,1~1ba23f6dcb.pkg
   /var/cache/pkg/postfix-3.10.1,1.pkg
   /var/cache/pkg/php83-8.3.17_1~1ec044c1e6.pkg
   /var/cache/pkg/sudo-1.9.16p2_1~10006b4ee0.pkg
   /var/cache/pkg/nss-3.109.pkg
   /var/cache/pkg/protobuf-29.3_1,1~58d8f36e23.pkg
   /var/cache/pkg/syslog-ng-4.8.1_5.pkg
   /var/cache/pkg/php83-curl-8.3.17_1~7a7cc654a4.pkg
   /var/cache/pkg/opnsense-25.1.3~4e5ab1baa3.pkg
   /var/cache/pkg/py311-certifi-2025.1.31~9a9de9b45d.pkg
   /var/cache/pkg/indexinfo-0.3.1_1~1634745d18.pkg
   /var/cache/pkg/py311-pyasn1-modules-0.4.1.pkg
   /var/cache/pkg/php83-xml-8.3.17_1.pkg
   /var/cache/pkg/socat-1.8.0.3.pkg
   /var/cache/pkg/php83-ctype-8.3.17_1~b882eb5da5.pkg
   /var/cache/pkg/easy-rsa-3.2.2,1~3d0d27a7cc.pkg
   /var/cache/pkg/opnsense-25.1.3.pkg
   /var/cache/pkg/protobuf-c-1.5.1.pkg
   /var/cache/pkg/py311-cryptography-42.0.8_7,1~e3360d1806.pkg
   /var/cache/pkg/abseil-20250127.0.pkg
   /var/cache/pkg/lighttpd-1.4.77_1~5fae8d6eb7.pkg
   /var/cache/pkg/boost-libs-1.87.0_1.pkg
   /var/cache/pkg/py311-Jinja2-3.1.6~2e84b00e54.pkg
   /var/cache/pkg/indexinfo-0.3.1_1.pkg
   /var/cache/pkg/postfix-3.10.1,1~c64008431c.pkg
   /var/cache/pkg/php83-ctype-8.3.17_1.pkg
   /var/cache/pkg/os-dmidecode-1.2.pkg
   /var/cache/pkg/php83-curl-8.3.17_1.pkg
   /var/cache/pkg/os-theme-rebellion-1.9.2_1.pkg
   /var/cache/pkg/py311-numpy-1.26.4_5,1.pkg
   /var/cache/pkg/php83-dom-8.3.17_1.pkg
   /var/cache/pkg/py311-beautifulsoup-4.13.3_1.pkg
   /var/cache/pkg/clamav-1.4.2_1,1.pkg
   /var/cache/pkg/boost-libs-1.87.0_1~ff9e7be9f4.pkg
   /var/cache/pkg/php83-mbstring-8.3.17_1.pkg
   /var/cache/pkg/py311-pylsqpack-0.3.19.pkg
   /var/cache/pkg/pftop-0.12~5c6ff4626d.pkg
   /var/cache/pkg/php83-sockets-8.3.17_1.pkg
   /var/cache/pkg/php83-gettext-8.3.17_1.pkg
   /var/cache/pkg/crowdsec-1.6.5_2~28d0db5efc.pkg
   /var/cache/pkg/php83-dom-8.3.17_1~4ad65bc998.pkg
   /var/cache/pkg/mpd5-5.9_19.pkg
   /var/cache/pkg/php83-simplexml-8.3.17_1.pkg
   /var/cache/pkg/py311-trio-0.29.0.pkg
   /var/cache/pkg/php83-zlib-8.3.17_1~38a1c96eb6.pkg
   /var/cache/pkg/sqlite3-3.46.1_1,1~c10504717d.pkg
   /var/cache/pkg/protobuf-29.3_1,1.pkg
   /var/cache/pkg/bind-tools-9.20.6~1935af8f6c.pkg
   /var/cache/pkg/php83-gettext-8.3.17_1~466ce054a9.pkg
   /var/cache/pkg/mpd5-5.9_19~c1efd9d43b.pkg
   /var/cache/pkg/ntp-4.2.8p18_4~10ab4c3d85.pkg
   /var/cache/pkg/ca_root_nss-3.108.pkg
   /var/cache/pkg/zstd-1.5.7~f24ce5e6aa.pkg
   /var/cache/pkg/php83-pdo-8.3.17_1~688f851975.pkg
   /var/cache/pkg/py311-cryptography-42.0.8_7,1.pkg
   /var/cache/pkg/php83-xml-8.3.17_1~48df67e008.pkg
   /var/cache/pkg/php83-ldap-8.3.17_1.pkg
   /var/cache/pkg/php83-session-8.3.17_1~3b17a00662.pkg
   /var/cache/pkg/bind-tools-9.20.6.pkg
   /var/cache/pkg/os-theme-vicuna-1.48_1.pkg
   /var/cache/pkg/sudo-1.9.16p2_1.pkg
   /var/cache/pkg/openssh-portable-9.9.p2_1,1~a8b7c04426.pkg
   /var/cache/pkg/php83-sqlite3-8.3.17_1~e18d1b2695.pkg
   /var/cache/pkg/py311-truststore-0.10.1~b73b0c6b6a.pkg
   /var/cache/pkg/php83-pdo-8.3.17_1.pkg
   /var/cache/pkg/py311-beautifulsoup-4.13.3_1~9e85a878a0.pkg
   /var/cache/pkg/easy-rsa-3.2.2,1.pkg
   /var/cache/pkg/kea-2.6.1_2.pkg
   /var/cache/pkg/libpsl-0.21.5_2~1c1087bc0c.pkg
   /var/cache/pkg/crowdsec-1.6.5_2.pkg
   /var/cache/pkg/lighttpd-1.4.77_1.pkg
   /var/cache/pkg/nano-8.3~52fd707333.pkg
   /var/cache/pkg/protobuf-c-1.5.1~742e0d1412.pkg
   /var/cache/pkg/py311-pylsqpack-0.3.19~b287ab4af0.pkg
   /var/cache/pkg/py311-pyasn1-modules-0.4.1~296e39c0aa.pkg
   /var/cache/pkg/diffutils-3.11.pkg
   /var/cache/pkg/icu-76.1,1~841b5ae1eb.pkg
   /var/cache/pkg/php83-ldap-8.3.17_1~cb14f2d302.pkg
   /var/cache/pkg/php83-filter-8.3.17_1~5679cb6edc.pkg
   /var/cache/pkg/clamav-1.4.2_1,1~dad70cc586.pkg
   /var/cache/pkg/re2-20240702_1~710cf8174d.pkg
   /var/cache/pkg/sqlite3-3.46.1_1,1.pkg
   /var/cache/pkg/openldap26-client-2.6.9_1~22dbdc11f0.pkg
   /var/cache/pkg/ntp-4.2.8p18_4.pkg
   /var/cache/pkg/nss-3.109~4ef2277c45.pkg
   /var/cache/pkg/openldap26-client-2.6.9_1.pkg
   /var/cache/pkg/py311-trio-0.29.0~6e7fff27af.pkg
   /var/cache/pkg/kea-2.6.1_2~20b9bfcb88.pkg
   /var/cache/pkg/libpsl-0.21.5_2.pkg
   /var/cache/pkg/opnsense-update-25.1.3~ea2655dcb9.pkg
   /var/cache/pkg/suricata-7.0.8_2~655a9dbc26.pkg
   /var/cache/pkg/php83-sockets-8.3.17_1~87c5b41cf3.pkg
   /var/cache/pkg/php83-zlib-8.3.17_1.pkg
   /var/cache/pkg/py311-truststore-0.10.1.pkg
   /var/cache/pkg/php83-simplexml-8.3.17_1~0a4f3bd048.pkg
   /var/cache/pkg/diffutils-3.11~f6e9019633.pkg
   /var/cache/pkg/py311-duckdb-1.2.0~445097a92e.pkg
   /var/cache/pkg/os-dmidecode-1.2~55bee2ded0.pkg
   /var/cache/pkg/ca_root_nss-3.108~887efe8228.pkg
   /var/cache/pkg/py311-Jinja2-3.1.6.pkg
   /var/cache/pkg/socat-1.8.0.3~9df3832327.pkg
   /var/cache/pkg/abseil-20250127.0~da51474fc7.pkg
   /var/cache/pkg/os-theme-vicuna-1.48_1~febb25d0cf.pkg
   /var/cache/pkg/opnsense-update-25.1.3.pkg
   /var/cache/pkg/nano-8.3.pkg
   /var/cache/pkg/php83-session-8.3.17_1.pkg
   /var/cache/pkg/php83-mbstring-8.3.17_1~0736684d76.pkg
   /var/cache/pkg/openssh-portable-9.9.p2_1,1.pkg
   /var/cache/pkg/rspamd-3.11.0_1~9107aefab8.pkg
   /var/cache/pkg/php83-sqlite3-8.3.17_1.pkg
   /var/cache/pkg/krb5-1.21.3_1~89de19c5d3.pkg
   /var/cache/pkg/dnsmasq-2.90_5,1.pkg
   /var/cache/pkg/rspamd-3.11.0_1.pkg
   /var/cache/pkg/php83-filter-8.3.17_1.pkg
   /var/cache/pkg/php83-pcntl-8.3.17_1.pkg
   /var/cache/pkg/re2-20240702_1.pkg
   /var/cache/pkg/pftop-0.12.pkg
   /var/cache/pkg/curl-8.12.1.pkg
   /var/cache/pkg/zstd-1.5.7.pkg
   /var/cache/pkg/php83-8.3.17_1.pkg
   /var/cache/pkg/icu-76.1,1.pkg
   /var/cache/pkg/syslog-ng-4.8.1_5~c1d5935ef8.pkg
   /var/cache/pkg/py311-duckdb-1.2.0.pkg
   /var/cache/pkg/os-acme-client-4.9~8b7d75214c.pkg
   /var/cache/pkg/krb5-1.21.3_1.pkg
   /var/cache/pkg/suricata-7.0.8_2.pkg
   /var/cache/pkg/os-theme-rebellion-1.9.2_1~f72ef63734.pkg
   /var/cache/pkg/curl-8.12.1~d85a3be0a3.pkg
   /var/cache/pkg/py311-numpy-1.26.4_5,1~793c96920c.pkg
   /var/cache/pkg/py311-certifi-2025.1.31.pkg
   /var/cache/pkg/os-acme-client-4.9.pkg
   /var/cache/pkg/php83-pcntl-8.3.17_1~6ce739b176.pkg
The cleanup will free 162 MiB
Deleting files: .......... done
All done
Nothing to do.
Starting web GUI...done.
Fetching base-25.1.3-amd64.txz: ...

I started the upgrade shortly before 9:00 PM, and now it's almost two hours later. I don't mean the last step, it's been almost two hours. This is the first time I've had to wait this long for an upgrade, and it's happily carrying on like this. I don't know how long this will last. I don't see anything unusual in the log. What can I do besides wait?

Thanks for the support.
#3
German - Deutsch / Redis service does not start
June 18, 2024, 07:19:34 PM
Hi everyone,

I wanted to ask whether any of you has a solution to this problem.
For about 2 days I have had the problem that the Redis service cannot be started via the GUI.

The error message says that the IP is already in use. I also checked that with netstat etc., but the service still did not start. I also found a workaround, but apparently after the next change via the GUI the service is offline again. I also reset the database, but that did not help.


The problem seems to be that I have the internal IP in the configuration twice.

It then looks like this:

bind 127.0.0.1 ::1 172.29.2.1 172.29.2.1
When I deleted the duplicate entry, the DB could be started again.

The whole thing is somehow really strange.

Best regards
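
The duplicate-address condition described in the post above can be checked mechanically. This is an added example, not part of the original post and not OPNsense or Redis code; the function names and the sample file are constructed, and it assumes POSIX sh with awk. As a further assumption it treats a leading "-" on an address (the "ignore if unavailable" prefix of newer Redis versions) as the same address.

```shell
#!/bin/sh
# Added example: find and remove repeated addresses on redis.conf "bind" lines.

# Constructed sample: a minimal config containing the bind line quoted in the post.
sample_redis_conf() {
    cat <<'EOF'
# constructed sample redis.conf fragment
port 6379
bind 127.0.0.1 ::1 172.29.2.1 172.29.2.1
EOF
}

# duplicate_bind_addresses FILE
# Prints "LINE: ADDRESS" once for every address that is repeated on the same
# bind line. Commented-out bind lines are ignored. Prints nothing if clean.
duplicate_bind_addresses() {
    awk '
        $1 == "bind" {
            split("", seen)                 # reset per bind line
            for (i = 2; i <= NF; i++) {
                addr = $i
                sub(/^-/, "", addr)         # assumption: "-addr" equals "addr"
                n = ++seen[addr]
                if (n == 2) print FNR ": " addr
            }
        }' "$1"
}

# dedupe_bind_lines FILE
# Prints the whole config with each address kept once per bind line, in the
# original order. All other lines are passed through unchanged.
dedupe_bind_lines() {
    awk '
        $1 == "bind" {
            split("", seen)
            out = "bind"
            for (i = 2; i <= NF; i++) {
                addr = $i
                sub(/^-/, "", addr)
                if (!(addr in seen)) {
                    seen[addr] = 1
                    out = out " " $i        # keep the token as written
                }
            }
            print out
            next
        }
        { print }' "$1"
}

# Demonstration on the constructed sample.
demo_conf=$(mktemp)
sample_redis_conf > "$demo_conf"
echo "duplicates found:"
duplicate_bind_addresses "$demo_conf"
echo "config with duplicates removed:"
dedupe_bind_lines "$demo_conf"
rm -f "$demo_conf"
```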

#4
Wrong name in the certificate.
Click on it and look at the name, then you will see why you get the error message; you have an interception or created one.

If you want to secure other servers, the way I did it with one certificate, then I would build a reverse proxy. However, I did not do that with HAProxy; it works with that too, but I used a VM with NGINX for it, stored a wildcard certificate there, and covered all web services with it.
That is probably what you wanted to do.

https://docs.opnsense.org/manual/reverse_proxy.html

This, for example, also describes how it works.

#5
Put differently: what happens if you disable HAProxy and the rules for it, do you still have the certificate problems? Because as I understand it, you are using it for your outbound address in order to secure it via SSL.

If you want to secure your outbound traffic, I don't know whether HAProxy is the right thing; for that I would either use an external product as a web proxy or install the web proxy plugin that is offered under the plugins.

But it depends on what exactly you wanted to achieve with HAProxy. For example, I only run it to forward to the web interface of RSPAMD.
#6
I'm not 100% sure, but if you do the initial setup and set it to ALL / WAN, it will almost certainly create a rule on the firewall. And just like that you have it on the Internet. So at that point I would suggest a LAN address; it works just as well as using 0.0.0.0, only that you restrict the access to where the thing can be reached from.

By the way, I can suggest this YT video for the initial setup; incidentally, it also warns about this.

https://www.youtube.com/watch?v=fP_mQWSI8tc&t=221s (from about minute 6:45)

Best regards
#7
1. I would not put AdGuard on 0.0.0.0 unless you want your interface to be reachable from the Internet.
2. If possible, I recommend configuring a separate IP for the dashboard in the config; by the way, that makes the whole thing quite a bit easier, I think.

But these are just my thoughts on it; you have to decide for yourselves.
#8
Personally, I think he has a proxy running that does an interception check, and there you have probably stored, for example, an internal certificate that causes this certificate error, or a self-signed one.
But that is only a guess without looking at your box.
#9
A question about the UniFi AP: why don't you use the UniFi software for the configuration? As far as I have seen, in version 8 all of that should be possible. I have the software for the web interface running directly on a VM, so that I always have access to my AP and can configure everything from there.
#10
German - Deutsch / DKIM GUI module?
May 29, 2024, 12:30:40 PM
Hello everyone,

is there already a module for Postfix/RSPAMD/Redis that lets you configure DKIM via the GUI?
Thanks for your feedback.

Best regards
#11
After upgrading to 24.1.6, I now have problems with HAProxy.
Something in the configuration no longer seems to fit in the new release.


The error message is here:

First, it detected that there is apparently a difference in the configuration:

--- /usr/local/etc/haproxy.conf   2023-10-13 21:25:15.801837000 +0200
+++ /usr/local/etc/haproxy.conf.staging   2024-04-30 16:37:37.211591000 +0200
@@ -12,6 +12,7 @@
     nbthread                    1
     hard-stop-after             60s
     no strict-limits
+    httpclient.resolvers.prefer   ipv4
     tune.ssl.default-dh-param   1024
     spread-checks               0
     tune.bufsize                16384
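Review bot: the unchanged context line `tune.ssl.default-dh-param 1024`, directly below the added `httpclient.resolvers.prefer ipv4`, still sets a 1024-bit DH parameter size, which is weak for DHE key exchange. Consider raising it to 2048 in the global section while this block is being regenerated. The added resolver preference only concerns HAProxy's internal HTTP client and raises no concern here.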
@@ -42,7 +43,7 @@

# Frontend: Frontend_RSPAMD ()
frontend Frontend_RSPAMD
-    bind 172.29.2.1:11334 name 172.29.2.1:11334 ssl  crt-list /tmp/haproxy/ssl/5f0b440942b9d4.71019842.certlist
+    bind 172.29.2.1:11334 name 172.29.2.1:11334 ssl no-alpn crt-list /tmp/haproxy/ssl/5f0b440942b9d4.71019842.certlist
     mode http
     option http-keep-alive
     default_backend Backend_RSPAMD
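Review bot: the only change on the `bind` line is the added `no-alpn`; the `crt-list` path under `/tmp/haproxy/ssl/` is identical on both sides, so a missing certlist file is not introduced by this edit, and the generator should confirm that the referenced file is written before the staging config is validated. The reason for disabling ALPN on this listener should also be documented, since `no-alpn` stops the frontend from advertising any ALPN protocols to clients.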


During the syntax check it reports this:

[NOTICE] (96963) : haproxy version is 2.8.9-1842fd0
[NOTICE] (96963) : path to executable is /usr/local/sbin/haproxy
[ALERT] (96963) : config : parsing [/usr/local/etc/haproxy.conf.staging:46] : 'bind 172.29.2.1:11334' in section 'frontend' : 'crt-list' : cannot open file '/tmp/haproxy/ssl/5f0b440942b9d4.71019842.certlist' : No such file or directory
[ALERT] (96963) : config : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (96963) : config : Fatal errors found in configuration.

As I read it, it now has problems reading the certificate because it cannot find one.
Or could it be that I once again have to create a directory because it does not exist?

Here is an update:

root@opensense01:/tmp/haproxy/ssl # ls -alF
total 39
drwxr-x---  2 www  www     5 Apr 30 16:37 ./
drwxr-x---  7 www  www     7 Apr 30 15:45 ../
-rw-------  1 www  www  5183 Apr 30 16:46 5f0b436c884250.54714133.calist
-rw-------  1 www  www  1911 Apr 30 16:46 6628cfc91b808.issuer
-rw-------  1 www  www  8156 Apr 30 16:46 6628cfc91b808.pem
root@opensense01:/tmp/haproxy/ssl #

Apparently it is looking for a file that does not exist there.


Update:
OK, I was able to solve the problem: I simply assigned the certificate again in the frontend, and then it worked again.
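
As an added example (not part of the original post and not OPNsense's own code), a pre-flight check for the failure shown above: it lists every `crt-list`, `ca-file` or `crt` path on a `bind` line that does not exist on disk, with the config line number. The function names, addresses and file names are constructed for illustration.

```shell
#!/bin/sh
# Report TLS files referenced on HAProxy "bind" lines that are missing on disk.
# Covers the bind keywords crt-list, ca-file and crt (crt may be a directory).
missing_tls_files() {
    conf="$1"
    awk '
        $1 == "bind" {
            # the keyword is followed by its path, so stop one field early
            for (i = 2; i < NF; i++)
                if ($i == "crt-list" || $i == "ca-file" || $i == "crt")
                    print FNR ":" $i ":" $(i + 1)
        }' "$conf" |
    while IFS=: read -r line kw path; do
        [ -e "$path" ] ||
            printf '%s line %s: %s %s not found\n' "$conf" "$line" "$kw" "$path"
    done
}

# Constructed sample config: one referenced certlist exists, the other does not.
make_sample() {
    d=$(mktemp -d) || return 1
    : > "$d/present.certlist"
    cat > "$d/haproxy.conf.staging" <<EOF
global
    nbthread 1

frontend Frontend_A
    bind 192.0.2.10:11334 name a ssl no-alpn crt-list $d/present.certlist
    mode http

frontend Frontend_B
    bind 192.0.2.10:8443 name b ssl crt-list $d/absent.certlist
    mode http
EOF
    printf '%s\n' "$d"
}

sample_dir=$(make_sample)
missing_tls_files "$sample_dir/haproxy.conf.staging"
rm -rf "$sample_dir"
```

Unlike the syntax check, which stops at the first fatal error, this reports all missing references in one pass; it assumes the paths contain no whitespace.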
#12
German - Deutsch / Re: Question: Upgrade 24.1.6
April 30, 2024, 04:33:36 PM
And how can I keep using relay? Is there a plugin or anything?
#13
German - Deutsch / Question: Upgrade 24.1.6
April 30, 2024, 03:54:41 PM
Hello,

I read in the patch notes that something has now been changed with the DHCP relay.
On my firewall I also see that there are now entries there along the lines of Migrated IPV4 Server Entry.

Now my question would be: has DHCPRelay already been replaced? And have the entries now been migrated into ISC DHCP, or where do I find the configuration now?

Maybe someone can briefly tell me what needs to be done now. I, for example, do not use any DHCP functionality on the firewall but have moved it to my DHCP / DNS server, so I only use the DHCP relay function there.

Best regards
#14
German - Deutsch / Re: RspamD web interface
April 27, 2024, 12:45:50 PM
Thanks, I will try it with the newly created file and see whether it works then.
#15
German - Deutsch / Re: RspamD web interface
April 12, 2024, 06:15:12 AM
Hello Mimugmail,

I think you mean this file?
/usr/local/etc/rspamd/worker-controller.inc
But unfortunately that is also the one I always have to adjust. And after an upgrade it gets overwritten again.

I cannot find another one on the system either.
find / -name worker-controller.inc
/usr/local/etc/rspamd/worker-controller.inc
root@opensense01:~ #

I would be glad for further input to solve the problem.
Best regards