Topics - mestafin

#1
Tutorials and FAQs / Build OPNsense on aarch64
September 25, 2024, 04:54:33 PM
I have a FreeBSD (amd64) cross-build system for building OPNsense for aarch64.

The OPNsense/tools repository is installed in

/tmp/opnsense

on my machine to keep it separate from the main package repositories.

I am following the process in OPNsense/tools, but encountered a few problems with the version numbers of certain packages.

For example, when I build the ports collection, it fails with these types of error messages:

>>> ERROR: The build encountered fatal issues!
>>> Aborted version 1.1.0 for databases/py-duckdb@py311 (py311-duckdb)

>>> Aborted version 2.1.5_9 for dns/dnscrypt-proxy2 (dnscrypt-proxy2)
>>> Aborted version 3.18.0 for dns/py-dns-lexicon@py311 (py311-dns-lexicon)
>>> Aborted version 2.6.1,1 for dns/py-dnspython@py311 (py311-dnspython)

>>> Aborted version 29.4,3 for editors/emacs@nox (emacs-nox)
>>> Aborted version 12.4.0,2 for emulators/open-vm-tools-nox11 (open-vm-tools-nox11)
>>> Aborted version 3.1.6,1 for lang/ruby31 (ruby)

>>> Aborted version 5.12.0_17 for net-mgmt/collectd5 (collectd5)
>>> Aborted version 1.7.0_1 for net-mgmt/py-opn-cli (py311-opn-cli)
>>> Aborted version 1.32.0 for net-mgmt/telegraf (telegraf)

>>> Aborted version 4.6 for net/chrony (chrony)
>>> Aborted version 24.1.4_1 for net/cloud-init@py311 (py311-cloud-init)
>>> Aborted version 1100.00_1 for net/realtek-re-kmod (realtek-re-kmod)

>>> Aborted version 2.4.10_1 for print/cups (cups)

>>> Aborted version 1.4.1_2,1 for security/clamav (clamav)
>>> Aborted version 1.6.3_1 for security/crowdsec (crowdsec)
>>> Aborted version 2.4.5_1 for security/gnupg (gnupg)
>>> Aborted version 7.0.6_2 for security/suricata (suricata)
>>> Aborted version 1.8.17_1 for security/xray-core (xray-core)

>>> Aborted version 8.5.0_1 for sysutils/ansible@py311 (py311-ansible)
>>> Aborted version 8.14.3_1 for sysutils/beats8 (beats8)
>>> Aborted version 1.12a_1 for sysutils/cciss_vol_status (cciss_vol_status)
>>> Aborted version 1.8.2 for sysutils/node_exporter (node_exporter)
>>> Aborted version 7.32.1 for sysutils/puppet7 (puppet7)

>>> Aborted version 2.20.37_1 for textproc/minify (minify)

>>> Aborted version 0.5.7 for www/c-icap-modules (c-icap-modules)
>>> Aborted version 2.8.4.3.0.4.2.3_4 for www/caddy-custom (caddy-custom)
>>> Aborted version 1.0.0_10 for www/icapeg (icapeg)

I checked the version numbers against the aarch64 repository of Maurice (OPNsense aarch64 firmware repository) and it looks like it is mostly updated packages that caused the failures.

For example, py311-duckdb (1.1.0) fails while py311-duckdb (1.0.0) looks like it is OK.

How do I fix this version problem in the build system? (I am not a FreeBSD expert.)

Either I need to get the build system to accept the latest version or I need to revert (downgrade) the packages to the previous versions.

Any help will be appreciated.
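To triage a failure list like the one above, here is an added example (not code from the OPNsense/tools project) that parses the "Aborted version" lines and flags packages whose version is newer than the version a reference repository is known to build; apart from py311-duckdb 1.0.0, the reference versions are constructed, and the version ordering is a simplified form of pkg(8) comparison.

```python
import re

# Per-port failure line printed by the OPNsense/tools ports build
ABORT_RE = re.compile(r"^>>> Aborted version (\S+) for (\S+?) \((\S+)\)")

def parse_aborted(build_log: str) -> list:
    """Return (pkgname, version, origin) for every 'Aborted version' line."""
    found = []
    for line in build_log.splitlines():
        m = ABORT_RE.match(line.strip())
        if m:
            found.append((m.group(3), m.group(1), m.group(2)))
    return found

def version_key(v: str) -> tuple:
    """Sortable key for a FreeBSD package version 'ver_rev,epoch': epoch first,
    then dotted components (alphanumerics like '12a' become (12, 'a')), then
    port revision. Simplified: pkg(8)'s '+'/'pl' suffix rules are not modelled."""
    epoch = rev = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = []
    for comp in v.split("."):
        m = re.match(r"(\d*)(.*)", comp)
        parts.append((int(m.group(1) or 0), m.group(2)))
    return (epoch, tuple(parts), rev)

def newer_than_reference(aborted: list, reference: dict) -> list:
    """(pkgname, aborted_version, reference_version) for each failed port whose
    version is newer than the one known to build in the reference repository;
    packages absent from the reference are skipped rather than guessed about."""
    hits = []
    for pkgname, version, _origin in aborted:
        ref = reference.get(pkgname)
        if ref is not None and version_key(version) > version_key(ref):
            hits.append((pkgname, version, ref))
    return hits

# Constructed sample: four failure lines taken from the post above
SAMPLE_LOG = """>>> ERROR: The build encountered fatal issues!
>>> Aborted version 1.1.0 for databases/py-duckdb@py311 (py311-duckdb)
>>> Aborted version 2.6.1,1 for dns/py-dnspython@py311 (py311-dnspython)
>>> Aborted version 5.12.0_17 for net-mgmt/collectd5 (collectd5)
>>> Aborted version 1.12a_1 for sysutils/cciss_vol_status (cciss_vol_status)"""
# Constructed reference versions; only py311-duckdb 1.0.0 is stated in the post
REFERENCE = {"py311-duckdb": "1.0.0", "py311-dnspython": "2.6.1,1", "collectd5": "5.12.0_16"}
```

Calling `newer_than_reference(parse_aborted(SAMPLE_LOG), REFERENCE)` lists py311-duckdb and collectd5 as the ports to pin back or rebuild, while py311-dnspython (same version) and cciss_vol_status (not in the reference) are left alone.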
#2
I have managed to build the latest OPNsense 24.1.1 for my NanoPi R4S on a VM at AWS with a Graviton CPU, by following the make steps given in opnsense/tools.

I ended up with the following files in ../images:

OPNsense-202402091824-arm-aarch64-R4S.img

Using dd, I can copy this image to a SD card and it works fine in my R4S.

../sets:


packages-24.1_101-aarch64.tar
base-24.1_3-aarch64-R4S.txz
kernel-dbg-24.1_3-aarch64-R4S.txz


What is not clear to me is how I set up a web server as a repository for the images and plugins, to allow the installation of updates and plugins from the menu in the OPNsense GUI.

Are there any documents / tutorials / guides on how to create and configure a web server as a repository?

Thanks




#3
23.1 Legacy Series / Virtual IPs for CARP Setup
February 15, 2023, 09:06:35 PM
I am setting up new OPNsense firewalls (23.1.6).

For the CARP setup, I have to define a number of IP Alias settings under Interfaces / Virtual IPs / Settings:

Problem 1:
In the screen for defining an IP Alias, there is no Description field.

Is this a design decision or a bug?

Can we have the Description field back again?

For a CARP IP, the Description field is shown when a CARP IP is defined.


Problem 2:

In the Summary screen, Interfaces / Virtual IPs / Settings, sorting on the Address column does not work.


#4
20.1 Legacy Series / Unbound DNS
April 04, 2020, 05:33:40 PM
I have two separate LAN networks, each behind an OPNsense firewall with two private domains:

aaa and bbb

The two networks are linked via a site-to-site VPN.

On each network, Unbound is configured as the local DNS server to resolve local host names of the format:

host1.aaa and host2.aaa for the one network and host3.bbb and host4.bbb for the other network.

How do I configure the Unbound DNS server on the aaa domain to forward queries for hosts on the bbb domain to the Unbound server on the bbb domain?
#5
19.1 Legacy Series / [SOLVED] Root is now read-only
July 11, 2019, 10:43:23 AM
I upgraded to the latest version 19.1.9, but now the root user is read-only.
The second admin user is now also read-only.

I can no longer add / edit users.

Also, when I try and edit a route, I get the following error:

User root denied for write access (user-config-readonly set)

How do I fix this?
#6
I am running version 18.7.7 in an HA cluster.

We use the local database for authentication of users

When logged in as root on the primary fw, it is not possible to create a new User or a new User Group.

The error message is:

You do not have permission to perform this action.

What am I missing here?
#7
I am running the latest 18.7.7 on two identical boxes in an HA cluster with CARP.

On the LAN side, I have 8 VLANs defined on the single LAN interface.

Each VLAN has its own /24 subnet, defined as follows:

VLAN 10
10.11.10.1/24     CARP VIP, with VHID=10
10.11.10.91/24    Box One Interface
10.11.10.92/24    Box Two Interface

VLAN 20
10.11.20.1/24     CARP VIP, with VHID=20
10.11.20.91/24    Box One Interface
10.11.20.92/24    Box Two Interface

etc. for all VLANs

This all works very well.

Somewhere I read that CARP monitors a physical link and that this setup creates unnecessary CARP broadcast traffic that is essentially redundant, as all the VLANs are on the same physical interface and cable. You will not have a failure where only one VLAN subnet (virtual interface) fails; all the VLAN virtual interfaces will fail together if the physical interface fails.

What I can remember from the comment is that it is better to define a CARP VIP for one VLAN and then define IP Aliases for the other VLANs, but define the IP Aliases on the VLAN interface that is defined as a CARP VIP. I am not sure that I got that right.

Any recommendations or advice will be appreciated.
#8
I need some help on configuration of the Postfix plugin please.

Version is OPNsense 8.1.6-amd64.

I want to use Postfix as an SMTP server to send notification e-mails from the LAN devices to external email addresses.

The internal LAN domain is mydomain, while externally we use mydomain.net. There are proper MX and PTR records for mx.mydomain.net.

In the OPNsense System setup, the domain is defined as mydomain.

This is my current Postfix configuration:

General

System Hostname:      mx.mydomain.net
System Domain:         mydomain.net
System Origin:           (blank)
Listen IP's:                 all
Trusted Networks:       10.11.0.0/16 (Local LAN), plus the default 127.0.0.0/8 networks
Allow TLS Only:           Yes
Server Certificate:       star.mydomain.net   (wildcard SSL certificate for mydomain.net)
Root CA:                     Digicert Intermediate CA
SMTP Client Security:   may
Smart Host:                10.11.10.1   (this is the firewall LAN address)
Username:                  postfix
Password:                   ******

Domains
Domain:   mydomain                      Destination:     mx.mydomain.net

Senders
Address:  nas@mydomain.net            Action:  OK


On the NAS device, the mail client is configured as follows:

From email:     nas@mydomain.net
SMTP Server:    10.11.10.1
Port:           587
Use TLS:        Yes
Username:       postfix
Password:       ******

When I send an email from the NAS device, it fails.

The NAS device can access the Postfix server at 10.11.10.1.

There is nothing in the Postfix log files except start and stop messages.

How can I debug this or is my config wrong?


#9
I am using OPNsense 8.1.6.

I am trying to set up mobile VPN to allow remote dial-in. I am following the instructions in your How-To guide for setting up IPsec VPN for mobile clients (https://wiki.opnsense.org/manual/how-tos/ipsec-road.html).

In the guide, there is an option to specify the Peer Identifier and to define the actual value of the peer identifier. (see attachment)

This option is missing in the software.

In the client setups for iOS and macOS, this value is needed.

What am I missing here?





#10
Hi,

Is it possible to add an option to the GUI to force a CARP failover from Primary to Secondary and/or from Secondary to Primary again?

At the moment, I use the CLI command
      sysctl net.inet.carp.demotion=102

to force failover from Primary to Secondary and
      sysctl net.inet.carp.demotion=-102

Thanks

#11
18.1 Legacy Series / Upgrade from 17.7.12 to 18.1.5
March 23, 2018, 08:12:44 AM
Hi,

Currently we have 2 x OPNsense units running version 17.7.12 in an HA cluster on two hardware units from Deciso (model OPNsense Quad Core Gen3 SSD Rack, SKU: OPN19004R).

Do we need to first upgrade to 17.1.12_1 before we attempt to upgrade to 18.1.5?

Is it better to do a clean install of 18.1.5 and restore the configuration backup?

If there are issues, how do we revert back to 17.1.12?

Regards
#12
Hi,

I do appreciate the willingness of the OPNsense team to fix issues and to respond to any bug reports in a timely (weekly) manner, but it also creates some uneasiness.

When is the 18.1 Production Series stable enough to install on a critical production site?

Is there not a need for a more "stable" release with a list of known issues that can be used on production sites, provided you can live with the known issues?

The frequent 18.1 releases are just too "bleeding edge" for me, or am I just too conservative?
#13
17.7 Legacy Series / Multi-WAN and 1:1 NAT
January 30, 2018, 02:49:10 PM
Hi,

I have two WAN connections, WAN0 and WAN1, with different subnets on each WAN connection.

The gateway for WAN1 is the default gateway.

Internal LAN devices with 1:1 NAT rules defined with public IP addresses from the WAN1 subnet correctly use the public IP from WAN1 as defined in the 1:1 NAT rule.

The problem is with LAN devices with 1:1 NAT rules defined on public IP addresses from the WAN0 subnet.

Despite the 1:1 NAT rule, traffic from these devices is still routed via the default gateway for WAN1 (the system default gateway) and not via the public IP as defined in the 1:1 NAT rule.

This is for traffic that originates on the LAN device. Traffic that originates from the internet is correctly routed via WAN0 to the LAN device as per the 1:1 NAT rule.

How do I fix this please or what am I missing?
#14
18.1 Legacy Series / Feature Request: Rules Groups
January 25, 2018, 12:22:23 PM
Hi,

A feature request to make it easier to deploy OPNsense in enterprise setups.

On the Cisco ASA series you can define Service Groups, which can then be applied to individual hosts or networks.

Is it possible to consider something similar?

For example, you define a Service Group called "Mail Services" and for this group, you then define all the services (ports) that you want to allow through:
     HTTPS
     POP3
     IMAP
     SMTP
     SUBMISSION

You then apply this to individual hosts or networks etc.

The current Interface Groups feature is not really that helpful for this, as it only applies to interfaces or virtual VLAN interfaces.

#15
Hi,

I have two OPNsense firewalls running on 2 x dedicated hardware units in a new HA CARP cluster that is working fine, except for one problem - unsynchronised failover of the interfaces.

I have two WAN interfaces and one LAN interface, but with a number of virtual vlan interfaces defined on the LAN interface.

Each WAN interface has a CARP VIP, with the other public IPs of the WAN subnet defined as an IP Alias on top of the CARP VIP of the WAN subnet (same VHID number).

On the LAN side, each VLAN has a CARP VIP and two device IPs.
For the 10.1.1.0/24 subnet and VLAN, I have defined:

   OPNsense1 10.1.1.91, OPNsense2 10.1.1.92 and CARP VIP 10.1.1.1

The same for the other VLAN subnets.

Each WAN interface and each VLAN virtual interface has a unique VHID.

The problem is that during a failover, the WAN and virtual interfaces do not fail over at the same time. If I reboot the active unit, I may find that one unit has the WAN interfaces as active with the LAN interfaces as backup and the other unit the reverse. It looks like there is a timing difference between the WAN and LAN interfaces when a decision is made to fail over or not. Sometimes even the WAN interfaces are split or the LAN interfaces are split between the two units.

From my understanding of CARP, each VHID is handled individually and will fail over independently of the other VHIDs.

This will also be a problem if one interface fails. It will not help if only that interface fails over to the other fw.

Obviously, this is not going to work.

The main reason for the HA cluster, is failure of the OPNsense hardware units, as I already have dual uplinks to the ISP and dual switches.

How do I ensure that the units fail all interfaces over at the same time?




#16
Gents,

I need some help please with 2 x OPNsense fw units in a HA CARP setup.

I have configured the HA CARP correctly and it works 100% with VLANs and an IPsec Site-to-Site link to our other site. Each fw has its own public IP and then one public CARP VIP. The IPsec link also works with the CARP VIP defined on the WAN subnet.

We plan to use some of the other public WAN IPs with 1:1 NAT and VMs as mail and web servers, each with its own dedicated public IP from the WAN subnet. (This is how we had it previously on our HA Cisco ASA firewalls.)

What is not clear to me is how I "CARP" the other public WAN IPs?

Do I need 3 public IPs for each VM now - one per fw and one CARP VIP assigned to the VM?

Surely that can't be right?


#17
Gents,

I am new to OPNsense, but would like to evaluate the 18.1 Release Candidates.

Where and how do I download the releases?

#18
Hi,

I am using the System: High Availability GUI page to manage the CARP setup between two OPNsense units. Everything is working fine, except that one of the units crashed and since then there is a corruption in two GUI input fields.

The IP address field of the Synchronize Peer IP and the Synchronize Config to IP has an old value (10.5.1.2) that is never erased. See screenshot attached.

Before I do a save of the page, I have to manually update the IP fields to the correct value (10.18.1.52) and then click on save. It accepts and uses the correct value, as the sync etc. all works.

However, after the save is done, the old value of 10.5.1.2 returns again immediately. Before the next save, I have to overwrite it again.

I have checked, the wrong value is not in the XML config file that I downloaded and uploaded again. The web GUI is picking it up from somewhere else.

Any ideas where and how I can get rid of this value?


#19
17.7 Legacy Series / CARP PFSYNC Deletes Firewall Rule
January 01, 2018, 07:45:48 PM
Hi,
I am running OPNsense 17.7.5-amd64 on 2 x OPNsense Quad Core Gen3 SSD (Model SKU OPN19004R).
I have configured CARP and the failover works 100%, even with a Site-to-Site IPsec tunnel to the head-office router.

The PFSYNC interfaces are dedicated and connected point-to-point with a cable.

I have one major problem. Whenever the Master syncs the config to the Slave, it deletes the firewall rule on the PFSYNC interface of the Slave that accepts sync traffic.

The rule simply accepts all traffic from PFSYNC net to PFSYNC net.

To start the sync process, I manually configure this rule on the Master and the Slave.

When I make any change to any firewall rule on the Master, even just changing the description of a rule on the master, this rule on the PFSYNC interface is deleted on the Slave and all further syncs fail until I manually add the rule again on the Slave.

Other firewall rules are transferred correctly to the Slave on the other interfaces.

Any ideas how to fix this?