Topics - tdalej

#1
Admins -- If this is off topic for this forum, please remove/delete this.

I have been coasting along with email services from Yahoo for a long time, but enshittification has taken its toll.
I have over the years set up my own mail servers in my domains - but I know I don't have the bandwidth to do the administration needed to keep the service healthy and clean.
So, I'm looking for a reliable hosting provider that I can use for IMAP/SMTP services - one that doesn't use Google, Amazon, etc. - and I'd like to go with a company that is as ethical as corporations can be.
I have spent the last week or so going through reviews and web sites from countless providers -- in most cases, email seems to primarily be a web site hosting add-on.
I have my own domain(s) and already host web sites for each locally.

I have a list of criteria that are required:
IMAP + IMAP Storage - prefer 20GB per mail box or more
SMTP
5 mailboxes at a minimum, but would much prefer accounts managed at domain(s) level so that I can create/remove mailboxes as needed.
Unlimited Aliasing

A Nice to have but not currently in use is Shared Calendars.

The marketing fluff around this is ... very strong.
And there are a lot of them out there.

I'm tossing rocks in the pool at this point in the hope that someone out there has a provider they are happy enough with that they will recommend them, so I can narrow the field a bit.

#2
General Discussion / Firewall rules/orders for dummies
December 17, 2025, 08:23:07 PM
I just upgraded to 25.7.9_7 and am adjusting networks afterwards.

I have separate physical subnets for various purposes.
One I use for all WIFI and a security camera NVR.
I need _one_ camera on LAN40 to talk to the NVR on LAN40.
I had the Wifi subnet isolated from the other subnets by the 3rd and 4th rule (successfully I thought).
I tried adding the top two rules for any protocol/any port between 192.168.20.70 and 192.168.40.5
I'm missing something because the block to the subnet appears to be working, but the rules prior to that do not.
I'm not sure what I'm missing here, but if anyone can explain it to me like I'm a dummy, I'd appreciate it.


Automatically generated rules
Proto    Source              Port  Destination                 Port  Gateway  Schedule  Description
IPv4 *   192.168.20.70/24    *     192.168.40.5/24             *     *        *         In rule for Security Camera
IPv4 *   192.168.40.5/24     *     192.168.20.70/24            *     *        *         Out Rule for Security Camera
IPv4 *   WIFI net            *     LAN20, LAN30, LAN40, LAN50  *     *        *         Default block out to private subnets rule
IPv4 *   WIFI net            *     LAN20, LAN30, LAN40, LAN50  *     *        *         Default block in to private subnets rule
IPv4 *   WIFI net            *     *                           *     *        *         Default allow WiFi to any rule
#3
25.7, 25.10 Series / root/admin password after restore
November 03, 2025, 12:23:13 AM
I spun up a new install of 25.7.
After getting to the login and doing the basic wizard setup bit, I restored a backup of my running OPNSense running 25.1

None of the passwords from either setup work on the console after reboot.

Is this expected?
Should I have modified the backup file and blanked password fields?
I don't recall seeing anything particular in the docs other than restore steps.

Or is this just some incompatibility between versions?
 
#4
My time is about 9 minutes off -- compared to two other professionally (more than me at least) managed networks.
The default opnsense pool reported in the logs DNS resolution failure

Error    ntpd    error resolving pool 1.opnsense.pool.ntp.org: Name does not resolve (8)

so I added pool.ntp.org and us.pool.ntp.org and I'm still seeing status like below.
I do see this and many more servers in the list -- is the "Unreach/Pending" just a side effect of not being in sync?
Although the offset column shows I'm not as far off as it really is ...

I'd really like my gateway to sync up and provide NTP for the local networks ...

Status           Server                 Ref ID          Stratum  Type  When  Poll  Reach  Delay   Offset  Jitter
Unreach/Pending  us.pool.ntp.org        .POOL.          16       p     -     64    0      0.000   +0.000  0.000
Unreach/Pending  opnsense.pool.ntp.org  .POOL.          16       p     -     64    0      0.000   +0.000  0.000
Unreach/Pending  134.215.155.177        216.239.35.0    2        u     14    64    7      48.304  +1.936  0.174
Unreach/Pending  158.51.99.19           17.253.26.125   3        u     16    64    7      42.716  +0.857  0.319
Unreach/Pending  72.14.183.239          45.79.1.70      3        u     13    64    7      16.266  +0.373  0.067
Unreach/Pending  74.208.25.46           198.46.254.130  3        u     13    64    7      36.483  +5.648  2.497
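Added example (not from the post or from OPNsense): a small parser for the peer table shown above that decodes the Reach column, which ntpd prints as an octal 8-bit shift register of the last eight polls. The "p" rows with stratum 16 are pool placeholders that never sync themselves; the "u" rows with Reach 7 have answered only the last three polls.

```python
# Decode the Reach column of an ntpq-style peer table (added example).
# Reach is an 8-bit shift register printed in octal: each poll shifts in
# a 1 (reply) or 0 (no reply), newest in the low bit.
from dataclasses import dataclass

# Peer table copied from the NTP status screen quoted in the post above.
PEER_TABLE = """\
Status     Server     Ref ID     Stratum     Type     When     Poll     Reach     Delay     Offset     Jitter
Unreach/Pending     us.pool.ntp.org     .POOL.     16     p     -     64     0     0.000     +0.000     0.000
Unreach/Pending     opnsense.pool.ntp.org     .POOL.     16     p     -     64     0     0.000     +0.000     0.000
Unreach/Pending     134.215.155.177     216.239.35.0     2     u     14     64     7     48.304     +1.936     0.174
Unreach/Pending     158.51.99.19     17.253.26.125     3     u     16     64     7     42.716     +0.857     0.319
Unreach/Pending     72.14.183.239     45.79.1.70     3     u     13     64     7     16.266     +0.373     0.067
Unreach/Pending     74.208.25.46     198.46.254.130     3     u     13     64     7     36.483     +5.648     2.497
"""


@dataclass
class Peer:
    server: str
    stratum: int
    ptype: str        # 'p' = pool placeholder, 'u' = unicast peer
    poll: int         # poll interval, seconds
    reach: int        # reach register as an integer (parsed from octal)
    offset_ms: float


def parse_peers(text: str) -> list[Peer]:
    """Parse the whitespace-separated table, skipping the header line."""
    peers = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) != 11:        # tolerate blank or wrapped lines
            continue
        peers.append(Peer(f[1], int(f[3]), f[4], int(f[6]), int(f[7], 8), float(f[9])))
    return peers


def reach_history(reach: int) -> str:
    """Render the last 8 polls oldest-to-newest: 'o' = reply, '-' = none."""
    return "".join("o" if reach & (1 << i) else "-" for i in range(7, -1, -1))


def assess(p: Peer) -> str:
    """Explain why a peer shows as Unreach/Pending."""
    if p.ptype == "p" and p.stratum == 16:
        return "pool placeholder: it only spawns the 'u' peers below and never syncs itself"
    if p.reach == 0:
        return "no reply received yet"
    answered = bin(p.reach).count("1")
    if p.reach == 0o377:
        return "fully reachable (8 of 8 polls answered)"
    return (f"{answered} of last 8 polls answered [{reach_history(p.reach)}]: "
            f"history still filling, about {answered * p.poll} s since first reply")


if __name__ == "__main__":
    for p in parse_peers(PEER_TABLE):
        print(f"{p.server:24} {assess(p)}")
```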
#5
This has nothing to do with OPNsense -- this is firmly with the provider - Spectrum in Texas.

Spectrum has recently added fiber to my area.
I have a /29 of static IP addresses (Spectrum calls this a "5 block").
At random intervals, geolocation for my static IPs update to various major metro areas in Texas.
When running my IP through various ip tools on the internet you can see the different tools will show different locations.
I assume that those various tools update their location information to some extent at least to routing to/from the IP address, perhaps?

Spectrum tech support has been way less than helpful so far -- most of the 1st level responses haven't even understood the issue.
Most of them don't understand what a PTR record is and will argue about their ability to alter them. :=(
At one point, on escalation I was told that Spectrum will route traffic outside the spectrum network in various physical locations, based on network load.
None of them will answer any questions about how spectrum routing and traffic paths work, or how this could affect the geo-location of the public, static IP addresses for which I pay extra.

Traffic that originates coming to me seems unaffected -- the IP addresses do appear to be public. Where this shows up as a major PITA is that I frequently get security alerts from places like eBay - "A device logged into your account from San Marcos, TX - was that you?" - next login I have to go through account verification. Again.
Some streaming services provide "local" channels.
Makes life interesting if you never know if "local" will be Dallas/Ft Worth, Houston, Austin or San Antonio ...

Anyone else on Spectrum or encountered anything like this?

#6
Ramblings from someone who woke up in the middle of the night with this in his head ...

The Arista 7050S-52 switch (10GB ports) is out in the wild for just over $100 now.
The later 7050 family switches have at least 4GB of RAM, and this model has a "built in SSD".
Arista EOS is based on Linux -- I have a 7050TX-64 (10GB and 40GB ports) that is on a 4.9 64bit kernel (and it's not on the latest version.)

Would it be possible to run OPNsense on Arista hardware?
Anyone tried it?


I have no idea what you'd do with that many ports, but at ~$100 - $150 ... 
#7
I'm looking for anyone else on their service where you experience frequent geo-location shifts of your public IP.
I'm on a static /29 from them in the 70.116.n.n range.

The only streaming app that can reliably determine what is "local" to us is the Spectrum TV app. 

Sometimes the streaming apps the wife uses will show us channels/content from the closest Metro area, and a lot of days we get content from San Antonio -- several hundred miles away.

Spectrum business support has provided two responses so far, depending on which level of tech you get:
1. "No, you are crazy, we never have any issues, it's a problem to deal with in your app."
2. "Yea, happens all the time, sucks to be you."


I'm collecting traceroutes to several points of interest when we see the change, to document it.
I did some searching and saw someone on Reddit asking about the same thing -- their solution was to go to another fiber provider.
I wish I could here.
I had to wait for someone to pass away here to grab an open DSL port before Spectrum installed fiber.

Other than the really weird head end issue it's not that bad (especially compared to present alternatives), but at this point it's driving us buggy with this issue.

#8
24.7, 24.10 Legacy Series / automating backups
January 10, 2025, 10:57:31 PM
I am at the stage of setting up automated backups of an opnsense installation.
I see the API documentation, and that looks like possibly the answer, however ...

Is the entire configuration stored in a single file as in the backup from the UI?

I have used another, similar product that contained the configuration in a single file and a very simple Korn shell script was all that was required to obtain a copy of the file that could be used for restoration.

/conf/config.xml seems to have a majority of the config -- can it be used to restore on a fresh install?
If so, what is the advantage of the APIs for backup?


#9
24.7, 24.10 Legacy Series / ssh access
January 06, 2025, 10:54:54 PM
It seems in the GUI the ability to enable ssh access is global and I don't see anything that is interface specific.
Is the WAN interface disabled for ssh access by default?


#10
Especially if you edit DHCP static leases or DNS overrides in order to save yourself the time of one-by-one entry:

There appears to be no data integrity checking prior/during restore.

Some examples:
Trailing spaces in fields - like mac addresses, duplicate entries in DHCP leases, all are rejected if attempted in the GUI.
All get by the restore without error.
Best part is, in the case of ISC DHCP4, apparently handing multiple IP addresses to the same MAC address works.
Both get inserted into unbound.
So a single device gets two valid leases and both entries are inserted into DNS.

Being able to sort the static lease entry tables by the various column headers would help identify these quickly.
You can sort the leases table, so you only see them when the obvious occurs and some device becomes unavailable on the network because it happens not to respond to the first DNS entry.

My bad for the essentially corrupted data -- but if there is an attempt to idiot-proof opnsense, I'm winning today. :/
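Added example (not an OPNsense tool, and not from the post): a pre-restore check for a hand-edited config.xml that catches the three defects the post describes, whitespace in a field, the same MAC mapped twice, and the same IP assigned twice. It assumes the ISC DHCPv4 layout `/opnsense/dhcpd/<interface>/staticmap` with `<mac>`, `<ipaddr>` and `<hostname>` children; the XML sample is constructed.

```python
# Pre-restore sanity check for hand-edited DHCP static mappings in an
# OPNsense config.xml backup (added example, not an OPNsense tool).
# Assumed layout (ISC DHCPv4): /opnsense/dhcpd/<ifname>/staticmap with
# <mac>, <ipaddr> and <hostname> children.
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample with the defects described in the post: a trailing
# space in a MAC, the same MAC mapped to two addresses, and a duplicated IP.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <dhcpd>
    <lan>
      <staticmap><mac>aa:bb:cc:dd:ee:01 </mac><ipaddr>192.168.10.50</ipaddr><hostname>printer</hostname></staticmap>
      <staticmap><mac>aa:bb:cc:dd:ee:02</mac><ipaddr>192.168.10.51</ipaddr><hostname>nas</hostname></staticmap>
      <staticmap><mac>aa:bb:cc:dd:ee:02</mac><ipaddr>192.168.10.52</ipaddr><hostname>nas-old</hostname></staticmap>
      <staticmap><mac>aa:bb:cc:dd:ee:03</mac><ipaddr>192.168.10.51</ipaddr><hostname>camera</hostname></staticmap>
    </lan>
    <opt1>
      <staticmap><mac>aa:bb:cc:dd:ee:04</mac><ipaddr>192.168.20.10</ipaddr><hostname>ap1</hostname></staticmap>
    </opt1>
  </dhcpd>
</opnsense>
"""


def check_static_maps(xml_text: str) -> list[str]:
    """Return one message per defect the GUI would reject but restore accepts."""
    root = ET.fromstring(xml_text)
    problems = []
    dhcpd = root.find("dhcpd")
    if dhcpd is None:
        return ["no <dhcpd> section found"]
    for iface in dhcpd:                       # one child element per interface
        seen_mac: dict[str, str] = {}
        seen_ip: dict[str, str] = {}
        for n, sm in enumerate(iface.findall("staticmap"), start=1):
            where = f"{iface.tag} staticmap #{n}"
            raw = {k: (sm.findtext(k) or "") for k in ("mac", "ipaddr", "hostname")}
            for field, value in raw.items():
                if value != value.strip():
                    problems.append(f"{where}: <{field}> has leading/trailing whitespace: {value!r}")
            mac, ip = raw["mac"].strip().lower(), raw["ipaddr"].strip()
            if not MAC_RE.match(mac):
                problems.append(f"{where}: malformed MAC {mac!r}")
            if mac in seen_mac:
                problems.append(f"{where}: MAC {mac} already mapped to {seen_mac[mac]} (device would get two leases)")
            else:
                seen_mac[mac] = ip
            if ip in seen_ip:
                problems.append(f"{where}: IP {ip} already assigned to {seen_ip[ip]}")
            else:
                seen_ip[ip] = mac
    return problems


if __name__ == "__main__":
    for msg in check_static_maps(SAMPLE_CONFIG):
        print(msg)
```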


#11
This is a really dumb/simple setup and I know the answer is somewhere in these forums or the docs, and I have spent several days looking ...
I can't find anything that addresses this specific question so here I go ...

I have an OPNSense device with 6 interfaces - 1 WAN, 5 LANs.
Each LAN is its own 192.168.n.0/24 subnet.
Each LAN has its own DNS overrides in unbound, and each has ISC DHCP4 server configured with a single pool within its subnet and a range of static leases assigned outside the dynamic pools.

LANs are:
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
192.168.40.0/24
192.168.50.0/24

I'm not using any IPV6, VLANs or VPNs at present to keep this simple.


As I added each new subnet after initial WAN/LAN set up, I duplicated the LAN Any to Any rules to each new subnet.
On each subnet I can do fwd/rev lookups of any device on any other LAN.
It appears I have general access across all LANs (as expected) with the any-to-any rules in place.

I need to configure rules to isolate some subnets to only have access to the WAN.
Some subnets need access to the other not-isolated subnets.

For each subnet that should be blocked, firewall rules for each interface should be added above the allow any rule that block both inbound and outbound from the other subnets, correct?

For example -- if I add on the 50.0/0 interface block in and block out rules for the net address of the 10.0/0, 20.0/0, 30.0/0 and 40.0/0 subnets -- will that effectively block all traffic in and out from those networks, or do I need to have inbound blocked on the .50.0/0 interface and outbound to the .50.0/0 on all other interfaces?

Is there a simpler way to do this in floating rules and I'm just over-complicating this?
In addition to the any-to-any rules on the LANs - other than the "automatically generated rules" (which vary in number for some reason on the different LANs) is there any other basic thing I'm missing?

I also need to restrict access to the opnsense appliance itself from the WAN and certain LANs.
Is there a setting in the GUI or is that done via firewall rules?
#12
How is 192.168.30.100 to 192.168.30.200 _not_ within a 192.168.30.0/24 subnet?


#13
I tried this a number of years ago without success. https://forum.opnsense.org/index.php?topic=9039.0
I am desperately hoping there is an alternative to manual input of ~70 DNS override entries and ~90 or so static DHCP assignments.

Any way to manually edit the xml backup file then restore?
I don't see any way in the UI to mass import...
#14
This is the page from OPNSense docs: https://docs.opnsense.org/manual/routes.html
Short and sweet, but not much help.

I had a LAN configured between two other somewhat similar firewall products.
Site 1 LAN 192.168.10.0/24
Site 1 LAN for interconnect 192.168.30/0  (Interface 192.168.30.1)

Site 2 LAN for interconnect 192.168.30/0  (Interface 192.168.30.2)
Site 2 LAN 192.168.20.0/24

Site 1 Gateway for route to site 2 -  192.168.30.2 with monitor IP of 192.168.20.1
Site 2 Gateway for route to site 1 - 192.168.30.1 with monitor IP of 192.168.10.1

Site 1 static routes 192.68.20 Net via Site 1 Gateway
Site 2 static routes 192.68.10 Net via Site 2 Gateway

This configuration worked between sites in the previous setup -- I have changed to OPNSense in Site 1 and Site 2 is on the other/older firewall.

Gateway monitoring doesn't even work on OPNSense.
I can monitor and get a ping response from the Site 2 gateway from the OPNSense CLI, but not the default gateway in Site 2.

Obviously I'm missing something in routing, but I can't see it ...

Anyone got any hints?
#15
23.7 Legacy Series / smartmontools on 23.7.12
January 25, 2024, 02:25:48 PM
When installing the os-smart plugin to monitor drive health, the message below is displayed.

There is no /etc/periodic.conf file.
Just daily, weekly, etc, directories in /etc/periodic 

Should this file be created or should an entry in the appropriate period be created?


Quote: Message from smartmontools-7.4_1:

--
smartmontools has been installed

To check the status of drives, use the following:

   /usr/local/sbin/smartctl -a /dev/ad0   for first ATA/SATA drive
   /usr/local/sbin/smartctl -a /dev/da0   for first SCSI drive
   /usr/local/sbin/smartctl -a /dev/ada0   for first SATA drive

To include drive health information in your daily status reports,
add a line like the following to /etc/periodic.conf:
   daily_status_smart_devices="/dev/ad0 /dev/da0"
substituting the appropriate device names for your SMART-capable disks.

To enable drive monitoring, you can use /usr/local/sbin/smartd.
A sample configuration file has been installed as
/usr/local/etc/smartd.conf.sample
Copy this file to /usr/local/etc/smartd.conf and edit appropriately

To have smartd start at boot
   echo 'smartd_enable="YES"' >> /etc/rc.conf
#16
I have a Supermicro 1U Server I'm (going) to use as a firewall.
4 500GB enterprise SATA disks, so ZFS raidz3 might be a good approach.

It ran so long I stopped it and tried another firewall product that can use ZFS and on the same hardware installation time is minutes, not hours.

I'm running the installation of opnsense 23.7 again ...  I'm 3+ hours in and the screen says 38%.

Is this normal?
Anyone else using ZFS?
#17
If a query forward for a specific domain exists in unbound AND all DNS queries are redirected to 127.0.0.1, which takes precedence?
#18
I have an interface on the OPNSense that is used to send/receive traffic from another network via a dedicated link to another building.

Interface is configured, gateway is set up, static route is added. (Both sides)

One site interface IP is 192.168.30.1, the other has an interface IP of 192.168.30.2
Gateway on the .1 side is the .2 IP.
Gateway on the .2 side is the .1 IP.
The monitor IP on each is the LAN ip of the respective firewall.  (192.168.10.1 on the .1 side and 192.168.20.1 on the .2 side.)
Static routes have been added for each network -- a route for traffic to the .20/24 has been added and a route for the .10/24 has been added.

From OPNSense on the "LAN" net, I can access servers on the 192.168.30.0/24 net but not the 192.168.20.0/24 net.

When the gateways are configured, you can set up a "monitoring IP" -- it is set for the primary LAN interface IP on both sides.
OPNSense identifies the gateway as up, but the other end sees the OPNSense gateway as down.

It's like static routes are ignored on PFsense.

Do route changes require a reboot?

What settings am I missing on the OPNSense to make this work?
#19
23.7 Legacy Series / Gateway to another network
January 18, 2024, 02:19:07 PM
I had this set up and working with another firewall product, but can't seem to make it happen now.
A lot more things to twiddle in OPNSense I think.

I have OPNSense1 set up with WAN/LAN and some optional interfaces.

One of the optional interfaces is a 10G link to another building with its own firewall and internet connection.
(One internet connection is DSL the other is line-of-sight radio, and traffic needs are very different on both.)

Previously, I configured an interface on each firewall for the connection between buildings, added a gateway on each with the interface on the opposite firewall as the gateway IP address, and the LAN IP on the opposite firewall as the monitor IP.

That's not working in OPNSense for some reason.

And best of all, when I activate the route and gateway, my DMZ subnet loses WAN access :/

What portions of this configuration can I post here for suggestions on how to make this work?

Visual if that helps.  Trying to get the gateway/route correct to connect the two sites.


One thing I do see in the static route configuration section is this statement:
"Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway. "

As soon as I enable this route:
Disabled  Network          Gateway                     Description             Commands
          192.168.20.0/24  OfficeLabGW - 192.168.30.2  Static route to site 2

And this gateway:
Name         Interface  Protocol  Priority  Gateway       Monitor IP    RTT  RTTd  Loss  Status   Description
OfficeLabGW  OfficeLab  IPv4      255       192.168.30.2  192.168.20.1  ~    ~     ~     Pending  OfficeLab Gateway

Most everything loses access to the internet.

This rather simple setup worked with the firewall I previously used, so I know it's possible.
I suspect I'm just missing something basic.
#20
This is getting to be a steep learning curve :)

For the most part so far (with some real weirdness), the WAN and LAN traffic seem to be working as expected.
DHCP active on LAN (I'm typing this from a desktop connected to LAN right now on a DHCP lease).

I need to setup several other "LAN" interfaces for various purposes -- some of them need to be isolated from everything but the internet and one is just for traffic to another building.

So, I have configured so far:
WAN
LAN
(Both working pretty much as expected)

WLAN         192.168.15.0/24
Work         192.168.50.0/24
10GLAN       192.168.40.0/24
Outbuilding  192.168.30.0/24

For most of this, /24 is overkill but it keeps it simple(ish).

I can match the physical interface in the UI by observing the display in the console --

WLAN         (igb3)  192.168.15.1/24
Work         (igb3)  192.168.50.1/24
10GLAN       (ix1)   192.168.40.1/24
Outbuilding  (ix0)   192.168.30.1/24

The interface names and MAC address on the console agree with the interface names in the UI.

I have enabled DHCP on Work and WLAN -- plugging in a laptop on the Work segment gets a DHCP assignment from the WLAN range.
I swap the interface to the WLAN interface and I get an address in the Work range...


How exactly are DHCP services tied to an interface?
I'm not sure what I'm doing wrong here ...

LAN is a 192.168.0.0/24

I need to create a subnet for Windows laptops.
Win 192.168.50.0/24
DHCP enabled for about 10 IPs in this range.
Access to the internet but no access to any other systems behind the OPNSense box.
I don't care if it uses external DNS -- I need these laptops completely isolated from the internal network as a priority.

Instead of a LAN to Any rule, would the proper way to do this be Windows to This Firewall rule?

I created another subnet by adding an interface with a different 192.168.0.0/24.
Enabled DHCP, booted a laptop connected to that interface ...
I can see that it gets an IP on the