Topics - tre4bax

#1
I have a number of certificates from Let's Encrypt.  One wildcard for the whole domain, and 3 individual ones.

Recently one of the services using these broke, and it turns out that the renewal process failed.  This process, though, only failed on the 3 individual ones; the wildcard renewed quite happily.

When I dug in I found that the _acme-challenge TXT record fails to add to my GoDaddy DNS for the domain.

(See the attached image file that I could not figure out how to embed ;-)  )

This only seems to happen when it tries to create a record with a _acme-challenge.XXX format (where XXX is the name of the server that needs the certificate).  The wildcard happily creates as it has no .XXX on the end.

Is this an issue with the setup of the DNS, or something weird in the OPNsense ACME client?  I have tried looking at the TXT it tries to add to get the value and then manually creating a key to match, but this fails too, probably because the client tries to add a new value to the same key and that fails.

Any ideas how I can get this to work again?
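Added example, not from the original post: the two record names a DNS-01 renewal asks for, worked out from the zone apex, plus an external check of what the CA will actually see. `example.com` and `host.example.com` are placeholders; the check needs network and `dig`, the name calculation runs offline.

```sh
#!/bin/sh
# Added example, not from the original post: which TXT record a DNS-01
# challenge needs relative to the zone the provider hosts, and how to
# check it from outside.  example.com / host.example.com are placeholders.

# acme_txt_name FQDN ZONE -> the relative record name the DNS provider expects.
# Both "example.com" and "*.example.com" validate at
# _acme-challenge.example.com, so their relative name is just _acme-challenge;
# "host.example.com" validates at _acme-challenge.host.example.com, relative
# name _acme-challenge.host.  That extra ".host" label is what the per-host
# certificates need and the wildcard does not.
acme_txt_name() {
    fqdn=${1#\*.}                                   # drop a leading "*."
    zone=$2
    case $fqdn in
        "$zone")    echo "_acme-challenge" ;;
        *."$zone")  echo "_acme-challenge.${fqdn%.$zone}" ;;
        *)          echo "acme_txt_name: $1 is not in zone $zone" >&2; return 1 ;;
    esac
}

# acme_txt_fqdn FQDN -> the full owner name the CA will query.
acme_txt_fqdn() {
    echo "_acme-challenge.${1#\*.}"
}

# acme_txt_check FQDN ZONE: what the world sees (needs network).  The CA does
# not use your resolver cache, so ask a public resolver and the zone's own
# authoritative servers.  Needs dig (pkg install bind-tools on OPNsense;
# drill from ldns is the built-in alternative).
acme_txt_check() {
    name=$(acme_txt_fqdn "$1")
    echo "== $name via 1.1.1.1"
    dig +short TXT "$name" @1.1.1.1
    for ns in $(dig +short NS "$2"); do
        echo "== $name via authoritative $ns"
        dig +short TXT "$name" "@$ns"
    done
}
```

Zone editors that take names relative to the zone, GoDaddy's included, want `_acme-challenge.host`, not the full owner name, otherwise the zone gets appended a second time. If `acme_txt_check` shows nothing at the authoritative servers while the client logs a successful add, the record never reached the zone; if the value is there but renewal still fails, compare it with the token the client logged, since several TXT values may legitimately share the same name.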
#2
I swear there used to be a button to clear the logs in the logs of the ACME client.  Has this disappeared or is there another way to clear the logs from the UI?
#3
23.7 Legacy Series / Opnsense failing - maybe unbound?
September 07, 2023, 12:48:09 PM
For the last couple of weeks since I upgraded to the 23.7 I have been having a problem with my opnsense router.

1) Sometimes my machines lose internet access, but the network seems to be working.  When this happens I cannot access the OPNsense web UI either.  Poking the power button rectifies it: the machine shuts down cleanly, then works when rebooted.

2) The router randomly reboots.  I become aware that the whole network is just not working.  After a bit it starts working again, and when I access the web UI it is clear the router has rebooted.

The device itself is about a month old now, based on an N5105 with 16 GB RAM.

I've made sure I've done all the updates I have found but alas still no luck figuring out what caused it.

Situation 1 just happened again, prompting me to finally get around to asking if anyone has any ideas.  25 pages back in the log at the time it happened I see this.

<6>pid 61824 (unbound), jid 0, uid 59: exited on signal 11   
2023-09-07T09:42:00   Notice   kernel   <6>pid 25031 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:40:09   Notice   kernel   <6>pid 4217 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:40:00   Notice   kernel   <6>pid 97999 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:39:00   Notice   kernel   <6>pid 85400 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:36:00   Notice   kernel   <6>pid 52843 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:34:00   Notice   kernel   <6>pid 25958 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:30:00   Notice   kernel   <6>pid 68520 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:28:00   Notice   kernel   <6>pid 38821 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:27:00   Notice   kernel   <6>pid 26862 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:25:00   Notice   kernel   <6>pid 566 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:24:01   Notice   kernel   <6>pid 84849 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)   
2023-09-07T09:21:00   Notice   kernel   <6>pid 40608 (ld.lld), jid 0, uid 0: exited on signal 11 (core dumped)

Python error messages also happen when situation 2 occurs.  I seem to remember that around the time it started the updates did an update to Python.  Is it possible this is corrupt or something?  Is there a repair option?
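Added example, not from the original post: a quick triage of the kernel "exited on signal" notices above. The log lines are the ones from the post, embedded so the functions run offline; `signal_summary` groups crashes by program, uid and signal, and `signal_times` lists when one program died so a cadence (here, most entries on minute boundaries) is easy to spot.

```sh
#!/bin/sh
# Added example, not from the original post: triage the kernel
# "exited on signal N" notices in an OPNsense system log.

# The lines from the post, embedded so this runs offline.  The first one is
# quoted without its timestamp, exactly as it appeared.
sample_log() {
    cat <<'EOF'
<6>pid 61824 (unbound), jid 0, uid 59: exited on signal 11
2023-09-07T09:42:00   Notice   kernel   <6>pid 25031 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:40:09   Notice   kernel   <6>pid 4217 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:40:00   Notice   kernel   <6>pid 97999 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:39:00   Notice   kernel   <6>pid 85400 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:36:00   Notice   kernel   <6>pid 52843 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:34:00   Notice   kernel   <6>pid 25958 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:30:00   Notice   kernel   <6>pid 68520 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:28:00   Notice   kernel   <6>pid 38821 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:27:00   Notice   kernel   <6>pid 26862 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:25:00   Notice   kernel   <6>pid 566 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:24:01   Notice   kernel   <6>pid 84849 (python3.9), jid 0, uid 0: exited on signal 11 (core dumped)
2023-09-07T09:21:00   Notice   kernel   <6>pid 40608 (ld.lld), jid 0, uid 0: exited on signal 11 (core dumped)
EOF
}

# signal_summary < log
# One line per (program, uid, signal): "<count> <program> (uid N) signal N",
# most frequent first.  Works on /var/log/system/latest.log or a web-UI export.
signal_summary() {
    awk '
        /exited on signal/ {
            match($0, /\([^)]*\)/)                 # first "(...)" is the program
            prog = substr($0, RSTART + 1, RLENGTH - 2)
            match($0, /uid [0-9]+/)                 # who it was running as
            uid = substr($0, RSTART + 4, RLENGTH - 4)
            sig = $0
            sub(/.*exited on signal /, "", sig)
            sub(/[^0-9].*/, "", sig)
            n[prog " (uid " uid ") signal " sig]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# signal_times PROG < log
# Timestamps (newest first, as the UI exports them) of every crash of PROG.
# Lines quoted without a timestamp are reported as such rather than guessed.
signal_times() {
    awk -v prog="$1" '
        /exited on signal/ && index($0, "(" prog ")") {
            ts = ($1 ~ /^[0-9][0-9][0-9][0-9]-/) ? $1 : "(no timestamp)"
            print ts
        }
    '
}

# Where the "(core dumped)" files went: FreeBSD names them per this sysctl
# (default %N.core in the process working directory).
core_location() {
    sysctl kern.corefile
}
```

Usage: `signal_summary < /var/log/system/latest.log` on the box, or `sample_log | signal_times python3.9` here. Signal 11 is SIGSEGV; note that unbound died as uid 59 (its own unprivileged account) while every python3.9 crash was uid 0, so a core file from the latter is a root-owned artifact worth keeping off world-readable paths.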


#4
Pre-router-death, HAProxy was working really well.

Having now got everything back online, HAProxy does not work for any server that does anything with rules etc.  The basic ones work normally, but not those.

During the process of importing the config, OPNsense made me upgrade to the latest version.  Although the config looks good and checks through fine, things keep failing.

I went through and disabled all the servers that were not working.  I am now adding them in one by one, but am not winning.  I exported the HAProxy config and found this.



This feels like it should not be there, and I wondered if, because the config was imported new, it has generated new ACLs and there is a mixture of old and new in there?  Not sure if that makes sense though, or even really what those ACLs might be!

#5
Up until now I have used a broadband modem connected to my WAN port using PPPoE.

PSTN telephony is being turned off, so the only way to get this now is to use my provider's (Vodafone) broadband.  Having just had the OPNsense device die, I have replaced it and have imported the setup that has been working for the last 5 years.

My plan was to connect the OPNsense router (OR) to the broadband router (BR) by having the OR WAN port as an exposed device on the BR.  This connection works on the OR box, where I can ping the BR routing address from the OR box, but there is no routing going on.

As I changed the WAN port from PPPoE on the OR to static IP, does this change all the rules and things?
#6
I am trying to reload a new copy of OPNsense and base it on a config.xml.

I can do this and it gets running as my server; however, the challenge is I chose a really complex password for my system and it is too hard to type in manually.  This means I cannot get logged in to run the installer to get it onto the hardware.

Is there a way to get the system to do the import but replace the config.xml version of the root password with the standard OPNsense default?  If that is not an option, can I do this by modifying config.xml?
#7
After 5 years my OPNsense router box died.  Worse, I found my config backups were not good.

I bought a new box and I have a USB adapter for the SATA drive from the old box, as the drive slots differ.  It boots on this adapter, but I cannot log in as my password is very long and complex, and I cannot get the box to attach to the network or a device attached to its ports.  I think the configuration of the ports is different, so the instance thinks it has no ports.

I tried booting to single-user mode and doing opnsense-shell password, but when it reboots it does not remember that password, I suspect because the right part of the disk is not mounted through USB, though I cannot manually mount them.

My goal is just to get a current version of the config from this disk.  Anybody got any ideas how I can do that?  Once I have that I will do a reinstall and import that config.

#8
Is there an add-in that provides the client side of Cloudflare Tunnels to be run on an OPNsense router?

I've looked but not seen anything, and I am reluctant to do things that are not natively supported.  I'd rather have it break out on the router than go through the firewall to another box where it then breaks out, if possible.

Or do people feel just using this (in a personal context not a business context) is not a great idea?
#9
22.7 Legacy Series / HAProxy rules setup confusing me!
December 29, 2022, 07:02:07 PM
I am trying to correctly set up HAProxy for my application.

I have three URLs that deliver to the HAProxy: address1.mydomain.com, address2.mydomain.com, address2.mydomain.com

Each has a real end server defined that points towards the correct internal server and the port number the target service is on.

There is a backend pool defined for each and a public service defined for each using a rule defined for each.

There are conditions for each of them in the form   if host matches address1.mydomain.com

There is a rule for each which have the form if IS_Address1 use pool address1_pool.

As well as this there is a rule put in by the acme service and one to redirect any input from http to https using HTTP Redirect = scheme https code 301

My issue is that if I visit any of these sites, address1, 2 or 3, I get sent to the same backend pool.  During the time I have been trying to understand this I have been sent to each of the pools, so I know they all work.  However, all three addresses will always go to the same backend pool at any time.

This feels like a rule precedence issue, but I can find no way in the UI to reorganise them.  The logs also do not seem to give any usable help.  Anybody got any idea why I have this trouble?  And is there a better way to use the logs that might help me debug it?
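Added example, not from the original post, covering both this thread and the earlier one about stray ACLs in an exported HAProxy config: two checks to run over the exported file. HAProxy evaluates `use_backend` rules top to bottom and the first match wins, and several `acl` lines with the same name are ORed together. The sample frontend is constructed, not the poster's config; it includes a deliberately stale duplicate `IS_Address1` line to show how one leftover ACL can send every host to the same pool.

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks over an exported
# HAProxy configuration.  The sample below is constructed; the duplicate
# IS_Address1 line is there on purpose.

haproxy_sample() {
    cat <<'EOF'
frontend public_https
    bind 0.0.0.0:443 ssl crt /tmp/haproxy/ssl/
    acl IS_Address1 req.hdr(host) -i address1.mydomain.com
    acl IS_Address2 req.hdr(host) -i address2.mydomain.com
    acl IS_Address3 req.hdr(host) -i address3.mydomain.com
    acl IS_Address1 req.hdr(host) -m end mydomain.com
    http-request redirect scheme https code 301 if !{ ssl_fc }
    use_backend address1_pool if IS_Address1
    use_backend address2_pool if IS_Address2
    use_backend address3_pool if IS_Address3

backend address1_pool
    server srv1 10.0.0.11:8080
EOF
}

# haproxy_acl_dupes < haproxy.cfg
# "<section> <acl> <n>" for every acl name defined more than once inside one
# frontend/listen/backend section.  HAProxy ORs same-named acl lines, so the
# stale "-m end mydomain.com" line above makes IS_Address1 true for every
# host, and the first use_backend wins for all three names.
haproxy_acl_dupes() {
    awk '
        $1 == "frontend" || $1 == "listen" || $1 == "backend" || $1 == "defaults" {
            flush(); sect = $2; split("", n)
        }
        $1 == "acl" { n[$2]++ }
        END { flush() }
        function flush(   k) { for (k in n) if (n[k] > 1) print sect, k, n[k] }
    '
}

# haproxy_routing < haproxy.cfg
# The use_backend rules of each frontend in evaluation order; a request takes
# the first line whose condition is true, then the default_backend if any.
haproxy_routing() {
    awk '
        $1 == "frontend" || $1 == "listen" { sect = $2; i = 0 }
        $1 == "backend" || $1 == "defaults" { sect = "" }
        $1 == "use_backend" && sect != "" {
            i++; cond = ""
            for (f = 3; f <= NF; f++) cond = cond (f > 3 ? " " : "") $f
            print sect, i, $2, cond
        }
        $1 == "default_backend" && sect != "" { print sect, "default", $2 }
    '
}
```

Run them as `haproxy_acl_dupes < exported.cfg` and `haproxy_routing < exported.cfg`; `haproxy -c -f exported.cfg` only tells you the file parses, not that the rules mean what you intended. If the UI gives no way to reorder rules, the order printed by `haproxy_routing` is the one that actually applies. Only the ordering and OR behaviour are HAProxy facts here; the duplicate line is an illustration, not a diagnosis of the poster's setup.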
#10
22.7 Legacy Series / Full Disk Image
November 24, 2022, 11:02:43 AM
Having come close to having no router, I wanted to make an image backup onto a duplicate disk so that, if I do get a permanent disk failure, I can just plug the spare in.  I have an identical SSD in a USB adapter to which I could copy the disk.  My knowledge of FreeBSD is very basic though, and I cannot figure out how to actually use dd to achieve the image I want; I can't even figure out the commands to see whether the USB disk is actually visible to the OS.

Is there an easier way to do this, or any tutorials somewhere that could help me achieve this?
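Added example, not from the original post: finding the USB spare on FreeBSD, cloning the boot disk to it with dd, and verifying the copy. Device names (`/dev/ada0` for the running SATA disk, `/dev/da0` for the USB one) are placeholders; check them with `list_disks` first, because dd will happily write in the wrong direction.

```sh
#!/bin/sh
# Added example, not from the original post: clone the OPNsense boot disk
# to an identical spare on FreeBSD with dd, then verify the copy.
# /dev/ada0 and /dev/da0 below are placeholders for your own devices.

# Show what FreeBSD can see, so the USB spare can be told apart from the
# running disk: ada* = SATA, da* = USB/SCSI, nvd*/nda* = NVMe.
list_disks() {
    camcontrol devlist
    geom disk list
    gpart show
}

# image_disk SRC DST
# Byte-for-byte copy in 1 MiB blocks (written as a plain number because
# GNU dd spells it 1M and FreeBSD dd 1m).  On a source with read errors add
# conv=noerror,sync so unreadable blocks are zero-filled instead of dropped,
# which would otherwise shift every later block.
image_disk() {
    src=$1; dst=$2
    if mount | grep -q "^$dst"; then          # UFS; for ZFS check zpool status
        echo "image_disk: $dst is mounted, refusing" >&2
        return 1
    fi
    # FreeBSD dd reports progress on SIGINFO (Ctrl-T); GNU dd: status=progress
    dd if="$src" of="$dst" bs=1048576
}

# verify_image SRC DST: compare the copy against the source.  cmp is
# portable; on FreeBSD "sha256 /dev/ada0 /dev/da0" works as well.
verify_image() {
    cmp "$1" "$2"
}

# Typical run, from single-user mode or a live USB so the source is quiet:
#   list_disks
#   image_disk /dev/ada0 /dev/da0 && verify_image /dev/ada0 /dev/da0
```

Two caveats a clone like this carries: a copy taken while the source filesystem is mounted and busy may be inconsistent, so do it from single-user mode or boot media; and if the install is on ZFS the clone carries the same pool identity, so do not leave both disks attached at the next boot, or the pool import will see two candidates.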
#11
Today I did some updating of my certificates for the router.

I decided I would however return to just using the standard https port rather than defining my own.

I made the change in the user interface, reverting to 443 in the settings, and restarted.  Now I cannot access the web GUI!  I can however SSH in, so I went in and chose restore, assuming this would restore the settings to a working auto backup.  Alas, it seems to make no difference.

I also tried resetting the wired LAN's IP address in an attempt to force it back to working with HTTP, but that did not work either.

Any ideas of how I can get back to the GUI so I can put this right?
#12
Hi there

I am using

OPNsense 22.7_4-amd64
FreeBSD 13.1-RELEASE
OpenSSL 1.1.1q 5 Jul 2022

And I am trying to make use of NTOPNG.  I cannot get it to keep seeing my wired network (the one I am actually using to access the switch).  It detects no traffic despite the fact that the machine it is telling me that on is on this network.

I have three physical connections EM3=WAN, EM2=Wired(network switch),  EM1=Wireless(Poe switch).

There are three VLANs on EM1 but none on EM2.  I managed to get EM2 to appear the other day by uninstalling and reinstalling NTOPNG.  When I went in two days later to check on something it was again not there, and I cannot find any way to bring it back.

What am I doing wrong here?  Do I need a VLAN for my non-router wired equipment (currently these are on 10.0.0.x where the router is 10.0.0.1)?  I have tried to get on to the NTOPNG Discord to ask this, but I'm over a week down and no verification, so I thought I would try here in case someone can point me in the right direction.

Many thanks for any ideas.
#13
I am setting up NTOPNG and it looks and works great; however, it does not appear to see one of my network interfaces.  This is a bit annoying as it is my main wired network.

My network was originally setup with one Wired network in the router 10.0.0.x on (em2) and wifi was independent just using a port in this network to connect.  The wan is connected to em3.

I created a specific interface for the wireless (em1).   And subsequently created 3 VLANs for various reasons.  I did not move the wired to a separate VLAN though so all wired devices still connect to the same network interface em2

It is this em2 that does not show up, though both em3 and em1 do.  I reason therefore that this is something I am misconfiguring, but as yet have found no great resource for helping me set it up.  Can anyone tell me where I am going wrong or point me to some step-by-step configuration advice?
#14
22.7 Legacy Series / 22.7 and Amazon Alexa disconnects
August 05, 2022, 03:54:50 PM
Looking for some help into something that is driving me mad.

I updated my router about a week ago to 22.7.   Since then my Echo devices seem to be unable to maintain a connection.   They often say "something went wrong"  and they always keep breaking off when streaming. 

All my other wireless network devices seem to work at least as well if not better, though debugging wireless is not easy.  Has something changed that requires me to adjust something so that they maintain their connection? 
#15
21.7 Legacy Series / NTOPNG login seems broken
October 04, 2021, 03:48:16 PM
I am trying to use NTOPNG for the first time in a while and it will not let me login.

I followed the instructions that come up through the login page and various other bits of internet advice that essentially add up to these three

redis-cli set ntopng.prefs.local.auth_enabled 1

redis-cli del ntopng.user.admin.password

redis-cli SET user.admin.password ea847988ba59727dbf4e34ee75726dc3

I've tried this with the service stopped and with the service started, following with a refresh, but still the login prompt rejects me.  The login itself will not even allow me to enter the admin password for the router, as the button stays faded (I think it is too long for the web front end).  I am using NTOPNG with HTTPS and that was working fine; however, I have upgraded to 21.7 since the last time I tried to use this.

Anyone got any advice on things to try?  Will removing it from the box and putting it back help or will the setup be retained anyway leading to no change?

Trev
#16
Hi there,

My Let's encrypt certificate never auto renews and I am not sure why.   I have to do this manually every time which is extremely tedious!  I wonder if I have something set wrong in the schedule page or something.  Could someone share the settings they use to make sure this works?
#17
20.7 Legacy Series / Unbound keeps stopping
January 05, 2021, 12:30:03 PM
Been ages since I've had any issue with OPNsense, and I am running on 20.7.7 (installed) with Unbound at 1.13.0 (though I have noticed that a _1 is now there and have updated).

My problem is that Unbound keeps stopping, and that breaks everything.  It seems to do this fairly randomly, but it is a pain when it does!  Now I know the challenge I can just get on the switch and start it again; however, I feel like it may be possible to autostart it with Monit if it fails.  Has anyone done this or got a pointer to some information on how to make that work?
#18
20.7 Legacy Series / Wireguard and 20.7
August 31, 2020, 12:15:25 PM
I've been using Wireguard for quite some time now and its been great.

Saturday I upgraded my router to 20.7 (finally) and now I have discovered that WireGuard is no longer functioning.  It makes connections fine, and the WireGuard client is seeing data sent to the WireGuard server on my OPNsense box, but nothing is coming back.

On the server I look in the configuration and this sees data being received and sent from the client, which suggests that the data being sent is not getting off the router.  When I ping the address of the VPN server from the client I get no response.

Feels like something has changed in the routing or rules.  I've not made any changes so I don't think it is me.  Does anyone have any pointers to where to look to fix this?
#19
Yesterday everything was fine.  Last night I upgraded to 20.7 and today she cannot connect to her work.

Their system uses BlackBerry Secure and it no longer attaches on either Wi-Fi or LAN.  I made no changes other than to upgrade to this version.

Anyone have any idea what is new about 20.7 that could cause this issue?  Everything looks good, and all seems to be working normally other than this.  I wondered if something has changed about allowing VPNs or something?
#20
I am looking for advice with getting the above working.

I have a wireless network on one interface and a wired network on a second interface.  The Echo I have is on wireless and the server it needs to reach on the wired interface.

There are any-any rules between the two interfaces currently.  If I try to discover, the Echo will fail.  However, if I plug the wireless router into the wired router rather than the second interface, then the Echo will correctly find the devices, proving this is about protocol crossing the interfaces.

I have the mDNS relay enabled on these two interfaces and that does not help.  From investigation I believe this may be something to do with either SSDP or multicast between the interfaces (or both); however, I've not been able to figure out what.  Can anyone out there help?