Topics - EHRETic

#1
Hi there,

Today, while updating my FWs to the latest version (25.1.10), I noticed that my web console certificates had expired (on both nodes, as one certificate is shared).
Nothing to worry about: I have a configured internal CA, so I created a new GUI certificate on the master with the same parameters (SANs are valid for both nodes/IPs).

The issue is: when I wanted to sync the configuration, I was not able to find the new certificate on the backup node.

I've tried rebooting both nodes and also activating/deactivating certificate sync (saving & hitting sync each time) - it didn't help.
I also have the exact same issue on a second pair of FWs (remote backup site, same version but VMs).

I can't figure out if it is a recent issue or not, so I'll need some help to troubleshoot and solve it.

Thanks in advance!😉

PS: I DID find the new sync button... 😇 but I would really appreciate a full sync status panel if possible.
(ref: https://github.com/opnsense/core/issues/8301)
#2
Hi there,

I might be mistaken because of a change, but I can't find the small "synchronize to backup" button for HA settings in the new 25.1 UI.

And therefore, also missing the small status when you press on it!

Is it missing or has it moved somewhere else? Thanks in advance!
#3
Hi there,

I set up a new HA cluster for my home infra and so far, the migration has been great; everything seems to be working as expected. HA works when I switch CARP manually or if I shut down/restart the master.

Everything... except my IPSEC VPN tunnel, which doesn't switch over. :(

My Phase 1 is configured to the WAN CARP IP, and I also tried to disable MOBIKE as mentioned here: https://forum.opnsense.org/index.php?topic=19244.0
The pfsync interface is a dedicated cable, and there is a rule that allows everything between both FWs.

As I'm fairly new to HA, I don't know what to expect here, but I tried to switch over/restart the master and also tried to shut it down for 10 minutes; this didn't help, the IPSEC tunnel only comes back after the master is up again.

The IPSEC tunnel is still in the legacy mode; I don't know if switching to the newer version would help.

Where can I start looking? Thanks in advance ;)

K.R.
Franck
#4
Hi there,

I made a recent design change to allow the possibility of patching my network switches without interruption.
(https://forum.opnsense.org/index.php?topic=32211.msg155680#msg155680)

So my physical firewall has 2 NICs configured in failover mode in a LAGG, spread across 2 physical switches. So does my Internet router (yeah, double NAT is not ideal, but I have no choice with my provider).
All the interface work is done via VLANs & different interfaces.

RSTP is activated on the switches, so the 2nd link of the router is disabled if switch number 1 is online.

If I power off or update switch 1, Internet and all the other things continue to work "as expected", except my IPSEC tunnel to another failover site. When the switch comes back online, it doesn't reconnect.

I've tried to restart the IPSEC service; nothing works unless I restart the firewall. Restarting the firewall or the service on the remote site doesn't help.

Any idea what could be the issue and how to solve this?

Thanks in advance for your help ;)
#5
General Discussion / LAGG redesign question
January 31, 2023, 11:31:14 AM
Hi there,

I have a question concerning my firewall NIC/LAGG design.

Up to now, I had a single switch (Ubiquiti) and I had 2 physical NICs configured in LACP on my OPNsense firewall. All interfaces were managed by different VLANs (including WAN connectivity).

But to ease the whole firmware patch management and offer redundancy on several systems, I bought a second switch.

Now, as Ubiquiti doesn't offer LACP across several physical switches, I'm wondering which LAGG type I should now configure to have redundancy/a bit of load balancing between both links: would you choose failover, loadbalance or round robin?

My first reflex would be to go with loadbalance, but maybe there are a few things to consider first. Maybe a LAGG is not the best option at all.

Thanks in advance for your advice! ;)

PS: If required/better, I could add 2 physical NICs to the server (but from the load, it is not necessary at all).
#6
Hi there,

After having tried to get more info to create an HA setup with a VM/physical server, I abandoned the idea of HA as it doesn't seem to be feasible. The only possibility would be to create a LAG to have the same interfaces on both sides, but it is apparently not really possible in a VMware VM (more info here: https://forum.opnsense.org/index.php?topic=21696.msg102192)

So I have an unused i5-4570 with 32GB of RAM (previous ESX in my homelab); storage is a USB stick (32GB).

2 main questions:
- What is the best way to migrate from one to the other?
Knowing that I have 2 interfaces in the VM (a trunk with several VLANs and the WAN) and on the physical server I have a 4x1GB/s Broadcom card, how does the interface assignment work after the configuration upload?

- What kind of optimization/tweaks can I do to make the most of my hardware (esp. memory, which is overkill)?
You can suggest hardware modifications too...

PS: in the near future, I'll have a dual Intel 10 GB/s card for this machine; is it recommended to create a LACP LAG with "VLAN interfaces" for all, or to dedicate one for WAN and one for LANs?
(I have a 1 GB/s Internet connection)

Thanks for your suggestions! ;)
#7
Dear all,

Recently, I had the opportunity to move to fiber Internet connectivity. Speed is great, I get almost 1GB/s symmetrical on a PHYSICAL computer connected to the box. ;D

What a disappointment when I got (after tests and optimizations) only half of that behind my firewall VM.
The whole virtualization is probably to blame, with all the added latency and overhead (driver, hypervisor, etc.), so I don't know how to solve that.

But as a solution, I have an unused physical machine that was a previous hypervisor with 32GB of RAM and a Core i5, and this should be just fine for that job (please comment if you think the opposite).

My idea is to go from a single VM, which now offers a lot of flexibility and reliability with backups and snapshots, to an HA cluster between the new physical machine and the VM.
Performance loss in case of problem/maintenance is 100% acceptable, but of course not config/connectivity loss, because I also have a VPN tunnel to another location and family is connecting to my infra (yes, it's a home lab! ;))

VM network config:
- 2 virtual NICs (VMXNET3, one for WAN, one for LANs)
- the LANs interface is configured with multiple VLANs/subnets
- all default GWs have IPs ending in .1

I'd like to keep the .1 as default GWs, so this has to be moved to the virtual IPs. .2 and .3 are reserved for that project on all LAN subnets.

I already know there are difficulties with drivers and stuff (the doc speaks about the necessity to use LAGG) to do such a mixed setup, but knowing the above, where do I start?

Thanks in advance for your great help :)

Refs:
https://docs.opnsense.org/manual/hacarp.html
https://docs.opnsense.org/manual/how-tos/carp.html
#8
Hi there,

I don't know where to start, but since I upgraded from 20.1 to 207, it seems I have more and more strange issues (I got some unbound issues too; I had to disable DNSSEC temporarily).

Usually, my FW is on a "should run on this host" rule so that my SIEM can capture the traffic. Today, I had to maintain some ESXi hosts and I vMotioned the FW a few times... it crashed twice! ??? None of the other VMs suffered any network connectivity loss.

I have to mention this NEVER happened before with previous versions; I could vMotion dozens of times.

I couldn't see these issues earlier because I didn't have to move the VM since I upgraded.

Where do we start to troubleshoot that? ;)
#9
20.1 Legacy Series / Unbound DNS advanced options
April 11, 2020, 04:08:53 PM
Hi there,

In order to be able to use DNS over TLS, I've looked around and found these advanced options for Unbound:

server:

forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 8.8.8.8@853
    forward-addr: 8.8.4.4@853


The only question is: if the advanced options field is ever removed, how can we achieve the same result? ;)
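The snippet above forwards queries over TLS but does not tell Unbound which certificate to expect, so the session is encrypted without the upstream being authenticated. The following is an added example (not from the original post and not OPNsense's own configuration) of the same forwarder block with certificate verification turned on: the `#name` suffix on `forward-addr` is the server name Unbound checks in the presented certificate, and `tls-cert-bundle` in the `server:` clause is the CA bundle used to validate it. The bundle path is an assumption for a FreeBSD-style system; use whatever path holds the trusted root CAs on your platform.

```conf
server:
    # CA bundle used to verify upstream TLS certificates.
    # Path is an assumption (FreeBSD/OPNsense typically ship one here).
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    # forward-tls-upstream is the current option name;
    # forward-ssl-upstream is the older alias used in the snippet above.
    forward-tls-upstream: yes
    # "@853" is the DoT port; "#dns.google" is the name that must appear
    # in the certificate, otherwise the forwarder is rejected.
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

After saving, `unbound-checkconf` reports syntax problems before the service is restarted, and a failed certificate check shows up in the Unbound log as a rejected upstream rather than as silently unencrypted traffic.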
#10
20.1 Legacy Series / Captive portal not working
April 11, 2020, 03:44:30 PM
Hi there :)

I am trying to get the Captive Portal on my Guest network to operate. However, the problem is that no clients are automatically forwarded to the login page (iPad, Chrome phone or Windows computer).

I configured it according to the documentation (https://docs.opnsense.org/manual/how-tos/guestnet.html).

What is strange for me is that it was working before (as I'm new to OPNsense and started the implementation not so long ago, I can't tell exactly when it stopped working). I configured the base as in the doc, saw it was working and left it there. I have the feeling it was working with 20.1.3, but I can't vouch that 20.1.4 broke it.

What is weird is that, whether it was redirecting or not (not working anymore), my captive portal is accessible at http://192.168.XXX.1:8001 (not 8000 as I saw almost everywhere). I can't explain why and don't know if it is a config issue.

Otherwise, I just get "server not found" when I try to open any page, no matter if https or http.

Some settings about the setup:
- 2 physical NICs (it's a VM): one is WAN, the other is tagged for all the different subnets (guest, prod, multimedia)
- I'm not using a proxy (for now)
- I'm using Unbound with DNSSEC active
- the captive portal is not using SSL and no hostname is defined
- DHCP works fine in the guest network

From other threads in the forum, I have the feeling that tagged interfaces are often linked with issues... are they?

Anyway, I'd like some help, so I can also understand better how everything works together.
Thanks in advance! ;)
#11
Hi there,

I'm trying to set up my first OPNsense infra. There is my home lab and a DR site.
Both now have a firewall, and incoming/outgoing traffic to WAN is working fine.

As I like it, I've restricted outbound traffic to HTTP/HTTPS and some other ports (see capture).

Now, I've created an OpenVPN server at home and set up the client at the DR site. The connection is active between both FWs.

But I just can't access resources from one LAN to the other. If I look at the firewall logs, I clearly see that the traffic is blocked by the "Default deny rule" (RDP, as an example).
If I activate the more generic rule (the one disabled at the top of the capture), it works.

I'm confused; I thought VPN traffic would be set up on the OpenVPN interface. In several tutorials, there is also mention of creating a new interface for the OpenVPN opnsX interface, which will create a new gateway.
Setting an open firewall rule on this extra interface didn't solve the issue either.

I'm suspecting a routing issue (VPN traffic should hit the VPN interface first, no?), but it is beyond my knowledge for now :-)

Help very much appreciated!