Topics - OmnomBánhmì

1
Hardware and Performance / OPNsense on Zotac Zbox CI337 nano: no reliable uptime (a week of testing)
« on: November 28, 2024, 12:29:48 pm »
For people searching for a low-price fanless box to run OPNsense on, I can comment on what maybe not to buy. YMMV, but my idea was to buy another Zotac Zbox, since I run a large handful of these in older hardware iterations (CI327 nano) with N3450 for branch offices as failover since ca. 2018. So it seemed a safe bet.

TL;DR Experiments failed with the CI337 nano.

For context, the N3450s all work nicely with lines up to symmetric 1 Gbps speeds, though most offices have lower bandwidths. However, they all max out at around 640 Mbps. Unsure why that is, however I didn't care too much since these boxes are companion failover to DEC740 devices that do handle everything we throw at them without hiccup. So failover barely happened in a handful of years, and if it did the CI327 nano was good enough for the specific purpose.

There are Realtek chips in the CI327 nano as well as the newer CI337 nano. So I thought, let's get one of those and test on a DOCSIS gigabit line. Mixed results here overall: line speed when it works, but no stable connection. Either I get 1 hour of uptime or maybe even 4 or so, but then inevitably b0rkage happens:

  • data throughput drops to zero
  • OPNsense UI is a no show
  • pings to the CI337 might still work though
  • ssh login might work, but more often the box does not respond on any TCP port
  • its HDMI output goes blank, i.e. I can't see any on-screen messages; if I see any, it often repeats emulated netmap adapter rel_vlan entries with either destroyed, created, or activated messages. After that repeats, I see dropped packets
  • a keyboard needs to be connected for a ctrl-alt-delete reset
  • box is up again after rebooting, log entries are unremarkable

Looking for answers I found what everyone else may find: the useful posts with caveats here in the forum (heat dissipation, comments re Realtek chips, Intel firmware and microcode, power supply issues), and also comments on Amazon re BIOS/UEFI updates. Well, none of what I tried fixed the issue: switching the power supply and makeshift USB fan cooling. About 4 hours of uptime was the maximum I got.

So I'm returning this CI337 nano unit to the vendor. What I do like about Zotac is their size and sturdy build. The general reliability of the older model though... whatever, time to move on.

Next up, I'll go for N100 again, with Intel i226-V this time. Protectli boxes seem a good next step at the next price level. For our branch offices SFP+ would sure be nice to have for upgrading the failover game; should I make the time for CWWK attempts, there are boxes with that too.

I'll keep reading in the forum, thank you meyerguru and everyone who is active here with answers. This post is my 2ct. :)

2
General Discussion / Best practice for giving local staff a router status page
« on: March 22, 2024, 04:53:55 pm »
So with a handful of branch offices, on each site's OPNsense router we have a locked down user role that enables local staff to check things like failover status, WAN details and such. Read only for configuration, few menu items, and with "reboot" enabled among very few action options.

Now the Effective Privileges don't seem to include, or I haven't found or understood it, a way to lock down this user dashboard-wise. So, occasionally I find widgets changed or content added. Trying not to be paranoid, but if users can upload their own animated GIF file to the Pictures widget... cat memes or not, I don't think that is a good idea and plan to change this setup. So I'll no longer be holding it wrong.

If you have a similar model, enabling local staff to interact with OPNsense, how do you do a (mostly read-only) status page?

3
Hardware and Performance / Looking to upgrade the RAM in a DEC740
« on: February 22, 2023, 12:06:20 pm »
For the office we got a DEC740 which has 4 GB of RAM. Memory usage is around 40%, which is fine. But swap is always around 59%, so several GB worth of swapping at all times.

The datasheet does not mention user-upgradable RAM, but it does mention it's DDR4. We have some of that in store, so we could in theory just add to or replace the given RAM to e.g. get 8 GB. This could reduce wear and tear on the mass storage considerably, I'd think.

Has anyone done this RAM upgrade successfully? Is that possible or encouraged even?

4
22.7 Legacy Series / Switching WAN provider - transfer given firewall rules to new interface used
« on: October 05, 2022, 04:44:14 pm »
There's an ISP change coming up for us, on a multi-WAN setup. So atm we have both VDSL (WAN1) and fibre-with-copper (WAN2) active. Coming up, the fibre-with-copper will be replaced by a fibre connection that does not use copper on the last 50 cm of a legacy cabling installation. ::)

There's no rush with the new setup, because all three shall continue to run in parallel for weeks or even months, and this DEC740 has enough ports for all of it. I'll stick to one aspect of the changes.

From what I've gathered I now have a full setup of WAN interfaces, and a range of firewall rules and such for WAN2. When the new ISP offers IP it'll connect via interface ax1. Do I have to rebuild everything for the new WAN?

Maybe there is an easy way to copy over given firewall rules to the new interface? It would at least be convenient to be able to do that.

Any pointers appreciated.

5
21.7 Legacy Series / [SOLVED] Wireguard, Interfaces and Assignments: can't reenable instance
« on: April 06, 2022, 04:36:15 pm »
So I had several WireGuard instances configured, on different ports, and things worked well. For testing I disabled one of the WireGuard "servers". This instance wg1 stopped working, test completed. The other continued to work.

Now, in VPN > WireGuard > Local the box for wireguard1 is checked again, and the interface shows in Interfaces as wireguard1. It is enabled as far as the information available here says.

But, in Interfaces > Overview it is marked as "down", and in Assignments wg1 shows as being assigned to re0 (and a real MAC) instead of wg1 and 00:00:00:00:00:00. wg1 is not shown and not listed in the dropdown list for re-assigning. The interface wireguard1 did not have an IP address configured.

So even though it is an enabled instance (as per VPN) and the interface shows, it cannot be used now that I turned it off.

How can I enable it again such that I can assign wg1 to the interface again, and it will actually work and show in VPN -> WireGuard -> List Configuration (or `sudo wg show`)?

Rebooting the machine, restarting all services, and disabling and re-enabling wireguard or the interface did not improve the situation. What have I missed? What to do now?

6
21.7 Legacy Series / [SOLVED] 2 WAN interfaces, one shows up in Services -> DHCPv4
« on: March 21, 2022, 03:45:34 pm »
I have a 3-port box with OPNsense on it, a new setup. The box connects to a VDSL line on WAN1, which it does, and a fibre connection on WAN2, which it does. This one is set to a static IPv4 address and works as intended. I have both WANs show up under Interfaces -> WAN, which is fine.

But surprisingly, WAN2 shows up as an interface I can enable DHCP on under Services -> DHCPv4. Certainly it is not meant to be this way. Why does it show there, and what did I do wrong to put it there? Most importantly, how do I fix it?

7
21.7 Legacy Series / [SOLVED] Need to reconfigure a LAN interface from CLI
« on: January 17, 2022, 03:56:36 pm »
So I'm a longtime OPNsense user, but today I messed up my LAN-facing interface by erroneously setting a static LAN address. After hitting "Apply changes" I noticed, oh, wait... So the interface now has 192.168.250.85 as its static address, which is wrong. But I wasn't able to reach the web interface from any other machine in .250.0/24. Effectively I have locked myself out.

What I want to do is set the LAN interface re1 to request an address by DHCP (as I had it before).

Since my command-line user is not in the sudoers file ( ::) ), I mounted the ZFS filesystem on an Ubuntu machine via an external drive and can now access and write to zroot/ROOT/default.

On plain FreeBSD this would be a simple line in e.g. /etc/rc.conf. But OPNsense does not have that. The only occurrences of the static address I can find are using grep:

/mnt/zfs/etc/hosts myhostname.network myhostname
/mnt/zfs/usr/local/etc/filter_tables.conf:      <address>192.168.250.85
/mnt/zfs/usr/local/etc/filter_tables.conf:192.168.250.85

Where can I find the stored config? How can I set the LAN to request an address by DHCP?

Since I can't find a static entry where this address is assigned to re1, would rewriting those hits to the actual network address I want do any good?
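Both post 4 (copying the WAN2 firewall rules onto the new ax1 interface) and post 7 (putting the LAN interface back on DHCP from outside the box) come down to editing OPNsense's single XML configuration file offline. The script below is an added example, not code from the poster or from the OPNsense project. OPNsense keeps its running configuration in /conf/config.xml; the element layout the script relies on (`<interfaces><lan><ipaddr>`, `<filter><rule><interface>`), the interface names `opt1`/`opt2`, and the embedded sample config are assumptions modelled on that file and should be checked against a real backup (System > Configuration > Backups) before anything is written back. It never overwrites its input: it returns the modified tree and a rendered copy, so the result can be diffed against the original first.

```python
"""Added example: edit an OPNsense-style config.xml offline.

Two operations:
  * set an interface back to DHCP (post 7)
  * clone firewall rules from one interface to another (post 4)

ASSUMPTION: the element layout below mirrors OPNsense's /conf/config.xml
(<interfaces><lan><ipaddr>, <filter><rule><interface>). Verify against a
real backup before relying on it.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed sample config, not a real backup. "lan" is the interface
# with the wrong static address; "opt1" is the old WAN2, "opt2" the new one.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <lan><if>re1</if><enable>1</enable><ipaddr>192.168.250.85</ipaddr><subnet>24</subnet></lan>
    <wan><if>re0</if><ipaddr>dhcp</ipaddr></wan>
    <opt1><if>ax0</if><ipaddr>203.0.113.10</ipaddr><subnet>29</subnet></opt1>
    <opt2><if>ax1</if><ipaddr>198.51.100.10</ipaddr><subnet>29</subnet></opt2>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>opt1</interface><descr>allow vpn</descr></rule>
    <rule><type>block</type><interface>opt1</interface><descr>drop bogons</descr></rule>
    <rule><type>pass</type><interface>lan</interface><descr>lan out</descr></rule>
  </filter>
</opnsense>
"""


def set_interface_dhcp(root, name):
    """Replace a static IPv4 setup on interface `name` with DHCP.
    Returns the previous <ipaddr> text so the caller can log the change."""
    iface = root.find(f"./interfaces/{name}")
    if iface is None:
        raise KeyError(f"no interface section named {name!r}")
    ipaddr = iface.find("ipaddr")
    if ipaddr is None:
        ipaddr = ET.SubElement(iface, "ipaddr")
    old = ipaddr.text
    ipaddr.text = "dhcp"
    # A DHCP-configured interface carries no static prefix length.
    subnet = iface.find("subnet")
    if subnet is not None:
        iface.remove(subnet)
    return old


def clone_rules(root, src, dst):
    """Deep-copy every <filter><rule> bound to `src` onto `dst`, keeping the
    originals so both WANs stay protected while they run in parallel.
    Returns the number of rules cloned."""
    filt = root.find("filter")
    if filt is None:
        raise KeyError("config has no <filter> section")
    cloned = []
    for rule in filt.findall("rule"):
        if rule.findtext("interface") == src:
            new = copy.deepcopy(rule)
            new.find("interface").text = dst
            descr = new.find("descr")
            if descr is not None:
                descr.text = f"{descr.text} (cloned from {src})"
            cloned.append(new)
    for new in cloned:          # append after iterating, not during
        filt.append(new)
    return len(cloned)


def rules_for(root, name):
    """Descriptions of the rules bound to interface `name`, in file order."""
    return [r.findtext("descr") for r in root.findall("./filter/rule")
            if r.findtext("interface") == name]


def migrate(xml_text, lan="lan", old_wan="opt1", new_wan="opt2"):
    """Apply both edits to an XML string; returns (tree, old LAN address,
    number of cloned rules, rendered XML) without touching any file."""
    root = ET.fromstring(xml_text)
    old_addr = set_interface_dhcp(root, lan)
    count = clone_rules(root, old_wan, new_wan)
    rendered = ET.tostring(root, encoding="unicode")
    return root, old_addr, count, rendered


if __name__ == "__main__":
    root, old_addr, count, rendered = migrate(SAMPLE_CONFIG)
    print(f"lan was {old_addr}, now {root.findtext('./interfaces/lan/ipaddr')}")
    print(f"cloned {count} rules onto opt2: {rules_for(root, 'opt2')}")
    # Write to a new path and diff it against the original before copying
    # it into place; never write straight over /conf/config.xml.
    with open("config.migrated.xml", "w", encoding="utf-8") as fh:
        fh.write(rendered)
```

Run it against an exported backup instead of `SAMPLE_CONFIG`, diff the output file against the original, and only then copy it into place on the mounted filesystem. The defensive point is the same one the posts touch on: the firewall's entire policy lives in one file, so any process that can write it owns the box, which is why offline edits deserve a backup and a diff rather than an in-place rewrite.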
