Messages - OmnomBánhmì

Pages: [1] 2
1
German - Deutsch / Re: OPNsense no access any more, neither WAN nor LAN
« on: November 29, 2024, 05:30:15 pm »
Well then, keep watching it for now. FWIW, here on an older Zotac with an N3450 and Realteks, both realtek-re-kmod and os-realtek-re are installed.

kldstat says if_re.ko is loaded. (This FreeBSD forum thread says which is which: https://forums.freebsd.org/threads/if_re-for-rtl8125-module-loads-no-device-output.89372/ )

Have a nice weekend!

2
German - Deutsch / Re: OPNsense no access any more, neither WAN nor LAN
« on: November 29, 2024, 11:57:26 am »
Realtek is a bit hairy, that may be. But not per se. I run a good handful of mini PCs with Realteks, and everything runs smoothly there - they work as failover and rarely under full load, but certainly with dual stack and with various bandwidths up to 1 Gbps. The change-over itself shouldn't genuinely be the cause.

At first glance I don't see a cause in the log. Is the device getting warmer than before?

3
Web Proxy Filtering and Caching / Re: CADDY/cloudflare - Not understanding why I am getting an SSL handshake failure
« on: November 29, 2024, 10:20:59 am »
This is a little hard to diagnose. :) Try testing with these methods and post/report the responses you get, for each of your subdomains:

$ curl -v https://prod.youraddre.ss -o /tmp/test

This will give you metadata about the connection, and redirects will show. You may look for subjectAltName, Host and location values (and others).

Web-based tests do not show as much detail, however https://deref.link/ and https://wheregoes.com/ may help too.
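As an added example (not part of the post above, and not Caddy's or OPNsense's code): once you have the `curl -v` transcripts for each subdomain, this script pulls out the fields the post says to compare (subjectAltName, Host, location) and tells a handshake that died before any certificate was shown apart from a certificate that was shown but does not cover the name. Both transcripts are constructed; `app.youraddre.ss`, `dev.youraddre.ss` and the IP 203.0.113.10 are assumptions.

```python
"""Parse `curl -v https://host -o /dev/null` transcripts and summarise what
the TLS side actually did.  Added example; transcripts below are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: healthy handshake, wildcard SAN, then a redirect.
SAMPLE_OK = """\
* Connected to prod.youraddre.ss (203.0.113.10) port 443 (#0)
* ALPN: curl offers h2,http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=youraddre.ss
*  subjectAltName: host "prod.youraddre.ss" matched cert's "*.youraddre.ss"
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify ok.
> GET / HTTP/2
> Host: prod.youraddre.ss
< HTTP/2 301
< location: https://app.youraddre.ss/
"""

# Constructed: the far end aborts the handshake before presenting a
# certificate, so there is no SAN to look at (typical of an origin/proxy
# TLS-mode mismatch rather than a wrong certificate).
SAMPLE_FAIL = """\
* Connected to dev.youraddre.ss (203.0.113.10) port 443 (#0)
* ALPN: curl offers h2,http/1.1
* OpenSSL/3.0.2: error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection
curl: (35) OpenSSL/3.0.2: error:0A000410:SSL routines::sslv3 alert handshake failure
"""

# curl exit codes from its man page: 35 = SSL connect error (handshake
# failed), 60 = peer certificate cannot be authenticated.
VERDICTS = {
    35: "handshake failed before any certificate was seen: check SNI / origin TLS mode, not the cert",
    60: "certificate was presented but is not trusted or does not match the name",
}


@dataclass
class CurlReport:
    connected_to: Optional[str] = None
    tls: Optional[str] = None
    subject: Optional[str] = None
    san_line: Optional[str] = None
    verify_ok: bool = False
    host_header: Optional[str] = None
    status: Optional[str] = None
    location: Optional[str] = None
    errors: List[str] = field(default_factory=list)


def san_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style name match: exact (case-insensitive), or a wildcard that
    is the whole leftmost label; '*.example.com' covers 'a.example.com' but
    neither 'a.b.example.com' nor the bare 'example.com'."""
    h, p = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in p:
        return h == p
    if not p.startswith("*.") or "*" in p[2:]:
        return False
    h_labels, p_labels = h.split("."), p.split(".")
    if len(h_labels) != len(p_labels) or len(p_labels) < 3:
        return False
    return h_labels[1:] == p_labels[1:]


def parse_curl_verbose(text: str) -> CurlReport:
    r = CurlReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("* Connected to "):
            r.connected_to = line[len("* Connected to "):].split()[0]
        elif line.startswith("* SSL connection using "):
            r.tls = line[len("* SSL connection using "):]
        elif line.startswith("*  subject:"):
            r.subject = line.split(":", 1)[1].strip()
        elif line.startswith("*  subjectAltName:"):
            r.san_line = line.split(":", 1)[1].strip()
        elif "SSL certificate verify ok" in line:
            r.verify_ok = True
        elif line.startswith("> Host:"):
            r.host_header = line.split(":", 1)[1].strip()
        elif re.match(r"< HTTP/[\d.]+ \d{3}", line):
            r.status = line[2:]
        elif line.lower().startswith("< location:"):
            r.location = line.split(":", 1)[1].strip()
        elif "alert handshake failure" in line or "SSL_ERROR" in line or line.startswith("curl: ("):
            r.errors.append(line)
    return r


def summarize(text: str) -> dict:
    """One row per subdomain: the values worth comparing side by side."""
    r = parse_curl_verbose(text)
    code = None
    for e in r.errors:
        m = re.match(r"curl: \((\d+)\)", e)
        if m:
            code = int(m.group(1))
    matched = re.search(r'matched cert\'s "([^"]+)"', r.san_line or "")
    pattern = matched.group(1) if matched else None
    host = r.host_header or r.connected_to or ""
    return {
        "host": host,
        "tls": r.tls,
        "subject": r.subject,
        "san_pattern": pattern,
        "san_covers_host": bool(pattern) and san_matches(host, pattern),
        "verified": r.verify_ok,
        "status": r.status,
        "location": r.location,
        "curl_exit": code,
        "verdict": VERDICTS.get(code, "ok" if r.verify_ok else "no verified TLS session"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAIL):
        print(summarize(sample))
```

Run it over one saved transcript per subdomain and compare the rows: a `curl_exit` of 35 with no `san_pattern` means the TLS session never got as far as a certificate, so the fix is on the SNI/origin side, whereas a `san_pattern` that does not cover the host points at the certificate itself.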


4
German - Deutsch / Re: OPNsense no access any more, neither WAN nor LAN
« on: November 28, 2024, 02:18:43 pm »
Without an excerpt from the system logs nobody can make sense of it, us included. Post the last few lines from there before the outage, or before it stopped logging anything at all. Otherwise your question stays unanswerable. :)

5
Hardware and Performance / OPNsense on Zotac Zbox CI337 nano: no reliable uptime (a week of testing)
« on: November 28, 2024, 12:29:48 pm »
For people searching for a low price fanless box to run OPNsense on, I can comment on what maybe not to buy. YMMV, but my idea was to buy another Zotac Zbox, since I run a large handful of these in older hardware iterations (CI327 nano) with N3450 for branch offices as failover since ca. 2018. So it seemed a safe bet.

TL;DR Experiments failed with the CI337 nano.

For context, the N3450s all work nicely with lines up to symmetric 1 Gbps speeds, most offices have lower bandwidths though. However they all max out at around 640 Mbps. Unsure why that is, however I didn't care too much since these boxes are companion failover to DEC740 devices that do handle everything we throw at it without hiccup. So failover barely happened in a handful of years and if it did the CI327 nano was good enough for the specific purpose.

There's Realtek chips in the CI327 nano as well as the newer CI337 nano. So I thought let's get one of those and test on a DOCSIS gigabit. Mixed results here overall, line speed when it works, but no stable connection. Either I get 1 hour of uptime or maybe even 4 or so, but then inevitably b0rkage happens:

  • data throughput drops to zero
  • OPNsense UI is a no show
  • pings to the CI337 might still work though
  • ssh login might work, but more often the box does not respond on any TCP port
  • its HDMI output goes blank, i.e. I can't see any on-screen messages - if I see any it often repeats emulated netmap adapter rel_vlan entries with either destroyed, created, activated messages. After that repeated I see dropped packets
  • a keyboard needs to be connected for a ctrl-alt-delete reset
  • box is up again after rebooting, log entries are unremarkable

Looking for answers I found what everyone else may find: the useful posts with caveats here in the forum (heat dissipation, comments re Realtek chips, Intel firmware and microcode, power supply issues), and also comments on amazon re BIOS/UEFI updates. Well, none of what I tried fixed the issue: switching the power supply and makeshift USB fan cooling. About 4 hours of uptime was the maximum I got.

So I'm returning this CI337 nano unit to the vendor. What I do like about Zotac is their size and sturdy build. The general reliability of the older model though... whatever, time to move on.

Next up, I'll go for N100 again with Intel i226-v this time. Protectli boxes seem a good next step at the next price level. For our branch offices SFP+ would sure be nice to have for upgrading the failover game, should I make the time for CWWK attempts there's boxes with that too.

I'll keep reading in the forum, thank you meyerguru and everyone who is active here with answers. This post is my 2ct. :)

6
General Discussion / Best practice for giving local staff a router status page
« on: March 22, 2024, 04:53:55 pm »
So with a handful of branch offices, on each site's OPNsense router we have a locked down user role that enables local staff to check things like failover status, WAN details and such. Read only for configuration, few menu items, and with "reboot" enabled among very few action options.

Now the Effective Privileges don't seem to exclude, or I haven't found or understood it, a way to lock down this user, dashboard-wise. So, occasionally I find widgets changed or content added. Trying not to be paranoid, but if users can upload their own animated GIF file to the Pictures widget.. cat memes or not, I won't think that is a good idea and plan to change this setup. So I'll no longer be holding it wrong.

If you have a similar model, enabling local staff to interact with OPNsense, how do you do a (mostly read-only) status page?

7
Hardware and Performance / Re: Looking to upgrade the RAM in a DEC740
« on: April 07, 2023, 05:20:10 pm »
Thank you all for the detailed replies! I'll check with page in / page out activity, however I do suspect I let myself be fooled by being more familiar with Linux, so may not rush towards upgrading.

8
Hardware and Performance / Re: Smart Managed Switch: Cisco or Zyxel
« on: April 04, 2023, 04:39:26 pm »
You haven't said what for - or a price range. Adding my 2ct here anyhow.

Zyxel does consumer gear, I have that at home (GS1200). VLANs they can do, and while the UI is modern, running the configuration is not without problems (small handful of VLANs). I need to reboot the switches every month or so, because data throughput slows down considerably over time. Annoying. I'm eyeing Aruba for a refresh in homelab gear.

The older rackmount and PoE switches that run in the company data rack work nicely and without any issues. These are XGS2210 and GS2210 specimens, and they stay out of your way and just work. Newer stuff supports Nebula and cloud management, haven't touched those yet.

9
Hardware and Performance / Looking to upgrade the RAM in a DEC740
« on: February 22, 2023, 12:06:20 pm »
For the office we got a DEC740 which has 4GB of RAM. Memory usage is around 40%, which is fine. But, the Swap is always around 59%, so several GB worth of swapping at all times.

The datasheet does not mention user-upgradable RAM, but it does mention it's DDR4. We have some of that in store, so could in theory just add to or replace the given RAM to e.g. get 8GB. This could reduce wear and tear on the mass storage considerably, I'd think.

Has anyone done this RAM upgrade successfully? Is that possible or encouraged even?

10
22.7 Legacy Series / Switching WAN provider - transfer given firewall rules to new interface used
« on: October 05, 2022, 04:44:14 pm »
There's an ISP change coming up for us, on a multi WAN setup. So atm we have both VDSL (WAN1) and fibre-with-copper (WAN2) active. Coming up will be the fibre-with-copper to be replaced by a fibre connection that does not use copper on the last 50cm of a legacy cabling installation.  ::)

There's no rush with the new setup, because all three shall continue to run in parallel for weeks or even months, and this DEC740 has enough ports for all of it. I'll stick to one aspect of the changes.

From what I've gathered I now have a full setup of WAN interfaces, and a range of firewall rules and such for WAN2. When the new ISP offers IP, it'll connect via interface ax1 - do I have to rebuild everything for the new WAN?

Maybe there is an easy way to copy over given firewall rules to the new interface? It would at least be convenient to be able to do that.

Any pointers appreciated.
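One way to do the bulk copy offline, as an added example (not OPNsense's own code, and not what the thread settled on): take a config backup from System > Configuration > Backups, clone every rule bound to the old WAN's interface key onto the new one, and restore the edited file. The config below is constructed and trimmed to the elements this needs; the interface keys opt1/opt2, the port names and the descriptions are assumptions.

```python
"""Clone interface-bound firewall rules from one OPNsense interface key to
another inside a config.xml backup.  Added example; the XML is constructed."""
import copy
import uuid
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>ax0</if><descr>WAN1 VDSL</descr></wan>
    <opt1><if>igb1</if><descr>WAN2 fibre-copper</descr></opt1>
    <opt2><if>ax1</if><descr>WAN3 fibre</descr></opt2>
    <lan><if>igb0</if><descr>LAN</descr></lan>
  </interfaces>
  <filter>
    <rule uuid="0b1e4c4a-1111-4b8c-9c2e-000000000001">
      <type>pass</type><interface>opt1</interface><ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol><descr>WireGuard in on WAN2</descr>
      <source><network>any</network></source>
      <destination><network>opt1ip</network><port>51820</port></destination>
    </rule>
    <rule uuid="0b1e4c4a-1111-4b8c-9c2e-000000000002">
      <type>block</type><interface>opt1,wan</interface><ipprotocol>inet</ipprotocol>
      <descr>drop RFC1918 sources on both WANs</descr>
      <source><address>10.0.0.0/8</address></source>
    </rule>
    <rule uuid="0b1e4c4a-1111-4b8c-9c2e-000000000003">
      <type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <descr>LAN default</descr>
      <source><network>lan</network></source>
    </rule>
  </filter>
</opnsense>
"""


def _swap_tokens(value: str, src: str, dst: str) -> str:
    """Rewrite interface-relative macros in a comma-separated field:
    'opt1' (interface net) -> 'opt2', 'opt1ip' (interface address) -> 'opt2ip'.
    Aliases, 'any' and literal addresses are left untouched."""
    out = []
    for tok in value.split(","):
        t = tok.strip()
        if t == src:
            t = dst
        elif t == src + "ip":
            t = dst + "ip"
        out.append(t)
    return ",".join(out)


def clone_rules(config_xml: str, src_key: str, dst_key: str):
    """Rules bound only to src_key are cloned (new uuid, macros rewritten,
    inserted right after the original so evaluation order is preserved);
    rules shared between src_key and other interfaces just get dst_key added.
    Floating rules (empty <interface>) and everything under <nat> are untouched."""
    root = ET.fromstring(config_xml)
    keys = {child.tag for child in root.find("interfaces")}
    if src_key not in keys or dst_key not in keys:
        raise ValueError(f"unknown interface key; known: {sorted(keys)}")
    filt = root.find("filter")
    counts = {"cloned": 0, "extended": 0}
    for rule in list(filt.findall("rule")):      # snapshot: we insert while looping
        iface_text = rule.findtext("interface", "") or ""
        ifaces = [t.strip() for t in iface_text.split(",") if t.strip()]
        if src_key not in ifaces:
            continue
        if ifaces == [src_key]:
            new = copy.deepcopy(rule)
            new.set("uuid", str(uuid.uuid4()))
            new.find("interface").text = dst_key
            for net in new.iter("network"):
                if net.text:
                    net.text = _swap_tokens(net.text, src_key, dst_key)
            descr = new.find("descr")
            if descr is not None:
                descr.text = f"{descr.text or ''} (cloned from {src_key})"
            filt.insert(list(filt).index(rule) + 1, new)
            counts["cloned"] += 1
        elif dst_key not in ifaces:
            rule.find("interface").text = ",".join(ifaces + [dst_key])
            counts["extended"] += 1
    return ET.tostring(root, encoding="unicode"), counts


def rule_summary(config_xml: str):
    """Compact view of the filter rules, in evaluation order."""
    root = ET.fromstring(config_xml)
    return [
        {
            "uuid": r.get("uuid"),
            "interface": r.findtext("interface", ""),
            "descr": r.findtext("descr", ""),
            "networks": [n.text for n in r.iter("network")],
        }
        for r in root.find("filter").findall("rule")
    ]


if __name__ == "__main__":
    new_xml, counts = clone_rules(SAMPLE_CONFIG, "opt1", "opt2")
    print(counts)
    for row in rule_summary(new_xml):
        print(row)
```

Rules are evaluated in order with first match winning, which is why each clone is inserted directly behind its original rather than appended. Outbound NAT and port forwards live under `<nat>` and still need their own copies.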

11
22.1 Legacy Series / Re: os-ddclient
« on: September 14, 2022, 10:38:07 am »
I'm in the no-ip.com boat, and am using groups. This piece of information https://www.noip.com/support/knowledgebase/limit-hostnames-updated-dynamic-dns-client/ is what helped me:

Quote
Some clients don’t like a colon( : ) character as a separator, you can use the url encoded colon character %3A, %23, or # if you run into this issue.

As noted above, the OPNsense UI does not do a good job, substituting %3A was rejected there. Also, I was getting badauth from debugging on the commandline before the change.

So the login parameter in /usr/local/etc/ddclient.conf needs this. Note the login line has %3A instead of a colon between groupname and username. Also, I don't explicitly specify an interface since my OPNsense is an exposed host behind another router.


Code:
syslog=yes                  # log update msgs to syslog
pid=/var/run/ddclient.pid   # record PID in file.
ssl=yes

# the Inet interface is implicit
use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t 0 -s noip-ipv4",
protocol=noip, \
login=group%3Anom@example.com, \
password=NunAYurBusiness \
example.ddns.net

12
21.7 Legacy Series / Re: [SOLVED] Wireguard, Interfaces and Assignments: can't reenable instance
« on: April 22, 2022, 10:01:46 am »
Short version, if you have more than one Local instance of wireguard, any Endpoint belonging to one of the servers must not have more than the TunnelIP address /32 assigned to it. If it has, like in 10.10.10.5/32 192.168.1.0/24 then this happens: the wg instance will not show in "List Configuration", it will not start, and there is no error message to be found, not even in "sudo wg show".

So fixing this is simple, check your endpoints if it happens to you. Once the wg instance comes up, you will see the "new" instance in Interfaces > Assignments.

So this is interesting, and I let myself be led by various tutorials available on the internet into getting into these troubles. They say to "restrict" the client after connection to accessing a certain network range, add the 192.168.1.0/24 range to the endpoint definition. That might work for single instance setups, but does not work for me with many.

(I guess I need to read more on cryptokey routing and all the interface types involved.)
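An added example (not from the posts above, and not OPNsense's or WireGuard's code) of the cryptokey-routing arithmetic that the [SOLVED] thread and this follow-up are about: each instance's peers are read in the format `wg showconf` prints, a per-interface table is built the way WireGuard does it (a prefix belongs to exactly one peer per interface, the last peer listed wins), and the script reports prefixes that collide across instances and peers carrying more than their own /32. The two configs, the peer names standing in for public keys, and all addresses are constructed.

```python
"""Audit AllowedIPs across several WireGuard instances.  Added example; the
configs below are constructed in `wg showconf` format."""
import ipaddress

# Constructed: two instances, both handing the same LAN prefix to a peer.
CONFS = {
    "wg0": """\
[Interface]
ListenPort = 51820
PrivateKey = <redacted>

[Peer]
PublicKey = peerA
AllowedIPs = 10.10.10.5/32, 192.168.1.0/24

[Peer]
PublicKey = peerB
AllowedIPs = 10.10.10.6/32
AllowedIPs = 192.168.1.0/24
""",
    "wg1": """\
[Interface]
ListenPort = 51821
PrivateKey = <redacted>

[Peer]
PublicKey = peerC
AllowedIPs = 10.20.20.5/32, 192.168.1.0/24
""",
}


def parse_wg_conf(text: str):
    """Return [{'pubkey': ..., 'allowed': [ip_network, ...]}, ...] in file order.
    Splits on the first '=' only, so base64 padding in keys survives."""
    peers, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            cur = {"pubkey": None, "allowed": []} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
            continue
        if cur is None or "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        if key.lower() == "publickey":
            cur["pubkey"] = val
        elif key.lower() == "allowedips":
            cur["allowed"] += [ipaddress.ip_network(v.strip(), strict=False)
                               for v in val.split(",") if v.strip()]
    return peers


def lookup(table: dict, ip: str):
    """Cryptokey routing: longest matching AllowedIPs prefix picks the peer a
    packet leaving this interface is encrypted to; None means it is dropped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, peer in table.items():
        if net.version == addr.version and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return best[1] if best else None


def audit(confs: dict) -> dict:
    tables, duplicates, wide, cross = {}, [], [], []
    for name, text in confs.items():
        table = {}
        for peer in parse_wg_conf(text):
            for net in peer["allowed"]:
                if net in table and table[net] != peer["pubkey"]:
                    # WireGuard moves the prefix to the later peer silently.
                    duplicates.append((name, str(net), table[net], peer["pubkey"]))
                table[net] = peer["pubkey"]
                if net.prefixlen < net.max_prefixlen:
                    wide.append((name, peer["pubkey"], str(net)))
        tables[name] = table
    names = list(tables)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na, pa in tables[a].items():
                for nb, pb in tables[b].items():
                    if na.version == nb.version and na.overlaps(nb):
                        # Both interfaces would claim the kernel route for this prefix.
                        cross.append((a, pa, str(na), b, pb, str(nb)))
    return {"tables": tables, "duplicates": duplicates, "wide": wide, "cross_overlaps": cross}


if __name__ == "__main__":
    result = audit(CONFS)
    for key in ("duplicates", "wide", "cross_overlaps"):
        print(key, result[key])
    print("wg0 192.168.1.7 ->", lookup(result["tables"]["wg0"], "192.168.1.7"))
```

Feed it the output of `wg showconf wgN` for each instance; an entry under `cross_overlaps` is the multi-instance situation the post describes, and `duplicates` shows where the same prefix was quietly taken away from an earlier peer on one interface.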

13
21.7 Legacy Series / Re: Can't get Internet access from 2nd LAN
« on: April 07, 2022, 01:11:36 pm »
In the time that passed, did you solve your problem yet hushcoden? It likely has to do with outbound NAT.

If the default deny rule hits, it's often because in Firewall -> NAT -> Outbound the main setting is very restrictive, in that your manual rules are not evaluated. Pragmatically that can be set to "Hybrid", such that "Automatic rules are added, but additional manual rules can be added as well."

See here: https://docs.opnsense.org/manual/nat.html#outbound

14
German - Deutsch / Re: OPNsense / *sense (Online) Usergroup?
« on: April 06, 2022, 05:04:53 pm »
I'd like to join too, in future. Health is clearly more important, though!

15
21.7 Legacy Series / [SOLVED] Wireguard, Interfaces and Assignments: can't reenable instance
« on: April 06, 2022, 04:36:15 pm »
So I had several Wireguard instances configured, on different ports, and things worked well. For testing I disabled one of the wireguard "servers". This instance wg1 stopped working, test completed. The other continued to work.

Now, in VPN > Wireguard > Local the box for wireguard1 is checked again, and the interface shows in Interfaces as wireguard1. It is enabled as far as the information available here says.

But, in Interfaces > Overview it is marked as "down", and in Assignments wg1 shows as being assigned to re0 (and a real MAC) instead of wg1 and 00:00:00:00:00:00. wg1 is not shown and not listed in the dropdown list for re-assigning. The interface wireguard1 did not have an IP address configured.

So even though it is an enabled instance (as per VPN), and the interface shows, it cannot be used now that I turned it off.

How can I enable it again such that I can assign wg1 to the interface again, and it will actually work and show in VPN -> Wireguard -> List Configuration (or sudo wg show)?

Rebooting the machine, restarting all services, and disabling and re-enabling wireguard or the interface did not improve the situation. What have I missed? What to do now?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved