I tried different things and it does not work, even with "Type: Remote Host". I think I will try my chance with cron instead of Monit.
Services: Monit: Settings: Service Tests Settings
Name: ping_failed_cloudflare
Condition: failed ping4 address 1.1.1.1 count 5 with timeout 5 seconds
Action: Alert
Services: Monit: Settings: Service Settings
Enable service checks: checked
Name: reload_wan
Type: Custom
Path: /usr/local/sbin/ifctl
Start:
Stop: /usr/local/sbin/ifctl -r opt2
Tests: ping_failed_cloudflare
Depends:
Description: Reload WAN interface if ping to Cloudflare DNS fail.
Quote
Test ping_failed_cloudflare with type Network Ping not allowed for this service type

How to make it work?
Quote from: Patrick M. Hausen on January 23, 2025, 07:16:16 AM
Move the web UI to a port other than 443 and disable the HTTP --> HTTPS redirect.

Thank you Patrick, I did just that and added the port to the OPNsense HAProxy backend and it seems to work. Great!

Quote from: dseven on January 23, 2025, 10:49:40 AM
OP, do you have your (System -> Settings -> General -> System -> Domain) set to "mydomain.com"? If so, I think you may be confused because Unbound host overrides are not really true overrides - they are more like additional host records in the local DNS server. If you add a host override for "opnsense.mydomain.com", a DNS query for that would return that additional record BUT ALSO the default (automatically generated) system records for your firewall itself, and your browser may choose to use one of the default records.

It is exactly my situation. It sometimes uses the Unbound DNS override, but almost all the time the system DNS record.

Quote from: dseven on January 23, 2025, 10:49:40 AM
You could potentially hack around this with (Services -> Unbound DNS -> General -> Do not register system A/AAAA records).

For now, I will try Patrick's solution. If I encounter some problems with this setup, I will look into it, thanks.

Quote from: dseven on January 23, 2025, 10:49:40 AM
I would caution a bit against convoluting admin access to your firewall, though - it may come back to bite you some day, when something goes wrong, and you can't easily get into your firewall to fix it.

In this case, I just have to use https://ip_address:port or https://opnsense.mydomain.com:port to bypass HAProxy. It's a simple home setup. But it's always great to have explanations to become more aware of weaknesses.

Quote from: dseven on January 23, 2025, 10:49:40 AM
Personally I think it's probably not a great idea to try to have "mydomain.com" resolve differently internally vs externally. I use "subdomain.lan" as my internal domain (I have a couple of locations, with different subdomains). Proxied stuff could still be accessed using "mydomain.com" URLs by enabling (Firewall -> Settings -> Advanced -> Reflection for port forwards). If your browser might be on the same LAN subnet as the proxy, you may also need "Automatic outbound NAT for Reflection", though that has the side-effect of making internal connections appear to come from the firewall's address, not the actual client's. I have my proxy in an isolated VLAN, which mitigates that issue, as well as being a bit more secure (I have firewall rules to control what the proxy host can access internally).

Yes, I wanted to use the same domain externally and internally, but it makes my HAProxy configuration more complex. I do not have much time to rethink my setup at the moment, but you're right, it would be more secure to use another subnet for all my servers.

2023-05-22T23:21:31 Notice ddclient[33961] 94731 - [meta sequenceId="3"] FAILED: Unable to obtain information for 'vlan0.83' -- missing ip or ifconfig command
2023-05-22T23:21:31 Notice ddclient[33961] 93072 - [meta sequenceId="2"] FAILED: Unable to obtain information for 'vlan0.83' -- missing ip or ifconfig command
2023-05-22T23:21:31 Notice ddclient[33961] 92075 - [meta sequenceId="1"] FAILED: Unable to obtain information for 'vlan0.83' -- missing ip or ifconfig command

Quote from: marcquark on April 30, 2023, 09:58:12 AM
Yes, I want to use another, simpler, IPv6 link-local address. Like fe80::1/64. It is possible on Cisco routers for example.
It should be there already, check out Interfaces->Overview, it should display the link-local address. The address is deterministic, it's based on the interface's MAC address (EUI-64).

Quote from: meyergru on April 30, 2023, 11:02:05 AM
Ok, thank you.
Theoretically, fe80::1/64 is a perfectly legal address and you should be able to set it, but it does not seem to be possible from OPNsense GUI as a VIP.
You could modify the interface MAC in order to get another EUI-64 from that, but it contains ff:fe in the middle.
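
The EUI-64 derivation discussed in the posts above, as an added example that is not part of the original thread: it builds the link-local address from a MAC and reverses it, showing why no MAC change can yield fe80::1 (its interface identifier lacks the ff:fe marker). The function names and the sample MAC are constructed for illustration.

```python
import ipaddress


def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Derive the modified EUI-64 link-local address from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the OUI half and the device half of the MAC.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    prefix = bytes.fromhex("fe80") + bytes(6)  # fe80::/64
    return ipaddress.IPv6Address(prefix + iid)


def link_local_to_mac(addr: str):
    """Return the MAC encoded in an EUI-64 link-local address.

    Returns None when the interface identifier has no ff:fe marker,
    i.e. the address was assigned manually or generated some other way.
    """
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        raise ValueError(f"not a link-local address: {addr!r}")
    iid = ip.packed[8:]  # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    sample_mac = "00:11:22:33:44:55"  # constructed sample value
    derived = mac_to_link_local(sample_mac)
    print(sample_mac, "->", derived)
    print(derived, "->", link_local_to_mac(str(derived)))
    print("fe80::1 ->", link_local_to_mac("fe80::1"))
```

Because the reverse mapping recovers the MAC exactly, an EUI-64 link-local address discloses the interface's hardware address to anyone on the link.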