Topics

Can I run my own automation script in the acme plugin? It seems to only have a list of commands to choose from.
thanks! Till

Hi,
according to the docs:
https://docs.opnsense.org/development/api/core/trust.html
There is a raw_dump function. I assume it can be used to export a full certificate incl private key?
When I try to use it, it returns 404.
Does it exist?
I have a dedicated "api" user with the privileges: "System: Certificate Manager"
I have successfully tested it and parsed out the UUID by using:

Code Select Expand

CERT_UUID=$(curl -s -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/search" | jq -r '.rows[] | select(.commonname == "<my common name>") | .uuid')Now when I run:

Code Select Expand

curl  -v -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/raw_dump?uuid=$CERT_UUID"it returns 404.
Any hint?
I am running on 25.1.10.

thank you!

I had a couple of situations recently where my firewall got very unresponsive on some services incl the Web UI. Logging into the Web UI then takes up to a minute.
The only thing that helped getting back to normal was a reboot then. How can I diagnose what'S going on?
Some logs on the CLI which I could monitor when it happens?
The system is a an Atom CPU C3558 @ 2.20GHz (4 cores, 4 threads) with 64Gb RAM and ZFS mirrored boot device, latest version installed, all updates.
It does run Zenarmor an I have seen mongod consuming quite some CPU cycles but normally that isn't an issue.
Any hint on how to track this down next time it happens is appreciated.
TIA!

Anyone got a hint for me?
I use the ACME client to manage a number of certificates.
I would like to have an automation that sends me an email when a particular certificate has been renewed.
Any idea how to do that?
I thought about using monit in any way for that but have no clue how.
Thanks for any hint.
-Till

When I change from ddclient to native client, do I need to recreate all host records? Because the logs still show "ddclient" as process being used.
Thanks!

I think I have been spoiled by all the smooth upgrades I had in the past. This time it was all but smooth.
The server went unresponsive multiple times (had to hard-reboot), web gui not responding, LAN interface got unresponsive after a few minutes being up. I finally have it running now, but still occasionally can't connect to the web UI.
I have submitted a crash report. What else can I do to help?

I also now have this error message popping up in backend log every hour:

Code Select Expand

[07bbd436-4c8f-446a-9205-24455d9ba5f5] Script action stderr returned "b'Traceback (most recent call last):\n File "/usr/local/opnsense/scripts/OPNsense/Zenarmor/sensei-db-version.py", line 11, in <module>\n from packaging import version\nImportError: cannot import name \'version\' from \'packaging\' (unknown location)'"
Is Zenarmor fully supported with this release?
Thank you for your great work!

I think this has been asked before (can't find the thread anymore) but maybe something has changed:
Is there any plan to support API access to the certificate store? I would love to utilise the acme plugin to manage all my certificates, not only those used on the firewall. But then I need some automated way to retrieve them after renewal.
Is there any workaround? Maybe someone has a shell script that exports the certificate locally and then I can scp it from the machine?
Thanks! Till

Has anyone already done some phpIPAM integration into OPNSense? Both tools have open API's.
I wonder if I could build something like:
- creating a new device with a static IP in phpIPAM will aotmatically create an DHCP entry in OPNSense for the static v4 IP.
Anyone?
Thanks!

Did anyone already look into the newly lounged DNS0.EU initiative? Sounds like a good European alternative to NextDNS or the like. -Till

Does anyone have experience in updating spdns combined hosts (IPv4 & IPv6 with a single update token) with ddclient?
The update URL looks like this:

Code Select Expand

https://update.spdyn.de/nic/update?hostname=Domain&myip=IPv4Address,IPv6Address&user=hostname&pass=update-token
Do I need to go for custom with this?

Thanks!

I was on 23.1 for a few days and today I was offered an updated ddclient package, so I installed.
Since then web UI doesn't start anymore.
When restarting all services via SSH, I get the following output which indicated problems with ddclient.
Can someone help me to recover from that? I am not really deep into freebsd CLI. thank you!

Code Select Expand

FAILED:   updating <domian_replaced>: unexpected status (14)
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient line 4105.
Use of uninitialized value $_[0] in sprintf at /usr/local/sbin/ddclient line 2163.
WARNING:  updating : nochg: No update required; unnecessary attempts to change to the current address are considered abusive
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient line 4114.
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient line 4115.
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient line 4116.
Use of uninitialized value $h in hash element at /usr/local/sbin/ddclient line 4105.
Use of uninitialized value $_[0] in sprintf at /usr/local/sbin/ddclient line 2163.
FAILED:   updating : unexpected status (0)
Use of uninitialized value in string ne at /usr/local/sbin/ddclient line 1157.
Use of uninitialized value in string ne at /usr/local/sbin/ddclient line 1157.

FAILED:    was not updated because protocol <undefined> is not supported.

Team,
this is a problem I have for more than a year, so it is not specific to the current version. Nevertheless I wonder how to either fix it or work around it.
My setup is an external VDSL modem with OPNSense initiating a PPPoE session on it.
Unfortunately, the line is suffering from temporary instabilities. So it may break down and OPNsense re-establishes the connection a minute later. The problem I have is that in those cases, IPv6 adress assignment via track interface often fails. I assume this i some kind of timing problem. I can manually fiy this by reloading the PPPoE  via Interfaces->Overview->WAN-> PPPoE reload.
However this is a cumbersome manual procedure.
Any ideas?

thanks, Till

Hi,
just realized - no matter what I put into the alias dialog, nothing shows up under host override -> alias afterwards. The list stays empty.
Is this a bug?

thanks! Till

As always, I struggle to find out if alll the plugins I run will be compatible with 22.1.
Is there any way to figure out without trial/error?

thanks!

For a specific use case, I run a forward proxy server on OPNsense.
However, those clients using the proxy, seem to bypass Zenarmor.
Any recommendation how to configure it to work with a locally installed proxy?

thanks!

I need a quick inspiration:
On IPv4, i can easily create a rule that allows internet access to a certain VLAN and excluding access to other local networks by inverting the destination.
With IPv6 (track interface), I don't have static networks. How would I craft a rule to achieve the same which would work with any IPv6 network assigned to the other interfaces?

thanks, Till

Hallo,
hat irgendjemand ähnliche Erfahrung gemacht das der Zugriff auf die Mediatheken vom SmartTV plötzlich hakt? Hat sich durch eines der letzten OPNSense updates da irgendwas verändert?
Ich steh da grad ein bisschen auf dem Schlauch.
VG!

Hi,
for a while already I have the problem that one of my firewalls won't update via UI anymore.
It always resonds with

Code Select Expand

"Timeout while connecting to the selected mirror."
Updating from shell works. Though it throws a warning:

Code Select Expand

Fetching change log information, please wait... fetch: transfer timed out
fetch: /tmp/changelog/changelog.txz.sig appears to be truncated: 0/1332 bytes

Checking that folder, it is indeed empty:

Code Select Expand

root@OPNsensemil:~ # ls -la /tmp/changelog/
total 8
drwxr-xr-x  2 root  wheel   512 Feb 10 13:01 .
drwxrwxrwt  6 root  wheel  1024 Feb 10 12:59 ..
root@OPNsensemil:~ #

Any advise how to fix this?
I am on 21.1, but this problem existed before.

Update:
this seems to be similar to this:
https://forum.opnsense.org/index.php?topic=21087.msg98506#msg98506

thanks, Till

Not sure if the topic attracts a reader but let me give it a try:

I have, since a few months, the problem that my VDSL connection breaks once or twice a day.
My setup so far was OPNsense with pppoE on WAN -> Draytek Vigor 165 as modem.
It's not only the pppoe that breaks, it is the DSL wich re-syncs and then 2 min later the connection is back.

I replaced the modem - > same issue.
I called the ISP, they came and changed the port in the DSLAM and also the a different pair of cables.
-> same issue.
So I bought an original Telekom Smart 3 router, put it into modem only mode and tried that -> same issue.
So finally, I put the Telekom Smart 3 back into router mode, reconfigured OPNsense to not use pppoe but just send packets to the Telekom router. -> Now the connection is stable.
How can that be? Did OPNsense 20.7 introduce some major changes to the pppoe client that brakes my connection? I can't imagine. I am a bit out of ideas and want my old setup back but I need to get it stabilized (was running well before). I can't really say if this started with the 20.7 upgrade, but it falls into the same timeframe.
Any feedback, suggestions are highly appreciated!
cheers, Till

I am currently testing Sensei on my system and realized that it often switches back to bypass mode automatically.
Why is that?
My VDSL connection is a bit unstable which leads to frequently changing IPv6 addresses on my LAN interfaces. Could that be a reason?
thanks! Till