Messages - hbc

121
20.1 Legacy Series / CARP with dual stack and different VHIDs
« on: April 06, 2020, 02:45:23 pm »
Till version 19.x I had the same VHID for ipv4 and ipv6 addresses on same interface, so that in a case of failover both address families failover.

Since opnsense version 20.x you are forced to use different VHIDs for ipv4 and ipv6 on same interface. Today I triggered a failover (temporarily disable carp) and while all ipv4 addresses on backup node moved to MASTER, the ipv6 addresses kept BACKUP.

Any ideas why? Else I would have to manually edit the config.xml to have same VHIDs again, since gui prevents this since 20.x.

122
Tutorials and FAQs / Re: Port Forwarding Rules Organization/Grouping
« on: April 06, 2020, 11:48:21 am »
Unfortunately not. These separators are really a feature, that I like pretty much on my pfSense installation and I miss in OPNsense. Not just for NAT, also in rules.
In OPNsense there is no equivalent for NAT at all and in rules is just a category filter that does not allow this intuitive grouping, like it can be done with separators.

Maybe you should open a feature request on github.

123
20.1 Legacy Series / Re: IPSec - Multiple phase 1 configuration issue
« on: April 02, 2020, 10:11:53 pm »
Just use the /usr/local/etc/ipsec.opnsense.d directory for your manual configuration files. They get included and are not affected by GUI changes.
Different lease pools for groups, dual-stack pools, eap-radius, etc. There you can use whole bunch of strongswan features that are not accessible by GUI.

There exist also strongswan.opnsense.d and ipsec.secrets.opnsense.d

124
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: April 02, 2020, 09:54:24 pm »
@t.mayer: you are not alone with your problem. I have a similar setup. Squid, transparent, log sni, remote blacklists, local whitelists.

I tried several settings and finally had to disable transparent proxy for https. Maybe a bug in squid.

Even local domains were whitelisted, squid generated a self-signed certificate in log only mode. Pretty strange.

I hope it will be fixed sometime. ATM just users that have static proxy or get it via wpad or option 252 are logged by proxy.

125
German - Deutsch / Re: NICs are not detected, Intel 82599 not on HCL
« on: March 27, 2020, 12:15:28 pm »
Is there any dmesg output, if you load drivers manually on cli:

Code:
kldload /boot/kernel/t4fw_cfg.ko
If you need TOE then you need to load t4_tom.ko, too.

126
20.1 Legacy Series / Re: Dashboard widgets spanning multiple columns? How?
« on: March 24, 2020, 11:32:08 am »
Ok, you have a malfunction. What I need is a solution.

127
20.1 Legacy Series / Re: CARP VHID Groups
« on: March 24, 2020, 11:12:55 am »
Quote from: mimugmail on March 24, 2020, 10:44:52 am
Quote from: hbc on March 24, 2020, 09:07:32 am
Quote from: mimugmail on March 24, 2020, 06:52:34 am
I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.

Or IPv6 running. Version 19.x allowed to use same VHID for IPv4 and IPv6. Used it to force common failover of both ip families.

20.X does not allow use of same VHID for IPv4 and IPv6. So need to waste more (double) VHIDs. I hope it just must be unique per interface. Else with many vlans, ipv6 and other vrrp/carp devices in network that must not overlap, 256 VHIDs are depleted pretty quick.

Really? Do you have a link to the issue why this was changed?

https://github.com/opnsense/core/issues/3732

Quote
since the internal key is per interface+vhid it won't support overlap

128
20.1 Legacy Series / Re: CARP VHID Groups
« on: March 24, 2020, 09:07:32 am »
Quote from: mimugmail on March 24, 2020, 06:52:34 am
I'm not really sure what your problem is? When you have more than one VHID on an interface you have an error in your design.

Or IPv6 running. Version 19.x allowed to use same VHID for IPv4 and IPv6. Used it to force common failover of both ip families.

20.X does not allow use of same VHID for IPv4 and IPv6. So need to waste more (double) VHIDs. I hope it just must be unique per interface. Else with many vlans, ipv6 and other vrrp/carp devices in network that must not overlap, 256 VHIDs are depleted pretty quick.

129
German - Deutsch / Re: NICs are not detected, Intel 82599 not on HCL
« on: March 23, 2020, 01:52:05 pm »
Quote
My favourites would be Chelsio 110-1120-40 PCIexpress 8x Dual port 10Gbps T420-CR Network Card.

And what speaks against the T420-CR? We only have T540 quad-ports in use, but with the corresponding entries in /boot/loader.conf.local it runs without problems:

Code:
# load Chelsio NIC driver
t5fw_cfg_load="YES"
if_cxgbe_load="YES"

For the T4XX it would then be analogous:

Code:
# load Chelsio NIC driver
t4fw_cfg_load="YES"
if_cxgbe_load="YES"

130
20.1 Legacy Series / Dashboard widgets spanning multiple columns? How?
« on: March 23, 2020, 10:01:13 am »
Hi all,

I created some dashboards with 19.x series in a 3col layout and had some widgets spanning three columns. Now with 20.1 I wanted to rearrange existing ones and add new widgets, but I do not manage any more to span more columns?
Was there anything changed, so that only 1col widgets are possible or is there a trick to do multi cols?

I checked config.xml and did not find any special tag that seems to handle col layout. But when I restore dashboard from old config, I can restore my old multi-col layouts. So where does it determine how many cols to span? Then I could at least hack it via config.xml.

Any hints?

131
20.1 Legacy Series / Re: HA sync not automatically anymore
« on: March 12, 2020, 10:07:42 pm »
Is the cronjob implemented? Then I can set it to 5 mins... But an option for autosync is still a better solution and more Enterprise solution like.

132
20.1 Legacy Series / Re: HA sync not automatically anymore
« on: March 12, 2020, 07:43:34 pm »
Make it an option.

This manual sync is really a showstopper. Not everybody uses weak consumer mini pcs for OPNsense. Companies like us run it on multi-core 19" server for thousands of users and never had slow gui issues.

But the issue that would occur in case of failover when the ruleset is unsynced will be much greater than a slow gui.

133
20.1 Legacy Series / Re: HA sync not automatically anymore
« on: March 10, 2020, 10:06:46 am »
Yes, the missing auto-sync is really one step backwards. I forget sync so often. I pray to god, that failover never occurs in these unsync'ed moments and chaos starts.

A blue pop-up? There should be a big, big permanent reminder until sync is really done.

134
20.1 Legacy Series / Re: Set MTU Size on VLAN Interface
« on: March 08, 2020, 10:14:57 pm »
It's not a cronjob and I assume, it should be triggered on every kind of (re)boot.
There is a syshook for start

https://docs.opnsense.org/development/backend/autorun.html

135
General Discussion / Re: How to remove DHCP reservation from removed interface?
« on: March 08, 2020, 10:10:59 pm »
Right, it's /conf directory.
