Messages

In short, neither opnsense nor port forwarding are "broken".

You seem to be a bit confused about how SSL actually works however. :)

What cert do you see connecting from outside to https://domain.space and what cert do you receive when connecting from inside to https://server_IP ?

Also, you can safely remove the OPNSense WEBGUI cert from that server, it's utterly irrelevant to the whole setup.

what about the first one (where it seems that OPNSense is intercepting / not routing the address)?

Something doesn't add up here, you're mentioning port forwarding tutorials then asking about SSL intercept.

Which is the actual setup that you have in place right now ?

Are your speeds consistent and under 100Mbps in either direction ?

Can you provide some iperf data beetween hosts over the tunnels ? That is, not host to firewall.

That is correct. Note that you can have one or more SANs, most common being hostname + fqdn.

Also please edit your thread title to something that resembles SSL Issue - as it stands is highly misleading  ;)

The CN and/or SANs you're using on the public cert must match mycloud.mydomain.space in your example.

For public certs the SANs are what matters nowadays, so at the very least make sure your CN and SAN are defined as you can see in the forum.opnsense.org certificate.

Started seeing [HBSD SEGVGUARD] for Unbound since 18.7.10 came out however I'm unsure what's causing it. On one machine it helped reinstalling Unbound, however all others are still randomly seeing it at various intervals, both on VMs and APU hardware.

Since all the configuration is identical: no System defined DNS and only 1.1.1.1 and 9.9.9.9 over TLS is defined in Options according to the pfsense blog post last year when 1.1.1.1 was announced - I'm a bit unsure where the issue actually is as I couldn't see anything in the logs with increased verbosity.

The python segvguard is new to me however, although all the other bits match for the Unbound error:

Suspension expired and SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT

That being said, the problems with Unbound started a while back therefore there's no direct correlation between your Internet outage and anything else.

[lattera]

The worst thing about it is that the devs have no error logs about what went wrong, and while the best assumption right now would likely go towards a regression on the BSD side of things we'll never really know...

As for the upgrade experience overall, I wouldn't pin an opinion on a failed upgrade and for what it's worth given the extent of the changes in 19.1 and the addition of HBSD thanks to the great work put in by lattera and his team I would say that overall it's been quite stellar, with a few minor glitches and regressions that were at the end of the day to be expected given time and resources.

Glad it all worked out for you though.

That sounds like a BIOS/coreboot issue, what hardware are you running it on ?

The better solution is a proper testing environment. If all your options are "Testing in Production" then it will always be a gamble and no 'guru' will ever be able to help.

The most appropriate way to do it if production is the only option would be to engage the vendor support team - probably Deciso in this case ? - to assist with the upgrade process.

The post above yours would have been a good starting point... ::)

Do you have the same monitor IP on multiple interfaces ?

Can you try selecting OpenSSL, Save, check for updates, 12 and confirm with 19.1 ?

Note that a few reboots will happen automatically and you should be on 19.1.1 at the end

Your info is allover the place and likely unrelated...

Please do a 12 in the console and ensure you're on 19.1.1 before anything else.

You can always boot 19.1 from a stick in live mode and test things out without changing anything on the box.

If things look good you can even do a new install importing the config in the process.