Messages - bubbagump

#31
Development and Code Review / Understanding API docs
March 19, 2021, 01:39:34 PM
I want to automate a few items to toggle routes and other simple things via the API. The first item I am trying to do is toggle enable/disable an alias. (Toggle alias on, a certain host in the alias matches a conditional route and routes out gateway B. Toggle off, it routes out gateway A.)

I have a user and API access is working. For instance, I ran

curl -k -u "sometoken":"somekey" https://192.168.40.2/api/firewall/alias/getAliasUUID/SomeAlias
and voila I got back

{"uuid":"44724741-c37e-419a-9fa2-3aad79111335"}

Fantastic. Auth works.

Now I am completely lost on making the POST. I tried this based on the POST example here https://docs.opnsense.org/development/how-tos/api.html.

curl -XPOST -d '{"ed8a5bf8-861a-4307-a7b4-df1b2a727d18":"null"}' -H "Content-Type: application/json" -k -u "sometoken":"somekey" https://192.168.40.2/api/firewall/alias/toggleItem

and I get

{"message":"action toggleItem expects at least 1 parameter(s)","status":400}

which I half expect as I have no clue what values to put in. The docs say Parameter $uuid,$enabled=null. Great, I have a uuid, what values are allowed for $enabled? I have tried true/false, 1/0. Is there a table somewhere that describes these values? Or am I so green there is some convention here that a real dev would understand that I don't? Thanks!
#32
This is an embarrassing one. Somehow my WAN interface had an MTU of 576 - and for all I know it's been like that forever. I had never set an MTU and that must be what the modem or who knows negotiates with the firewall. I hard set the WAN to 1500 and everything works. I'll be over here with my working VPN and my shame.
#33
I have a working Wireguard tunnel to Mullvad - mostly. I have not set an MTU anywhere but the Wireguard interface shows an MTU of 496 which is bizarrely low. I cannot connect to most sites due to this low MTU and I have confirmed that that is indeed the MTU by running ping -i 0.1 -D -g 300 -G 1500 8.8.8.8. Sure enough when I hit 497, pings die. I have tried setting the interface and the Wireguard Local MTU to 1420 (the usual default) and then no traffic passes. I am stumped. Any thoughts on what's going on and how to get a normal/usable MTU?
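The arithmetic that ties the two posts above together (the 496 tunnel MTU in #33 and the 576 WAN MTU found in #32), as an added Python example that is not from the thread or from OPNsense. The header sizes are protocol constants (IPv4 20, IPv6 40, UDP 8, WireGuard data message 32 bytes); the rule that WireGuard tooling derives the tunnel MTU by subtracting the IPv6 worst case of 80 bytes from the underlay MTU is an assumption that matches the 1420 default quoted in the post. The `largest_passing` sweep mirrors the `ping -D -g 300 -G 1500` probe, but runs against a constructed stand-in for the path rather than the network.

```python
"""WireGuard MTU arithmetic behind the 576 / 496 / 1420 figures in the thread.

Added example, not from the thread or OPNsense.  Assumption: tooling takes
the WAN MTU and subtracts the IPv6 worst case (80 bytes), which is how
1500 becomes the familiar 1420 and 576 becomes 496.
"""
IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
WG_DATA_HEADER = 16 + 16   # type + receiver index + counter (16) and the Poly1305 tag (16)
ICMP_HEADER = 8


def wireguard_overhead(ipv6_underlay: bool = True) -> int:
    """Bytes added to every tunnelled packet: 60 over IPv4, 80 over IPv6."""
    outer = IPV6_HEADER if ipv6_underlay else IPV4_HEADER
    return outer + UDP_HEADER + WG_DATA_HEADER


def tunnel_mtu(underlay_mtu: int, ipv6_underlay: bool = True) -> int:
    """Tunnel MTU that auto-configuration derives from the WAN MTU (assumed rule)."""
    return underlay_mtu - wireguard_overhead(ipv6_underlay)


def underlay_mtu_for(observed_tunnel_mtu: int, ipv6_underlay: bool = True) -> int:
    """Invert tunnel_mtu(): which WAN MTU produces the tunnel MTU you see?"""
    return observed_tunnel_mtu + wireguard_overhead(ipv6_underlay)


def fits_underlay(tunnel_mtu_setting: int, wan_mtu: int, ipv6_underlay: bool = True) -> bool:
    """A hand-set tunnel MTU only works if a full-size tunnel packet still fits the WAN MTU."""
    return tunnel_mtu_setting + wireguard_overhead(ipv6_underlay) <= wan_mtu


def ping_payload_for_mtu(mtu: int) -> int:
    """Largest `ping -s` payload an IPv4 MTU carries without fragmentation."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def largest_passing(can_pass, lo: int, hi: int):
    """Binary-search form of the `ping -D -g lo -G hi` sweep: the largest size
    in [lo, hi] that can_pass() accepts, or None.  Assumes one clean cutoff,
    as a path MTU limit gives (a lossy link would not)."""
    if not can_pass(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if can_pass(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def diagnose(observed_tunnel_mtu: int, expected_wan_mtu: int = 1500) -> dict:
    """Turn a suspicious tunnel MTU into the WAN MTU that explains it, and say
    whether the usual 1420 would even fit on that WAN."""
    inferred_wan = underlay_mtu_for(observed_tunnel_mtu)
    return {
        "inferred_wan_mtu": inferred_wan,
        "wan_mtu_is_normal": inferred_wan == expected_wan_mtu,
        "default_1420_fits": fits_underlay(1420, inferred_wan),
    }


# Constructed stand-in for the network path: sizes up to 496 pass, larger die.
def _constructed_path(size: int) -> bool:
    return size <= 496


if __name__ == "__main__":
    print(tunnel_mtu(576), tunnel_mtu(1500))               # 496 1420
    print(largest_passing(_constructed_path, 300, 1500))   # 496
    print(diagnose(496))
```

`diagnose(496)` infers a 576-byte WAN and reports that a 1420-byte tunnel MTU cannot fit on it, which is the "set 1420 and nothing passes" symptom; once the WAN is 1500 the same rule yields 1420 without any manual setting.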
#34
Quote from: 134 on March 16, 2021, 09:53:45 AM
Is there any estimate on when OpnSense will have Jason's implementation of WG? I'm currently fine with OpenVPN, but looking toward WG.

OPNSense already has it via the official Go module. It's not kernel based which is slightly (very slightly) slower, but it's secure and MUCH faster than anything else out there. Go Wireguard with reckless abandon now on OPNSense.
#35
Quote from: franco on February 25, 2021, 11:39:22 AM
Define "included". The kernel patch doesn't help anyone with the wireguard plugin yet so rushing this is not useful and creates false expectations.

Considering the Netgate cowboy kernel module fiasco, I will gladly take this approach any day of the week.

To say this is scathing is being kind.

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006494.html
#36
High availability / Re: CARP with DHCP on WAN
January 19, 2021, 11:01:26 PM
Quote from: sorano on January 19, 2021, 05:06:05 PM
I guess the plan is to have stateful failover on DHCP WAN?

Please update the thread if you find any good solutions as I would like to have the same.
Currently I just keep my WAN interfaces without CARP so when a failover occurs it drops all external sessions but at least I still have Internet access.

The plan is if the firewall is BACKUP then 'ifdown vtnet0' which is my WAN interface. If the firewall is MASTER then 'ifup vtnet0'. I don't expect this to be stateful nor do I plan to have CARP VIPs on the WAN interface. I simply want to use the CARP state to trigger an interface change.

It actually sounds like you are doing what I am after. How are you achieving that? For instance, just in basic testing on my BACKUP, if I run 'ifconfig vtnet0 down' all interfaces go down and 'ifconfig vtnet0 up' brings all interfaces up. It's bizarre.
#37
High availability / CARP with DHCP on WAN
January 18, 2021, 11:13:00 PM
This seems to be a pretty common topic, but I haven't found anything definitive. I have a DHCP address on my WAN. I have seen multiple workarounds involving spoofing MACs, using non-routable IPs on the WAN interface for CARP and others. It seems to me that simply doing an ifdown on the WAN interface of the backup firewall is fine for my use case.

The big question is, where should I create my notify logic? Can I do it directly in /usr/local/etc/devd/carp.conf or will that get overwritten with updates? Can I create another file /usr/local/etc/devd/mycustomtweaks.conf that will be safe from updates?
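A devd hook that does what the two CARP posts above describe (WAN down on BACKUP, up on MASTER), added here as a Python example; it is not code from the thread or from OPNsense and it does not answer the open question of which devd file survives updates. It assumes FreeBSD's devd CARP notification format (system `CARP`, subsystem `<vhid>@<ifname>`, type `MASTER`, `BACKUP` or `INIT`), the `vtnet0` WAN interface from the post, a constructed VHID of 1 and a constructed script path; `devd_rule()` returns the matching devd stanza. The `run` argument on `apply()` exists so the decision logic can be exercised without touching an interface.

```python
#!/usr/local/bin/python3
"""devd hook: follow one CARP VHID and take the WAN down on BACKUP, up on MASTER.

Added example, not the thread's or OPNsense's code.  Assumed: devd passes
"<vhid>@<ifname>" and the new state as $subsystem and $type (FreeBSD CARP
notification format).  WAN_IF comes from the thread; WATCH_VHID and the
script path in devd_rule() are constructed placeholders.
"""
import re
import subprocess
import sys
import syslog

WAN_IF = "vtnet0"          # WAN interface named in the thread
WATCH_VHID = 1             # constructed: the VHID whose state drives the WAN
IFCONFIG = "/sbin/ifconfig"
SUBSYSTEM_RE = re.compile(r"^(?P<vhid>\d+)@(?P<ifname>[a-z0-9.]+)$")


def parse_subsystem(subsystem: str):
    """'1@vtnet1' -> (1, 'vtnet1'); anything else is rejected."""
    m = SUBSYSTEM_RE.match(subsystem)
    if not m:
        raise ValueError(f"unexpected CARP subsystem string: {subsystem!r}")
    return int(m.group("vhid")), m.group("ifname")


def decide(subsystem: str, state: str, watch_vhid: int = WATCH_VHID):
    """Return 'up', 'down' or None (ignore) for one CARP event."""
    vhid, _ifname = parse_subsystem(subsystem)
    if vhid != watch_vhid:
        return None                              # some other VHID changed
    return {"MASTER": "up", "BACKUP": "down"}.get(state)   # INIT and unknown -> None


def devd_rule(vhid: int = WATCH_VHID, script: str = "/usr/local/sbin/carp-wan.py") -> str:
    """devd.conf stanza that invokes this script with $subsystem and $type."""
    return (
        "notify 0 {\n"
        '    match "system"    "CARP";\n'
        f'    match "subsystem" "{vhid}@[a-z0-9.]+";\n'
        '    match "type"      "(MASTER|BACKUP|INIT)";\n'
        f'    action "{script} $subsystem $type";\n'
        "};\n"
    )


def apply(action, ifname: str = WAN_IF, run=subprocess.run):
    """Run `ifconfig <ifname> up|down`; `run` is injectable for offline tests."""
    if action is None:
        return None
    cmd = [IFCONFIG, ifname, action]
    syslog.syslog(syslog.LOG_NOTICE, "carp-wan: " + " ".join(cmd))
    return run(cmd, check=True)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: carp-wan.py <vhid@ifname> <MASTER|BACKUP|INIT>")
    apply(decide(sys.argv[1], sys.argv[2]))
```

Because devd may deliver a burst of transitions during a flap, the script is idempotent: `ifconfig ... up` on an already-up interface is harmless, and INIT is deliberately ignored so a restarting node does not bounce its WAN. Note that downing a parent NIC also downs any VLAN children on it, so the interface named here needs to be the one carrying only the WAN.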
#38
I figured it out. Sigh.... I had a gateway set to a CARP VIP on the box that instead of trying to connect to the Master holding the VIP, it looped back to itself. I don't follow why specifically, but once I deleted the VIP off the Backup, everything worked.
#39
The title says it all. I can't seem to update the box and when I do I get the error "Could not authenticate the selected mirror."

I tried from the command line and got:

Fetching change log information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
3472375263232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/20.7/sets/changelog.txz.sig: Authentication error


That sent up a red flag - that's the self signed certificate on the box?!

Then I tried curl just to see what's up:

*   Trying 89.149.211.205:443...
* Connected to pkg.opnsense.org (89.149.211.205) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /usr/local/etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


DNS seems to resolve to the right IP and a connection is made. https://imgur.com/a/XtQVxTN

I'm stumped. Any ideas?
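Triage for this failure, as an added Python example that is not from the thread or from OPNsense. It reads the fetch and curl lines quoted above (embedded as a constructed sample), pulls out the subject DN the server presented, and classifies the failure; the rule that a self-signed certificate with `O=OPNsense` coming back from `pkg.opnsense.org` means the TLS session ended on an OPNsense web GUI rather than the mirror is an assumption drawn from the resolution in #38 (the gateway pointing at a CARP VIP that looped back to the box). `peer_cert_sha256()` is a separate diagnostic that fetches whichever certificate the host actually presents so it can be compared with the firewall's own GUI certificate; it is not used by the offline triage.

```python
"""Classify 'Could not authenticate the selected mirror' from its log lines.

Added example, not from the thread or OPNsense.  SAMPLE_LOG is constructed
from the fetch and curl output quoted in the thread; the O=OPNsense rule is
an assumption taken from the thread's resolution (traffic looping back to
the firewall itself).
"""
import hashlib
import re
import socket
import ssl

SAMPLE_LOG = """\
Fetching change log information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/20.7/sets/changelog.txz.sig: Authentication error
curl: (60) SSL certificate problem: self signed certificate
"""

DN_RE = re.compile(r"Certificate verification failed for (/\S+)")


def parse_dn(dn: str) -> dict:
    """OpenSSL one-line DN '/C=NL/ST=Zuid-Holland/...' -> {'C': 'NL', 'ST': ...}."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)


def triage(log_text: str, mirror_host: str = "pkg.opnsense.org") -> dict:
    """Decide what kind of TLS failure the log shows and what to check next."""
    subject = None
    for line in log_text.splitlines():
        m = DN_RE.search(line)
        if m:
            subject = parse_dn(m.group(1))
    self_signed = "self signed certificate" in log_text
    result = {"subject": subject, "self_signed": self_signed}
    if subject and subject.get("O") == "OPNsense" and self_signed:
        result["verdict"] = "local-termination"
        result["hint"] = (f"{mirror_host} answered with an OPNsense GUI certificate: the HTTPS "
                          "session ended on a firewall, not the mirror; check the gateway in use "
                          "and any CARP VIP it could be routing through")
    elif self_signed:
        result["verdict"] = "self-signed"
        result["hint"] = ("something other than the mirror is terminating TLS; compare the "
                          "presented certificate with the one the mirror is expected to serve")
    elif subject:
        result["verdict"] = "untrusted-chain"
        result["hint"] = "a certificate was presented but does not chain to the CA bundle in use"
    else:
        result["verdict"] = "no-tls-failure-found"
    return result


def peer_cert_sha256(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """SHA-256 of the leaf certificate the host actually presents.

    Verification is off here on purpose, as with `openssl s_client`, so the
    certificate can be retrieved for inspection even though it is untrusted;
    the fingerprint is then compared with the firewall's own GUI certificate
    to confirm or rule out a local-termination verdict.  Inspection only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The point of splitting subject and self-signed status is that the two curl facts in the post (DNS resolves to the right address, yet a self-signed certificate arrives) are only contradictory if you assume the packets reached that address; the DN tells you which box actually answered.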