Messages

See attached

IMHO similar to Enabling/Disabling KEA/DNSmasqd on Multiple Interfaces but maybe with some improvements :)

I don't think you can equate the two. There are just a few interfaces that appear in the list in your example. There are on the other hand dozens of leaf pages. Also a dropdown in a menu item would look super odd imo - not even sure it is possible.

Anyway, I'm preparing an alternative that has a small star in each breadcrumb heading. Unobstrusive and not "Super Mario World" to my eye

I realised when doing this everyone would have an opinion xD

I thought about the first option. It seemed cumbersome to me. To add a Favorite, you would need to click a button and then navigate a list and click another?

I also thought about the second option. The issue with that is there isn't consistency between pages that would make adding an icon or setting there convenient or consistent. Probably the only realistic spot to add it is at the start or end of the heading on the page.

The nice part though of having the favorite icon in the menu is that multiple options can be clicked without having to open each page.

Maybe Franco or Ad will see this and can weigh in from a preferred UI perspective before I finalise a PR.

I'm proposing to submit a PR shortly to implement a Favorites section.

• It only appears if the user has at least one favorite selected. If all favorites are removed, the Favorites section disappears
• Favorites are added/removed simply by clicking on a star icon next to each leaf menu item. The star icon changes appearance if the item is in the Favorites list
• The Favorites list is stored per-user, and is subject to their permissions
• If a favorited menu item is removed (eg an interface is removed or a plugin uninstalled), the Favorites entry is also removed
• Favorites entries appear in the same order as the corresponding menu items

Some sample screenshots attached.

FWIW, it seems that the original "hung" state of opnsense-revert was caused by a file lock on config.xml by configd, which prevented run_migrations.php from acquiring it

I've managed to deal with that - that wasn't fun.

It appears that when I had to abort opnsense-revert because it hung, the FreeBSD repo was somehow enabled. Then when I ran opnsense-revert again, pkg was updated to the FreeBSD version (2.5.1), which obviously led to some conflicts.

I had to go through a process of disabling the repo, deleting the pkg database, and force reinstalling OPNsense. Then checking there weren't any rogue packages on the system from the FreeBSD repo.

Ugh.

Weird problem. I've been experimenting with some patches, and have routinely successfully reverted them by "opnsense-revert opnsense".

But on the latest try, it is stuck at ">>> Invoking update script 'refresh.sh'"

Previously I interrupted the script at this point and then tried again, but it complained that the OPNsense package repo conf was not available. So I copied that back from the sample, but the script still gets stuck.

Any tips how to fix this?

FWIW, I migrated my rules today (I recently transitioned to dnsmasq so decided why not continue the transition xD) and thanks to the migration assistant it was seamless. Nice work team!

I had been using that already, but the tunnel would stop working after several weeks.

Mullvad support also told me that they wouldn't support psk-exchange anymore.

PR closed due to OPNsense's security posture, implemented via devd instead. [Edit: logging added]

Code Select Expand

cat /usr/local/etc/devd/wg1-postup.conf
notify 100 {
    match "system" "IFNET";
    match "subsystem" "wg1";
    match "type" "LINK_UP";
    action "subsystem=$subsystem; if /usr/local/sbin/mullvad-upgrade-tunnel -wg-interface ${subsystem}; \
      then logger -t ${subsystem}-postup mullvad-upgrade-tunnel completed; \
      else rc=$?; logger -t ${subsystem}-postup mullvad-upgrade-tunnel failed, rc=${rc}; \
      fi";
};

Update: https://github.com/opnsense/core/pull/9825

I need to run a PostUp command when my Mullvad WG interface comes up (to implement quantum resistant tunnelling: https://mullvad.net/en/help/quantum-resistant-tunnels-with-wireguard#modify-config).

I've successfully built the Mullvad utility for FreeBSD, and it works fine on the command line to establish ephemeral peers over the established tunnel to negotiate a PSK.

However, this needs to be run each time the tunnel is established.

There isn't any PostUp (or PostDown, PreUp or PreDown) option in the WG UI in OPNsense to easily add this. I know OPNsense doesn't directly use wg-quick, but there is also no equivalent option.

Is there another good way to do so? Or do I need to look at implementing changes to the OPNsense code to add advanced options in the UI to facilitate this?

Just wanted to chime in to say kudos to Franco for having the courage to overhaul dhcp6c. It's been a long-neglected part of the nix/bsd universe and was in need of some tlc. It just staggers me that this hasn't happened already at an industry level

I literally set my virtual ip as 'fd77:2ac4:81ba::/48' which seems to work for clients getting a ULA, but also causes an issue with ntp if it tries to bind. You mentioned a /64 - did you use the CIDR similar to above, or an actual address? Was the type of the virtual ip just a regular virtual ip, or other?

Sorry, didn't get the notification for this. You've probably solved it/moved on, but to answer the question, they are addresses in CIDR notation, like: fdfd:2553:8868:66::1/64. The mode is IP Alias.

RRD is disabled, netflow is disabled, don't use unbound