Messages - zz00mm

#16
Has this been attempted on HA?
#17
Thanks for the input, I forgot to mention in my initial post that I did try the passive node first.
Also on the primary node, I did put it into CARP maintenance mode and update found nothing to install.
Even rebooted the primary node while in CARP maintenance mode and update found nothing to install.

I'll look into this later. I did do some trickiness to these units. I moved /var & /tmp off the SSD onto a second hard drive; this should not be the cause, I hope.

Even turned IPv6 off to see if that helped, with no luck. It's strange how the cron job runs every night to check for updates and changes the status on the home page, then doesn't update anything.

Maybe I'll build up some VMs and see what happens.

I do have 1 strange item with this HA cluster.
Hulu & ParamountPlus will not stream thru this cluster.
They stream fine thru an old Atom CPU not in HA cluster and thru other standalone OPNsense FWs. And other streaming services work just fine. I'm going to packet capture it and see what it looks like.
#18
All,
I haven't looked into this much yet. I have a newly created HA cluster that was installed with 23.7 and upgraded to 23.7.5 before creating an HA cluster. The GUI shows pending update available, but when you click to proceed to upgrade it goes thru the process and says no updates available.
I know updates are available as several standalone OPNsense 23.7.5 boxes showed the same pending update and they updated to 23.7.6.
Any suggestions on what to troubleshoot? I've done the following so far.
1) attempted to update from passive node, no success.
2) attempted to update from active node, no success.
3) put node1 (active) into maintenance mode and update, no success.
4) change update server selection, no success.
5) perform all update items via console, no success.
6) attempted to update via pkg upgrade, no success.

It's strange that standalone(s) will update, but the HA cluster will not.
#19
Look at the information provided here.
https://bsd44.blogspot.com/2004/12/vmstat.html

Looks like faults are nothing but interrupts, so a high number shows a busy system.

Faults:
The faults section shows system faults. Faults, in this case, aren't bad, they're just received system traps and interrupts.

in Shows the number of system interrupts (IRQ requests) the system received in the last five seconds.

sy Shows the number of system calls in the last five seconds.

cs Gives the number of context switches, or times the CPU changed from doing one thing to doing another.
#20
The instructions are lacking; you always do the following:
make
then, if successful,
make install
#21
Have you looked at these resources? I'm in the process of connecting a UPS to my firewall and found these resources after searching the forum and finding very little. Looks like you can achieve your desired configuration by modifying/creating a custom conf file.

https://linux.die.net/man/8/apcupsd

http://www.apcupsd.org/manual/
#22
WIFI cards have 2 different modes: Infrastructure and Ad-Hoc. You want Infrastructure mode and not all drivers support it.

https://docs.opnsense.org/manual/how-tos/interface_wireless_internal.html

FreeBSD supports wireless adapters in access point (infrastructure) mode, but this functionality is limited to some drivers and there may be some, which do not support all options available via the web interface. Please make sure that you buy a wireless card that is supported to avoid these problems.

From my experience, I ditched the wifi card from my FW and used an external solution to achieve my goal. My biggest roadblock, if I remember correctly, was that I wanted 3+ SSIDs and could only get 2. This is the short list of headaches. If you search the forum you'll probably find most say to do it with an external AP.
#23
WAN/NAT forward for each of the IPs to the destination host.
#24
Hardware and Performance / Re: QAT Accelerator
March 10, 2023, 04:26:28 PM
I tested the QAT speed of my ATOM C3758, which has onboard QAT, using the openssl speed command from this article.
https://stackoverflow.com/questions/64862544/how-to-check-compare-openssl-speed

I also saw a big decrease in CPU util on my openVPN connections after switching to the C3758 CPU.

without using QAT
Doing aes-256 cbc for 3s on 16 size blocks: 11224359 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 64 size blocks: 2947524 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 744654 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 1024 size blocks: 186214 aes-256 cbc's in 2.98s
Doing aes-256 cbc for 3s on 8192 size blocks: 23475 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 16384 size blocks: 12084 aes-256 cbc's in 3.09s

Results with QAT
Doing aes-256-cbc for 3s on 16 size blocks: 43725132 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 64 size blocks: 15233718 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 4530328 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 1024 size blocks: 1214440 aes-256-cbc's in 3.06s
Doing aes-256-cbc for 3s on 8192 size blocks: 150648 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 16384 size blocks: 75565 aes-256-cbc's in 3.01s
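The two runs above can be compared per block size by converting each "Doing ... COUNT ... in T s" line into bytes per second. The script below is an added example (not the post author's code and not part of OPNsense); it embeds the post's two result sets as sample input, parses them, prints throughput and speedup per block size, and also reports the cipher label openssl printed. That label matters when reading a benchmark like this: with OpenSSL 1.1, `openssl speed aes-256-cbc` runs the built-in loop and prints "aes-256 cbc", while `openssl speed -evp aes-256-cbc` prints the EVP name "aes-256-cbc", and only the EVP path can use an engine such as QAT (or AES-NI), so two runs with different labels did not exercise the same code path and should be re-run with `-evp` on both sides before drawing conclusions about the accelerator itself.

```python
"""Parse `openssl speed` progress lines and compare two runs per block size.

Added example for this thread; not code from the post author or from OPNsense.
Each line has the shape
    Doing <cipher> for <N>s on <B> size blocks: <COUNT> <cipher>'s in <T>s
and throughput for that block size is COUNT * B / T bytes per second.
"""
import re

SPEED_LINE = re.compile(
    r"Doing (?P<cipher>.+?) for \d+s on (?P<block>\d+) size blocks: "
    r"(?P<ops>\d+) .+? in (?P<secs>[0-9.]+)s"
)

# Sample input: the two result sets quoted in the post above (ATOM C3758).
WITHOUT_QAT = """\
Doing aes-256 cbc for 3s on 16 size blocks: 11224359 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 64 size blocks: 2947524 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 744654 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 1024 size blocks: 186214 aes-256 cbc's in 2.98s
Doing aes-256 cbc for 3s on 8192 size blocks: 23475 aes-256 cbc's in 3.01s
Doing aes-256 cbc for 3s on 16384 size blocks: 12084 aes-256 cbc's in 3.09s
"""

WITH_QAT = """\
Doing aes-256-cbc for 3s on 16 size blocks: 43725132 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 64 size blocks: 15233718 aes-256-cbc's in 3.01s
Doing aes-256-cbc for 3s on 256 size blocks: 4530328 aes-256-cbc's in 3.02s
Doing aes-256-cbc for 3s on 1024 size blocks: 1214440 aes-256-cbc's in 3.06s
Doing aes-256-cbc for 3s on 8192 size blocks: 150648 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 16384 size blocks: 75565 aes-256-cbc's in 3.01s
"""


def parse_speed(text):
    """Return ({block_size: bytes_per_second}, {cipher labels seen}) for one run.

    Lines that are not progress lines (headers, summary table) are ignored.
    """
    results = {}
    labels = set()
    for line in text.splitlines():
        m = SPEED_LINE.match(line.strip())
        if not m:
            continue
        block = int(m["block"])
        ops = int(m["ops"])
        secs = float(m["secs"])
        if secs <= 0:  # defensive: never printed by openssl, but avoid division by zero
            continue
        results[block] = ops * block / secs
        labels.add(m["cipher"])
    return results, labels


def speedup(baseline, accelerated):
    """Ratio accelerated/baseline for every block size present in both runs."""
    return {b: accelerated[b] / baseline[b] for b in sorted(baseline) if b in accelerated}


def same_code_path(labels_a, labels_b):
    """True when both runs printed the same cipher label.

    OpenSSL 1.1 prints "aes-256 cbc" for the built-in (non-EVP) loop and
    "aes-256-cbc" for `-evp`; engines such as QAT are only used on the EVP path,
    so different labels mean the runs are not directly comparable.
    """
    return labels_a == labels_b


if __name__ == "__main__":
    base, base_labels = parse_speed(WITHOUT_QAT)
    accel, accel_labels = parse_speed(WITH_QAT)
    for block, ratio in speedup(base, accel).items():
        print(f"{block:6d}-byte blocks: {base[block] / 1e6:8.1f} MB/s -> "
              f"{accel[block] / 1e6:8.1f} MB/s  x{ratio:.2f}")
    if not same_code_path(base_labels, accel_labels):
        print("note: cipher labels differ between runs:", base_labels, accel_labels)
```

Feed it your own runs by replacing the two sample strings with the output of `openssl speed -evp aes-256-cbc` captured with and without the accelerator loaded; the per-block-size ratios show where the engine pays off (large blocks) and where per-call overhead dominates (16-byte blocks).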

#25
Yes it can be done.
I have 10 VLANS
all but 2 have the default "*" gateway in the FW rule.

I have 1 openVPN connection to a US based endpoint.
In the FW rule for this VLAN the default gateway is changed to the connection name i.e. "openVPN_US"

I have 1 openvpn connection to an EU based endpoint.
In the FW rule for this VLAN the default gateway is changed to the connection name i.e. "openVPN_EU"

One note of interest: if you have issues getting DNS to resolve once the openVPN connection is up and active (I think I was unable to ping the LAN GW, and DNS queries from the command line against the IP would fail),
I created a Floating Rule to allow each VLAN access to its GW. I think it could also be accomplished by creating a rule on the VPN VLANs to allow them access to the GW, and it should work.

Hopefully this helps.
zz00mm
#26
Virtual private networks / Re: VPN Licenses
August 28, 2022, 04:39:51 AM
My answer to your question: The number of sessions is what you are getting with the different providers. I have 2 - 1 session VPN accounts, configured as follows:

VLAN104     openVPNEU connecting to NL endpoint, LAN & WIFI traffic show they are exiting/coming from somewhere in the Netherlands.

VLAN105     openVPNUS connecting to US endpoint, LAN & WIFI traffic show they are exiting/coming from somewhere in the US.

To add additional headache to the mix, I have a cron job that resyncs/reconnects the VPN sessions at 4am every morning. The VPN connection configuration has multiple target(s) selected at random. So every day on the US connection, the traffic shows coming from a different city. Same for the NL connection.

I could do the above with 1 - 5 session account, which would only consume 2 of the 5, leaving the other sessions to be used on portable/mobile devices as needed.

Right now free VPN service is being used to test/setup. Planning on moving to a non free VPN service soon.
#27
I had a similar issue when I created 2 VPN VLANs on my network. First I saw that I was unable to ping the GW when the VPN session was up, thus when I attempted an nslookup against the GW it would fail. From some threads here on the forum, I finally used the following solution: created a floating rule using aliases to allow access to the GW on the VLAN. I've attached screenshots that will hopefully help. Another option would be to use a different DNS server(s), which I did initially as part of troubleshooting to figure out the problem.

#28
Looks like you have 3 options:

1) Port forward a different port for each domain thru the firewall to the web server for that domain. (Do this to test if the website is working thru firewall)

2) Put all the domain web pages on 1 Server, port forward thru the firewall to web server and let host headers do the work for you. (This is what I have used in the past)

3) Set up a reverse proxy that you port forward to thru the firewall and then let the reverse proxy do its work. If you get this to work, then you could move your reverse proxy to the firewall if desired, as NGINX is an option as well as traefik (traefik can be retrieved by using the mimugmail repo addin).

That's all I can provide as I'm currently working on option #3 without port forwarding at this time.

Happy firewalling
#29
Are you running the commands like this?

fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

then

pkg update

In Linux/BSD, if you want to run both commands as one, you have to combine them together with '&&':
fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf && pkg update

#30
Thanks for the find, just completed update to 22.7 and same thing happening on my firewall. Looks like it's resolved.