Messages - itngo

#31
General Discussion / Re: Stateful PPPoE/CARP possible?
September 06, 2024, 09:28:43 AM
Is this still an issue?
We have a customer with one leased line and one PPPoE for backup. Often the connection is stuck on the slave and never comes back to the master node. We then need to reboot the slave to get the PPPoE connection back online on the master.

I guess it is not supposed to work like this?
#32
Quote from: franco on May 07, 2024, 01:49:23 PM
@itngo Got any console output from these bad boot attempts?


Cheers,
Franco

We did not follow up on this any further, as another reboot did fix it.
We also had this with 2 or 3 virtual OPNsense instances on the last update, 24.4.2 Business.... there it was enough to use "restart all services" on the console to fix the issue....
#33
Quote from: it-nick on October 29, 2023, 11:59:34 PM
Hello
since version 23.7.5, ProxMox virtualizers can no longer connect stably to ProxMox Backup Server on port TCP 8007. The first session is still allowed and before the first session is terminated, another connection is already established, which is terminated by the OPNSense with a TCP reset.
How can I adjust the TCP parameters of the concurrent TCP session to a port and/or a specific source IP?
Regards,
Nick

Is this with opnsense in HA mode?
#34
Did you ever solve this?
Same issue here....
#36
24.7, 24.10 Legacy Series / Old RSPAMD Version.
July 31, 2024, 04:41:39 PM
Hi,
how to update RPSAMD to 3.91.
opnsense repository still gives RSPAMD 3.8.4 which is quite old. We want to evaluate openAI integration, but need at last 3.9.1.
#37
Are you using any Blocklist in Unbound? Check if "Blocklist.site Youtube" is enabled.
#38
Quote from: crlt on January 07, 2024, 04:36:55 AM
I have a very similar setup to yours and that is how mine behaves. I did not check the "disable preempt" option under High Availability Settings.

On my Unifi switches (which do not support advanced bonding functions), I just configured Switch 1 to have a higher priority over Switch 2 (higher priority on Unifi means setting the actual priority number of Switch 1 to a lower value than that of Switch 2). And for anyone else with Unifi switches - I had to set the CARP frequency in OPNsense to 2 instead of 1 for it to be stable.

Edit: Just to add clarification, what I mean to say is that I didn't need to configure any LAG settings on my switches for it to work in my HA configuration which is identical to yours (except I have Unifi switches and Multi-WAN).


Many thx for confirming that changing the frequency from 1 to 2 helped in your setup with Unifi switches. We also have a customer here with 2 OPNsense and Unifi switches... It was not stable, but today we changed the frequency to "3" and it looks far more promising now....

Then I read your post and felt confirmed that we are now on the right way!

Thank you so much! five STARS!
#39
German - Deutsch / Re: Plugin os-squid error
July 18, 2024, 10:35:50 AM
You can make SQUID startable again on the OPNsense via SSH or the console with the following command.

sudo chmod 755 /usr/local/etc/squid

Caution... this is probably not to be regarded as "SECURE". But until the plugin gets its permissions fixed, it is a working "dirty workaround".

#40
German - Deutsch / Re: Plugin os-squid error
July 17, 2024, 10:07:33 AM
Hi,

it seems to be somehow broken in the current OPNsense version as well.

I am just setting up 2 devices for a customer. Merely enabling the proxy without any further configuration already fails and reports the same error you reported.
#41
Hi,

as already stated in the OPNsense documentation on Suricata IPS/IDS, it is not particularly useful to look at the traffic on the WAN interface. The door is already closed there anyway. Whatever is let in from outside via DNAT has to leave the firewall again via the LAN interface.

So I would rather have MALTRAIL listen on the LAN interface and, if applicable, on DMZ interfaces....
On the WAN so much junk rushes past that is not even destined for your firewall that the sensor "blows" the alarm permanently anyway....
#42
Quote from: proctor on June 01, 2021, 10:44:32 AM
I used an other way and - at least - unbound reaches other DNS servers over IPsec.

1. Firewall: Settings: Advanced
check Disable force gateway

2. System: Gateways: Single
setup gateway for LAN interface with LAN IP address

3. System: Routes: Configuration
setup route for remote network using the gateway above

Cheers,
proctor

Thanks! Works perfect!
#43
We also had issues after the upgrade to 24.4 with 2 of about 40 firewalls. One DEC2xxx and one virtual.

They had not loaded their interfaces and were not reachable.
Both could be fixed by just doing another reboot....
#44
We are heavily using GRE tunnels for some remote OPNsense systems just to get some unimportant status information from remote systems. The data itself is already encrypted, so we just want some routes to the remote sites via GRE.

We have 2 sites where the IP is not static, so it would be nice to use a DDNS name for the GRE endpoint.

However, the webGUI still does not allow this. Is this something that we can work around without the need to create an extra WG, OVPN, IPsec or whatever config?
#45
Quote from: kryptonian on May 06, 2024, 07:08:43 PM
It seems that I had to disable logging to disk, and re-enable it for it to populate logging configs using newer template after upgrading to 24.1.

Same issue here, but your solution works!  ;)