OPNsense
Show Posts

Topics - patrick3000

1
24.7 Production Series / Multi-WAN gateway monitoring dashboard problem with virtual adapters
« on: October 14, 2024, 07:05:34 am »
I have a multi-WAN setup with gateway monitoring in OPNsense 24.7.6 that I run virtually on Truenas SCALE.

It works properly if I pass through the two WANs (called "WAN" and "WAN2") using PCIE pass-through. However, if I virtualize either of the WANs and pass it through as a virtual adapter, then the dashboard always shows a green dot, which is supposed to indicate that the interface is up, even when the interface is down. (Please note that this appears to be a dashboard problem only, because gateway monitoring appears to still actually work and fail over to whichever WAN is still up.)

As I recall, this problem with the dashboard and virtual adapters subject to gateway monitoring did not exist in earlier versions of OPNsense, such as 24.2, which was the last time I passed through virtual adapters. So, it appears to be a new problem, and I suspect is a bug, in 24.7.

Does anyone know how to fix this dashboard problem with gateway monitoring in version 24.7? Alternatively, does anyone have any experience or feedback with this problem?

2
Virtual private networks / Migrating OpenVPN from legacy to instance, no detailed information
« on: April 05, 2024, 12:39:36 am »
I have OpenVPN installed in server mode which has been working perfectly for the past year in OPNsense (and before that for almost ten years in Pfsense before I switched to OPNsense last year). I use the OpenVPN server on OPNsense to access my entire home network, including LAN and various other subnets, from a Linux Mint laptop acting as OpenVPN client when I'm away from home.

However, as of version 24.1 of OPNsense, the OpenVPN server shows as "legacy," and I will need to migrate to an "instance" rather than server.

Unfortunately, the official documentation on this, which is contained here https://docs.opnsense.org/manual/vpnet.html, is rather sparse. In addition, the official documentation only discusses setting up an instance from scratch, not migrating from a server in legacy mode to an instance.

Also, there are no online tutorials, at least that I can find, on setting up an OpenVPN instance on OPNsense.

I have looked at the configuration menu for an OpenVPN instance, and there are things about it that are confusing.

For one thing, there is no option to specify the interface, as there is in the legacy server menu. That's a problem for me because I have two WAN interfaces, WAN and WAN2, with WAN as primary and WAN2 for fail-over. I only want to access OpenVPN on WAN, not WAN2, because I plan to eventually set up another VPN on WAN2. However, I don't have static public IP addresses and use dynamic DNS to get to WAN, and there is only an option for a "Bind address" (which I assume means IP address), not Bind URL which I would need with dynamic DNS, to specify that I only want to use WAN for OpenVPN.

There are also other confusing things in the instance menu, like "Push options," which are not present in the legacy server menu.

If anyone has any thoughts on this or knows of a detailed tutorial on setting up an OpenVPN instance, I would appreciate learning about it. Also, does anyone know how soon the legacy server mode will be phased out? I hope it won't be in the next version of OPNsense due out this summer, because if it is, I suspect that there will be many surprised users.

3
General Discussion / Two cable modems with the same IP address--access one of them
« on: February 05, 2024, 06:05:21 am »
I have a multi-wan setup with a gateway group consisting of WAN and WAN2, and failover from WAN to WAN2 if WAN goes offline.

The problem is that both WAN and WAN2 are connected to cable modems (an Arris modem for WAN and Netgear for WAN2), and each cable modem has the same IP address, which is 192.168.100.1. That's the default IP address for both modems, and there is no way to change it.

Every now and then, I'd like to access the web UI for either the WAN or WAN2 modem, and for some reason, when I type "192.168.100.1" into a browser, OPNsense always routes to the cable modem for WAN2, which is the Netgear modem. I can never access the Arris modem, which is the one connected to WAN, unless I unplug it from the OPNsense router and directly connect it to a laptop, which is a big hassle.

So here is what I'm wondering: since I have two devices in my network with the IP address 192.168.100.1 (which doesn't seem ideal but cannot be changed), is there a way from LAN side to tell OPNsense that I want to access the modem at that IP address that is connected to the WAN rather than the WAN2 interface?

4
General Discussion / Custom startup script to set interface link speed?
« on: February 02, 2024, 07:53:50 am »
My WAN interface is connected to a cable modem but, for some reason, does not automatically negotiate to 2.5 Gbps, the max speed of the modem, even though it's on an X550-T2 adapter that supports this speed.

I have figured out how to get it to connect at 2.5 Gbps by changing a setting at the command shell using the command "ifconfig [interface name] media 2500Base-T".

Unfortunately, however, this does not persist after reboot.

So, does anyone know a way to create a script in the OPNsense UI to run this command automatically at startup? I'd rather not manually edit configuration files, such as cron, in FreeBSD because I'm afraid I could mess something up and also because it might break with updates.

I'm not sure if there is a way to do this, but I thought I'd check.
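
One way to do what this post asks for, as an added example that is not the poster's code and not part of OPNsense: a small sh script that parses the `media:` line of `ifconfig` output, only issues `ifconfig <if> media 2500Base-T` when the configured media is not already what you want, and logs what it changed. The interface name `ix0`, the target media `2500Base-T`, and the install path `/usr/local/etc/rc.syshook.d/start/90-wan-media` (OPNsense's boot-time autorun hook directory; the file must be executable) are assumptions, adjust them for your box. The two `ifconfig` outputs at the bottom are constructed samples for dry-running the parser; the real NIC is only touched when `APPLY=1` is set, which is how you would invoke it from the hook.

```sh
#!/bin/sh
# 90-wan-media: pin a NIC to a fixed media type after every boot.
# Added example for this thread; not code from the post or from OPNsense.
# Assumptions (edit to taste): the X550-T2 port is ix0, the target is
# 2500Base-T, and this file lives in /usr/local/etc/rc.syshook.d/start/
# with the executable bit set.

WAN_IF="${WAN_IF:-ix0}"
WANT="${WANT:-2500Base-T}"

# Media type the driver is configured for: the word after "media: Ethernet"
# ("autoselect" until you pin it).  $1 = output of `ifconfig <if>`
configured_media() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*media: Ethernet \([^ ]*\).*/\1/p'
}

# Media type actually negotiated on the wire: the first word inside the
# parentheses; empty when there is no carrier.  $1 = output of `ifconfig <if>`
link_media() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*media: .*(\([^ <)]*\).*/\1/p'
}

# Exit 0 when the configured media differs from the wanted one.
# $1 = ifconfig output, $2 = wanted media word
needs_media_change() {
    [ "$(configured_media "$1")" != "$2" ]
}

# Constructed sample outputs (not captured from a real system) so the parser
# can be exercised without a NIC: one left on autoselect, one already pinned.
SAMPLE_AUTO='ix0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active'
SAMPLE_FIXED='ix0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        media: Ethernet 2500Base-T <full-duplex> (2500Base-T <full-duplex>)
        status: active'

# Only touch the real NIC when APPLY=1, so the file can be tested safely.
if [ "${APPLY:-0}" = "1" ]; then
    out=$(ifconfig "$WAN_IF")
    if needs_media_change "$out" "$WANT"; then
        ifconfig "$WAN_IF" media "$WANT"
        logger -t wan-media "set $WAN_IF media to $WANT (was $(configured_media "$out"), link $(link_media "$out"))"
    else
        logger -t wan-media "$WAN_IF already at $WANT, link $(link_media "$out")"
    fi
fi
```

Two caveats worth knowing before relying on this: the media setting lives only in the running driver, so it is not written to config.xml and will not travel with a configuration backup; and after a reboot you should confirm with `ifconfig ix0 | grep media` that the pinned value took, since a hook script that fails silently leaves you back on autoselect.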

5
General Discussion / In gateway group, WAN or WAN2 randomly drops and stays offline until reboot
« on: January 19, 2024, 12:21:31 am »
I have OPNsense set up with a gateway group, with two interfaces, WAN and WAN2, connected via cable modems to the public internet and getting IPv4 addresses assigned by DHCP.

Unfortunately, sometimes either the WAN or WAN2 interface will randomly drop and go into offline status, even though there is no internet outage. When this happens, the interface stays offline until I reboot OPNsense. Since it's a gateway group, I sometimes don't even know that WAN or WAN2 went offline since I still get internet from the other interface in the group. However, I am now in the habit of checking the OPNsense dashboard every couple of days to see if either WAN or WAN2 has gone offline.

Currently, I am running OPNsense virtually, as a guest VM over KVM in Truenas SCALE. However, until a few months ago, I had OPNsense installed bare metal on a physical computer, and I still had the same problem with intermittent random drops of either WAN or WAN2, so I don't think this problem has anything to do with virtualization.

Also, I have tried to simulate the problem and cannot do so. To attempt to simulate it, I disconnect the coax cable leading to the modem for either WAN or WAN2, and OPNsense correctly shows the interface going offline. Then, when I connect the coax cable to the modem again, OPNsense correctly shows the interface as online.

Does anyone know anything about this? Have you had it happen, or do you know how to troubleshoot it?

6
General Discussion / Number of threads for OPNsense
« on: December 02, 2023, 08:57:24 pm »
A couple of months ago, I migrated OPNsense from bare metal to a VM running on Truenas SCALE, which is similar to Proxmox since it's KVM on top of Debian.

My CPU is a Ryzen 7 Pro 5750G, and when I originally set it up, I allocated OPNsense four threads. It ran fine until yesterday, when I needed to transfer a large file (approximately 100 GB) to a remote destination. During the transfer, it started to get high packet loss on WAN, generally between 5% and 15%, and the transfer slowed to a crawl. What's strange is that my CPU usage shown in OPNsense was only around 10-20%.

I stopped the transfer, increased the number of threads allocated to OPNsense from 4 to 6, then restarted the transfer. This time, I've had no packet loss, and the transfer is working properly. So, it appears that OPNsense was bottle-necking and losing packets due to not having enough threads.

Does anyone know if this is normal behavior? In particular, why would CPU usage show at only 10-20% while packets are being lost due to insufficient threads? Also, do I need to increase it even more, from 6 to 8 threads, to ensure this doesn't happen again?

7
General Discussion / NTP not working (causes problems)
« on: November 22, 2023, 07:50:56 am »
I have OPNsense installed as a VM running on top of something similar to Proxmox (Truenas SCALE actually, but you can consider it Proxmox because for these purposes, it's almost the same thing since it's KVM in Debian).

Recently, it's been acting strange and crashed randomly once. Upon further investigation, I noticed that the NTP service is not working, so I don't think OPNsense can get the time accurately. The status of all servers is "Unreach/Pending," and in the NTP log file, there are a bunch of entries saying "unable to bind to wildcard address :: - another process may be running - EXITING."

So, it appears that OPNsense is not able to access any NTP server and cannot get the time, which is probably the source of the problems. However, when I manually queried one of the servers in the pool from the Shell with "ntpdate -q 0.opnsense.pool.ntp.org" I got the result "server 167.248.62.201, stratum 3, offset +0.000000, delay 0.04958" (and some other stuff).

So, it seems that the NTP servers can be reached manually, but for some reason, the NTP service in OPNsense isn't working properly.

I'm considering reinstalling and restore from config, but I'd rather not because there are a few VLANs and other interfaces, and matching everything up will take some work.

Any thoughts on what could be causing NTP not to work and how I can troubleshoot this?
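
The log line quoted in this post says ntpd could not bind UDP/123 on the wildcard address because some other socket already owns it, and then exited. A successful `ntpdate -q` does not contradict that: it sends from an unprivileged ephemeral port, so it never needs port 123 itself. The first thing to find out is therefore which process holds UDP/123 (typically a stale ntpd left over from an earlier start, or another time daemon). The following sh snippet is an added example, not the poster's code and not part of OPNsense; it parses FreeBSD `sockstat -l` output (columns USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS), lists the distinct owners of a port, and compares them against the PID the service is supposed to have. The sockstat listing embedded in the block is constructed for the dry run; the path `/var/run/ntpd.pid` used in the `LIVE=1` branch is an assumption, check where your ntpd actually writes its pidfile.

```sh
#!/bin/sh
# ntp_bind_triage.sh: who already holds UDP/123 when ntpd logs
# "unable to bind to wildcard address :: - another process may be running"?
# Added example for this thread; not from the post or from OPNsense.
# Assumes the FreeBSD sockstat(1) column layout:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Print every distinct "command:pid" that has a socket on the given port,
# sorted and space-separated on one line.  $1 = port, $2 = sockstat -l output
owners_on_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        NR > 1 && NF >= 6 {
            n = split($6, a, ":")          # port is the text after the last colon,
            if (a[n] == port) print $2 ":" $3   # which also copes with IPv6 addresses
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 when some owner of the port is NOT the PID we expect (a stale daemon
# from a previous start, or a different program entirely).
# $1 = expected pid, $2 = port, $3 = sockstat -l output
has_foreign_owner() {
    for o in $(owners_on_port "$2" "$3"); do
        [ "${o#*:}" != "$1" ] && return 0
    done
    return 1
}

# Constructed sample (not captured from a real box): an old ntpd, pid 2241,
# still owns :123 on both address families while the service manager believes
# the current ntpd is pid 3180, which is the one that logged the bind error.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       2241  20 udp6   *:123                 *:*
root     ntpd       2241  21 udp4   *:123                 *:*
unbound  unbound    1901  3  udp4   192.168.1.1:53        *:*
root     sshd       1750  4  tcp4   *:22                  *:*'

# Live run only when LIVE=1; the pidfile location is an assumption.
if [ "${LIVE:-0}" = "1" ]; then
    NTPD_PIDFILE="${NTPD_PIDFILE:-/var/run/ntpd.pid}"
    expected=$(cat "$NTPD_PIDFILE" 2>/dev/null || echo none)
    listing=$(sockstat -4 -6 -l -P udp)
    echo "UDP/123 owners: $(owners_on_port 123 "$listing")"
    if has_foreign_owner "$expected" 123 "$listing"; then
        echo "UDP/123 is held by something other than pid $expected: stop that process, then restart ntpd"
    else
        echo "UDP/123 is held only by pid $expected; the bind error is not a port conflict"
    fi
fi
```

If the owner turns out to be a leftover ntpd, killing it and restarting the NTP service is enough; if it is a different daemon, one of the two has to give up the port before the "Unreach/Pending" status in the GUI can change.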

8
General Discussion / Gateway doesn't come back online after losing connectivity
« on: November 17, 2023, 06:59:13 pm »
I have two gateways: WAN and WAN2, which are in a gateway group, with gateway monitoring, and WAN is assigned highest priority.

My problem is with WAN2, which is assigned to on-board Intel adapter. When I lose internet connectivity to WAN2, either because my ISP has an outage or because I unplug the ethernet cable for testing purposes, WAN2 correctly shows in OPNsense as going offline, but the problem is that it remains offline even after internet connectivity is restored. The only way to get WAN2 to show as back online is to reboot OPNsense.

(Incidentally, WAN works perfectly, even though it's assigned to a NIC with a 2.5 GB Realtek adapter, but WAN comes back online after an outage with no problem.)

So here is my question: why is that, after going offline due to loss of connectivity, gateway monitoring will not show WAN2 as back online even after connectivity is restored, yet rebooting OPNsense will somehow cause gateway monitoring to show that WAN2 is back online?

Can anyone offer any troubleshooting tips?

9
General Discussion / VLANs on hypervisor that hosts OPNsense or in OPNsense itself?
« on: October 27, 2023, 04:32:56 pm »
I recently moved OPNsense from a bare metal install on a physical machine to a virtual machine running as a guest in Truenas SCALE, a hypervisor that reportedly is similar to Proxmox (although I haven't used Proxmox).

When I moved OPNsense to a virtual machine, I chose to set up the VLANs on the host (Truenas SCALE) and pass each VLAN as a virtual adapter to OPNsense. So, OPNsense doesn't "see" any VLANs at all. All it sees are adapters named vtnet1, vtnet2, etc. But each of those adapters corresponds to a VLAN in Truenas SCALE.

Everything works perfectly, but my concern is that if there is ever a hardware failure and I need to move OPNsense somewhere else, whether to another VM or to a physical machine, then it will be laborious to reconfigure all the VLANs, probably in OPNsense at that point.

So I'm wondering whether I should have instead passed the OPNsense VM virtual adapters that correspond to physical adapters on the host (rather than passing it adapters that correspond to VLANs), and then created the VLANs in OPNsense, which would make for easier portability of the VM. Does anyone know the best practice?

10
Web Proxy Filtering and Caching / Disk size for transparent proxy
« on: October 16, 2023, 08:44:45 pm »
I have OPNsense set up on a home network which is used by both me and my spouse for working from home and also for our phones, television, etc.

I am going to create a transparent proxy, initially on only one vlan that contains my Linux laptops and Truenas servers, and possibly on the other vlans at a later point in time. The purpose of the transparent proxy will be so that I can install Zenarmor and ClamAV.

My question is about disk sizing. I have OPNsense installed in a VM running on Truenas SCALE that, similar to Proxmox, uses KVM. I currently have it on a virtual disk that's only 40GB. Presumably, I will need more than that for a transparent proxy, since there will be a bunch of logging involved.

Does anyone know what size I should expand the OPNsense virtual disk to? Would 120GB be enough? I also realize that I'll need to allocate more memory, as I currently only have 8 GB memory allocated, but I have plenty more I can allocate and will probably eventually bump it to 16 GB. It's resizing the disk that's a bit more of a hassle, so I'd like to figure out in advance how large a disk I will need.

11
General Discussion / Proxy server beginner question regarding certificate of authority
« on: October 16, 2023, 05:25:40 am »
I have OPNsense set up as the firewall for my house. Both my spouse and I work from home, and we rely on the network extensively.

I would like to harden security, and I'm considering setting up a transparent proxy server in OPNsense so that I can subsequently install Zenarmor and ClamAV. However, I'm undecided about this because all the proxy server tutorials I've seen rely on self-signed certificates for SSL access, and there is no way I'd want to install trusted certificates on all client devices in my house, which include numerous Linux and Windows laptops and desktop PCs, as well as phones with iOS.

So, I'm wondering whether there is a way to buy a trusted certificate from an authority and install that in OPNsense for SSL access with the proxy server rather than using a self-signed certificate, which would avoid the need to do any configuration at the client level.  I would think this would be possible, and trusted certificates aren't expensive, but for some reason, all the tutorials I've seen rely on self-signed certificates, so I'm wondering if there's something I'm missing.

Bottom line: Is it possible to install a transparent proxy server on OPNsense and install a trusted certificate of authority, rather than self-signed, so that I can avoid the need to do any configuration at the client level?

12
General Discussion / OPNsense as VM on HDD pool?
« on: September 29, 2023, 06:08:17 am »
I currently have OPNsense installed on bare metal with an SSD NVME boot drive, three physical interfaces, and five VLANs. I'm going to be migrating it to a VM on Truenas SCALE, which is built on Linux Debian and uses KVM for virtualization.

I'm considering installing OPNsense on a 3-disk hard drive mirror ZFS pool. It will also have 16 GB dedicated RAM. However, I'm wondering if installing it in a VM on a hard drive pool could result in latency problems given that hard drives are slow at random reads and writes?

In particular, and here is my main question: after OPNsense boots, does it mostly just stay in memory? If so, then I should be fine. If on the other hand it's constantly doing a bunch of read and write operations to the boot drive, then I'd imagine I could have problems installing it on an HDD pool.

I also have the option of installing it on an SSD pool in Truenas SCALE KVM, but I'd rather not because that pool only has two mirrored SSDs, and one of them is slightly old, so there would be less redundancy than if I put it on the 3-way HDD mirror.

13
General Discussion / Host override requires local domain name to resolve
« on: September 28, 2023, 07:03:36 am »
I have DHCP enabled in OPNsense and use it to provide leases for almost all devices on my network. However, I am trying to configure one specific device, my Truenas server, with an actual static mapping not assigned by OPNsense.  (There are reasons for this that aren't worth getting into here.)

This setup mostly works, except for one problem related to name resolution.

The static mapping of the Truenas server is 192.168.1.200. Again, this is not assigned by OPNsense. However, in OPNsense, I added a host override under Unbound mapping the domain "Truenas-server" to 192.168.1.200.

The problem, however, is that now, if I want to reach the server by name from a Linux device on the network, I'm required to prepend the name of the server with the local domain name I set in OPNsense.

So, from a Linux device, "ping Truenas-server" gives "Name or service not known." However, "ping [LocalDomain].Truenas-server" reaches the server.

What's strange is that from a Windows device, I'm able to reach the server with just "ping Truenas-server."

Does anyone know how to fix this so that the name "Truenas-server" resolves to 192.168.1.200 without the need to prepend it with [LocalDomain]?

14
General Discussion / Unable to update/reinstall kernel
« on: August 01, 2023, 10:40:23 pm »
I'm trying to upgrade to version 23.7 of OPNsense, and the upgrade freezes due to a package mismatch. In particular, I have version 23.1.11 of OPNsense installed, but the kernel is 23.1.8.

When I go under "Firmware," "Packages" and attempt to reinstall the kernel, it hangs with the output:

***GOT REQUEST TO REINSTALL***
Currently running OPNsense 23.1.11_1 at Tue Aug  1 15:25:16 CDT 2023
Fetching kernel-23.1.11-amd64.txz:

Does anyone know how to work around this problem and reinstall (update) the kernel to 23.1.11?

15
23.7 Legacy Series / Help! Unable to upgrade to 23.7. Process hangs.
« on: August 01, 2023, 05:20:52 pm »
I cannot upgrade to 23.7. When I check for updates, OPNsense gets stuck checking for updates and hangs. I've tried it from three different client systems, and have also rebooted the OPNsense server. I've also tried updating from the console but that only updates, not upgrades.

Does anyone know if there is a way out of this? I don't want to reinstall and restore from a config file because my setup is complex and I don't want to take the risk that something will go wrong.

Here is the output when I check for updates, which as noted gets stuck at this point:


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.1.9 at Tue Aug  1 10:10:06 CDT 2023
Fetching changelog information, please wait... fetch: transfer timed out
fetch: /usr/local/opnsense/changelog/changelog.txz appears to be truncated: 0/284144 bytes
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 835 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (83 candidates): .......... done
Processing candidates (83 candidates): ..... done
The following 43 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   libltdl: 2.4.7
   libmcrypt: 2.5.8_3
   php81-pear: 1.10.13
   php81-pear-Crypt_CHAP: 1.5.0_1
   php81-pecl-mcrypt: 1.0.6

Installed packages to be UPGRADED:
   curl: 8.1.1 -> 8.1.2
   ddclient-devel: 3.10.0_1 -> 3.10.0_3
   easy-rsa: 3.1.4 -> 3.1.5
   krb5: 1.20.1 -> 1.21
   nettle: 3.9 -> 3.9.1
   nss: 3.89.1 -> 3.90
   ntp: 4.2.8p15_5 -> 4.2.8p17
   openssh-portable: 9.3.p1,1 -> 9.3.p2,1
   openssl: 1.1.1t_2,1 -> 1.1.1u,1
   openvpn: 2.6.4 -> 2.6.5
   opnsense: 23.1.9 -> 23.1.11_1
   opnsense-update: 23.1.8 -> 23.1.11
   pftop: 0.8_2 -> 0.8_4
   php81: 8.1.19 -> 8.1.20
   php81-ctype: 8.1.19 -> 8.1.20
   php81-curl: 8.1.19 -> 8.1.20
   php81-dom: 8.1.19 -> 8.1.20
   php81-filter: 8.1.19 -> 8.1.20
   php81-gettext: 8.1.19 -> 8.1.20
   php81-ldap: 8.1.19 -> 8.1.20
   php81-mbstring: 8.1.19 -> 8.1.20
   php81-pdo: 8.1.19 -> 8.1.20
   php81-phalcon: 5.2.1 -> 5.2.2
   php81-session: 8.1.19 -> 8.1.20
   php81-simplexml: 8.1.19 -> 8.1.20
   php81-sockets: 8.1.19 -> 8.1.20
   php81-sqlite3: 8.1.19 -> 8.1.20
   php81-xml: 8.1.19 -> 8.1.20
   php81-zlib: 8.1.19 -> 8.1.20
   py39-markupsafe: 2.1.2 -> 2.1.3
   py39-pandas: 2.0.1_1,1 -> 2.0.2,1
   py39-setuptools: 63.1.0 -> 63.1.0_1
   py39-sqlite3: 3.9.16_7 -> 3.9.17_7
   py39-ujson: 5.7.0 -> 5.8.0
   python39: 3.9.16_2 -> 3.9.17
   squid: 5.8 -> 5.9
   strongswan: 5.9.10_1 -> 5.9.10_2
   suricata: 6.0.12 -> 6.0.13

Number of packages to be installed: 5
Number of packages to be upgraded: 38

The process will require 5 MiB more space.
58 MiB to be downloaded.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved