Messages - patrick3000

61
General Discussion / Re: Unable to update/reinstall kernel
« on: August 02, 2023, 02:52:01 am »
I fetched it from the shell via ssh. However, I'm not sure what to do next.

Here is the output:

fetch https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/kernel-23.7-amd64.txz
kernel-23.7-amd64.txz                                   31 MB   10 MBps    03s

Perhaps I can somehow do the upgrade via the shell with this package that I fetched?

62
General Discussion / Re: Unable to update/reinstall kernel
« on: August 02, 2023, 01:44:14 am »
Thanks. However, that command, executed from the shell via ssh, gave the same result. It just said "fetching kernel" and hung. I guess if I can't find a solution in the next day or so, I'll reinstall and restore from config. However, that's a last resort because it's a bit riskier. What if something goes wrong with the process? I'd hate to have significant downtime setting everything up again.

If it comes down to that, I think I'll get another SSD and swap it out before doing the reinstallation. That way, if there are any problems, I can put the current SSD back in.

63
General Discussion / Unable to update/reinstall kernel
« on: August 01, 2023, 10:40:23 pm »
I'm trying to upgrade to version 23.7 of OPNsense, and the upgrade freezes due to a package mismatch. In particular, I have version 23.1.11 of OPNsense installed, but the kernel is 23.1.8.

When I go under "Firmware," "Packages" and attempt to reinstall the kernel, it hangs with the output:

"***GOT REQUEST TO REINSTALL***
Currently running OPNsense 23.1.11_1 at Tue Aug  1 15:25:16 CDT 2023
Fetching kernel-23.1.11-amd64.txz:"

Does anyone know how to work around this problem and reinstall (update) the kernel to 23.1.11?

64
23.7 Legacy Series / Re: Help! Unable to upgrade to 23.7. Process hangs.
« on: August 01, 2023, 06:16:58 pm »
Changing the mirror had no effect except that, in addition to the status information I posted, it now gives the following error message:

"pkg: Repository OPNsense has a wrong packagesite, need to re-create database."

I searched on this and can see that others have gotten this error when upgrading to past versions, but I didn't find a solution.

Also, I do not use IPV6.

65
23.7 Legacy Series / Help! Unable to upgrade to 23.7. Process hangs.
« on: August 01, 2023, 05:20:52 pm »
I cannot upgrade to 23.7. When I check for updates, OPNsense gets stuck checking for updates and hangs. I've tried it from three different client systems, and have also rebooted the OPNsense server. I've also tried updating from the console but that only updates, not upgrades.

Does anyone know if there is a way out of this? I don't want to reinstall and restore from a config file because my setup is complex and I don't want to take the risk that something will go wrong.

Here is the output when I check for updates, which as noted gets stuck at this point:


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.1.9 at Tue Aug  1 10:10:06 CDT 2023
Fetching changelog information, please wait... fetch: transfer timed out
fetch: /usr/local/opnsense/changelog/changelog.txz appears to be truncated: 0/284144 bytes
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 835 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (83 candidates): .......... done
Processing candidates (83 candidates): ..... done
The following 43 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   libltdl: 2.4.7
   libmcrypt: 2.5.8_3
   php81-pear: 1.10.13
   php81-pear-Crypt_CHAP: 1.5.0_1
   php81-pecl-mcrypt: 1.0.6

Installed packages to be UPGRADED:
   curl: 8.1.1 -> 8.1.2
   ddclient-devel: 3.10.0_1 -> 3.10.0_3
   easy-rsa: 3.1.4 -> 3.1.5
   krb5: 1.20.1 -> 1.21
   nettle: 3.9 -> 3.9.1
   nss: 3.89.1 -> 3.90
   ntp: 4.2.8p15_5 -> 4.2.8p17
   openssh-portable: 9.3.p1,1 -> 9.3.p2,1
   openssl: 1.1.1t_2,1 -> 1.1.1u,1
   openvpn: 2.6.4 -> 2.6.5
   opnsense: 23.1.9 -> 23.1.11_1
   opnsense-update: 23.1.8 -> 23.1.11
   pftop: 0.8_2 -> 0.8_4
   php81: 8.1.19 -> 8.1.20
   php81-ctype: 8.1.19 -> 8.1.20
   php81-curl: 8.1.19 -> 8.1.20
   php81-dom: 8.1.19 -> 8.1.20
   php81-filter: 8.1.19 -> 8.1.20
   php81-gettext: 8.1.19 -> 8.1.20
   php81-ldap: 8.1.19 -> 8.1.20
   php81-mbstring: 8.1.19 -> 8.1.20
   php81-pdo: 8.1.19 -> 8.1.20
   php81-phalcon: 5.2.1 -> 5.2.2
   php81-session: 8.1.19 -> 8.1.20
   php81-simplexml: 8.1.19 -> 8.1.20
   php81-sockets: 8.1.19 -> 8.1.20
   php81-sqlite3: 8.1.19 -> 8.1.20
   php81-xml: 8.1.19 -> 8.1.20
   php81-zlib: 8.1.19 -> 8.1.20
   py39-markupsafe: 2.1.2 -> 2.1.3
   py39-pandas: 2.0.1_1,1 -> 2.0.2,1
   py39-setuptools: 63.1.0 -> 63.1.0_1
   py39-sqlite3: 3.9.16_7 -> 3.9.17_7
   py39-ujson: 5.7.0 -> 5.8.0
   python39: 3.9.16_2 -> 3.9.17
   squid: 5.8 -> 5.9
   strongswan: 5.9.10_1 -> 5.9.10_2
   suricata: 6.0.12 -> 6.0.13

Number of packages to be installed: 5
Number of packages to be upgraded: 38

The process will require 5 MiB more space.
58 MiB to be downloaded.

66
General Discussion / Use monit to test for interface down?
« on: April 28, 2023, 07:52:47 pm »
I have two WANs, a primary WAN and a secondary WAN, and a gateway group with failover from primary WAN to secondary WAN when primary WAN goes down.

I would like to use Monit, available under "services," to send an email notifying me when either WAN goes down. I looked in the OPNsense documentation for Monit and didn't see anything about notification when an interface goes down.

So I'm wondering: before I spend the time setting up Monit and configuring it with my email, is this something that Monit can do? Does anyone have some tips on the setup?

67
General Discussion / Re: Dual wan group and port forwarding
« on: April 22, 2023, 09:41:15 am »
Using port forwarding on the LAN interface may work (I don't know for sure). However, the two traditional ways to access a dynamic DNS name from LAN side are to either use NAT reflection or else split DNS.

The way I've always done it is split DNS. In OPNsense, this can be done from "Services," "Unbound DNS," "Overrides." From there, you can add an override with the domain name of your dynamic DNS and whatever IP address you want it associated with (which is the same IP address that you're port forwarding to). This will ensure that the name resolves to the proper IP address when accessed on the LAN side.

There is also a way to do it with NAT reflection, and I believe there are some options for configuring NAT reflection in the port forwarding menu. However, I'm not really familiar with that.

68
Virtual private networks / Re: Second OpenVPN server on different WAN
« on: April 21, 2023, 04:44:52 pm »
tiermutter, thanks for the recommendation.

In the OpenVPN server configuration menu, there is not an option to choose two specific interfaces, such as "WAN" and "WAN2," but there is an option to choose "any" interface. Is this what you mean? I set the interface to "any," and I was able to connect at least through the primary WAN. (I haven't tested it yet with secondary WAN, but it should work).

On the client side, I will need to somehow set it to fall back to secondary WAN's IP address or URL when the primary WAN is down. You said that there is a way to do this. I don't see how in my client VPN software on the Linux Mint laptop that I use as my client. This is probably beyond the scope of this forum since it's an OpenVPN client configuration issue rather than an OPNsense issue. However, if you have any suggestions about how to configure the client to fall back to the public IP address or URL of the secondary WAN, I'd appreciate it.

As a last resort, this setup will still work because when the primary WAN goes down, which doesn't happen often but does occasionally happen, I can just manually change the IP address in the client software to that of the secondary WAN, which should get me into my network.

69
Virtual private networks / Second OpenVPN server on different WAN
« on: April 21, 2023, 07:58:54 am »
I have a multi-WAN setup, with a gateway group and failover from the primary WAN to the secondary WAN whenever the primary WAN goes down.

I also have an OpenVPN server set up on the primary WAN so that I can access the network from the public Internet.

I would like to set up a second OpenVPN server on the secondary WAN so that I can access the network over the secondary WAN if the primary WAN goes down while I'm traveling. I tried to do this by simply cloning the existing OpenVPN server and changing the WAN interface and tunnel IP subnet, but it didn't work. I couldn't connect over the second OpenVPN tunnel.

Does anyone know whether I need to create a new certificate of authority for the second OpenVPN server and/or a new certificate of authority for the user? I don't understand why I would need to do so, but it appears that the second OpenVPN server is not working with the existing certificates.

70
General Discussion / Re: OPNSense Noob Question - Can OPNsense handle 10 Gbe Internet from ISP on IPV6
« on: April 21, 2023, 12:24:43 am »
Also, one other thing: Your Mellanox card is probably not going to be recognized out of the box. You're likely going to need to add the driver by configuring the mlx4en_load setting in tunables as discussed here: https://forum.opnsense.org/index.php?topic=21007.0.

Maybe it will be different in your case since you're using a ConnectX-4, but I certainly had to do this to get it to recognize my ConnectX-3.

71
General Discussion / Re: OPNSense Noob Question - Can OPNsense handle 10 Gbe Internet from ISP on IPV6
« on: April 21, 2023, 12:18:04 am »
You should be fine, then, except possibly for the RAM, which you mentioned. 4GB is low, and while it just meets the minimum hardware requirements for OPNsense, the recommended hardware requirements are 8GB, as discussed here: https://docs.opnsense.org/manual/hardware.html. If you can at all afford it, I'd upgrade the amount of RAM to at least 8GB or, better yet, 16GB.

72
General Discussion / Re: OPNSense Noob Question - Can OPNsense handle 10 Gbe Internet from ISP on IPV6
« on: April 20, 2023, 11:34:12 pm »
It's more a matter of whether your hardware can handle 10gbe. OPNsense certainly can. I have a 10gbe port on an OPNsense router that functions perfectly well. It's on LAN side and used for VLANs, not WAN as it sounds like you intend, and it's connected to the switch via a Mellanox ConnectX-3 network card (which, incidentally, requires a tunable setting to be recognized), but it shouldn't make any difference which interface it's on. Also, IPV4 vs. IPV6 shouldn't matter. My ISPs provide IP addresses of both types through DHCP4 and DHCP6.

Again, however, I would urge that you make sure your hardware isn't going to bottleneck with 10gbe. Most modern consumer hardware should be fine, but if you have a low power device on which you intend to install OPNsense, there could be problems.

73
General Discussion / Re: ddclient with no-ip.com
« on: April 20, 2023, 09:35:09 pm »
You might need to change "backend" under "general settings" from "ddclient" to "OPNsense." I have an active post about this. It's the only way I got NO-IP working with a multi-WAN setup. If you don't have multiple WANs, then maybe you don't need to, but changing this setting certainly was necessary in my case.

74
General Discussion / Re: Dynamic DNS is broken with multi-wan setup (more information)
« on: April 20, 2023, 06:44:27 pm »
Thanks for the information. I'm glad that they added the OPNsense backend, which so far appears to be working properly with my multi-WAN setup, at least with NO-IP as the dynamic DNS provider and "Interface (IPv4)" as the check method.

With the ddclient backend, multi-WAN does not appear to work properly no matter what check method is chosen, "interface" or anything else. I suspect that the ddclient backend is probably fine for single WAN setups, however.

75
General Discussion / Re: Dynamic DNS is broken with multi-wan setup (more information)
« on: April 20, 2023, 09:51:22 am »
Tentatively, I might have found a solution. Under "Dynamic DNS," "Settings," "General Settings," there is an option to configure something called "backend," with two options: "ddclient," which is the default, and "OPNsense." Changing the backend to OPNsense appears to have forced NO-IP to update to the IP address of the correct WAN interface. I need to do more testing, but tentatively, it seems that this may fix multi-WAN dynamic DNS.

I don't understand what "backend" means and couldn't find any documentation on it, but I'm cautiously optimistic that it solves the problem.
