Recent posts

#1
General Discussion / Re: FIB/VRF support in OPNsens...
Last post by Fredouil - Today at 11:44:41 AM
Hello, I disagree with this analysis. I've lost count of the number of discussions where professionals say that if OPNsense supported VRF, they would immediately switch to that solution. I know many professionals who are reluctantly forced to turn to Fortinet, VYOS, or others because they have VRF or VDOM. I truly believe it would be a huge mistake to think this feature isn't important; it should be a priority. I'm giving you my analysis as an expert and professional who regularly meets with other professionals at trade shows.
#2
General Discussion / Re: Struggles scripting with t...
Last post by allddd - Today at 09:15:34 AM
Does it have to be a LAN host, or would it be OK for an external service to notify you?

You could use a service like https://healthchecks.io in combination with Monit. This would be even more reliable, since you would receive a notification regardless of whether you are currently using the system or not.

You can configure Monit to send an HTTP request to healthchecks.io every time a check is successful. If it fails for any reason, or if OPNsense cannot reach healthchecks.io at all, you will be notified. They offer a generous free tier; you can even receive calls and SMS.
#3
25.7, 25.10 Series / Re: LAN breaks when moving fro...
Last post by tdpolo26 - Today at 07:31:59 AM
Quote from: greY on Today at 05:52:39 AM
Hi
I'd try to export configuration, do the replacements/re-mappings (simply search and replace) there and import it back.

Yeah, I had that same idea today... it's like when I switch the assignment something remains em0.
#4
25.7, 25.10 Series / Re: Suricata IPS + Promiscuous...
Last post by greY - Today at 06:03:47 AM
Ended up having all WAN (1G) ports at queues=1 and all LAN (10G) ports at queues=2. I guess LAN ports could be set to 4 or 8; I just currently have no time for deeper tests, and performance seems to be the same as before.

It made everything work again. Especially with WAN ports at 4, I also had weird issues with gateway groups. It didn't matter whether in load balancing or failover mode, there were connection issues (unstable) to SSH targets.
#5
25.7, 25.10 Series / Re: LAN breaks when moving fro...
Last post by greY - Today at 05:52:39 AM
Hi
I'd try to export configuration, do the replacements/re-mappings (simply search and replace) there and import it back.
#6
General Discussion / Re: Latest OPNsense: libcrypto...
Last post by hakuna - Today at 04:45:50 AM
Last update!

Everything is working, I have enabled the firewall rules back instead of using public DNS.

OPNsense Announcements is showing a hotfix 25.10.1_2, but it is not available yet. I was reading the 25.7 update post and that seems to be the root cause of my problems indeed: https://forum.opnsense.org/index.php?topic=50052.msg255254#msg255254

That package manager update is the only thing that could have opened hell's door, until I ran the update again to install another 85 packages which failed with a Danger msg.

So anyway, this update is not great; I have never experienced such a major issue during an OPNsense update process before.
If you run this in prod, get ready for a wild ride.

Please be aware that during the update check the new package manager will be installed, but will fail to report the update status like it always had before and so you will end up with an error that will require checking for updates again.  The fix is in this update, but impossible to install without upgrading the package manager first.  We hope this will only be a minor inconvenience during the process.
#7
General Discussion / Re: Latest OPNsense: libcrypto...
Last post by hakuna - Today at 04:15:13 AM
Something is terribly wrong with the latest updates, the one prior to 25.7.10 and 25.7.10 itself.

After fixing the drama above as explained, UPnP wasn't starting and all my DNS setup was broken (Pi-hole + Unbound); no matter what I did, nothing was working, so I had to use public DNS instead.

I checked for updates again and there were another 85 packages to install (the 25.7.10 update); during the update process it failed with a danger message and a 404 when trying to access the UI.

After a reboot and an attempt to update via the console, UPnP no longer fails and works; also, my DNS setup is working again.

I have no idea wtf happened, I did the usual, check for update and apply, nothing else.
If you are reading this and haven't updated it yet to 25.7.10, don't.

Something is broken!
#8
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by dmurphy - Today at 04:00:17 AM
Just following up that I still see a memory leak in dnsmasq even after a reboot and an update to 25.7.10.

The cronjob which periodically restarts the process is keeping it from being an issue, but I still am trying to track down the leak.

Unfortunately it appears our base FreeBSD doesn't have proper dtrace support; it's mostly broken.

I also tried digging in with gdb but hit a dead end there too; can't really dig into jemalloc that way.

Anyway, looking forward to trying dnsmasq $version++ where we know there are memory leak fixes.  No urgency since the crontab process restart is doing its thing -- seems to be a slow leak.

For fun, here's a procstat -v.  You can see two memory regions that continue to grow.

[root@dmurphy-gw /usr/local/sbin]# procstat -v 21656
  PID              START                END PRT  RES PRES REF SHD FLAG  TP PATH
21656           0x200000           0x216000 r--   22  102   4   1 CN--- vn /usr/local/sbin/dnsmasq
21656           0x216000           0x264000 r-x   78  102   4   1 CN--- vn /usr/local/sbin/dnsmasq
21656           0x264000           0x265000 r--    1  102   4   1 CN--- vn /usr/local/sbin/dnsmasq
21656           0x265000           0x266000 r--    1    1   1   0 CN--- sw
21656           0x266000           0x268000 rw-    2    0   1   0 C---- vn /usr/local/sbin/dnsmasq
21656           0x268000           0x269000 rw-    1    1   1   0 C---- sw
21656        0x800e5b000        0x820e3b000 ---    0    0   0   0 ----- gd
21656        0x820e3b000        0x820e5b000 rw-    5    5   1   0 C--D- sw
21656        0x8219d8000        0x8219d9000 r-x    1    1  99   0 ----- ph
21656        0x8229c4000        0x8229ea000 r--   31   60  20  10 CN--- vn /usr/local/lib/libnettle.so.8.11
21656        0x8229ea000        0x822a16000 r-x   28   60  20  10 CN--- vn /usr/local/lib/libnettle.so.8.11
21656        0x822a16000        0x822a19000 r--    3    0   1   0 CN--- vn /usr/local/lib/libnettle.so.8.11
21656        0x822a19000        0x822a1a000 rw-    1    0   1   0 CN--- vn /usr/local/lib/libnettle.so.8.11
21656        0x823729000        0x82375b000 r--   17   39   4   2 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656        0x82375b000        0x823771000 r-x   22   39   4   2 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656        0x823771000        0x823772000 r--    1    0   1   0 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656        0x823772000        0x823774000 rw-    2    0   1   0 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656        0x8245aa000        0x8245cc000 r--   24   66   4   2 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656        0x8245cc000        0x824626000 r-x   42   66   4   2 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656        0x824626000        0x824627000 r--    1    0   1   0 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656        0x824627000        0x824629000 rw-    2    0   1   0 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656        0x824ede000        0x824f5d000 r--  121  451 308 114 CN--- vn /lib/libc.so.7
21656        0x824f5d000        0x825099000 r-x  316  451 308 114 CN--- vn /lib/libc.so.7
21656        0x825099000        0x8250a2000 r--    9    0   1   0 CN--- vn /lib/libc.so.7
21656        0x8250a2000        0x8250a9000 rw-    7    0   1   0 C---- vn /lib/libc.so.7
21656        0x8250a9000        0x8251ca000 rw-   19   19   1   0 C---- sw
21656     0x1259f7200000     0x1259f7221000 rw-   28   28   1   0 C---- sw
21656     0x1259f7400000     0x1259f7e00000 rw-  840  840   1   0 C---- sw
21656     0x1259f7e00000     0x125a00500000 rw- 31625 31625   1   0 ----- sw
21656     0x125a00600000     0x125a0a200000 rw- 29677 29677   1   0 ----- sw

21656     0x19660f171000     0x19660f177000 r--    6   30 251  57 CN--- vn /libexec/ld-elf.so.1
21656     0x19660f177000     0x19660f18e000 r-x   23   30 251  57 CN--- vn /libexec/ld-elf.so.1
21656     0x19660f18e000     0x19660f18f000 r--    1    0   1   0 CN--- vn /libexec/ld-elf.so.1
21656     0x19660f18f000     0x19660f190000 r--    1    1   1   0 CN--- sw
21656     0x19660f190000     0x19660f192000 rw-    2    2   1   0 C---- sw
21656     0x7fffffffe000     0x7ffffffff000 ---    0    0   0   0 ----- gd

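The "two memory regions that continue to grow" in the procstat output above are easier to spot mechanically than by eye. The following is an added example (not code from the thread) that diffs two `procstat -v` snapshots and lists the writable anonymous swap-backed mappings whose resident page count grew; snapshot A reuses rows from the output above, snapshot B is constructed.

```python
"""Spot growing mappings between two `procstat -v` snapshots (added example, not from the thread).

Snapshot A reuses rows of the procstat output posted above; snapshot B is constructed so the
two large anonymous 'sw' heap regions have grown, which is what the poster points at.
"""
from typing import Dict, List, Tuple

def parse_procstat_v(text: str) -> Dict[Tuple[str, str], dict]:
    """Parse rows into {(START, END): fields}; header, blank lines and shell prompt are skipped."""
    regions: Dict[Tuple[str, str], dict] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        _pid, start, end, prt, res, _pres, _ref, _shd, _flag, tp = parts[:10]
        path = parts[10] if len(parts) > 10 else ""
        regions[(start, end)] = {"prt": prt, "res": int(res), "type": tp, "path": path}
    return regions

def growing_regions(before: str, after: str, min_growth: int = 1) -> List[dict]:
    """Writable anonymous ('sw') mappings whose RES page count grew by >= min_growth, largest first."""
    a, b = parse_procstat_v(before), parse_procstat_v(after)
    out = []
    for key, rb in b.items():
        ra = a.get(key)
        if ra is None or rb["type"] != "sw" or "w" not in rb["prt"]:
            continue  # new, file-backed or read-only mappings are not heap growth
        growth = rb["res"] - ra["res"]
        if growth >= min_growth:
            out.append({"start": key[0], "end": key[1], "before": ra["res"],
                        "after": rb["res"], "growth": growth})
    return sorted(out, key=lambda r: -r["growth"])

SNAP_A = """\
  PID              START                END PRT  RES PRES REF SHD FLAG  TP PATH
21656        0x8245aa000        0x8245cc000 r--   24   66   4   2 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656        0x8250a9000        0x8251ca000 rw-   19   19   1   0 C---- sw
21656     0x1259f7400000     0x1259f7e00000 rw-  840  840   1   0 C---- sw
21656     0x1259f7e00000     0x125a00500000 rw- 31625 31625   1   0 ----- sw
21656     0x125a00600000     0x125a0a200000 rw- 29677 29677   1   0 ----- sw
"""
# Constructed later snapshot: the two big heap regions grew, nothing else changed.
SNAP_B = SNAP_A.replace("31625 31625", "33010 33010").replace("29677 29677", "30900 30900")

if __name__ == "__main__":
    for r in growing_regions(SNAP_A, SNAP_B):
        print(f"{r['start']}-{r['end']}: {r['before']} -> {r['after']} resident pages (+{r['growth']})")
```

In practice the two snapshots would come from `procstat -v <pid>` run some minutes apart while the cron restart is disabled.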
#9
General Discussion / Re: Latest OPNsense: libcrypto...
Last post by hakuna - Today at 03:18:31 AM
THIS CANNOT BE RIGHT!!!!

Download this since I am running 25.7: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/All/openssl-3.0.18,1.pkg

Extract:

libcrypto.so.12
libssl.so.12

Copy from USB to both locations since idk which is which:

/usr/lib/
/lib/

The system is booting and I can log in, now I need to check if it is gonna connect to the internet.
#10
General Discussion / Re: Struggles scripting with t...
Last post by ASteve - Today at 03:03:25 AM
Quote from: allddd on Today at 01:24:14 AM
Quote from: ASteve on Today at 12:16:30 AM
and triggers an action if either of the upstream gateways is down.

Not sure about the API, but have you considered using Monit? It's designed to do exactly that.
It can notify you, execute a script, or basically do anything else you want it to.

https://docs.opnsense.org/manual/monit.html

Thanks for recommending Monit... it's related to what I'm trying to do.  I have Monit set up... but I'm trying to achieve something subtly different.  Monit can't do what I want because I want the decision about the presence/absence of a fault condition to be made by a host on my LAN, not by the host running OPNsense.

With Monit, while it could run a script (on the OPNsense router) when relevant fault conditions arise... I want a script to periodically verify that the gateway is operating properly.  I don't want my OPNsense router to push notifications of faults... I want a script that runs on a separate host (on my LAN) to poll to check the opposite, i.e. that both uplinks are 'OK'.  I make a distinction between the approaches as they have different failure modes.

If some aspect of my networks (LAN/WAN/VPN etc.) is down, this could plausibly block delivery of a message about the failure (giving the false impression that everything is OK).  Conversely, if I take a polling approach, dispatching requests (perhaps once a minute) from a host I'm actively using, then any failure to verify things are "OK" (whatever the reason for that failure) will permit reliable notification about there being some kind of problem.

Another obvious distinction between the approaches: if power to my OPNsense router fails (unplugged/switched off at the mains) then the Monit service on it will not be dispatching any notifications.  Conversely, if a service running on my desktop (which I'm actively using) fails to successfully poll the router and verify things are OK, then it will be able to actively notify me, even if the LAN and/or WAN are not working properly; even if email and/or DNS are not working properly.
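The fail-closed polling approach described in the post above, as an added example (not code from the thread or the OPNsense project): a LAN-side poller that treats anything short of a positive "both gateways online" answer as a fault. The API endpoint path, the key/secret basic-auth usage, the response fields and the gateway names are assumptions.

```python
"""Fail-closed uplink poller for a LAN host (added example, not from the thread).

A poll counts as OK only when both gateways are positively seen 'online'; a timeout,
TLS/HTTP error, login page, missing gateway or other status is a fault, so a broken
path can never look like 'OK'. The endpoint path, the key/secret basic-auth use and
the 'items'/'name'/'status' fields are assumptions about the OPNsense API, as are the names.
"""
import base64
import json
import urllib.request
from typing import Callable, Dict, Sequence

REQUIRED = ("WAN_GW", "WAN2_GW")  # constructed gateway names

def fetch_gateway_status(host: str, key: str, secret: str, timeout: float = 5.0) -> str:
    """GET gateway status with an API key/secret; any transport problem raises."""
    req = urllib.request.Request(f"https://{host}/api/routes/gateway/status")  # path assumed
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def evaluate(body: str, required: Sequence[str] = REQUIRED) -> Dict[str, str]:
    """Return {gateway: reason} for each required gateway not verified online; {} means all OK."""
    try:
        items = {g["name"]: g for g in json.loads(body)["items"]}
    except (ValueError, KeyError, TypeError) as exc:  # HTML login page, wrong shape, etc.
        return {g: f"unverifiable response ({type(exc).__name__})" for g in required}
    problems = {}
    for name in required:
        gw = items.get(name)
        if gw is None:
            problems[name] = "missing from response"
        elif str(gw.get("status", "")).lower() != "online":
            problems[name] = f"status={gw.get('status')!r}"
    return problems

def poll_once(fetch: Callable[[], str], required: Sequence[str] = REQUIRED) -> Dict[str, str]:
    """One poll; a failed fetch (DNS, TLS, timeout, 5xx) is a fault for every gateway."""
    try:
        body = fetch()
    except Exception as exc:
        return {g: f"poll failed ({type(exc).__name__})" for g in required}
    return evaluate(body, required)

# Constructed bodies standing in for API responses.
BODY_OK = json.dumps({"items": [{"name": "WAN_GW", "status": "Online"}, {"name": "WAN2_GW", "status": "Online"}]})
BODY_DEGRADED = json.dumps({"items": [{"name": "WAN_GW", "status": "Online"}, {"name": "WAN2_GW", "status": "Offline"}]})
BODY_PARTIAL = json.dumps({"items": [{"name": "WAN_GW", "status": "Online"}]})
```

Run `poll_once(lambda: fetch_gateway_status(host, key, secret))` from a once-a-minute timer on the desktop and raise a local alert whenever the returned dict is non-empty.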