Recent posts

#1
26.1 Series / Re: Enable SSH at Console
Last post by patient0 - Today at 04:46:53 PM
On the console use:

configctl service start openssh
or
configctl openssh start
Not sure if the 'service start' survives a reboot.
The documentation uses SSH as an example: https://docs.opnsense.org/development/backend/configd.html#naming-convention

And: in the folder /conf/backup are backups of your previous config, in case you need them.
#2
OK this only happens when I use the config file. If I don't specify a config file, I get a full inventory and can even filter by the MAC of my i226 card. I still get a message about "Unsupported device found - DeviceId: 15D6." though.

Intel(R) Ethernet NVM Update Tool
NVMUpdate version 1.43.20.0
Copyright(C) 2013 - 2025 Intel Corporation.

./nvmupdate64e -i -l out.log -m 00A0C9261A48

Config file will not be read.
Unsupported device found - DeviceId: 15D6.
Inventory
[00:001:00:00]: Intel(R) Ethernet Controller I226-V
Alternate MAC address is not set.
Flash inventory started.
Shadow RAM inventory started.
Shadow RAM inventory finished.
Flash inventory finished.
OROM inventory started.
OROM inventory finished.
[00:001:00:00]: Intel(R) Ethernet Controller I226-V
Vendor                 : 8086
Device                 : 125C
Subvendor              : 8086
Subdevice              : 0000
Revision               : 4
LAN MAC                : 00A0C9261A48
Alt MAC                : 000000000000
SAN MAC                : 000000000000
ETrackId               : 8000028D
SerialNumber           : 00A0C9FFFF261A48
NVM Version            : 2.20(2.14)
PBA                    : G23456-000
VPD status             : Not set
VPD size               : 0
NVM update             : No config file entry
checksum             : Valid
OROM update            : No config file entry
CIVD                 : 0.0.0
EFI                  : 0.1.1, checksum None
#3
General Discussion / Re: Single gateway monitoring ...
Last post by arubenstein - Today at 04:31:26 PM
Quote from: Patrick M. Hausen on Today at 04:19:58 PM
Best open a feature request on Github.

Ah thanks for the pointer. I shall do so.
#4
26.1 Series / Enable SSH at Console
Last post by kmschneider1 - Today at 04:28:24 PM
I am looking to find out how to enable SSH at the console, NOT using the WebGUI. I have searched extensively, but the information always points to the WebGUI or is about issues with existing SSH setups. For reference as to why I need the console: I made a dumb noob move while trying out Caddy and did not back up first. My WebGUI is currently inaccessible. Everything else works perfectly, so I am trying to fix it via the console, since I think I know what is causing the issue. However, my OPNsense box is in my basement and I apparently did not enable SSH before all this happened.

I do know that a reinstall will resolve this, but since everything else (VPN, Port Forwarding, DHCP Leases) works, I am trying to fix it without needing to redo everything.
#5
I have another intel NIC (i219) in my machine that seems to be getting in the way:

./nvmupdate64e -i -c nvm.cfg.txt -l out.log

Config file read.
Unsupported device found - DeviceId: 15D6.
Error:   Config file ETrackId doesn't match NVM image version [config: 0x80000422, image: 0x74616465].

I think I need to use the -location option to specify (-m didn't help) but I haven't found the right thing to pass to that. Not sure what info in pciconf I need to put there:

igc0@pci0:1:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet
#6
Best open a feature request on Github.
#7
You need only the two centre wires. That's (with 6 total) 3 & 4 for RJ11 and (with 8 total) 4 & 5 for RJ45. This is really just "mechanics". RJ11 is the international equivalent of TAE with 6 wires total.

Common patch cables are RJ45 so I try to keep everything that way.
#8
General Discussion / Single gateway monitoring IP
Last post by arubenstein - Today at 04:15:13 PM
About ten years ago, someone posted this:

https://forum.opnsense.org/index.php?topic=3974.msg14153#msg14153

Essentially, they asked why you couldn't specify the same IP on multiple gateway monitors. I've always wondered this too. The answer given in that post isn't entirely accurate. dpinger can definitely do this, with the -B command (which is already used). Here is my proof:

In two different windows, I run:

window 1: tcpdump -i ix1 host 8.8.8.8
window 2: tcpdump -i igb0 host 8.8.8.8

then I run the following:

root@fw1:~ # dpinger -f -B 100.91.121.144 8.8.8.8
and

root@fw1:~ # dpinger -f -B 216.220.92.80 8.8.8.8

this is the result I see in the tcpdump windows

window 1:

root@fw1:~ # tcpdump -i ix1 host 8.8.8.8
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ix1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:02:01.129175 IP 216.220.92.80 > dns.google: ICMP echo request, id 8483, seq 15, length 8
10:02:01.131229 IP dns.google > 216.220.92.80: ICMP echo reply, id 8483, seq 15, length 8
10:02:01.629594 IP 216.220.92.80 > dns.google: ICMP echo request, id 8483, seq 16, length 8
10:02:01.631648 IP dns.google > 216.220.92.80: ICMP echo reply, id 8483, seq 16, length 8
10:02:02.715829 IP 216.220.92.80 > dns.google: ICMP echo request, id 27100, seq 0, length 32
10:02:02.717876 IP dns.google > 216.220.92.80: ICMP echo reply, id 27100, seq 0, length 32

window 2:

root@fw1:~ # tcpdump -i igb0 host 8.8.8.8
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:02:06.750199 IP 100.91.121.144 > dns.google: ICMP echo request, id 13418, seq 0, length 8
10:02:06.796505 IP dns.google > 100.91.121.144: ICMP echo reply, id 13418, seq 0, length 8
10:02:07.250663 IP 100.91.121.144 > dns.google: ICMP echo request, id 13418, seq 1, length 8
10:02:07.300514 IP dns.google > 100.91.121.144: ICMP echo reply, id 13418, seq 1, length 8
10:02:07.752011 IP 100.91.121.144 > dns.google: ICMP echo request, id 13418, seq 2, length 8
10:02:07.813853 IP dns.google > 100.91.121.144: ICMP echo reply, id 13418, seq 2, length 8
So, in essence, it would seem this works just fine if the UI would allow it.

In my opinion, I'd rather dpinger / gateway monitoring be monitoring the same IP I specify "out on the net" to test gateway viability, rather than just the other end of the connection or whatever. This doesn't really test internet reachability.

Can this change be considered? A further enhancement would be the ability to set more than one IP to monitor, which is a common feature on other firewalls.

Thanks for your consideration!
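As an added example (not code from the post or from OPNsense), a small Python checker for captures like the two windows above: it parses tcpdump's ICMP echo lines, pairs each request sent from the address dpinger was bound to with -B against its reply to get per-gateway RTT and loss, and counts any request on an interface that does not carry the expected bound address. The sample input is constructed from the post's capture (one pair omitted for brevity) with one extra unanswered probe appended to window 2 to show how loss is reported.

```python
import re

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > ([^:]+): ICMP echo "
                     r"(request|reply), id (\d+), seq (\d+), length \d+$")

# Constructed input: capture windows quoted in the post, plus one unanswered probe (seq 3) in window 2.
WINDOW1 = """\
10:02:01.129175 IP 216.220.92.80 > dns.google: ICMP echo request, id 8483, seq 15, length 8
10:02:01.131229 IP dns.google > 216.220.92.80: ICMP echo reply, id 8483, seq 15, length 8
10:02:02.715829 IP 216.220.92.80 > dns.google: ICMP echo request, id 27100, seq 0, length 32
10:02:02.717876 IP dns.google > 216.220.92.80: ICMP echo reply, id 27100, seq 0, length 32
"""
WINDOW2 = """\
10:02:06.750199 IP 100.91.121.144 > dns.google: ICMP echo request, id 13418, seq 0, length 8
10:02:06.796505 IP dns.google > 100.91.121.144: ICMP echo reply, id 13418, seq 0, length 8
10:02:07.250663 IP 100.91.121.144 > dns.google: ICMP echo request, id 13418, seq 1, length 8
10:02:07.300514 IP dns.google > 100.91.121.144: ICMP echo reply, id 13418, seq 1, length 8
10:02:07.752011 IP 100.91.121.144 > dns.google: ICMP echo request, id 13418, seq 2, length 8
10:02:07.813853 IP dns.google > 100.91.121.144: ICMP echo reply, id 13418, seq 2, length 8
10:02:08.252400 IP 100.91.121.144 > dns.google: ICMP echo request, id 13418, seq 3, length 8
"""

def parse_capture(text):
    """Parse tcpdump ICMP echo lines into dicts; banner and unrelated lines are skipped."""
    pkts = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        h, mi, s, src, dst, kind, ident, seq = m.groups()
        pkts.append({"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
                     "dst": dst, "kind": kind, "key": (int(ident), int(seq))})
    return pkts

def probe_rtts(pkts, bound_src):
    """RTT in ms per (id, seq) for probes sent from bound_src; None means no reply was seen."""
    sent, rtts = {}, {}
    for p in pkts:
        if p["kind"] == "request" and p["src"] == bound_src:
            sent[p["key"]] = p["t"]
            rtts[p["key"]] = None
        elif p["kind"] == "reply" and p["dst"] == bound_src and p["key"] in sent:
            rtts[p["key"]] = round((p["t"] - sent[p["key"]]) * 1000, 3)
    return rtts

def summarize(pkts, bound_src):
    """Per-gateway health plus a check that every request on this interface used the -B address."""
    rtts = probe_rtts(pkts, bound_src)
    ok = [v for v in rtts.values() if v is not None]
    foreign = sum(1 for p in pkts if p["kind"] == "request" and p["src"] != bound_src)
    return {"sent": len(rtts), "answered": len(ok), "lost": len(rtts) - len(ok),
            "avg_rtt_ms": round(sum(ok) / len(ok), 3) if ok else None, "foreign": foreign}
```

Running summarize() on each window with its own bound address gives zero foreign requests, confirming that each dpinger instance left via the interface matching its -B source even though both target 8.8.8.8.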
#9
General Discussion / Re: Deutsche Telekom - Glasfer...
Last post by chemlud - Today at 04:10:56 PM
What advantage does RJ45 have over RJ11? I'm totally unsure which cable I have to connect the RJ11 plug to... is there some kind of cabling plan for RJ11/RJ45 available?

I have no LSA tool (and no experience with that at all...) but only a cheap RJ45 crimp tool. Sounds crazy to have 1.5 Gbit with homebaked stuff like that.
#10
Quote from: estebang on February 10, 2025, 02:02:41 PM
I've re-read your OP several times to try to avoid a pointless contribution... (an opening comment like that almost guarantees one), but I'm pretty sure I'm achieving what you want to do only with unbound with a very similar setup.

I catch all local requests to my *.mxxxxxxx.org domain which are directed to a caddy reverse proxy container with a lan ip address.

We have some public code demo sites such as dev1, dev2 at dev1.mxxxxxx.org with public IP addresses. In Unbound overrides:

Host: *    Domain: mxxxxxxx.org          Value: 192.x.x.x   Descrip: Caddy Reverse Proxy
Host: *    Domain: dev1.mxxxxxx.org   Value: 20.x.x.x    Descrip: Public webserver IP address

Does this not work for you?

Clever solution. Works well for me. Thanks!