"Recent posts
#1
26.1 Series / Re: Upgrade to RC1 successful
Last post by meyergru - Today at 04:14:05 PMI switched to 26.1-RC1 as well. Most things worked OOTB, however, I found that the NAT rules filter associations were gone, showing only "Manual" instead, although some link still exists as evidenced by the associated firewall rules being non-editable as usual.
After I tried the first steps of rules migration, all new style rules had no categories and were disabled per default. I wonder what would have happened if I followed the instructions and just removed the old rules at that point.
I tried to understand how the NAT rule linkage relates to new/old rules, but failed. Since it was a production system, I did not dare to remove the old rules.
What is irritating is that "floating rules" now are just the ones that have more than one interface, so if you add an interface to any existing interface rule, the rule shifts to floating rules (and also the other way around). However, I like that, because with the old style rules, you manually have to re-create a rule in the floating section. One has to get accustomed to this, however, because I also used 1-interface-only floating rules for blocking in the floating section just because of the priority being greater than implicit port forwarding rules.
After I tried the first steps of rules migration, all new style rules had no categories and were disabled per default. I wonder what would have happened if I followed the instructions and just removed the old rules at that point.
I tried to understand how the NAT rule linkage relates to new/old rules, but failed. Since it was a production system, I did not dare to remove the old rules.
What is irritating is that "floating rules" now are just the ones that have more than one interface, so if you add an interface to any existing interface rule, the rule shifts to floating rules (and also the other way around). However, I like that, because with the old style rules, you manually have to re-create a rule in the floating section. One has to get accustomed to this, however, because I also used 1-interface-only floating rules for blocking in the floating section just because of the priority being greater than implicit port forwarding rules.
#2
General Discussion / ISC-DHCP to KEA Migration Tool...
Last post by Sheridan Computers - Today at 03:50:49 PMI recently a small CLI tool I wrote for a client migration to help move ISC DHCP static mappings to Kea reservations using the OPNsense config.xml, as there's currently no way to export IPv6 static mappings via web interface.
I've open sourced it on github (should have releases for Linux, Windows, Mac).
It supports both IPv4 and IPv6 static mappings (including DUID, hostname, domain search, description). I originally wrote it mainly to handle DHCPv6 static reservations, since there isn't currently a GUI export/import path for those.
It's safe by default (reads the input config and writes to a new output file so you can review before importing) and only migrates static reservations, not pools or options.
This is very much a v1 community tool, so please test (pref in a lab) first and take a backup/snapshot before importing. If anyone wants to try it and provide feedback or edge cases, I'd really appreciate it.
See the Github README for command line usage.
Tested with 25.7.11:
ISC-DHCP to Kea Migration Tool
I've open sourced it on github (should have releases for Linux, Windows, Mac).
It supports both IPv4 and IPv6 static mappings (including DUID, hostname, domain search, description). I originally wrote it mainly to handle DHCPv6 static reservations, since there isn't currently a GUI export/import path for those.
It's safe by default (reads the input config and writes to a new output file so you can review before importing) and only migrates static reservations, not pools or options.
This is very much a v1 community tool, so please test (pref in a lab) first and take a backup/snapshot before importing. If anyone wants to try it and provide feedback or edge cases, I'd really appreciate it.
See the Github README for command line usage.
- Leave kea disabled for now
- Create the relevant IPv4 and IPv6 subnets in kea
- Download the config (from system settings in GUI)
- Use scan option first to see what will change
- Use the convert option to create a new xml config
- Restore the new config from OPNsense gui
- Check the kea settings everything imported
- Disable isc and enable kea
Tested with 25.7.11:
ISC-DHCP to Kea Migration Tool
#3
25.7, 25.10 Series / Re: IPv6 link-local route does...
Last post by franco - Today at 03:31:05 PM> When it comes up, the route for <prefix48>fff0::/60 to FE80::2%vtnet3 is missing from the routing table until I click the 'Apply' button on the routing config screen on the main router.
Maurice, could this overlap with the blackhole route we added for the delegated prefix?
Cheers,
Franco
Maurice, could this overlap with the blackhole route we added for the delegated prefix?
Cheers,
Franco
#4
Hardware and Performance / Re: [solved] Intel i226 Firmwa...
Last post by Waldus66668 - Today at 03:30:43 PMSorry for making confusion. What I wrote is not 100% accurate for i226.
But in general eeupdate64e is easier to use since it does not require configuration file.
But going back to i226 - my workflow is following:
1 - to determine inventory I use Linux version of nvmupdate64e (from Intel driver pack)
2 - to flash i226 NVM I use Linux version of eeupdate64e. Please see this link:
CSG150 i226 NIC NVM update instructions
There in step 5 you will find instruction. Direct link to download Linux version of eeupdate64e is here:
CSG150_NVM_225.tar.gz
For me this has been working reliably.
Unfortunately EFI version of eeupdate64e compatible with i226 is not publicly available.
But in general eeupdate64e is easier to use since it does not require configuration file.
But going back to i226 - my workflow is following:
1 - to determine inventory I use Linux version of nvmupdate64e (from Intel driver pack)
2 - to flash i226 NVM I use Linux version of eeupdate64e. Please see this link:
CSG150 i226 NIC NVM update instructions
There in step 5 you will find instruction. Direct link to download Linux version of eeupdate64e is here:
CSG150_NVM_225.tar.gz
For me this has been working reliably.
Unfortunately EFI version of eeupdate64e compatible with i226 is not publicly available.
#5
26.1 Series / Re: Upgrade to RC1 successful
Last post by franco - Today at 03:16:24 PMAh, oui, naturellement. ;)
I added a note about the plugin situation in the forum announcement post.
The "https://192.168.1.1" is a bit of a hardcoded relic.
https://github.com/opnsense/core/blob/e75192ca461dfa/src/sbin/opnsense-installer#L53
From an imported config where "lan" may not exist it can be difficult to extract the correct value from. Let's call it an artefact for now.
Cheers,
Franco
I added a note about the plugin situation in the forum announcement post.
The "https://192.168.1.1" is a bit of a hardcoded relic.
https://github.com/opnsense/core/blob/e75192ca461dfa/src/sbin/opnsense-installer#L53
From an imported config where "lan" may not exist it can be difficult to extract the correct value from. Let's call it an artefact for now.
Cheers,
Franco
#6
25.7, 25.10 Series / Re: IPv6 link-local route does...
Last post by matt335672 - Today at 03:12:19 PMThanks both.
I was using PD with ISC dhcpd for this, and it was working (mostly) fine. For what I'm doing there's no advantage in using PD really, so I'd like to get the static routes working.
I'm not keen on messing around with my primary router for this, so I'll try setting up a VM with just my static routes on it and see what happens. There are only 3. If I can reproduce it on that, it should make a fault report easier.
I was using PD with ISC dhcpd for this, and it was working (mostly) fine. For what I'm doing there's no advantage in using PD really, so I'd like to get the static routes working.
I'm not keen on messing around with my primary router for this, so I'll try setting up a VM with just my static routes on it and see what happens. There are only 3. If I can reproduce it on that, it should make a fault report easier.
#7
26.1 Series / Re: Upgrade to RC1 successful
Last post by patient0 - Today at 03:00:08 PMSame for me, I did pgrades two OPNsense installation.
One from an installation which was on the Development channel, by switching as France explained, no issue.
The other was on the Dev channel too (not that it matters), exported config (to be sure) and reinstalled using the DVD ISO. The config was found on the ZFS pool and installation when smooth, and with the config found on the ZFS pool.
The only confusing thing was that after the installation and before the reboot the text on the console told me that the OPNsense GUI will be reachable on 192.168.1.1. That specific installation is IPv6 only, so I wasn't sure if the config was applied correctly - but it was.
One from an installation which was on the Development channel, by switching as France explained, no issue.
The other was on the Dev channel too (not that it matters), exported config (to be sure) and reinstalled using the DVD ISO. The config was found on the ZFS pool and installation when smooth, and with the config found on the ZFS pool.
The only confusing thing was that after the installation and before the reboot the text on the console told me that the OPNsense GUI will be reachable on 192.168.1.1. That specific installation is IPv6 only, so I wasn't sure if the config was applied correctly - but it was.
#8
26.1 Series / Upgrade to RC1 successful
Last post by Maurice - Today at 02:46:28 PMJust a quick report that I upgraded from the 25.7.11 development version to 26.1.r1, so far without issues.
Switching back to Community doesn't replace the automatically installed os-isc-dhcp-devel plugin with the non-devel version, but I think that's expected. It's an additional manual step which might be worth mentioning in the upgrade instructions.
I keep hostwatch disabled for the time being, so no statement about that.
Cheers
Maurice
Switching back to Community doesn't replace the automatically installed os-isc-dhcp-devel plugin with the non-devel version, but I think that's expected. It's an additional manual step which might be worth mentioning in the upgrade instructions.
I keep hostwatch disabled for the time being, so no statement about that.
Cheers
Maurice
#9
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by franco - Today at 01:59:44 PMSo https://github.com/opnsense/ports/commit/a1996a8fe27 is coming to 26.1-RC2 soon. That more or less concludes 1.)
For 2.) I'll publish new patch instructions after 26.1 is out. I think they don't apply cleanly in all cases anymore since there were more moving parts and some things from the patch have been extracted and moved to the master branch because they were safe as is.
Thanks,
Franco
For 2.) I'll publish new patch instructions after 26.1 is out. I think they don't apply cleanly in all cases anymore since there were more moving parts and some things from the patch have been extracted and moved to the master branch because they were safe as is.
Thanks,
Franco
#10
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by franco - Today at 01:38:43 PMhttps://github.com/opnsense/hostwatch/commit/482b45ce is on the way but not in 1.0.6.
For specific issues it may make sense to raise a ticket, but multiple versions are in flight now so it would be better to wait for the final one that's going into 26.1 to make reports on.
Cheers,
Franco
For specific issues it may make sense to raise a ticket, but multiple versions are in flight now so it would be better to wait for the final one that's going into 26.1 to make reports on.
Cheers,
Franco
