Confused by snapshots

[Taomyn]

I thought I would check on the Snapshot section of configuration of my firewall and saw that I only have, default, and it was dated back in 2023 - its also 9.88G in size.

You cannot view this attachment.

As my current firewall state is stable, I cannot see why I would want to revert back to such an old snapshot. Can I update it with a new snapshot and delete the old one? I've read the docs and a tutorial on the forum, but neither seems to help me.

As my firewall is a Proxmox VM I've been using it for snapshots, but I was curious to look at the OPNsense feature.

[Patrick M. Hausen]

ZFS snapshots work differently from e.g. VMware. They simply "freeze" a certain point in time for the underlying FS structure.

That snapshot that you see *is* the current state of your file system. If you

- create a new one
- set the new one active
- reboot
- delete the old one

You will end up with exactly the same situation, only the "created" time stamp will be newer.

The "snapshots" in the OPNsense UI are really "boot environments" as FreeBSD calls it. There's always one active one which is not really frozen or can be reverted to at all. And an arbitrary number of "frozen" ones that you can use to revert to.

tldr; that "default" thing is really not a snapshot at all but your current read/write mounted file system; add more "real snapshots" as you see fit.

[Taomyn]

Thank-you, that makes sense now.

[senser]

Why aren't they called boot environments though? Or bootable snapshots?

[Patrick M. Hausen]

Don't ask me why the OPNsense developers sometimes name things in the UI differently compared to whatever the upstream product uses. E.g. WireGuard interfaces are instances. Boot environments are snapshots. No idea.

[senser]

Maybe there is a developer reading this :)
Anyway, it is always good to have one good, working Boot Environment other than the default, running one!
It's a good safety net, should you mess up

[franco]

Today I think most new people trying OPNsense neither know FreeBSD nor ZFS. That's why we settled on snapshots.

WireGuard has relatively weak concepts of terminology. Since forever, "interfaces" have been assigned network devices in OPNsense and previous software. We can't go ahead and call WireGuard interfaces "interfaces" and ask people in support cases if they assigned their WireGuard interface as an interface. The documentation would also suffer from this and someone would surely complain sooner or later.


Cheers,
Franco

[Patrick M. Hausen]

The downside is that third party documentation cannot be easily applied to OPNsense. Worst area being HAproxy, I guess.

[Seimus]

Today I think most new people trying OPNsense neither know FreeBSD nor ZFS. That's why we settled on snapshots.

You cant even imagine how right you are.

The downside is that third party documentation cannot be easily applied to OPNsense. Worst area being HAproxy, I guess.

This can be fixed in the 1st party documentation by creating annotations e.g. SNAPSHOT = Boot Environments if needed

You are right, but lets be honest here. Such users often even dont consider to lookup 3rd party documentation. How many times we can see some people dont even read 1st party documentation.

Regards,
S.

[Patrick M. Hausen]

You are right, but lets be honest here. Such users often even dont consider to lookup 3rd party documentation. How many times we can see some people dont even read 1st party documentation.

I am observing the opposite. People google e.g. "HAproxy something something" and only when they cannot match the stackoverflow thread to what they see in the UI do they come here.

Even for things that are really well documented, e.g. setting up a LAN bridge, the most common way is:

Google --> Youtube video --> Forum because the "content creator" forgot the tunables.


For any product I do not know the official documentation is my first stop. If that is hard to navigate or understand that disqualifies the product immediately in most cases. But I seem to be the exception.

[franco]

HAproxy is an odd example here. I understand your point, but it's there because Frank contributed it under community umbrella (tier 3). We can give some code quality pointers, but that's all we will do.


Cheers,
Franco

[Patrick M. Hausen]

Not arguing you should change anything for now :-)

[franco]

Not arguing that we shouldn't :)

Suggestions and opinions are good, but choices have to be made by us and others eventually. My favourite point is that WireGuard terminology isn't great either, so why should we get the stick end of that and live with overlapping terminology in our GUI which would also confuse users reading the vanilla docs (which the users don't need due to the GUI).

Cedrik is doing a great job filling docs weak spots at the moment, practically overseeing the repo now at his own request. Get your voice heard where it matters most.


Cheers,
Franco

[Seimus]

Cedrik is doing a great job filling docs weak spots at the moment, practically overseeing the repo now at his own request. Get your voice heard where it matters most.

Indeed Cedrik is doing great job on the docs, like VLANs & LAGGs and the whole routing section for FRR plugin, etc. Its much more easier to refer to a section on the Docs rather than explain everything from scratch.

So be became like an official Docs maintainer? ;) (Gratz!)

Regards,
S.