Gateways Overview¶
OPNsense Gateways¶
Both sites run OPNsense firewalls as their network gateways.
| Site | Gateway | Hardware | OPNsense | FreeBSD | ISP | IPv6 |
|---|---|---|---|---|---|---|
| Owl | 10.7.0.1 | DEC700 | 26.1_4 | 14.3-RELEASE-p7 | Metronet (static) | HE Tunnel |
| Blue | 10.15.0.1 | Protectli UP-2420 | - | - | Starlink (DHCP) | DHCPv6-PD |
Common Features¶
Both gateways share:
- ZeroTier VPN for site-to-site connectivity
- Unbound DNS with forwarding to PowerDNS for internal resolution
- DHCP server with dynamic DNS registration
- Git backup to private GitHub repositories
- SSH access via
joeuser (root login disabled)
Configuration Management¶
Ansible IaC (Primary)¶
Gateway configuration is managed via the Ansible opnsense role, which uses the OPNsense REST API and SSH:
| Gateway | IaC Status | Coverage | Notes |
|---|---|---|---|
| Owl | Deployed | ~78% | 18 subsystem tags, 24 bugs found and fixed |
| Blue | Planned | — | Needs inventory + Starlink-specific vars |
cd /Users/joe/src/scandora.net/cloud/ansible
./scripts/run-opnsense.sh owl # Full deployment
./scripts/run-opnsense.sh owl --tags dhcp,dns # Specific subsystems
See Ansible Roles for the full subsystem table and IaC Coverage Audit for what's managed vs. manual.
Git Backup Repositories¶
| Gateway | Repository |
|---|---|
| Owl | github.com/scandora/opnsense-owl.git |
| Blue | github.com/scandora/opnsense-blue.git |
Backup & Recovery Tooling¶
# Pull config.xml backup via SSH (daily cron, 90-day retention)
./scripts/backup/pull-config.sh owl
# Detect manual config changes outside Ansible
./scripts/backup/check-config-drift.sh owl
See Disaster Recovery for full recovery procedures.
Config File Location¶
Production configs are stored at: gateways/{site}/configs/config.xml
Development Workflow¶
- Provision dev VM from golden image:
terraform apply(~90s) - Create API key:
sudo ~/virsh-create-apikey.py(OPNsense auto-starts via libvirt) - Open SSH tunnels (IAP → GCE host → KVM guest LAN)
- Test Ansible changes:
./scripts/run-opnsense.sh opnsense-dev - Validate idempotency (run again, confirm only raw POST tasks change — expect 12 changed)
- Deploy to production:
./scripts/run-opnsense.sh owl - Tear down:
terraform destroy
See DEV-WORKFLOW.md for full setup guide.
Comparison¶
For a detailed comparison of Owl vs Blue configuration, see: Gateway Comparison
Key Differences¶
| Aspect | Owl (Iowa) | Blue (Colorado) |
|---|---|---|
| WAN IP | Static (46.110.77.34) | Dynamic (DHCP) |
| IPv6 | HE Tunnel (static prefix) | DHCPv6-PD (dynamic) |
| NIC Driver | igb (Intel) | igc (Intel, newer) |
| Ports | 3 (DEC700) | 4 (Protectli) |
| DHCP Static Maps | 28 devices | 12 devices |
| Theme | opnsense-dark | vicuna |
Access Methods¶
SSH Access¶
# Owl - via ZeroTier
ssh joe@192.168.194.10
# Owl - via IPv6 (HE tunnel)
ssh joe@owl.scandora.net
# Blue - via LAN (from Blue site)
ssh joe@10.15.0.1
# Blue - via ZeroTier
ssh joe@blue.zt.scandora.net
No Root SSH
Root SSH login is disabled on both gateways. Always use joe with passwordless sudo.
Web Interface¶
| Gateway | URL | Notes |
|---|---|---|
| Owl | https://10.7.0.1 | From Owl LAN |
| Owl | https://192.168.194.10 | Via ZeroTier |
| Blue | https://10.15.0.1 | From Blue LAN |
Common Commands¶
Configuration Management¶
# Pull config from gateway (FreeBSD)
ssh joe@192.168.194.10 "cat /conf/config.xml" > owl-config.xml
# Restart Unbound DNS
ssh joe@192.168.194.10 "sudo configctl unbound restart"
# Restart ZeroTier
ssh joe@192.168.194.10 "sudo configctl zerotier restart"
Service Status¶
# Check services
ssh joe@192.168.194.10 "sudo configctl service status"
# View ZeroTier logs
ssh joe@192.168.194.10 "clog -f /var/log/zerotier.log"
FreeBSD Commands
OPNsense runs FreeBSD. Command syntax differs from Linux (e.g., clog instead of journalctl, different find flags).