Owl vs Blue Gateway Configuration Comparison
Generated: 2026-02-05
Owl Config: gateways/owl/configs/config.xml
Blue Config: gateways/blue/configs/config.xml
Executive Summary
| Aspect | Owl (Iowa) | Blue (Colorado) |
|---|---|---|
| Hardware | DEC700 | Protectli UP-2420 |
| OPNsense | 26.1_4 | - |
| FreeBSD | 14.3-RELEASE-p7 | - |
| ISP | Metronet (Static IP) | Starlink (DHCP) |
| LAN Subnet | 10.7.0.0/16 | 10.15.0.0/16 |
| IPv6 | HE Tunnel (static) | DHCPv6-PD (Starlink) |
| NIC Driver | igb (Intel) | igc (Intel, newer) |
1. System Settings
| Setting | Owl | Blue |
|---|---|---|
| Hostname | owl | blue |
| Domain | scandora.net | blue.scandora.net |
| Theme | opnsense-dark | vicuna |
| DNS Search | owl.scandora.net, scandora.net | blue.scandora.net, scandora.net |
| NTP Servers | 0-3.us.pool.ntp.org | 0-3.opnsense.pool.ntp.org |
| Timezone | Etc/UTC | Etc/UTC |
| Thermal Sensor | amdtemp | amdtemp |
Sysctl Tunables
Owl-only tunables:
- dev.ax.0.iflib.override_nrxds/ntxds - Aquantia NIC ring descriptors
- dev.ax.1.iflib.override_nrxds/ntxds - Aquantia NIC ring descriptors
- dev.ax.0.rss_enabled / dev.ax.1.rss_enabled - RSS for Aquantia NICs
- vm.pmap.pti=0 - Meltdown mitigation disabled
- hw.ibrs_disable=1 - Spectre V2 mitigation disabled
- net.inet.icmp.drop_redirect=1 - Drop ICMP redirects
Note: Owl has additional Aquantia (ax) NIC tunables suggesting it may have 10GbE interfaces. Blue doesn't need these as the Protectli uses Intel igc NICs only.
2. Network Interfaces
Owl Interfaces
| Interface | Device | IP Address | Notes |
|---|---|---|---|
| WAN | igb1 | 46.110.77.34/26 | Static IP, Metronet |
| WAN IPv6 | igb1 | 2001:470:1f11:b8::2/64 | HE Tunnel |
| LAN | igb0 | 10.7.0.1/16 | |
| OPT1 | igb2 | - | Unused |
| ZEROTIER | zt6ldb571t4n4bn | - | ZeroTier overlay |
Blue Interfaces
| Interface | Device | IP Address | Notes |
|---|---|---|---|
| WAN | igc0 | DHCP | Starlink (dynamic) |
| WAN IPv6 | igc0 | DHCPv6-PD | Starlink /56 delegation |
| LAN | igc1 | 10.15.0.1/16 | track6 from WAN |
| OPT1 | igc2 | - | Enabled but unconfigured |
| OPT2 | igc3 | - | Enabled but unconfigured |
| ZEROTIER | zt6ldb571t4n4bn | - | ZeroTier overlay |
Key Differences
- WAN Addressing:
  - Owl: Static IPv4 (46.110.77.34) + Static HE IPv6 tunnel
  - Blue: DHCP IPv4 + DHCPv6-PD (Starlink provides /56 prefix)
- IPv6 Strategy:
  - Owl: Hurricane Electric tunnel broker (predictable addressing)
  - Blue: Native DHCPv6-PD from Starlink (addresses may change)
- Extra Ports:
  - Blue has 2 additional enabled ports (OPT1, OPT2) - Protectli UP-2420 has 4 ports vs DEC700's 3
3. Gateways
Owl Gateways
| Name | Type | Gateway IP | Default |
|---|---|---|---|
| WAN_GW | inet | 46.110.77.1 | Yes |
Blue Gateways
| Name | Type | Gateway IP | Default |
|---|---|---|---|
| WAN_GW | inet | (DHCP) | Yes |
| WAN_DHCP6 | inet6 | (DHCP) | Yes |
Note: Blue has explicit DHCP6 gateway; Owl's IPv6 is via HE tunnel configured differently.
4. Firewall Rules
Both gateways use consolidated dual-stack rules (IPv4+IPv6 combined):
WAN Inbound Rules (Both)
| Rule | Protocol | Port | Source | Description |
|---|---|---|---|---|
| 1 | ICMP | - | any | Allow ICMP inbound |
| 2 | TCP | 22 | GeoIP_US (Owl) / any (Blue) | Allow SSH inbound |
| 3 | UDP | 9993 | any | Allow ZT inbound |
Rule Consolidation
Previously there were 6 separate WAN rules (3 IPv4 + 3 IPv6). These have been consolidated into 3 dual-stack rules using OPNsense's "IPv4+IPv6" option, reducing complexity while maintaining the same functionality.
Owl SSH Security Features
Owl's SSH rule includes additional protections:
- GeoIP filtering: Only US-based IPs
- Rate limiting: 15 connections per 60 seconds max
- sshlockout table: Automatic IP blocking
- State limits: 100 max states, 50 source nodes
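As an added illustration (not the rule text OPNsense actually generates from Owl's config.xml, which this page does not reproduce), the four protections above map onto a single pf.conf `pass` rule; the interface (igb1) and table names (GeoIP_US, sshlockout) are taken from the tables in this document, and the exact OPNsense rendering is an assumption.

```pf
# Added example: pf.conf equivalent of the Owl WAN SSH rule (approximation, not copied from the gateway)
table <GeoIP_US> persist      # filled by the OPNsense GeoIP alias with US address ranges
table <sshlockout> persist    # sources that tripped the rate limit land here (see 'overload' below);
                              # entries stay until expired, e.g. 'pfctl -t sshlockout -T expire 3600'

# 'quick' means first match wins, so the lockout check must come before the pass rule.
block in quick on igb1 proto tcp from <sshlockout> to (igb1) port 22

# Allow SSH on the WAN interface only from US sources, with state-table protections:
#   max 100                   - at most 100 concurrent states created by this rule
#   max-src-nodes 50          - at most 50 distinct source addresses tracked at once
#   max-src-conn-rate 15/60   - a source opening more than 15 connections in 60 seconds ...
#   overload <sshlockout>     - ... is added to <sshlockout>
#   flush global              - ... and all of its existing states (any rule) are killed
pass in quick on igb1 inet proto tcp from <GeoIP_US> to (igb1) port 22 \
    flags S/SA keep state (max 100, source-track rule, max-src-nodes 50, \
    max-src-conn-rate 15/60, overload <sshlockout> flush global)

# Tighter variant matching the recommendation later on this page: replace <GeoIP_US> with a
# table of known administrator addresses, or drop the WAN rule and reach SSH over ZeroTier only.
```

`pfctl -t sshlockout -T show` lists the addresses currently blocked, which is the first thing to check when a legitimate admin is locked out.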
LAN Rules
- Default allow LAN to any (IPv4+IPv6, all protocols)
- ZeroTier interface rules for cross-site access
Blue-Specific Rules
- Allow ZT to LAN: Explicit rule for cross-site access (IPv4+IPv6)
5. DHCP Configuration
| Setting | Owl | Blue |
|---|---|---|
| Enabled | Yes | Yes |
| Domain | owl.scandora.net | (not set explicitly) |
| Search List | owl.scandora.net; scandora.net | blue.scandora.net; scandora.net |
| DHCP Range | 10.7.254.10 - 10.7.254.254 | 10.15.254.10 - 10.15.254.254 |
| Static Maps | 28 devices | 12 devices |
| Default Lease | (default) | 7200 sec |
| Max Lease | (default) | 14400 sec |
Notable Static Mappings
Owl (28 devices):
- TP-Link switches (SG108PE, SG105PE)
- TP-Link EAP610 access points (×2)
- Various other network equipment
Blue (12 devices):
- Netgear switches (GS308EPP, GS308E)
- TP-Link EAP110 (outdoor WAP)
- Netgear WAX610, WAX214 access points
6. DNS (Unbound)
| Setting | Owl | Blue |
|---|---|---|
| Enabled | Yes | Yes |
| Port | 53 | 53 |
| DNSSEC | Disabled | Disabled |
| Register DHCP | Yes | Yes |
| Register Static | Yes | Yes |
| TXT Support | Yes | Yes |
| Stats | Enabled | Disabled |
| Hide Identity | No | (default) |
| Hide Version | No | (default) |
Note: Both have similar Unbound configs. Owl has stats enabled for monitoring.
7. Installed Plugins
| Plugin | Owl | Blue | Purpose |
|---|---|---|---|
| os-ddclient | ✅ | ❌ | Dynamic DNS client |
| os-git-backup | ✅ | ✅ | Git-based config backup |
| os-theme-advanced | ✅ | ✅ | Theme |
| os-theme-cicada | ✅ | ✅ | Theme |
| os-theme-rebellion | ✅ | ✅ | Theme |
| os-theme-tukan | ✅ | ✅ | Theme |
| os-theme-vicuna | ✅ | ✅ | Theme |
| os-zerotier | ✅ | ✅ | ZeroTier VPN |
Key Difference: Owl has os-ddclient for dynamic DNS - likely not needed since Owl has static IP, but may be used for other DNS records.
8. ZeroTier Configuration
| Setting | Owl | Blue |
|---|---|---|
| Enabled | Yes | Yes |
| Network ID | 6ab565387a4b9177 | 6ab565387a4b9177 |
| Interface | zt6ldb571t4n4bn | zt6ldb571t4n4bn |
| Description | (none) | scandora.net |
Both gateways are on the same ZeroTier network (192.168.194.0/24), enabling site-to-site connectivity.
9. Backup Configuration
| Setting | Owl | Blue |
|---|---|---|
| Git Backup | Enabled | Enabled |
| Repo URL | ssh://github.com/scandora/opnsense-owl.git | ssh://github.com/scandora/opnsense-blue.git |
| Branch | main | main |
| GDrive Backup | Enabled | Not configured |
| Backup Count | 3 | 5 |
Note: Owl has Google Drive backup in addition to Git. Blue only has Git backup.
10. SSH & User Configuration
Users (Both)
| User | UID | Shell | Notes |
|---|---|---|---|
| root | 0 | (default) | System administrator |
| joe | 2000 | /bin/sh (Owl) / /bin/tcsh (Blue) | Admin user |
SSH Keys
- Owl root: No authorized keys
- Owl joe: Multiple keys (saturn, triton, pluto)
- Blue root: Luna key configured (but root login may be disabled at SSH level)
- Blue joe: Luna key configured
SSH Settings (Both)
- SSH enabled
- Group: admins
- No auto-start (noauto=1)
Note: Both gateways have SSH enabled on the admins group. Root SSH login appears to be disabled on Blue at the service level (not in XML config), which is why ssh joe@10.15.0.1 works but ssh root@10.15.0.1 fails.
11. Recommendations
For Blue Gateway
- Consider GDrive Backup - Owl has redundant backup to Google Drive. Consider adding this to Blue for disaster recovery.
- Review OPT1/OPT2 Ports - Blue has two extra enabled but unconfigured ports. Either disable them or assign them specific roles.
- Enable Unbound Stats - Owl has DNS stats enabled which helps with troubleshooting.
- Document Static IPs - With only 12 DHCP static mappings vs Owl's 28, ensure all critical devices are mapped.
For Both Gateways
- Standardize User Shells - joe uses /bin/sh on Owl and /bin/tcsh on Blue. Consider standardizing.
- DNSSEC - Both have DNSSEC disabled. Consider enabling if upstream resolvers support it.
- Review SSH Exposure - Both allow SSH from any source on WAN. Consider restricting to known IPs or ZeroTier only.
Appendix: Quick Reference
Owl Access
```sh
ssh joe@owl.scandora.net        # Via public IP
ssh joe@owl.zt.scandora.net     # Via ZeroTier
ssh joe@192.168.194.xxx         # Via ZeroTier IP
```
Blue Access
```sh
ssh joe@10.15.0.1               # Via ZeroTier (LAN IP)
ssh joe@blue.zt.scandora.net    # Via ZeroTier DNS
# Note: root SSH login is disabled on Blue
```
ZeroTier Network
- Network ID: 6ab565387a4b9177
- Subnet: 192.168.194.0/24