Recent posts

#1
German - Deutsch / Re: Questions about vnStat
Last post by Patrick M. Hausen - Today at 09:28:27 PM
Reporting - Netflow or something like that (from memory).
#2
German - Deutsch / Re: Questions about vnStat
Last post by Zavinator - Today at 09:10:29 PM
Quote from: Patrick M. Hausen on Today at 03:54:17 PM
I am quite happy with Netflow and Elastiflow. Netflow is a format from Cisco with which a router (or a firewall) can export connection data. It is built into OPNsense. To a limited extent you can also run the visualization of the data directly on the OPNsense, in the web UI, but I would advise against that. Netflow simply writes a hell of a lot. With the collector (that is the part where the data ends up for analysis) you generate an extreme amount of load and may wear out your SSD, depending on the hardware.

In my opinion it is better to enable only the exporter (the part that generates the data) on the OPNsense and send the data to an external system such as Elastiflow.

Elastiflow is free for small installations. You have to renew the license once a year, but it costs nothing. They just want to know who is using the stuff. "Small" means up to 4000 flows (connections) per second. Not even a small hoster like us reaches that.

You need a Linux machine or VM with at least 16 GB RAM and ideally 4 cores for the software.

https://www.elastiflow.com

Thanks Patrick, I will take a look at it. Where and how do I enable the exporter on the OPNsense?

Best regards, Martin
#3
25.7, 25.10 Series / Re: Detections and blocking of...
Last post by BigFreddy - Today at 09:03:52 PM
Quote from: nero355 on February 10, 2026, 03:23:46 PM
There are plenty of options:

- ZenArmor
- Suricata
- Pi-Hole

The first two are full IDS/IPS solutions and the last one is a DNS Blocklist based system which you can combine with this: https://forum.opnsense.org/index.php?topic=9245.0

I would say install a VM for each and have a look around in their webGUI :)

I took a look at the link you provided but the guide is broken as the images are not available anymore. So, to use Pi-Hole, I need to make additional changes within OPNsense, while with the first two solutions (Zenarmor and Suricata) I don't need to make many adjustments when it comes to DNS within OPNsense?
#4
26.1 Series / Re: zfs and sqlite
Last post by franco - Today at 08:58:28 PM
Yep, if you want the complaint gone just reinstall it from the packages tab.
#5
Just for reference there is already a competing PR open for that feature:

https://github.com/opnsense/core/pull/9401

You can read the general feedback in there and compare it to your approach.
#6
Hi all,

I've been working on adding Dynamic DNS (DDNS) support to the Kea DHCP plugin in OPNsense and would love to get feedback before submitting a pull request.

Why this feature?

I'm in the process of migrating from ISC DHCP to Kea DHCP, but one of the blockers for me (and I suspect others) is the lack of DDNS support — the ability to automatically register forward (A) and reverse (PTR) DNS records when leases are handed out. This was available in ISC DHCP via nsupdate and is something I rely on in my network. With ISC DHCP reaching end-of-life, having feature parity in Kea is important for a smooth migration.

What it does

  • Integrates the Kea DHCP-DDNS daemon (D2) with the existing Kea DHCPv4 plugin
  • TSIG key management (HMAC-SHA256, HMAC-SHA512, etc.) for authenticated DNS updates (RFC 2845)
  • DDNS domain profiles with configurable forward and reverse zones, DNS server addresses, and per-zone TSIG keys
  • Per-subnet DDNS configuration with automatic hostname prefix options:
      Network name — uses the OPNsense interface description (e.g. mylan.dyn.example.com)
      Interface name — uses the physical interface name (e.g. vlan0.021.dyn.example.com)
      Custom prefix — free-form input
      No prefix — hostnames placed directly under the zone
  • Reverse zone auto-computation from subnet CIDR, with manual override for non-standard delegations (e.g. 10.in-addr.arpa instead of per-/24 zones)
  • DHCID conflict resolution (RFC 4703) enabled by default

Future plans

IPv6 (DHCPv6) DDNS support with AAAA and ip6.arpa PTR records is planned as a follow-up.

Code and documentation


A note on the implementation: I'm proficient in Python but not so much in PHP, so I've used Claude Code to help write the PHP code. The implementation follows the existing OPNsense MVC patterns and has been tested on a production firewall with BIND9 as the DNS server, with both forward and reverse updates working correctly across multiple subnets with TSIG authentication. That said, an extra pair of eyes on the PHP would be very welcome.

I'd appreciate any feedback on the approach, the UI/UX, or the code itself before I open a PR against the main repos.

Thanks,
Brendan
#7
25.7, 25.10 Series / Re: Midnight Commander missing
Last post by tam - Today at 08:48:57 PM
Thanks Franco. I was looking in the webinterface /ui/core/firmware#package

pkg install mc
from ssh did the trick.
 
#8
There is a FreeBSD util in the Intel bundle, you need to dig it out of the I210 TGZ zip that's in the I210 folder.

\Release_30.6.zip\NVMUpdatePackage\I210\I210_NVMUpdatePackage_v2_00_Linux.tar.gz\I210_NVMUpdatePackage_v2_00_Linux.tar\I210\Linux_x64\

2nd, please post your nvm cfg file you are using with flash util.

3rd, with a hyper-v, do not flash from a vm, flash only from the host OS.
#9
26.1 Series / Re: zfs and sqlite
Last post by OPNenthu - Today at 08:15:28 PM
I upgraded to 26.1.2 now and then ran a health check.  Saw this message:

Quote
>>> Check for core packages consistency
Core package "opnsense" at 26.1.2 has 67 dependencies to check.
Checking packages: .............
hostwatch-1.0.12 repository mismatch: unknown-repository
Checking packages: ....................................................... done
***DONE***

Maybe it's related to the manual patch I had done above.  Do I just ignore it?

Thanks!
#10
General Discussion / Re: upgrade from 21.7.8 failed
Last post by franco - Today at 08:14:35 PM
Hi Thierry,

21.x is so old it's difficult to give proper instructions on recovery with historic tools that likely don't support this or that magic we've added over the years.

This may help... there's still a lot of stuck old binary packages while you are on a newer base system:

# pkg bootstrap -f


Cheers,
Franco