Recent posts

#1
Are you running your VP2440 with coreboot or AMI?  If coreboot, there is an open TSB for the 2.5GbE ports related to ASPM:

https://protectli.com/news/vp2440-coreboot-issue/
https://kb.protectli.com/wp-content/uploads/sites/9/2025/12/TSB-2025-001_-VP2440-ASPM-Network-Performance-Issue_v1_1_0.pdf

Not sure if this is the issue in your case, though.
#2
Hello
Long time lurker, first time poster.

New to OPNsense but used pfSense for years.  I am pulling my hair out and need some advice.

Long story kinda short, I had my pfSense (Netgate SG-2100) using a selective routing setup to Mullvad via WireGuard (VPN1) for my primary VLAN (VLAN10) and I also ran a Raspberry Pi on VLAN 50. VLAN 50 did not use VPN1 but connected using WireGuard client on the Debian running Raspberry Pi.
All worked fine and I could use my full bandwidth (I get ~400/10 from my ISP) to download files using a bittorrent client.

I migrated to an OPNsense (Protectli VP2440; running 26.1.1) and "moved the config over" (this may be a point of contention later but withhold judgment temporarily).  After some minor hiccups and new Rule changes that didn't adapt, I got everything running!  It is a beast and I love it!  Rock solid.... until... I fired up the Raspberry Pi.  Once I started downloading a file or two, and the bandwidth kicked up to over ~300Mbps, the whole WAN interface and both VPNs froze up.

I have attached an image of my setups as they progressed through my troubleshooting.  Original "known good" setup on pfSense/pre-migration to OPNsense: "Setup 1", "Setup 2" where I replaced the pfSense/Netgate with the OPNsense/Protectli, and "Setup 3" where I removed the managed switch from the equation.

I have tried many things on both the router and the bittorrent client (bandwidth shaping on router, MTU/MSS on both, bandwidth limits on bittorrent client; connection limits on bittorrent client) and once I started downloading any files that require the client to run for more than 2 minutes (e.g. 25GB+) it freezes the VPN2 connection.
Now, in Setup 2, all connections would lock up, in Setup 3, ONLY VPN2 locks up and the WAN and VPN1 stay connected.

I love troubleshooting so here are SOME of the steps I took. Stopping the download does not allow the VPN2 to self correct.  I started big and rebooted the router and all goes back to normal until I start a download again.
The ONLY step that seems to work short of a reboot is reloading the WAN DHCP interface in 'Interfaces: Overview' (or the newly found CLI 'configctl interface reconfigure wan' command).  I am not familiar enough with FreeBSD/OPNsense to know what all this command does so I'm not quite sure what it's doing that it fixes VPN2, but no other standalone command is able to fix it like this step.

A little more info: I have watched every log in the GUI and whichever ones I could set to "Debug" I did.  Nothing pops up OTHER than I seemed to notice a few more pf logs of "mismatched state" but wasn't sure if that was coincidence.  This hardware is overkill so my firewall states are not maxing out (maybe 2000 total at the time?), CPU remains around 10% usage and memory is about 10%, so I'm not hitting any max states or connections.  I removed the "virusprot" overload rules via "Disable rate limit rule" in "Firewall:Settings:Advanced".

Also, I watched my cable modem to see if any logs popped up there and nothing did. (which I wasn't sure they would in setup 3 because the WAN stayed active)

Now, to go back to my "moved the config over", I asked to withhold judgment because everything else works just like before. So I'm not sure what could be wrong with the config.

Any and all advice welcomed.  I'm truly mostly looking to help myself in maybe some info I don't have on what logs I may be able to watch as the issue is fairly easily reproducible.

(If more info is required, please let me know, I just didn't want to overload my initial post and hope this is enough for now.)
THANK YOU!
#3
German - Deutsch / Re: DHCP not running v.26.1
Last post by k0ns0l3 - Today at 01:39:49 AM
Quote from: Utopia on February 12, 2026, 02:09:42 PM
I had the same problem. After the update, DHCP no longer worked.
My Windows PCs no longer received IP addresses.
In the menu I then went to "Services", then to "DNSMask DNS&DHCP". On the "General" tab, under the "ISC / KEA DHCP (legacy)" menu, the option "Register ISC DHCP4 Leases" was not enabled. To me it looks as if this service was switched off with the new version. I ticked the box there again and clicked "Save". After that, my Windows PCs got their IP addresses automatically via DHCP again.
I'll keep watching this for a while, but apparently it seems to be working again.

Thanks for the tip

Best regards
#4
26.1 Series / Re: NAT Reflection / Hairpinni...
Last post by TheSHAD0W - Today at 01:29:12 AM
Wifi was broken in general for the 26.1 release. I'm surprised it was working for you. Try the latest update. You may need to delete and reinstall the wifi.
#5
26.1 Series / Re: DNAT auto firewall [Regist...
Last post by TheSHAD0W - Today at 12:48:34 AM
Note that a quick test using the "Register Rule" method on 26.1.2 was not successful; I'll dig further later...
#6
26.1 Series / Re: Wireguard Issues and Error
Last post by damian - Today at 12:20:34 AM
Apologies for the mistakes in my post - I've had a very long 3 weeks.

Corrections:
1. "I have set up and instance" = I have set up an instance
2. "Could someone point me to something the right direction please?" = Could someone point me in the right direction please?

Thank you
#7
26.1 Series / Re: zfs and sqlite
Last post by tessus - Today at 12:16:25 AM
As I feared this topic moved away from my original question. My question was not related to hostwatch and its i/o usage.

I don't want to sound ungrateful, but why is my question ignored or answered with something else I didn't ask? I am ok with answers like "I don't know", "never heard of such a thing", "check this ...", but unfortunately I just got unrelated answers.

But maybe my question was not specific enough, thus I'll try again:

What is the status of the ZFS issues related to sqlite in FreeBSD?
#8
26.1 Series / Wireguard Issues and Error
Last post by damian - February 12, 2026, 11:53:43 PM
Hi Everyone,

Please accept my apologies for asking a newbie question here - I'm sure you're up to your necks with far greater matters.

I'm trying to set up the following connection using OPNsense 26.1 installed on a VPS (with root access):
Wireguard (In) -> VLAN (Intermediary) -> LAN (Public IP)*

*Note: I only have the 3 interfaces with no WAN present

I've been through the OPNsense manual and followed every guide I could find online but nothing works.

The Wireguard instance doesn't accept connections at all - there's no Handshake. I have set up and instance, then Interfaces: Assignments, assigned Outbound NAT and Firewall rules, double, triple and quadruple-checked the instance, keys, and ports. Nothing.

I also get the following error using Firewall Rules:
There were error(s) loading the rules: /tmp/rules.debug:137: direction must be explicit with rules that specify routing - The line in question reads [137]: pass on wg0 route-to ( vlan01 10.6.5.0 ) inet from {(wg0:network)} to {(vlan01:network)} keep state ( no-sync  ) label "dd6671fc-4a3b-4e9e-bf4c-f9f624c74090" # WG0-VLAN

When I change the "state" condition I get the same error but for the state condition I selected i.e. synproxy, modulate, sloppy, no state. The error is the same regardless of selected state.

Could someone point me to something the right direction please? Thank you
#9
26.1 Series / NGINX proxy reverse for an IIS
Last post by bulmaro - February 12, 2026, 11:23:01 PM
Could someone please share the procedure for configuring NGINX as a reverse proxy for an IIS backend that uses Windows authentication (NTLM/Negotiate)? I've tried, but it keeps asking me for my username and password repeatedly.
#10
26.1 Series / ntopng plugin issue (26.1.2)
Last post by seelk - February 12, 2026, 10:54:03 PM
I'm currently stuck in an endless loop to change the password for ntopng after initially logging in with admin/admin.  I have reinstalled the plugin, including redis, to no avail.  I have restarted the plugins, disabled them, deleted cookies, followed instructions from https://www.ntop.org/guides/ntopng/faq.html#cannot-login-into-the-gui but no success.  Is anyone experiencing the same thing?  I'm running out of options.