Recent posts

#1
General Discussion / Re: http_proxy for bogons-upda...
Last post by franco - Today at 04:56:39 PM
> Is there a(n easy) way to make fetch in the bogons-download use the http_proxy as well? Also without breaking other stuff?

Well:

# cat /var/cron/tabs/root | grep bogon
1   3   *   *   0   (/usr/local/sbin/configctl -d filter schedule bogons) > /dev/null

So that means when configd environment is set up correctly the bogons fetch should work. Unless the daemon call loses the env, but I haven't heard of this before:

src/opnsense/service/conf/actions.d/actions_filter.conf:[schedule.bogons]
src/opnsense/service/conf/actions.d/actions_filter.conf-command:daemon -f /usr/local/opnsense/scripts/firmware/launcher.sh -ur 900 bogons

> Is there other cronjobs/daemons/functions that I missed that may have the same problem when no Internet is available on the secondary firewall?

I'm not sure. That's not a usual setup and most people in stricter environments don't care too much about not having outside access for stray components since everything is configured to use local services.


Cheers,
Franco
#2
26.1 Series / Re: 26.1.1: Unbound: Option "q...
Last post by coffeecup25 - Today at 04:53:12 PM
Quote from: rolsch on February 10, 2026, 08:23:08 PM
I have deleted and saved the DNS entries in System: Settings: General.
Restarted the system and entered the DNS servers again in System: Settings: General.

But the DANGER message pop up in the two sections:

Services → Unbound DNS → Query Forwarding
Services → Unbound DNS → DNS over TLS

So what the heck is wrong...?????

I just applied 26.1.2 this morning. I also have Query Forwarding checked with a few servers listed on the system setup page. I made the change to System DNS over Unbound yesterday for reasons mentioned in a new post in the General Discussions section.

I did not reboot as everything seemed to work immediately.

No issues of any kind, then or now.

I do not use DNS over TLS and my other settings are almost out of the box simple. (2 subnets, KEA and all devices with DHCP reservations, Adguard Home).

Hopefully, this will help narrow things down in the detective work.
#3
Hardware and Performance / Re: DEC-850v1 with Netboard A2...
Last post by pfry - Today at 04:49:40 PM
Quote from: N0b0dy1985 on Today at 02:57:25 PM
[...]Do I need a jumper or something?[...]

Given that the quote is "PCIe x4", I assume both sockets are M-keyed... There are shared signals between PCI-e and SATA, but it may auto-detect. I may have even tested it unknowingly - I'd have to go look at my pile o'motherboards. They're signal anyway - it should not be possible to damage an M-keyed SSD by sticking it into an M or M+B slot. I'd definitely look at the link width and version via "pciconf -lbcevV [device]" (format could be wrong) (assuming it's detected).
#4
26.1 Series / Re: Divert mode "Write to ipfw...
Last post by franco - Today at 04:48:19 PM
> Invalid argument

This wasn't fixed by the recent change. It's also different from the initial "Permission denied".

> Will this fix allow the firewall to continue if suricata crashes/fails?

This isn't supported by FreeBSD at the moment as far as I know.


Cheers,
Franco
#5
26.1 Series / Re: 26.1.1: Unbound: Option "q...
Last post by franco - Today at 04:46:17 PM
Are you using any browser extensions? And is the health audit clean?
#6
26.1 Series / Re: Clean upgrade from 25.1.7 ...
Last post by franco - Today at 04:32:59 PM
> My question is: would you advise against doing a clean 26.1.1 install and restoring the config? If so, what are the main risks, and what alternative approach would you recommend?

There are no real pros and cons except maybe the time you spend doing this. You'll lose historic logs, but normally that's not a big deal either.

The most pressing reasons for a reinstall are change of file system (to ZFS) or a damaged install beyond repair or switching the disk.


Cheers,
Franco
#7
26.1 Series / Re: [SOLVED] 26.1.1 to 26.1.2 ...
Last post by seelk - Today at 04:18:19 PM
Marking this as solved.  Ultimately what ended up working was the following:

pkg upgrade -fy (download and overwrite every single package)
opnsense-update -fk (ensure the Kernel is also explicitly rewritten)
reboot
#8
German - Deutsch / Re: VPN Wireguard Peer Generat...
Last post by osmom - Today at 04:17:36 PM
Save everything shown under Config to a text file before you press "store and generate next". Then you can enter the configuration in your client and under Peers in the firewall. You only need the private key in the client; in the firewall's Peers you only need the public key.
Finally, you have to assign the peer to the instance.
#9
Make sure to create the mandatory FreeBSD GPT partition structure and use partitions of type freebsd-zfs. Also you will need to copy the boot loader to the new drives. Simply replacing one part of the mirror with an entire raw disk, and then the second part, will lead to an unbootable system.

Easiest way but with more downtime:

- create a configuration export/backup
- shutdown system, change both SSDs
- boot from USB and perform a fresh installation
- if you pick both SSDs in the installer it will create a mirrored setup automatically
- perform config restore

Done.
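For anyone who wants the manual route described in the first paragraph of #9 rather than the reinstall, here is an added example (not from the post or from the OPNsense project) that emits the FreeBSD command sequence for swapping one member of the root mirror while keeping the GPT layout, the freebsd-zfs partition type and the boot loader. It is a dry-run generator: nothing is executed unless you pipe the output into sh. Assumptions not stated in the post: the pool is called zroot, disks are passed as whole devices (ada0, ada1), the new disk is empty, and you look up the EFI, freebsd-boot and freebsd-zfs partition indexes with "gpart show -p" first (0 disables the EFI or BIOS step).

```sh
#!/bin/sh
# Added example: plan the replacement of one root-mirror member on OPNsense/FreeBSD.
# Assumed layout/pool name (check with "gpart show -p" and "zpool status" first);
# nothing here is run until the plan is piped into sh.
set -u

# mirror_replace_plan OLD NEW ZFS_IDX EFI_IDX BOOT_IDX POOL
# Prints one command per line. EFI_IDX/BOOT_IDX of 0 skip that loader step.
mirror_replace_plan() {
    old=$1 new=$2 zfs_idx=$3 efi_idx=$4 boot_idx=$5 pool=$6
    if [ "$old" = "$new" ]; then
        echo "error: old and new disk are the same ($old)" >&2
        return 1
    fi
    for d in "$old" "$new"; do
        case "$d" in
            *p[0-9]*) echo "error: $d looks like a partition; pass the whole disk" >&2; return 1 ;;
        esac
    done
    # 1. Clone the GPT table onto the new disk: same partition types (freebsd-zfs
    #    included) and offsets, instead of handing zpool a raw disk.
    echo "gpart backup $old | gpart restore -F $new"
    # 2. Boot loader: copy the EFI system partition verbatim (UEFI) and/or write
    #    the protective MBR + gptzfsboot into the freebsd-boot partition (BIOS).
    if [ "$efi_idx" -gt 0 ]; then
        echo "dd if=/dev/${old}p${efi_idx} of=/dev/${new}p${efi_idx} bs=1m"
    fi
    if [ "$boot_idx" -gt 0 ]; then
        echo "gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i $boot_idx $new"
    fi
    # 3. Swap the mirror member at partition level, never the whole disk.
    echo "zpool replace $pool ${old}p${zfs_idx} ${new}p${zfs_idx}"
    # 4. Resilver has to finish before the second member is touched.
    echo "zpool status $pool"
}

# Execute a plan line by line, stopping at the first failure.
run_plan() {
    mirror_replace_plan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Review the plan first, e.g. for an installer-default layout
# (p1 efi, p2 freebsd-boot, p3 swap, p4 freebsd-zfs):
#   mirror_replace_plan ada0 ada1 4 1 2 zroot
# then run it with:  run_plan ada0 ada1 4 1 2 zroot
```

Because gpart backup/restore reproduces the old partition sizes, a larger disk only gets used after both members are replaced and you run "gpart resize -i <zfs index> <disk>" plus "zpool online -e zroot <partition>". If the old disk has already been pulled, replace it by the vdev GUID from "zpool status -g" instead of the adaXpY name.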
#10
26.1 Series / Re: 26.1.1 to 26.1.2 upgrade i...
Last post by seelk - Today at 03:58:54 PM
Quote from: newsense on Today at 03:39:49 PM
What happens if you check for updates again?

What is the output for "opnsense-update -g"

While troubleshooting, Gemini recommended I run "opnsense-update -fb", which I did.  It went through the update process.  However, I'm still having issues with the same services not starting.  Gemini recommended the following:

pkg update -f
pkg install -f ldns (this fixed the SSH issue)
pkg install -f crowdsec ntopng

CrowdSec appears to be fixed but Host discovery service and ntopng fail to start.  Running a Health audit still shows checksum mismatches for many files.
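The fix in #7 (pkg upgrade -fy, opnsense-update -fk) and the checksum mismatches in #10 both point at the same remediation: find out which installed packages fail verification and force-reinstall those. Here is an added example (not from either post or from OPNsense) that turns "pkg check -sa" output into a targeted "pkg install -fy" for just the affected packages, so you do not have to rewrite every package blind. The line format it parses, "name-version: checksum mismatch for /path", is what pkg(8) prints from memory; the sample output below is constructed, not captured from the poster's box. The kernel and base set are not packages, so a mismatch there still needs opnsense-update -fk / -fb as in the posts above.

```sh
#!/bin/sh
# Added example: targeted reinstall of packages that fail "pkg check -s".
# Assumed pkg(8) output format: "name-version: checksum mismatch for /path"
# (verify once on your system before relying on it).

# Read pkg check output on stdin, print distinct package names (version stripped).
mismatched_pkgs() {
    sed -n 's/^\([^:]*\): checksum mismatch for .*/\1/p' |
        sed 's/-[^-]*$//' |     # pkg versions follow the last hyphen
        sort -u
}

# Read pkg check output on stdin, print the reinstall command (nothing if clean).
reinstall_cmd() {
    pkgs=$(mismatched_pkgs | tr '\n' ' ')
    pkgs=${pkgs% }
    if [ -n "$pkgs" ]; then
        echo "pkg install -fy $pkgs"
    fi
    return 0
}

# Constructed sample of what "pkg check -sa 2>&1" might print after a bad upgrade.
SAMPLE='Checking all packages: 100%
crowdsec-1.6.4: checksum mismatch for /usr/local/bin/crowdsec
ldns-1.8.3: checksum mismatch for /usr/local/lib/libldns.so.3
ldns-1.8.3: checksum mismatch for /usr/local/bin/drill
ntopng-6.2_1: checksum mismatch for /usr/local/bin/ntopng'

# Dry run on the sample:
#   printf '%s\n' "$SAMPLE" | reinstall_cmd
# Live use on the firewall (repo access required), then re-run the health audit:
#   pkg check -sa 2>&1 | reinstall_cmd | sh
```

Pipe the generated command into sh only after reading it; if the list covers most of the system, "pkg upgrade -fy" as in #7 is the simpler choice, and an empty result with the audit still complaining means the mismatch is in the base set or kernel rather than in a package.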