Recent posts

#1
25.7, 25.10 Series / NetFlow + SIP strange problem
Last post by ou1 - Today at 10:28:36 PM
I'm experiencing a very strange issue on OPNSense Business 25.10.2, running on a DEC750. I believe this was a problem also on previous versions, but I only disabled NetFlow just before upgrading to 25.10.2.

If I disable NetFlow (clear all interfaces, disable Capture Local, reboot), I can no longer make outgoing calls from my SIP phone. Incoming calls work fine. It remains this way until I re-enable NetFlow. I don't even need to enable it on my VOIP interface, it just needs to be enabled.

Looking at captured traffic, the client is sending large INVITE packets which are being fragmented. This happens both with NetFlow enabled and disabled. The only difference is that when it doesn't work (when NetFlow is disabled), there is no response from the server. It seems that the server is either silently dropping the packets, or they are not being delivered.

With NetFlow enabled, I get responses 100 Trying, 183 Session Progress, 180 Ringing.
With Netflow disabled, I get no responses, then client re-sends the INVITE, over and over until the call fails.

I have no static NAT rules, just Hybrid Outbound NAT, no SIP-specific OPNSense configuration whatsoever. I don't see any dropped packets in the firewall logs.

Any insight into this would be very appreciated.
#2
Hardware and Performance / Re: [solved] Intel i226 Firmwa...
Last post by stef - Today at 10:25:00 PM
Quote from: BrandyWine on Today at 08:34:47 PM
There is a FreeBSD util in the Intel bundle, you need to dig it out of the I210 TGZ zip that's in the I210 folder.

\Release_30.6.zip\NVMUpdatePackage\I210\I210_NVMUpdatePackage_v2_00_Linux.tar.gz\I210_NVMUpdatePackage_v2_00_Linux.tar\I210\Linux_x64\

2nd, please post your nvm cfg file you are using with flash util.

3rd, with a hyper-v, do not flash from a vm, flash only from the host OS.

Thank you, I found it inside the i210 folder (the driver pack version is 31.0)
Will try again with OPNsense and that tool.

That's the nvm.cfg I've been using:

CURRENT FAMILY: 1.0.0
CONFIG VERSION: 1.20.0

; NIC device
BEGIN DEVICE
DEVICENAME: Intel(R) Ethenet Contolle I226-V
VENDOR: 8086
DEVICE: 125C
SUBVENDOR: 8086
SUBDEVICE: 0000
NVM IMAGE: FXVL_125C_V_1MB_2.32.bin
EEPID: 80000425
RESET TYPE: REBOOT
;REPLACES: 80000308
END DEVICE
I just noticed the typo (Controlle instead of Controller) in the DEVICENAME, could it be that?

I also tried with the 2MB (changing the EEPID with 422 at some point)

Yes, I haven't tried flashing it from a VM but only from the host (Proxmox), Windows (installed on an SSD) or a live OPNsense ISO.
#3
Quote from: meyergru on February 11, 2026, 11:16:30 PM
I have an Aquantia here, as well. Never worked right.

No problem here with the Realtek or Aquantia, although I am only using them with PCIe3 and as direct connections to each other, in Windows.
#4
German - Deutsch / Re: Questions about vnStat
Last post by Patrick M. Hausen - Today at 09:28:27 PM
Reporting - Netflow, or something like that (from memory).
#5
German - Deutsch / Re: Questions about vnStat
Last post by Zavinator - Today at 09:10:29 PM
Quote from: Patrick M. Hausen on Today at 03:54:17 PM
I'm quite happy with Netflow and Elastiflow. Netflow is a format from Cisco that lets a router (or a firewall) export connection data. It is built into OPNsense. To a limited extent you can also run the visualisation of the data directly on the OPNsense and then in the web UI, but I would advise against that. Netflow simply writes a hell of a lot. The collector (the part where the data ends up for analysis) generates a great deal of load and, depending on the hardware, may wear out your SSD.

In my opinion it is better to enable only the exporter (the part that generates the data) on the OPNsense and send the data to an external system such as Elastiflow.

Elastiflow is free for small installations. You have to renew the licence once a year, but it doesn't cost anything. They just want to know who is using the stuff. "Small" means up to 4000 flows (connections) per second. Not even a small hoster like us reaches that.

You need a Linux machine or VM with at least 16 GB RAM and ideally 4 cores for the software.

https://www.elastiflow.com

Thanks Patrick, I'll take a look at it. Where, or rather how, do I enable the exporter on OPNsense?

Best regards
Martin
#6
25.7, 25.10 Series / Re: Detections and blocking of...
Last post by BigFreddy - Today at 09:03:52 PM
Quote from: nero355 on February 10, 2026, 03:23:46 PM
There are plenty of options:

- ZenArmor
- Suricata
- Pi-Hole

The first two are full IDS/IPS solutions and the last one is a DNS Blocklist based system which you can combine with this : https://forum.opnsense.org/index.php?topic=9245.0

I would say install a VM for each and have a look around in their webGUI :)

I took a look at the link you provided, but the guide is broken as the images are not available anymore. So, to use Pi-Hole, I need to make additional changes within OPNSense, while with the first two solutions (Zenarmor and Suricata) I don't need to make many adjustments when it comes to DNS within OPNSense?
#7
26.1 Series / Re: zfs and sqlite
Last post by franco - Today at 08:58:28 PM
Yep, if you want the complaint gone just reinstall it from the packages tab.
#8
Just for reference there is already a competing PR open for that feature:

https://github.com/opnsense/core/pull/9401

You can read the general feedback in there and compare it to your approach.
#9
Hi all,

I've been working on adding Dynamic DNS (DDNS) support to the Kea DHCP plugin in OPNsense and would love to get feedback before submitting a pull request.

Why this feature?

I'm in the process of migrating from ISC DHCP to Kea DHCP, but one of the blockers for me (and I suspect others) is the lack of DDNS support — the ability to automatically register forward (A) and reverse (PTR) DNS records when leases are handed out. This was available in ISC DHCP via nsupdate and is something I rely on in my network. With ISC DHCP reaching end-of-life, having feature parity in Kea is important for a smooth migration.

What it does

  • Integrates the Kea DHCP-DDNS daemon (D2) with the existing Kea DHCPv4 plugin
  • TSIG key management (HMAC-SHA256, HMAC-SHA512, etc.) for authenticated DNS updates (RFC 2845)
  • DDNS domain profiles with configurable forward and reverse zones, DNS server addresses, and per-zone TSIG keys
  • Per-subnet DDNS configuration with automatic hostname prefix options:
      Network name — uses the OPNsense interface description (e.g. mylan.dyn.example.com)
      Interface name — uses the physical interface name (e.g. vlan0.021.dyn.example.com)
      Custom prefix — free-form input
      No prefix — hostnames placed directly under the zone
  • Reverse zone auto-computation from subnet CIDR, with manual override for non-standard delegations (e.g. 10.in-addr.arpa instead of per-/24 zones)
  • DHCID conflict resolution (RFC 4703) enabled by default

Future plans

IPv6 (DHCPv6) DDNS support with AAAA and ip6.arpa PTR records is planned as a follow-up.

Code and documentation


A note on the implementation: I'm proficient in Python but not so much in PHP, so I've used Claude Code to help write the PHP code. The implementation follows the existing OPNsense MVC patterns and has been tested on a production firewall with BIND9 as the DNS server, with both forward and reverse updates working correctly across multiple subnets with TSIG authentication. That said, an extra pair of eyes on the PHP would be very welcome.

I'd appreciate any feedback on the approach, the UI/UX, or the code itself before I open a PR against the main repos.

Thanks,
Brendan
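The "reverse zone auto-computation from subnet CIDR, with manual override" bullet above is the part of the design where a misconfiguration is silent: if no reverse-ddns domain in D2 matches a lease's PTR name, the PTR update is simply not sent. The following Python is an added example, not code from Brendan's plugin or from OPNsense; it derives the in-addr.arpa zone(s) a subnet needs (splitting along octet boundaries, honouring an override such as "10.in-addr.arpa"), checks a lease against the configured zones the way D2's longest-suffix match does, and emits the corresponding "reverse-ddns" and "tsig-keys" portions of a D2 configuration. The function names, the subnets, the key name "opnsense-ddns" and the DNS server address are assumptions; the JSON keys follow the Kea DHCP-DDNS configuration format.

```python
"""Reverse-zone derivation and Kea D2 "reverse-ddns" wiring.

Constructed example for the DDNS discussion above; it is not the OPNsense Kea
plugin's code.  Function names, the sample subnets, the key name
"opnsense-ddns" and the DNS server address are assumptions.
"""
import ipaddress
import json


def reverse_zones(cidr, override=""):
    """Return the in-addr.arpa zone name(s) that must exist for a subnet.

    Default: split the subnet along octet boundaries so every zone is a
    classful in-addr.arpa name (one /24 zone for a /24, sixteen /24 zones for
    a /20, one /16 zone for a /16).  A prefix longer than /24 is reported as
    its enclosing /24 (RFC 2317 classless delegations need an override).
    `override` replaces the computed list with a single zone, e.g.
    "10.in-addr.arpa" for a server that hosts the whole /8 instead of
    per-/24 zones.
    """
    if override:
        return [override.rstrip(".") + "."]
    # strict=True rejects a subnet definition with host bits set.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only; ip6.arpa handling is out of scope here")
    # Round the prefix up to the next octet boundary, clamped to /8../24.
    target = min(24, max(8, -(-net.prefixlen // 8) * 8))
    if net.prefixlen >= target:
        blocks = [net.supernet(new_prefix=target)]
    else:
        blocks = list(net.subnets(new_prefix=target))
    return [_zone_name(b) for b in blocks]


def _zone_name(block):
    """Classful reverse zone for an octet-aligned IPv4 network, with trailing dot."""
    labels = str(block.network_address).split(".")[: block.prefixlen // 8]
    return ".".join(reversed(labels)) + ".in-addr.arpa."


def matching_zone(ip, zones):
    """Longest-suffix match of a lease's PTR name against configured zones.

    This mirrors how D2 selects the reverse-ddns domain for an update; None
    means the PTR update would be dropped for lack of a matching zone.
    """
    ptr = ipaddress.ip_address(ip).reverse_pointer + "."
    hits = [z for z in zones if ptr == z or ptr.endswith("." + z)]
    return max(hits, key=len) if hits else None


def d2_reverse_config(cidrs, dns_server, key_name, override=""):
    """Build the reverse-ddns and tsig-keys parts of a D2 configuration."""
    zones = []
    for cidr in cidrs:
        for z in reverse_zones(cidr, override):
            if z not in zones:
                zones.append(z)
    return {
        "DhcpDdns": {
            "reverse-ddns": {
                "ddns-domains": [
                    {"name": z, "key-name": key_name,
                     "dns-servers": [{"ip-address": dns_server, "port": 53}]}
                    for z in zones
                ]
            },
            "tsig-keys": [{
                "name": key_name,
                "algorithm": "HMAC-SHA256",
                # Placeholder only; generate real key material with your DNS server's tooling.
                "secret": "<base64 key material goes here>",
            }],
        }
    }


if __name__ == "__main__":
    subnets = ["192.168.1.0/24", "10.20.16.0/20"]      # constructed sample subnets
    print(reverse_zones(subnets[0]))                  # one /24 zone
    print(len(reverse_zones(subnets[1])))             # sixteen /24 zones
    print(reverse_zones(subnets[1], override="10.in-addr.arpa"))
    print(matching_zone("10.20.17.5", ["10.in-addr.arpa.", "20.10.in-addr.arpa."]))
    print(json.dumps(d2_reverse_config(subnets, "192.168.1.53", "opnsense-ddns"), indent=2))
```

The split-at-octet default keeps every generated zone a name that a BIND9 server can actually host as a classful in-addr.arpa zone; the override path is what you reach for when the server holds one large zone (the "10.in-addr.arpa" case from the post) or an RFC 2317 delegated zone, and `matching_zone` is the check to run against a few lease addresses before trusting that reverse updates will flow.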
#10
25.7, 25.10 Series / Re: Midnight Commander missing
Last post by tam - Today at 08:48:57 PM
Thanks Franco. I was looking in the web interface /ui/core/firmware#package

pkg install mc
from ssh did the trick.