Messages - SkeelKat

#1
Hi Everyone.

Running the latest OPNsense 25.1.3-amd64 FreeBSD 14.2-RELEASE-p2 OpenSSL 3.0.16

I am trying to set a few devices in the LAN network to operate at Priority Network Control (7).

The Rule

When looking at the packets in Live View, the ToS is still set to 0x0, which is the default behavior.

Does anyone know why the ToS is not applied although it is set to Network (7)?
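One way to check what a capture actually carries, added here as an example and not code from OPNsense or from the post: decode the IPv4 ToS byte into its precedence, DSCP and ECN fields, and compare it with the byte a "Network Control (7)" marking would produce. The packet headers below are constructed for the check, not captured from the poster's network.

```python
"""Decode the IPv4 ToS/DSCP byte from raw packet bytes and compare it
with the marking a priority rule is expected to write.

Added example; not OPNsense code. Header bytes are constructed.
"""
import struct

# IP precedence names (upper 3 bits of the ToS byte), RFC 791.
PRECEDENCE = {
    0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
    4: "Flash Override", 5: "Critical", 6: "Internetwork Control",
    7: "Network Control",
}


def decode_tos(tos):
    """Split one ToS byte into precedence (RFC 791), DSCP (RFC 2474) and ECN (RFC 3168)."""
    return {
        "tos": tos,
        "precedence": tos >> 5,
        "precedence_name": PRECEDENCE[tos >> 5],
        "dscp": tos >> 2,
        "ecn": tos & 0x3,
    }


def tos_for_precedence(prec):
    """ToS byte for IP precedence `prec`, i.e. the class selector CSx with ECN 0."""
    if not 0 <= prec <= 7:
        raise ValueError("precedence must be 0..7")
    return prec << 5


def tos_of_ipv4_packet(pkt):
    """Return the ToS byte (second header byte) of an IPv4 packet, or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return pkt[1]


def build_ipv4_header(tos, src, dst, proto=1):
    """Construct a minimal 20-byte IPv4 header (checksum left 0) as test input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst))


def check_marking(pkt, expected_prec):
    """True if the packet's ToS byte carries the expected IP precedence."""
    tos = tos_of_ipv4_packet(pkt)
    return tos is not None and (tos >> 5) == expected_prec


if __name__ == "__main__":
    # Expected marking for Network Control (7) is 0xE0; a default packet shows 0x00.
    for tos in (0x00, tos_for_precedence(7)):
        print(hex(tos), decode_tos(tos))
    unmarked = build_ipv4_header(0x00, (192, 168, 200, 220), (1, 1, 1, 1))
    print("marked as Network Control:", check_marking(unmarked, 7))
```

Feeding the first 20 bytes of each IPv4 packet from a capture into `check_marking` gives a quick yes/no on whether the rule's marking survived to the wire; a ToS of 0x0 where 0xE0 was expected means the marking was never written or was cleared before capture.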
#2
Hi Monviech

I disabled Auto HTTPS on the Caddy plugin, since I have a very intricate certificate setup in the ACME Client plugin that runs automations and pushes certificates to servers within the LAN etc. Thus, I simply set all the domains to use the certificates in the trust store of OPNsense that are generated by the ACME client.

There is no issue per se; I simply checked the logs (error) and came across this issue where there is "no certificate" for the WAN IP 10.10.19.2, which technically exists in the NAT network between my router and my public IP.

I don't like error messages in logs and thought I would reach out to see if anything can be done to correct the issue. But if it works.... don't _____ with it.
#3
Hi Everyone,

I recently switched from Nginx Reverse Proxy to Caddy on OPNsense.
Works really smart and everything seems to be working; however, I get this entry in my logs as an error:

"debug","ts":"2024-10-01T09:28:57Z","logger":"http.stdlib","msg":"http: TLS handshake error from 105.232.xxx.xxx:9078: no certificate available for '10.10.19.2'"}

This is in my home lab, so I have the Fiber Router NAT everything to the Firewall and obviously OPNsense then handles the tcp/80 tcp/433 within OPNsense.

So the connection looks like this:

<Public IP 197.188.xxx.xxx/32> to <OPNsense IP 10.10.19.2> to <LAN Network 192.168.200.0/24>

From my understanding, since 10.10.19.2 is not internet-routable it cannot get a certificate, but it should not worry about that; it should be looking at the public IP, but that does not seem to get resolved, or I cannot find any way to set it statically. I cannot bind it in custom confs since 197.188.xxx.xxx is not on the firewall anywhere?

Any ideas?
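A way to tell this log noise apart from handshake failures that matter, added here as an example and not code from the original posts, Caddy or OPNsense: parse Caddy's JSON log lines and classify each "no certificate available" error by the ServerName the client sent. A client that asks for an IP literal (as in the post, where the name is the WAN address 10.10.19.2) can never be served a hostname certificate, so those entries are expected; a real hostname in that position is worth a look. The log lines below are constructed in the shape of the poster's entry, with made-up source addresses and names.

```python
"""Classify Caddy TLS handshake errors by the name the client asked for.

Added example; not code from the posts, Caddy or OPNsense.
Sample log lines are constructed (addresses and names are made up).
"""
import ipaddress
import json
import re
from collections import Counter

# Caddy puts the ServerName it had no certificate for inside the message text.
NO_CERT = re.compile(r"no certificate available for '([^']*)'")
SOURCE = re.compile(r"TLS handshake error from ([^:]+|\[[^\]]+\]):\d+:")

SAMPLE_LOG = """\
{"level":"debug","ts":"2024-10-01T09:28:57Z","logger":"http.stdlib","msg":"http: TLS handshake error from 203.0.113.10:9078: no certificate available for '10.10.19.2'"}
{"level":"debug","ts":"2024-10-01T09:29:01Z","logger":"http.stdlib","msg":"http: TLS handshake error from 203.0.113.10:9081: no certificate available for '198.51.100.7'"}
{"level":"debug","ts":"2024-10-01T09:30:12Z","logger":"http.stdlib","msg":"http: TLS handshake error from 198.51.100.22:51200: no certificate available for 'app.example.test'"}
{"level":"info","ts":"2024-10-01T09:30:13Z","logger":"http.log.access","msg":"handled request"}
"""


def classify(line):
    """Return (kind, requested_name, source_ip) for one JSON log line, or None if not a no-cert error."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    msg = rec.get("msg", "")
    m = NO_CERT.search(msg)
    if not m:
        return None
    name = m.group(1)
    s = SOURCE.search(msg)
    src = s.group(1).strip("[]") if s else None
    try:
        ipaddress.ip_address(name)
        kind = "sni_is_ip"          # client asked for an IP literal: no hostname cert can match
    except ValueError:
        kind = "sni_is_hostname" if name else "no_sni"
    return kind, name, src


def summarize(log_text):
    """Count no-cert failures per kind and collect hostnames that deserve a real look."""
    kinds = Counter()
    hostnames = set()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, name, _src = hit
        kinds[kind] += 1
        if kind == "sni_is_hostname":
            hostnames.add(name)
    return kinds, sorted(hostnames)


if __name__ == "__main__":
    kinds, hosts = summarize(SAMPLE_LOG)
    print(dict(kinds))
    print("hostnames with no matching certificate:", hosts)
```

Run it over the plugin's log output; a high count of `sni_is_ip` from a handful of source addresses is the usual signature of scanners hitting the WAN address directly, while any `sni_is_hostname` entry points at a domain Caddy is receiving but has no certificate configured for.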




#4
Hi Bob,

created the allowed IPs with 0.0.0.0/0?
I did add this in the peer configuration; however, this pushes a route in OPNsense that forces all traffic from all clients in the LAN over WireGuard. I just need this for one client machine.

enabled NAT for WireGuard?
Outbound NAT rules were set up on both sides, yes. This is needed for my "Road Warriors" using another WG instance.




When doing a ping from a client in Site B and taking a packet capture, I can see the client 192.168.200.220 is sending the ICMP request to 10.2.2.2 to 10.2.2.1, and then 10.2.2.1 immediately replies unreachable. So the issue is somewhere in 10.2.2.1 not passing the traffic to the WAN on Site A.

#5
I have successfully created a Site-to-Site WireGuard VPN between two sites.

Site A
LAN: 172.16.1.0/24
WG: 10.2.2.1/24
Interface Assigned Manually and Allow IPV4* Rule Added


Site B
LAN: 192.168.200.0/24
WG: 10.2.2.2/24

Interface Assigned Manually and Allow IPV4* Rule Added
Added Gateway: 10.2.2.1/24

I can route flawlessly between A & B without any issues, but I have one host on Site B that must use the default WAN gateway of Site A to connect to the Internet (because of the public IP it needs to present outbound)

I created a rule to force the use of the gateway created on Site B to route over to 10.2.2.1 on Site A, but I cannot get Site A to forward that traffic via its WAN gateway. I just get Destination Host Unreachable.

How can I allow the traffic originating from the single host on Site B to pass to the gateway of Site A?

Any help would be appreciated.
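For the setup in this post and the follow-up about Allowed IPs, here is a small model of WireGuard's cryptokey routing, added as an example and not code from the posts, OPNsense or WireGuard. It applies the documented rule on both sides: on egress a packet is only encapsulated if some peer's Allowed IPs contain its destination (longest prefix wins), and on ingress a decrypted packet is dropped unless its source lies in the sending peer's Allowed IPs. The addresses are the ones from the post; the peer names, the Internet destination 203.0.113.5 and the two toggles are made up for illustration. The model says nothing about pf rules or outbound NAT on Site A's WAN, which are the next things to check once both cryptokey checks pass.

```python
"""Model WireGuard cryptokey routing for the Site A / Site B setup.

Added example; not code from the posts, OPNsense or WireGuard.
Peer names, the Internet destination and the toggles are constructed.
"""
import ipaddress


class WireGuardInterface:
    def __init__(self, name, peers):
        self.name = name
        # peer name -> list of Allowed IPs networks
        self.peers = {p: [ipaddress.ip_network(n) for n in nets]
                      for p, nets in peers.items()}

    def egress_peer(self, dst):
        """Peer that will encapsulate a packet for `dst`, or None (not tunnelled)."""
        dst = ipaddress.ip_address(dst)
        best = None
        for peer, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accept_ingress(self, peer, src):
        """True if a packet decrypted from `peer` with source `src` passes the source check."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.peers[peer])


def build_sites(site_a_allows_lan_b, site_b_has_default):
    """Two interfaces as in the post, with the two Allowed IPs choices under discussion."""
    site_a = WireGuardInterface("siteA-wg", {
        "siteB": ["10.2.2.2/32"] + (["192.168.200.0/24"] if site_a_allows_lan_b else []),
    })
    site_b = WireGuardInterface("siteB-wg", {
        "siteA": ["10.2.2.1/32", "172.16.1.0/24"] + (["0.0.0.0/0"] if site_b_has_default else []),
    })
    return site_a, site_b


def trace(site_a, site_b, src="192.168.200.220", dst="203.0.113.5"):
    """Follow one packet from the Site B host toward the Internet via Site A."""
    if site_b.egress_peer(dst) is None:
        return "site_b_not_tunnelled"       # no peer's Allowed IPs cover the destination
    if not site_a.accept_ingress("siteB", src):
        return "site_a_dropped_source"      # source not in Site A's Allowed IPs for this peer
    return "site_a_forwards_to_wan"         # cryptokey checks pass; pf/NAT on Site A decide next


if __name__ == "__main__":
    for a_allows, b_default in ((False, False), (False, True), (True, True)):
        a, b = build_sites(a_allows, b_default)
        print(f"SiteA allows LAN B={a_allows}, SiteB default via tunnel={b_default}: {trace(a, b)}")
```

The middle case is the one the follow-up post describes: with 0.0.0.0/0 on Site B the packet does leave over the tunnel, and whether Site A then forwards it depends on its own Allowed IPs for the Site B peer and on its firewall and NAT rules, not on Site B's policy routing rule.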




#6
23.7 Legacy Series / 23.7.7 - Set Priority on LAN Rules
November 06, 2023, 05:16:28 PM
I have a rule in my LAN interface for a device where I change the priority of all packets to Video and low delay (ACK packets), matching any packet type.

With the latest update any change to priority causes the rule to not pass? Anyone else have this issue?
#7
23.1 Legacy Series / Execute Command After Startup
April 14, 2023, 02:37:11 PM
Hi Guys,

I use a custom curl URL to notify me on my Telegram when my servers have completed startup. I am looking to do the same thing with OPNsense, but cannot figure out how to go about it.

The GUI CRON section has no support for a custom curl command, and adding the entry to /etc/crontab makes no difference.

On Debian and other Linux distros I use the @reboot directive of cron to achieve this.
#8
22.7 Legacy Series / Re: SSH Proxy / Jump Host
February 07, 2023, 12:42:40 PM
I did not take the decision lightly. But the connection on TCP/22 is controlled via GeoIP source only from my country, which is quite small and does not have a lot of people that know what SSH is.

Access to the firewall is done via a 4096-bit RSA key, and all machines behind it use their own 4096-bit RSA keys, with password auth disabled.

Confident that this setup is secure enough for my setup ;)
#9
22.7 Legacy Series / Re: SSH Proxy / Jump Host
February 06, 2023, 12:42:05 PM
Can be done via VPN yes.

However, I want to allow SSH access to Linux hosts behind the firewall without VPN, and restrict them in the firewall rules using the source directive in the rule.

I managed to get this going by simply allowing SSH to "This Firewall" in the WAN rule. Using an SSH key, I connect to the firewall and then connect to the Linux host on the LAN.
#10
22.7 Legacy Series / SSH Proxy / Jump Host
January 23, 2023, 01:22:40 PM
Has anyone ever attempted to use OPNsense as an SSH Proxy / Jumphost?

Currently I forward port 22 from my GEO Location to a Linux server on the network and then jump the SSH session from there to other hosts in the network. But if I have active SSH connections via this server and I bounce that server, all other connections are lost.

Would be great if OPNsense itself could be the Jumphost.
#11
22.7 Legacy Series / IPFW not listed in service
October 03, 2022, 01:50:28 PM
I recently installed a new firewall (v22.7) and manipulated the backup files from my old firewall onto the new firewall (completely different interfaces, lagg setup, etc.).

Everything is working, but I cannot get the ipfw shaper service to list in the services.
On the console, when running service ipfw status, I get "Cannot 'status' ipfw. Set firewall_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'."

I have completely removed the shaper and set it back up from scratch, but the service does not enable, list or start.

Any ideas where I can check now?
#12
There seems to be an issue with the latest version of the ACME client using DNS-01 Verification.

Anyone know how to fix this?

<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 98916 - [meta sequenceId="1"] [Tue Jul  5 10:41:20 CAT 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 15494 - [meta sequenceId="2"] [Tue Jul  5 10:41:20 CAT 2022] Single domain='*.anything.com.na'
<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 42590 - [meta sequenceId="3"] [Tue Jul  5 10:41:20 CAT 2022] Getting domain auth token for each domain
<14>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 5764 - [meta sequenceId="4"] [Tue Jul  5 10:41:23 CAT 2022] Getting webroot for domain='*.anything.com.na'
<14>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 52261 - [meta sequenceId="5"] [Tue Jul  5 10:41:23 CAT 2022] Adding txt value: 0Yfe1V7sfNU***********************hock71wr_GCqU for domain:  _acme-challenge.anything.com.na
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 57425 - [meta sequenceId="6"] [Tue Jul  5 10:41:23 CAT 2022] Error add txt for domain:_acme-challenge.anything.com.na
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 59624 - [meta sequenceId="7"] [Tue Jul  5 10:41:23 CAT 2022] Please add '--debug' or '--log' to check more details.
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 62170 - [meta sequenceId="8"] [Tue Jul  5 10:41:23 CAT 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
#13
Quote from: fabian on April 22, 2022, 08:39:39 PM
Maybe a bug in the configd template. Are there any log files which would indicate that?

It seems the issue is with the error pages, I have no idea how to fix this. Is there any way to completely purge the NGINX configuration and re-setup everything from scratch?
#14
This seems to be suspect. I have no clue what I am looking at but can see there are issues with nginx.conf and location.tmpl, so it seems you are on the right track with your thinking.

<11>1 2022-04-22T09:18:53+02:00 opnsense.badenhorst.com.na configd.py 448 - [meta sequenceId="45"] [1943752e-de03-4a5a-9c00-5ad11b7a976b] Inline action failed with OPNsense/Nginx OPNsense/Nginx/nginx.conf 'dict object' has no attribute 'statuscodes' at
Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/template.py", line 270, in _generate
    content = j2_page.render(cnf_data)
  File "/usr/local/lib/python3.8/site-packages/jinja2/environment.py", line 1304, in render
    self.environment.handle_exception()
  File "/usr/local/lib/python3.8/site-packages/jinja2/environment.py", line 925, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "/usr/local/opnsense/service/modules/../templates/OPNsense/Nginx/nginx.conf", line 21, in top-level template code
    {%   include "OPNsense/Nginx/http.conf" %}
  File "/usr/local/opnsense/service/modules/../templates/OPNsense/Nginx/http.conf", line 328, in top-level template code
    {%         include "OPNsense/Nginx/location.conf" ignore missing with context %}
  File "/usr/local/opnsense/service/modules/../templates/OPNsense/Nginx/location.conf", line 47, in top-level template code
    error_page {{ errorpage.statuscodes.replace(',', ' ') }} {% if errorpage.response is defined and errorpage.response != '' %}={{ errorpage.response }} {% endif %}{% if errorpage.redirect is defined and errorpage.redirect != '' %}{{ errorpage.redirect }}{% else %}/error_{{ errorpage_uuid.replace('-', '') }}.html{% endif %};
  File "/usr/local/lib/python3.8/site-packages/jinja2/environment.py", line 474, in getattr
    return getattr(obj, attribute)
jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'statuscodes'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/processhandler.py", line 506, in execute
    return ph_inline_actions.execute(self, inline_act_parameters)
  File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 51, in execute
    filenames = tmpl.generate(parameters)
  File "/usr/local/opnsense/service/modules/template.py", line 347, in generate
    raise render_exception
  File "/usr/local/opnsense/service/modules/template.py", line 338, in generate
    for filename in self._generate(template_name, create_directory):
  File "/usr/local/opnsense/service/modules/template.py", line 273, in _generate
    raise Exception("%s %s %s" % (module_name, template_filename, render_exception))
Exception: OPNsense/Nginx OPNsense/Nginx/nginx.conf 'dict object' has no attribute 'statuscodes'
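The traceback shows the template dereferencing `errorpage.statuscodes` for every error-page entry, so an entry without that key aborts the whole nginx.conf render and nothing gets written, which also explains why changes to upstreams never reach the file. As an added example (not OPNsense code), the following mimics in plain Python what that template line builds for each entry and runs a pre-flight check over the entries before rendering. The entry dictionary and its UUIDs are constructed; the required and optional keys are taken from the template line in the traceback.

```python
"""Pre-flight check for Nginx plugin error-page entries.

Added example; not OPNsense code. It mirrors the `error_page` line in
the location.conf template from the traceback and reports entries that
would make the render fail. The entries below are constructed.
"""
import re

SAMPLE_ERRORPAGES = {
    # constructed entries; keys follow the template: statuscodes required, response/redirect optional
    "11111111-2222-4333-8444-555555555555": {"statuscodes": "404,410", "response": "", "redirect": ""},
    "66666666-7777-4888-8999-aaaaaaaaaaaa": {"statuscodes": "500,502,503", "response": "200",
                                             "redirect": "/maintenance.html"},
    "bbbbbbbb-cccc-4ddd-8eee-ffffffffffff": {"response": ""},   # broken: no statuscodes at all
}


def render_error_page(uuid, page):
    """Build the nginx `error_page` directive the template produces for one entry."""
    if "statuscodes" not in page:
        # Same condition the Jinja render trips over ('dict object' has no attribute 'statuscodes')
        raise KeyError(f"errorpage {uuid}: 'statuscodes' missing")
    directive = "error_page " + page["statuscodes"].replace(",", " ")
    if page.get("response"):
        directive += " =" + page["response"]
    if page.get("redirect"):
        directive += " " + page["redirect"]
    else:
        directive += " /error_" + uuid.replace("-", "") + ".html"
    return directive + ";"


def validate_errorpages(pages):
    """Return (uuid, problem) pairs; an empty list means every entry renders."""
    problems = []
    for uuid, page in pages.items():
        if not isinstance(page, dict) or not page.get("statuscodes"):
            problems.append((uuid, "statuscodes missing or empty"))
            continue
        codes = [c.strip() for c in page["statuscodes"].split(",")]
        bad = [c for c in codes if not re.fullmatch(r"[1-5]\d\d", c)]
        if bad:
            problems.append((uuid, f"invalid status codes {bad}"))
    return problems


if __name__ == "__main__":
    for uuid, problem in validate_errorpages(SAMPLE_ERRORPAGES):
        print("would break the render:", uuid, problem)
    for uuid, page in SAMPLE_ERRORPAGES.items():
        if "statuscodes" in page:
            print(render_error_page(uuid, page))
```

Running the validator over the plugin's stored error-page entries singles out the one that the template cannot render; removing or completing that entry is what lets the whole configuration generate again, which is the recovery the later reply asks about.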
#15
I recently re-installed my OPNSense using OPNsense 22.1.6-amd64

Everything was working great up until 2 days ago. I am attempting to add another upstream server to be used via the reverse proxy. However, no matter what I do, the configuration does not change after clicking Apply. If I change the port of an already configured upstream server or simply add a new upstream server, the configuration remains completely unchanged.

After any change to upstreams / upstream servers is made, Services > Nginx > Traffic Statistic still shows the old upstream server and ports.

I have verified this by creating an MD5 hash of /usr/local/etc/nginx/nginx.conf, and absolutely no change happens upon making changes in the GUI.

OPNsense 22.1.6-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022

os-nginx (installed)   1.26