Messages - spetrillo

#1
25.1, 25.4 Series / Re: Unbound to DNSMasq
November 14, 2025, 04:12:07 PM
Ok, that makes sense... so you leave it blank under System/Settings/General, correct?

Lastly I use Unbound for DHCP related configurations. Is there a document that describes exactly how to use Unbound as recursive only? I am trying to make the move to DNSmasq for DHCP and as a non-recursive DNS provider that will talk to Unbound only.
#2
25.1, 25.4 Series / Re: Unbound to DNSMasq
November 14, 2025, 01:52:44 AM
Quote from: Patrick M. Hausen on November 13, 2025, 09:21:14 PM
All client/host systems need a recursive DNS server at one point in the chain to resolve names to IP addresses. You can use your ISP's, 1.1.1.1/8.8.8.8/etc. or simply run your own.

IMHO the last option is the most privacy conservative available even without encryption.

So I have configured Quad9 as my DNS under System/Settings/General. They are recursive, correct?

If that is the case, then why do I need a local recursive DNS? Is Unbound set up to be recursive out of the box?
#3
25.1, 25.4 Series / Re: Unbound to DNSMasq
November 13, 2025, 09:15:20 PM
Since I started this I will ask another question... is there a guide to go from Unbound to DNSmasq? And why would I need a recursive DNS?
#4
Proxmox 9/Debian 13.
#5
Hardware and Performance / Initial Intel E610 Impressions
November 08, 2025, 10:11:11 PM
Hello all,

I am in the middle of building a Proxmox 9 server, with an Intel E610 10 gig card. I have an existing OPNsense server running with an Intel X550 10 gig card and I could roast hot dogs on the heat sink. It is blistering hot... so hot that I left the cover off the PC. I may have to retrofit the cover to install a fan! As of right now the E610 is slightly hot to the touch but nowhere near as hot as the X550. If you feel the need to get a cooler 10 gig card, these can be had for about $300. As of right now OPNsense/FreeBSD do not support the E610 out of the box. Proxmox 9 does, and that's why I figured I could start putting the card through its paces.

Thanks,
Steve
#6
25.7, 25.10 Series / Re: LAN -> WireGuard -> WAN
November 08, 2025, 04:46:21 PM
How do you have WG configured on the client side? I thought you had to tell it that no IPs are local IPs, so it just routes via OPNsense to the WAN.
#7
25.7, 25.10 Series / Configuration of the LAN Interface
November 08, 2025, 04:44:50 PM
Hello all,

For all my OPNsense deployments I used VLAN 1 as the LAN interface. In VLAN 1 I used to put all my network mgmt connections, so if my firewall was breached, the hacker would have access to my network mgmt ports. Not good in my opinion. What I would like to do is configure OPNsense so that the LAN interface is set to a static IP, but the subnet is /32. I will move my network mgmt connections to VLAN 2, and so on from there.

If this works, should I set up static routes to the rest of the subnets being used, or just let OPNsense handle it via layer 2? In my mind it should work, but then I have never done it and wanted to check with the community.

Thanks,
Steve
#8
25.7, 25.10 Series / Monit and Suricata
November 04, 2025, 07:42:48 PM
Hello all,

Once upon a time I was able to use Monit to monitor and report on Suricata block events. With the update to 25.1 this seems to no longer work. Does someone have Monit doing this now? I would like to get that monitor back in place.

Thanks,
Steve
#9
25.7, 25.10 Series / Re: What Version of FreeBSD
November 03, 2025, 02:50:18 PM
Thank you for that!
#10
25.7, 25.10 Series / What Version of FreeBSD
November 01, 2025, 07:05:38 PM
Hello all,

On my dashboard it tells me I am running FreeBSD 14.3-RELEASE-p4, but when I look this up they tell me there is no p4 and the latest is p2, with the latest patches being released on 10/22/25. Can someone tell me how to interpret this?

Thanks,
Steve
#11
I am not sure of my problem... but here is what I have. I hope you can point me in the right direction!

I have a Lenovo M720q PC with a 4 port Intel I350 network adapter. I am going to use the onboard NIC for other VMs, as well as Proxmox mgmt. VLANs are configured on 3 of the 4 I350 ports, with the 4th port going to the Internet. The Proxmox config to support this is in attachment 1. The OPNsense config in Proxmox is in attachment 2.

I have a connection from my PC directly to port 1 of the I350. I have set up the VLAN on my PC connection to VLAN 1, which matches the OPNsense config for port 1. How am I supposed to get to the GUI, so I can continue my config efforts? I am completely lost here.

#12
Quote from: spidysense on October 07, 2025, 03:48:47 PM
Quote from: spetrillo on August 30, 2025, 08:50:21 PM
Suricata is throwing up some alerts that I think are ok but I am not sure. Is this ok??

Content match Service Suricata_alert

        Date:        Sat, 30 Aug 2025 14:41:04
        Action:      alert
        Host:        opnsfwpr01.petrillo.home
        Description: content match:
{"timestamp":"2025-08-30T14:39:03.101552-0400","flow_id":2125015740515061,"in_iface":"igb3^","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_Endpoint"],"confidence":["High"],"created_at":["201
...


The Suricata alert indicates a network event captured on August 30, 2025, at 14:39:03 EDT, with the following details:

Timestamp: 2025-08-30T14:39:03.101552-0400
Flow ID: 2125015740515061 (unique identifier for the network flow)
Interface: igb3^ (network interface where traffic was captured)
Event Type: Alert (triggered by Suricata's intrusion detection system)
Source IP/Port: 172.16.2.2:31511 (private IP, likely internal network device)
Destination IP/Port: 185.136.96.98:53 (public IP, port 53 used for DNS)
Protocol: UDP (typical for DNS queries)
Packet Source: wire/pcap (captured from live network traffic or pcap file)
Transaction ID: 0 (tx_id for the specific transaction in the flow)

Alert Details:

Action: Allowed (traffic was not blocked)
GID: 1 (group ID for the rule)
Signature ID: 2027758 (unique ID for the rule triggered)
Revision: 5 (rule version)
Signature: ET DNS Query for .cc TLD (Emerging Threats rule for DNS query to .cc top-level domain)
Category: Potentially Bad Traffic (indicates suspicious but not necessarily malicious activity)
Severity: 2 (moderate severity, on a scale where 1 is critical, 3 is low)

Metadata:

Affected Product: Any (applies to any system)
Attack Target: Client_Endpoint (likely targeting a client device)
Confidence: High (high confidence in the rule's accuracy)
Created At: 2013 (rule creation date)

Summary: The alert was triggered by a DNS query from 172.16.2.2 to 185.136.96.98 for a .cc domain, flagged as potentially suspicious by Suricata's Emerging Threats ruleset. The .cc TLD is sometimes associated with malicious activity, but the traffic was allowed. Further investigation into the destination IP and domain context is recommended to assess risk. If you check out what this host has been reported for causing it to be flagged, you can look here. I like to use AbuseIPDB for further IP/host investigation.

Thank you for clarifying this!
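As an added example (not spidysense's or the forum's code), the Python below parses Suricata EVE JSON alert records like the one quoted above, works out which ones were actually blocked rather than just logged (the distinction the Monit question in post #8 turns on), and renders the same one-line summary a monitor would report. The sample lines are constructed: the first mirrors the quoted alert's fields, the second is an invented blocked event, and the last two are a non-alert record and a corrupt line to show they are skipped.

```python
import ipaddress
import json

# Constructed eve.json lines (not a real capture). Line 1 copies the fields of the
# alert quoted in the thread; line 2 is invented to show a blocked (IPS drop) event.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2025-08-30T14:39:03.101552-0400", "flow_id": 2125015740515061,
                "in_iface": "igb3^", "event_type": "alert", "src_ip": "172.16.2.2",
                "src_port": 31511, "dest_ip": "185.136.96.98", "dest_port": 53, "proto": "UDP",
                "alert": {"action": "allowed", "gid": 1, "signature_id": 2027758, "rev": 5,
                          "signature": "ET DNS Query for .cc TLD",
                          "category": "Potentially Bad Traffic", "severity": 2}}),
    json.dumps({"timestamp": "2025-08-30T14:40:00.000000-0400", "event_type": "alert",
                "src_ip": "172.16.2.7", "src_port": 40000, "dest_ip": "198.51.100.9",
                "dest_port": 443, "proto": "TCP",
                "alert": {"action": "blocked", "gid": 1, "signature_id": 1000001, "rev": 1,
                          "signature": "CONSTRUCTED test rule", "category": "Test", "severity": 1}}),
    json.dumps({"event_type": "dns", "src_ip": "172.16.2.2"}),  # not an alert: skipped
    "not json at all",                                          # corrupt line: skipped
]

SEVERITY_LABEL = {1: "high", 2: "medium", 3: "low"}  # Suricata: 1 is the most severe


def parse_alerts(lines):
    """Return one flat summary dict per EVE alert record, skipping non-alert and malformed lines."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        out.append({
            "timestamp": rec.get("timestamp"),
            "sid": a["signature_id"], "rev": a["rev"], "signature": a["signature"],
            "severity": a["severity"],
            "severity_label": SEVERITY_LABEL.get(a["severity"], "unknown"),
            # EVE records "blocked" when IPS mode dropped the flow; "allowed" means it was only logged
            "blocked": a["action"] == "blocked",
            "src": f"{rec['src_ip']}:{rec['src_port']}",
            "dest": f"{rec['dest_ip']}:{rec['dest_port']}",
            "src_internal": ipaddress.ip_address(rec["src_ip"]).is_private,
            "dest_internal": ipaddress.ip_address(rec["dest_ip"]).is_private,
        })
    return out


def block_events(lines):
    """Only the alerts Suricata actually dropped, i.e. what a block-event monitor should report."""
    return [a for a in parse_alerts(lines) if a["blocked"]]


def format_report(alert):
    """One-line summary in the spirit of the Monit content-match mail quoted above."""
    return (f"{alert['timestamp']} {'BLOCKED' if alert['blocked'] else 'allowed'} "
            f"sid={alert['sid']}:{alert['rev']} sev={alert['severity_label']} "
            f"{alert['src']} -> {alert['dest']} {alert['signature']}")
```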
#13
Has anyone hit the problem with enabling Suricata when your network interface settings are enabled? It seems this combination, on my server, crushes DNS because I lose all resolution to the Internet. If I go back and disable the network interface settings, then DNS comes back.

Has anyone seen this combination?

Steve
#14
I am using VLANs, so all my interfaces are the VLANs themselves. Is there another way to amend it?
#15
Hello all,

I have an Intel X550 2 port network adapter. I would like to change the MTU of the ports first, which in turn will allow me to change the MTU on the OPNsense interfaces that are supported by this 2 port adapter. I have tested that ifconfig ix0 mtu 9000 works when I SSH to the firewall. Now I wanted this to persist through reboots and I added ifconfig ix0 mtu to the tunables section, but it does not persist. I am back to 1500. Am I doing something wrong with this?

Thanks,
Steve