Messages - MoonbeamFrame

#1

Apart from the one firewall mentioned, all the other firewalls have now updated today without issue.
#2
I'm using unique tokens on all firewalls.

I'm deducing that the maximum download exceeded is due to the firewall making multiple attempts to download the file, which matches the logs.

If I use curl to download the file from another location I see ?token=f2cbc8898bc30a appended to the filename.

I'm also seeing:

In order to use GeoIP, you need to configure a source in the GeoIP settings tab

When I go into the Firewall: Aliases

#3
I'm seeing the same thing. From the timings, this was before I updated to 25.7.9 from 25.7.8.

Relevant logs from one of my firewalls.

Quote:
[...]
2025-12-05T11:42:13    Notice    firewall    geoip updated (files: 0 lines: 0)
2025-12-05T11:42:13    Error    firewall    geoip update failed : You have reached your 10 downloads per day limit for ipinfo_lite.csv.gz from [ip.ad.dr.ess] Please reach out to increase your limit via support@ipinfo.io. [http_code: 429]
2025-12-05T11:42:13    Notice    firewall    geoip updated (files: 0 lines: 0)
[...]
2025-12-05T11:42:01    Error    firewall    geoip update failed : File is not a zip file
2025-12-04T11:46:03    Notice    firewall    geoip updated (files: 0 lines: 0)
2025-12-04T11:46:03    Error    firewall    geoip update failed : You have reached your 10 downloads per day limit for ipinfo_lite.csv.gz from [ip.ad.dr.ess]. Please reach out to increase your limit via support@ipinfo.io. [http_code: 429]
[...]
2025-12-04T11:41:04    Error    firewall    geoip update failed : File is not a zip file
2025-12-04T11:41:03    Notice    firewall    geoip updated (files: 0 lines: 0)
2025-12-04T11:41:03    Error    firewall    geoip update failed : File is not a zip file
2025-12-04T11:41:01    Notice    firewall    geoip updated (files: 0 lines: 0)
2025-12-04T11:41:01    Error    firewall    geoip update failed : File is not a zip file
2025-12-03T11:40:08    Notice    firewall    geoip updated (files: 496 lines: 5785121)
2025-12-02T11:39:06    Notice    firewall    geoip updated (files: 496 lines: 4954678)
2025-12-01T11:38:05    Notice    firewall    geoip updated (files: 496 lines: 4951034)
[...]
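A small health check for the pattern in these logs, added here as an example and not code from OPNsense or the poster: it parses lines in the layout shown above, counts rate-limited (HTTP 429) and "File is not a zip file" failures, treats the "updated (files: 0 lines: 0)" notice that follows each failure as a failed refresh rather than a success, and reports the last update that actually loaded data. The sample lines are constructed to match the excerpt and the IP is a placeholder.

```python
import re

# Constructed sample in the same layout as the OPNsense log excerpt above
# (timestamp, severity, facility, message); the IP is a placeholder.
SAMPLE_LOG = """\
2025-12-05T11:42:13    Notice    firewall    geoip updated (files: 0 lines: 0)
2025-12-05T11:42:13    Error    firewall    geoip update failed : You have reached your 10 downloads per day limit for ipinfo_lite.csv.gz from [ip.ad.dr.ess] [http_code: 429]
2025-12-05T11:42:01    Error    firewall    geoip update failed : File is not a zip file
2025-12-04T11:41:03    Notice    firewall    geoip updated (files: 0 lines: 0)
2025-12-03T11:40:08    Notice    firewall    geoip updated (files: 496 lines: 5785121)
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+firewall\s+geoip (.*)$")
UPDATED_RE = re.compile(r"^updated \(files: (\d+) lines: (\d+)\)")
HTTP_RE = re.compile(r"\[http_code: (\d+)\]")


def parse_line(line):
    """Turn one geoip log line into an event dict; None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, severity, msg = m.groups()
    ev = {"ts": ts, "severity": severity, "kind": "other", "files": 0, "http_code": None}
    if (u := UPDATED_RE.match(msg)):
        ev["kind"], ev["files"] = "updated", int(u.group(1))
    elif msg.startswith("update failed"):
        ev["kind"] = "failed"
        ev["reason"] = msg.split(":", 1)[1].strip()
        if (h := HTTP_RE.search(msg)):
            ev["http_code"] = int(h.group(1))
    return ev


def assess(log_text):
    """Summarise GeoIP update health; an empty 'updated' after a failure is not a success."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # oldest first (ISO timestamps sort lexically)
    rate_limited = sum(1 for e in events if e["kind"] == "failed" and e["http_code"] == 429)
    bad_file = sum(1 for e in events if e["kind"] == "failed" and e.get("reason") == "File is not a zip file")
    empty_updates = sum(1 for e in events if e["kind"] == "updated" and e["files"] == 0)
    good = [e for e in events if e["kind"] == "updated" and e["files"] > 0]
    last_good = good[-1]["ts"] if good else None
    # Alert when the newest event is anything other than a non-empty update.
    stale = not events or events[-1]["kind"] != "updated" or events[-1]["files"] == 0
    return {"rate_limited": rate_limited, "bad_file": bad_file,
            "empty_updates": empty_updates, "last_good": last_good, "stale": stale}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

Because the firewall logs a "geoip updated" notice even when nothing was loaded, a monitor keyed only on that string would never notice that the rule set has been running on stale or empty data since the last good download.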
#4

This may be a usable workaround for some.

Having registered an account with IPinfo, I entered and saved the URL.

Create a new GeoIP alias. When saving this you should see the IPinfo DB downloaded.
#5
When I upgraded a firewall to 25.7.5 I also migrated from Maxmind to IPinfo. It was about 14 hours before I saw the IPinfo data downloaded and it has updated daily since. During the transition I did not notice any issues with GeoIP based rules (which is not to say that there were none).

Yesterday I migrated this firewall to newer hardware. All looked OK when I put it online, but there was no GeoIP data. This led to the GeoIP rules not being applied and as a result I rolled back to the old hardware.

As noted it would be useful to be able to request a download of the data.

#6

If you map the instructions in the original Draytek link (https://www.draytek.co.uk/support/guides/kb-isp-talktalk#vigor-vdsl2-modems) across to the fields given in section 2 of the device manual (https://www.draytek.com/assets/online_manuals/pdf/DrayTek_UG_Vigor167_V1.4.pdf), I think you will be able to do what you are looking for.

#7
25.7, 25.10 Series / Feature request
September 01, 2025, 11:01:22 AM
Where a picture has been configured, would you consider adding the ability to display it on the Login screen?
#8
General Discussion / Re: FQDN as an Alias?
August 15, 2025, 05:57:21 PM
Example
#9
Could it be related to a change that I saw announced on Debian Bullseye recently?

Quote:
apache2 (2.4.65-1~deb11u1) bullseye-security; urgency=medium

  Following the resolution of CVE-2025-23048,
  some SSL-enabled websites may begin encountering
  the error (AH02032):
  .
    Misdirected Request:
    The client needs a new connection for this request as the
    requested host name does not match the Server Name Indication
    (SNI) in use for this connection.
  .
  This behavior is particularly noticeable with AWS Application
  Load Balancers. Although they support intelligent SNI handling,
  they do not (as of this writing) relay SNI data to the target
  server, resulting in failed connections when hostnames don't align.
  .
  Without an SNI provided by the client, there is nothing httpd
  can do to determine which vhost/configuration should be
  used to provide the correct certificate (and TLS authentication
  eventually) whenever multiple vhosts listen on the same IP:port.
  .
  That's because reading the HTTP Host header necessarily has to
  happen after the TLS handshake/auth/decryption (and later
  renegotiation is not an option with TLSv1.3).
  .
  So those connections fall back to the first vhost declared on
  the IP:port for the TLS handshake part, and if the request
  Host header finally matches a different vhost with a different
  TLS configuration it's rejected with AH02032.
  .
  Before 2.4.64 the check was not accurate and would allow that,
  with security implications.
  .
  As a workaround, you may (after a risk analysis) generate a
  wildcard certificate. If you're managing multiple domains,
  consolidate them into a single certificate by including each
  wildcard domain as an alias. Then, update the Apache configuration
  to reference this unified certificate.
  .
  Another possible workaround is to configure each virtual host to
  listen on a separate port. This approach avoids SNI-related issues
  by ensuring that each vhost is uniquely addressed through its own
  connection endpoint, thereby allowing distinct TLS configurations
  without ambiguity.
  .
  This error may also stem from a misconfigured HAProxy setup.
  In such cases, enabling dynamic SNI handling on HAProxy might be
  necessary to ensure that the correct hostname is passed through
  during the TLS handshake. After risk analysis, it could be done
  by using "sni req.hdr(Host)" directive.

 -- Bastien Roucariès <rouca@debian.org>  Fri, 25 Jul 2025 20:33:38 +0200

#10
Thanking all of you that have responded.

My interim solution has been to terminate the copper from both the ONT's onto one of my Unifi switches.
Then trunk the traffic to the OPNsense box via SFP+/DAC.
#11
Quote from: Seimus on June 23, 2025, 01:06:57 PM
What about the Official HW? DEC

I did look, but there do not appear to be any with 10Gbit/s copper ports. So the only option would be 4 x SFP+

Copper SFP+ modules run very hot.
#12
XGS-PON is becoming available from my service providers and I have started to look for hardware to facilitate migration to these services.

While I can find hardware with combinations of 2.5Gbit/s copper with SFP+, I am yet to find much in the SOHO market with 10Gbit/s copper with SFP+.

Does anyone have any recommendations for hardware that will run OPNsense?
#13
General Discussion / Re: Unsense - new GUI theme
May 08, 2025, 10:50:34 AM

I prefer dark mode and I find the blue is easier to read than the orange.

As noted, a little more contrast for the blue would help.
#14

I was configuring Monit on a remote firewall and when it would not start I found a log error:

2025-03-14T16:31:26 Error monit /usr/local/etc/monitrc:12: syntax error 'L@|y='

The text in question was from the Mail Server Password field in General settings.
#15
So your ISP is PlusNet (part of the BT group as I was last aware).

You look to have a gateway running. Some DHCP errors. Maybe sort those out next.

Then it might be helpful if you try to state what problem you are trying to solve.