Messages - mokaz

#1
Hi all,

Is there any moderator monitoring this forum category? Would it be better to file this over GitHub perhaps?

Let me know,
KR,
m.
#2
Hi all,

Not sure if I'm hitting a bug here but I could narrow down my observed behaviors to a Squid configuration parameter.

- proxy setup in Transparent mode.
- setting the "Number of squid workers" to 4
- simple CLI request : curl www.perdu.com

Would randomly hit a Squid "id=ERR_INVALID_URL" thrown error message (and would sometimes pass through with no issues):

</head><body id=ERR_INVALID_URL>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="/">/</a></p>

<blockquote id="error">
<p><b>Invalid URL</b></p>
</blockquote>

<p>Some aspect of the requested URL is incorrect.</p>

<p>Some possible problems are:</p>
<ul>
<li><p>Missing or incorrect access protocol (should be <q>http://</q> or similar)</p></li>
<li><p>Missing hostname</p></li>
<li><p>Illegal double-escape in the URL-Path</p></li>
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
</ul>

<p>Your cache administrator is <a href="mailto:admin@localhost.local">admin@localhost.local</a>.</p>
<br>
</div>

<hr>
<div id="footer">
<p>Generated Mon, 02 Mar 2026 06:52:39 GMT by squid.domain.local (squid)</p>
<!-- ERR_INVALID_URL -->
</div>
</body></html>

My guess is that this happens whenever the request is served by any worker other than 0, hence [1,2,3] in my tests.
Reverting to "Number of squid workers = 1" gets me a steady transparent proxy configuration which serves any request, all the time.

Any thoughts?

Thanks a lot,
Kind regards,
m.
#3
Thanks for this tutorial, it does still work on current versions.
Would anyone know if the "custom.xml" would stand updates/upgrades?

It's actually pretty clean though, as adding IPS rules once this is in place is a simple matter of updating/adding rules within your "custom.rules" files and updating that on your web server. Neat.

Thanks,
m.
#4
Yeahee bingo, that was exactly that, my 1st VLAN assignment had a "Track interface (Legacy)" setting in its IPv6 mode..
Thanks a lot!!
#5
Hey hey, indeed...

bob@ons:~ $ cat /var/etc/radvd.conf
# Automatically generated, do not edit
# Skipping defunct interface lan

"lan" is pretty much always removed here in favor of VLANs etc..
#6
26.1 Series / Re: Remote migration of firewall rules?
February 17, 2026, 10:55:50 PM
Hi there,

Yes, basically 5 out of 6 migrated nodes here are remote / I always keep ways into each hypervisor from my current location while doing this and I simply snapshot the VM before doing anything (remote access = a simple Network(s) alias hosting my edge WAN IPs having access to a few DNAT rules; allowing HTTPS management over the hypervisor + a ThinLinc enabled Linux host + 127.0.0.1/32:OPNsense_admin_port). Although yes, if these rules fail, I may be in trouble.

I've successfully done the rules migration on all of them -- the single issue in the wizard was a leftover rule addressing a gateway that no longer exists. I started by doing the local node to assess that my Remote Access rules were fully migrated and working fine (tested from a remote site)...

Another safety net I've been using sometimes was a complete "clone" of the untouched, running-state VM. On the clone I'd set the "start at boot" parameter to enabled while it remains powered off for now. Then I'd remove that same parameter from the currently running VM (do NOT start on boot) on which I'd conduct the updates. You'd do your things; if all goes well, you can drop the clone and re-set the start at boot parameter on the main VM. If in trouble, you'd have to reboot the host and analyze what went wrong.

I'm sorry I wouldn't be of much help if you're using hardware appliances.

Hope this helps a bit.
Cheers,
m.
#7
Hi Franco,

Thanks a lot for your update, I've checked the /etc/etc/radvd.conf file which essentially (aside from two initial commented lines) is empty..
I'll check this out as I know that on this node I'm full on DHCP on the WAN interfaces (note the S).

Thanks again for your wonderful work all around OPNsense, this piece of kit is smashing really!

Cheers,
m.
#8
Hi all,

Thanks for 26.1, migrated 6 nodes interlinked with full meshed WG + BGP on FRR etc all top notch, not a glitch! Excellent.

On one node though, I'm seeing the "Router Advertisements" listed within the "Services" widget in red and stopped (expected) while on all the other nodes the "Router Advertisements" isn't listed at all within the services widget. I do not have any configuration in there in regards to "Router Advertisements" (on any of my nodes that is). Is there anything I could check/assess here?


One last quick question, what's the idea with "Firewall > Rules [new]" and "Firewall > Rules"? Will these two merge at some point? I migrated all my rules to the new scheme and find both menus now to be a source of confusion now.

Thanks for OPNsense, it rocks !

Cheers,
m.

#9
Q-Feeds (Threat intelligence) / q-feeds feedback
December 10, 2025, 11:44:11 PM
Hi there,

I tested the free plugin and it works according to plan, thanks!

A few items though:
- I guess that with the Community - Self-Provisioned licensing scheme, the provided threat feeds include OSINT only. Are you intending to list what is included within your OSINT package? I.E: all the Q-Feeds triggering threats here were part of my next in line ingress policy object which is the IPSUM_L1 threat intelligence feed.

- I may think that the plugin does not release/give control back to OPNsense once the inactive administrative session timeout has been reached. One may still click on the three Q-Feeds menus. Although, while nothing refreshes within the Q-Feeds menus, once you click anywhere else within the GUI, you're routed to the usual OPNsense login page, which is the normal behavior under these circumstances.

- Why the new "Security" menu item? Why not simply within the "Services > Q-Feeds Connect" menu directly? Perhaps there are other plugins unknown to me that use the "Security" menu item, although if you're the only one, I don't see the point TBH.

Let me know,
Thanks
#10
Hi all,

To cut a long story short, I need (for lack of a better solution) to restart an LTE router every day. Without this, latencies just get higher and higher and higher until it's not operating any more. I couldn't yet nail the main issue down.

That LTE WAN uplink is seated within a dedicated VLAN on a DMZ switch (along with a 2nd WAN uplink on its own dedicated VLAN etc etc..)

My issue at OPNsense was that once the device had been auto-rebooted once a day, that VLAN interface IP & gateway wouldn't be updated at the OPNsense level (the LTE router permits a so-called "passthrough" feature where a backend device gets the LTE bond IP address, in my case OPNsense, handy..).

So here is what I've cobbled, please read carefully what the main script does before blindly copy/paste/run.

The main script: (saved in /usr/local/bin/dhcp-renew)
#!/bin/sh

set -e

ENABLE_LOGGING=true
INTERFACE=$1

# Refuse to run without an interface name (configd hands it over as the %s parameter)
if [ -z "$INTERFACE" ]; then
  echo "usage: $0 <interface>" >&2
  exit 1
fi

# Logging function
log_message() {
  if [ "$ENABLE_LOGGING" = "true" ]; then
    echo "$(date +%Y-%m-%d.%H:%M:%S) - $1" >> /var/log/dhcp-renew.log
  fi
}

# Function DHCP Renew: bounce the interface, drop the stale lease, re-run dhclient
dhcp_renew() {
  /sbin/ifconfig "$INTERFACE" down
  /sbin/ifconfig "$INTERFACE" up
  /bin/rm -f "/var/db/dhclient.leases.$INTERFACE"
  /sbin/dhclient "$INTERFACE"
}

# Function Renew WAN: notify OPNsense of the new WAN IP, then reconfigure the
# logical interface whose name "(optN)" is read from the ifconfig description
renew_wan() {
  /usr/local/etc/rc.newwanip "$INTERFACE"
  /usr/local/sbin/configctl interface reconfigure "$(/sbin/ifconfig "$INTERFACE" | grep description | awk '{print $3}' | tr -d '()')"
}

# Main script logic
main() {
  curtime=$(date +%s)
  # kern.boottime looks like "{ sec = 1733000000, usec = 123456 } ..."; keep the seconds
  uptime=$(sysctl kern.boottime | awk -F'sec = ' '{print $2}' | awk -F',' '{print $1}')
  uptime=$((curtime - uptime))

  log_message "========================"
  log_message "==== Process START ====="
  log_message "Interface given as parameter : '$INTERFACE'"
  log_message "System uptime: $uptime seconds"

  dhcp_renew
  log_message "DHCP Renew on interface '$INTERFACE' : DONE"

  renew_wan
  log_message "NEWWANIP & Interface Reconfigure on interface '$INTERFACE' : DONE"

  log_message "==== Process END ====="
}

# Run the main script logic
main

Making it executable:
chmod +x /usr/local/bin/dhcp-renew

The actions.d companion script: (saved in /usr/local/opnsense/service/conf/actions.d/actions_dhcp_renew.conf)
[start]
command:/usr/local/bin/dhcp-renew
parameters:%s
type:script
message:DHCP-RENEW on interface
description:DHCP-RENEW on specified interface

Restarting the configd service is needed:
service configd restart

And a quick log extract: (/var/log/dhcp-renew.log)
2025-12-08.12:33:00 - ========================
2025-12-08.12:33:00 - ==== Process START =====
2025-12-08.12:33:00 - Interface given as parameter : 'vlan0.8.888'
2025-12-08.12:33:00 - System uptime: 309327 seconds
2025-12-08.12:33:00 - DHCP Renew on interface 'vlan0.8.888' : DONE
2025-12-08.12:33:06 - NEWWANIP & Interface Reconfigure on interface 'vlan0.8.888' : DONE
2025-12-08.12:33:06 - ==== Process END =====

You can then edit your System>Settings>Cron jobs and schedule a specific interface forced renewal:

Since I've put this in place, my specific interface gateway is now correctly set on OPNsense after each router restart and it's almost transparent if not for the router reboot cycle needed time. As said, the main issue has nothing to do with OPNsense itself. Finally, in my case, I'm also cycling any WireGuard instances that may use this path after the forced daily renewal.

Please do not hesitate to correct any mistake or provide any insight.
I.E:
  • I did not take the needed time to completely understand what this does exactly: /usr/local/etc/rc.newwanip
  • I'm not sure that the /usr/local/bin path is advisable for user-made scripts.

Hope this may help,
Cheers,
m.
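As an added example (not code from the original post), two helpers a hardened version of the dhcp-renew wrapper above could use: a check that the interface name received via configd's %s parameter is a plausible, existing interface before it reaches ifconfig, and the kern.boottime parsing from the script isolated into a function. The interface list and the sysctl line are constructed sample inputs so the block runs offline; on OPNsense the list would come from `ifconfig -l`.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the known interface
# list is passed in explicitly (constructed here) instead of read from
# `ifconfig -l`, so the functions can be exercised without an OPNsense box.

# Accept only names made of letters, digits, '.' and '_' that also appear in
# the supplied space-separated interface list. Returns 0 if valid, 1 otherwise.
valid_ifname() {
  name=$1
  known=$2
  case "$name" in
    ''|*[!A-Za-z0-9._]*) return 1 ;;   # empty or contains shell-hostile characters
  esac
  for i in $known; do
    [ "$i" = "$name" ] && return 0
  done
  return 1
}

# Take a `sysctl kern.boottime` line such as
#   kern.boottime: { sec = 1733000000, usec = 123456 } Sun Dec  1 10:13:20 2024
# plus the current epoch time, and print the uptime in seconds. The split on
# "sec = " yields "1733000000, u" (the "usec" field matches too), which the
# split on "," then reduces to the boot seconds.
uptime_seconds() {
  boottime_line=$1
  now=$2
  boot=$(printf '%s\n' "$boottime_line" | awk -F'sec = ' '{print $2}' | awk -F',' '{print $1}')
  echo $((now - boot))
}

# Constructed sample data for a stand-alone run.
SAMPLE_IFLIST="vtnet0 vlan0.8.888 wg1 lo0"
SAMPLE_BOOT='kern.boottime: { sec = 1733000000, usec = 123456 } Sun Dec  1 10:13:20 2024'

if valid_ifname "vlan0.8.888" "$SAMPLE_IFLIST"; then
  echo "vlan0.8.888: accepted, uptime $(uptime_seconds "$SAMPLE_BOOT" 1733309327)s"
fi
if ! valid_ifname 'vlan0;id' "$SAMPLE_IFLIST"; then
  echo "'vlan0;id': rejected before reaching ifconfig"
fi
```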
#11
Quote from: meyergru on November 13, 2025, 11:28:42 AM:
For OpnSense, you define the WAN interface IP with a netmask of /32 and set the "IPv4 gateway rules" to your gateway, in which you check both "Upstream Gateway" and "Far Gateway" and select the WAN interface and gateway IP.

Thanks a lot, I'll try to set that up as well..
Kind regards,
#12
hi all,

A quick question onto scheduling both of these commands:
System>Settings>Cron>+>ZFS pool scrub
System>Settings>Cron>+>ZFS pool trim

How often shall these run as a best practice?

Thanks,
Regards,
#13
Quote from: DeeGee on June 11, 2025, 03:59:29 PM:
The difference is I've changed them both to DHCP, instead of static IP. I read it somewhere on this forum, that it allows the same gateway IP added via DHCP, but not manually.

Hi there, thanks for the tip -- I was struggling to find out how to inject the same gateway over both WAN uplinks within OPNsense!! This solved it.
#14
Quote from: meyergru on September 23, 2025, 02:26:28 PM:
If you see traffic that is not destined to your IPv4, it might be so-called "unknown unicasts". Their forwarding is a normal function of an L2 switch.

Yes that is the case here.

Quote from: meyergru on September 23, 2025, 02:26:28 PM:
It will not help if you configure your interface as /32 and set up a pointopoint route to your gateway ip - although that could/should also be done regardless (I do that). Otherwise, you might not get traffic to your "subnet neighbors".

Could you give me more information as to how you enable the "pointopoint route" to the /26 subnet gateway using /32 on your WAN uplink?

Quote from: meyergru on September 23, 2025, 02:26:28 PM:
If you want to block such traffic before it even hits your OpnSense, you can use Hetzner's Robot Firewall to filter against your own IPv4 (I do that, too, and it works).

Yes, that clears up a massive amount of pure noise, best practices indeed.

Thanks!
#15
General Discussion / Re: WireGuard Selective Routing
November 05, 2025, 10:17:34 AM
Hi there,

Trying to understand your setup, the VPS1/2 as well as any WG "clients/road warriors" are tied to the same WG instance on your new OPNsense NGFW ?

I'm not acquainted with the overlay "tool" you may be using (tailscale or such I'd guess) although I would separate things, one WG instance for your meshed network (VPS1 + VPS2 + OPNsense) and I'd do another instance terminating any WG road warriors ingressing connections at the OPNsense level.

Hope this helps a bit.
Regards,
m.