Messages - Monviech (Cedrik)

#1
Why not use the battle tested OpenVPN server with MFA already existing in OPNsense core?
#2
It's more like:
- You already half finished a firewall rule
- You notice you need a new alias
- You can add it in a different tab, but you have to save the rule and then edit it again and then add the alias

I mean yeah, it's a planning issue, but it interrupts the workflow surprisingly often. I don't know if often enough to create complex dependencies to solve this, but it would be a "nice to have" if at least the available aliases in an open firewall rule would update.
#3
I don't see any need for action here at the moment. There is a lot more you can misconfigure, and warnings are almost always overlooked anyway.

Go to "System - Settings - Administration" and change the interface the web GUI listens on. That brings up what is probably the best-known dialog that pretty much everyone ignores xD
#4
If you read the documentation and follow it 1:1, you won't have any of these problems:

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration
#5
I tested the pf traffic shaping recently and performance was not that great; it's still experimental. I would not deploy it in production but rather wait.
#6
Ideas that are in the mind is e.g. creating a new Alias while having a Firewall Rules dialog open, but for that to ever happen we have to follow the roadmap a bit further and push the "Firewall - Automation - Filter" component which is entirely MVC and was reworked a lot during the past year. It's soon going to be called "Firewall - Rules [new]".

GUI improvements take a long time to develop and test.
#7
You can close the issue and open a new one following the template.

The more focused your request is on a simple topic, also generally with a configuration example and/or documentation, the more likely it will be a feature request.

If it's mixing lots of different concepts/features and it's a long wall of text, it most likely doesn't get that much attention.

Put yourself in the shoes of somebody triaging 10 issues every day; the ones with a simple direction are more likely to get picked up.
#8
The API can take a comma-separated string of interfaces ("" empty string is floating). So e.g. LAN,,WAN will produce all LAN, Floating, WAN (search endpoint).
#9
I transferred it to core.
#10
I guess this mostly falls into the Macro/Wizard discussion.

Technically a VLAN, a layer 3 interface and DHCP are different technologies. So the GUI does not intermingle them, for maximum flexibility.

Since all new components are API enabled, crafty individuals could build their own workflows (e.g. a script that does exactly what they want, with all the assumptions their environment requires).

These could also have their own GUIs as the plugin system is very advanced and can hook into existing models.

For more inspiration check out the new system wizard.
#11
Reading the reviews link, it does not seem like that commit is in FreeBSD 14. Which means this will not hit the OPNsense kernel for a while if it's not backported. So this looks more like it takes well into 2026-27 and FreeBSD 15 based OPNsense.
#12
It requires an interface selection if the rules are not in floating. Maybe that's the issue?
#13
You can turn off the rebind protection in 'System - Settings - Administration'
#14
It should not be an issue if tagged and untagged are not mixed on the OPNsense on the same network interface.

If your trunk only has VLANs configured on the OPNsense, then untagged frames are not evaluated on the port, as long as you don't actively use the parent interface of the VLANs.

By using a second interface for untagged, you are most likely good.
#15
WireGuard is a stateless protocol. Once peers have handshaked, they will happily use that socket forever, until one side sends a handshake from a new socket.

But, a peer might be behind a firewall that does not allow receiving this new handshake (the state is open for the old socket only), so the peer never updates and continues to send all packets to the last known socket.

If you want failover you need a stateful protocol like OpenVPN that notices if the control channel gets interrupted and re-establishes automatically.

WireGuard is only self-healing if both peers can always talk directly to the other peer's socket.