Messages - dirtyfreebooter

#1
yea i guess i was hoping to be able to use N-series intel boxes, like N100/N150 or N-305/N-350 with Zenarmor + Wireguard at 1-2 Gbps. Wireguard is very good at going across cores, but Zenarmor will peg 1 cpu so you can't have both, Zenarmor + Wireguard, even though there is CPU leftover.

the whole businesses trying to use the home subscription is absolute bullsh*t. meanwhile, you get tons of free testing from home users. The whole SASE stuff, i don't care about any of that as a home user. i want to use low powered device without sacrificing my internet connection.

i picked up a UniFi Fiber gateway and $99/year Cybersecure subscription. This has come a long way in 1 year with regard to content filtering. It's still in pre-release software, but it's very close to Zenarmor in terms of content filtering, etc. Using suricata, content filter, is all multi-threaded, no limits, so this is getting interesting at least.

i prefer OPNsense as a router. zenarmor is nice, even with its upgrade warts. As a home user, i just want some decent content filtering, be able to use my full fiber home connection, and do it on the lowest possible power device. zenarmor makes this easy in some ways and extremely difficult in others.

#2
25.7 Series / unbound blocklist supporting nx_domain
September 28, 2025, 04:32:26 AM
is it possible for unbound to support blocklist in this format or similar?

server:
local-zone: "doh.dns.apple.com." always_nxdomain
local-zone: "mask.apple-dns.net." always_nxdomain
local-zone: "mask.icloud.com." always_nxdomain
local-zone: "mask-h2.icloud.com." always_nxdomain
local-zone: "mask-api.icloud.com." always_nxdomain
local-zone: "use-application-dns.net." always_nxdomain

most blocking i want to return 0.0.0.0 but for a handful of domains, i want to return NXDOMAIN. right now i do this by putting a custom file in

/usr/local/etc/unbound.opnsense.d/
but that's not ideal as it doesn't get backed up or restored with normal config.xml tools. i would like to provide unbound with a custom URL for a blocklist that also specifies the response type, like NXDOMAIN instead of the global setting.
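
The per-domain response type asked about above can be produced today by generating the custom include file from a list, shown here as an added example that is not part of the post or of OPNsense. The input list format (`<domain> [nxdomain|null]`) and the function names are assumptions; `always_nxdomain` and `always_null` (answers 0.0.0.0 / ::) are unbound's own local-zone types. Names are validated before being written between quotes so a hostile list entry cannot inject extra unbound directives.

```python
import re

# Hypothetical list format (an assumption, not an OPNsense feature):
#   <domain> [nxdomain|null]     '#' starts a comment; default action is null
ACTIONS = {"nxdomain": "always_nxdomain", "null": "always_null"}
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")

# Constructed sample input, including two lines that must be rejected.
SAMPLE = """\
# response type per domain
mask.icloud.com nxdomain
use-application-dns.net. NXDOMAIN
ads.example.com
tracker.example.net null
bad"name.example nxdomain
evil.example refuse
"""

def normalize(domain):
    """Return a lowercase FQDN with trailing dot, or None if unsafe."""
    name = domain.lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    if not all(LABEL.fullmatch(label) for label in labels):
        return None
    return name + "."

def render(text):
    """Turn the list into unbound config; returns (config, rejected_line_numbers)."""
    zones, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue  # blank line or comment
        fqdn = normalize(parts[0])
        keyword = parts[1].lower() if len(parts) == 2 else "null"
        action = ACTIONS.get(keyword) if len(parts) <= 2 else None
        if fqdn is None or action is None:
            rejected.append(lineno)  # never emit unvalidated text
            continue
        zones[fqdn] = action  # last entry wins on duplicates
    body = "".join(f'local-zone: "{d}" {a}\n' for d, a in sorted(zones.items()))
    return "server:\n" + body, rejected

if __name__ == "__main__":
    config, rejected = render(SAMPLE)
    print(config, end="")
    print("rejected lines:", rejected)
```

The rendered text is what would be written to a file under /usr/local/etc/unbound.opnsense.d/; running `unbound-checkconf` before reloading catches anything the generator missed.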
#3
Zenarmor (Sensei) / Re: Certificate failure
September 23, 2025, 03:51:52 PM
thx. that fixed it for me.
#4
Zenarmor (Sensei) / Re: Certificate failure
September 23, 2025, 12:59:56 AM
this also makes all the plugins and packages "orphaned", preventing you from adding or removing any other packages, even ones not related to zenarmor.. if we aren't going to get a fix, can we at least get updates? like why it's not getting fixed or taking longer than expected, so we aren't left in the dark?


#5
Zenarmor (Sensei) / Re: Certificate failure
September 22, 2025, 04:50:18 PM
this is still happening, i'm only replying because you said it was fixed server side.
#6
Zenarmor (Sensei) / Re: Certificate failure
September 19, 2025, 06:43:01 PM
Quote from: sammycda on September 19, 2025, 06:15:27 PM
Same issue here. I tried both Danish and US repositories.

i don't think the opnsense mirrors have anything to do with the problem, the problem appears to be with the zenarmor repo
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
#8
Zenarmor (Sensei) / Re: Certificate failure
September 18, 2025, 07:02:22 PM
i posted over here: https://forum.opnsense.org/index.php?topic=48962.0 but yea i am encountering the same issue
#9
trying to check for updates.. i now get this. using the default business mirror.



***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.4.3 (amd64) at Thu Sep 18 08:14:58 MDT 2025
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 908 packages processed.
Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

EDIT: i guess this is a problem with ZenArmor...
#10
been using opnsense for years now, i never had ACME cron renewal work. if i use the force option in the UI it renews. i keep meaning to look into it, but because the force works, i just move on until next time .. hah.
#11
Zenarmor (Sensei) / Re: Cannot allocate memory
May 27, 2025, 08:35:53 PM
if you set dev.netmap.buf_num > 1000000 does that even work? i tried that and got a message like 081.363854 [1363] netmap_config_obj_allocator requested objtotal 2000000 out of range [4, 1000000] which seems to set the actual buf_num to the default, not even 1000000...

i am using ixl driver on X710-DA2 with native netmap driver.
#12
Quote from: Cljackhammer on April 16, 2025, 12:59:25 PM
Apparently, you need a business license or higher for multi core support. This is laughable. In this day and age, charging for multi core support, seriously? Modern CPU's have had multiple cores for years. What software company charges for multi core support? NONE, except for Zenarmor you need to revisit your strategy. Multi core support is nothing novel or innovative. All modern software applications support it.

what. the whole reason i want multi-core support is so i can downgrade my home hardware to lower TDP cpu... ugh
#13
Quote from: sy on April 11, 2025, 05:50:37 PM
The multicore support is in development stage and we plan to ship it with version 2.1 in July.

thanks for the update!
#14
Quote from: Patrick M. Hausen on March 17, 2025, 09:31:15 PM
I use Vagrant - need to urgently update my project for 25.1. OPNsense runs in a virtual machine, source tree(s) are on the host system. OPNsense mounts project directory via NFS.

For 24.7 see https://github.com/punktDe/vagrant-opnsense

My current large show stopper is that I need to configure a Debian VM on a powerful hypervisor for nested virtualisation and Vagrant so I can use VScode over SSH to that machine - because my Intel Mac is being replaced by Apple silicon.

oh yea, that is certainly doable with the proxmox setup i have, just have the code on a linux vm and nfs export and have opnsense nfs mount it. i'll give this a try. seems promising.

thanks!
#15
Development and Code Review / code editing workflow
March 17, 2025, 08:56:49 PM
curious as to hear how people are working with opnsense development.. git clone / git branch / make mount / edit / git commit / git push / create pull request, is great and all. currently doing that on a Proxmox VM and it's fairly simple.

but using vim/emacs on the terminal is so-so. vscode via remote SSH to freebsd doesn't really work without linux binary support, which the opnsense repo seems to be missing essential packages
devel/linux-rl9-libsigsegv
emulators/linux_base-rl9

i don't necessarily have to have vscode, but largely gotten used to it at this point. neovim seems like it's possible with some effort to get it working on freebsd.

so i'd like to hear what other solutions people are using before i spend too much time in one direction.

thanks