"
Not really a wizard, but I'm a big fan of being able to edit things in context, so edit or create an alias while having a firewall rule open - a good example would be the way the old Sophos UTM did it, or Fortinet does it now.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
25.7, 25.10 Series / Re: Adding a VLAN takes 26 clicks and 71 keystrokes across 6 screens
November 20, 2025, 10:23:25 AM #2
25.7, 25.10 Series / Re: Adding a VLAN takes 26 clicks and 71 keystrokes across 6 screens
November 19, 2025, 12:32:01 PM
I agree that this is not the best case for a bad UI, in other firewalls you would also have to do a lot of clicking to achieve this result.
However I would like to see some UI streamlining for firewall rules and aliases.
However I would like to see some UI streamlining for firewall rules and aliases.
#3
25.7, 25.10 Series / Re: Adding a VLAN takes 26 clicks and 71 keystrokes across 6 screens
November 18, 2025, 11:18:10 AM
This might best be part of a wider discussion about usability, which, in my opinion, is not necessarily the top priority in opnsense development.
I think more focus on this would be beneficial.
I think more focus on this would be beneficial.
#4
Tutorials and FAQs / Re: [Tutorial] How to Secure and Implement Internal IPv6 NAT66/NPt
November 05, 2025, 10:44:30 AM
Ok, the way to do this by the book:
- use GUA internally to reach the internet
- use ULA (as secondary address) and/or IPv4 addresses for internal addressing, primarily if you have internal servers that need static addresses
- firewall using the above addresses you assigned. OPNsense has the functionality to support this using dynamic IPv6 address objects or interface address objects
Let me stress that NAT is not a security feature - firewalling is used for that. NAT is only relevant if there is a routing / addressing issue that can not be solved in any other way. Using reserved addresses is never a good idea - renumbering of static networks is potentially a huge hassle and you may be forced to if those addresses are used in the future.
The only reason I can see for NPTv6 is if you have a small site with dynamic IPv6 addresses that is multihomed. In that case in my opinion it is necessary to NPTv6 the secondary uplink in order to solve some problems regarding source address selection on the client.
- use GUA internally to reach the internet
- use ULA (as secondary address) and/or IPv4 addresses for internal addressing, primarily if you have internal servers that need static addresses
- firewall using the above addresses you assigned. OPNsense has the functionality to support this using dynamic IPv6 address objects or interface address objects
Let me stress that NAT is not a security feature - firewalling is used for that. NAT is only relevant if there is a routing / addressing issue that can not be solved in any other way. Using reserved addresses is never a good idea - renumbering of static networks is potentially a huge hassle and you may be forced to if those addresses are used in the future.
The only reason I can see for NPTv6 is if you have a small site with dynamic IPv6 addresses that is multihomed. In that case in my opinion it is necessary to NPTv6 the secondary uplink in order to solve some problems regarding source address selection on the client.
#5
Tutorials and FAQs / Re: [Tutorial] How to Secure and Implement Internal IPv6 NAT66/NPt
November 04, 2025, 03:44:50 PM
Let me be clear that you should do none of those things.
There are solutions to these problems, but not those.
There are even problems where NPTv6 is a legitimate solution (small site multihoming, for example), but not that one.
But maybe I don't understand, so, tell me, what problem does all of that actually solve?
EDIT: If you really want to know how to do IPv6 in your local network, I would advise you to read https://forum.opnsense.org/index.php?topic=45822.0 .
There are solutions to these problems, but not those.
There are even problems where NPTv6 is a legitimate solution (small site multihoming, for example), but not that one.
But maybe I don't understand, so, tell me, what problem does all of that actually solve?
EDIT: If you really want to know how to do IPv6 in your local network, I would advise you to read https://forum.opnsense.org/index.php?topic=45822.0 .
#6
Hardware and Performance / Re: Easy Time Sync
November 04, 2025, 11:26:16 AM
There's also the Timemachines TM2000b, if you also want PTP.
#7
German - Deutsch / Re: [gelöst] Empfehlung SFP+ PCIe Karte
October 23, 2025, 12:49:08 PM
Die X520 ist nur PciE 2.0, d.h. du brauchst 8 lanes, um die vernünftig zu betreiben.
Ansonsten gibt es eine breite Auswahl an verschiedenen Karten und Herstellern - persönlich mag ich Mellanox, die sind verhältnismäßig effizient (lies: kühl), und kompatibel, und es gibt sie billig auf ebay - was eher für Privatanwender ein Kriterium ist.
Ansonsten gibt es eine breite Auswahl an verschiedenen Karten und Herstellern - persönlich mag ich Mellanox, die sind verhältnismäßig effizient (lies: kühl), und kompatibel, und es gibt sie billig auf ebay - was eher für Privatanwender ein Kriterium ist.
#8
General Discussion / Re: Transparent Filter Bridge setup - no internet
October 16, 2025, 11:22:30 AM
To a more general point - are you sure that you need a transparent bridge? We have that discussion comparably often, and it's not a recommended setup.
#9
25.7, 25.10 Series / Re: Newbie with questions about 25.7 Series
October 13, 2025, 11:27:44 AMQuote from: Seimus on October 10, 2025, 11:50:17 AMBy Dave, the OP ment Dave Plummer.
Basically a legend of a developer that worked on Early versions of windows and is the creator of the task manager If I remember correctly.
I'm sure a Microsoft programmer gives the best advice on networking. A general rule of mine is not to let software developers mess with the network, if possible.
#10
25.7, 25.10 Series / Re: Newbie with questions about 25.7 Series
October 10, 2025, 11:17:44 AMQuote from: Patrick M. Hausen on October 09, 2025, 05:20:41 PMNobody I know including myself with experience in firewalls and networks runs a transparent bridge. It's incredibly difficult, error prone, and unreliable. So I cannot give any advice but "don't".
That Dave guy on youtube made a video about transparent bridging in which he claims it to be the best thing since sliced bread. Unfortunately.
#12
German - Deutsch / Re: Probleme mit NGINX
September 04, 2025, 02:23:57 PMQuote from: Seelenschnitter on September 03, 2025, 10:53:09 PMHallo zusammen,
ich habe heute auf meiner Synology im Docker einen Vaultwarden aufgesetzt. Nun wollte ich aber nicht den Reserve Proxy und die SSL Abhandlung von der Synology nutzen, sondern das meiner Firewall und nginx überlassen. Also habe ich heute selbiges frisch installiert auf der Opnsense und wollte es einrichten.
Aber nach einem gesamten Tag konfigurieren und wirklich so gar keinem Erfolg (ausser beim Synology mit SSL Zertifikat von meiner Domain und Reverse Proxy inklusive NAT und Outbound NAT auf Opnsense vollkommen funktional) fiel mir auf, dass im Dashboard ständig im Live Log "WARNING: failed to setup nginx" auftaucht. Eine Reinstallation half nichts und zu dem Fehler finde ich auch nicht vernünftiges.
Hat dazu jemand eine Idee?
Normalerweise würde der nicht starten, weil die Konfiguration ein Problem hat.
#13
Virtual private networks / Re: Unable to stablish first IPSec VPN
September 02, 2025, 11:21:43 AM
If it's site2site, use a suitably long PSK.
IPSec is bad enough without using certificates, unfortunately.
Speaking as the one who does the level 3 ipsec support at my employer.
IPSec is bad enough without using certificates, unfortunately.
Speaking as the one who does the level 3 ipsec support at my employer.
#15
25.7, 25.10 Series / Re: Assign prefix ID
July 28, 2025, 11:14:07 AM
Pretty much, but I would like to add the following:
2001:db8:ffff:ff00:0000:0000:0000:0000/56 != 2001:db8:ffff:ff::0/56
2001:db8:ffff:ff00:0000:0000:0000:0000/56 == 2001:db8:ffff:ff00::0/56
2001:db8:ffff:ff00:0000:0000:0000:0000/56 != 2001:db8:ffff:ff::0/56
2001:db8:ffff:ff00:0000:0000:0000:0000/56 == 2001:db8:ffff:ff00::0/56
