Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - cookiemonster

#2
CPU bottlenecked by storage subsystem perhaps, trying to log.
#3
General Discussion / Re: Password Reset
July 06, 2026, 12:23:16 AM
Very good.
#4
Very graceful Murat. I appreciate the offer. Although I have the time currently, I lack the funds to purchase a licence; despite the favourable conditions.
I hope I will be in a better position soon to take it up, should the offer still be open. Much obliged.
#5
Quote from: philippe_crowdsec on July 02, 2026, 11:25:49 AM@cookiemonster: I'm interested in the discussion about CrowdSec.

The product is free (security engine, scenarios, vpatch, WAF rules, Claude skill, etc.) and is MIT-licensed.
A blocklist is shared amongst users who share signals, for free, and many more are also free of charge.
There is 0 cost on the OpnSense integration.

So I'd be interested to understand your feelings better (or maybe it's about the SaaS console)?
If you have time and the will to discuss this, please PM me.
Hi @philippe_crowdsec - thanks for the note. I will keep it short here so as to not hijack the thread. Yes those are free but my _main_ issue is that the integration was limited and was never advanced. The note since 2024 if I'm not mistaken is:
QuoteAt the moment, the CrowdSec package for OPNsense is fully functional on the command line but its web interface is limited; you can only list the installed objects and revoke decisions. For anything else you need the shell or the CrowdSec Console.
Which means most of the existing and new functionality is unmanageable from the plugin. For instance I can't use SPOA for haproxy on OPN when using the OPN haproxy plugin.
If you are still willing to listen to my points (thank you for the offer) I shall open a new post so we can discuss them. In the open I suspect will be suitable for other users too. If you agree. Again, thank you. Just confirm and I will.
#6
Quote from: thelittleblackbird on June 27, 2026, 12:42:34 AMhere you have it, in the attached file.

I tried to implement the tunnable described in the opnsense documentation about performance:
https://docs.opnsense.org/troubleshooting/performance.html

if you need something else just ask

thanks


If you have set RSS for that performance, it might need revisiting. Maybe it does not help and is detrimental in your case.
#7
Pics seems to be hosted in imgur. Those are unavailable in the UK (I can't see them). But it might apply also to other locales.
#8
It sounds like somehow your firewall rules are or were left too open and allowed traffic into your AdGuardHome port.
If you use the ADGH UI and go to "Setup guide" you'll see it listening to all interfaces unless you've changed from defaults, which are the result of "$ifconfig | grep inet" on your OPN.
That will include your WAN ip address.
Therefore my thinking is firewall rules need revising.
So 1. **Open DNS resolver on the WAN**: seems to have caught it. It might only need reset of firewall states. Hopefully.!
#9
Clear, thank you all contributors.
#10
I don't have a paid subscription but I was at the start very willing to be helpful and was engaged with their support team to help them help me diagnose problems and in return they got to improve their product. It felt the fair tradeoff of being early user/tester for a free product. All as expected.
As time has gone by I am more and more disheartened with the trajectory so far taken, in that it feels now they've had our use, they can move to their paying market with a more mature product.
Again, not unexpected BUT as with the functionality gone that used to be free and the main one, multicore, exactly as you have clearly explained, has had me 1) wondering if it is still worth the machine's stress for what it gets 2) whether to stop using it.
It seems the balance against us is too uneven. The impression that they have taken without giving back to balance the scales a bit for us early testers is the more bitter one.

A similar thinking is growing with Crowdsec to be honest but this is not the place for this one.

So yes, same impressions, same fork in the road. No decision taken yet but feels close. I don't know yet what will replace it though.
#11
Quote from: newsense on June 25, 2026, 08:26:06 PM>>> Avoid Server Certificate Lifetimes > 397 Days


Or simply use your own certificate that can be issued from OPNSense, and enjoy 730 days of certificate validity. This is the hard limit from Apple for private/enterprise CAs

As long as you're controlling everything else on your VPN/devices importing your own CA everywhere is a no brainer.
So is this not going counter to the 397 days advice above? Asking because last time i was on this, the amount of effort I put into in vain was high.
#13
Thank you for this @meyergru . I had to abandon my last attempt at this and I can see from this what changes I must adopt despite following the guide, for instance not manually crafting the certs but using an app. The price of the recommended one for the this purpose stings but the technical background is very valuable. Thank you. I might be able to re-visit the attempts.
#14
My suggestion will be to test with a non-*bsd-based router. A Linux one instead.
user friendlies were dd-wrt and open-wrt. It's been a while since I looked, it might have changed.
The reason to suggest it is that you likely eliminate any possible tuning required under freeBSD for your connection. Linux tends to have more hardware support for NICs as well. Yes you are using well supported nics in freebsd but tunables could be a factor.
Additionally it might be possible to put some additional logging in place to support your case with the ISP.
#15
I would start looking for clues in two places: message buffer and system log which is /var/log/system/latest.log
Perhaps a live tail (tail -f) whilst renewing the dhcp lease from the ISP.