Messages - passeri

#1
General Discussion / Re: block cameras to internet
December 17, 2025, 11:44:35 PM
@robertkwild, I have a corresponding setup, cameras talking to an NVR which is accessible from an app or local web address. The NVR is on a unique subnet where it is blocked entirely from the internet. It is allowed to request only the time, which is served by Opnsense, or of course respond to received requests. I can use the app to access the NVR because access from the primary subnet into the NVR subnet is not blocked (direction). Thus, if you have carried out meyergru's suggested test you should find you have access from within your network, not from outside it. If that is the case then all is well with your rules.

To view your cameras when away from home, set up wireguard access to home, allowing requests from that subnet into the NVR subnet.

I am unable to comment on your rules for a couple of reasons. One is that as a usual practice I do not click on external image addresses in here. More importantly, using remote images means that those images will eventually die, making the entire thread meaningless for future readers. Please always upload images or code here using the tools available. It also enables easier reading and responses.
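A pf-syntax sketch of the policy this post describes, added here as an illustration. It is not the poster's own rule set and not an OPNsense export (OPNsense writes its pf rules from the GUI; this is the same policy written by hand). The interface names, subnets and addresses are assumed for the example:

```pf
# Assumed names and addressing, not taken from the post:
#   lan0 = primary subnet, nvr0 = camera/NVR subnet, wg0 = WireGuard
lan_net = "192.168.10.0/24"
nvr_net = "192.168.50.0/24"
wg_net  = "10.200.0.0/24"
fw_nvr  = "192.168.50.1"   # OPNsense address on the NVR subnet; it serves NTP

# "quick" makes the first matching rule final, which is how OPNsense
# interface rules behave, so order matters within each interface.

# NVR subnet: the only connection it may open is NTP to the firewall itself.
pass in quick on nvr0 proto udp from $nvr_net to $fw_nvr port 123 keep state

# Anything else the cameras or NVR try to start (internet, other subnets)
# is dropped and logged.
block in log quick on nvr0 all

# The primary subnet and WireGuard peers may open connections into the NVR
# subnet. The NVR's replies ride the state created by these rules, so no
# "pass out" rule is needed on nvr0 for them.
pass in quick on lan0 from $lan_net to $nvr_net keep state
pass in quick on wg0  from $wg_net  to $nvr_net keep state
```

Two things to check when reproducing this: the WireGuard listener still needs its own pass rule on WAN for the UDP port it uses, and the phone app must be pointed at the NVR's IP or hostname, since broadcast or mDNS discovery does not cross subnets. From a host on the NVR subnet, an HTTP request to an internet address should time out and appear in the firewall log, while an NTP query to the firewall succeeds; `pfctl -sr` on the firewall shows the rules as loaded.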
#2
I understand. I did similar for serial printer output (and keyboard input) on a CP/M machine, but that was a long time ago.
#3
Thank you for the additional explanation, meyergru. From the links I conclude that it is a case of test in your own environment. I had maxthreads and bindthreads set, with dispatch set now. I might re-do the process with testing.
#4
Quote from: lukas.liechti on December 15, 2025, 07:10:08 PM
Add another tunable. This time, we're allowing NIC drivers to use ISR queues.
net.isr.dispatch = deferred

Lukas, I was aware of the other tunables but I did not find this particular one in the Opnsense docs, whether on the page you reference or in a search. I did find it offered by Gemini.

Are you able to comment further on the source for this one please, and its actual effects? My reading of the referenced page is that it may be unnecessary.
#5
In the first of your images you appear to be looking at CPU utilisation in which case you are looking at percentages. It depends what you choose. Information about the measure is given on the Y axis label.
#6
Quote from: SenseX on December 14, 2025, 11:09:39 AM
Quote from: passeri on December 13, 2025, 10:39:08 PM
Are you referring to the comma after the date number, "December 11, 2025"? Are there other commas I am not seeing in the images?

That is one of the standard (i.e. common) date formats.
Hi,
It's not the date. The other numbers: First image:

user: 2,304  <------ 2,3 or 2304?

Ah, the not-a-comma commas :-)
#7
Hardware and Performance / Re: DEC750 Questions
December 13, 2025, 10:58:30 PM
Quote from: ProximusAl on December 13, 2025, 06:27:59 PM
I am now officially a massive fan of Deciso hardware :)
I made a journey from "too expensive" to "massive fan", with the bonus support reason cited by Seimus. It is great that you can get a Community Edition of Opnsense and stick it on what you have (as I first did), or a VM, or cheap fancy-spec new hardware (as I next did) but for anyone for whom DEC hardware is in reach, I suggest the plunge is most rewarding.
#8
Are you referring to the comma after the date number, "December 11, 2025"? Are there other commas I am not seeing in the images?

That is one of the standard (i.e. common) date formats.
#9
Get another AP. Attach one to each of the two LAN ports, configured as described by Coffeecup25. Run the IoT one on the 2.4 GHz band as a completely separate network from your primary LAN devices on a 5 GHz band. Usually IoT devices do not need much data so bandwidth is unlikely to be an issue. You can find APs with a few ethernet ports at low cost.

It is possible to run multiple wireless networks off a single AP but that does not solve your upstream problems as easily as whacking on another AP on a distinct network.
#10
Hardware and Performance / Re: Running OPNsense on the go
December 04, 2025, 10:32:56 AM
I am interested in what low-power device you are using and what the WiFi component is.
#11
Q-Feeds (Threat intelligence) / Re: Bigcommerce problem
November 15, 2025, 05:28:56 AM
Quote from: vk2him on November 15, 2025, 03:24:31 AM
I just tested with Wireguard and it does block if you add the Wireguard interface into the two Qfeeds floating rules:

It blocked a known malicious IP on my LAN and Wireguard interfaces:

I think we are talking about different things. If I am out and using my VPN server at home, the Wireguard interface is in Qfeeds and traffic is normal from its point of view. If I am at home and using a VPN provider so it is not my home address, Qfeeds sees only an encrypted stream to my VPN provider. It is the latter case I was discussing.
#12
Q-Feeds (Threat intelligence) / Re: Bigcommerce problem
November 15, 2025, 03:18:26 AM
Quote from: vk2him on November 15, 2025, 02:42:42 AM
I thought Qfeeds would filter the VPN (if you added within the floating rule) the interface list that currently has WAN?

I have set up daily Time Machine backups for her to the NAS. These will fail silently while she is on an external VPN.

@Qfeeds Thank you. Possible festive presents are being contemplated once more, without intervention by me. :-)
#13
Hardware and Performance / Re: Single home... device?
November 14, 2025, 01:12:07 AM
Quote from: kosta on November 13, 2025, 03:13:21 PM
Do you know whether there are any issues with Macs, when it comes to the serial connection? Like MBP with an USB->USBc converter? (have seen the info on the page about macOS, just asking for experience)
I found it worked more smoothly than expected, a contrast with trying to work a serial connection to a Hunsn box. I used the cable which comes with the Deciso with an Apple USB A->C converter (A1632) but other converters should work. There are various apps on the app store. My preference after trying three is SerialTools. You can save a configuration document and start that. I think Apple's screen in Terminal works too.
#14
Q-Feeds (Threat intelligence) / Bigcommerce problem
November 14, 2025, 12:57:25 AM
My wife raised that she could not reach a NZ web site, miwoollies.com, with whom we have dealt occasionally over many years. I found I could, then realised I was still on the VPN so obviously Qfeeds was stopping her, which proved true. The address in question is 192.200.160.14 which threat lookup shows to be Bigcommerce Inc. This is the same site, different IP, I raised a few days ago when she was trying to reach the Australian luxury goods site Oroton, although the problem was less important then. The relevant list is James Brine Bruteforce IPs feed.

As we discussed before, bigcommerce is used by both legitimate and non-legitimate players. Is the solution to whitelist selected IPs as they arise, in floating rules? If I install a VPN on her machine she will probably wind up leaving it on, bypassing Qfeeds. Is the bigcommerce listing open to refinement?
#15
Coincidentally I have this evening (my time) received an alert from haveibeenpwned about an aggregated list from Synthient last April, in which list an email and password appear. Given that list gathers previous material the alert probably repeats previous rather than being new. In any case, without knowing the breach source there is really nothing to do if passwords are strong and never reused. Criminals are not going to expend centuries trying to brute-force long random strings and state actors would not be interested in me.

This is still in the vein of saying of course my e-mail is known, and in some cases they can see the lock (hashed password) but breaking it is another matter so why jump on hearing someone else knows my email and a singular lock? If it were to something critical then I will hear from the organisation and can act as a precaution, though all critical assets have 2FA anyway.

While other people may have a different view, I am not seeing credential monitoring as worth the investment unless it can tell me precisely on which site the breach occurred.

Edit to add: I am my own e-mail provider, and have for many years kept anything important out of e-mail unless the message itself has strong encryption.