"
This Akamai WAF blocking your connection to the website, probably due to your VPN (on a VPS/Cloud?) or some other rule triggering it.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
25.7 Series / Re: https://errors.edgesuite.net/18.8d4f2417.1759419363.417b068
October 02, 2025, 07:05:13 PM #2
25.7 Series / IPv6 prefix modifcation crashing OPNsense
October 02, 2025, 10:55:29 AM
I have a working IPv6 setup with /64 prefix delegation from ISP, but any attempt to change "Prefix delegation size" with "Send prefix hint" crashes the firewall. I am able to consistently reproduce this, every time I attempt to change these values, routes crashes and reboots.
Code Select
Versions
OPNsense 25.7.4-amd64
FreeBSD 14.3-RELEASE-p2
OpenSSL 3.0.17Code Select
[44893]
[44893]
[44893] Fatal trap 12: page fault while in kernel mode
[44893] cpuid = 0; apic id = 00
[44893] fault virtual address = 0x10
[44893] fault code = supervisor read data, page not present
[44893] instruction pointer = 0x20:0xffffffff80e054e6
[44893] stack pointer = 0x28:0xfffffe0145ffca70
[44893] frame pointer = 0x28:0xfffffe0145ffcb90
[44893] code segment = base 0x0, limit 0xfffff, type 0x1b
[44893] = DPL 0, pres 1, long 1, def32 0, gran 1
[44893] processor eflags = interrupt enabled, resume, IOPL = 0
[44893] current process = 87956 (tailscaled)
[44893] rdi: fffff8000baba000 rsi: 000000000000001c rdx: 0000000000000010
[44893] rcx: 00000000ffffffff r8: 00000000000000fd r9: 000000006529fcfd
[44893] rax: 0000000000000000 rbx: fffff8000baba000 rbp: fffffe0145ffcb90
[44893] r10: fffff8072ff77b18 r11: fffff8013fe18970 r12: fffffe0145ffcb30
[44893] r13: fffff8021286cd80 r14: fffffe0145ffcb30 r15: fffff80612e18a80
[44893] trap number = 12
[44893] panic: page fault
[44893] cpuid = 0
[44893] time = 1759394699
[44893] KDB: stack backtrace:
[44893] db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0145ffc7c0
[44893] vpanic() at vpanic+0x161/frame 0xfffffe0145ffc8f0
[44893] panic() at panic+0x43/frame 0xfffffe0145ffc950
[44893] trap_pfault() at trap_pfault+0x3da/frame 0xfffffe0145ffc9a0
[44893] calltrap() at calltrap+0x8/frame 0xfffffe0145ffc9a0
[44893] --- trap 0xc, rip = 0xffffffff80e054e6, rsp = 0xfffffe0145ffca70, rbp = 0xfffffe0145ffcb90 ---
[44893] in6_selectsrc() at in6_selectsrc+0x636/frame 0xfffffe0145ffcb90
[44893] in6_selectsrc_socket() at in6_selectsrc_socket+0x41/frame 0xfffffe0145ffcbd0
[44893] in6_pcbconnect() at in6_pcbconnect+0x1b3/frame 0xfffffe0145ffcc50
[44893] tcp6_connect() at tcp6_connect+0x69/frame 0xfffffe0145ffcc90
[44893] tcp6_usr_connect() at tcp6_usr_connect+0x32e/frame 0xfffffe0145ffcd20
[44893] soconnectat() at soconnectat+0xb1/frame 0xfffffe0145ffcd60
[44893] kern_connectat() at kern_connectat+0xed/frame 0xfffffe0145ffcdc0
[44893] sys_connect() at sys_connect+0x81/frame 0xfffffe0145ffce00
[44893] amd64_syscall() at amd64_syscall+0x117/frame 0xfffffe0145ffcf30
[44893] fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0145ffcf30
[44893] --- syscall (98, FreeBSD ELF64, connect), rip = 0x49c0ff, rsp = 0x87082f3e8, rbp = 0x87082f3e8 ---
[44893] KDB: enter: panic
panic.txt0600001215067435613 7143 ustarrootwheelpage faultversion.txt0600007515067435613 7547 ustarrootwheelFreeBSD 14.3-RELEASE-p2 stable/25.7-n271676-ab2281de1853 SMP
OPNsense (c) 2014-2025 De
#3
25.1, 25.4 Series / UX - Multiple VPN Tailscale and Openconnect
April 09, 2025, 06:00:54 PM
OpenVPN, IPSec, Wireguard, Zerotier allow multiple VPN instances or VPN Network membership. It would make sense to keep this UX consistent and allow/Add feature for Tailscale and Openconnect as well.
#4
Hardware and Performance / Re: OPNsense Firewall Hardware
February 23, 2025, 06:36:50 AM
The same vendor has N100 pc as well, check it https://clientronix.in/product/clientronix-alpha-100/
#5
24.7, 24.10 Series / Re: Netflow excessive CPU and disk I/O usage
January 07, 2025, 02:32:25 PMQuote from: Patrick M. Hausen on December 29, 2024, 02:07:02 PMNetflow creates a protocol entry of every single connection. On a busy gateway what you observe is just expected. It's a heck of a lot of data, so there is no "solution".
You could set up an external network management system and netflow aggregator and send the data there instead of processing it locally. Most products are commercial, though. I am still investigating if there is any open source tool I can use.
I use Elastiflow (renamed to NetObserve). They have a free tier license which is good enough for homelab use.
https://www.elastiflow.com/basic-license
#6
24.7, 24.10 Series / SOLVED: Unexplained drop in LAN to WAN speed
January 05, 2025, 07:09:52 PM
Solved.
Looks like mismatched jumbo frames enabled on the couple of switches might have been causing this issue. Disabled Jumbo frames on all devices across the network, which resolved the issue.
Looks like mismatched jumbo frames enabled on the couple of switches might have been causing this issue. Disabled Jumbo frames on all devices across the network, which resolved the issue.
#7
24.7, 24.10 Series / Re: Unexplained drop in LAN to WAN speed
January 03, 2025, 08:19:07 PM
I am running homelab with Elastiflow, Grafana (prometheus exporter) and Librenms (snmpv3), none of the observability platforms are showing any anomaly.
The last change I made was to add bunch of VLAN interfaces, planning to use trunked L3 switch for VLAN seggregation. I will remove these interfaces to check if it makes any difference.
The last change I made was to add bunch of VLAN interfaces, planning to use trunked L3 switch for VLAN seggregation. I will remove these interfaces to check if it makes any difference.
#8
24.7, 24.10 Series / Re: Unexplained drop in LAN to WAN speed
January 03, 2025, 08:07:07 AM
I have RSS enabled,
Tunables are also as per recommendations
Code Select
net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 4
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 6
net.inet.rss.maxbits: 7
net.inet.rss.mask: 3
net.inet.rss.bits: 2
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1
Tunables are also as per recommendations
Code Select
net.isr.bindthreads = 1
net.isr.maxthreads = -1
net.inet.rss.enabled = 1
net.inet.rss.bits = 2
#9
24.7, 24.10 Series / Unexplained drop in LAN to WAN speed
January 02, 2025, 02:12:32 PM
OPNsense 24.7.11_2-amd64
Intel Core i5-8500 CPU @ 3.00GHz Tiny PC
Generic NIC with Intel T4xI350
WAN 1 gbps
iperf3 LAN host to Opnsense Firewall ~ 900 mbps
Opnsense Firewall to WAN speedtest ~ 900 mbps
But LAN host to Speedtest (same server id) ~ 300 mbps
Tested across multiple LAN hosts
Disabled Zenarmor, no change
Disabled traffic shaping, no change
Not running any IDS/IPS, Crowdsec etc.
Any troubleshooting tips?
Intel Core i5-8500 CPU @ 3.00GHz Tiny PC
Generic NIC with Intel T4xI350
WAN 1 gbps
iperf3 LAN host to Opnsense Firewall ~ 900 mbps
Opnsense Firewall to WAN speedtest ~ 900 mbps
But LAN host to Speedtest (same server id) ~ 300 mbps
Tested across multiple LAN hosts
Disabled Zenarmor, no change
Disabled traffic shaping, no change
Not running any IDS/IPS, Crowdsec etc.
Any troubleshooting tips?
#10
24.1, 24.4 Legacy Series / Re: OpenVPN - Selective Routing to External VPN Endpoint
February 25, 2024, 08:34:24 AM #11
24.1, 24.4 Legacy Series / Re: OpenVPN - Selective Routing to External VPN Endpoint
February 23, 2024, 10:33:01 AM
Some additional troubleshooting, packet capture only shows packet leaving the interface, but nothing from remote
Also, lan clients can ping VPN interface IP on firewall
Btw, I have only route-noexec enabled on the VPN client configuration
Also, lan clients can ping VPN interface IP on firewall
Btw, I have only route-noexec enabled on the VPN client configuration
#12
24.1, 24.4 Legacy Series / OpenVPN - Selective Routing to External VPN Endpoint
February 22, 2024, 09:28:58 PM
Versions OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13
I have OpenVPN client connected to a VPN provider, VPN connection is up and Interface/Gateway are also up (VPN -->OpenVPN-->Instances). I can ping and traceroute through the tunnel IP to internet (Gateway --> Diagnostic) from the firewall itself.
I have use case similar to https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html where I need only few LAN client traffic to traverse through the VPN connection/interface.
For some reason, I cannot seems to get it working. I have the Outbound NAT and Rule on LAN interface configured but none these LAN clients cannot seem to be able to reach internet. Traceroute/Ping just timeout. Removing the LAN interface firewall rule cause all traffic to go through WAN interface, which is not what I want.
Any ideas how to troubleshoot or fix this?
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13
I have OpenVPN client connected to a VPN provider, VPN connection is up and Interface/Gateway are also up (VPN -->OpenVPN-->Instances). I can ping and traceroute through the tunnel IP to internet (Gateway --> Diagnostic) from the firewall itself.
I have use case similar to https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html where I need only few LAN client traffic to traverse through the VPN connection/interface.
For some reason, I cannot seems to get it working. I have the Outbound NAT and Rule on LAN interface configured but none these LAN clients cannot seem to be able to reach internet. Traceroute/Ping just timeout. Removing the LAN interface firewall rule cause all traffic to go through WAN interface, which is not what I want.
Any ideas how to troubleshoot or fix this?
#13
23.7 Legacy Series / [SOLVED] LAN clients cannot ping internet IPv6 addresses
December 02, 2023, 04:08:20 PM
Solved this with following config, IPV6 works with Etisalat Dubai, which gives /64 prefix. LAN clients get IPv6 Global Addresses and routing to external IPv6 addresses
[WAN]
[LAN]
Services: Router Advertisements: [LAN]
[WAN]
Code Select
IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration
Use IPv4 connectivity: Checked
[LAN]
Code Select
IPv4 Configuration Type: Static IPv4
IPv4 Configuration Type: Track Interface
Track IPv6 Interface
IPv6 Interface: WAN
Manual configuration: Checked (Allow manual adjustment of DHCPv6 and Router Advertisements)
Services: Router Advertisements: [LAN]
Code Select
Router Advertisements: Unmanaged
#14
23.7 Legacy Series / Re: LAN clients cannot ping internet IPv6 addresses
November 16, 2023, 04:29:39 AM
That would required DHCPv6 and Route Advertisement enabled, right?
QuoteThat is perfectly ok and intended. Your LAN clients will (if all else goes well) be able to communicate using the GUA from that single /64 and your OPNsense will route the packets using a link-local address.
#15
23.7 Legacy Series / Re: LAN clients cannot ping internet IPv6 addresses
November 15, 2023, 10:01:13 PM
The IPv6 I get on WAN/LAN are identical except last octet with /64 prefix
The reddit post mentioned above is the exact situation I am in.
Can someone translate it to OPNsense setup?
If I change WAN to "Request only an IPv6 prefix", the WAN interface only get a link-local address
Code Select
LAN 2001:XX:XX:XX:XX:XX:XX:2f10/64
WAN 2001:XX:XX:XX:XX:XX:XX:2f13/64The reddit post mentioned above is the exact situation I am in.
Can someone translate it to OPNsense setup?
QuoteI gave up on MikroTik and used cisco ISR router. I was able to configure dialer interface via ppp, request dhcp-pd prefix and create own DHCP with ULA addresses. So now I have both stable internal IPv6 network and ipv6 internet access.
If I change WAN to "Request only an IPv6 prefix", the WAN interface only get a link-local address
Code Select
fe80::7e5a:1cff:fe6d:2f11
