Messages

Finally got around to installing this, and bought a plus license. Nothing much to add beyond the feedback already given - very impressed!

Agree with Seimus comments on VPN endpoints above

I don't think I've seen a comment for these:

-The manual/setup instructions don't explicitly tell you to enable logging for the rules you set up - that might not be obvious for less experienced users.

-Also when talking about Source/Destination and Block/Reject it says "For your LAN (source) rule you could use Reject" - per the rule examples is that not Rule 1 / Destination (rather than source)? 

How long before we might be able to utilise Domains and URLs feeds in OPNSense?

This sounds really good. I'm not sure I'd be able to offer any useful feedback, but I am very likely to deploy this at home - when is 'general availability' forecast? Thanks.

This position might make me reconsider my subscription to be honest. Multi core support for core functions is not really a 'power user' option when you offer IPS and Filtering policies as part of the Home subscription, but for many they are unusable on what is now a fairly standard 900mbps home connection if you want full throughput. How do you define 'broader home community?' I daresay that community probably doesn't use a next gen firewall, need 5 policies, use IPS, or even uses Zenarmor (or indeed OPNSense) at all! There wasn't multi-core support when I started my subscription, but I didn't realise that and was surprised, and later found I could not use the IPS as a result. When I thought it was a technical limitation it was annoying but something I tolerated whilst frequently considering if I was actually getting good value. Now the omission of multi-core support is a purely commercial decision, that shifts the balance for me.

One for me to think about carefully over the coming days.

Oooh this looks interesting. I have wanted to use PPSK via freeradius on Omada for a while - I am currently doing it by WiFi password which is quite annoying. How do I use your patch?

Hi,

Actually for the full TLS inspection, Zenarmor has SASE Starter license tier for home users. Did you check it?

I can't see that on the website - are you able to link to it so we can take a look?

Are you all using Suricata?

FWIW as another data point, have been updated for a few hours now and no issues. Not using Suricata.

So is the answer 1024 or 2048, and what's the downside of either? (Particularly the higher value).

Hello, I have a genuine question regarding Zenarmor's development. I've noticed there haven't been any updates since February, and the roadmap seems to be on hold. Additionally, the UI hasn't yet been updated to align with the new OPNsense interface. Like many others, I'm really hoping the promised multicore support will be released in July and made accessible beyond just premium users. I sincerely hope the team is doing well and continuing their great work. Thank you for all your efforts!

Yeah, I'm not sure. It does appear that ZA might be in some trouble? No official response to the feedback provided in this thread and the last release in February with no clear indication as to what's being worked on might indicate an issue. Although someone mentioned that the next release is sometime in July.

Version 2.0 releases tomorrow...

Turned out to be a hardware issue, but thanks for your reply!

What was the hardware issue, and did you solve it? I have suddenly started seeing the same.

@Taunt9930 - where did you see that mentioned in the docs?

Second Paragraph of the DHCP Reservations section. But, as indicated above by Cedrik, not considered a contributing factor so a red herring perhaps!

Please create separate threads for separate issues, this one is about tracking the weird dns forwarding issues of the OP.

Understood - not an issue, as such, was just seeking to understand if it might be contributing to this issue as the OP indicated that this is one area where they have deviated from the docs direction- hence asking the question in this thread. Your reply suggests it is not a factor, so noted - thanks.

@meyergru could you quickly provide some clarity on ranges?

If we set a DHCP range as per the docs of, say, 192.168.1.10 - 192.168.1.100 for dynamic leases, and then set a reservation up for 'Host A' at address 192.168.1.200 - do we need to set up a separate range but with mode 'static' that incorporates the desired reserved addresses?

The docs suggest we need to for DHCP v4, but the OP suggests they haven't done so and addresses are being set/reserved - what are the side effects of not doing so / why do we need a range set?

Just asking as this is contrary to what people are used to with Kea etc - the direction there was to ensure any reservations were explitly OUTSIDE of any defined ranges on the DHCP server...

Thanks.

Although it doesn't help with the DNS resolution issue, there is something strange going on with static reservations.

My desktop PC has 2 NICs (one of them is kept disabled).  Until now I was using the first NIC with a static reservation in Dnsmasq.  In this case, the DNS suffix was always coming as "h1.home.arpa" even though that client is not part of that DHCP range:

Code Select Expand

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : h1.home.arpa
   Description . . . . . . . . . . . : Intel(R) Ethernet Controller (2) I225-V
   Physical Address. . . . . . . . . : 24-xx-xx-xx-xx-CD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:xx:xxxx:xxxx:xxxx:xxxx:xxx:f69(Preferred)
   IPv6 Address. . . . . . . . . . . : fdf8:fb25:3a87:1030:xxxx:xxxx:xxxx:3a21(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:xx:xxxx:xxxx:9cb5:6288:f91:c4c6(Preferred)
   Temporary IPv6 Address. . . . . . : fdf8:fb25:3a87:1030:9cb5:6288:f91:c4c6(Preferred)
   Link-local IPv6 Address . . . . . : fe80::52cc:xxxx:xxxx:c813%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.30.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 19, 2025 3:58:47 PM
   Lease Expires . . . . . . . . . . : Tuesday, May 20, 2025 3:58:44 PM
   Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:39a0%11
                                       192.168.30.1
   DHCP Server . . . . . . . . . . . : 192.168.30.1
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : 00-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-CD
   DNS Servers . . . . . . . . . . . : 192.168.30.1
                                       2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       h1.home.arpa

Switching over to the second NIC, this time I get a DHCP dynamic lease in the same range (192.168.30.x), but now the DNS suffix comes as "home.internal" (as configured in the pool):

Code Select Expand

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : home.internal
   Description . . . . . . . . . . . : Realtek PCIe 2.5GbE Family Controller
   Physical Address. . . . . . . . . : 78-xx-xx-xx-xx-55
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:xx:xxxx:xxxx:xxx:xxxx:2631:c6ff(Preferred)
   IPv6 Address. . . . . . . . . . . : fdf8:fb25:3a87:1030:xxxx:xxxx:xxxx:e66b(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:xx:xxxx:xxxx:1de4:e57c:4ae3:f9dd(Preferred)
   Temporary IPv6 Address. . . . . . : fdf8:fb25:3a87:1030:1de4:e57c:4ae3:f9dd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::ec8a:xxxx:xxxx:454c%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.30.164(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 19, 2025 4:02:00 PM
   Lease Expires . . . . . . . . . . : Tuesday, May 20, 2025 4:01:59 PM
   Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:39a0%8
                                       192.168.30.1
   DHCP Server . . . . . . . . . . . : 192.168.30.1
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : 00-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-CD
   DNS Servers . . . . . . . . . . . : 192.168.30.1
                                       2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       h1.home.arpa

Why should static leases not get the same DNS suffix as the DHCP range configured?

Does the static address sit within a configured DHCP range (set as mode static) in DNSMASQ for that interface? E.g. an additional range for your reservations?

Per the Docs:

"DHCP reservations
A DHCP reservation will always assign the same IPv4 and IPv6 addresses to a client.

For an IPv4 reservation, a DHCPv4 range should exist. If this DHCPv4 range should only serve reservations, set it to static"

Hi,

Good news regarding multicore support. We have released a test binary. Kindly contact the support team via the "Have Feedback" option located in the bottom right corner of the UI if you wish to try it out.

Thank you, I will do this now.

Has it made a difference in your use-case?

It is literally in the docs.

Wow, completely missed that! Thank you.

Is there a recommended setting for percentage of RAM for both?