Messages

I created firewall rules for GeoIP blocking and spam blocking using spamhaus.

Is it necessary to update these rules every so often, or do they update on their own or is an update not needed at all?

Thank You

I just check for updates on on of my routers and the version it is currently run is 25.7.7_4 (amd64) at Sun Nov  9 17:17:29 UTC 2025.

I had everything working correctly, then this past weekend Fri Oct 31 actually I had to restore defaults. I believe an update was done after I initially got it configured, but before the restoring of defaults.

I have three local LANS - LAN1, LAN2, and LAN3.

The issue I am having is after a restart ISC DHCPv4 Server is running. That would be fine, however only LAN2 and LAN3 can get IP Address' form DHCP, LAN1 cannot. However, if I stop ISC DHCPv4 Server and start Dnsmasq DNS/DHCP. Then all three networks can get IP Address' from DHCP.

How can I either get all three networks to get IP Address' from ISC DHCPv4?
Or make Dnsmasq DNS/DHCP the default DHCP server?

Is there any benefit from using one over the other?

I need to set up dual WANS on multiple routers.

I found this Multi WAN.

Is this the best tutorial to use
If it is the best, what is the point of the monitor IPs. I get what they are (going by the name anyway, maybe they aren't what I think), what is their purpose for dual wans? IE why are they need for a multi WAN setup but not a single WAN setup?
If this is not the best tutorial, what is?

Did you install the plugin ? GUI or SSH would work just fine

Code Select Expand

pkg install os-realtek-re

Thank You that resolved the issue. All five NICS are now visible and usable by OPNSense.

Did you install the plugin ? GUI or SSH would work just fine

Code Select Expand

pkg install os-realtek-re

No, I did not. I didn't have to with the i5's. However, I will try it.

I just recently purchased five (5) Lenovo M920Q with I3 processors. I also just recently purchase five (5) H!Fiber quad port 2.5G Network Card with the Realtek RTL8125 Chip. One NIC card for each of the M920Qs. All five M920Qs came with Windows 10.

With in Windows all five NICS (4 on the NIC and the one on board or integrated) connect at 1G to a 1G switch. However, when doing automatic port assignment only the on board NIC is recognized to have an active connection. All four ports on the quad NIC and on the switch get link lights but not activity or connection speed light.

I also have two M920Q with i5 processors and they work fine. I do not know if it matters but these were running version 24.7 and I upgraded them t0 25.1. The i3's are a fresh install of 25.1.

I am going to try to install 24.7 for giggles (if I can find the image)

Anybody have any suggestions

Thank You

Does this UPS have a network interface? If yes there should be a web UI for tasks like this. If it doesn't you probably need APC's proprietary software on Windows or Linux and a USB or serial connection.

For my Cyberpower UPS with RMCARD205 I can do it in the web UI.

It does but it is only for surge protection (In and out). It does not receive an IP address.

Thank you. I am trying to get SSH to work so I can try. Using the console would be difficult in my situation.

I am running 25.1.1

I have just connected a APC Back-UPS XS 1500 LCD, I have a few of questions.

• Both in the Apcupsd widget on the dashboard and in status under the Apcupsd service it says the battery date is Dec 7, 2006. I just replaced the battery February 15. How can I update this?
• The APC Windows app has a button to test the UPS, is it possible to perform this test in OPNSense?
• In the APC Windows app the minimum and maximum voltages can be change for it to go on battery. Is it possible to change these in OPNSense?

The way I got it working my not be ideal but I didn't have to beat my head against a brick wall to get it to work.

I first posted on the OpenWRT forums, was told I need to create a route on OPNSense.
I then post here and was told it would be better to create the route on the Debian (spam) server
I posted on the Debian forums and was told I should redo part of my network.

It appeared that it was not going to be fun nor easy to get OPNSense, OpenWRT and Debian to all play nice. So I modified what I already had. I already had a cable connected to the 10.78.239.0 network and one connected to the 192.168.107.0 network, although 192.168.107.0 was DHCP -- not ideal but was meant to be temporary. I changed it to a static IP with no assigned gateway. I then created firewall rules on the Debian server to allow SMTP traffic then block everything else.

Yes, basically I'd have what you described. 10.78.239.106 is my spam server which will forward any "clean" / "legit" email to the exchange server. I do have a web server and an RMM server also in the DMZ, but the spam server will be the only one to send unsolicited or unrequested traffic to the 192.168.107.0 network.

Thanks you for the advice, I have never had to set up a static route on any firewall or OS

I am looking for some assistance adding a route.

From the image below I need to create a route preferably only from 10.78.239.106 to 192.168.107.10. If I understand correctly I need to create another gateway. If so, do I use 10.78.239.1 or 10.78.239.2?

I'd appreciate if somebody could add some clarity or provide a good link that does a good job of describing the process.

Thank You

I got it working, however, being completely honest I have no idea how.

I decided that I did not like the network scheme. It half matched the scheme that I use on my private network. I deceided I wanted my DMZ to closely match the public scheme. I changed the 2nd,3rd and 4th octets of the private IPs to match the 2nd,3rd and 4th octets of my public IPs. Now for what ever reason all port forwards, work as I want.

I am having issues with DNS. It works locally, but will not work for public sites / addresses. But I don't see how that would have affected port forwarding.

I agree with dseven.  Run a packet capture on the WAN. Assuming you see them, then alter your one to one NAT rule to log. Also create a rule on the LAN side to permit logging of packets to the Debian 12 box.

I have run a packet capture on the WAN, and only got a "Who is" with no response. I did run it with one-to-one enable. I will also run it with it disabled.

You do mention that even with the one to one in place, you are getting the wrong IP for outbound packets, so it's possible the packets are making it all the way to the Debian box, but the replies to the TCP handshake come from the .105 ip instead of .106. A packet capture on the Debian 12 box could be informative too.

This is why I posted to the forums as well as here, I have been trying to figure this out for quit a few days and I think I might be getting tunnel vision.

But then again, 443 is open on .105 as well which goes to the Exchange Server. So wouldn't it still report as being open?

I will say you should do more to narrow down in what point in the process are things breaking. With that info, others that have worked with 1 to 1 NATs may have some insight.

Again, this why I asked for help, may times I have been sitting here looking at my screen telling my self I don't know what else to do. I did not think of this.

Is it possible something on the Debian firewall is permitting LAN but not non-LAN?

Possible? I suppose - in theory anyway. But I doubt it. I did try to access it and used the port checker with the host firewall disabled. Both attempts failed.

I have done everything I can think of.

• I can take the IP in question and put it in my notebook and ping in and out.
• I have tried two different versions of OPNSense 24.7.3_1 and 24.7.12
• I have tried two different PCs, one with an Intel quad port NIC and one with two RealTek NICS
• I have restored to defaults and manually reconfigured all settings on both PCs and both versions tried
• Of the three virtual IPs i have set up and enabled with one-to-one enabled I am unable to ping any of them, with the virtual IP disabled I can ping all of them. (Yes I know that is backward.
• Running NMAP on the IP in question with the one-to-one enabled nmap tells me the system appears to be down, with the one-to-one disabled I get more "positive" results IE trace rt, port scan etc.
• I have tried a packet capture on the IP in question and the only thing I got was a "Who is" broadcast, with no response.
• MY ISP (Comcast) swears (I spoke with multiple people) there is no issue with the IP, IE has not been assigned to another customer (which makes since), no router issues, ports not blocked etc. Although I am expecting a phone call by Saturday from tier 2 support.
• Host firewall is in use but disabled for testing purposes
• Other virtual IPs although experience the same behavior with pinging, only get response with one-to-one disabled, all work just fine. IE ports forwarded and work on those IPs just as intended. It is just the one IP that is having issues.

I would ask my ISP for a new block of IPs if I thought that would work, but I don't want to go through all that work, update DNS etc if it isn't going to work. But then on the other hand if I don't try how will I know?

I am at a loss of what to do from here!

Anyone else have any ideas?