Messages - vivekmauli14

#1
Hi Eric,

Thanks for reverting! I believe support of protocols is important; VLAN can be makeshift, however, if we can understand the support on these protocols.

Best,
VivekS
#2
Hi all,

I'm working on securing an environment where both IT and OT networks are present, and I'm evaluating OPNsense as the firewall platform. I'm particularly interested in knowing whether OPNsense (natively or via plugins like Suricata or Zenarmor) supports the detection, filtering, or deep packet inspection (DPI) of common OT/ICS protocols such as:

Modbus

DNP3

OPC UA

BACnet

PROFINET

EtherNet/IP

I understand that OPNsense primarily focuses on traditional IP networking and Layer 3/4 firewalling, but any insights on visibility into these industrial protocols—whether through IDS/IPS rulesets, DPI capabilities, or plugin support—would be very helpful.

Has anyone deployed OPNsense in an IT/OT convergence setup and can share their experience or best practices?

Thanks in advance!
#3
Hi Franco,

I was trying to build a new 24.7 ISO as my whole lab is set up with 24.7. My previous build machine is stuck on make ports, and when I tried to rebuild a build environment I am getting pkg error 22.2, and the above method doesn't work as FreeBSD no longer supports 1.19. Please help with what can be done here:

USER=root
>>> Running build step: ports
>>> Passing arguments: (none)
Installed pkg version '2.1' does not match required version '1.19'
To fix this please run 'make -C /usr/ports/ports-mgmt/pkg clean all reinstall'
*** Error code 1

Stop.
make: stopped in /usr/tools


root@build:/usr/ports/ports-mgmt/pkg # make && make reinstall
===> Building/installing portconfig as it is required for the config dialog
===>  Cleaning for portconfig-0.6.2
/!\ ERROR: /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

No support will be provided if you silence this message by defining
ALLOW_UNSUPPORTED_SYSTEM.

*** Error code 1

Stop.
make[3]: stopped in /usr/ports/ports-mgmt/portconfig
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/ports-mgmt/portconfig

===> Options unchanged
/!\ ERROR: /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

No support will be provided if you silence this message by defining
ALLOW_UNSUPPORTED_SYSTEM.
#4
Hi,

We have a network setup with two ISPs: Airtel and Spectra, both providing static and public IPs along with gateways. We have configured load balancing and failover with Airtel set as Tier 1 and Jio set as Tier 2.

Problem:
We are trying to ensure that speed test requests are routed through the correct gateway:

When Airtel is active, the speed test request should route through Airtel's gateway.
When Spectra is active, the speed test request should route through Spectra's gateway.
However, despite configuring the gateways in a failover setup with both gateways under Tier 1, this behavior is not occurring.

We would appreciate any advice or insights on making the speedtest request route through the correct active gateway, depending on which ISP is active.

Thanks!
#5
Hi all,

I have a setup where two gateways are configured in a failover group and are assigned the same Tier (Tier 1) when creating the Gateway Group. I would like to understand how traffic is routed in this scenario:

Is traffic always routed through the currently active gateway in the failover setup?
Or could it still be routed through either gateway despite the failover configuration?
What I need to ensure is that traffic is routed strictly through the Active Gateway only, even during tests such as a speed test. In other words, I want the inactive gateway to not be used at all.

Could someone guide me on the correct configuration to achieve this behavior? Any help would be greatly appreciated!

Thanks!

Best,
VivekSP
#6
Hi,

With reference to this thread,

can anyone tell me how I can modify the installer repository and use it in the build? I have to add an extra dialogue box in the installer option which will help me store some info about the device. I currently do the same by running a Python script to ask questions and store their answers where I want,

but adding this to the installation script will help me make it more streamlined. I cloned the whole installer repo and modified it wherever needed.
Then after that I ran

make makesum

and make install clean

With this I'm getting an error in make core:


You may want to add user openvpn and group openvpn when creating your
configuration files, the example configuration shows this only as comments.
Could not find package: opnsense-installer
*** Error code 1

Stop.
make: stopped in /usr/tools


Any help or guidance on this would be much appreciated. Thanks in advance.


Best,
VivekSP
#7
Hi,

I have configured an Alias (Hosts type) in the firewall to allow access to specific websites such as Stack Overflow and GeeksforGeeks, while blocking all other network traffic. However, when attempting to access these sites under this configuration, I observe the following issues:

Slow Response Time: Unlike unrestricted access, the websites take significantly longer to load.
Partial Page Rendering: Only the HTML body is rendered, while CSS stylesheets and JavaScript resources fail to load.
Domain Resolution Issue: External dependencies (e.g., CDNs, scripts, styles from third-party domains) are not being resolved correctly when using the Alias-based allow rule.

What additional configurations are required to ensure that websites load fully when using Alias (Hosts type) filtering in OPNsense? Could this be a DNS resolution or firewall handling issue?

Looking forward to a solution.

Thanks,
Best,
VivekSP
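The partial rendering described in the post above is the expected result of a Hosts alias that lists only the site's own name: stylesheets and scripts are fetched from other hosts, and those requests fall through to the block rule. The script below is an added example, not code from the post or from OPNsense; it parses a saved copy of a page (constructed sample HTML with placeholder hostnames) and lists the third-party hosts that would also need an alias entry.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes whose URL the browser fetches as a sub-resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
}


class ResourceHostParser(HTMLParser):
    """Collects hostnames of sub-resources that are not on the page's own host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in RESOURCE_ATTRS.get(tag, ()):
                continue
            # Protocol-relative URLs ("//cdn...") carry a host but no scheme.
            url = "https:" + value if value.startswith("//") else value
            host = urlparse(url).hostname
            # Relative paths have no host: they go to the page host, already allowed.
            if host and host.lower() != self.page_host:
                self.hosts.add(host.lower())


def external_hosts(html, page_host):
    """Return the sorted list of third-party hosts a page needs to render fully."""
    parser = ResourceHostParser(page_host)
    parser.feed(html)
    return sorted(parser.hosts)


# Constructed sample page; the hostnames are placeholders, not real CDNs.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://static.example-cdn.net/site/main.css">
<script src="//scripts.example-cdn.com/lib/app.js"></script>
<link rel="stylesheet" href="/assets/local.css">
</head><body>
<img src="https://images.example-cdn.net/logo.png">
<img src="https://forum.example.org/badge.png">
</body></html>"""

if __name__ == "__main__":
    # Each host printed here would need its own entry in the Hosts alias.
    for host in external_hosts(SAMPLE_HTML, "forum.example.org"):
        print(host)
```

Hosts that change between visits (rotating CDN edges) are better handled by a domain-based alias than by fixed host entries, and the resolver on the firewall must still answer DNS for them or the names never resolve at all.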
#8
How do I bring nano inside the build itself, so that upon a fresh install from DVD/serial I get nano preinstalled?
#9
Hi,

One of my partners required me to add a custom dialogue box in the opnsense-installer menu where it asks to change the root password | exit and reboot option after installation. The requirement is to add some questions there, and the answers would be stored in a file in the /usr/local/etc/ directory.

While I changed the Makefile of opnsense-installer to fetch it from my fork, it didn't work in make ports, and it said opnsense-installer no such pkg.

Can someone guide me on how to use my custom fork of the opnsense-installer inside the build machine? Any reference or documentation would be appreciated.

Thanks in advance!

Best,
VivekSP
#10
Hi,

I recently came across a feature in enterprise-level firewalls like Fortinet, where virtualized firewalls (virtual domains or VDOMs) can be used to isolate and manage different network segments or configurations. This concept seems incredibly useful, and I was wondering if OPNsense supports something similar, either through a virtual machine (e.g., using bhyve) or a containerized approach (e.g., Docker).

Has anyone tried implementing a virtualized firewall or additional OPNsense instance within an OPNsense setup? If so, I'd love to hear your recommendations or any guidance on how to configure this effectively.

Thanks!
Best,
VivekSP
#11
Thank you for the suggestion, but unfortunately, I cannot afford Zenarmor at the moment. The free plan they offer doesn't provide many features, which is why I am exploring other options for content filtering and MiTM. Additionally, Squid requires at least mid-2025 for my needs, so I'm looking for an alternative that fits better within my current requirements and budget.

Appreciate your understanding!
#12
Thanks for reverting! Does it mean there is no way to achieve this custom API blocking (for Gmail send | LinkedIn upload) without SSL bumping? But as we know, Squid will be resolved in June, almost, and I don't find any other solution for SSL bumping. Until then, is there no other way?
#13
Hi,

I am seeking guidance on implementing the following configurations in OPNsense:

Restricting Gmail Send while Allowing Gmail Access

In our LAN setup, I plan to restrict the "Send" functionality for Gmail (SMTP traffic to smtp.gmail.com on port 587), while ensuring Gmail access is still allowed. My approach involves:
Creating an Alias for smtp.gmail.com.
Adding a block rule for the destination port 587, with the Alias set in the destination field.
Could you confirm if this is the correct approach? Additionally, how should I implement the same restriction for a WireGuard Full Tunnel configuration?

Blocking File Uploads on Facebook and LinkedIn Messengers

We want to allow access to Facebook and LinkedIn but block file uploads specifically in their messaging platforms.
Could you guide me on how to achieve this?
Are there specific rules, protocols, or plugins to use in OPNsense for such granular control?
I would greatly appreciate your assistance and recommendations. Thank you for helping me enhance our network's configuration and security!

Looking forward to your valuable insights.
#14
Hi,

I tried installing mitmproxy on OPNsense but couldn't, as I didn't find any pkg in the repositories. Then I created a new Debian server with mitmproxy and added a NAT rule from Firewall > NAT > Port Forward. My certificate is created on the Debian server using mitmproxy > certs. Still, clients are not able to trust the installed certificate even when I have put the certificate in the Trusted Root CA store in certmgr.msc.

Any idea on what might be going wrong here? Or how can I do MITM in OPNsense, as I think maybe Squid will require its v7, which will be released in June '25. I was hoping MITM can solve the SSL bumping for me while Squid gets stable.
#15
I've been working with the OPNsense build tools to create a custom ISO and have successfully built one. However, I'd like to include the nDPI package in the ISO itself so that it's pre-installed when installed.

I've gone through the build tools documentation, but I'm unsure about the best way to add an additional package like nDPI into the build process. Specifically:

Do I need to add nDPI to config/ports.conf or modify other build scripts?
If nDPI isn't available as a standard FreeBSD package, would creating a FreeBSD port be the right first step?
Are there any additional configurations needed to ensure the package works seamlessly after installation?
I'd greatly appreciate any guidance or references from the community. If someone has experience customizing OPNsense builds with additional packages, I'd love to hear your thoughts.

Thanks in advance!

Best,
VivekSP