Messages - vivekmauli14

#1
Hi,

I was thinking about, and have done, some UI revamp for MVC using React. I have successfully included the static build of the React app and hosted it using lighttpd, but that is not persistent. Also, I have to authenticate the APIs with key and secret; how do I do that internally, so that I don't have to put the API pair into the React app?

My goal is to have my React UI use the same authentication as the default .volt UI.

I would greatly appreciate any insights, documentation pointers, or examples you could share.

Best,
VivekSP
#2
Hi,

I'm running OPNsense 24.7.1 and noticed that the latest package caddy-custom-2.10 includes the layer4 module. I tried to install this package on my 24.7 system, but it doesn't work — likely due to binary or ABI incompatibility with the current firmware.

Looks like I might need to upgrade to latest version now.
#3
Hi Monviech,

I guess our version of caddy does not have the layer4 module for my use case of a NAT46 workaround:


root@Marge:/usr/local/etc/caddy/caddy.d # caddy list-modules | grep layer4
root@Marge:/usr/local/etc/caddy/caddy.d #


Trying with relayd, will update here..

Thanks

#4
Hi Maurice,

I tried this configuration, but it didn't work as expected. The goal was to translate traffic from an IPv4 address (192.0.2.66) to a real internal IPv6 address (fd00:abcd::10).

Tayga startup script:
#!/bin/sh
# /root/start-tayga46.sh

echo "[*] Cleaning up any previous NAT46 instance..."
ifconfig nat46 destroy 2>/dev/null
killall tayga 2>/dev/null

echo "[*] Starting TAYGA and waiting for it to create the nat46 interface..."
/usr/local/sbin/tayga -c /usr/local/etc/tayga46.conf &

# Poll for the interface to appear
INTERFACE_EXISTS=false
for i in $(seq 1 10); do
    if ifconfig nat46 >/dev/null 2>&1; then
        echo "[+] Interface nat46 created by Tayga."
        INTERFACE_EXISTS=true
        break
    fi
    sleep 0.5
done

if [ "$INTERFACE_EXISTS" = false ]; then
    echo "[!] TAYGA failed to create the interface. Aborting."
    exit 1
fi


# Configure the Proxmox interface with its IPv6 address.
ifconfig igc2 inet6 fd00:abcd::1/64 alias

# Configure the IPv4 side of the tunnel.
ifconfig nat46 inet 192.0.2.1 192.0.2.2 netmask 255.255.255.255 up

# Configure the IPv6 side of the tunnel using our new dedicated network.
ifconfig nat46 inet6 fd00:aabb::2 fd00:aabb::1 prefixlen 128 up

echo "[*] Adding NAT46 routes..."

# This route directs traffic for the fake IPv4 network to Tayga.
route add -inet 192.0.2.0/24 -iface nat46

and Tayga config:

# /usr/local/etc/tayga46.conf
tun-device nat46
ipv4-addr 192.0.2.1
ipv6-addr fd00:aabb::1
map 192.0.2.66 fd00:abcd::10
data-dir /var/db/tayga46


When I run a packet capture, I can see that Tayga is translating the packets correctly! The initial packet from the client gets translated from IPv4 to IPv6, and the destination server sends back a [S.] (SYN-ACK) reply.

16:38:20.035896 IP 192.0.2.1.1612 > 192.0.2.66.8082: Flags [S], seq 729630911, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3783615226 ecr 0], length 0
16:38:20.035929 IP6 fd00:aabb::1.1612 > fd00:abcd::10.8082: Flags [S], seq 729630911, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3783615226 ecr 0], length 0
16:38:20.035955 IP6 fd00:abcd::10.8082 > fd00:aabb::1.1612: Flags [S.], seq 2602201702, ack 729630912, win 0, options [mss 1460], length 0

The connection stalls immediately. As you can see in the third packet, the IPv6 server (fd00:abcd::10) is responding with a TCP win 0, and the TCP handshake never completes, so no data can be transferred.

What could be causing this win 0 response? Does this point to a problem in my Tayga/network configuration, or is it more likely an issue on the destination server (fd00:abcd::10) that is incompatible with the translated packet it's receiving? Or is it a compatibility issue of PF with Tayga NAT46?

As Monviech suggested, I may try relayd or caddy as an alternative, but I'd love to understand why this is failing.

Thank you all !
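As an added example (not code from the post, from OPNsense, or from Tayga), the script below reads the three tcpdump lines quoted above as constructed sample input, applies the posted map (192.0.2.66 to fd00:abcd::10, with the tun pair 192.0.2.1 / fd00:aabb::1 assumed to stand for the client side) and checks what the capture actually proves: that the IPv4 SYN reached the IPv6 server with sequence number, ports and window intact, that the SYN-ACK acknowledges the right sequence number, whether it carries a zero window, and whether a translated IPv4 reply ever appears. All function and field names are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three lines from the post's packet capture.
CAPTURE = """\
16:38:20.035896 IP 192.0.2.1.1612 > 192.0.2.66.8082: Flags [S], seq 729630911, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3783615226 ecr 0], length 0
16:38:20.035929 IP6 fd00:aabb::1.1612 > fd00:abcd::10.8082: Flags [S], seq 729630911, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3783615226 ecr 0], length 0
16:38:20.035955 IP6 fd00:abcd::10.8082 > fd00:aabb::1.1612: Flags [S.], seq 2602201702, ack 729630912, win 0, options [mss 1460], length 0
"""

# Assumed IPv4 -> IPv6 mapping, taken from the posted tayga46.conf
# ('map 192.0.2.66 fd00:abcd::10' plus the ipv4-addr/ipv6-addr pair).
MAP46 = {"192.0.2.66": "fd00:abcd::10", "192.0.2.1": "fd00:aabb::1"}

# One tcpdump TCP summary line: timestamp, family, src.port > dst.port: Flags [..], rest
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fam>IP6?) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], (?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: str
    family: str   # "IP" or "IP6"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # e.g. "S" or "S."
    seq: Optional[int]
    ack: Optional[int]
    win: Optional[int]


def _field(rest: str, name: str) -> Optional[int]:
    """Pull 'seq N', 'ack N' or 'win N' out of the tail of a tcpdump line."""
    m = re.search(rf"\b{name} (\d+)", rest)
    return int(m.group(1)) if m else None


def parse_tcpdump(text: str) -> list:
    """Parse tcpdump TCP summary lines; non-TCP or unparseable lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            ts=m["ts"], family=m["fam"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            flags=m["flags"],
            seq=_field(m["rest"], "seq"),
            ack=_field(m["rest"], "ack"),
            win=_field(m["rest"], "win"),
        ))
    return packets


def _find(packets, family, flags, src, dst, sport, dport):
    return next((p for p in packets if p.family == family and p.flags == flags
                 and p.src == src and p.dst == dst
                 and p.sport == sport and p.dport == dport), None)


def diagnose_nat46(packets: list, map46: dict) -> dict:
    """Follow one IPv4 SYN through the translator and report what the capture shows."""
    r = {"translated": False, "header_preserved": False, "synack_seen": False,
         "ack_correct": False, "zero_window": False, "reply_translated_back": False}
    v4_syn = next((p for p in packets if p.family == "IP" and p.flags == "S"), None)
    if v4_syn is None:
        return r
    v6_src, v6_dst = map46.get(v4_syn.src), map46.get(v4_syn.dst)
    v6_syn = _find(packets, "IP6", "S", v6_src, v6_dst, v4_syn.sport, v4_syn.dport)
    if v6_syn is None:
        return r
    r["translated"] = True
    # A stateless translator should leave the TCP header alone: same seq and window.
    r["header_preserved"] = v6_syn.seq == v4_syn.seq and v6_syn.win == v4_syn.win
    synack = _find(packets, "IP6", "S.", v6_dst, v6_src, v4_syn.dport, v4_syn.sport)
    if synack is None:
        return r
    r["synack_seen"] = True
    r["ack_correct"] = synack.ack == v6_syn.seq + 1
    r["zero_window"] = synack.win == 0
    # Did the reply ever come back out as IPv4 toward the client?
    r["reply_translated_back"] = _find(packets, "IP", "S.", v4_syn.dst, v4_syn.src,
                                       v4_syn.dport, v4_syn.sport) is not None
    return r


def run_example() -> dict:
    return diagnose_nat46(parse_tcpdump(CAPTURE), MAP46)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

On the posted capture the script confirms that the outbound translation is correct (same ports, sequence number and window on both legs, and the SYN-ACK acknowledges seq+1), flags the zero window in the reply, and notes that no IPv4 SYN-ACK back to 192.0.2.1 is present in the three lines shown, which separates the question of what the server answered from the question of whether the answer was translated back at all.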
#5
Hi,
Thanks for reverting! The user wants:

IPv4 clients must be able to reach a specific IPv6-only service on my internal network. This means the firewall needs to perform a NAT46 translation on inbound traffic. An external IPv4 client would send a request to a public IPv4 address on the box, and the firewall would translate that to the correct IPv6 address of my internal service.
Looking forward to guidance on making this work reliably and securely within the environment.

Thanks again!

Best,
VivekSP
#6
Hi,

I am having a unique requirement for NAT46 at one of my users. I'm aware that Linux-based machines like Jool or TAYGA support NAT46 via TUN/TAP interfaces or netfilter hooks. I'm hoping to either replicate that behavior natively with any native tool or find a more flexible workaround than an L7 reverse proxy. Any insights, documentation links, or experimental solutions would be very helpful — happy to test patches or contribute to development if needed.

Thanks in advance!

Best,
VivekSP
#7
Hi,

I'm working on a requirement to bring VDOM-like functionality (Virtual Domains), inspired by how Fortinet enables multiple fully isolated firewall instances (tenants) on a single hardware appliance. Has any similar approach been explored before?

Are there thoughts on integrating bhyve or external orchestration in a more native way? Looking forward to your input and thoughts on how this can be achieved.

Best,
VivekSP
#8
Actually, my requirement is: I have to configure a public IP 112.xxx.xxx.37 and 192.168.xx.xx on the same interface with a NAT policy.
#9
Hi,

Thank you so much. Can you detail a bit more how you suggest this be configured: first create an IP alias, then add the alias IP on the loopback address and then NAT? Or will this also work without NAT?
Looking forward to hearing from you.

Thanks!
#10
Hi Patrick,

Thanks for the clarification — I understand that from a traditional BSD networking model. However, I've heard certain vendors (like Fortinet and Juniper) allow you to treat secondary IPs almost as if they were separate interfaces — using them in different routing instances, policies, or even NAT/firewall contexts. They often abstract this at the OS or control plane level to allow for that kind of flexibility.

Out of curiosity, does OPNsense offer any feature that might allow similar behavior? For example:

Creating a virtual interface or group that binds to a specific IP alias

Using aliases in policy-based routing or as part of a ruleset that treats them as more than just an additional address

Assigning a loopback or dummy interface with an alias and routing through that

Or is the OPNsense implementation (being FreeBSD-based) bound strictly to the traditional interface model with no way to "promote" an alias to interface-like behavior?

Appreciate any insights from others who've tried something similar or worked around this in creative ways.

Best regards,
VivekSP
#11
Hi,

I've created an IP alias on my system, and now I'm trying to figure out how to create a new interface that uses this alias. The alias is already active and bound to the original interface, but I need to treat it as a separate interface (for routing or firewall purposes, for example).

Thanks in advance!

Best,
VivekSP
#12
Hi Eric,

Thanks for reverting! I believe support for the protocols is important; VLANs can be a makeshift solution, however, it would help if we could understand the support for these protocols.

Best,
VivekS
#13
Hi all,

I'm working on securing an environment where both IT and OT networks are present, and I'm evaluating OPNsense as the firewall platform. I'm particularly interested in knowing whether OPNsense (natively or via plugins like Suricata or Zenarmor) supports the detection, filtering, or deep packet inspection (DPI) of common OT/ICS protocols such as:

Modbus

DNP3

OPC UA

BACnet

PROFINET

EtherNet/IP

I understand that OPNsense primarily focuses on traditional IP networking and Layer 3/4 firewalling, but any insights on visibility into these industrial protocols—whether through IDS/IPS rulesets, DPI capabilities, or plugin support—would be very helpful.

Has anyone deployed OPNsense in an IT/OT convergence setup and can share their experience or best practices?

Thanks in advance!
#14
Hi Franco,

I was trying to build a new 24.7 ISO as my whole lab is set up with 24.7. My previous build machine is stuck on make ports, and when I tried to rebuild a build environment I am getting pkg error 22.2, and the above method doesn't work as FreeBSD no longer supports 1.19. Please help, what can be done here:

USER=root
>>> Running build step: ports
>>> Passing arguments: (none)
Installed pkg version '2.1' does not match required version '1.19'
To fix this please run 'make -C /usr/ports/ports-mgmt/pkg clean all reinstall'
*** Error code 1

Stop.
make: stopped in /usr/tools


root@build:/usr/ports/ports-mgmt/pkg # make && make reinstall
===> Building/installing portconfig as it is required for the config dialog
===>  Cleaning for portconfig-0.6.2
/!\ ERROR: /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

No support will be provided if you silence this message by defining
ALLOW_UNSUPPORTED_SYSTEM.

*** Error code 1

Stop.
make[3]: stopped in /usr/ports/ports-mgmt/portconfig
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/ports-mgmt/portconfig

===> Options unchanged
/!\ ERROR: /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

No support will be provided if you silence this message by defining
ALLOW_UNSUPPORTED_SYSTEM.
#15
Hi,

We have a network setup with two ISPs: Airtel and Spectra, both providing static and public IPs along with gateways. We have configured load balancing and failover with Airtel set as Tier 1 and Jio set as Tier 2.

Problem:
We are trying to ensure that speed test requests are routed through the correct gateway:

When Airtel is active, the speed test request should route through Airtel's gateway.
When Spectra is active, the speed test request should route through Spectra's gateway.
However, despite configuring the gateways in a failover setup with both gateways under Tier 1, this behavior is not occurring.

We would appreciate any advice or insights on making the speedtest request route through the correct active gateway, depending on which ISP is active.

Thanks!