Messages

Hi,

Found this with no responses Forum thread but at this time the feature was not added on the GUI.

Is this stil working for our users? as I setup the squid with SSL bumping and it was working fine (configuration and bumping) but even after configuring the required domain, the header insertion didnt work. My main concern is, is it no longer working with google auth as with Oauth or other method which no longer recognise the header for allowed domains or am I missing something.

Also which update do we wait until get a stable squid proxy without any seg-faults?


Best,
VivekSP

Hi,

As Switching/Routing is also part of OPNsense, Please suggest whether other than FRR anybother Plugin can be installed to complete this requirement.

The requirement is such that in Device 1, eth1(one interface) is configured with iBGP(Physical Interface not carrying the IP) but VLAN created on it, will carry the IP, iBGP IP series 172 IP) which connects with AS of ISP, with relevant details provided from ISP.
Port 2 another Interface on same device is connected over OSPF to the Device 2 (and so forth. Till Last device which is also connected to the ISP through BGP, and connects ring topology through OSPF, similarly for the Edge device other interfaces are also connected on OSPF with other devices in the Ring with fallback) .

There is an Interface say eth0, Configured with a Public IP, and

 Problem Statement 1 :
eth0 have IP Alias ( 2 additional Public IPs and 1 Private Network on the same eth0 also to be Configured).

 Problem Statement 2.:

Private Network should get Dynamic IP from The DHCP Pool. (Remarkable is that the IP configured in Interface is Public IP).

 Problem Statement 3.

Private Network can access Internet only if the Traffic is NAT Ed through the Public IP configured on the the Interface. (this will be same for all the Devices in the Ring topology).

Considering OPNsense is a Full Fledged Switch and Router aswell, Please Guide how to resolve the above Problem Statement, what all Plugins in addition to FRR is required.

It says:

Code Select Expand

root@OPNsense:~ # zpool export zroot
cannot unmount '/var/log': pool or dataset is busy
root@OPNsense:~ #
and for every try got this device busy error.

Do I need to rename the default dataset for this from zroot to something else?

Oh alright:

Here it is:

Code Select Expand

root@Marge:~ # mount
/dev/iso9660/OPNSENSE_INSTALL on / (cd9660, local, read-only)
devfs on /dev (devfs)
tmpfs on /tmp (tmpfs, local)
zroot/tmp on /tmp (zfs, local, noatime, nosuid, nfsv4acls)
zroot/usr/src on /usr/src (zfs, local, noatime, nfsv4acls)
zroot/var/mail on /var/mail (zfs, local, nfsv4acls)
zroot/home on /home (zfs, local, noatime, nfsv4acls)
zroot/var/audit on /var/audit (zfs, local, noatime, noexec, nosuid, nfsv4acls)
zroot/var/crash on /var/crash (zfs, local, noatime, noexec, nosuid, nfsv4acls)
zroot/var/log on /var/log (zfs, local, noatime, noexec, nosuid, nfsv4acls)
zroot/var/tmp on /var/tmp (zfs, local, noatime, nosuid, nfsv4acls)
<above>:/tmp/.cdrom/boot on /boot (unionfs, local, noatime, nosuid, nfsv4acls)
<above>:/tmp/.cdrom/conf on /conf (unionfs, local, noatime, nosuid, nfsv4acls)
<above>:/tmp/.cdrom/etc on /etc (unionfs, local, noatime, nosuid, nfsv4acls)
<above>:/tmp/.cdrom/home on /home (unionfs, local, noatime, nosuid, nfsv4acls)
<above>:/tmp/.cdrom/root on /root (unionfs, local, noatime, nosuid, nfsv4acls)
<above>:/tmp/.cdrom/usr on /usr (unionfs, local, noatime, nosuid, nfsv4acls)
<above>:/tmp/.cdrom/var on /var (unionfs, local, noatime, nosuid, nfsv4acls)
devfs on /var/dhcpd/dev (devfs)
devfs on /var/unbound/dev (devfs)
/usr/local/lib/python3.11 on /var/unbound/usr/local/lib/python3.11 (nullfs, local, read-only)
/lib on /var/unbound/lib (nullfs, local, read-only)
root@Marge:~ #


Hi Patrick,

This is the output for mount: mount

Hi Patrick,

My zpool status returns this :

Code Select Expand

root@Marge:~ # zpool status
  pool: zroot
 state: ONLINE
config:

        NAME        STATE     READ WRITE CKSUM
        zroot       ONLINE       0     0     0
          ada0p4    ONLINE       0     0     0

errors: No known data errors
root@opnsense:~ #


Also am I the only one facing this issue while reinstalling?

On a previosuly installed opnsense 25.7 when I booted into the 25.7 installer for reinstalling, it would fail with errors like "No disks present". When I dropped into the live shell to wipe the disk manually, I hit a wall of errors:

gpart destroy failed with Device busy

zpool destroy -f zroot failed with pool or dataset is busy

Even the low-level dd command failed with Operation not permitted

I was completely locked out from touching the internal hard drive, even as root. This was new to me; I've reinstalled older versions like 24.7 on many devices before without ever seeing this kind of stubborn lock.

How do I smoothly reinstall the machine without needing of another bootables of Gpart for drive cleaning ?

Thanks

Hi,

I was thinking and have done some UI revamp for MVC using react and have successfully included the static build of react app and hosted that using lighttpd, but that is not percistent also, I have to authenticate the APIs with key and secret, how do I do that internally ? so that I dont have to put the api pair into react app.

My goal is to have my React UI use the same authentication as the default .volt UI.

I would greatly appreciate any insights, documentation pointers, or examples you could share.

Best,
VivekSP

Hi,

I'm running OPNsense 24.7.1 and noticed that the latest package caddy-custom-2.10 includes the layer4 module. I tried to install this package on my 24.7 system, but it doesn't work — likely due to binary or ABI incompatibility with the current firmware.

Looks like I might need to upgrade to latest version now.

Hi Monviech,

I guess our version of caddy does not have layer4 module for my usecase of NAT46 workaround

Code Select Expand


root@Marge:/usr/local/etc/caddy/caddy.d # caddy list-modules | grep layer4
root@Marge:/usr/local/etc/caddy/caddy.d #


Trying with relayd, will update here..

Thanks

Hi Maurice,

I tried this configuration but didnt work as expected. The goal was to translate traffic from IPv4 address (192.0.2.66) to a real internal IPv6 address (fd00:abcd::10).

 Tayga startup script

Code Select Expand

#!/bin/sh
# /root/start-tayga46.sh

echo "[*] Cleaning up any previous NAT46 instance..."
ifconfig nat46 destroy 2>/dev/null
killall tayga 2>/dev/null

echo "[*] Starting TAYGA and waiting for it to create the nat46 interface..."
/usr/local/sbin/tayga -c /usr/local/etc/tayga46.conf &

# Poll for the interface to appear
INTERFACE_EXISTS=false
for i in $(seq 1 10); do
    if ifconfig nat46 >/dev/null 2>&1; then
        echo "[+] Interface nat46 created by Tayga."
        INTERFACE_EXISTS=true
        break
    fi
    sleep 0.5
done

if [ "$INTERFACE_EXISTS" = false ]; then
    echo "[!] TAYGA failed to create the interface. Aborting."
    exit 1
fi


# Configure the Proxmox interface with its IPv6 address.
ifconfig igc2 inet6 fd00:abcd::1/64 alias

# Configure the IPv4 side of the tunnel.
ifconfig nat46 inet 192.0.2.1 192.0.2.2 netmask 255.255.255.255 up

# Configure the IPv6 side of the tunnel using our new dedicated network.
ifconfig nat46 inet6 fd00:aabb::2 fd00:aabb::1 prefixlen 128 up

echo "[*] Adding NAT46 routes..."

# This route directs traffic for the fake IPv4 network to Tayga.
route add -inet 192.0.2.0/24 -iface nat46



and Tayga config

Code Select Expand

# /usr/local/etc/tayga46.conf

tun-device nat46

ipv4-addr 192.0.2.1

ipv6-addr fd00:aabb::1

map 192.0.2.66 fd00:abcd::10

data-dir /var/db/tayga46


When I run a packet capture, I can see that Tayga is translating the packets correctly! The initial packet from the client gets translated from IPv4 to IPv6, and the destination server sends back a [S.] (SYN-ACK) reply.

Code Select Expand

16:38:20.035896 IP 192.0.2.1.1612 > 192.0.2.66.8082: Flags [S], seq 729630911, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3783615226 ecr 0], length 0
16:38:20.035929 IP6 fd00:aabb::1.1612 > fd00:abcd::10.8082: Flags [S], seq 729630911, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3783615226 ecr 0], length 0
16:38:20.035955 IP6 fd00:abcd::10.8082 > fd00:aabb::1.1612: Flags [S.], seq 2602201702, ack 729630912, win 0, options [mss 1460], length 0

The connection stalls immediately. As you can see in the third packet, the IPv6 server (fd00:abcd::10) is responding with a TCP win 0.and the TCP handshake never completes and no data can be transferred.

what could be causing this win 0 response? Does this point to a problem in my Tayga/network configuration, or is it more likely an issue on the destination server (fd00:abcd::10) that is incompatible with the translated packet it's receiving? or is it the compatibility issue of PF with tayga NAT46?

As Monviech suggested, I may try relayd or caddy as an alternative, but I'd love to understand why this is failing.

Thank you all !

Hi,
Thanks for reverting! The user wants :

IPv4 clients must be able to reach a specific IPv6-only service on my internal network. This means the firewall needs to perform a NAT46 translation on inbound traffic. An external IPv4 client would send a request to a public IPv4 address on the box, and the firewall would translate that to the correct IPv6 address of my internal service.
looking forward for guidance to make this work reliably and securely within the environment.

Thanks again!

Best,
VivekSP

Hi,

I am having a unique requirement of NAT46 at one of my user, I'm aware that Linux-based machines like Jool or TAYGA support NAT46 via TUN/TAP interfaces or netfilter hooks. I'm hoping to either replicate that behavior natively with any native tool or find a more flexible workaround than an L7 reverse proxy. Any insights, documentation links, or experimental solutions would be very helpful — happy to test patches or contribute to development if needed.

Thanks in advance!

Best,
VivekSP

Hi,

I'm working on a requirement to bring VDOM-like functionality (Virtual Domains), inspired by how Fortinet enables multiple fully isolated firewall instances (tenants) on a single hardware appliance. Has any similar approach been explored before?

Are there thoughts on integrating bhyve or external orchestration in a more native way? Looking forward to your input and thoughts on how this can be achieved?

Best,
VivekSP

Actually my requirement is, I have to configure a public IP 112.xxx.xxx.37 and 192.168.xx.xx in a same interface with a NAT policy