Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - robert.haugen@gmail.com

Pages1

General Discussion / Re: Can’t get the shaper on OPNsense to work.

November 15, 2025, 11:08:06 PM

Thanks.

Using IPv6, I think the client is communicating with the default gateway using its link-local address. The link-local subnet is the same on both GUEST and LAN:

fe80::/64

Could that be the culprit?

General Discussion / Can’t get the shaper on OPNsense to work.

November 15, 2025, 06:25:32 PM

I want the LAN network to have priority for download traffic.
When the network is not congested, the GUEST network should still have full speed.
However, when both LAN and GUEST are heavily used, LAN should receive significantly higher priority.

I've tried all combinations of Pipes, Queues, and Rules without success.

Reference:
https://docs.opnsense.org/manual/how-tos/shaper_prioritize_using_queues.html

For testing, I'm using two Debian Linux clients — one on LAN and one on GUEST — running the "Speedtest by Ookla" CLI tool.

Intrusion Detection and Prevention / Re: Telemetry status Failed to load widget - ETPRO Telemetry edition

September 18, 2025, 07:54:09 PM

Add Sectigo Public Server Authentication CA OV R36 to

Save this as a file with a txt editor: Sectigo Public Server Authentication CA OV R36.pem

Code Select

copy the file to /usr/share/certs/trusted/ (WinSCP...)
Symlink the file /etc/ssl/certs

Reboot

It Works !

This is a temporary fix until they get the cert for opnsense.emergingthreats.net fixed !

Intrusion Detection and Prevention / Re: Telemetry status Failed to load widget - ETPRO Telemetry edition

September 18, 2025, 05:13:54 PM

An insecure fix:

Modify /usr/local/opnsense/scripts/suricata/lib/downloader.py

Code Select

if str(url).split(':')[0].lower() in ('http', 'https'):
            frm_url = url.replace('//', '/').replace(':/', '://')
            # stream to temp file
            if frm_url not in self._download_cache:
                req_opts = {
                    'url': frm_url,
                    'stream': True,
                    'verify': False  
                }

Modify

/usr/local/opnsense/scripts/etpro_telemetry

send_heartbeat.py
send_telemetry.py
sensor_info.py

Code Select

parser.add_argument('-i', '--insecure', help='Insecure, skip certificate validation',
                    action="store_true", default=True)

Intrusion Detection and Prevention / Re: Telemetry status Failed to load widget - ETPRO Telemetry edition

September 18, 2025, 02:27:23 PM

Quote from: meyergru on September 18, 2025, 01:12:02 PMThat is because curl does not trust the certificate for opnsense.emergingthreats.net, which is issued by Sectigo.

You can verify this via:

Code Select Expand
# curl -v https://opnsense.emergingthreats.net * Host opnsense.emergingthreats.net:443 was resolved. * IPv6: (none) * IPv4: 72.12.200.25 * Trying 72.12.200.25:443... * ALPN: curl offers h2,http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * closing connection #0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the webpage mentioned above.
IDK why it is not trusted, though, because the top-level issuer "Sectigo Public Server Authentication Root R46" CA seems to be present.

Is the code that´s handling the telemetry and signature trusting Sectigo?

Intrusion Detection and Prevention / Telemetry status Failed to load widget - ETPRO Telemetry edition

September 18, 2025, 11:09:57 AM

Hi,

Yesterday, Telemetry status Failed to load widget appeared. Using ETPRO Telemetry edition.

Using curl from OPNsense:
OPNsense:~ # curl -v https://opnsense.emergingthreats.net/api/v1/telemetry
* Host opnsense.emergingthreats.net:443 was resolved.
* IPv6: (none)
* IPv4: 72.12.200.25
* Trying 72.12.200.25:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

Hardware and Performance / Re: High CPU usage every 10 secounds.

August 19, 2025, 05:31:49 PM

It is significant.

General Discussion / Re: Change IAID on WAN interface.

August 08, 2025, 05:18:28 PM

Thanks you so much @meyergru

I works. My ISP Altibox is just banning me for a week when Prevent release wan not ticked on.

Ended up with this config.

Hardware and Performance / Re: High CPU usage every 10 secounds.

August 02, 2025, 12:19:02 PM

Spinned up an OPNsense test instance. Same issue there.

#10

Hardware and Performance / High CPU usage every 10 secounds.

July 29, 2025, 03:37:32 PM

Hi.

Hawing two OPNsense installations. The CPU´s peek every 10 seconds. It was on 25.1 and the same on 25.7.

#11

General Discussion / Re: Change IAID on WAN interface.

June 02, 2025, 08:36:37 PM

Thanks:-)

I am still having problems with getting IPv6 address from my ISP Altibox.

Could there be some trotling of Solicit messages ?

Have used IAID = 2 before. The DUID is

DHCPv6
Message type: Solicit (1)
Transaction ID: 0xc5c7f8
Client Identifier
Option: Client Identifier (1)
Length: 10
DUID: 00030001b8d5XXXXXXXX
DUID Type: link-layer address (3)
Hardware type: Ethernet (1)
Link-layer address: b8:d5:XX:XX:XX:XX
Link-layer address (Ethernet): ZyxelCommuni_XX:XX:XX (b8:d5:XX:XX:XX:XX)
Identity Association for Non-temporary Address
Option: Identity Association for Non-temporary Address (3)
Length: 12
IAID: 00000002
T1: 0
T2: 0
Rapid Commit
Option: Rapid Commit (14)
Length: 0
Elapsed time
Option: Elapsed time (8)
Length: 2
Elapsed time: 3330ms
Option Request
Option: Option Request (6)
Length: 4
Requested Option code: DNS recursive name server (23)
Requested Option code: Domain Search List (24)
Identity Association for Prefix Delegation
Option: Identity Association for Prefix Delegation (25)
Length: 41
IAID: 00000002
T1: 0
T2: 0
IA Prefix

#12

General Discussion / Re: Change IAID on WAN interface.

May 31, 2025, 05:12:29 PM

Quote from: meyergru on May 31, 2025, 04:47:56 PMYou can set that under Interfaces: WAN -> "DHCPv6 client configuration" -> "Advanced" tab -> "Prefix Delegation" -> "id-assoc pd ID"

Thanks.

When I switch to Advanced,
I can't find where to set:

Prefix delegation size
and
Send prefix hint

#13

General Discussion / Change IAID on WAN interface.

May 31, 2025, 12:30:35 PM

Hi,

Anyone know how to change IAID on WAN interface ?

Looks like Opensense use IAID=0 on WAN by default.

Mikrotik gives
lo interface IAID=1
First Interface IAID=2
Second Interface IAID=3

#14

23.7 Legacy Series / Re: DUID-LL generation

August 16, 2023, 08:54:08 PM

Thanks Maurice :-) :) :)

#15

23.7 Legacy Series / DUID-LL generation

August 12, 2023, 08:15:34 AM

Hello.

According to my knowledge, the DUID-LL value is generated on the basis of the MAC address. Today, when I clicked "Insert a new LL DUID", a new "DHCP Unique Identifier" is generated. The MAC address is not changed. Should´t this value be the same every time?

Pages1