"
hi all,
is there a way I can reset the password for AdGuard?
I've locked myself out due to a bitwarden fuckup
is there a way I can reset the password for AdGuard?
I've locked myself out due to a bitwarden fuckup
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#2
General Discussion / Re: addguard + unbound config issue
October 25, 2025, 11:28:52 AM
can be closed. there was a nat rule blocking the access :(
#3
General Discussion / Re: fresh install (25.7) unable to ping the fw after backup restore
October 24, 2025, 11:32:25 AM
fixed. I believe there is a bug with KEA FW rules management.
I will open one once I close my investigation.
I reverted to ISC and now all works
I will open one once I close my investigation.
I reverted to ISC and now all works
#4
General Discussion / addguard + unbound config issue
October 24, 2025, 11:31:11 AM
Hi all,
I have a simple setup for my dns filtering:
Add Guard is set to listen as primary DNS on port 53. It fw all requests to unbound on port 5353.
all good here. everything works. Unbound will DoT on 853 to various servers.
the only thing that is not working is the google nexus devices. they cannot reach internet. I know they use 853 for DNS, but for some reason with Add guard in front it fails. I don't see anything blocked by Adsguard in the logs.
If I remove Add Guard and just keep Unbound on 53, then all works.
Any clue?
I have a simple setup for my dns filtering:
Add Guard is set to listen as primary DNS on port 53. It fw all requests to unbound on port 5353.
all good here. everything works. Unbound will DoT on 853 to various servers.
the only thing that is not working is the google nexus devices. they cannot reach internet. I know they use 853 for DNS, but for some reason with Add guard in front it fails. I don't see anything blocked by Adsguard in the logs.
If I remove Add Guard and just keep Unbound on 53, then all works.
Any clue?
#5
General Discussion / Re: fresh install (25.7) unable to ping the fw after backup restore
October 21, 2025, 03:04:35 PM
reverting to the old dhcp server fixed the issue. I suspect KEA firewall rules option is the issue.
#6
General Discussion / Re: fresh install (25.7) unable to ping the fw after backup restore
October 21, 2025, 12:23:48 PM
I see nothing in the logs:
tail -f /var/log/filter/latest.log
<134>1 2025-10-16T16:23:49+02:00 firewall.balaci.eu filterlog 82344 - [meta sequenceId="335"] 125,,,056f491d90cabb2432e063d44f2e443a,igb1,match,pass,in,4,0x0,,64,44626,0,none,17,udp,67,172.16.10.70,172.16.10.1,55846,53,47
<134>1 2025-10-16T16:23:57+02:00 firewall.balaci.eu filterlog 82344 - [meta sequenceId="336"] 125,,,056f491d90cabb2432e063d44f2e443a,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,172.16.10.70,76.223.92.165,49670,443,0,SEC,3674017377,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
<134>1 2025-10-16T16:23:58+02:00 firewall.balaci.eu filterlog 82344 - [meta sequenceId="337"] 125,,,056f491d90cabb2432e063d44f2e443a,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,172.16.10.70,13.248.212.111,49672,443,0,SEC,2784660919,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
root@firewall:/ # tail -f /var/log/dhcpd/latest.log
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="99"] Listening on BPF/igb1_vlan10/f4:90:ea:00:9f:4e/172.16.20.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="100"] Sending on BPF/igb1_vlan10/f4:90:ea:00:9f:4e/172.16.20.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="101"] Listening on BPF/igb1/f4:90:ea:00:9f:4e/172.16.10.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="102"] Sending on BPF/igb1/f4:90:ea:00:9f:4e/172.16.10.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="103"] Listening on BPF/igb1_vlan20/f4:90:ea:00:9f:4e/172.16.40.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="104"] Sending on BPF/igb1_vlan20/f4:90:ea:00:9f:4e/172.16.40.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="105"] Listening on BPF/igb1_vlan30/f4:90:ea:00:9f:4e/172.16.30.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="106"] Sending on BPF/igb1_vlan30/f4:90:ea:00:9f:4e/172.16.30.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="107"] Sending on Socket/fallback/fallback-net
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="108"] Server starting service.
<187>1 2025-10-16T16:25:57+02:00 ****** dhcpd 44049 - [meta sequenceId="1"] Dynamic and static leases present for 172.16.10.70.
<187>1 2025-10-16T16:25:57+02:00 ****** dhcpd 44049 - [meta sequenceId="2"] Remove host declaration s_opt5_34 or remove 172.16.10.70
<187>1 2025-10-16T16:25:57+02:00 ****** dhcpd 44049 - [meta sequenceId="3"] from the dynamic address pool for 172.16.10.0/24
<190>1 2025-10-16T16:25:57+02:00 ****** dhcpd 44049 - [meta sequenceId="4"] DHCPREQUEST for 172.16.10.70 from 00:e0:4c:c2:06:9a via igb1
<190>1 2025-10-16T16:25:57+02:00****** dhcpd 44049 - [meta sequenceId="5"] DHCPACK on 172.16.10.70 to 00:e0:4c:c2:06:9a via igb1
seems to work well. but i have no direct access into the router, no matter what I do.
tail -f /var/log/filter/latest.log
<134>1 2025-10-16T16:23:49+02:00 firewall.balaci.eu filterlog 82344 - [meta sequenceId="335"] 125,,,056f491d90cabb2432e063d44f2e443a,igb1,match,pass,in,4,0x0,,64,44626,0,none,17,udp,67,172.16.10.70,172.16.10.1,55846,53,47
<134>1 2025-10-16T16:23:57+02:00 firewall.balaci.eu filterlog 82344 - [meta sequenceId="336"] 125,,,056f491d90cabb2432e063d44f2e443a,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,172.16.10.70,76.223.92.165,49670,443,0,SEC,3674017377,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
<134>1 2025-10-16T16:23:58+02:00 firewall.balaci.eu filterlog 82344 - [meta sequenceId="337"] 125,,,056f491d90cabb2432e063d44f2e443a,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,172.16.10.70,13.248.212.111,49672,443,0,SEC,2784660919,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
root@firewall:/ # tail -f /var/log/dhcpd/latest.log
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="99"] Listening on BPF/igb1_vlan10/f4:90:ea:00:9f:4e/172.16.20.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="100"] Sending on BPF/igb1_vlan10/f4:90:ea:00:9f:4e/172.16.20.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="101"] Listening on BPF/igb1/f4:90:ea:00:9f:4e/172.16.10.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="102"] Sending on BPF/igb1/f4:90:ea:00:9f:4e/172.16.10.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="103"] Listening on BPF/igb1_vlan20/f4:90:ea:00:9f:4e/172.16.40.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="104"] Sending on BPF/igb1_vlan20/f4:90:ea:00:9f:4e/172.16.40.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="105"] Listening on BPF/igb1_vlan30/f4:90:ea:00:9f:4e/172.16.30.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="106"] Sending on BPF/igb1_vlan30/f4:90:ea:00:9f:4e/172.16.30.0/24
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="107"] Sending on Socket/fallback/fallback-net
<190>1 2025-10-16T16:19:58+02:00 ****** dhcpd 44049 - [meta sequenceId="108"] Server starting service.
<187>1 2025-10-16T16:25:57+02:00 ****** dhcpd 44049 - [meta sequenceId="1"] Dynamic and static leases present for 172.16.10.70.
<187>1 2025-10-16T16:25:57+02:00 ****** dhcpd 44049 - [meta sequenceId="2"] Remove host declaration s_opt5_34 or remove 172.16.10.70
<187>1 2025-10-16T16:25:57+02:00 ****** dhcpd 44049 - [meta sequenceId="3"] from the dynamic address pool for 172.16.10.0/24
<190>1 2025-10-16T16:25:57+02:00 ****** dhcpd 44049 - [meta sequenceId="4"] DHCPREQUEST for 172.16.10.70 from 00:e0:4c:c2:06:9a via igb1
<190>1 2025-10-16T16:25:57+02:00****** dhcpd 44049 - [meta sequenceId="5"] DHCPACK on 172.16.10.70 to 00:e0:4c:c2:06:9a via igb1
seems to work well. but i have no direct access into the router, no matter what I do.
#7
General Discussion / fresh install (25.7) unable to ping the fw after backup restore
October 21, 2025, 11:23:46 AM
Hi all,
I just reinstalled my DEC 750 after changing the broken ssd.
Everything went great. I have a fresh new 25.7.
Once installed I connected to the default lan address (192.168.1.1) and loaded my backup file. everything went well, the router restarted, all my vlans and interfaces are there, my dhcp static mappings as well.
the problem: I connect the cable in my igb1 (lan) and I get a dhcp ip. all great.
the problem is I cannot ping my fw from my lan device or vice versa.
I am pretty stuck. no clue what's happening.
I just reinstalled my DEC 750 after changing the broken ssd.
Everything went great. I have a fresh new 25.7.
Once installed I connected to the default lan address (192.168.1.1) and loaded my backup file. everything went well, the router restarted, all my vlans and interfaces are there, my dhcp static mappings as well.
the problem: I connect the cable in my igb1 (lan) and I get a dhcp ip. all great.
the problem is I cannot ping my fw from my lan device or vice versa.
I am pretty stuck. no clue what's happening.
#8
Hardware and Performance / Re: DEC750 NVME failing
July 15, 2025, 02:11:28 PM
amazing, I will do this.
weird it degraded in less than 2 years
I will probably disable any cache in the future.
Thank you
weird it degraded in less than 2 years
I will probably disable any cache in the future.
Thank you
#9
Hardware and Performance / DEC750 NVME failing
July 15, 2025, 11:22:56 AM
Hi community,
I own a DEC750 with nvme running 25.1.10 Recently I got a failed smart message:
smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.2-RELEASE-p3 amd64] (local build) Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org
=== START OF INFORMATION SECTION === Model Number: TS256GMTE652T2 Serial Number: H433990185 Firmware Version: 52B9T7OA PCI Vendor/Subsystem ID: 0x1d79 IEEE OUI Identifier: 0x000000 Controller ID: 1 NVMe Version: 1.3 Number of Namespaces: 1 Namespace 1 Size/Capacity: 256,060,514,304 [256 GB] Namespace 1 Utilization: 255,796,785,152 [255 GB] Namespace 1 Formatted LBA Size: 512 Local Time is: Tue Jul 15 09:47:04 2025 CEST Firmware Updates (0x14): 2 Slots, no Reset required Optional Admin Commands (0x0017): Security Format Frmw_DL Self_Test Optional NVM Commands (0x005f): Comp Wr_Unc DS_Mngmt Wr_Zero Sav/Sel_Feat Timestmp Log Page Attributes (0x0f): S/H_per_NS Cmd_Eff_Lg Ext_Get_Lg Telmtry_Lg Maximum Data Transfer Size: 32 Pages Warning Comp. Temp. Threshold: 85 Celsius Critical Comp. Temp. Threshold: 90 Celsius
Supported Power States St Op Max Active Idle RL RT WL WT Ent_Lat Ex_Lat 0 + 9.00W - - 0 0 0 0 0 0
Supported LBA Sizes (NSID 0x1) Id Fmt Data Metadt Rel_Perf 0 + 512 0 0
=== START OF SMART DATA SECTION === SMART overall-health self-assessment test result: FAILED!
NVM subsystem reliability has been degraded
SMART/Health Information (NVMe Log 0x02, NSID 0xffffffff) Critical Warning: 0x04 Temperature: 43 Celsius Available Spare: 100% Available Spare Threshold: 10% Percentage Used: 159% Data Units Read: 15,175,817 [7.77 TB] Data Units Written: 868,173,472 [444 TB] Host Read Commands: 166,826,964 Host Write Commands: 6,380,384,852 Controller Busy Time: 74,813 Power Cycles: 22 Power On Hours: 22,786 Unsafe Shutdowns: 16 Media and Data Integrity Errors: 0 Error Information Log Entries: 0 Warning Comp. Temperature Time: 234 Critical Comp. Temperature Time: 0 Thermal Temp. 1 Transition Count: 13638 Thermal Temp. 1 Total Time: 111289
Error Information (NVMe Log 0x01, 16 of 256 entries) No Errors Logged
Self-test Log (NVMe Log 0x06, NSID 0xffffffff) Self-test status: No self-test in progress Num Test_Description Status Power_on_Hours Failing_LBA NSID Seg SCT Code 0 Extended Completed: failed segments 22597 - - 2 - - 1 Extended Completed: failed segments 22556 - - 2 - - 2 Short Completed: failed segments 22554 - - 2 - - 3 Short Completed: failed segments 22549 - - 2 - - 4 Short Completed: failed segments 17155 - - 2 - - 5 Short Completed: failed segments 12464 - - 2 - -
I haven't open the box yet, so my questions are:
can the nvme be changed?
if yes what type should I buy
is there an install from scratch procedure?
Thanks you
I own a DEC750 with nvme running 25.1.10 Recently I got a failed smart message:
smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.2-RELEASE-p3 amd64] (local build) Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org
=== START OF INFORMATION SECTION === Model Number: TS256GMTE652T2 Serial Number: H433990185 Firmware Version: 52B9T7OA PCI Vendor/Subsystem ID: 0x1d79 IEEE OUI Identifier: 0x000000 Controller ID: 1 NVMe Version: 1.3 Number of Namespaces: 1 Namespace 1 Size/Capacity: 256,060,514,304 [256 GB] Namespace 1 Utilization: 255,796,785,152 [255 GB] Namespace 1 Formatted LBA Size: 512 Local Time is: Tue Jul 15 09:47:04 2025 CEST Firmware Updates (0x14): 2 Slots, no Reset required Optional Admin Commands (0x0017): Security Format Frmw_DL Self_Test Optional NVM Commands (0x005f): Comp Wr_Unc DS_Mngmt Wr_Zero Sav/Sel_Feat Timestmp Log Page Attributes (0x0f): S/H_per_NS Cmd_Eff_Lg Ext_Get_Lg Telmtry_Lg Maximum Data Transfer Size: 32 Pages Warning Comp. Temp. Threshold: 85 Celsius Critical Comp. Temp. Threshold: 90 Celsius
Supported Power States St Op Max Active Idle RL RT WL WT Ent_Lat Ex_Lat 0 + 9.00W - - 0 0 0 0 0 0
Supported LBA Sizes (NSID 0x1) Id Fmt Data Metadt Rel_Perf 0 + 512 0 0
=== START OF SMART DATA SECTION === SMART overall-health self-assessment test result: FAILED!
NVM subsystem reliability has been degraded
SMART/Health Information (NVMe Log 0x02, NSID 0xffffffff) Critical Warning: 0x04 Temperature: 43 Celsius Available Spare: 100% Available Spare Threshold: 10% Percentage Used: 159% Data Units Read: 15,175,817 [7.77 TB] Data Units Written: 868,173,472 [444 TB] Host Read Commands: 166,826,964 Host Write Commands: 6,380,384,852 Controller Busy Time: 74,813 Power Cycles: 22 Power On Hours: 22,786 Unsafe Shutdowns: 16 Media and Data Integrity Errors: 0 Error Information Log Entries: 0 Warning Comp. Temperature Time: 234 Critical Comp. Temperature Time: 0 Thermal Temp. 1 Transition Count: 13638 Thermal Temp. 1 Total Time: 111289
Error Information (NVMe Log 0x01, 16 of 256 entries) No Errors Logged
Self-test Log (NVMe Log 0x06, NSID 0xffffffff) Self-test status: No self-test in progress Num Test_Description Status Power_on_Hours Failing_LBA NSID Seg SCT Code 0 Extended Completed: failed segments 22597 - - 2 - - 1 Extended Completed: failed segments 22556 - - 2 - - 2 Short Completed: failed segments 22554 - - 2 - - 3 Short Completed: failed segments 22549 - - 2 - - 4 Short Completed: failed segments 17155 - - 2 - - 5 Short Completed: failed segments 12464 - - 2 - -
I haven't open the box yet, so my questions are:
can the nvme be changed?
if yes what type should I buy
is there an install from scratch procedure?
Thanks you
#10
General Discussion / Re: DNS resolver question
July 10, 2025, 01:49:30 PM
this works. thank you
i missed that check.
i missed that check.
#11
General Discussion / DNS resolver question
July 08, 2025, 05:10:14 PM
Hi all,
I have a problem on my internal network regarding dns resolution.
the name of the opnsense box is firewall.balaci.eu
nslookup firewall.balaci.eu
Server: 172.16.10.1
Address: 172.16.10.1#53
Name: firewall.balaci.eu
Address: 213.10.27.11
Name: firewall.balaci.eu
Address: 10.0.0.1
Name: firewall.balaci.eu
Address: 172.16.10.1
Name: firewall.balaci.eu
Address: 172.16.40.1
Name: firewall.balaci.eu
Address: 172.16.30.1
it replies well on nslookup. Now the problem is, I am using NGINX proxy manager to distribute a wildcard certificare to all my internal appliances and firewall.balaci.eu is pointing to 172.16.10.1/24 interface.
it is never loading when I write it in the browser.
What am I missing?
Thank you
I have a problem on my internal network regarding dns resolution.
the name of the opnsense box is firewall.balaci.eu
nslookup firewall.balaci.eu
Server: 172.16.10.1
Address: 172.16.10.1#53
Name: firewall.balaci.eu
Address: 213.10.27.11
Name: firewall.balaci.eu
Address: 10.0.0.1
Name: firewall.balaci.eu
Address: 172.16.10.1
Name: firewall.balaci.eu
Address: 172.16.40.1
Name: firewall.balaci.eu
Address: 172.16.30.1
it replies well on nslookup. Now the problem is, I am using NGINX proxy manager to distribute a wildcard certificare to all my internal appliances and firewall.balaci.eu is pointing to 172.16.10.1/24 interface.
it is never loading when I write it in the browser.
What am I missing?
Thank you
#12
Virtual private networks / Re: vlan routing to openvpn
October 29, 2024, 01:28:27 PM
Use the same gateway for the ips on your different vlan
#13
Virtual private networks / Re: vlan routing to openvpn
October 29, 2024, 12:37:42 PM
1. Is possible
Create the openvpn setup - connect and valide it works. Then associate a virtual interface to your ovpn instance (ovpn1 in my case), enable it but don't add any ip or rules on it. Then create an nat outbound rule on that interface to any.
I suppose your vlan network has a few ip's assigned and everything works. If so, create a new gateway for the recently created openvpn connection and go to fw rules - vlan interface :
Add a pass rule for that interface, source you entire lan, destination any and gateway (the ovpn gateway)
This should do it.
Create the openvpn setup - connect and valide it works. Then associate a virtual interface to your ovpn instance (ovpn1 in my case), enable it but don't add any ip or rules on it. Then create an nat outbound rule on that interface to any.
I suppose your vlan network has a few ip's assigned and everything works. If so, create a new gateway for the recently created openvpn connection and go to fw rules - vlan interface :
Add a pass rule for that interface, source you entire lan, destination any and gateway (the ovpn gateway)
This should do it.
#14
Virtual private networks / Re: [SOLVED] Wireguard selective routing
October 27, 2024, 04:49:42 PM
I got the rule fixed. Thanks Bob.Dig
you helped me fixed this
my VLAN10 rule was wrong
you helped me fixed this
my VLAN10 rule was wrong
#15
Virtual private networks / Re: [SOLVED] Wireguard selective routing
October 27, 2024, 04:28:42 PM
you were right! the connection was broken. now it works.
interface: wg2
public key: IiTLluo4hmsCYRq9Ln25Dj7sXn0zq9Ik********
private key: (hidden)
listening port: 51820
peer: L79E4IoaVZBXOyoMM82TvUIbiKlloRbUn********
endpoint: 83.97.115.18:51820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 34 seconds ago
transfer: 184 B received, 680 B sent
persistent keepalive: every 20 seconds
step1 done.
now let's see the rules.
1. I have no rules for the virtual interface mapping wg2.
2. the lan interface where I plan to use this as gateway has the following rule:
https://ibb.co/4JdGFHT
3. NAT outbound
https://ibb.co/Px5sskg
one interesting situation is this: when I add SURFSHARK_Wireguard as gateway for a specific host in the VLAN10 lan, If I ping the VLAN10 gateway from the host itself, I can't get to it.
interface: wg2
public key: IiTLluo4hmsCYRq9Ln25Dj7sXn0zq9Ik********
private key: (hidden)
listening port: 51820
peer: L79E4IoaVZBXOyoMM82TvUIbiKlloRbUn********
endpoint: 83.97.115.18:51820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 34 seconds ago
transfer: 184 B received, 680 B sent
persistent keepalive: every 20 seconds
step1 done.
now let's see the rules.
1. I have no rules for the virtual interface mapping wg2.
2. the lan interface where I plan to use this as gateway has the following rule:
https://ibb.co/4JdGFHT
3. NAT outbound
https://ibb.co/Px5sskg
one interesting situation is this: when I add SURFSHARK_Wireguard as gateway for a specific host in the VLAN10 lan, If I ping the VLAN10 gateway from the host itself, I can't get to it.
