Messages - dish

#1
It's not so straightforward doing this :P

Your ISP/TV provider will require specific configuration; google your provider name + pfsense or opnsense etc. and hopefully you can find it. If not, look for a guide for another provider and adapt it to yours. Check your service provider's support page for the IPTV configuration.

Here is an example for KPN Netherlands (just translate the page); your config will end up similar.
https://j4me.synology.me/ - scroll down to iptv settings
Basically you need a specific interface config, IGMP proxy, specific DHCP settings for the TV box so it pulls info from the TV provider, open up broadcasting, block the TV VLAN from spamming your LAN, etc.

In my case I couldn't get it working nicely; it worked, but after an hour or so it gave an error and stopped working.

I got tired of it and in the end the simple solution for me was to install the Android app from the TV provider on my smart TV or Google TV dongle. This takes 5 mins of your time and works just as well.
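As an added illustration of the IGMP proxy part of that checklist (this is not from the post above or from OPNsense's own documentation), here is the shape of an igmpproxy.conf in igmpproxy's native syntax; OPNsense's IGMP Proxy service renders the same thing from its GUI fields. Interface names (vlan0.4 for the provider-side IPTV VLAN, igb1_vlan20 for the internal TV VLAN, igb0/igb1 for WAN/LAN) and the altnet source ranges are assumptions; take the real ones from your provider's guide.

```conf
## Added example, not OPNsense or the poster's config.
## Interface names and source networks are placeholders.

# Leave a multicast group as soon as the last set-top box stops
# watching, so a channel change does not keep the old stream flowing.
quickleave

# Upstream: the provider-side IPTV VLAN. igmpproxy drops multicast whose
# source address is outside the upstream interface's own subnet, so the
# provider's streaming source ranges must be listed as altnet.
phyint vlan0.4 upstream ratelimit 0 threshold 1
    altnet 10.0.0.0/8
    altnet 203.0.113.0/24

# Downstream: the internal VLAN where the TV box sits. This is the only
# interface that should ever receive forwarded multicast.
phyint igb1_vlan20 downstream ratelimit 0 threshold 1

# Listing the remaining interfaces as disabled documents that the proxy
# must never forward the TV streams into the normal LAN or WAN.
phyint igb1 disabled
phyint igb0 disabled
```

Two firewall points that usually bite with this set-up: the rule passing IGMP on the TV VLAN must allow IP options (IGMP carries the Router Alert option and pf drops packets with options unless the rule says allow-opts), and a separate block rule on the TV VLAN interface towards your LAN subnet is what keeps the box's chatter out of the LAN while still letting it reach the provider.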
#2
As a long-time user and having seen OPNsense grow, it certainly shows a level of excellence and quality from the team(s) and everyone contributing; thank you, keep up the good work.

From time to time though it's frustrating when things get simplified to a point where it's confusing/less usable. The UI is keeping up with the times, but removing configurability doesn't make it polished; I expect many rely on some of the lesser-used functions... As a backup we had the 'insecure' option in some places that have too many options to cover, but it continues to get phased out and this is one of them; imo an authentic 'advanced' feature for those that needed it. It's been asked too frequently over the years to keep it, and it makes sense in certain places.

My earlier experience with instances was successful but finicky; anyway it looks better now, and I tried to set up a client VPN and I am missing the following few things:

explicit-exit-notify - please add; my provider requires it to close the session
bind address - option to select an interface instead of specifying an address
fast-io - not sure if still relevant
key-direction - useful for VPN in some countries
data-ciphers / data-ciphers-fallback / tls-cipher - option to select
pull-filter
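For readers who do not know what those directives do, here is an added OpenVPN client configuration that uses every item from the list above. It is not the poster's config and not something OPNsense generates; the server name, local address, cipher lists and key file name are assumptions.

```conf
## Added example OpenVPN client config; all values are placeholders.
client
dev tun
proto udp
remote vpn.example.net 1194

# "bind address": OpenVPN's local directive takes an address, not an
# interface name, so binding the tunnel to a given WAN means giving that
# WAN's address here (or nobind and letting routing pick the source).
local 203.0.113.10

# Tell the server we are leaving so it drops the session immediately
# instead of waiting for its keepalive timeout. Only works over UDP;
# with proto tcp OpenVPN ignores it.
explicit-exit-notify 1

# Skips the poll/select before UDP writes. UDP only, non-Windows only;
# harmless on current builds but no longer much of an optimisation.
fast-io

# Data channel: AEAD ciphers are negotiated in this order. The fallback
# is used only against a peer too old to negotiate a cipher.
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC

# Control channel (TLS 1.2 and below); for TLS 1.3 the equivalent
# directive is tls-ciphersuites.
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

# tls-auth HMAC on the control channel hides the server from port
# scanners and drops junk before TLS; key-direction 1 on the client
# pairs with 0 on the server.
tls-auth ta.key
key-direction 1

# Take the server's pushed options except a full-tunnel redirect and
# its DNS, so this host keeps its own default route and resolvers.
pull-filter ignore "redirect-gateway"
pull-filter ignore "dhcp-option DNS"

remote-cert-tls server
```

The pull-filter lines are the security-relevant one for a client that is not meant to be a full tunnel: without them a provider can push a new default route or resolver and silently redirect all of the firewall's traffic.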
#3
I originally wrote something about using ASNs; it can be more work to build up but just as effective with a smaller footprint.

Another option is to cook up a nice IP table list using sources from Emerging Threats etc.; you can find lists for almost anything. It should be able to keep most of the riffraff off your servers without the necessary load of large GeoIP lists.

Here is my default blocklist, compiled from PRI1 feed collections from pfB.

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
https://cinsarmy.com/list/ci-badguys.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
Set a 24hr refresh.

OP wasn't very specific about what he wanted to block other than certain countries.
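The feeds above do not share one format (abuse.ch and ET use # comment lines, Spamhaus DROP appends "; SBLnnn" to each network, some lists have DOS line endings and a mix of bare hosts and CIDRs), so merging them by hand into one pf table needs a normaliser. The script below is an added example, not the poster's set-up; in OPNsense you would normally let a URL Table (IPs) alias do the fetching and the 24h refresh, but a script like this is useful for validating what the feeds actually contain before trusting them. The sample feed text and the table name badguys are constructed for illustration; the URLs are the ones from the post.

```shell
#!/bin/sh
# Added example (not the poster's script): fetch the feeds listed in the
# post, normalise their differing formats into one pf table, load it.
# SAMPLE and the table name "badguys" are constructed placeholders.

FEEDS="
https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
https://cinsarmy.com/list/ci-badguys.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
"

# Read feed lines on stdin, emit one validated IPv4 CIDR per line.
# Drops '#' comment lines and Spamhaus "; SBL" annotations, strips CRs,
# rejects malformed octets or prefix lengths, gives bare hosts a /32
# and dedupes, so a poisoned or broken feed cannot inject garbage.
normalize_feed() {
    awk '
    {
        sub(/[;#].*$/, "")      # comment or trailing annotation
        gsub(/[ \t\r]/, "")     # spaces, tabs, DOS line endings
        if ($0 == "") next
        n = split($0, part, "/")
        if (n > 2 || split(part[1], oct, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (oct[i] !~ /^[0-9]+$/ || length(oct[i]) > 3 || oct[i] + 0 > 255) next
        if (n == 2) {
            if (part[2] !~ /^[0-9]+$/ || length(part[2]) > 2 || part[2] + 0 > 32) next
            print part[1] "/" part[2]
        } else {
            print part[1] "/32"
        }
    }' | sort -u
}

# Constructed sample mixing the feed formats, for exercising offline.
SAMPLE='# Feodo Tracker Botnet C2 IP Blocklist (Recommended)
# Last updated: 2024-08-01 00:00:00 UTC
192.0.2.10
198.51.100.0/24 ; SBL000001
203.0.113.5
192.0.2.10
999.1.1.1
not-an-ip
  203.0.113.7 '

sample_table() { printf '%s\n' "$SAMPLE" | normalize_feed; }
sample_count() { sample_table | wc -l | tr -d ' '; }

# Fetch every feed; a feed that fails is logged and skipped so one
# outage does not blank the whole table.
fetch_all() {
    for url in $FEEDS; do
        curl -fsS --max-time 60 "$url" || echo "skip $url" >&2
    done | normalize_feed
}

# Replace the table contents in one step; pf keeps the old entries if
# the file does not parse.
load_table() {
    pfctl -t "$1" -T replace -f "$2"
}

if [ "${1:-}" = "update" ]; then
    tmp=$(mktemp) || exit 1
    fetch_all > "$tmp"
    [ -s "$tmp" ] && load_table badguys "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh blocklist.sh update` from cron for the 24h refresh. Before pointing a block rule at the table, check the merged output against your own prefixes and anything you peer with: an upstream feed that lists a range you depend on will lock you out just as effectively as it locks out the riffraff.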
#4
Misread... nvm

GeoIP route tables get large; there's no way around this, especially for large countries.
#5
I just built a new mini PC firewall, and did the install on Proxmox with NICs PCI-mapped directly.
The most obvious issue was traceroute not working through the firewall; opnsense-update -zkr 24.7.1-icmp2 fixes it.
I'm currently lurking the forums to see what else is up.

Overall it seems to work... but here and there with routing, gateways (running VPNs etc.) there's some weird behavior that I can't pinpoint. It could be Proxmox but I'm thinking OPNsense. I could go bare metal but I doubt it'll help my situation seeing the chatter on the forums.
I'll probably try installing a fresh 24.1 on a VM before going bare metal.

I need a couple of extras on this host if possible... and working more reliably than where it's at now.

I'm holding off the upgrade on my main FWs until we hit 24.7.2 at least.