Messages - Lucid1010

#1
I have currently opened only port 443 and the WireGuard port for my web service.

I'm also blocking inbound traffic from the WAN using several DB aliases, such as AbuseIPDB and Firehol.

Would it be a good idea to block outbound WAN traffic as well?

I'm also curious whether applying the floating rule might be a better approach.
#2
26.1, 26,4 Series / 26.1.7_2 wazuh error?
May 05, 2026, 08:01:31 PM
Installed packages to be UPGRADED:
opnsense: 26.1.7 -> 26.1.7_2 [OPNsense]

Number of packages to be upgraded: 1

6 MiB to be downloaded.
[1/1] Fetching opnsense-26.1.7_2.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/1] Upgrading opnsense from 26.1.7 to 26.1.7_2...
[1/1] Extracting opnsense-26.1.7_2: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
[OPNsense\WazuhAgent\WazuhAgent:general.server_address] A value is required.{}
Model OPNsense\WazuhAgent\WazuhAgent can't be saved, skip ( OPNsense\Base\ValidationException: [OPNsense\WazuhAgent\WazuhAgent:general.server_address] A value is required.{}
 in /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:822
Stack trace:
#0 /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php(947): OPNsense\Base\BaseModel->serializeToConfig()
#1 /usr/local/opnsense/mvc/script/run_migrations.php(69): OPNsense\Base\BaseModel->runMigrations()
#2 {main} )
*** OPNsense\WazuhAgent\WazuhAgent migration failed from 0.0.0 to 1.0.3, check log for details
Flushing all caches...done.
Writing firmware settings: OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from opnsense-26.1.7_2:

--
One step ahead, one step behind it, now you gotta run to get even
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/opnsense-26.1.7_2.pkg
/var/cache/pkg/opnsense-26.1.7_2~0c703ebe71.pkg
The cleanup will free 6 MiB
Deleting files: .. done
Nothing to do.
Flushing temporary package files... done
Starting web GUI...done.
***DONE***
#3
check cpu clock
#4
General Discussion / Re: Support AmneziaWG
April 12, 2026, 06:21:10 PM
Admins and developers who don't prioritize privacy or censorship resistance may not find this significant.

However, government and ISP censorship is intensifying not only in Russia and the EU but across many other nations as well.

I earnestly hope that os-amneziawg will be developed and implemented as an official OPNsense plugin, just like os-wireguard.
#5
26.1, 26,4 Series / Re: 26.1.6 - Health Check
April 09, 2026, 04:28:12 PM
The update from v26.1.5 to v26.1.6 was completed successfully. Post-reboot, all systems are functioning normally as of now.
#8
wg1: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
        description: Mullvad
        inet 10.x.x.x netmask 0xffffffff
        groups: wg wireguard

Selective routing has been configured, and traffic from specific hosts (192.168.10.0/24) is successfully being routed through Mullvad WireGuard.
vm(192.168.10.5) -> curl ifconfig.co -> show mullvad ip


However, it seems that traffic from the OPNsense machine itself through the wg1 interface is not going through Mullvad.
curl --interface wg1 ifconfig.co
> show wanip


How can I enable Mullvad routing from OPNsense (local)?


#9
I also performed tuning by referring to that repository. Rather than simply copying it, I asked Gemini and ChatGPT what each configuration parameter does and which values would be suitable for my hardware specifications, and adjusted the settings based on that.
#10
I didn't see it when I checked a few days ago, so that's good news.
#11
v24.7 - freebsd 14.1 (July 25, 2024)
v25.1 - freebsd 14.2 (January 29, 2025)
v25.7 - freebsd 14.3 (July 23, 2025)

freebsd 15.0 release (December 2, 2025)
freebsd 15.1 release schedule (June 2, 2026) - https://www.freebsd.org/releases/15.1R/schedule/


There are many changes in FreeBSD 15.0+, but the things I'm looking forward to are the following.
- umb, umbctl (for cellular modem backup)
- amneziawg
- openzfs 2.4.0

#12
26.1, 26,4 Series / Re: RAM usage changed
March 17, 2026, 01:01:29 PM
https://forum.opnsense.org/index.php?topic=50758.0


I have recently observed an increase in RAM usage in the 26.1 update.
#13
Is it possible to require TOTP only for web logins? I would like local shell logins to use only a password.

#14
Has anyone upgraded the firmware in Proxmox? Nothing is being displayed in nvmupdate64e.
#15
General Discussion / c-state tunable not working
February 28, 2026, 04:01:46 PM
For optimal performance, I configured the settings as shown in the image and rebooted. However, when verifying via the `sysctl` command, it shows up as `C1`.

n100 cpu, opnsense 26.1