Messages - caplam

#1
Thanks.
I should be OK; I have a KVM plugged into my router.
#2
I quickly read the topic and don't have a clear idea of your whole config.
Does your OPNsense have the same IP as your former router? If not, did you update the trusted proxies section in Home Assistant's configuration.yaml?
Did you reboot all the machines involved in these communications?


#3
I flashed igc5 (unused) with 2.32.
Thanks to you and meyergru (I have the exact same interface and version), it went well.
Need to test. I guess the easiest way is to assign it to LAN.

Can you flash an interface in use? My WAN needs to be tied to igc0.
If flashing 2 interfaces tied in a lagg device, I suppose the best is to flash the 2 interfaces before rebooting.
#4
I've not flashed for now. I don't even know what firmware version I have.
For now the LAN drops are solved since the change of my patch cables.

I still have an issue, but I don't know if it's related.
My issue is with Suricata and netmap. If I enable IPS on the LAN and VLAN interfaces I have frequent connection drops due to netmap errors.
I disabled IDS and IPS (currently using CrowdSec and testing Q-Feeds).

Edit: apparently I have 2.13.
dmesg | grep EEPROM
[1] igc0: EEPROM V2.13-0 eTrack 0x80000284
[1] igc1: EEPROM V2.13-0 eTrack 0x80000284
[1] igc2: EEPROM V2.13-0 eTrack 0x80000284
[1] igc3: EEPROM V2.13-0 eTrack 0x80000284
[1] igc4: EEPROM V2.13-0 eTrack 0x80000284
[1] igc5: EEPROM V2.13-0 eTrack 0x80000284
#5
I changed the patch cables and so far I have had no more issues.
I tried moving the cable and it seems better locked than the old one.
The switch is a Chinese one (sks8300-8x). I found a new firmware.
On this switch I have several SFP+ modules; some are fiber modules with LC connectors and some have RJ45 connectors.
The LAN is the one that had troubles. Speed is displayed at 2.5G.
The two in LACP for the VLANs are displayed at 10G on the switch.
Ethernet1/0/1 usw48         Enabled fiber-auto 10G/Full Disabled auto
Ethernet1/0/2 vlans-router Enabled fiber-auto 10G/Full Disabled auto
Ethernet1/0/3 vlans-router Enabled fiber-auto 10G/Full Disabled auto
Ethernet1/0/4 lan-router Enabled fiber-auto 2500M/Full Disabled auto
Ethernet1/0/5 godzilla-eth1 Enabled fiber-auto 10G/Full Disabled auto
Ethernet1/0/6 godzilla-eth0 Enabled fiber-auto 10G/Full Disabled auto
Ethernet1/0/7 uplink-et3 Enabled fiber-auto Link Down Disabled auto
Ethernet1/0/8 uplink-et1 Enabled fiber-auto Link Down Disabled auto
Port-Channel1 vlans         Enabled Auto/Auto 20G/Full Disabled auto

1/0/1 is a DAC cable to the Unifi switch
1/0/2 is an RJ45 module to the i226v router
1/0/3 is an RJ45 module to the i226v router
1/0/4 is an RJ45 module to the i226v router
1/0/5 is an SFP fiber module to an SFP on the server
1/0/6 is an SFP fiber module to an SFP on the server

1/0/7 & 8 are down; I moved these modules to the Unifi switch (links to other floors).
#6
On the router the interfaces are 2.5G Ethernet.
The SFP+ ports are on the switch.
#7
Thanks for your answer.
Finally, it seems to be my patch cable.
Yesterday I moved my router to change a defective USB cable (for a KVM HID).
This morning I plugged in the new USB cable and noticed that the LED on the switch interface attached to LAN (igc1) went off. And when I slightly move the cable it goes off. The interfaces are SFP+ 2.5G Ethernet modules.
These patch cables are way too rigid and I guess not very good quality.
I ordered new cables for all my router interfaces.
#8
25.7, 25.10 Series / Lan Interface randomly goes down
October 16, 2025, 10:55:16 AM
Hello,

Yesterday I upgraded to 25.7.5.
In the evening I was watching a film from my Plex server and experienced connection issues.
The Plex server is in VLAN 30. The Plex player (Apple TV) is in LAN (igc1 interface).
I never had this before.
I found nothing in the logs that could explain it.
The link on igc1 (LAN) goes down.
Could you give me a hint where to look?

Here is the log from System/General:

2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dns (execute task : unbound_configure_do())
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dns (execute task : dnsmasq_configure_do())
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dns ()
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : radvd_configure_dhcp())
2025-10-15T23:45:35  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt3(vlan0.20)
2025-10-15T23:45:35  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on lan(igc1)
2025-10-15T23:45:35  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt2(vlan0.10)
2025-10-15T23:45:35  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt1(vlan0.9)
2025-10-15T23:45:35  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt5(vlan0.40)
2025-10-15T23:45:35  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt4(vlan0.30)
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure())
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dhcp ()
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure ipsec (execute task : ipsec_configure_do(,lan))
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure ipsec (,lan)
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure monitor (execute task : dpinger_configure_do(,[]))
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure monitor (,[])
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: ROUTING: entering configure using lan
2025-10-15T23:45:35  Notice   kernel     <6>[35632] igc1: link state changed to UP
2025-10-15T23:45:35  Notice   opnsense   /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for lan(igc1)
2025-10-15T23:45:31  Notice   opnsense   /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for lan(igc1)
2025-10-15T23:45:31  Notice   kernel     <6>[35628] igc1: link state changed to DOWN
2025-10-15T23:41:04  Notice   kernel     <6>[35361] arp: 192.168.2.52 moved from 02:6c:29:76:9a:a8 to 24:8a:07:d3:ea:b0 on igc1
2025-10-15T23:40:59  Notice   kernel     <6>[35356] arp: 192.168.2.52 moved from 24:8a:07:d3:ea:b0 to a0:d3:c1:34:03:e6 on igc1
2025-10-15T23:40:50  Notice   kernel     <6>[35348] arp: 192.168.2.50 moved from 02:8d:24:b7:27:0e to 58:47:ca:74:70:2b on igc1
2025-10-15T23:40:48  Notice   syslog-ng  Syslog connection broken; fd='34', server='AF_INET(192.168.2.50:1514)', time_reopen='60'
2025-10-15T23:40:48  Error    syslog-ng  I/O error occurred while writing; fd='34', error='Host is down (64)'
2025-10-15T23:40:48  Notice   syslog-ng  Syslog connection established; fd='34', server='AF_INET(192.168.2.50:1514)', local='AF_INET(0.0.0.0:0)'
2025-10-15T23:40:13  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure newwanip:rfc2136 (,[lan])
2025-10-15T23:40:11  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dns (execute task : unbound_configure_do())
2025-10-15T23:40:11  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dns (execute task : dnsmasq_configure_do())
2025-10-15T23:40:11  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dns ()
2025-10-15T23:40:11  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : radvd_configure_dhcp())
2025-10-15T23:40:11  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt3(vlan0.20)
2025-10-15T23:40:11  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on lan(igc1)
2025-10-15T23:40:11  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt2(vlan0.10)
2025-10-15T23:40:11  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt1(vlan0.9)
2025-10-15T23:40:11  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt5(vlan0.40)
2025-10-15T23:40:11  Warning  opnsense   /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on opt4(vlan0.30)
2025-10-15T23:40:11  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure())
2025-10-15T23:40:11  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure dhcp ()
2025-10-15T23:40:11  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure ipsec (execute task : ipsec_configure_do(,lan))
2025-10-15T23:40:11  Notice   opnsense   /usr/local/etc/rc.linkup: plugins_configure ipsec (,lan)

My OPNsense hardware is an Intel N100 box.
igc0 is WAN (PPPoE on a VLAN)
igc1 is LAN
All the VLANs (9, 10, 20, 30, 40) are on a lagg of igc2 and igc3
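Added example, not part of the post above: a small parser over the System/General log lines quoted there, which pairs each kernel "link state changed to DOWN" with the next "UP" on the same interface to measure how long the link was actually lost, and separately flags IPs whose ARP entry moved between MACs more than once in a short window. It assumes the four fused columns (timestamp, severity, process, message) have been split by whitespace, as in the constructed SAMPLE_LOG below, which copies a subset of the posted lines; nothing else about the setup is assumed.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the posted System/General log, with the
# columns split as "timestamp severity process message". Newest-first, as exported.
SAMPLE_LOG = """\
2025-10-15T23:45:35 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for lan(igc1)
2025-10-15T23:45:35 Notice kernel <6>[35632] igc1: link state changed to UP
2025-10-15T23:45:31 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for lan(igc1)
2025-10-15T23:45:31 Notice kernel <6>[35628] igc1: link state changed to DOWN
2025-10-15T23:41:04 Notice kernel <6>[35361] arp: 192.168.2.52 moved from 02:6c:29:76:9a:a8 to 24:8a:07:d3:ea:b0 on igc1
2025-10-15T23:40:59 Notice kernel <6>[35356] arp: 192.168.2.52 moved from 24:8a:07:d3:ea:b0 to a0:d3:c1:34:03:e6 on igc1
2025-10-15T23:40:50 Notice kernel <6>[35348] arp: 192.168.2.50 moved from 02:8d:24:b7:27:0e to 58:47:ca:74:70:2b on igc1
2025-10-15T23:40:48 Error syslog-ng I/O error occurred while writing; fd='34', error='Host is down (64)'
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
LINK_RE = re.compile(r"\b(\w+): link state changed to (UP|DOWN)\b")
ARP_RE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+) on (\S+)")


def parse_log(text):
    """Return (timestamp, severity, process, message) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of aborting
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])  # the GUI export is newest-first; sort stably by time
    return events


def link_flaps(events):
    """Pair each DOWN with the next UP on the same interface.

    Returns (iface, down_time_iso, seconds_down); seconds_down is None when the
    interface never came back within the log excerpt.
    """
    down_at = {}
    flaps = []
    for ts, _sev, _proc, msg in events:
        m = LINK_RE.search(msg)
        if not m:
            continue
        iface, state = m.groups()
        if state == "DOWN":
            down_at[iface] = ts
        elif iface in down_at:
            start = down_at.pop(iface)
            flaps.append((iface, start.isoformat(), (ts - start).total_seconds()))
    for iface, start in down_at.items():  # DOWN with no matching UP yet
        flaps.append((iface, start.isoformat(), None))
    return flaps


def arp_churn(events, window_s=60):
    """Return (iface, ip, move_count) for IPs whose MAC moved 2+ times within window_s.

    Repeated moves for one IP are normal when a host runs virtual interfaces
    (the 02:... addresses here have the locally-administered bit set, typical of
    containers/VMs) but are also what ARP spoofing looks like, so they are worth
    listing next to a link-flap investigation.
    """
    seen = {}
    for ts, _sev, _proc, msg in events:
        m = ARP_RE.search(msg)
        if not m:
            continue
        ip, _old, _new, iface = m.groups()
        seen.setdefault((iface, ip), []).append(ts)
    churn = []
    for (iface, ip), stamps in seen.items():
        if len(stamps) >= 2 and (stamps[-1] - stamps[0]).total_seconds() <= window_s:
            churn.append((iface, ip, len(stamps)))
    return sorted(churn)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for flap in link_flaps(evs):
        print("link flap:", flap)
    for churn in arp_churn(evs):
        print("arp churn:", churn)
```

On the posted excerpt this reports one igc1 outage of 4 seconds starting at 23:45:31 and two MAC moves for 192.168.2.52 within 5 seconds; the rc.linkup noise that follows each UP is the normal reconfiguration of DNS, DHCP and IPsec on a link event, not a separate fault. Run it against the full log (one line per event, columns separated by whitespace) to see whether the drops cluster, which is the pattern a marginal cable or SFP module produces.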
#9
When you have 2 containers that need to communicate with each other, the best practice is to put them in a custom network. That way they can communicate even by hostname, e.g. postgres:5432.
#10
Hello,

Installed it a few hours ago.
I first thought there was an error as I didn't see it in Services, and then noticed there was a new entry: "Security".

It loaded 475628 entries in the __qfeeds_malware_ip alias.
I created 2 floating rules:
one on the WAN interface
one on the LAN and VLAN interfaces
After 2 hours I have 58 events, all on the WAN interface.
These events have source IPs mainly from the USA, which are geo-filtered. I guess that is because the Q-Feeds rule is matched before the GeoIP rule.

What I don't understand is the count of IPs in the alias that don't match anything on the TIP dashboard.
On my TIP dashboard I have:
#11
Hello,
I didn't see that topic.
I'd like to try it.
I dropped Suricata on the LAN and VLAN interfaces as it was causing issues when I have a spike in traffic.
I use CrowdSec on WAN but I had to deactivate it for Nextcloud (too many false positives). Still active for other apps.
For now the most effective is GeoIP blocking of inbound connections. It's OK for a homelab, not so much for a company.
For the test, do you need CrowdSec disabled?
#12
General Discussion / Re: How to block outgoing traffic?
September 19, 2025, 03:19:07 PM
Not sure, but when you set up a rule it's better to put it on the first interface hit by the traffic.
So in that case on dmz-debi, direction in.
Supposing you don't have a rule on that interface that allows other traffic, you can make this one:
action: pass
direction: in
protocol: tcp
source: dmz-debi net
destination: !Private_Networks
dest port: webserver (webserver should be created first as an alias for the port group 80 & 443)

I wonder what the utility of that rule should be.
Edit: it could be different according to the other rules already in place.
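Added example, not part of the reply above or of OPNsense itself: a tiny first-match evaluator that encodes the rule just described (pass in on dmz-debi, TCP, source dmz-debi net, destination not Private_Networks, port webserver) and runs some constructed packets through it, so you can see what it lets out and, more usefully, what it silently blocks. The alias contents are assumptions: Private_Networks is taken to be the three RFC1918 ranges, webserver is ports 80 and 443, and 10.10.50.0/24 is a placeholder for the dmz-debi subnet.

```python
import ipaddress

# Assumed alias contents (the thread does not define them).
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_DEBI_NET = ipaddress.ip_network("10.10.50.0/24")  # placeholder for "dmz-debi net"
WEBSERVER = {80, 443}                                  # the "webserver" port alias


def in_any(addr, nets):
    return any(addr in net for net in nets)


def dmz_web_rule(proto, src, dst, dport):
    """The rule from the reply: pass in, tcp, src dmz-debi net, dst !Private_Networks, dport webserver."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (
        proto == "tcp"
        and src in DMZ_DEBI_NET
        and not in_any(dst, PRIVATE_NETWORKS)   # the "!" negation: anything that is not RFC1918
        and dport in WEBSERVER
    )


# Ordered ruleset for the dmz-debi interface, inbound direction. First match wins;
# if nothing matches, the interface's implicit default deny applies.
RULES = [("pass", dmz_web_rule)]


def evaluate(proto, src, dst, dport):
    for action, matches in RULES:
        if matches(proto, src, dst, dport):
            return action
    return "block"


# Constructed packets entering the firewall on dmz-debi.
SAMPLE_PACKETS = [
    ("tcp", "10.10.50.10", "93.184.216.34", 443),   # web fetch to the internet
    ("tcp", "10.10.50.10", "93.184.216.34", 80),    # plain-HTTP fetch to the internet
    ("tcp", "10.10.50.10", "192.168.2.50", 443),    # reaching into the LAN: blocked by the negation
    ("tcp", "10.10.50.10", "10.10.50.1", 443),      # the firewall's own DMZ address: also private
    ("tcp", "10.10.50.10", "93.184.216.34", 22),    # SSH out: port not in webserver
    ("udp", "10.10.50.10", "1.1.1.1", 53),          # DNS: UDP, so this rule never matches
    ("tcp", "10.10.60.7", "93.184.216.34", 443),    # spoofed/other source outside dmz-debi net
]


def classify_all(packets=SAMPLE_PACKETS):
    """Return {packet: action} for every constructed packet."""
    return {pkt: evaluate(*pkt) for pkt in packets}


if __name__ == "__main__":
    for pkt, action in classify_all().items():
        print(f"{action:5}  {pkt[0]} {pkt[1]} -> {pkt[2]}:{pkt[3]}")
```

Two things the table makes obvious that the GUI form does not: the rule gives the DMZ host no name resolution at all (UDP 53 falls through to the default deny), so it needs either a separate DNS rule or a resolver reachable via an explicit pass, and any address inside the Private_Networks alias, including the firewall's own interface IPs, is unreachable from the DMZ through this rule, which is usually what you want for a DMZ but is worth confirming against the other rules the reply's edit mentions.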
#13
General Discussion / dns, certificate
September 17, 2025, 10:57:12 AM
Hello,
Until now I have used a certificate for each service, each of which has a CNAME record.
I registered mydomain.tld and my services have a CNAME record: service1.mydomain.tld CNAME mydomain.tld.

So I have as many certificates as I have services. Some are publicly accessible, some are not. I use Caddy, and private services are restricted in Caddy to LAN IPs.

I want to simplify that with a wildcard certificate.
But I certainly need to modify parts of my setup, as:
- I use mydomain.tld as my domain in OPNsense (DNS and DHCP are configured as per the recommendations: Unbound on port 53 and dnsmasq on 53053). I have query forwarding for mydomain.tld to dnsmasq.
- I have two other services which I set up recently that are hosted elsewhere: external_service1 A another_public_ip1
For those 2 services I have query forwarding from Unbound to 1.1.1.1.
- I have a host override for externally accessible services: caddy.mydomain.tld -> lan_ip_of_opnsense, and an alias for each service.

So I need advice on:
- what domain should I use on OPNsense? lan.mydomain.tld, or keep mydomain.tld?
- should I use one domain per VLAN? lan.mydomain.tld, iot.mydomain.tld, ...
- should I change the domain of the external services (also used as endpoints for WireGuard or OpenVPN tunnels)?
- what domain should I use for publicly facing services?

 
#14
What is your LAN address? 10.10.1.0/24?
If so, you can't assign an IP outside of your LAN. 10.10.0.x is outside of your LAN.
Do you have any VLAN defined?
#15
General Discussion / Re: disk full
August 24, 2025, 01:43:56 PM
Yes. I run the query log until I finish my setup. I'm moving some apps to the DMZ and need those logs until all is running fine, including access from WAN and LAN with a single hostname for apps using the Authentik provider or having their own auth.
It's not straightforward as I have apps accessed only from LAN and others from both WAN and LAN. Some are using Authentik, others don't.
And I'm still wondering which apps to put in the DMZ.