Messages - nero355

#1
Quote from: flushell on July 04, 2026, 05:16:46 PM
Yes, I see now that if I change the old one to Automatic, the other is on Automatic too now.
That's how it's designed to work : I asked about it earlier this week :)

IMHO you should keep things at Hybrid NAT Mode according to the Release Notes :
Quote:
Note that this update brings the outbound to source NAT migration page, but it
is only a formality as outbound NAT will stay in 26.7 although the legacy
firewall rules page will move to a plugin during the major upgrade.  It is the
same process that was employed with ISC-DHCP.  Due to this addition, however,
the source NAT rules entered in the system will no longer work unless the
mode is set to either "manual" or "hybrid".
And from what I have read earlier in this topic : https://forum.opnsense.org/index.php?topic=52261.msg269516#msg269516
#2
26.1, 26,4 Series / Re: os-zerotier package missing
July 04, 2026, 09:28:11 PM
There is a button called Community Packages or something like that : Is it Enabled in your case ?

I don't use that part of OPNsense much but you will figure it out once you see it :)
#3
Quote from: tbk49 on July 03, 2026, 09:28:01 PM
I can't tell whether you are having a joke here or not, but if not, you're telling me neither opnsense nor freebsd have solved a 20 year old problem?...
I am telling you what I happen to know : That's all :)

Quote from: Patrick M. Hausen on July 03, 2026, 09:52:16 PM
GRE does not have ports. It's its own protocol on top of IP independent of TCP and UDP. Port 0 might be a historical frontend abstraction of some product for not having port numbers at all.
Could be... I can't remember anymore... Too long ago...

Also no further experience with GRE or IPSec :)
#4
General Discussion / Re: firewall is toast
July 04, 2026, 04:55:27 PM
Quote from: robertkwild on July 04, 2026, 11:23:42 AM
I have an external m2 ssd enclosure, can I put it in there and pull data off
Yes, but use a FreeBSD Live Boot Environment please :)

Linux based stuff won't get you far sadly...

And 100% AGREE with :
Quote from: newsense on July 04, 2026, 12:01:15 PM
You'll have to do a better job explaining your issue.

"Firewall toast" doesn't fit any SW or HW descriptions we can troubleshoot.

For a HW failure of anything other than the m.2 you can simply move the drive to another FW and boot it up as described above.

Data recovery is possible but complicated depending on the file system used and whether the m.2 partially failed or not.

Lastly, there's not much to recover. Mainly the config.xml and any third party configuration files such as the one used by adguardhome
:)
#5
Quote from: WiteWulf on July 03, 2026, 04:35:37 PM
RFC 2132 states that:
Quote:
Servers SHOULD be listed in order of preference
So yeah, it's down to the client whether or not it respects the preference/order.

I believe macOS, Windows and Linux all respect the order given by the DHCP server, trying them in order, not in parallel.
I don't know about others, like iOS and Android.

My PiHole is an adblocker, for convenience, not for filtering/blocking/censoring any other content, so I'm happy with this.
Like I said earlier : Mixing DNS Servers is not something you want for your network.

So I fully agree with :
Quote from: meyergru on June 30, 2026, 07:04:32 PM
AFAIK, this is a common misconception: There is no guaranteed order if you specify multiple DNS servers. A client may choose to send out the DNS queries in parallel and take the first answer. Thus, the order is arbitrary, so this is not a "fallback" in its strict sense. This exact behaviour can be detrimental for DNS blocking.
&
Quote from: Patrick M. Hausen on July 03, 2026, 04:48:18 PM
As a firewall administrator you cannot rely on the client systems behaving in any particular manner nor can you force them to do so.

If I had a separate device, e.g. a Pihole, I would hand out that device, and only that device, via DHCP to the clients.
Then block all other DNS requests except the ones from the named Pihole device.
:)

When it comes to this :
Quote from: Patrick M. Hausen on July 03, 2026, 04:48:18 PM
All Unix like operating system's resolver libraries have historically used the entries in /etc/resolv.conf in round-robin fashion.
I don't know what current e.g. systemd based implementations do.
My understanding is that some operating systems check who replies faster and then stick with that DNS Server until something changes for whatever reason...
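Following up on the two quoted points (no guaranteed server order; only the firewall can force clients), here is an added example that is not from this thread or from OPNsense: a small model of a client that either walks its DHCP-supplied list or races the servers, run against a LAN with and without a port-53 enforcement rule. The addresses, latencies, the 0.0.0.0 "blocked" reply, the 5 s timeout and the pf-style first-match rule list are all assumptions made for the example.

```python
"""Why DHCP DNS-server order is not a policy, and what is.

Added example for this thread, not code from the forum or OPNsense. Addresses,
latencies and the two resolvers' answers are constructed; the rule list mimics
pf's first-matching-'quick'-rule semantics rather than OPNsense's own rule
generator.
"""
import ipaddress

PIHOLE = "192.168.1.53"        # assumption: filtering resolver on the LAN
PUBLIC = "8.8.8.8"             # assumption: unfiltered resolver a client may also know
LAN = "192.168.1.0/24"
CLIENT = "192.168.1.100"
BLOCKED = "0.0.0.0"            # assumption: the filter answers blocked names with 0.0.0.0
TIMEOUT_MS = 5000              # assumption: stub resolver gives up on a server after 5 s

# Constructed answers: the filter blocks ads.example.net, the public resolver does not.
ZONES = {
    PIHOLE: {"example.com": "93.184.216.34", "ads.example.net": BLOCKED},
    PUBLIC: {"example.com": "93.184.216.34", "ads.example.net": "203.0.113.7"},
}
LATENCY_MS = {PIHOLE: 12, PUBLIC: 4}   # constructed: the public resolver happens to be faster


def in_net(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def firewall_allows(policy, src, dst):
    """First match wins, as with pf 'quick' rules; no match means the packet passes."""
    for action, rule_src, rule_dst in policy:
        if in_net(src, rule_src) and in_net(dst, rule_dst):
            return action == "pass"
    return True


# Handing out only the Pi-hole via DHCP enforces nothing on its own...
ORDER_ONLY = []
# ...so the LAN rules for port 53 have to do it (order matters: exceptions first).
ENFORCED = [
    ("pass", PIHOLE, "any"),   # the filtering resolver may reach its upstreams
    ("pass", LAN, PIHOLE),     # clients may talk to the filtering resolver
    ("block", LAN, "any"),     # any other DNS server is unreachable from the LAN
]


def query(policy, server, name):
    """One UDP query from the client: (answer or None, milliseconds spent)."""
    if not firewall_allows(policy, CLIENT, server):
        return None, TIMEOUT_MS            # dropped packet: the client just waits
    return ZONES[server].get(name), LATENCY_MS[server]


def resolve(policy, servers, name, strategy):
    """servers is the DHCP option 6 list in the order the server handed it out."""
    if strategy == "in_order":            # try each server, move on only on silence
        spent = 0
        for server in servers:
            answer, ms = query(policy, server, name)
            spent += ms
            if answer is not None:
                return answer, spent
        return None, spent
    if strategy == "parallel_first":      # ask everyone, keep the first reply
        replies = []
        for server in servers:
            answer, ms = query(policy, server, name)
            if answer is not None:
                replies.append((ms, answer))
        if not replies:
            return None, TIMEOUT_MS
        ms, answer = min(replies)
        return answer, ms
    raise ValueError(f"unknown strategy {strategy!r}")


if __name__ == "__main__":
    for policy_name, policy in (("order only", ORDER_ONLY), ("enforced", ENFORCED)):
        for strategy in ("in_order", "parallel_first"):
            answer, ms = resolve(policy, [PIHOLE, PUBLIC], "ads.example.net", strategy)
            print(f"{policy_name:10} {strategy:15} -> {answer} after {ms} ms")
```

What the model reproduces: with nothing enforced, a client that races its servers gets the unfiltered answer whenever the public resolver replies first, even though the Pi-hole was listed first; with the block rule in place every strategy ends at the Pi-hole, and a client with a hard-coded outside resolver fails visibly with a timeout instead of silently bypassing the filter. On OPNsense the three entries roughly correspond to LAN rules for TCP/UDP port 53, with the two pass rules placed above the block rule since rules are matched top-down.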
#6
26.1, 26,4 Series / Re: PPPoE Connection Issue
July 03, 2026, 07:29:35 PM
Quote from: Liran on July 03, 2026, 09:17:14 AM
For some reason when the PPPoE connection is established, the device is getting an 10.x.x.x IP address instead of my public one.

According to the ISP, when this IP shows as connected they see a connection.
Sounds like my old ADSL connection back in 1999 or so :
- Client PC = 10.0.0.150
- ADSL Modem = 10.0.0.138
- PPTP Connection between the two.
- Actual WAN IP Address = 80.60.146.6

So my question here is : Do you have a working Internet Connection or not ?!

And what does something like https://whatismyipaddress.com/ show in the current situation ?

The output of tracert/traceroute would be nice to see too :)
#7
I have read a long time ago (Think towards 15 to 20 years!) that GRE needs Port 0 forwarded in order to work properly and some Routers could not handle that at the time.

Maybe you are dealing with something similar ?!
#8
Quote from: franco on July 03, 2026, 12:04:38 PM
Traffic leaking isn't great but mostly a sign of misconfiguration.
True...

Quote:
Some people also expect both private and public networks on their WAN link.

I've seen setups with virtual IPs for a local subnet on WAN that had a public address.
Adding an early kill switch for outbound traffic that can't be overridden would probably kill some people's working setups.
I guess you could add this :
Quote from: Bob.Dig on July 03, 2026, 12:11:52 PM
Many people in the US probably had cable-modems web-UI on 192.168.100.1 for statistics.
To that situation too.

The same goes for Fibreglass ONTs and xDSL Modems :)

But I was thinking to have something like this :

But then two times each :
- Block Private Networks - Incoming
- Block Private Networks - Outgoing
- Block BOGON Networks - Incoming
- Block BOGON Networks - Outgoing

Would that be a good solution ?
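As an added example (not from this thread or from OPNsense) of how to answer that question before deploying the four rules: a dry run of the candidate ruleset over a handful of constructed WAN flows, including the modem status page on 192.168.100.1 that franco and Bob.Dig point to as working traffic a blanket outgoing block would kill. The addresses, the tiny bogon sample and the pf-style first-match evaluation are assumptions made for the example.

```python
"""Dry run of a candidate WAN ruleset over sample flows, to see which legitimate
private-address traffic (a modem's status page) would die along with the leaks.

Added example for this thread, not OPNsense code. OPNsense generates pf rules
from its GUI; this only mimics first-matching-'quick'-rule evaluation. The
addresses and the short bogon sample are constructed.
"""
import ipaddress

PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]   # RFC 1918
BOGONS = ["0.0.0.0/8", "100.64.0.0/10", "240.0.0.0/4"]        # assumption: tiny sample of a bogon list
MODEM = "192.168.100.1"   # assumption: cable modem / ONT web UI reachable on the WAN side


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def rule(action, direction, src=None, dst=None):
    """src/dst are predicates over an address; None means 'any'."""
    return {"action": action, "dir": direction, "src": src, "dst": dst}


# The four rules from the post, plus the exception that keeps the modem UI working.
CANDIDATE = [
    rule("pass",  "out", dst=lambda ip: ip == MODEM),              # exception must come first
    rule("block", "in",  src=lambda ip: in_any(ip, PRIVATE)),      # Block Private Networks - Incoming
    rule("block", "out", dst=lambda ip: in_any(ip, PRIVATE)),      # Block Private Networks - Outgoing
    rule("block", "in",  src=lambda ip: in_any(ip, BOGONS)),       # Block BOGON Networks - Incoming
    rule("block", "out", dst=lambda ip: in_any(ip, BOGONS)),       # Block BOGON Networks - Outgoing
]
WITHOUT_EXCEPTION = CANDIDATE[1:]


def verdict(policy, direction, src, dst):
    for r in policy:
        if r["dir"] != direction:
            continue
        if r["src"] is not None and not r["src"](src):
            continue
        if r["dst"] is not None and not r["dst"](dst):
            continue
        return r["action"]
    return "pass"   # nothing matched: falls through to the rest of the ruleset


# Constructed flows as seen on the WAN interface; 203.0.113.10 is the firewall's WAN address.
FLOWS = [
    ("out", "203.0.113.10", "93.184.216.34", "normal browsing"),
    ("out", "203.0.113.10", MODEM,           "modem status page"),
    ("out", "203.0.113.10", "10.8.0.1",      "leak of VPN-only traffic"),
    ("in",  "192.168.7.7",  "203.0.113.10",  "spoofed private source"),
    ("in",  "100.64.3.3",   "203.0.113.10",  "bogon source"),
]


def dry_run(policy):
    return {what: verdict(policy, d, s, t) for d, s, t, what in FLOWS}


if __name__ == "__main__":
    for label, policy in (("with exception", CANDIDATE), ("without exception", WITHOUT_EXCEPTION)):
        print(label, dry_run(policy))
```

Run as a script it prints the verdict for every flow with and without the exception. The leak to 10.8.0.1 and the spoofed and bogon sources are blocked either way; the modem status page survives only because its pass rule sits above the outgoing private-network block, which is exactly the ordering a first-match ruleset needs and the thing that a non-overridable "early kill switch" could not offer.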
#9
Quote from: franco on July 02, 2026, 07:34:59 AM
You can only migrate outbound NAT manual(or "hybrid") rules.
So if you have only a few then you might as well re-create them and delete the old ones ?
Quote:
Automatic rules are automatic and come from the same place for both components just for visibility.
I will double check if this is the case before I start, because I had Hybrid NAT Mode Enabled long before the new Source NAT section was added to OPNsense and when I checked after it was added I can't remember seeing anything there to be honest...

And just some quick checks about what the 26.1.11 Release Notes mentioned :
Quote:
Note that this update brings the outbound to source NAT migration page, but it is only a formality as outbound NAT will stay in 26.7
Does this basically mean that the same "Grace period" that started for the Firewall Rules when 26.1 was released now apply to Outbound NAT and that it will probably be moved to a plug-in starting with 27.1 next year ?
Quote:
although the legacy firewall rules page will move to a plugin during the major upgrade. It is the same process that was employed with ISC-DHCP.
Does this mean that in order to avoid messing around with a plug-in for the Firewall Rules it would be smarter to migrate them to Firewall Rules (New) before the 26.7 upgrade ?

I have done the same when this was announced for ISC-DHCP and moved to KEA before upgrading to 26.x to avoid potential "Core functionality moving to a plug-in" issues, which eventually turned out to affect some people who had not done the same, so I would like to do this again for the Firewall Rules now :)

Quote:
Due to this addition, however, the source NAT rules entered in the system will no longer work unless the mode is set to either "manual" or "hybrid".
Does that setting sync between Outbound NAT and Source NAT or do you have to confirm both just to be sure nothing goes wrong ?

I will check it myself of course, but I am curious about how it was designed to work so I can report back if anything turns out to be different than expected...

Quote from: Monviech (Cedrik) on July 01, 2026, 08:50:35 PM
And /all/ NAT rule pages now also have CSV upload and download (you're welcome :))
I would hereby like to thank the OPNsense Team for their .CSV files addiction that makes Importing/Exporting Data and/or Settings of all the sub-sections that have this option SUPER EASY !!! :)
#10
Quote from: clash on June 30, 2026, 09:36:19 PM
I will try to setup a downtime this weekend and make a screenshot via the impi console.
It's called IPMI :)

Do you happen to know how old the OPNsense installation is ?

Sometimes the Bootloader needs manual updating, but I am not sure if that's the case here...
#11
Quote from: meyergru on July 02, 2026, 05:29:07 PM
Quote from: nero355 on July 02, 2026, 04:45:48 PM
It's from their Rack Series : https://www.asrockrack.com/general/productdetail.asp?Model=X470D4U#Specifications
I know. I meant these specific Asrock Rack Mainboards are a chimera between consumer chipsets and server features and that never went that good, forums are full of failure reports. The stability of X470 / X570 was not stellar in the first place.
Ahh, OK. Much clearer, thnx! :)
#12
Quote from: staticznld on July 01, 2026, 09:14:02 AM
Also, I personally think adding an extra device for such a small task is a bit overkill.
Small devices are great at small tasks so that's why in the example a Raspberry Pi was used :)

But to each his own of course!
#13
Quote from: Monviech (Cedrik) on July 02, 2026, 10:33:27 AM
In 26.7 the old rules will be turned into a plugin, so they will still work. No pressure to migrate yet.
I don't like depending on stuff that's moved to a plug-in so I guess it's time to migrate before the 26.7 upgrade :)

I did the same with ISC and moved to KEA before the 26.x upgrade, to avoid the plug-in weirdness that some people who did not follow the same plan eventually had, so I was very happy with my choice!

And it looks like I might have to do the same with the Outbound NAT to Source NAT migration according to the 26.1.11 Release Notes so it's going to be very interesting the next couple of weeks :P
#14
Quote from: meyergru on July 01, 2026, 09:29:16 PM
X470 chips in general and the consumer platform based Asrock Mainboards are notorious for failing early, too.
It's from their Rack Series : https://www.asrockrack.com/general/productdetail.asp?Model=X470D4U#Specifications
So basically Workstation/Server hardware even though it's just a X470 Chipset which is indeed Mainstream Consumer stuff :)

But the first thing that came to my mind after reading the title : Why ask this on the OPNsense Forum ?!
And why did you not simply run memtest86+ to check the RAM ?!

Seems straightforward, but could be just me...
#15
IIRC the CISCO CCNA book(s) mention(s) a Router doing Layer 3 Switching somewhere along the way, but I can't remember the exact context anymore :)


/ToMakeThingsEvenWeirder... LOL!