"
The strange thing about the BIOS flash is that the device simply shuts itself off at 100%. There's no information given that this is about to happen, and the process just sits at 100%. In reality, nothing else is being updated at that point. You'd expect some kind of message like 'powering off...', then a blank screen, and only then the shutdown. Just keep an eye on the power LED.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
Hardware and Performance / Re: Latest BIOS update bricked my DEC740
February 13, 2026, 01:04:18 PM #2
Virtual private networks / RFC 8784 Standards Track - PostQuantum VPN (IPSec IKEv2) - current progress?
February 11, 2026, 05:48:01 PM
To whom it may concern..
what`s the current state of the RFC 8784 [1] in OPNsense/stronswan/..?
(and whats the state at client side, windows11 :-D)
Maybe OPNsense may write use two lines about?
facts:
- stronswan seems to have it implemented already. [2]
- DH/RSA/EC should be considered as broken soon [3]
- symmetric AES256 should be used everywhere, because AES128 is dead soon too, as Grover [4] tells us quantum will reduce AES256 to a AES128 problem.
- BSI (Bundesamt für Sicherheit in der Informationstechnik) finally told us today, we need to be quantum safe at about ~2030 [5]
- i prefer symmetric only encryption like aes256 or one-time-pads ;-), so RFC 8784 will mix the "best" of both worlds
- a seemless integration is being specified, so you can deploy new PPK ("the anti-quantum 2nd PSK key" or lets say additional key for encryption) as optional first. once deployed you can enable enforcement later.
[1] https://datatracker.ietf.org/doc/html/rfc8784
[2] https://docs.strongswan.org/docs/latest/features/ietf.html
[3] https://en.wikipedia.org/wiki/Shor%27s_algorithm (Wikipedia! :-P)
[4] https://en.wikipedia.org/wiki/Grover%27s_algorithm (Wikipedia!)
[5] https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2026/260211_Ende_klassischer_Verschluesselungsverfahren.html
what`s the current state of the RFC 8784 [1] in OPNsense/stronswan/..?
(and whats the state at client side, windows11 :-D)
Maybe OPNsense may write use two lines about?
facts:
- stronswan seems to have it implemented already. [2]
- DH/RSA/EC should be considered as broken soon [3]
- symmetric AES256 should be used everywhere, because AES128 is dead soon too, as Grover [4] tells us quantum will reduce AES256 to a AES128 problem.
- BSI (Bundesamt für Sicherheit in der Informationstechnik) finally told us today, we need to be quantum safe at about ~2030 [5]
- i prefer symmetric only encryption like aes256 or one-time-pads ;-), so RFC 8784 will mix the "best" of both worlds
- a seemless integration is being specified, so you can deploy new PPK ("the anti-quantum 2nd PSK key" or lets say additional key for encryption) as optional first. once deployed you can enable enforcement later.
[1] https://datatracker.ietf.org/doc/html/rfc8784
[2] https://docs.strongswan.org/docs/latest/features/ietf.html
[3] https://en.wikipedia.org/wiki/Shor%27s_algorithm (Wikipedia! :-P)
[4] https://en.wikipedia.org/wiki/Grover%27s_algorithm (Wikipedia!)
[5] https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2026/260211_Ende_klassischer_Verschluesselungsverfahren.html
#3
25.1, 25.4 Legacy Series / Re: Referring to CRL Distribution Point as quick hack?
February 06, 2026, 05:16:38 PMQuote from: franco on October 06, 2025, 01:56:54 PMA random string for security requirement reasons? Maybe I'm in the wrong field. ;)I bet you guessed me wrong.
I just want to have an option to add crl url attribute to my CA/Certs.
I dont like CRL, in my use case, but MS enforces it.
#4
25.1, 25.4 Legacy Series / Re: Referring to CRL Distribution Point as quick hack?
November 14, 2025, 12:40:38 PM
The Problem is, for internal RDP Access or internal Exchange CA, we need a CRL Url, as MS forces it to be present.
It is not about OCSP/CRT which one is better or if it is useful. It is just about what MS dictates. Thats the law.
Currently we can make CRL files, but the URL is not included in the Certificate.
We just would need a simple Attribute for the CRL, which could be manually entered (or defaulted).
This would be no security risk. it does not need to be managed.
Also it would be good practice and a useful optional feature to just set the url.
It would be very easy to implement (i guess 10 minutes ;-), it has not disadvantage and is logical, as it adds a connection to the already offered crl.
Currently it is strange, that we can make CRL but not add them to certs anyway.
Nevertheless if opnSense would upload and maintain the CRL list using sftp on a webserver it would be perfect.
But this would be much work todo, so i did not suggest the full feature.
It is good practice, to use your own CA for management devices etc.
The own CA is better than any third-party one imho.
Also for internal IPs it is not possible to gain Certs from big CAs.
If a CRL is not set, we are forced to use the self-signed snail certs from MS or have to deploy AD Certs...
It is not about OCSP/CRT which one is better or if it is useful. It is just about what MS dictates. Thats the law.
Currently we can make CRL files, but the URL is not included in the Certificate.
We just would need a simple Attribute for the CRL, which could be manually entered (or defaulted).
This would be no security risk. it does not need to be managed.
Also it would be good practice and a useful optional feature to just set the url.
It would be very easy to implement (i guess 10 minutes ;-), it has not disadvantage and is logical, as it adds a connection to the already offered crl.
Currently it is strange, that we can make CRL but not add them to certs anyway.
Nevertheless if opnSense would upload and maintain the CRL list using sftp on a webserver it would be perfect.
But this would be much work todo, so i did not suggest the full feature.
It is good practice, to use your own CA for management devices etc.
The own CA is better than any third-party one imho.
Also for internal IPs it is not possible to gain Certs from big CAs.
If a CRL is not set, we are forced to use the self-signed snail certs from MS or have to deploy AD Certs...
#5
25.1, 25.4 Legacy Series / Referring to CRL Distribution Point as quick hack?
October 04, 2025, 04:49:34 PM
Hi,
referring to my Feature Request, is it possible to get a CRL Attribute quickly into a new Server Certificate?
MS Exchange Server, MS Remotedesktop, ... all need an valid CRL URL.
Its just a simple string...
Maybe there is a way to edit a template or pass sth?
referring to my Feature Request, is it possible to get a CRL Attribute quickly into a new Server Certificate?
MS Exchange Server, MS Remotedesktop, ... all need an valid CRL URL.
Its just a simple string...
Maybe there is a way to edit a template or pass sth?
#6
25.1, 25.4 Legacy Series / IONOS DynDNS Api - HowTo
April 26, 2025, 04:15:47 PM
Hi,
let's start giving sth. to the community, before posting ask-posts...
How-To Setups IONOS API with Dynamic DNS?
1. Install ddclient Package
2. Goto Services>Dynamic DNS
3. Check if General Settings is to "native" for backend
4. Use the Update URL from IONOS Manual [1]
5. Add Account (+) with: Service: custom, Protocol: Custom GET
For Server put: https://ipv4.api.hosting.ionos.com/dns/v1/dyndns?q=xxxxxxxxxxxxxxxxxxxxxxSECRETxxxxxxfromxxxxAPIxxxxPortal&ipv4=__MYIP__
Hostname: Your DynDNS Hostname which should be the same as in API command
Check ip method: Interface [IPv4] if direct dialin/connection (OPNsense knows WAN IP)
Interface to monitor: WAN IF (e.g. VLAN 7 or PPoE)
Force SSL: enabled (default)
The main difference which can cause problems is:
1. You try POST instead of GET (because IONOS writes about POST...)
2. You can use the GET URL in your Browser and it works without &ipv4=__MYIP__ but if you dont add this in this Server URI, it wont work.
Logs are so bad, even on verbose, there should be a much more detailed Web-UI for debugging this...
Anyway i hope someone finds this information usefull.
if so, please just reply if it worked for your.
[1] https://www.ionos.de/hilfe/domains/ip-adresse-konfigurieren/dynamisches-dns-ddns-einrichten-bei-company-name/
let's start giving sth. to the community, before posting ask-posts...
How-To Setups IONOS API with Dynamic DNS?
1. Install ddclient Package
2. Goto Services>Dynamic DNS
3. Check if General Settings is to "native" for backend
4. Use the Update URL from IONOS Manual [1]
5. Add Account (+) with: Service: custom, Protocol: Custom GET
For Server put: https://ipv4.api.hosting.ionos.com/dns/v1/dyndns?q=xxxxxxxxxxxxxxxxxxxxxxSECRETxxxxxxfromxxxxAPIxxxxPortal&ipv4=__MYIP__
Hostname: Your DynDNS Hostname which should be the same as in API command
Check ip method: Interface [IPv4] if direct dialin/connection (OPNsense knows WAN IP)
Interface to monitor: WAN IF (e.g. VLAN 7 or PPoE)
Force SSL: enabled (default)
The main difference which can cause problems is:
1. You try POST instead of GET (because IONOS writes about POST...)
2. You can use the GET URL in your Browser and it works without &ipv4=__MYIP__ but if you dont add this in this Server URI, it wont work.
Logs are so bad, even on verbose, there should be a much more detailed Web-UI for debugging this...
Anyway i hope someone finds this information usefull.
if so, please just reply if it worked for your.
[1] https://www.ionos.de/hilfe/domains/ip-adresse-konfigurieren/dynamisches-dns-ddns-einrichten-bei-company-name/
#7
24.7, 24.10 Legacy Series / Re: Feature Request - DualImage and Write Memory
March 16, 2025, 06:05:18 PMQuote from: meyergru on March 16, 2025, 06:00:32 PMMaybe you should take a look at snapshots, which would probably solve all of those problems - and they do not use double the HDD space...
This seems to be a quite intelligent solution, so we can define a snapshot in a good well known state and set it to recover on next boot.
then play and fiddle with the config and lets see if we can do 1-2 days.
then make a new snapshot and set it as default.
seems to be a good solution, maybe we can automate this a bit?
#8
24.7, 24.10 Legacy Series / Feature Request - Dirty WOL Machine (Magic Packet)
March 16, 2025, 06:02:35 PM
If someone needs WOL, it needs to be easy for users. Users arent admins, users are lazy, they need scripts etc.
If we inject WOL Packets from another Router using NAT or over same Router using IPSec, we cant WakeUp using Wake-On-LAN.
We can use the UDP Relay Plugin, so the NAT Router will forward Port x UDP to the goal subnet for a specific IP...
Imagine we use a wakeup tool, which creates an UDP Packet with dst-pc-for-wakeup like aa:bb:cc:dd:ee:ff and as parameter for UDP packet an IP Address like 192.168.x.123 or 192.168.x.255.
In the first case, we will know that this IP Address is not there, as the device is sleeping. so no response of being heared..
in this case, the router should be intelligent, and detect, that the package is for broadcast ff:ff:ff:ff:ff layers 2 and resend it here.
maybe we can add a dummy alias ip as neighbour like 129.168.x.222 with broadcast ff.. mac.. so if proxy arp for this IP is enabled.. the OPNsense will send to broadcast.. anyway thats tricky. there should be a simple thing like:
forward and obey magic packets correctly
OR
add an alias ip, when this ip is pinged from IPsec connection n, then wakeup this host. maybe it could be the same ip of the host.
OR
just notice that an UDP packet to ...255 broadcast address should just be resend on ff:.... even if in routing mode for IPSec client etc. or behind NAT.
maybe someone may understand whats my concern ;)
If we inject WOL Packets from another Router using NAT or over same Router using IPSec, we cant WakeUp using Wake-On-LAN.
We can use the UDP Relay Plugin, so the NAT Router will forward Port x UDP to the goal subnet for a specific IP...
Imagine we use a wakeup tool, which creates an UDP Packet with dst-pc-for-wakeup like aa:bb:cc:dd:ee:ff and as parameter for UDP packet an IP Address like 192.168.x.123 or 192.168.x.255.
In the first case, we will know that this IP Address is not there, as the device is sleeping. so no response of being heared..
in this case, the router should be intelligent, and detect, that the package is for broadcast ff:ff:ff:ff:ff layers 2 and resend it here.
maybe we can add a dummy alias ip as neighbour like 129.168.x.222 with broadcast ff.. mac.. so if proxy arp for this IP is enabled.. the OPNsense will send to broadcast.. anyway thats tricky. there should be a simple thing like:
forward and obey magic packets correctly
OR
add an alias ip, when this ip is pinged from IPsec connection n, then wakeup this host. maybe it could be the same ip of the host.
OR
just notice that an UDP packet to ...255 broadcast address should just be resend on ff:.... even if in routing mode for IPSec client etc. or behind NAT.
maybe someone may understand whats my concern ;)
#9
24.7, 24.10 Legacy Series / Feature Request - Preselected Algos everywhere
March 16, 2025, 05:52:58 PM
If we dont need to be compatible or world-open, we just dictate... just use SHA512 or better, just use aes-256 etc..
okay for Webservers we need to obey (maybe) some minimal algos, but...
i think we just need to support current firefox, chrome, edge, and lynx/wget.
so we need paranoia-templates, so we can save them once and reuse them everytime we create a new ipsec dialin, a new cert, etc.
also we need presets for lame vendors who just support RSA2048+SHA256.. maybe we could name these presets like the vendor netg*** and so on.
Off-topic: also we need export options for exporting certs in different styles like binary/ms rdp style etc...
okay for Webservers we need to obey (maybe) some minimal algos, but...
i think we just need to support current firefox, chrome, edge, and lynx/wget.
so we need paranoia-templates, so we can save them once and reuse them everytime we create a new ipsec dialin, a new cert, etc.
also we need presets for lame vendors who just support RSA2048+SHA256.. maybe we could name these presets like the vendor netg*** and so on.
Off-topic: also we need export options for exporting certs in different styles like binary/ms rdp style etc...
#10
24.7, 24.10 Legacy Series / Feature Request - DualImage and Write Memory
March 16, 2025, 05:49:21 PM
Currently we are not state-of-the-art, we can change settings and apply them.
But why do we force them to save?
i would prefer the normal CLI way, that every setting (not for CA, etc, but for Firewall/IFs/..), we should have no immediate save.
Instead after changing settings and/or pressing apply, all settings should be inside a running-config.
If and only if we do a logout with save confirmation or manually save action using write-memory from CLI (shell) or GUI, we wont persist on the current conf.
Another variant would be, to have some tagged configs, which work fine, so if we go to our OPNsense and know it was running fine, we make a tagged config.
This tagged config should be selectable, maybe we could have 20 or more of them with a description like an svn commit.
Anyway if we put the power plug, running-config needs to be dropped and we want to start with startup-config instead so we cant ever lockout ourself.
okay plugging out is ancient, but another way would be:
If OPNsense notices, that the Web or SSH connection which initiated the change is not communicating anymore, it should do a rollback to a well known state.
Also it needs to check a new handshake... and some more tests..
Maybe its ancient, but its well prooven. we could have a watchdog, which notices, that the admin is not connected anymore, and then it could rollback.
a bit offtopic but also same thing:
add dual firmware image / dual installation like android project treble with AB image.
if update fails, we need a super quick way to get back.
no time for playing BSD admin on shell or sth else.. nobody wants this...
we just want to go back to previous installation before update.
means just use double HDD space for installation.
But why do we force them to save?
i would prefer the normal CLI way, that every setting (not for CA, etc, but for Firewall/IFs/..), we should have no immediate save.
Instead after changing settings and/or pressing apply, all settings should be inside a running-config.
If and only if we do a logout with save confirmation or manually save action using write-memory from CLI (shell) or GUI, we wont persist on the current conf.
Another variant would be, to have some tagged configs, which work fine, so if we go to our OPNsense and know it was running fine, we make a tagged config.
This tagged config should be selectable, maybe we could have 20 or more of them with a description like an svn commit.
Anyway if we put the power plug, running-config needs to be dropped and we want to start with startup-config instead so we cant ever lockout ourself.
okay plugging out is ancient, but another way would be:
If OPNsense notices, that the Web or SSH connection which initiated the change is not communicating anymore, it should do a rollback to a well known state.
Also it needs to check a new handshake... and some more tests..
Maybe its ancient, but its well prooven. we could have a watchdog, which notices, that the admin is not connected anymore, and then it could rollback.
a bit offtopic but also same thing:
add dual firmware image / dual installation like android project treble with AB image.
if update fails, we need a super quick way to get back.
no time for playing BSD admin on shell or sth else.. nobody wants this...
we just want to go back to previous installation before update.
means just use double HDD space for installation.
#11
24.7, 24.10 Legacy Series / Feature Request - Add CIDRless IPSec Pool
March 16, 2025, 05:40:19 PM
Currently we are allowed to obey CIDR if configuring IPs inside a Pool for IPSec Clients.
If we dont need routing, we dont need CIDR, because we use Proxy ARP, so please allow to enter an IP Address range like 192.168.x.123-192.168.x.125,
so we can save many IP Addresses inside a Subnet, when we just use Proxy ARP for some Homeoffice Users.
If we dont need routing, we dont need CIDR, because we use Proxy ARP, so please allow to enter an IP Address range like 192.168.x.123-192.168.x.125,
so we can save many IP Addresses inside a Subnet, when we just use Proxy ARP for some Homeoffice Users.
#12
24.7, 24.10 Legacy Series / Feture Request - Add CRL Distribution Point to own CA Certs
March 16, 2025, 05:17:11 PM
Please add "crlDistributionPoints" Attribute to the own Trust->CA. (means to every new Certificate)
Currently MS Remotedesktop, MS Exchange Server, etc. forces an CRL to be present, even if it is useless in many cases.
So we need to have an option to set this cert value to an CRL url like http://crl.example.com/crl/root.crl
Also please preserve several settings like DNS Names, and all other values, if updating a certificate.
Also add an option to sync Trust/CA on 2 OPNSense firewalls as CA Backup, without having to import/export whole config.
Maybe a CA only export/import including all certs.
About the CRL Download: Pfsense already fixed it [1], we need an empty CRL as download.
nobody starts with an 1+ CRL size, most we a clean and dont need a revocation.
Also offer automatic upload like OPNsense could upload the current CRL to a sftp server after a change.
[1] https://github.com/pfsense/pfsense/commit/48f1333bfd64b078016135ae089906d4e03deb0e
Kind Regards
BGP4
Currently MS Remotedesktop, MS Exchange Server, etc. forces an CRL to be present, even if it is useless in many cases.
So we need to have an option to set this cert value to an CRL url like http://crl.example.com/crl/root.crl
Also please preserve several settings like DNS Names, and all other values, if updating a certificate.
Also add an option to sync Trust/CA on 2 OPNSense firewalls as CA Backup, without having to import/export whole config.
Maybe a CA only export/import including all certs.
About the CRL Download: Pfsense already fixed it [1], we need an empty CRL as download.
nobody starts with an 1+ CRL size, most we a clean and dont need a revocation.
Also offer automatic upload like OPNsense could upload the current CRL to a sftp server after a change.
[1] https://github.com/pfsense/pfsense/commit/48f1333bfd64b078016135ae089906d4e03deb0e
Kind Regards
BGP4
Pages1
