Messages - hacesoft

#1
Good day, here is a link to the latest version of my Device monitor plugin: https://github.com/hacesoft/opnsense-devicemonitor
#2
Quote from: Seimus on January 02, 2026, 01:27:06 PM
Would it be possible to also have notifications via webhook, e.g. to support ntfy instances?


Have a nice day, I added support for webhook, ntfy and custom
#3
Quote from: Monviech (Cedrik) on January 02, 2026, 01:29:13 PM
Hello,

there is a new hostdiscovery service on the OPNsense roadmap that uses a Rust-written daemon that captures ARP and NDP messages via pcap to build a database of known devices.

https://github.com/opnsense/hostwatch

https://github.com/opnsense/core/pull/9354

So something comparable is a core feature soon and integrated into a few components like aliases and captive portal.

So as feedback, you could use the existing sqlite database of the hostwatch service, since it's in core anyway, if you want your own GUI around it.

Have a nice day, it's not yet :), so I'll use my own solution. My plugin can even display devices that don't have an IP address :). And in the DHCP settings, 'Deny unknown clients' is enabled, then I only get the MAC address, which is what I wanted :). And to send the result by email :). If the future add-on works the same or even better, I'll use that, for now I have this :).
#4
Quote from: Seimus on January 02, 2026, 01:27:06 PM
Looks interesting, and reminds me of NetalertX.

Few questions here:
Quote
Requirements

    1. OPNsense 24.x or newer
    2. Working SMTP configuration (System → Settings → Notifications)
    3. SSH access enabled (System → Settings → Administration → Secure Shell)
    4. Root password

2. Working SMTP configuration (System → Settings → Notifications)
Would it be possible to also have notifications via webhook, e.g. to support ntfy instances?


3. SSH access enabled (System → Settings → Administration → Secure Shell)
4. Root password
Does this work only with a Root account? Or does this work with any active admin account with proper permissions?

Regards,
S.

Good day, it definitely wouldn't be a problem to use a webhook to send data instead of email notifications. I have something similar planned at home, where I will be sending data to a protocol center that I have on my NAS in BSD format (RFC 3164). I have the ROOT account disabled on the firewall, and I have my own Admin account on which the plugin works nicely.
#5

Hello everyone! 👋
I've created my first OPNsense plugin:
https://github.com/hacesoft/opnsense-devicemonitor

And would like to share it with you. It's called Device Monitor - a tool for automatic network device monitoring and detection.
What the plugin does:

🔍 Automatic network device scanning (ARP + DNS)
📊 Online/offline status display
🔔 Email notifications for new device detection
🏷️ Manufacturer identification using OUI database
📈 Dashboard with device overview

Technical details:

Python daemon with configurable scan interval
MVC architecture following OPNsense standards
REST API for control
Czech and English translations

The plugin is fully functional, but definitely not perfect. I would love to hear your feedback:

What could I improve?
What features would be useful?
Where did I make mistakes or violate best practices?
Any suggestions for improvements!

I'm open to constructive criticism and looking forward to your insights. Thanks for your time! 🙏
#6
Thank you for your response and recommendations
I'd like to clarify a few things about my configuration:
DNS and hostname:
I'm using internal DNS (firewall.local), I don't have any DynDNS or public domain. I've already created an Unbound DNS override (firewall.local → LAN IP).
Problem resolution:
The problem wasn't NAT Reflection or DNS - the entire issue was a missing firewall rule. The WiFi VLAN was completely isolated and had no access to the firewall, so it couldn't reach the OpenVPN port either. After adding a rule that allows WiFi VLAN → Firewall IP:2000/UDP, everything works.
Security concerns:
Although the problem is solved, I'm not happy with this solution from a security standpoint. By opening a rule from WiFi VLAN to the firewall, I've essentially "punched a hole" in the isolation I originally didn't want.
Original intent:
My goal was to have the WiFi VLAN completely isolated from the local LAN network. Anything from WiFi VLAN that needs access to LAN should only be available through the VPN tunnel. I'm aware that without a valid certificate, nobody can connect to OpenVPN, but I still don't like that WiFi devices have direct access to the firewall IP.
#7
Hello,
I need help with a MaxMind GeoIP problem in OPNsense. The GUI doesn't load the database, even though I'm setting everything up according to the documentation.

🎯 My goal:
I wanted to use a GeoIP alias to block selected countries (CN, RU, IR, KP, BY) on the WAN interface.

📋 Procedure according to documentation:
I followed the official guide:
https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html
1. Creating MaxMind account:

Registered at https://www.maxmind.com/en/geolite2/signup
Generated Account ID and License Key

2. Creating URL with authentication:

According to the guide, I created a URL in the format:

  https://ACCOUNT_ID:LICENSE_KEY@download.maxmind.com/geoip/databases/GeoLite2-Country-CSV/download?suffix=zip
3. Testing URL in browser:

Pasted the URL into browser
✅ Database downloaded successfully (5.2 MB ZIP file)
Extracted it on my computer and checked the content
Files contain correct CSV files according to documentation:

GeoLite2-Country-Locations-en.csv
GeoLite2-Country-Blocks-IPv4.csv
GeoLite2-Country-Blocks-IPv6.csv



4. Configuration in OPNsense GUI:

Firewall → Aliases → GeoIP settings
Pasted URL into "Url" field
Clicked "Apply"

5. Creating GeoIP alias:

Firewall → Aliases → IP → Add
Name: Blocked_Countries
Type: GeoIP
Countries: CN, IR, KP, BY, RU
Save

6. Creating firewall rule:

Firewall → Rules → WAN → Add
Action: Block
Source: Blocked_Countries alias
Save → Apply


❌ Problem:
GUI doesn't load the database:

After applying URL in GeoIP settings, nothing happened
Total number of ranges: 0 (stayed at zero)
Warning: "In order to use GeoIP, you need to configure a source in the GeoIP settings tab"
Firewall rule with GeoIP alias doesn't work - nothing is blocked

Console check:
pfctl -t Blocked_Countries -T show
# Empty - no IP addresses

🔧 Alternative solution (SSH workaround):
Since GUI doesn't work, I tried to bypass the problem via SSH:
1. Manual download and installation of database:
# Download database
curl -L -o /tmp/GeoLite2-Country.tar.gz \
  -u ACCOUNT_ID:LICENSE_KEY \
  'https://download.maxmind.com/geoip/databases/GeoLite2-Country/download?suffix=tar.gz'

# Extract
cd /tmp
tar -xzf GeoLite2-Country.tar.gz

# Copy MMDB to correct directory
find . -name "*.mmdb" -exec cp {} /usr/local/share/GeoIP/ \;
chmod 644 /usr/local/share/GeoIP/*.mmdb

# Verification
ls -lh /usr/local/share/GeoIP/
# Result: GeoLite2-Country.mmdb (9.5 MB)
2. Refresh aliases:
configctl filter refresh_aliases
{"status": "ok"}
3. Functionality test:
# Number of IP addresses in table
pfctl -t Blocked_Countries -T show | wc -l
491970

# Test specific Chinese IP
pfctl -t Blocked_Countries -T test 1.0.1.1
1/1 addresses match.

# Check firewall rule
pfctl -vsr | grep -A 5 "Blocked_Countries"
block drop in log quick on pppoe0 ... from <Blocked_Countries> to any
[ Evaluations: 42    Packets: 0    Bytes: 0    States: 0 ]
✅ It works! GeoIP alias contains 491,970 IP ranges and blocking works.
4. Automating updates - creating update script:
# Create script (downloads, extracts and installs the MMDB exactly like the manual step above, then refreshes the aliases)
cat > /usr/local/bin/update-geoip.sh << 'EOF'
#!/bin/sh
# Download the database archive; abort if the download fails
curl -fsSL -o /tmp/GeoLite2-Country.tar.gz \
  -u ACCOUNT_ID:LICENSE_KEY \
  'https://download.maxmind.com/geoip/databases/GeoLite2-Country/download?suffix=tar.gz' || exit 1

# Extract and copy the MMDB to the GeoIP directory
cd /tmp && tar -xzf GeoLite2-Country.tar.gz
find /tmp -name "*.mmdb" -exec cp {} /usr/local/share/GeoIP/ \;
chmod 644 /usr/local/share/GeoIP/*.mmdb

# Reload the aliases so the new ranges land in the pf table
/usr/local/sbin/configctl filter refresh_aliases

echo "GeoIP database updated: $(date)"
EOF

# Set permissions
chmod +x /usr/local/bin/update-geoip.sh

# Test script
/usr/local/bin/update-geoip.sh
# Result: {"status": "ok"}
# GeoIP database updated: Sat Nov 1 22:14:05 CET 2025
5. Setting up cron job in GUI:

System → Settings → Cron → Add
Minutes: 0
Hours: 3
Days of week: 2,5 (Tuesday, Friday)
Command: /usr/local/bin/update-geoip.sh
Description: Update GeoIP database
Save → Apply


✅ Result of workaround solution:

✅ GeoIP blocking works
✅ 491,970 IP ranges from CN, RU, IR, KP, BY
✅ Automatic updates twice a week
✅ Firewall rule active and blocking

BUT:

❌ GUI still shows Total number of ranges: 0
❌ Warning in GUI still present


💻 My environment:

OPNsense: Tested on both Community Edition 25.7.6 and Business Edition 25.10_2 - same problem on both
MaxMind: GeoLite2-Country (free)
Formats: Tried CSV (zip) and MMDB (tar.gz) - GUI doesn't load either


❓ Questions:

Why doesn't the GUI load the database from MaxMind URL, even though it downloads successfully in browser?
Is this a known issue in OPNsense 25.7.6 / 25.10_2?
Is there a way to get standard GUI downloading to work?
Or is my SSH workaround an acceptable long-term solution?

Thank you for any help
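Added example (not from the original post and not OPNsense's own code): how the three CSV files listed in step 3 are turned into per-country range tables of the kind a GeoIP alias is built from, using constructed sample rows in the GeoLite2-Country layout. It also shows the fallback from an empty geoname_id to registered_country_geoname_id, and a membership check that plays the role of `pfctl -t Blocked_Countries -T test`.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the GeoLite2-Country CSV layout (not real MaxMind data).
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
1814991,en,AS,Asia,CN,China,0
2017370,en,EU,Europe,RU,Russia,0
2077456,en,OC,Oceania,AU,Australia,0
"""

BLOCKS_IPV4_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
1.0.0.0/24,2077456,2077456,,0,0
1.0.1.0/24,1814991,1814991,,0,0
1.0.2.0/23,,1814991,,0,0
5.8.0.0/19,2017370,2017370,,0,0
"""

def load_countries(locations_csv):
    """Map geoname_id -> ISO country code from the Locations file."""
    return {row["geoname_id"]: row["country_iso_code"]
            for row in csv.DictReader(io.StringIO(locations_csv))}

def build_country_tables(blocks_csv, countries):
    """Group networks by country code, the way a GeoIP alias table is built."""
    tables = {}
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        # Some blocks carry no geoname_id; fall back to the registered
        # country so the range is not silently dropped from the table.
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        code = countries.get(gid)
        if code is not None:
            tables.setdefault(code, []).append(ipaddress.ip_network(row["network"]))
    return tables

def alias_networks(tables, selected):
    """Union of the ranges for the countries selected in the alias."""
    return [net for code in selected for net in tables.get(code, [])]

def matches(alias, ip):
    """Equivalent of `pfctl -t <alias> -T test <ip>`: is ip inside any range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)

if __name__ == "__main__":
    tables = build_country_tables(BLOCKS_IPV4_CSV, load_countries(LOCATIONS_CSV))
    blocked = alias_networks(tables, ["CN", "RU", "IR", "KP", "BY"])
    print(len(blocked), "ranges; 1.0.1.1 blocked:", matches(blocked, "1.0.1.1"))
```

Countries selected in the alias but absent from the Locations file (IR, KP, BY in the sample) simply contribute no ranges, which is one way a table can end up smaller than expected.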
#8
Hello,
I need help with an OpenVPN connection problem from my local network.
🎯 What I want to achieve:
Connect to OpenVPN server from my mobile phone, whether I'm connected on mobile data (outside) or on my home WiFi VLAN.

✅ What works:

Connection to OpenVPN from the internet (mobile data) works perfectly
OpenVPN server runs on UDP port 2451
Certificate-only authentication (without username/password) works


❌ What doesn't work:

Connection to OpenVPN from home WiFi VLAN - cannot establish connection
Mobile phone is connected to WiFi VLAN which has no access to home LAN (it's isolated)
Trying to connect to WAN IP/hostname of the firewall


🔧 What I have configured:
OpenVPN server configuration:

Protocol: UDP
Port: 2451
Bind address: 0.0.0.0

Client Export configuration:

VPN → OpenVPN → Client Export → Custom config:

  proto udp
  remote firewall.local 2451
NAT Reflection - I tried:

First attempt: NAT Reflection on specific WiFi VLAN interface

Interfaces → [WiFi_VLAN] → Settings → NAT Reflection


Second attempt: Global NAT Reflection

Firewall → Settings → Advanced → Network Address Translation
✅ "Reflection for port forwards" - enabled
✅ "Reflection for 1:1" - enabled



Result: Neither works - still cannot connect from WiFi VLAN.

💻 My environment:

OPNsense: Tested on both Community Edition 25.7.6 and Business Edition 25.10_2 - same problem on both
OpenVPN server: UDP on port 2451
WiFi VLAN: Isolated from LAN, but has internet access through WAN


❓ Question:
How to properly configure OPNsense so that OpenVPN works when connecting from local WiFi VLAN?
Do I need a special firewall rule? Or different NAT Reflection settings? Or maybe a completely different approach?
Thank you for any advice!