Topics - datenimperator

#1
I'm trying to install OpnSense on a new mini PC.

https://www.aliexpress.com/item/1005007278560105.html

During startup, only the SFP+ ports are detected. The RJ45 ports aren't even activated. I already reset the BIOS to defaults and am certainly running a fresh install, but to no avail.

EDIT: Running "pciconf -lcbv" lists two 82599ES 10Gb devices but nothing else.

I'd like to use the SFP and RJ45 ports in parallel. Is that even possible? What am I missing?

Regards

Christian
#2
Hi, I'd like to run OpnSense on a device providing at least one SFP+ port for a fiber connector.

The standard decisio hardware surely is great but too expensive for my home use.

Is there any budget recommendation for this? I'm using OpnSense on a $150 4c NUC currently, and that thing is vastly overpowered (although fun :-) for what it does. I'd simply need something similar, but with an SFP slot.

Any ideas? Kind regards

Christian
#3
Hi all,

I was using the DNS blocklist feature of Unbound to save my home lan from ads and other malicious stuff. In particular, I activated the "blocklist.site ads" element.

Seems this overdid it a little. Eg the Deezer client on my Linux PC stated that it was offline every few minutes. Playing songs worked, however. Also, my Smart TV reported it wasn't able to download software updates.

I switched to the AdAway list recently, and the issues went away. Here's my question:

How would I log/monitor blocklist activities in particular? I'd like to keep an eye on blocklisted replies, along with the IP from where the request originated. Simply increasing the Unbound log level quickly fills my HD with GB worth of log data. Too much.

Regards

Christian
#4
So I had my OpnSense running smoothly on a NUC-like mini PC (like the Protectli Vault FW4B). I wanted to upgrade my home network to 2.5GBit and upgraded the router hardware as well.

On my old appliance, the Intel I210at interfaces were numbered as igb[0,1,2,3]

On the new one, it is Intel I225-V, and they are named igc[0,1,2,3]

I did not expect the network interface names to change. So when I swapped the m.2 drive from the old to the new hardware, a lot of settings were broken, because they referred to non-existing interfaces.

Is there a smarter way to do this, something that would have accounted for the change in interface names? Regards

Christian
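One way to handle the igb-to-igc rename described above before booting the moved drive is to rewrite the device names in a config backup. This is an added example, not code from the thread or from OPNsense; it assumes the backup stores each interface's physical device in an <if> element (and VLAN parents/children in <if>/<vlanif>), and the XML below is a constructed sample, not a real config.

```python
"""Rewrite physical interface names (e.g. igb0 -> igc0) in an OPNsense-style
config.xml backup. Assumed layout: <interfaces><lan><if>igb1</if>... and
<vlans><vlan><if>igb2</if><vlanif>igb2_vlan10</vlanif>."""
import re
import xml.etree.ElementTree as ET

# Constructed sample backup for demonstration only.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb2_vlan10</if><descr>IOT</descr></opt1>
    <opt2><if>lo0</if><descr>Loopback</descr></opt2>
  </interfaces>
  <vlans>
    <vlan><if>igb2</if><tag>10</tag><vlanif>igb2_vlan10</vlanif></vlan>
  </vlans>
</opnsense>
"""


def rename_interfaces(xml_text, old_driver, new_driver):
    """Return (new_xml, changes). Every <if>/<vlanif> value that starts with
    old_driver followed by a unit number is rewritten to new_driver plus the
    same unit number; any suffix (e.g. _vlan10) is preserved, so igb2_vlan10
    becomes igc2_vlan10 while unrelated devices such as lo0 are left alone."""
    pattern = re.compile(r'^%s(\d+)(.*)$' % re.escape(old_driver))
    root = ET.fromstring(xml_text)
    changes = []
    for tag in ('if', 'vlanif'):
        for elem in root.iter(tag):
            match = pattern.match(elem.text or '')
            if match:
                new_name = '%s%s%s' % (new_driver, match.group(1), match.group(2))
                changes.append((elem.text, new_name))
                elem.text = new_name
    return ET.tostring(root, encoding='unicode'), changes


if __name__ == '__main__':
    new_xml, changes = rename_interfaces(SAMPLE_CONFIG, 'igb', 'igc')
    for old, new in changes:
        print('%s -> %s' % (old, new))
```

Run it against a config.xml backup, review the printed mapping, and import the rewritten file; unit numbers are assumed to map 1:1, so check the physical port order on the new board.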
#5
Dear all,

(sorry for cross-posting, I already asked for help in the German sub-forum)

I'm trying to configure my opnsense 22.1.5 with proper dualstack IPv4/IPv6.


  • WAN IPv6 is set to DHCP, request prefix only, delegation size /59
  • LAN IPv6 is set to "track interface WAN"

This has been successful in the past, but it doesn't work now. WAN doesn't seem to receive an IPv6 prefix, and LAN isn't assigned a public (non fe80) address either.

But: The DHCP debug log file reads:

IA_PD prefix: 2a02:908:696:2b20::/59 pltime=43200 vltime=86400

That is my prefix, right there. Am I doing this wrong? Any help is appreciated. Regards

Christian
#6
Hello everyone,

I'm using a Technicolor TC4400 modem with a Unitymedia/Vodafone gigabit cable connection (NRW). I had managed to get an additional IPv6 subnet, and the delegation also worked in the past.

* The WAN interface uses DHCP6 to request a /59 prefix
* The LAN interface is set to "Track Interface" for IPv6

With that, everything else worked as well: two gateways (one IPv4, one IPv6), DNS for both protocols, radvd & co.

For some time now this doesn't seem to work anymore. I no longer see a prefix in the UI, even though the dhcp6 log file contains lines like this:

IA_PD prefix: 2a02:908:696:2b20::/59 pltime=43200 vltime=86400

That is the prefix I was able to use before, but OpnSense 22.1.5 doesn't seem to work with it anymore. Does anyone have a tip on how to get this running again? Regards

Christian
#7
Dear all,

I'm running current stable OpnSense on an APU 2E4 AMD GX-412TC SOC (4 cores) w/ 4GB RAM. No VPN, typical load average ~0.5, 20-40% CPU usage.

I started using this setup while I was on a 400 Mb WAN, and it was well capable of saturating the line. My ISP upgraded to 1Gb 6 months ago, and I was never able to see more than ~600 Mb throughput, whatever I tried. I installed iperf on the router and on a wired client, also nowhere near one gigabit.

I've read about router performance issues with the kernel that comes with 20.7. Are these expected to be mitigated any time soon? Will upgrading to a stronger CPU help? Should I downgrade to 20.1?

Any help is appreciated. Regards

Christian
#8
German - Deutsch / DNS AAAA filter possible?
October 13, 2018, 04:08:50 PM
Hello everyone,

I'm using a dual-stack setup with HEnet IPv6, since Unitymedia doesn't offer me native IPv6 support. That all works fine. Only watching Netflix doesn't work, and that's because their hosts have IPv6 DNS addresses and Netflix classifies HEnet as a proxy and blocks access.

https://forums.he.net/index.php?topic=3566.0

There are many possible solutions; the most promising is to filter the DNS replies so that clients only receive A answers for certain Netflix domains and no AAAA records anymore.

There are guides on how to delegate those domains to a separate DNS server (e.g. BIND) and instruct it not to return IPv6 results. I'm wondering: is this also possible without a separate DNS server? Can opnsense do this by itself? Does anyone have an idea? Best regards

Christian
#9
17.7 Legacy Series / PHP error on 17.7.9?
December 13, 2017, 10:59:04 AM
Hi,

my 17.7.9 install reports errors like this:

[07-Dec-2017 15:15:01 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/etc/inc/filter.inc on line 1640


Is this something with my installation, does it require me to do something? Regards

Christian
#10
17.1 Legacy Series / Filtering by MAC address
March 21, 2017, 07:47:31 AM
It'd be great if I could use MAC addresses in alias lists, e.g. for filter rules by source. Use case: Restrict access for certain devices on the network, no matter what IP address they use.

I understand that there is a way using the captive portal to achieve something similar but it feels rather complicated. One could also use static DHCP assignments although this would be trivial to circumvent. As I understand, FreeBSD's ipfw is capable of filtering by MAC address [1] although I'm not sure how opnsense builds on ipfw (or pf). Also I see that spoofing of MAC addresses is possible, although it's probably a little harder than just requesting/configuring another IP address.

Any thoughts on this? Regards,

Christian

[1] https://www.freebsd.org/cgi/man.cgi?ipfw(8)
#11
17.1 Legacy Series / Blocked traffic from LAN
February 14, 2017, 11:15:58 AM
Hi,

I've started to use Graylog to analyze opnsense logs and others, and it occurred to me that lots of blocked traffic originates from our local lan. This puzzles me since our LAN has exactly those 3 rules:


  • Anti-Lockout Rule
  • Default allow LAN to any rule (IPv4)
  • Default allow LAN to any rule (IPv6)

Why is traffic from LAN blocked on our firewall? Regards

Christian

PS: Where do I find documentation on the log format opnsense uses? Read: It logs a number of values separated with commas. Where can I find the attribute names?
#12
I'd like to set up rules on a subnet so that hosts on that network may access the gateway IP and external IPs but not each other. opnsense is the gateway for that /24 subnet as well as DNS forwarder. Is there a way to set this up? Regards

Christian