Topics - spetrillo

#1
Web Proxy Filtering and Caching / Caddy and DDNS
February 03, 2026, 06:21:48 PM
My OPNsense firewall is behind my ISP router and set up as a DMZ host. I have set up DDNS on the ISP router, since it has the public WAN IP. This has been working for over 2 years. I now want to put a web server behind my OPNsense firewall, but I would like to use Caddy on the OPNsense firewall, for proxy and certificate management. Would it be advisable to use HTTP or DDNS for certificate issuance and management? In my mind's eye I would like to register the domain name, in this case *.petrilloconsulting.net, to Caddy and then use subdomains to identify the actual web services.
#2
Intrusion Detection and Prevention / IDS Web Server
February 02, 2026, 07:08:45 PM
Hello all,

Does Suricata have a web interface that I could expose, so people could have read access to see the alerts?

Thanks,
Steve
#3
General Discussion / Certificate Removal
February 02, 2026, 06:59:46 PM
Hello all,

I had used Let's Encrypt to protect a web server that is proxied by Caddy. I would like to revoke the certs in OPNsense but it's not doing as it shows it should work. What is the right process?

Thanks,
Steve
#4
26.1 Series / 26.1 - Success
February 02, 2026, 06:27:47 PM
Hello all,

I have upgraded 3 firewalls to 26.1 and they all have been successful. This is the first time in at least 2 years where I did not have an issue with the upgrade, so kudos to the team. On 2 of the 3 firewalls I have also migrated my firewall rules...all without issue. The 3rd is a production firewall and will be done in my upgrade window next weekend.

Way to go team!

Steve
#5
25.7, 25.10 Series / Unbound to DNSmasq/KEA?
January 20, 2026, 08:10:20 PM
Hello all,

I am still using ISC for DHCP and would like to rip the band aid off and migrate to KEA for DHCP, DNSMasq for local DNS, and Unbound as the DNS that talks to the Internet. Has anyone done this? Is this a good plan or is there a better solution? Is there a document that talks about making the split? I did not find one.

Thanks,
Steve
#6
25.7, 25.10 Series / CSRF Check
January 19, 2026, 07:35:44 PM
Hello all,

Ever since I upgraded to 25.7.11 I am getting the following when I log in:

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

I have rebooted OPNsense but it does not fix this. What is this about?

Thanks,
Steve
#7
General Discussion / Dual Public IP Usage
January 07, 2026, 01:05:59 AM
Hello all,

I have a /29 of public IPs from my ISP.

I have production and test web servers that need to be public facing. My production servers go out via the normal WAN interface. I have begun to set up the test servers and set up a virtual IP in OPNsense, using another of the public IPs. I have set up NATs and firewall rules, which are attached. When both the prod and test rules are active I cannot issue SSL certificates to either the prod or test servers.

Does anyone know what I am doing wrong? I need both test and prod rules running.

Thanks,
Steve
#8
General Discussion / Virtual IP Question
January 06, 2026, 05:04:04 PM
Hello all,

I have a /29 of public IPs. I am using one for the WAN interface, but now I want to separate prod and test web services, by using a second of the /29 to assign to my test web stuff. I have added the virtual IP but I specified it with a /32. Is this correct or should I be using the /29 instead?

Thanks,
Steve
#9
25.7, 25.10 Series / Unbound DNS Questions
December 30, 2025, 08:16:59 PM
Hello all,

I am running Unbound as my DNS server. I have a server whose resolv.conf is set up as:

nameserver 127.0.0.53
options edns0 trust-ad
search rics.prod regulatoryintelligence.com

The hosts file is set up as:

10.0.2.21       app1.rics.prod app1

When I run nslookup app1 it responds as:

Server:         127.0.0.53
Address:        127.0.0.53#53

Name:   app1.rics.prod
Address: 10.0.2.21

Why am I not seeing my Unbound server in the server or address section? Should I not see this, since Unbound is the only DNS server? Am I misconfigured?

Thanks,
Steve
#10
Hello all,

I made the move to DNSmasq for local DNS and DHCP services, with Unbound as my authoritative server that looks at Quad9 on the Internet. Attached is my Dnsmasq config and Unbound config. Am I missing anything in the configs? Lastly I am using the DNSSEC services from Quad9. When I try to hit their URL for this I get back an "unable to parse request" message. Does this mean I do not have DNSSEC configured correctly?

Thanks,
Steve
#11
25.7, 25.10 Series / DNSmasq DHCP Problem?
December 22, 2025, 03:59:22 PM
Morning all,

I am using dnsmasq as my default DHCP server. I have two DHCP entries that do not seem to want to clear from my leases. Attached is the screenshot. You will see 192.168.1.68 and 192.168.1.78. Both VMs do not exist but I cannot seem to clear them. How can I fix this?

Thanks,
Steve
#12
General Discussion / ECS and DNSSEC Setup
December 21, 2025, 05:21:41 PM
Hello all,

I am using Quad9's Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled DNS service. How do I configure Unbound to handle this? Do I need to worry about dnsmasq DNS services also?

Thanks,
Steve
#13
25.7, 25.10 Series / 26.1 Release Question
December 17, 2025, 04:13:34 PM
Now that we are closer to January of 2026 I was wondering if the OPNsense team knows what version of FreeBSD will be included in the package. I am trying to determine if support for the Intel E610 will be part of this.

Thanks,
Steve
#14
I am still struggling with this. I have made major changes to my VLAN structure but this still is not working. So let me step through my setup.

VLANs:

VLAN 2: Network devices and APs
VLAN 3: Servers
VLAN 10: Home wireless
VLAN 12: IoT wireless
VLAN 20: Streaming

My Proxmox server has an onboard 1 gig NIC. I have added a two port 10 gig PCIe adapter, as well as a USB 2.5 gig adapter. Proxmox UI is on the USB adapter (vmbr0.2). OPNsense VLANs are on the 10 gig ports (vmbr1 and vmbr2). OPNsense WAN is on the onboard NIC (vmbr3).

My Proxmox networking config is as follows:

iface enp2s0f0 inet manual

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp2s0f0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2,3,20
#FW 2,3,20

iface enp2s0f1 inet manual

auto vmbr2
iface vmbr2 inet manual
        bridge-ports enp2s0f1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 10,12
#FW 10,12

iface eno1 inet manual

auto vmbr3
iface vmbr3 inet dhcp
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
#FW WAN
iface enx6c1ff70ad1e0 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports enx6c1ff70ad1e0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2,3
#VMs 2,3

auto vmbr0.2
iface vmbr0.2 inet static
        address 192.168.1.66/26
        gateway 192.168.1.65
#Mgmt

My OPNsense VM config is attached. I have a managed 1 gig switch I am testing with. Port 1 of the switch is connected to my PC and is configured for VLAN 2 untagged. Port 2 of the switch is connected to the first port of the 10 gig adapter and both VLAN 2/3 are set to tagged. VLAN 2 is the LAN side of my OPNsense VM, with an IP of 192.168.1.1/26. I configure my PC side for 192.168.1.10/26 and assign the adapter to VLAN 2 also. When I try to ping 192.168.1.1 from my PC (192.168.1.10) I get nothing. I fully expected the LAN side of the OPNsense firewall to respond, but it is not.

Have I done anything incorrect? I believe the networking is correct but I do not know for sure.

Thanks,
Steve
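Added example, not from the post or from Proxmox: a small Python sanity check that parses an ifupdown-style config like the one above and verifies that every bridge carrying bridge-vids is VLAN-aware, that each VLAN sub-interface (vmbr0.2) uses a tag its parent bridge actually carries, and that every VLAN in the post's list (2, 3, 10, 12, 20) is trunked on one of the firewall-facing bridges (assumed here to be vmbr1 and vmbr2). The embedded stanzas are a constructed, condensed copy of the posted config.

```python
# Constructed sample: the VLAN-relevant stanzas of the Proxmox config from the post.
SAMPLE_CONFIG = """\
iface vmbr1 inet manual
        bridge-vlan-aware yes
        bridge-vids 2,3,20
iface vmbr2 inet manual
        bridge-vlan-aware yes
        bridge-vids 10,12
iface vmbr0 inet manual
        bridge-vlan-aware yes
        bridge-vids 2,3
iface vmbr0.2 inet static
        address 192.168.1.66/26
"""

def parse_interfaces(text):
    """Return {iface_name: {option: value}} from ifupdown-style text (comments ignored)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface":
            current = stanzas.setdefault(words[1], {})
        elif words[0] != "auto" and current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas

def vids(stanza):
    """Expand a bridge-vids value such as '2,3,20' or '10-12' into a set of VLAN ids."""
    out = set()
    for part in stanza.get("bridge-vids", "").replace(",", " ").split():
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def check_vlans(text, required, trunks):
    """Return findings as strings; an empty list means the VLAN plumbing is consistent."""
    ifaces = parse_interfaces(text)
    findings = []
    for name, st in ifaces.items():
        if "bridge-vids" in st and st.get("bridge-vlan-aware") != "yes":
            findings.append(f"{name}: bridge-vids set but bridge-vlan-aware is not yes")
        parent, dot, vid = name.rpartition(".")  # vmbr0.2 -> parent vmbr0, VLAN 2
        if dot and vid.isdigit() and int(vid) not in vids(ifaces.get(parent, {})):
            findings.append(f"{name}: VLAN {vid} is not in {parent} bridge-vids")
    carried = set().union(*(vids(ifaces.get(t, {})) for t in trunks))
    for vid in sorted(set(required) - carried):
        findings.append(f"VLAN {vid} is not carried by any firewall trunk bridge")
    return findings
```

Run `check_vlans(open("/etc/network/interfaces").read(), {2, 3, 10, 12, 20}, ["vmbr1", "vmbr2"])` on the host; an empty list means the Proxmox side carries every VLAN the firewall expects, so the fault is elsewhere (switch tagging, the VM's NIC-to-bridge mapping, or OPNsense's VLAN parent assignment).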

#15
Intrusion Detection and Prevention / A lot of SSH Traffic
December 02, 2025, 08:08:16 PM
Hello all,

I am noticing that Suricata is blocking a lot of SSH traffic that is not coming from any valid IPs. If people want to use SSH they have to be on my VPN. Here is a snippet of what I am seeing in the alert log:

2001219 blocked Prod 134.199.195.142 54062 10.0.2.21 22   ET SCAN Potential SSH Scan

Could I just add an inbound rule that drops any traffic destined to the IP using port 22? I would prefer to drop the traffic at the front door rather than letting it get to my IDS for processing.

Thanks,
Steve
#16
General Discussion / Weird DHCP Problem?
November 24, 2025, 02:47:06 PM
Morning all,

I seem to be having a very weird DHCP problem with my wireless devices only. I am not sure if DHCP is the real problem or what is just showing up as the problem. Every 6 hours or so my wireless devices seem to lose connectivity, meaning they try to obtain an IP and cannot. It fails, so that is why I am saying DHCP. Now here comes the weird part. I reboot my OPNsense firewall and connectivity is restored.

What would you look at to determine what is happening? I see nothing obvious in the DHCP logs, but either my wireless subnet loses its gateway or DHCP is doing something funny.

Thanks,
Steve
#17
Hello all,

I am trying to balance the need of my developers to access my internal systems via WG VPN and the need to block IPs on a country basis. Has anyone found a way to do this? I have one developer who might be in Colombia one day and India the next day. How do I set him and others to get in while blocking the global IPs?

Thanks,
Steve
#18
General Discussion / Maxmind Block of Countries Inbound
November 17, 2025, 07:22:00 PM
Hello all,

I have set up a rule to block inbound access from countries I do not allow, via Maxmind. The rule allows me to log entries that are processed by this rule. What is the name and location of the log? I would like to see if I could use Monit to alert me when this rule is invoked.

Thanks,
Steve
#19
Intrusion Detection and Prevention / IDS and Monit
November 17, 2025, 12:13:56 AM
Hello all,

I am trying to use Monit to monitor Suricata and email me when a block happens. I have read the documentation and I have set up the condition as per the documentation, but I cannot save the test condition. It tells me the condition would change the block. Has anyone seen this? I believe this issue started with 25.7.

Thanks,
Steve
#20
Hardware and Performance / OPNsense on VMware
November 15, 2025, 06:52:45 PM
Hello all,

My client runs an OPNsense firewall on VMware. It runs really well and takes no real resources. I am building a replacement 25.7 firewall. As I got to the storage config I stopped thinking...should I allocate two disks and run these in a ZFS RAID 1 pair? Well, can someone comment if this makes any sense under VMware?

Thanks,
Steve