Topics - mokaz

#1
Hi all,

Not sure if I'm hitting a bug here but I could narrow down my observed behaviors to a Squid configuration parameter.

- proxy setup in Transparent mode.
- setting the "Number of squid workers" to 4
- simple CLI request : curl www.perdu.com

It would randomly hit a Squid-thrown "ERR_INVALID_URL" error page (and would sometimes pass through with no issues):

</head><body id=ERR_INVALID_URL>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="/">/</a></p>

<blockquote id="error">
<p><b>Invalid URL</b></p>
</blockquote>

<p>Some aspect of the requested URL is incorrect.</p>

<p>Some possible problems are:</p>
<ul>
<li><p>Missing or incorrect access protocol (should be <q>http://</q> or similar)</p></li>
<li><p>Missing hostname</p></li>
<li><p>Illegal double-escape in the URL-Path</p></li>
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
</ul>

<p>Your cache administrator is <a href="mailto:admin@localhost.local">admin@localhost.local</a>.</p>
<br>
</div>

<hr>
<div id="footer">
<p>Generated Mon, 02 Mar 2026 06:52:39 GMT by squid.domain.local (squid)</p>
<!-- ERR_INVALID_URL -->
</div>
</body></html>

My guess is that this happens whenever the request is served by any worker other than 0, hence [1,2,3] in my tests.
Reverting to "Number of squid workers = 1" gets me a steady transparent proxy configuration which serves any request, all the time.

Any thoughts?

Thanks a lot,
Kind regards,
m.
#2
Hi all,

Thanks for 26.1, I migrated 6 nodes interlinked with full-mesh WG + BGP on FRR etc., all top notch, not a glitch! Excellent.

On one node though, I'm seeing "Router Advertisements" listed within the "Services" widget in red and stopped (expected), while on all the other nodes "Router Advertisements" isn't listed at all within the services widget. I do not have any configuration in there with regard to "Router Advertisements" (on any of my nodes, that is). Is there anything I could check/assess here?


One last quick question, what's the idea with "Firewall > Rules [new]" and "Firewall > Rules"? Will these two merge at some point? I migrated all my rules to the new scheme and now find both menus to be a source of confusion.

Thanks for OPNsense, it rocks !

Cheers,
m.

#3
Q-Feeds (Threat intelligence) / q-feeds feedback
December 10, 2025, 11:44:11 PM
Hi there,

I tested the free plugin and it works according to plan, thanks!

A few items though:
- I guess that with the Community - Self-Provisioned licensing scheme, the provided threat feeds include OSINT only. Are you intending to list what is included within your OSINT package? i.e. all the Q-Feeds-triggering threats here were part of my next-in-line ingress policy object, which is the IPSUM_L1 threat intelligence feed.

- I think that the plugin does not release/give control back to OPNsense once the inactive administrative session timeout has been reached. One may still click on the three Q-Feeds menus. Although, while nothing refreshes within the Q-Feeds menus, once you click anywhere else within the GUI, you're routed to the usual OPNsense login page, which is the normal behavior under these circumstances.

- Why the new "Security" menu item? Why not simply within the "Services > Q-Feeds Connect" menu directly? Perhaps there are other plugins unknown to me that use the "Security" menu item, although if you're the only one, I don't see the point TBH.

Let me know,
Thanks
#4
Hi all,

To cut a long story short, I need (for lack of a better solution) to restart an LTE router every day. Without this, latencies just get higher and higher until it's not operating any more. I couldn't yet nail the main issue down.

That LTE WAN uplink is seated within a dedicated VLAN on a DMZ switch (along with a 2nd WAN uplink on its own dedicated VLAN etc etc..)

My issue at OPNsense was that once the device had been auto-rebooted once a day, that VLAN interface's IP & gateway wouldn't be updated at the OPNsense level (the LTE router permits a so-called "passthrough" feature where a backend device gets the LTE bond IP address, in my case OPNsense, handy..).

So here is what I've cobbled, please read carefully what the main script does before blindly copy/paste/run.

The main script: (saved in /usr/local/bin/dhcp-renew)
#!/bin/sh
# Force a DHCP renewal on one interface, then let OPNsense pick up the new
# address and gateway.  Usage: dhcp-renew <ifname>   (e.g. vlan0.8.888)

set -e

ENABLE_LOGGING=true
INTERFACE=$1

# Refuse to run without an interface name: with an empty name the commands
# below would fail half way and delete a lease file named "dhclient.leases."
if [ -z "$INTERFACE" ]; then
  echo "usage: $0 <interface>" >&2
  exit 1
fi

# Logging function
log_message() {
  if [ "$ENABLE_LOGGING" = "true" ]; then
    echo "$(date +%Y-%m-%d.%H:%M:%S) - $1" >> /var/log/dhcp-renew.log
  fi
}

# Function DHCP Renew: bounce the link, drop the stale lease, request a new one
dhcp_renew() {
  /sbin/ifconfig "$INTERFACE" down
  /sbin/ifconfig "$INTERFACE" up
  /bin/rm -f "/var/db/dhclient.leases.$INTERFACE"
  /sbin/dhclient "$INTERFACE"
}

# Function Renew WAN: run the new-WAN-IP hook, then reconfigure the interface
# through configd. configctl wants the OPNsense config key (lan, wan, opt3...),
# which ifconfig shows as the last, parenthesised word of the description line
# (for instance "description: WAN LTE (opt3)"); taking the last field ($NF)
# keeps working when the description itself contains spaces.
renew_wan() {
  ifkey=$(/sbin/ifconfig "$INTERFACE" | grep description | awk '{print $NF}' | tr -d '()')
  if [ -z "$ifkey" ]; then
    log_message "No OPNsense description found on '$INTERFACE', cannot reconfigure"
    exit 1
  fi
  /usr/local/etc/rc.newwanip "$INTERFACE"
  /usr/local/sbin/configctl interface reconfigure "$ifkey"
}

# Main script logic
main() {
  curtime=$(date +%s)
  # kern.boottime reads "{ sec = N, usec = M } <date>"; keep N only
  boottime=$(sysctl -n kern.boottime | awk -F'sec = ' '{print $2}' | awk -F',' '{print $1}')
  uptime=$((curtime - boottime))

  log_message "========================"
  log_message "==== Process START ====="
  log_message "Interface given as parameter : '$INTERFACE'"
  log_message "System uptime: $uptime seconds"

  dhcp_renew
  log_message "DHCP Renew on interface '$INTERFACE' : DONE"

  renew_wan
  log_message "NEWWANIP & Interface Reconfigure on interface '$INTERFACE' : DONE"

  log_message "==== Process END ====="
}

# Run the main script logic
main

Making it executable:
chmod +x /usr/local/bin/dhcp-renew

The actions.d companion script: (saved in /usr/local/opnsense/service/conf/actions.d/actions_dhcp_renew.conf)
[start]
command:/usr/local/bin/dhcp-renew
parameters:%s
type:script
message:DHCP-RENEW on interface
description:DHCP-RENEW on specified interface

Restarting the configd service is needed:
service configd restart

And a quick log extract: (/var/log/dhcp-renew.log)
2025-12-08.12:33:00 - ========================
2025-12-08.12:33:00 - ==== Process START =====
2025-12-08.12:33:00 - Interface given as parameter : 'vlan0.8.888'
2025-12-08.12:33:00 - System uptime: 309327 seconds
2025-12-08.12:33:00 - DHCP Renew on interface 'vlan0.8.888' : DONE
2025-12-08.12:33:06 - NEWWANIP & Interface Reconfigure on interface 'vlan0.8.888' : DONE
2025-12-08.12:33:06 - ==== Process END =====

You can then edit your System>Settings>Cron jobs and schedule a forced renewal of a specific interface.

Since I've put this in place, my specific interface gateway is now correctly set on OPNsense after each router restart and it's almost transparent, if not for the time needed by the router reboot cycle. As said, the main issue has nothing to do with OPNsense itself. Finally, in my case, I'm also cycling any WireGuard instances that may use this path after the forced daily renewal.

Please do not hesitate to correct any mistake or provide any insight.
i.e.:
  • I did not take the time needed to completely understand what this does exactly: /usr/local/etc/rc.newwanip
  • I'm not sure that the /usr/local/bin path is advisable for user-made scripts.

Hope this may help,
Cheers,
m.
#5
Hi all,

A quick question on scheduling both of these commands:
System>Settings>Cron>+>ZFS pool scrub
System>Settings>Cron>+>ZFS pool trim

How often shall these run as a best practice?

Thanks,
Regards,
#6
Hi team,

I've been wondering if matching hosts from the Host header in HTTP would be possible in order to address different upstream servers, obviously serving different purposes.

so the idea would be:
nginx:443 --> host header = host1.domain.suffix --> upstream_1
nginx:443 --> host header = host2.domain.suffix --> upstream_2
and so on.

The backend is not using TLS, so TLS is terminated at the NGINX level. In my testing, it seems that within the "location" I can match the URL but not the requested hostname; maybe I'm missing something really obvious here. I succeeded at such a config using Caddy but if ever possible I'd like to couple that with NGINX + Naxsi WAF.

Let me know,
regards,
m.
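An added example, not from the original post and not the OPNsense nginx plugin's own output: nginx picks the virtual host on the Host header (and the certificate on SNI) at the server block level with server_name, which is why a location match on the hostname never worked. Hostnames, certificate paths and upstream addresses below are placeholders.

```nginx
# Added example (not from the original post); names, paths and addresses are placeholders.
upstream upstream_1 { server 10.0.0.11:8080; }   # plain-HTTP backends: TLS ends at nginx
upstream upstream_2 { server 10.0.0.12:8080; }

# Catch-all for Host/SNI values we do not serve. Without an explicit
# default_server nginx silently hands such requests to the first server block.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4: abort the handshake, no certificate needed
}

server {
    listen 443 ssl;
    server_name host1.domain.suffix;
    ssl_certificate     /usr/local/etc/nginx/certs/host1.crt;
    ssl_certificate_key /usr/local/etc/nginx/certs/host1.key;

    # The client chooses SNI and Host independently; refuse mismatched pairs
    # (421 Misdirected Request) so host1's cert never fronts host2's backend.
    if ($ssl_server_name != $host) { return 421; }

    location / {
        proxy_pass http://upstream_1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name host2.domain.suffix;
    ssl_certificate     /usr/local/etc/nginx/certs/host2.crt;
    ssl_certificate_key /usr/local/etc/nginx/certs/host2.key;

    if ($ssl_server_name != $host) { return 421; }

    location / {
        proxy_pass http://upstream_2;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

In the OPNsense nginx plugin this maps to one HTTP Server entry per server name, each with its own location pointing at its own upstream; the plugin renders the server blocks. Validate with `nginx -t` before reloading. Naxsi is enabled per location, so each virtual host keeps its own WAF policy.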
#7
Hi there,

I'm trying to figure out how I could conditionally redistribute static routes (present on ONS_2 in my uploaded representation) within BGP.
The static routes at ONS_2 are tied to a gateway entry (= host ip_forward=1 in my representation), a gateway entry which has a Monitor IP set.


My goal would be to possibly redistribute these routes within BGP only if the Monitored IP is up.
Any hints at enabling this?

Thanks a lot,
Regards
#8
Hi all,

I have tested a root server @Hetzner with OPNsense and I have the feeling that I'm witnessing all the traffic within the /26 of the root server's assigned public IP address... Has anyone seen this as well? Have I perhaps missed any "opnsense" settings on my WAN interface?

In example:
Interface     Time                       Source             Destination             Proto     Label
-------------------------------------------------------------------------------------------------------------------
WAN1        2025-09-20T09:42:11      65.109.83.177:51040    xx.xx.xx.14:9060    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:41840    xx.xx.xx.14:9901    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:51246    xx.xx.xx.14:9100    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      45.142.193.63:56217    xx.xx.xx.13:22363    tcp    CrowdSec (IPv4) in   
WAN1        2025-09-20T09:42:11      65.109.83.177:44502    xx.xx.xx.14:9113    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:38206    xx.xx.xx.14:9903    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:37934    xx.xx.xx.14:5054    tcp    WAN1_DENY_ALL   
WAN1        2025-09-20T09:42:11      65.109.83.177:37532    xx.xx.xx.14:9902    tcp    WAN1_DENY_ALL   

I do not own any of the destination IP listed above...

Let me know,
Kind regards,
m.

EDIT: the OPNsense wan interface is not in promiscuous mode / IPS is enabled on the interface in IPS mode
#9
Hi all,

I would like to be able to "double" the access logs whenever possible:

1 - per Syslog facility and further sent to remote log aggregation.
2 - per File (/var/log/squid/access.log) to crawl the logs with SARG locally.

Perhaps I could do point #2 using syslog data but I wouldn't know "how" just yet.
If anyone could give some hints, thanks a lot.

Let me know,
Kind regards,
m.
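An added example, not from the original post: Squid has no "copy syslog to a file" option, but access_log may appear several times and every request record is written to each sink, which gives both destinations directly. The facility and file path are placeholders.

```conf
# Added example (not from the original post). Each access_log line is an
# independent sink; Squid writes every request record to all of them.

# 1 - syslog, facility local5 at priority info, for the remote aggregator
access_log syslog:local5.info squid

# 2 - local file for SARG, through the logfile daemon so a slow disk does not
#     stall request handling. "squid" is the built-in native logformat SARG parses.
access_log daemon:/var/log/squid/access.log squid
```

OPNsense regenerates squid.conf from its templates, so the lines belong in a custom-options drop-in that the generated file includes rather than in squid.conf itself (on the releases I know these are the pre-auth/ and post-auth/ directories under /usr/local/etc/squid/; treat that path as an assumption and check your release). Run `squid -k parse` before `squid -k reconfigure`, and on the OPNsense side match the chosen facility when you forward to the aggregator.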
#10
Hi team,

Has anyone already implemented this Squid feature on OPNsense?
https://wiki.squid-cache.org/ConfigExamples/Portal/Splash

Roughly, this would use a "squid.conf" directive to present a "captive portal" web-based authentication form, for example
using a directive like: deny_info 511:/etc/squid/splash.html session_is_active
I have to reckon that I haven't completely understood that Squid feature yet and what is needed behind it (backend auths, session state, time management etc..)

I was wondering if perhaps something like this could be implemented jointly with the OPNsense Captive Portal facility in fact, in Explicit Proxy use cases.

Let me know,
Kind regards,
m.
#11
Hi there folks,

A quick question / setup feasibility check on my side.

I've set up the following to satisfaction:

  • Squid on Loopback only
  • ZenArmor in L3 emulated mode

To force a software hop, I've enabled Squid on Loopback only, thus requiring a NAT port forward rule for the Explicit Proxy port (8080) in my example.
Clients would connect through WPAD/wpad.dat with a return "PROXY VTNET0:8080" directive.


My concern is that in such a setup, it seems to me that ZenArmor is missing the "vtnet0/LAN" based 8080 CONNECT requests sent towards the Squid Proxy daemon.

Without enabling the WAN interface "vtnet1" in the ZenArmor configuration, Web Controls doesn't catch offending bits/categories.
With the WAN interface enabled, it does, obviously so as Squid would initiate the requested connections through that interface for egress traffic.

I've tested as well using Squid directly bound to the "vtnet0" interface with the same results. I had hoped that perhaps adding a software HOP (loopback) would trigger ZenArmor Web Controls while monitoring the "vtnet0/LAN" interface only. It's not the case.

All in all, it's not a big issue, the real concern is that any offending bits would trigger as being sourced as/from the WAN interface IP, thus rendering analysis a bit more complex in order to find the originating host behind any potential ZA blocks. I'd also vouch that I'd prefer blocking the clients' requests rather than the Squid-initiated connections.

Is there anything I could do to get full CONNECT requests visibility sent towards the Squid daemon while monitoring the "vtnet0" interface only?
Or have I perhaps missed something obvious?

Let me know,
Thanks a lot,
m.
#12
Hi there all,

I have a simple explicit proxy setup in which I didn't exclude (yet) a Guacamole host used for Remote Access (internal/external).
While connecting to that system through the OPNsense/Squid setup, I could log on with no issue although any Remote Access connection wouldn't work.
These are WebSocket based, is this possible through Squid? Have I missed some config options?

I have for now updated my wpad.dat with a DIRECT directive to that host and all is fine, just more for my knowledge.

Let me know,
Kind regards,
m.

#13
General Discussion / Unbound DNS -- A few questions
November 28, 2024, 06:30:25 AM
Hi there all,

I'm here using Unbound DNS on OPNsense and I'd have a few questions about it.


  • what is the difference between Domain Overrides AND Query Forwarding?
  • if using one or the other (Overrides OR Query Forwarding), is there a possibility to log where each query is sent?

My goal is simple, forward a few domains onto internal servers while carrying the rest over DoT, although I'd want to assess that internally geared resolutions aren't attempted toward the DoT setup. And well, tcpdump'ing DoT gives some info but obviously no query details, which is the DoT purpose, ain't it =)

Let me know,
Thanks,
m.
#14
Hi all,

I'll try to summarize my setup:

- wg0 instance reachable through the WAN interface + peers + config + unbound DNS etc etc (all working super duper fine)
- ovpnc1 interface where I'm routing wg clients 0.0.0.0/0 type of traffic (working super duper)

My only current concern is that this setup has somewhat of an asymmetrical routing issue, as either WAN or ovpnc1 could reach 0.0.0.0/0 -- I have sometimes witnessed some UDP:51820 source-port-bound packets fly out over the overlay/ovpnc1 interface, which is unwanted. I did counter that through the firewall but I've been hunting for a cleaner solution.

Would it be possible to bind a specific and unique gateway to the WireGuard service itself? Hence always receiving and sending WireGuard tunnel service traffic over the exact same interface/gw combo at the OPNsense level.

Let me know,
Regards,
m.

#15
General Discussion / Swap physical interfaces
March 01, 2024, 04:42:02 PM
Hi there Team,

I recently wanted to do the following on my OPNsense system:


  • add a new physical interface
  • swap my WAN interface with the newly added vtnet5 adapter (was vtnet1.xxx)
  • update my main gateway reflecting the changes
  • the old WAN interface (the vLAN as well as its parent interface) would have been moved toward a different Zone (keeping an IPsec tunnel through here)

Sadly, my testing went pretty south TBH =) -- I ended up restoring a VM backup.
One of the artifacts I saw was that my old (vLAN-based) gateway configuration kept coming back in the GUI/XML configuration and traffic didn't seem to flow through the newly assigned WAN member. The DHCP client had been functioning on the newly assigned interface though.

Is there anything I need to pay attention to before attempting the shift again ?

Let me know,
Cheers,
m.
#16
Hi all,

I just wanted to share how I've set up OPNsense to provide Transparent Proxy over multiple interfaces.
The idea was to provide TP over: LAN, Internal WiFi, Guest WiFi and SSLVPN Road Warriors as well.

01 - For the SSLVPN part, you first need to assign your OpenVPN interface as an assigned interface.
02 - Enable the Web Proxy and assign all the interfaces you want your Squid Proxy daemon to listen to.
03 - Create NAT rules: Firewall --> NAT --> Port Forward / I have here created two rules (TCP:80 & TCP:443) involving all the interfaces I wanted to be Transparently Proxied/redirected (to TCP:3128 & TCP:3129 respectively).
04 - Within the Web Proxy > Forward Proxy > Access Control List -- you need to specify your Allowed Subnet within the Forward Proxy > Allowed Subnet.
05 - IF you're using Unbound DNS, you'll need to create Access Lists according to your different subnets using the Unbound DNS services.

You can see my configs within the attachments below.

Hope this helps.
Cheers,
m.

PS: can I use the attached images within my own post? couldn't figure how/if possible...
#17
Hi all,

I've been trying to make my Squid transproxy work for OpenVPN road warriors. Till now without success.
Have any of you got such a setup working?

I've tried many things.. One idea was a loopback for squid and do the redirect to that IP instead of the 127.0.0.1 but no chance there either. At best I'd want to have a single loopback for squid if possible.

Attached a view of my vSSLVPN interface and the corresponding port forward NAT entries.

Thanks a lot,
mokaz