Topics - dirtyfreebooter

#1
Zenarmor (Sensei) / 25.10 ssl certs again?
October 15, 2025, 06:18:53 PM
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.10 (amd64) at Wed Oct 15 09:56:42 MDT 2025
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 911 packages processed.
Updating SunnyValley repository catalogue...
pkg: Repository SunnyValley has a wrong packagesite, need to re-create database
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
#2
blocking ip 149.154.175.55. it's blocking all telegram.

#3
is it possible for unbound to support blocklist in this format or similar?

server:
local-zone: "doh.dns.apple.com." always_nxdomain
local-zone: "mask.apple-dns.net." always_nxdomain
local-zone: "mask.icloud.com." always_nxdomain
local-zone: "mask-h2.icloud.com." always_nxdomain
local-zone: "mask-api.icloud.com." always_nxdomain
local-zone: "use-application-dns.net." always_nxdomain

most blocking i want to return 0.0.0.0 but for a handful of domains, i want to return NXDOMAIN. right now i do this by putting a custom file in

/usr/local/etc/unbound.opnsense.d/
but that's not ideal as it doesn't get backed up or restored with normal config.xml tools. i would like to provide unbound with a custom URL for a blocklist that also specifies the response type, like NXDOMAIN instead of the global setting.
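One way to keep the mixed policy from the post above (0.0.0.0 for most names, NXDOMAIN for a handful) in a single source file, as an added example that is not code from the post, from OPNsense or from the Unbound project: a tiny blocklist format with an optional per-domain action, rendered into Unbound `local-zone` lines. `always_null` (answers 0.0.0.0 / ::) and `always_nxdomain` are real Unbound local-zone types; the input format, the constructed sample list, and the function names are assumptions of this example.

```python
"""Render a per-domain blocklist into an Unbound include file.

Added example (not from the forum post, OPNsense or Unbound). Input format
is an assumption: one entry per line, "domain" alone gets the default
action, "domain nxdomain" forces NXDOMAIN, "#" starts a comment.
"""
import re

# Real Unbound local-zone types (see unbound.conf(5)) used for each action.
ACTIONS = {"null": "always_null", "nxdomain": "always_nxdomain"}

# Constructed sample blocklist in the assumed format (duplicate and a bad line included).
SAMPLE_BLOCKLIST = """\
# comment lines and blanks are ignored
ads.example.net
tracker.example.org   null
doh.dns.apple.com     nxdomain
mask.icloud.com       nxdomain
use-application-dns.net nxdomain
bad host.example      nxdomain
ads.example.net
"""

# One LDH label: 1..63 chars, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Syntactic check only: 1..253 chars of dot-separated LDH labels."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_blocklist(text: str, default: str = "null"):
    """Return ({fqdn: action}, [rejected raw lines]); later duplicates win."""
    entries, rejected = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) > 2 or not valid_hostname(parts[0]):
            rejected.append(raw)
            continue
        action = parts[1].lower() if len(parts) == 2 else default
        if action not in ACTIONS:
            rejected.append(raw)
            continue
        entries[parts[0].lower().rstrip(".") + "."] = action
    return entries, rejected


def render_unbound(entries) -> str:
    """Emit a 'server:' clause with one local-zone line per domain, sorted."""
    lines = ["server:"]
    for fqdn in sorted(entries):
        lines.append(f'    local-zone: "{fqdn}" {ACTIONS[entries[fqdn]]}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    print(render_unbound(parsed), end="")
    for b in bad:
        print("rejected:", b)
```

The rendered text is what would go into the drop-in file the post describes; rejecting malformed lines instead of passing them through matters because a single bad token makes Unbound refuse the whole include at reload.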
#4
trying to check for updates.. i now get this. using the default business mirror.

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.4.3 (amd64) at Thu Sep 18 08:14:58 MDT 2025
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 908 packages processed.
Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

EDIT: i guess this is a problem with ZenArmor...
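For the two update logs in #1 and #4, an added example (not code from the posts, from pkg, from OPNsense or from Zenarmor) that triages this kind of failure: it parses the line shapes pkg and OpenSSL print above, attaches each "Certificate verification failed" line to the fetch it broke, and decodes the number pkg prints in parentheses, which is OpenSSL's X509_V_ERR_* verify code. In that numbering 44 is X509_V_ERR_DIFFERENT_CRL_SCOPE, a name that places the problem in CRL processing rather than in issuer trust, which lines up with the "CRL checking is enabled" line in the same log. The sample output is a constructed excerpt of the pasted log, and `probe()` (which reproduces the strict client from another machine) needs network and is not exercised offline.

```python
"""Triage a failed 'pkg update' against a TLS-protected mirror.

Added example; not from the forum posts, pkg, OPNsense or Zenarmor.
"""
import re
import socket
import ssl

# Subset of OpenSSL X509_V_ERR_* codes (crypto/x509/x509_vfy.h), keyed by the number pkg prints.
X509_VERIFY_ERRORS = {
    2: "UNABLE_TO_GET_ISSUER_CERT",
    3: "UNABLE_TO_GET_CRL",
    9: "CERT_NOT_YET_VALID",
    10: "CERT_HAS_EXPIRED",
    18: "DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "SELF_SIGNED_CERT_IN_CHAIN",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    23: "CERT_REVOKED",
    44: "DIFFERENT_CRL_SCOPE",
}

RUNNING = re.compile(r"^Currently running (?P<product>\S+) (?P<version>\S+) \((?P<arch>\w+)\)")
CERT_FAIL = re.compile(r"^Certificate verification failed for (?P<subject>\S+) \((?P<code>\d+)\)$")
FETCH_FAIL = re.compile(r"^pkg: (?P<url>https?://\S+): (?P<reason>.+)$")

# Constructed excerpt with the same line shapes as the pasted output above.
SAMPLE_OUTPUT = """\
Currently running OPNsense 25.10 (amd64) at Wed Oct 15 09:56:42 MDT 2025
Strict TLS 1.3 and CRL checking is enabled.
Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Error updating repositories!
"""


def parse_pkg_output(text: str) -> dict:
    """Attach each verify failure to the next 'pkg: <url>: <reason>' line."""
    report = {"version": None, "strict_tls": False, "failed_fetches": []}
    pending = []  # verify failures seen since the last failed fetch
    for line in text.splitlines():
        m = RUNNING.match(line)
        if m:
            report["version"] = f"{m['product']} {m['version']} ({m['arch']})"
            continue
        if line.startswith("Strict TLS 1.3 and CRL checking is enabled."):
            report["strict_tls"] = True
            continue
        m = CERT_FAIL.match(line)
        if m:
            code = int(m["code"])
            pending.append({"subject": m["subject"], "code": code,
                            "name": X509_VERIFY_ERRORS.get(code, "UNKNOWN")})
            continue
        m = FETCH_FAIL.match(line)
        if m:
            report["failed_fetches"].append(
                {"url": m["url"], "reason": m["reason"], "tls_failures": pending})
            pending = []
    return report


def classify(report: dict) -> str:
    """One-line verdict: chain/CRL problem on the mirror vs. something else."""
    fetches = report["failed_fetches"]
    if not fetches:
        return "no failed fetches"
    if all(f["tls_failures"] for f in fetches):
        names = sorted({e["name"] for f in fetches for e in f["tls_failures"]})
        return "TLS verification of the mirror failed: " + ", ".join(names)
    return "fetch failed without TLS diagnostics; check repo signature and URL"


def probe(host: str, port: int = 443, crl_file: str = "") -> tuple:
    """Reproduce the strict client from another machine (needs network).

    Returns (True, peer subject) or (False, error text). A CRL file turns on
    chain-wide CRL checking; Python's ssl fails the handshake if the flag is
    set without a loaded CRL, so only set it together with the file.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject", ())
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    rep = parse_pkg_output(SAMPLE_OUTPUT)
    print(rep["version"], "strict TLS:", rep["strict_tls"])
    for f in rep["failed_fetches"]:
        print(f["url"], "->", f["reason"], [e["name"] for e in f["tls_failures"]])
    print(classify(rep))
```

The grouping matters because "Authentication error" on its own is ambiguous between a rejected TLS chain and a rejected repository signature; only when every failed fetch is preceded by verify failures is the mirror's certificate chain the thing to look at, and the decoded code says which part of verification rejected it.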
#5
Development and Code Review / code editing workflow
March 17, 2025, 08:56:49 PM
curious as to hear how people are working with opnsense development.. git clone / git branch / make mount / edit / git commit / git push / create pull request, is great and all. currently doing that on a Proxmox VM and it's fairly simple.

but using vim/emacs on the terminal is so-so. vscode via remote SSH to freebsd doesn't really work without linux binary support, and the opnsense repo seems to be missing essential packages for that:
devel/linux-rl9-libsigsegv
emulators/linux_base-rl9

i don't necessarily have to have vscode, but largely gotten used to it at this point. neovim seems like it's possible with some effort to get it working on freebsd.

so i'd like to hear what other solutions people are using before i spend too much time in one direction.

thanks
#6
** SOLVED ** it was the firewall setting, Disable Reply-To. By default it's unchecked. After checking it, all my test setups immediately went to full speed in both directions.

i am seeing a weird issue with wireguard speeds going out of the firewall, but not in.

client (Debian 12 i7-13700 with Mellanox Connect-X5 25g NIC) -> opnsense -> server (Windows 11 AMD 7950X3d with Intel E810 25g NIC)
No internet, this is a local test

the test run on the client is:

iperf3 --client <server ip> --no-delay --parallel 8
iperf3 --client <server ip> --no-delay --parallel 8 --reverse

every time i do the --reverse test, i can't seem to get any faster than 545 Mbits/sec.

i have now tested this with 6 different nics and 3 versions of opnsense on 3 different setups.

Setup 1:
Supermicro X11SCL-iF with Intel Xeon E 2278g (8c/16t 5Ghz)

NICs tested:
  • Intel i210 (motherboard nics using igb driver)
  • Intel i350-t4 (igb driver)
  • Intel i225V-b3 (qnap 2.5g x4 card using the igc driver)
  • Intel x520-da2 (ix driver)
  • Intel x710-da2 (ixl driver)
  • Mellanox Connect-X3 (mce driver)
  • Mellanox Connect-X5 (mce driver)

Setup 2:
Lenovo P3 Tiny with Intel i3 14100t (4c/8t 4.4Ghz)

NICs tested:
  • Intel i350-t4 (igb driver)
  • Intel x710-da2 (ixl driver)

Setup 3:
Odroid H4 Ultra with Intel N-305 (8c/8t 3.8Ghz)

NICs tested:
  • Intel i226V (igc driver)

All of these systems have enough CPU on OPNsense to do more than 500 Mbit/sec with Wireguard.

I have tried each system with 3 versions of OPNsense:
  • 24.7.1
  • 24.10.2 (business edition)
  • 25.1

this is a vanilla install. install cpu-microcode-intel. configure wireguard via the road warrior instructions. nothing else is added or configured on the systems.

Results

  • with the 1G and 2.5G nics, going in the upload direction i was able to get full line speed. going in download direction (--reverse), 545 Mbit/sec
  • with the 10G and 25G nics, upload directions i was able to achieve between 4-7 Gbit/sec. going in download direction (--reverse), 545 Mbit/sec

Looking at top when this is happening, the CPUs on all 3 systems, all 3 versions of OPNsense are basically idle. using maybe 5%-10% cpu max.

so all systems, no matter what i change on the iperf3 side, etc, all stuck at 545 Mbit/sec in that one direction. I have tried various ethernet cables, OM3 fiber, DAC cables. it's all the same, 545 Mbit/sec.

MTUs on the systems are 1500 for NIC and 1420 for wireguard interfaces. upload direction is great performance. download 100% terrible all the time, 100% reproducible. from 24.7.1 to 25.1.

if i don't go through the wireguard interface, if i setup a NAT port forward, i get full speeds in both directions.

this must be some error or bad configuration on my part?
#7
https://imgur.com/a/5AxiqUY

currently in an infinite loop.

New pkg package available, installing...
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 856 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
pkg-1.19.2_2 [OPNsense]

Number of packages to be reinstalled: 1

4 MiB to be downloaded.
[1/1] Fetching pkg-1.19.2_2.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/1] Reinstalling pkg-1.19.2_2...
[1/1] Extracting pkg-1.19.2_2: .......... done
New pkg package has been installed. Running sensei updater again from new package...
New pkg package available, installing...
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 856 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
pkg-1.19.2_2 [OPNsense]

Number of packages to be reinstalled: 1
[1/1] Reinstalling pkg-1.19.2_2...
[1/1] Extracting pkg-1.19.2_2: .......... done
New pkg package has been installed. Running sensei updater again from new package...
#8
Zenarmor (Sensei) / 24.10 business edition
October 19, 2024, 04:53:16 AM
assuming zenarmor has to switch something over? seems like moving from 24.7.6 community to 24.10 business edition, none of the widgets are available and it looks like an older version is available only.

also now getting the pkg misconfigured issue.
#9
hi.

i wanted to switch from community to business edition for 2 reasons. 1, to pay for this amazing software. 2, want to be on a more stable, less updated release train.

i am currently on 24.7.6. seems like 24.10 was just released and based off 24.7.6. seems like it would be a good time to switch. if i just save my config, reinstall with 24.10 and restore my config, would that be the best way to move over? running unbound, caddy, zenarmor, and chrony. pretty simple setup.
#10
a question or check of my setup. i recently added a backup internet connection.

WAN1: 1 gbps quantum fiber
WAN2: 150 mbps / 20 mbps xfinity/comcast cable

i started out by looking at the opnsense docs and the multi-wan section with gateway groups. but it seems like for my simple setup, "Default gateway switching" and setting the gateway priorities seems to just work without any gateway groups, etc.

is that correct? if so, that is much simpler and awesome!

the only other adjustments i had to make were:

  • any port forwards, i had to add both WAN interfaces to the forward definitions.
  • forwarding 80/443 to public for caddy reverse proxy, so had to duplicate that rule on each WAN interface

i disabled sticky connections in settings > firewall > advanced, as this is a pure failover situation and not load balancing.

really only a few minutes to make these config changes and everything seems great. OPNsense is such a gem :)
#11
Zenarmor (Sensei) / policies, vlans, wireguard
September 17, 2024, 07:08:04 PM
i have a vlan, 170, that is my kid network at home. i also have a wireguard interface that is used by kid devices when remote (phone, ipad).

vlan170 - 192.168.170.0/24
wg1 - 192.168.212.0/24

vlan170 is on igb3, with 2 other vlans, vlan180, vlan190

vlan180, vlan190 are under a different zenarmor policy

--

under settings, i have wg1 and igb3 (the parent device) selected. now i am trying to figure out the best way to have this Kid policy apply to both vlan170 and wg1.

doesn't seem like this would work? because it would try and apply the vlan id 170 to wg1?
#12
24.7, 24.10 Legacy Series / caddy resolver
August 14, 2024, 03:41:20 PM
i use unbound DNS over TLS for my upstream. this seems to cause issues with using DNS challenge and cloudflare. not sure if it's an unbound issue with the TXT records or not. i am running the unbound default values for everything except the DNS over TLS entries.

Unbound DNS over TLS

Then in my general settings, i have no nameservers, as i want to use 127.0.0.1 for everything so that it all goes through TLS

Results in my resolv.conf looking like
# cat /etc/resolv.conf
domain lan
nameserver 127.0.0.1
search lan

everything else works as normal, except caddy on certificate renewal. ACME renewal for the SSL cert used by the os-acme plugin for the OPNsense GUI itself renews fine.

if i put the cloudflare server IPs in the general settings page, restart caddy, all certs renew immediately. this can also work if i put the resolvers option in the TLS block of the caddyfile. https://caddyserver.com/docs/caddyfile/directives/tls#resolvers

has anyone ever encountered this before? maybe it's some config issue? is it possible to specify the resolvers in the os-caddy plugin? i didn't see that in any of the "additional fields" help when you are configuring a DNS provider.

thx
#13
i updated to 24.7, after the update, there were new packages from Sensei, installed them, elasticsearch still does not start, logs show

java.lang.IllegalArgumentException: unknown setting [xpack.monitoring.templates.enabled] did you mean [xpack.profiling.templates.enabled]?
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:563) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:509) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:479) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:449) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:132) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:50) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.node.Node.<init>(Node.java:494) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.node.Node.<init>(Node.java:344) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:236) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:236) ~[elasticsearch-8.11.3.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:73) ~[elasticsearch-8.11.3.jar:?]
#14
i had an issue where i was debugging a WAN issue and had to reboot OPNsense. 24.1.9_4. the WAN was dropping packets, etc, but "starting caddy..." just hangs. i had to SSH and kill the caddy processes to get the rest of the boot to finish.

has anybody experienced this? why does caddy need internet access to start?
#15
23.7 Legacy Series / upnp not clearing old mappings
January 23, 2024, 10:42:26 PM
23.7.12, this is just for 1 host, an Xbox Series X. Xbox has been turned off for over 12 hours at this point. Every time the Xbox is turned on, a new mapping occurs. Old mappings never get cleaned up.

/var/etc/miniupnpd.conf

ext_ifname=pppoe0
port=2189
listening_ip=igb1
secure_mode=yes
presentation_url=https://192.168.160.1:4269/
uuid=528c8e6c-4a3c-6598-999a-0e9df15ad32
serial=528C8E6C
model_number=23.7.12
allow 1024-65535 192.168.160.61/32 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
enable_upnp=yes
enable_natpmp=no
clean_ruleset_interval=600
min_lifetime=120
max_lifetime=86400
#16
Zenarmor (Sensei) / i226 + ZenArmor no VLANs
May 24, 2023, 08:04:49 PM
hi. it's unclear to me with all the netmap bugs and emulated driver stuff around ZenArmor.. Are these bugs specific to using interfaces with VLANs enabled on the router?

i have a 4-port router device with i226 using igc. i don't use VLANs on the router since i have 1 WAN + 3 subnets that i just give their own physical ports. VLANs are only used on the switches. if that is the case, is ZenArmor supported with the igc driver? and if so, what mode should i be using? Native NETMAP? Emulated NETMAP?

thanks
#17
22.1 Legacy Series / os-ddclient
January 20, 2022, 10:39:42 PM
i know os-ddclient is intended to replace os-dyndns but currently os-ddclient support for servers is terrible. does not even support cloudflare, especially with tokens.

is this a known issue? and something that is planned to be resolved before removing os-dyndns? since using os-dyndns currently warns you in the UI about its pending removal
#18
22.1 Legacy Series / zfs root on 22.1 rc1 install
January 20, 2022, 09:25:48 PM
i noticed 2 things with ZFS install on SSDs

one, autotrim is off by default, that is easy enough to turn on, but the other, ashift=0 is bad for SSDs, and should be ashift=12 which is not harmful to HDDs. maybe the ashift default should just be 12?