Topics - Wuensch-AG-Adm

#1
Dear Community,
After two or three updates, I'm writing to say that I'm still having issues with the WebUI and even with an unresponsive SSH. We use the Business version of the system and typically a hardware appliance that is fully compatible with the system, since it is a Deciso/OPNSense product. 8 GB AMD EPYC 3101 4-core processor DEC3840 – OPNsense

top -aSH
last pid: 37524;  load averages: 19.72, 22.81, 27.25                                                                                                                                 up 75+17:14:16  17:25:58
722 threads:   23 running, 677 sleeping, 22 waiting
CPU:  6.3% user,  0.0% nice, 93.6% system,  0.2% interrupt,  0.0% idle
Mem: 2338M Active, 3065M Inact, 504M Laundry, 971M Wired, 2058K Buf, 874M Free
ARC: 308M Total, 63M MFU, 136M MRU, 38M Anon, 2677K Header, 68M Other
     144M Compressed, 480M Uncompressed, 3.34:1 Ratio
Swap: 8418M Total, 4243M Used, 4175M Free, 50% Inuse

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
28535 root         68    0    17M  2624K RUN      0   0:04  72.71% /sbin/ifconfig -m -v
24521 root         68    0    17M  2628K CPU2     2   0:04  57.40% /sbin/ifconfig -m -v
    0 root        -64    -     0B  1712K CPU3     3 526.4H  55.32% [kernel{if_igc3_tq}]
22164 root         68    0    17M  2624K RUN      1   0:03  42.03% /sbin/ifconfig -m -v
33088 root         94    0    17M  2624K RUN      3   0:02  40.91% /sbin/ifconfig -m -v
33192 root         68    0    17M  2612K CPU1     1   0:03  33.31% /sbin/ifconfig -m -v
36021 root         68    0    17M  2624K RUN      2   0:01  13.56% /sbin/ifconfig -m -v
61959 ntopng       32    0   716M   186M RUN      0 274.2H   4.84% /usr/local/bin/ntopng /usr/local/etc/ntopng.conf -U ntopng -G /var/run/ntopng/ntopng.pid -1 /usr/local/share/ntopng/httpdocs -2 /usr/local
  370 root         68    0   246M    49M accept   1   1:19   0.28% /usr/local/bin/python3 /usr/local/opnsense/service/configd.py console (python3.11){python3.11}


This happens every time I stay on the dashboard for too long.
Is there a patch or another solution I can implement myself?

Thank you in advance

Regards,

Joel
#2
Dear OPNSense community,


We have a scenario where we need to update the rules for one of our in-house developed professional apps, but without a direct exception like the one available for the user interface in ModSecurity. We need something like the ability to use a whitelist file. Something like this: 
SecRule ARGS:mainForm:sometabview:mycompany "@pmFromFile /usr/local/etc/apache24/Includes/modsecurity_wl.txt" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=932250"
2nd example (with the text of the whitelist): SecRule ARGS:mainForm:sometabview:mycompany "@contains SH GmbH" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=932250"

This is really important for our application, as we sometimes conduct EPA/PEN-TEST audits.
Rule 932250 serves its purpose very precisely and blocks a company's input. However, it would be nonsensical to disable rule 932250, as it is truly important for security...[ Unix direct remote command execution ]

Could you give us some guidance on what we can adjust and how we can set this up permanently, or how the appliance can maintain this for as long as possible?
Thank you in advance.

Regards,
Joel.
#3
Dear OPNSense community,

We performed an upgrade this morning, and the proxy authentication via LDAP (AD) in Squid is not working as intended.
The Chromium browser prompts for a username and password, and even when these are entered correctly, the login window keeps reappearing.
It works with Firefox, and we just need to enter the username and password one time. Unfortunately, this shows us that the proxy cannot work with SSO, as was the case with a Sophos appliance, where this feature was truly user-friendly (one-time password at Windows login, no double/triple login with the browsers / web app).
Even if the website is on the list of local websites (some of which we host ourselves), the proxy still displays the login window!!!

My infos:
Version: OPNsense 25.10.2_4 / FreeBSD 14.4-RELEASE
os-squid: 1.4
os-web-proxy-sso: 2.2_3
os-OPNProxy 1.0.5_4
Services -> Squid Web Proxy -> Forward Proxy -> Authentication Settings -> Authentication method -> LDAP

Do you have any idea why the Chromium browser isn't working with Squid/OPNSense?
Is it possible to set up a working web proxy with SSO on an OPNSense server? (This might also be of interest to the customers.)
Is there a better alternative to Squid that is also more user-friendly? (without requiring users to enter a username and password in the browser)

Thank you in advance for the information.

Regards,

Joel.
#4
Dear community,

We have already made several updates to the system since December, but we are experiencing an issue with our Deciso Business Appliance. When we are logged into the dashboard, the CPU goes out of control. We can observe the CPU usage increasing without us doing anything.


   0 root        -64    -     0B  1824K iflib    2 263.1H  61.26% [kernel{if_igc3_tq}]
16330 root         68    0    17M  2524K iflib    1   0:02  30.67% /sbin/ifconfig -m -v
16386 root         68    0    17M  2520K iflib    1   0:02  22.59% /sbin/ifconfig -m -v
 2915 root         68    0    17M  2528K iflib    2   0:04  22.14% /sbin/ifconfig -m -v
15589 root         68    0    17M  2528K iflib    2   0:02  19.85% /sbin/ifconfig -m -v

Is this a bug or a known issue?
I've seen some users complain about this in recent versions, but we're using an official Deciso business device, not a VM or home server.

DEC3842
hw.model: AMD EPYC 3101 4-Core Processor

Base Board Information
        Manufacturer: Deciso B.V.
        Product Name: NetBoard-A20
        Version: R2.0

Ethernet Controller I225-V

I would appreciate it if you could give me some advice.
I feel that the latest business versions are not as stable as the older ones.

Thank you ahead.

Regards,

Joel.
#5
Dear community,
I am trying to disable the rules (the manual part) in order to set up the rules using policies only, but when I select all entries (or 1000/500/200) and click the "Disable" button, the waiting circle appears, and when it is finished, nothing happens; the checkboxes are not empty.
Is this a known bug or something similar? Because it's crazy to manually deactivate about 30,000 entries.
Thank you in advance for your help.
Best regards,
Joel.
#6
Dear Opnsense community,

This morning we performed our monthly maintenance and we are certain that we lost some rules and objects during the upgrade.
We noticed this because our AMS group created a ticket for some rules that had already been created for a customer project, and we couldn't find any of these rules or categories after the upgrade.
The upgrade went strangely: Without warning, we were downgraded from version 25.10.1_2 to version 25.10, and after that we had to upgrade again to get version 25.10.2. Is this a mistake on the part of the OPNsense team? Has anyone ever heard of anything like this before?
We did not attempt to uninstall anything. The device did this on its own.

It's quite disturbing as a customer.

2026-02-19T08:16:56  Notice  pkg-static  opnsense-business-25.10.2 installed
2026-02-19T08:15:52  Notice  pkg-static  opnsense-business-25.10 deinstalled
2026-01-22T06:18:23  Notice  pkg-static  opnsense-business-25.10.1_2 installed

Regards

Joel.
#7
Dear community,

I cannot see the other severities of the access log in Squid (plug-in Squid Web Proxy). It remains empty. The only thing that works is the notification.
Can anyone give me a hint about this?

example:

only: 2026-02-19T12:23:41  Notice  squid  ACL-REQ |opnproxy_ext_acl_net| |

even with multiple selection

with ssh:
tail -f /var/log/squid/access.log

xx.xx.xx.xx - xx:xx:xx:xx:xx:xx - [dd/mmm/2026:hh:mm:ss +0100] "CONNECT static.licdn.com:443 HTTP/1.1" 200 39 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" TCP_TUNNEL:HIER_DIRECT
xx.xx.xx.xx - xx:xx:xx:xx:xx:xx - [dd/mmm/2026:hh:mm:ss +0100] "CONNECT platform.linkedin.com:443 HTTP/1.1" 403 20345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE
xx.xx.xx.xx - xx:xx:xx:xx:xx:xx - [dd/mmm/2026:hh:mm:ss +0100] "CONNECT ponf.linkedin.com:443 HTTP/1.1" 403 20349 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE


Thank you in advance

Joel.
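The access.log lines quoted in the post above follow a fixed layout (client IP, client MAC, timestamp, request line, status, bytes, referer, user agent, Squid result:hierarchy codes). The following parser is an added example, not code from the post or from OPNsense; it reads that layout and summarises the TCP_DENIED entries per client and destination host, which is the information the empty severity view should have shown. The sample lines are constructed (RFC 5737 address, made-up MAC).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Field layout of the access.log lines quoted in the post:
# client - mac - [time] "METHOD URL PROTO" status bytes "referer" "agent" RESULT:HIER
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<mac>\S+) - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" '
    r'"(?P<agent>[^"]*)" (?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)$'
)


@dataclass(frozen=True)
class AccessEntry:
    client: str
    time: str
    method: str
    host: str
    status: int
    result: str
    hier: str


def parse_line(line: str):
    """Parse one access.log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    if m.group("method") == "CONNECT":
        # CONNECT carries host:port rather than a URL (IPv6 literals not handled here).
        host = url.rsplit(":", 1)[0]
    else:
        # Plain HTTP carries a full URL: strip scheme, path and optional port.
        host = re.sub(r"^[a-z]+://", "", url).split("/", 1)[0].rsplit(":", 1)[0]
    return AccessEntry(
        client=m.group("client"), time=m.group("time"), method=m.group("method"),
        host=host, status=int(m.group("status")),
        result=m.group("result"), hier=m.group("hier"),
    )


def denied_by_client(lines):
    """Count TCP_DENIED entries per (client, host); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and entry.result == "TCP_DENIED":
            counts[(entry.client, entry.host)] += 1
    return counts


# Constructed sample log, same layout as the lines quoted in the post.
SAMPLE_LOG = """\
192.0.2.10 - 00:11:22:33:44:55 - [19/Feb/2026:12:23:41 +0100] "CONNECT static.licdn.com:443 HTTP/1.1" 200 39 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" TCP_TUNNEL:HIER_DIRECT
192.0.2.10 - 00:11:22:33:44:55 - [19/Feb/2026:12:23:42 +0100] "CONNECT platform.linkedin.com:443 HTTP/1.1" 403 20345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" TCP_DENIED:HIER_NONE
192.0.2.10 - 00:11:22:33:44:55 - [19/Feb/2026:12:23:43 +0100] "CONNECT ponf.linkedin.com:443 HTTP/1.1" 403 20349 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" TCP_DENIED:HIER_NONE
192.0.2.11 - 66:77:88:99:aa:bb - [19/Feb/2026:12:24:01 +0100] "GET http://example.com/index.html HTTP/1.1" 200 1234 "-" "curl/8.0" TCP_MISS:HIER_DIRECT
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    for (client, host), n in sorted(denied_by_client(SAMPLE_LOG.splitlines()).items()):
        print(f"{client} -> {host}: {n} denied")
```

Run it against `tail -n 1000 /var/log/squid/access.log` to get the same per-host summary from the raw file.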
#8
Dear Community,

Right now an external company is running penetration tests against our OPNsense appliance, and we need a way to remove IP addresses from the blacklist without any whitelisting, because they will attack again with another kind of attack.
Is there any possibility to remove the ip address from the blacklist "on demand"?

Thank you ahead.
Regards

Joel.
#9
Dear OPNsense community,

it's not the first time that, despite having a Business Edition, we lose some of our connections to our company's DMZ applications after an upgrade (for example with Suricata, which broke some of our communications when IPS mode wasn't deactivated).
This time, we have simply lost the access management on our main GW (Cisco) and the communication with our NATed systems in our DMZs. The NATing for these systems is done on our main gateway (Cisco).

Our routing configuration is really simple: network 0.0.0.0/0 to our main GW (Cisco), and we have a bridge LAN/WAN to use the IPS/IDS/proxy capabilities of OPNSense. Until now this setup has worked flawlessly, but after the upgrade we cannot manage our main GW anymore, and the resolution of our DMZ web apps isn't accessible anymore.

On our side it's critical because none of our colleagues here can work on any of our apps anymore. I cannot check anything on the main GW because it's not accessible either.

Could someone give me a hint?
We used to believe that the Business Edition is well tested and tailored for the Business environment.

Thank you in Advance for your information,

Regards,

Joel.
#10
Dear Opnsense Community,

Is there a way, as with NGINX and Naxsi, to limit the simultaneous connections of an IP for the proxied applications with the OPNWAF Web Application Business plugin?
It's a well-known, needed security feature of web application proxies. It's possible that it is present in the plugin, but I've found nothing. Maybe it's possible on another layer of the OPNsense firewall or in another plugin.

Thank you ahead,

Regards,

Joel.
#11
Dear Community and OPNsense Team,

we have bought a Deciso / OPNsense appliance with the Business Edition to always receive a stable version of the system and of the plugins too (normally they're tested on the community version).
Today during the maintenance we upgraded our appliance to version 25.4.1, and after the reboot the squid plugin doesn't work anymore.
Version: os-squid 1.2
A segmentation fault warning; it's not the first time we've seen something like this, and each time we've solved the problems by making a few changes to the parameters.
This time it simply doesn't work, and our company has no Internet without a chaotic passthrough that I need to set up urgently.

The first question: Shouldn't the Business Edition be tested better with plugin integration? (the minimum requirements for the business functions)
If not, we Business customers need the list of the Business plugins that we can use (when we are buying the appliance, for example).

Here is the info on the warning message:

template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2025/06/05 08:30:13| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3128
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3128
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3129
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3129
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3129 (interception enabled)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2025/06/05 08:30:19| WARNING: HTTP requires the use of Via
2025/06/05 08:30:19| Set Current Directory to /var/squid/cache
Segmentation fault

Segmentation fault is quite general. Where can we see the detailed error message?
We have a backup of the configuration. Is there a link to the procedure for an emergency plan, in case we need to restore quickly?
I've found this website: https://www.thomas-krenn.com/de/wiki/OPNsense_Konfiguration_wiederherstellen

We have tried to disable the squid proxy, but the problem is still the same because of the NAT that the squid proxy creates when there's a transparent proxy.
We are currently being blocked by our OPNsense.

Thank you ahead for your help.

Regards,

Joel.
#12
Dear OPNsense Community,

for one week every request longer than 30 sec has been reset or finalized, and we are receiving an AH00989 from the OPNWAF Business plugin. The service is active on an official Deciso OPNsense appliance. If it's less than 30 sec, it works. I've set up a connection timeout of 300 secs on the location. I've no clue what could reset the connection every time after 30 secs. It seems that some FIN packets are sent from the OPNsense OPNWAF too quickly. There's another error, but it's less frequent: AH01102: error reading status line from remote server xx.xx.xx.xx:xxx. My colleagues have confirmed that there's a 502 proxy error in the Edge browser after 30 secs.
I've checked the status of the application server. The server responds and is available to the OPNWAF. The system has worked flawlessly without OPNsense for more than 3 years (it was an Apache proxy system too), that's why I'm a little perplexed by this case. The worst for us is that this system is already in production.

Could you please give me a hint where I can look in OPNsense to fix this?

Thank you ahead,
Regards,
Joel.
#13
Dear OPNSense Community,

I'm trying to use one of our Business OPNSense appliances in transparent bridge mode in one of our DMZs. The bridge works until I reboot the system. The appliance is an official Deciso OPNSense DEC3842.
The topology is not so complex, but more complex than what we find on the internet and in forums in general. It's a 3-tier environment and OPNSense isn't used for NATing. I've tried to integrate the OPNSense to scan the traffic (IPS/IDS, CrowdSec and the firewall) between the 1st and 2nd hop of our networks.
Every time I restart the appliance, I have to save the bridge interface again to restore the connections behind the OPNSense. If I don't do that, I can't access the various applications, remote sessions and HTTPS interfaces. It works for about 2 or 3 days, then the connection is lost again. I press the "save" button and it works again.
The online applications work without that because they're proxied by the OPNSense, but our internal connection between the networks does not. What is really strange, and that's why I believe it's a problem with the OPNSense: I can access the UI of the OPNSense and nothing behind it (the last time); sometimes I can access some of the UIs / RDP.

I've found a second problem and I think it's an effect of this bridge problem. If I don't save the parameters from Suricata again (IPS/IDS), the logs are filled with thousands of these lines: [101142] <Error> -- bridge0: error reading netmap data via polling: No buffer space available
Sometimes it's also written with bridge0^. I've found something about it on the internet, but it doesn't match my case.
I just need to save the Suricata configuration and it's gone and works as it should.

The topology looks something like this: 1st Hop Router (with NAT) -> OPNSense as transparent bridge + proxies connected to some Web Apps -> 2nd Hop Router (with NAT) -> application servers etc...

It seems that OPNSense is interfering with something in the communication between the routers. I've suspected something with ARP, but the last test with some static ARP entries (neighbors) failed. Before the OPNSense we had a Sophos XG (in bridge mode too) and it worked flawlessly. But with the EOL it was time to change.

The only solution for me was to save the bridge and the IPS/IDS configuration again (interface bridge+lan).

Could you please help me?
I'll go into detail when some information is needed. But it could be a really long topic, so I made this summary.

All the best

Regards

Joel T.
#14
Dear Community / OPNsense Team,
Currently we are trying to publish our own web application through the OPNWAF (Apache + ModSecurity), and we have a problem that remains unsolved even with the latest version.
There is a core rule that blocks our web application, and we cannot upload anything bigger than 8MB with the web application.
The triggered core rule is id 200004. We have found that this rule often generates false positives (example https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/827), but with the OPNWAF Business we have no possibility to disable this rule (thanks, by the way, for the "disable security rules by id" combo box). We are trying to use the Business OPNsense functions (paid functions) as professionals. What are our possibilities in this case?
-> We know that we can edit the conf and comment out the rule, but this isn't really a professional solution, and the next time we update our firewall those comments will be gone.

I hope you can provide us a solution or give us a hint to avoid this kind of problem.

Thank you ahead
Regards,

Joel T.
#15
Dear OPNSense Community,

We have purchased a DECISO appliance with a Business license to replace our Sophos UTM. We thought that it would be possible to replace the Sophos UTM web filter (transparent with LDAP) with the OPNSense plugins (WEB PROXY + OPNPROXY + SSO). But it doesn't work for us right now. The Business plugin OPNPROXY could be the solution. It seems that the plugin cannot work with the SSO plugin. That's really sad. We have set up the access control, but nothing is applied as it should be. The policy tester is working, but in reality nothing is filtered in the browser. It's as if the OPNPROXY plugin isn't enabled or present, and I've set up a lot of rules. The WEB PROXY is working as it should.
Is it right that this Business plugin cannot work with SSO? (AD)
If yes, I think that's the biggest missing feature in this plugin. If no, what could I have missed, please?

Thanks ahead,

Regards,

Joel T.
#16
Dear OPNSense community,

we have a Business license, which normally means receiving a stable version after every update / upgrade, but that's not the case. Last upgrade: from 24.4.3 to version 24.10_7 (amd)
os-OPNWAF Version 1.6 - os-crowdsec 1.0.8_1 and Intrusion Detection is activated
After the upgrade the logs from Suricata filled up (and the disk too) -> Resource limit succeeded Service RootFs

Topology:
we have a bridge; the firewall is in our DMZ behind the 1st hop, where there is another router/firewall. The OPNSense is there for its WAF / PROXY functions (OPNWAF / SURICATA / Crowdsec)

We have some Nextcloud and we are securing the traffic to Nextcloud with OPNSense.
Since the last upgrade the logs have filled up with Suricata. I've deleted some logs; they were bigger than 100GB.

Now the firewall is simply blocking the traffic from the Nextcloud to everything, even if I've made some rules like Nextcloud to everything with any ports.

All the services are green.

I cannot explain what is happening, but for a Business license, I think this version has a bug!

I've already restarted, nothing is working, and I don't know where to begin with this kind of stuff. In the OPNWAF the logs don't show any problem. It seems to be a problem with the firewall!

example:
__timestamp__   2024-11-22T08:31:43
ack   3809070810
action    [block]
anchorname   
datalen   0
dir    [in]
dst   XX.X.XXX.XXX (OPNSense Firewall/PROXY)
dstport   48012
ecn   
id   4409
interface   bridge0
interface_name   BRG
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   52
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   4
seq   
src   XX.X.XXX.XXX (Nextcloud)
srcport   443
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   64
urp   506

The worst is that I've changed nothing. Everything has gone wrong after the upgrade to version 24.10_7

Could you please help me

Thank you in advance!

Regards,

Joel.

#17
Dear OPNsense community,

We bought the 3-year package to have business capabilities on our firewall in our company. But as soon as we started configuring OPNWAF (Web Application) Business, it didn't work as expected. We can't upload any documents or photos, regardless of file size (error 413). Some nextcloud applications generate errors (such as "photos", or we lose the ability to change profile status). On the firewall, in the Web Protection tab, I've configured Nextcloud-specific rule exclusions, but that doesn't seem to do anything...

We have found that there is a limitation in the ModSecurity on the OPNWAF. The info is in the Web Error Log.
ModSecurity: Request body no files data length is larger than the configured limit (131072).. Deny with code (413) [hostname "xxxxxxxxx"] [uri "/remote.php/dav/files/

The problem with this plugin is that we couldn't find any documentation of the plugin paths on the hard disk. We have no idea how to set up this plugin, and there's no way of changing anything in the user interface. That's sad for a Business tool.

If someone with experience on this plugin can explain to me where I can change the configured limit, I'd be very happy not to lose my time with this kind of stuff.

Thank you ahead.

Regards,

Joel. T
#18
Dear community,

I've setup a web application firewall with OPNWAF (Business) and ACME Letsencrypt. It works well, but I cannot obtain on SSL Labs the A+ because there's an invalid HSTS policy.
I don't want to deploy the certificates on every Nextcloud, and we are using the ACME Client service on the OPNsense firewall with a wildcard. Is there a possibility to set up Nextcloud and OPNWAF to act as a reverse proxy to solve this problem? I would like SSL Labs to check the HSTS from the OPNWAF and not from the Nextcloud, to keep the easy aspect of the self-signed certificates on every system.
Is there any other possibility with OPNsense?
I've no clue anymore.

Thanks in advance for your help.

Regards,

Joel T.
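The post above fails the SSL Labs A+ check because of an invalid HSTS policy, so it helps to validate the header the proxy actually emits before re-testing. The validator below is an added example (not code from the post, OPNWAF or SSL Labs): it parses a Strict-Transport-Security value per RFC 6797 (max-age required, duplicate directives invalid, unknown directives ignored) and reports what would keep it from counting toward A+. The 180-day threshold is an assumption taken from SSL Labs' published "at least 6 months" requirement; the header values are constructed.

```python
import re

# Assumption: SSL Labs requires an HSTS max-age of at least 6 months for A+;
# taken here as 180 days.
LONG_DURATION = 180 * 24 * 3600  # 15552000 seconds


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns max_age (int or None), include_subdomains, preload and a list of
    errors; the policy is invalid when the error list is non-empty.
    """
    result = {"max_age": None, "include_subdomains": False,
              "preload": False, "errors": []}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, arg = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip()
        if name in seen:
            result["errors"].append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            arg = arg.strip('"')  # the value may be a quoted-string
            if not re.fullmatch(r"\d+", arg):
                result["errors"].append(f"max-age is not an integer: {arg!r}")
            else:
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            if arg:
                result["errors"].append("includeSubDomains takes no value")
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # any other directive is unknown and ignored, as the RFC requires
    if "max-age" not in seen:
        result["errors"].append("max-age directive is missing")
    return result


def hsts_grade_issues(value: str) -> list:
    """Reasons this policy would not satisfy the A+ HSTS check; empty means OK."""
    policy = parse_hsts(value)
    issues = list(policy["errors"])
    if policy["max_age"] is not None and policy["max_age"] < LONG_DURATION:
        issues.append(
            f"max-age {policy['max_age']} is shorter than {LONG_DURATION} seconds")
    return issues


# Constructed header values: what a reverse proxy might send to the client.
SAMPLES = {
    "good":       "max-age=31536000; includeSubDomains; preload",
    "short":      "max-age=86400",
    "no-max-age": "includeSubDomains",
    "duplicate":  "max-age=31536000; max-age=0",
    "garbage":    "max-age=abc",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:11} {hsts_grade_issues(header) or 'OK'}")
```

Only the header sent over HTTPS counts; fetch it with `curl -sI https://host | grep -i strict-transport-security` and feed that value to hsts_grade_issues.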
#19
Dear OPNSense community,
we have set up a WAF in OPNSense with Nginx and Naxsi for a web server.
We are currently creating the rules for it.
However, the rules don't seem to be applied.
Is there a way to view the rules on the machine (in the terminal)?
Our rules are written in the same way (in the web interface) as the preset rules that are provided.
I would appreciate any support!
Kind regards
T.B.
#20
Dear OPNSense community,
I'm missing some information about the OPNWAF plugin. It's not clear with the certificate management, whereas with NGINX + NAXSI it's clear and explained. When I try to activate this plugin the service doesn't start, and the settings are the same as with a functional NGINX+NAXSI. The problem with NAXSI is that it blocks Apple devices with Safari, and without disabling a base ruleset it won't work. It's not really safe like that.

OPNWAF seems to be easier, but it simply doesn't work with our certificates. (no Let's Encrypt here)
Here is some info from the log: pass request body failed, AH00898: Error during SSL Handshake with remote server
The setup is simple: the HTTPS port for the Virtual Server is not standard, SSL Proxy check peer is enabled and the URI matches the CN, the certificate field in the Virtual Server is the same as in the HTTP Server from NGINX in the field TLS Certificate. The Location > Remote destinations in OPNWAF is the https://XX.XX.XX.XX (X = IP) of our web server.
With the same certificate setting with NGINX + NAXSI it works, that's why I don't understand.

I hope with this information you can help me.

I was thinking that with the business license it would be easier for us.

Thank you ahead.

Joel T.