Topics - Cipher

#1
25.7, 25.10 Series / UniFi Switch Uplink Blocked
September 06, 2025, 06:54:55 PM
Hello everyone,
I'm hoping to get some advice on a strange issue I've been running into since updating OPNsense to version 25.7.
After the update, the uplink port on my UniFi switch that connects to my OPNsense box is showing as "STP Blocked" in the UniFi controller. My network topology hasn't changed, and everything was working fine before the upgrade. The link between the two is a direct cable, and there's no physical loop in the network.
This is causing a major problem, obviously, as my internet connection is now down. I've tried a few basic things like rebooting both the OPNsense machine and the UniFi switch, but the problem persists. The UniFi controller logs show "Port disabled by STP to prevent a network loop."
Has anyone else experienced this after the 25.7 update? I'm looking for guidance on where to start troubleshooting this.
Things I'm considering:
 * Are there new STP settings in OPNsense 25.7 I need to be aware of?
 * Is OPNsense now broadcasting something that UniFi is interpreting as a loop?
 * Are there any settings in UniFi I should check, like STP priority, to force it to prefer the OPNsense uplink?
Any advice on where to look in the logs on either OPNsense or UniFi, or specific commands to run, would be greatly appreciated.
Thanks in advance for any help!
#2
System details:
• OPNsense version: 25.1.10
• Hardware: Sophos GX125
• Install method: SSD
• Typical uptime before failure: ~7 days
• Active services: NAT, DHCP, DNS Resolver, WireGuard
• Plugins: No heavy plugins like Zenarmor or Suricata installed

Symptoms:

Roughly once per week:
• The Web GUI becomes unreachable
• SSH access is also unavailable
• However, internet access still works, and WireGuard remains active
• I can still access remote servers via WireGuard tunnels
• Some managed switches (on LAN) become unreachable until a manual reboot

After reboot, everything works normally for another week.

What I've observed:
• No crash reports appear in System > Crash Reporter
• No partitions appear full (df -h shows healthy disk usage)
• Health graphs show memory usage gradually increasing
• No errors stand out in /var/log/* before crash (though I may be missing something)
• The system is still routing traffic, which suggests the kernel/network stack is alive

Suspicions:
• Memory or resource leak affecting web/ssh daemons?
• Lighttpd/nginx and sshd silently dying after prolonged uptime?
• Cron job or logrotate process causing silent failure?
• ARP/cache/broadcast issues causing LAN-side disconnects?

Questions:
1. Is this a known issue on 25.1.10 or the Sophos GX125 platform?
2. How can I better log or monitor what's failing before GUI/SSH becomes unreachable?
3. Any specific services I can safely restart from the console (if reachable) to avoid a full reboot?
4. Would a scheduled reboot (e.g. every 6 days) be a safe temporary workaround?

I'm happy to provide more logs or config info if helpful.

Thanks in advance for any insights or suggestions!
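As an added illustration of question 2 above (how to log what is failing before the GUI and SSH disappear), here is a small cron-run health probe; it is example code, not something posted in the thread. The log path, the `configctl webgui restart` / `configctl openssh restart` action names and the embedded sample `sockstat` text are assumptions or constructed data, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-driven probe for the "GUI and SSH
# stop answering after about a week" symptom. It logs free memory, checks that
# lighttpd (443) and sshd (22) still have TCP listeners, and restarts whichever
# is missing. Log path, configctl action names and sample text are assumptions.

LOG=/var/log/healthprobe.log

# Constructed "sockstat -4l" output for a dry run: sshd listening, no lighttpd.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22                  *:*
unbound  unbound    555   5  udp4   192.168.1.1:53        *:*'

# missing_listeners SOCKSTAT_TEXT PORT... : print every PORT with no TCP
# listener in the text (fields: USER COMMAND PID FD PROTO LOCAL FOREIGN);
# return 1 if at least one port is missing, 0 otherwise.
missing_listeners() {
    text=$1; shift
    rc=0
    for port in "$@"; do
        printf '%s\n' "$text" | awk -v p="$port" '
            $5 ~ /^tcp/ && $6 ~ (":" p "$") { found = 1 }
            END { if (found) exit 0; exit 1 }' || { echo "$port"; rc=1; }
    done
    return $rc
}

# free_mb FREE_PAGES PAGE_SIZE : FreeBSD's vm.stats.vm.v_free_count and
# hw.pagesize expressed in MiB (integer arithmetic).
free_mb() {
    echo $(( $1 * $2 / 1048576 ))
}

# probe: one cron run; append a status line to $LOG and restart what is gone.
probe() {
    free=$(free_mb "$(sysctl -n vm.stats.vm.v_free_count)" "$(sysctl -n hw.pagesize)")
    missing=$(missing_listeners "$(sockstat -4l)" 22 443) || true
    printf '%s free_mb=%s missing=%s\n' "$(date '+%F %T')" "$free" "${missing:-none}" >> "$LOG"
    for port in $missing; do
        case $port in
            443) configctl webgui restart  >> "$LOG" 2>&1 ;;  # assumed action name
            22)  configctl openssh restart >> "$LOG" 2>&1 ;;  # assumed action name
        esac
    done
}

# "sh healthprobe.sh run" from cron does a real probe; "demo" parses the sample.
case "${1:-}" in run) probe ;; demo) missing_listeners "$SAMPLE_SOCKSTAT" 22 443 ;; esac
```

Because the status line is written every run, the log shows the free-memory trend and the exact interval in which a listener vanished, which is the evidence the crash reporter and /var/log were not giving.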
#3
Hi all,

I'm running OPNsense 25.1.7_4-amd64 (FreeBSD 14.2-RELEASE-p3, OpenSSL 3.0.16) on a hardware appliance (not virtualized).
Today I noticed that the LAN interface is showing 5 errors in the interface statistics.

The network seems to be functioning fine, but I would like to understand:
 * where these errors come from,
 * whether I should be worried about them,
 * and what steps I can take to troubleshoot the issue.

Questions:
 * What types of errors are reported under the LAN interface stats (CRC errors, packet drops, collisions, etc.)?
 * Is there a log or diagnostic view in OPNsense where I can see more detail about these errors?
 * Could they be caused by bad cables, switch ports, or NIC driver issues?
 * Is a small number of errors (5 errors) considered normal, or does it point to a potential problem?
 * What steps would you recommend to troubleshoot and hopefully eliminate the cause?

System Details:
 * OPNsense version: 25.1.7_4
 * FreeBSD: 14.2-RELEASE-p3
 * Appliance type: hardware
 * LAN NIC: Intel(R) I211 (Copper)

Thanks for any advice or experiences you can share!
#4
Hi everyone,

We're planning to migrate a customer from pfSense to OPNsense and are currently validating compatibility for their setup.

We've successfully tested PPPoE on OPNsense, but we need to confirm if PAP (Password Authentication Protocol) is supported and working reliably in this context.

This is important for us before moving forward with the migration.

Has anyone used PAP authentication on OPNsense? Any known issues or limitations?

Thanks in advance!
#5
Hi All,

I hope you're doing well.

We've encountered an issue with port forwarding for our cameras. After enabling port forwarding (NAT port to the camera recorder), it causes our WireGuard VPN and external access to the GUI to stop working. However, when we disable the NAT ports, everything starts working again.

Could you advise who might be able to help resolve this issue? Additionally, is it necessary to port forward or NAT the camera port to maintain all services functioning properly, or is there an alternative configuration we should consider?

Looking forward to your guidance.
#6
Hello everyone,

I received two /29 subnets from our ISP. Currently, I'm using the first /29 as the uplink, with the other 7 IPs functioning as virtual IPs, which is working well.

The second /29 subnet has its own gateway, which has been added as well, with those IPs also set up as virtual. However, our Layer 3 switch is having trouble routing this second subnet because we need to configure a static route in OPNSense.

Could someone advise on how to set up the static routing for the second subnet?

Your support is greatly appreciated.

Thank you!
#7
24.1, 24.4 Legacy Series / WG firewall rules
May 22, 2024, 10:08:24 PM
Hi everyone,

We are using WireGuard as a site-to-site VPN between four offices. These offices are connected to site A, so sites B, C, D, and E are connected to site A.

I want to allow RDP and ICMP from sites B and C, and allow all traffic from sites D and E. Can you please advise how to set this up? I appreciate any support.
#8
24.1, 24.4 Legacy Series / NAT Rule Help
April 25, 2024, 07:00:52 PM
Hi Everyone,

I created a NAT rule to allow access to our internal camera system from outside the network. The rule is applied on the NAT and is automatically reflected on the WAN interface of the firewall.

However, when I try to access the cameras from an external location, I get the following error message: "Default Deny / State Violation." I've attached a screenshot showing the error.

Could someone please advise on what I might need to do to resolve this issue? Any guidance would be greatly appreciated.

Thanks in advance!
#9
24.1, 24.4 Legacy Series / Multi Wan
March 15, 2024, 11:47:04 PM
Hi everyone,

I'm currently working on configuring multi-WAN on our OPNsense firewall. Despite following various tutorials, I'm encountering issues with the setup. Here's what I've done so far:

1. Created two gateways for the two upstream links from both ISPs. Both gateways are marked as "up."
2. Configured a gateway group with the option "member down" so that if the first gateway goes down, traffic should switch to the second one.
3. Added the gateway group to the LAN any any rule in the firewall settings.
4. Implemented a DNS rule at the top of the LAN firewall rules to forward DNS traffic to the firewall.
5. Specified both gateways in the system settings.

However, when I disabled the WAN1 interface to test the setup, nothing seemed to work. My question is: Are my configurations correct, or did I miss something? Is disabling WAN1 the wrong way to test this setup?

Your guidance on troubleshooting or any suggestions for improvement would be greatly appreciated.
#10
Hi Guys,

Somehow I noticed this subnet in our network: 192.168.178.0/24.
Is there a way to block it using an alias?
#11
I'm currently facing a routing issue that I'm hoping to get some guidance on.

Here's a brief overview of our setup:

We have two separate subnets from our ISP, both /29.
We are utilizing a layer 3 switch from our ISP with VLAN tagging to connect to the OPNsense firewall.
The switch port connecting to the OPNsense firewall is tagged with VLAN 130, and VLAN 130 is utilizing both /29 subnets for the uplink to the firewall.

What I'm attempting to achieve:

I want to separate the subnets so that the uplink will have two VLANs, specifically VLAN 130 and VLAN 131.
However, when I configure this setup, it seems to only route one subnet and not both.

The Cisco team has mentioned that OPNsense needs to be configured to route these subnets internally.

I would greatly appreciate any insights, advice, or guidance on how to properly configure OPNsense to internally route these subnets. If there are specific settings or configurations I should be looking at, please point me in the right direction.

Thank you in advance for your support!
#12
Hi everyone,

I hope you're doing well. I'm currently working on a networking project and could use some advice. Here's a brief overview of my setup:

I'm using two subnets on the WAN, each with a /29 configuration, providing me with a total of 8 IP addresses. These IPs are utilized as virtual IPs on the WAN side. My primary concern arises when configuring NAT for these IPs.

I've successfully configured NAT for one IP on port 443, directing traffic to the internal domain. However, I'm facing an issue with the remaining IPs. Even though I haven't set up NAT for these IPs, they seem to be accessible.

Any insights into why this might be happening and how I can ensure that only the intended IP with NAT is reachable? Your expertise would be greatly appreciated.

Thank you!
#13
Hardware and Performance / 10Gb speed slow
October 31, 2023, 12:48:52 AM
Hey Opnsense community,

I've been running Opnsense on an HPE Gen 10 server, and I'm experiencing slower than expected network speeds. The server is equipped with an Intel x5220 DA 10GB RJ45 network card, but my speed test results are not reaching the full 10GB speed.

I'd like to optimize my network setup to get the most out of this hardware configuration. Any suggestions or advice on how to troubleshoot and improve the network speed with Opnsense and this Intel network card would be greatly appreciated. Thanks!