Topics - nikkon

#1
Hi community,

I own a DEC750 with NVMe running 25.1.10. Recently I got a failed SMART message:


smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.2-RELEASE-p3 amd64] (local build)
Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Number: TS256GMTE652T2
Serial Number: H433990185
Firmware Version: 52B9T7OA
PCI Vendor/Subsystem ID: 0x1d79
IEEE OUI Identifier: 0x000000
Controller ID: 1
NVMe Version: 1.3
Number of Namespaces: 1
Namespace 1 Size/Capacity: 256,060,514,304 [256 GB]
Namespace 1 Utilization: 255,796,785,152 [255 GB]
Namespace 1 Formatted LBA Size: 512
Local Time is: Tue Jul 15 09:47:04 2025 CEST
Firmware Updates (0x14): 2 Slots, no Reset required
Optional Admin Commands (0x0017): Security Format Frmw_DL Self_Test
Optional NVM Commands (0x005f): Comp Wr_Unc DS_Mngmt Wr_Zero Sav/Sel_Feat Timestmp
Log Page Attributes (0x0f): S/H_per_NS Cmd_Eff_Lg Ext_Get_Lg Telmtry_Lg
Maximum Data Transfer Size: 32 Pages
Warning Comp. Temp. Threshold: 85 Celsius
Critical Comp. Temp. Threshold: 90 Celsius

Supported Power States
St Op Max Active Idle RL RT WL WT Ent_Lat Ex_Lat
 0 + 9.00W - - 0 0 0 0 0 0

Supported LBA Sizes (NSID 0x1)
Id Fmt Data Metadt Rel_Perf
 0 + 512 0 0

=== START OF SMART DATA SECTION ===
SMART overall-health self-assessment test result: FAILED!
NVM subsystem reliability has been degraded

SMART/Health Information (NVMe Log 0x02, NSID 0xffffffff)
Critical Warning: 0x04
Temperature: 43 Celsius
Available Spare: 100%
Available Spare Threshold: 10%
Percentage Used: 159%
Data Units Read: 15,175,817 [7.77 TB]
Data Units Written: 868,173,472 [444 TB]
Host Read Commands: 166,826,964
Host Write Commands: 6,380,384,852
Controller Busy Time: 74,813
Power Cycles: 22
Power On Hours: 22,786
Unsafe Shutdowns: 16
Media and Data Integrity Errors: 0
Error Information Log Entries: 0
Warning Comp. Temperature Time: 234
Critical Comp. Temperature Time: 0
Thermal Temp. 1 Transition Count: 13638
Thermal Temp. 1 Total Time: 111289

Error Information (NVMe Log 0x01, 16 of 256 entries)
No Errors Logged

Self-test Log (NVMe Log 0x06, NSID 0xffffffff)
Self-test status: No self-test in progress
Num Test_Description Status Power_on_Hours Failing_LBA NSID Seg SCT Code
 0 Extended Completed: failed segments 22597 - - 2 - -
 1 Extended Completed: failed segments 22556 - - 2 - -
 2 Short Completed: failed segments 22554 - - 2 - -
 3 Short Completed: failed segments 22549 - - 2 - -
 4 Short Completed: failed segments 17155 - - 2 - -
 5 Short Completed: failed segments 12464 - - 2 - -


I haven't opened the box yet, so my questions are:

Can the NVMe be changed?

If yes, what type should I buy?

Is there an install-from-scratch procedure?

Thank you
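As an added example (not part of the post), a small Python check that parses the SMART/Health section of the smartctl output quoted above and decodes the Critical Warning byte according to the bit layout of the NVMe SMART/Health log page; the sample text is constructed from the figures in the post, and the thresholds (Percentage Used at or above 100%, spare at or below its threshold) are the ones a monitoring job would alert on.

```python
import re
# Constructed sample: the SMART/Health section of the smartctl output quoted above.
SAMPLE = """\
SMART overall-health self-assessment test result: FAILED!
- NVM subsystem reliability has been degraded

SMART/Health Information (NVMe Log 0x02, NSID 0xffffffff)
Critical Warning:                   0x04
Available Spare:                    100%
Available Spare Threshold:          10%
Percentage Used:                    159%
"""

# Bit meanings of the NVMe Critical Warning byte (SMART/Health log page).
CRITICAL_WARNING_BITS = {
    0: "available spare below threshold",
    1: "temperature outside threshold",
    2: "NVM subsystem reliability degraded",
    3: "media placed in read-only mode",
    4: "volatile memory backup device failed",
}

def parse_health(text):
    """Turn the 'Key:   value' lines of smartctl output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][^:]*?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def _num(value):
    # Leading integer of a value such as '159%' or '15,175,817 [7.77 TB]'.
    return int(re.match(r"[\d,]+", value).group().replace(",", ""))

def assess(fields):
    """List the reasons this drive needs attention, in a fixed order."""
    findings = []
    if fields.get("SMART overall-health self-assessment test result", "").startswith("FAILED"):
        findings.append("overall self-assessment FAILED")
    cw = int(fields.get("Critical Warning", "0x00"), 16)
    for bit, meaning in CRITICAL_WARNING_BITS.items():
        if cw & (1 << bit):
            findings.append(f"critical warning bit {bit}: {meaning}")
    used = _num(fields.get("Percentage Used", "0%"))
    if used >= 100:  # the spec allows values above 100 once rated endurance is exceeded
        findings.append(f"endurance exhausted: percentage used {used}%")
    spare, threshold = fields.get("Available Spare", "100%"), fields.get("Available Spare Threshold", "0%")
    if _num(spare) <= _num(threshold):
        findings.append("available spare at or below threshold")
    return findings
```

Feeding it the real output of `smartctl -a` on the device gives the same findings; an empty list means none of the checked conditions is present.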
#2
General Discussion / DNS resolver question
July 08, 2025, 05:10:14 PM
Hi all,

I have a problem on my internal network regarding DNS resolution.
The name of the OPNsense box is firewall.balaci.eu
 
nslookup firewall.balaci.eu
Server:      172.16.10.1
Address:   172.16.10.1#53

Name:   firewall.balaci.eu
Address: 213.10.27.11
Name:   firewall.balaci.eu
Address: 10.0.0.1
Name:   firewall.balaci.eu
Address: 172.16.10.1
Name:   firewall.balaci.eu
Address: 172.16.40.1
Name:   firewall.balaci.eu
Address: 172.16.30.1

It replies fine to nslookup. Now the problem is, I am using NGINX Proxy Manager to distribute a wildcard certificate to all my internal appliances, and firewall.balaci.eu is pointing to the 172.16.10.1/24 interface.
It never loads when I type it in the browser.
What am I missing?

Thank you
#3
General Discussion / KPN fiber bypass vendor router
March 28, 2024, 12:43:22 PM
Hi all,

I just switched to KPN Fiber and I can see that their router uses PPPoE to connect to KPN.
I created the connection on my OPNsense, however I can't make it connect.
Has anyone done this? I need some guidance to make this work.
KPN support is not helping.
#4
General Discussion / dns the same IP but different ports
February 19, 2024, 06:19:16 PM
Hi all,
I am looking for guidance.
I upgraded TrueNAS Core to Scale. Core jails had the possibility to get IPs from LAN DHCP, but the new OS with k8s can't. So, as on TrueNAS Scale all apps share the same ingress IP (the TrueNAS IP), can I add different DNS entries and filter by port & name?

Thank you
#5
General Discussion / out rule question
March 07, 2023, 10:38:36 PM
Hi all,
I have a few floating rules on both WAN (direction IN) and LAN (direction OUT) which are blocking one specific host from LAN from reaching outside connections.
I don't want to disable the rules on LAN (this is where it happens); instead, I tried excluding that particular host from the match by using invert. Something doesn't work and I have no clue what.

The blocking rule is Block DROP out 1 - LAN.
How can I exclude only 1 IP from matching this rule?

#6
General Discussion / routing question
February 21, 2023, 02:18:30 PM
Hi all,
I got stuck with the following situation:
I have a few vlans and several networks.
2 networks have a problem:
network 1 -> 172.16.10.0/24 with x clients - no VLAN
network 2 -> 172.16.20.0/29 with only 2 clients - VLAN10
Now these 2 networks intersect in my storage (TrueNAS), where I have 1 interface linked to network 1 and the second interface linked to network 2:
jail 1 -> connects to the non-vlan network and gets DHCP (172.16.10.11)
jail 2 -> connects to Vlan10 and gets DHCP (172.16.20.3)

Now the problem is: the VLAN10 network uses an OpenVPN gateway (SurfShark) to reach the internet.
I need to make the 2 jails talk to each other by preventing 172.16.20.3 from using the default gateway as its internet gateway.

ping from 172.16.10.11 to 172.16.20.3 works
ping from 172.16.20.3 to 172.16.10.1 (gateway) works but it doesn't with 172.16.20.3.

What am I missing?
Can it be the switch port? Network 2 binds to a tagged switch port. I think it is blocked at the firewall level.

thank you

#7
General Discussion / unbound crash every day
October 31, 2022, 06:09:13 AM
Hi all,
I have a weird Unbound problem. It crashes once a day because of:
2022-10-31T05:03:13 Error unbound [75750:0] error: remote control failed ssl crypto error:02FFF020:system library:func(4095):Broken pipe
2022-10-31T05:03:13 Notice unbound [75750:0] notice: failed connection from 127.0.0.1 port 14221
2022-10-31T05:03:13 Error unbound [75750:0] error: remote control failed ssl crypto error:02FFF020:system library:func(4095):Broken pipe


I have DNS over TLS enabled with Cloudflare, and under Custom Options I manually added
tls-cert-bundle:  /var/unbound/unbound_server.pem
I have verified all CAs and certificates. All (self-signed + ACME) are valid.

Any clue what this error means?
#8
Zenarmor (Sensei) / add sqlite - datasource in grafana
September 27, 2022, 03:24:00 PM
Hi all,
I see the new version comes with SQLite as the local DB for the data in Zenarmor. I was wondering, did anyone manage to define it as a datasource in Grafana?
#9
Hi all,

I am on OPNsense 22.7.2-amd64

Sensei doesn't work because MongoDB cannot start:
pkg check -da
Checking all packages: 100%
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
py37-pymongo has a missing dependency: python37
py37-pymongo has a missing dependency: py37-setuptools
py37-pymongo is missing a required shared library: libpython3.7m.so.1.0

Can anyone tell me a repo from where to get these missing files?

thanks
#10
Hi all,

I am trying to initialize a USB WiFi adapter (Asus AC68) based on a Realtek chip.
It looks like it has been detected:
ovpnc1: link state changed to UP
ugen1.3: <Realtek 802.11ac NIC> at usbus1 (disconnected)
ugen1.3: <Realtek 802.11ac NIC> at usbus1

but I can't see it as an interface. How do I initialize it?
Any guide is welcome.

Thank you
#11
General Discussion / DHCP issue on VLAN
March 01, 2022, 04:07:12 PM
Hi all,

I have a stupid problem.
I have 3 VLANs:
     Lan_Wifi tag 10 - 172.16.20.0/24
     Guest_Wifi tag 20 - 172.16.30.0/24
     Iot_wifi tag 30 - 172.16.40.0/24

VLAN 10 and 30 work perfectly. Every network has its own DHCP server.
Guest_Vlan maps to a Wifi_Guest SSID and has a DHCP server associated with it as well. The customers of this network are set not to have internal access, only internet access.
Every time I add a new customer, it gets the IP from the pool, the GW and DNS. However, it does 0 traffic.
If I add the device to the list of DHCP Static Mappings, they start working as expected.
Once the client gets the IP from the DHCP server serving the Wifi_Guest network, the client appears in the leases list as Offline.


All other DHCP networks have a mapping for every entry.
Any clue why this is happening? I'm missing something for sure :(

thank you
#12
Hello,

Did anyone manage to set up a point-to-point WireGuard VPN?
Can you please point me to some docs (the one on OPNsense is incomplete, I believe)?

Thanks
#13
Hardware and Performance / Ten64 NXP CPU
August 19, 2021, 11:16:52 AM
Hello,

Has anyone tested this hardware? It looks pretty awesome.
https://www.traverse.com.au/hardware-1.html

#14
Hardware and Performance / compatible USB Wifi
February 17, 2021, 09:14:54 AM
Hi there

Is there any compatible USB WiFi adapter that works with OPNsense?
Has anyone tested any?

thanks
#15
Hi all,

This is my first time writing a how-to; if there are inconsistencies, just let me know and I'll be happy to address them.
Long story short: I was looking for a VPN provider for only 1 of my local IPs (one jail in particular). So I decided to go with SurfShark VPN, and below is the step-by-step config:

Step 1
  Create a SurfShark account and log in.
  Once in, go to Manual Setup -> Manual -> Credentials. (Keep those safe.)
  Switch back to Files and choose one of the servers you want (servers in the respective country you decide you
  will use as exit point).

Step 2
   In OPNsense: Go to System -> Trust -> Certificates
     Press the + Add button. Then fill out the fields like this:
Descriptive Name: SurfsharkVPN
Method: Import an existing Certificate Authority
Certificate data:

-----BEGIN CERTIFICATE-----
MII3...

/UplsM=
-----END CERTIFICATE-----

This data can be also found in the CA&TLS certificates archive under the "Other configuration files" section on your SurfShark account.

Step 3
   In Opnsense: Under VPN -> OpenVPN -> Clients 
   Add new client:
  Disable this client: leave unchecked.
  Server mode: Peer to Peer (SSL/TLS);
  Protocol: UDP on IPv4 only (you can also use TCP);
  Device mode: tun – Layer 3 Tunnel Mode;
  Interface: WAN; (whatever name your wan interface has)
  Local port: leave blank;
  Server host or address: The server hostname that you want to connect to from the list of servers from
  Step 1
  Server port: 1194 (use 1443 if you use TCP as I do);
  Proxy host or address: leave blank;
  Proxy port: leave blank;
  Proxy Authentication: None;
  Description: Any name you like.
 
  Remember to use your credentials from step 1 (the ones advised to be kept safe  :P)
 
  Enable TLS Authentication for packets and use the following TLS Key:

-----BEGIN OpenVPN Static key V1-----
b02c4f079a4a49888da566b9978346
.......
e7279ff1a19cb092659e8c1860fbad0d

-----END OpenVPN Static key V1-----

TLS Key Usage Mode: TLS Authentication
Peer certificate authority: SurfsharkVPN;
Client certificate: webConfigurator default or as in my case the Let's Encrypt one
Encryption Algorithm: AES-256-GCM
Enable NCP: Check.
NCP Algorithms: AES-256-GCM (256 bit key, 128 bit block)
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration.
Don't pull routes: check
Compression: No preference

Add this under Advanced:
   tls-client;
   remote-random;
   tun-mtu 1500;
   tun-mtu-extra 32;
   mssfix 1450;
   persist-key;
   persist-tun;
   reneg-sec 0;
   remote-cert-tls server;

Step 4
   In the OPNsense interface go to Interfaces -> Assignment -> add interface ovpnc1 (in my case) to the interfaces and give it a name (in my case it is simply Surfshark)
   Once the interface is created: IPv4 Configuration Type: None

Step 4.1
   If you want all your traffic to be routed via Surfshark, then select this newly created interface as the outgoing interface for DNS (Unbound & any other resolver).
   In order for DNS to work, you need to:
   check Forwarding Mode
   uncheck DNSSEC support
   Services -> Unbound DNS -> Advanced: check both Hide Identity & Hide Version
   
Step 5
   Firewall -> NAT -> Outbound: change from "Automatic outbound NAT rule generation
  (no manual rules can be used)" to "Hybrid outbound NAT rule generation
  (automatically generated rules are applied after manual rules)"
   Add one rule:
   Interface: Surfshark
   Source: <local host you want to route>
   Source Port: <ports you want to route>
   Destination: *
   Destination Port: *
   NAT Address: Interface address
   NAT Port: *
   Static Port: NO
   Description: SurfSharkVPN

This will apply only to 1 host in your network.
If you want to route all your traffic, simply change the source to the IP address of your LAN interface (192.168.1.1/24 as example).

Step 6
Firewall -> Rules -> Surfshark, add one rule:
   Protocol: IPv4 *
   Source: Lan_Wired net
   Source Port: *
   Destination: <my specific host>
   Destination Port: *
   Gateway: SURFSHARK_VPNV4
   Schedule: *
   Description: VPN allow traffic
Firewall -> Rules -> Lan, add one rule:
   Protocol: IPv4 *
   Source: <my specific host>
   Source Port: *
   Destination: *
   Destination Port: *
   Gateway: SURFSHARK_VPNV4
   Schedule: *
   Description: gateway VPN

Step 7
System-> Settings-> General:
Under DNS Servers add:
DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4

Step 8
Check the connection - VPN-> OpenVPN-> Log File & VPN-> OpenVPN-> Connection Status


I hope this will help.
Enjoy

#16
Hello,

I might be missing something; however, just after a fresh install (because the update was unsuccessful, resulting in a restart loop), I tried to load a configuration backup from yesterday.
Surprise, surprise, it doesn't load. Can someone guide me on where I can find a more detailed log for the backup restore?
Thank you
#17
General Discussion / How to mount nfs share
May 14, 2020, 09:32:29 AM
Hi everyone,

Does any of you know how to mount an NFS share?

I did try and ran into errors:

[tcp] 172.16.10.3:/mnt/Storage/Mihai/monitoring_metrics: RPCPROG_NFS: RPC: Port mapper failure - RPC: Timed out


Thanks
#18
General Discussion / acme on Cloudflare domains
November 13, 2019, 05:24:41 PM
Hi all,

Does anyone have a step-by-step guide to create certificates for domains hosted on Cloudflare?

Every time I try to create a certificate I get the following in /var/log/acme.sh.log:
[Wed Nov 13 10:46:25 EET 2019]   _on_issue_err
[Wed Nov 13 10:46:25 EET 2019]   Error add txt for domain:_acme-challenge.skynet.balaci.xyz
[Wed Nov 13 10:46:25 EET 2019]   Invalid domain.

The domain can be resolved pretty easily. However, I am missing something in the ACME certificate definition or validation.

any input is appreciated.
thank you
#19
General Discussion / [Resolved] DynDNS with He.net
November 10, 2019, 09:06:44 PM
Hi all,

Has anyone managed to update a record on HE.net?
I tried from the UI, however I always get:
opnsense: /services_dyndns_edit.php: Dynamic DNS: (Error) Authentication failed
Nov 10 22:04:55    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz): Current Service: he-net
Nov 10 22:04:55    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz): _checkStatus() starting.
Nov 10 22:04:54    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz via HE.net): _update() starting.
Nov 10 22:04:54    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz): running dyndns_failover_interface for opt1. found pppoe0
Nov 10 22:04:54    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz): 212.54.118.220 extracted

Any clue?
#20
Hi all,

I know it was discussed previously and there is a small topic in the archive. Unfortunately, I couldn't understand the resolution. My context is this:
I need to connect to an Asus router which unfortunately has only PPTP VPN enabled, and I have a user/pass I can use.
On my WAN I have a PPPoE connection.
I created a Point-to-Point device assigning the WAN physical interface (tried with an unused interface too) and added the username and password. I assigned the newly created virtual interface to an interface and hoped it would connect.
Unfortunately, nothing happens.
Point to point logs:
Oct 2 02:13:57   ppp: [opt2_link0] Link: reconnection attempt 3
Oct 2 02:13:56   ppp: [opt2_link0] Link: reconnection attempt 3 in 1 seconds
Oct 2 02:13:56   ppp: [opt2_link0] LCP: Down event
Oct 2 02:13:56   ppp: [opt2_link0] Link: DOWN event
Oct 2 02:13:56   ppp: [opt2_link0] PPTP call failed
Oct 2 02:12:41   

Is there another way I can make this work?