Topics - Siarap

#1
25.7, 25.10 Series / How to set up drr?
November 06, 2025, 07:07:15 PM
How do I properly set up a shaper with the deficit round robin scheduler type? Is this the same setup as fq_codel? I want to test it. I don't know whether I need to use a mask or not. There is no info in the official OPNsense documentation.
#2
My Maltrail detected mass connections to malware-related domains within about 3 minutes (many different domains). These connections were made over port 53 even though I have DNS over TLS set. These connections were made from the WAN IP address, not from the LAN. Is it possible that my OPNsense instance is infected?

EDIT: Currently partially solved by blocking outgoing traffic from WAN with port 53 as destination. But I am a network newbie; I don't know if it's enough.
#3
Adding a block rule with the built-in (autogenerated) alias "vlan net" as destination has no effect; the destination can still be pinged from LAN net. Same in the reverse direction with LAN net blocked as destination.

When I set my own alias with the 192.168.3.1/24 network (vlan net IP range) and block it as destination, it works as intended: the destination cannot be pinged (the whole address pool).

I know the proper rule order in OPNsense. It doesn't even work when one rule is present on the LAN interface allowing access to everything from any address but with "! vlan net" as destination (inverted destination). With this rule, IP addresses in vlan net can be pinged without any restriction.

For example, this rule won't block access to tv net (vlan): IPv4 *    LAN net    *    ! tv net    *    *    *  (pass rule)

Only aliases set by me worked, not any of the "* net" aliases autogenerated by OPNsense.

I'm a newbie, so I may not understand something.
#4
I've decided to separate clients in my network by making VLANs because I have a decoder made by Shenzhen SDMC Technology CO.,Ltd.

I have a VLAN named "television" and put a static lease in the DHCP setup by MAC address. I've turned on these options:
- If this is checked, only the clients defined below will get DHCP leases from this server.
- By default, the same MAC can get multiple leases if the requests are sent using different UIDs. To avoid this behavior, check this box and client UIDs will be ignored.

I've set rules in the firewall for the television VLAN to separate the networks: IPv4 *    *    *    ! LAN net , mama net    *    *    *
So the decoder is jailed.
But this decoder is breaking into my LAN net, leasing an address from the LAN net DHCP even with the same options set for LAN net. The IPTV decoder's MAC address is not on the LAN net list.

I don't know what to do with this. This is weird behavior. The same thing happened with my Wi-Fi access point. It "leaks" into my LAN net, where my main PC is connected.

Leases for the IPTV decoder are doubled:

LAN 192.168.1.107 xx:xx:xx:xx:xx:xx Shenzhen SDMC Technology CO.,Ltd.2025/04/29 04:45:54 2025/04/29 06:45:54 active dynamic
telewizja 192.168.2.2 xx:xx:xx:xx:xx:xx Shenzhen SDMC Technology CO.,Ltd. telewizja active static

I'm using OPNsense 25.4-amd64

Sorry, my bad, bad googling. I found the solution. Go to ISC DHCPv4 >> [LAN] >> MAC Address Control >> use this option: "Enter a list of partial MAC addresses to deny access, comma-separated, no spaces, such as 00:00:00,01:E5:FF". I've set a MAC blacklist for LAN and for every VLAN that I have. This should be easier than copying each MAC from every unwanted device for every subnet/LAN/VLAN. This should be a clickable solution, a selection from leases: "select this device to access only vlan1". Too many devices, too many MACs, and setting this in every VLAN.
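The doubled-lease situation above can be checked mechanically. The following is an added example written for this page, not code from the thread or from OPNsense: it parses a constructed, simplified lease table ("interface ip mac hostname" per line, made-up MACs), reports any MAC that holds leases on more than one segment or on a segment other than its assigned one, and builds the comma-separated, no-spaces deny string that the ISC DHCPv4 MAC Address Control option described in the post expects. The device-to-segment policy (`ALLOWED_SEGMENT`) is an assumption standing in for whatever the operator decides.

```python
"""Audit DHCP leases for devices that appear on more than one segment and
build the per-interface MAC deny list.

Added example, not code from the thread or from OPNsense. Assumes a
constructed lease line format "interface ip mac hostname" and that the
deny-list option takes full or partial MACs, comma-separated, no spaces.
"""
from collections import defaultdict

# Constructed sample leases (locally administered 02:... MACs, made up),
# mirroring the doubled lease the post observed for the IPTV decoder.
SAMPLE_LEASES = """\
LAN        192.168.1.107  02:aa:bb:cc:dd:01  iptv-decoder
telewizja  192.168.2.2    02:aa:bb:cc:dd:01  iptv-decoder
LAN        192.168.1.20   02:aa:bb:cc:dd:02  main-pc
LAN        192.168.1.33   02:aa:bb:cc:dd:03  wifi-ap
guest      192.168.4.5    02:aa:bb:cc:dd:03  wifi-ap
"""

# Hypothetical policy: the one interface each device is allowed to lease on.
ALLOWED_SEGMENT = {
    "02:aa:bb:cc:dd:01": "telewizja",
    "02:aa:bb:cc:dd:02": "LAN",
    "02:aa:bb:cc:dd:03": "guest",
}


def parse_leases(text):
    """Parse the constructed lease lines into dicts (MACs normalised to lower case)."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, ip, mac, host = line.split()
        leases.append({"iface": iface, "ip": ip, "mac": mac.lower(), "host": host})
    return leases


def doubled_leases(leases):
    """Map MAC -> sorted interfaces, only for MACs leased on more than one segment."""
    seen = defaultdict(set)
    for lease in leases:
        seen[lease["mac"]].add(lease["iface"])
    return {mac: sorted(ifaces) for mac, ifaces in seen.items() if len(ifaces) > 1}


def misplaced_leases(leases, allowed=ALLOWED_SEGMENT):
    """Leases held on an interface other than the device's assigned segment."""
    return [l for l in leases if allowed.get(l["mac"]) not in (None, l["iface"])]


def deny_list_for(iface, allowed=ALLOWED_SEGMENT):
    """Deny string for `iface`: every known device whose home segment is elsewhere.

    Sorted so the result is stable and can be diffed against the configured value.
    """
    macs = sorted(mac for mac, home in allowed.items() if home != iface)
    return ",".join(macs)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for mac, ifaces in doubled_leases(leases).items():
        print(f"{mac} holds leases on: {', '.join(ifaces)}")
    for lease in misplaced_leases(leases):
        print(f"{lease['host']} ({lease['mac']}) leased {lease['ip']} on "
              f"{lease['iface']}, expected {ALLOWED_SEGMENT[lease['mac']]}")
    print("LAN deny list:", deny_list_for("LAN"))
```

Running the script on the constructed table flags both the decoder and the access point as doubled, and prints `02:aa:bb:cc:dd:01,02:aa:bb:cc:dd:03` as the deny list for LAN. Keeping the policy in one place and generating the per-interface strings from it avoids the hand-copying of MACs across every VLAN that the post complains about.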
#5
25.1, 25.4 Series / Weird DNS behavior.
April 16, 2025, 05:41:21 AM
My Maltrail instance on 25.4 detects malicious DNS queries from my WAN address on port 53. I decided to block outbound connections from WAN with destination port 53. I have DNS over TLS (Quad9) enabled. When I block port 53 I'm losing DNS resolving. No domains are resolved. So all this time I had no DNS encryption? What servers is OPNsense using then? Why isn't TLS port 853 used?

EDIT: These DNS servers were used to resolve the malicious domains' IPs: 162.159.38.3, 172.64.35.93, 192.33.14.30. I never set these IP addresses anywhere. I have Unbound enabled as resolver + DNS over TLS.

These domains were resolved: cdn.prod.website-files.com, prod.website-files.com, .website-files.com
Maybe it's just a false positive in Maltrail?
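Both this post and the earlier "mass connections over port 53" post come down to the same check: is the firewall's own WAN address sending plain-text DNS on port 53 when DNS over TLS on 853 is what was configured? The script below is an added example for this page, not code from the thread or from OPNsense or Maltrail. It runs over a constructed, simplified flow record format ("timestamp src dst proto dport"), uses a placeholder WAN address, and takes the expected DoT forwarder list as an assumption to be replaced with the addresses actually configured in Unbound. The three port-53 destinations from the post are included in the sample so the output shows how they surface.

```python
"""Audit outbound DNS flows from the firewall's WAN address against a
DNS-over-TLS expectation.

Added example, not code from the thread, OPNsense or Maltrail. Assumes a
constructed flow record format "timestamp src dst proto dport"; the WAN
address and the expected forwarder list are placeholders / assumptions.
"""
import ipaddress
from collections import Counter

# Placeholder WAN address of the firewall (documentation range, not real).
WAN_ADDR = ipaddress.ip_address("203.0.113.10")

# Assumed DoT forwarders; replace with the ones configured in Unbound.
EXPECTED_DOT_SERVERS = {
    ipaddress.ip_address("9.9.9.9"),
    ipaddress.ip_address("149.112.112.112"),
}

# Constructed sample flows: two DoT flows to the expected forwarders, three
# plain-text port-53 flows to the addresses the post saw, one LAN client
# asking the firewall itself, and one unrelated HTTPS flow.
SAMPLE_FLOWS = """\
2025-04-16T05:30:01 203.0.113.10 9.9.9.9 tcp 853
2025-04-16T05:30:02 203.0.113.10 162.159.38.3 udp 53
2025-04-16T05:30:02 203.0.113.10 172.64.35.93 udp 53
2025-04-16T05:30:03 192.168.1.50 192.168.1.1 udp 53
2025-04-16T05:30:04 203.0.113.10 192.33.14.30 udp 53
2025-04-16T05:30:05 203.0.113.10 149.112.112.112 tcp 853
2025-04-16T05:30:06 203.0.113.10 198.51.100.7 tcp 443
"""


def parse_flows(text):
    """Parse the constructed 'ts src dst proto dport' lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
        })
    return flows


def audit_dns_egress(flows, wan_addr=WAN_ADDR, expected=EXPECTED_DOT_SERVERS):
    """Classify DNS flows sourced from the WAN address.

    plaintext      - port 53 flows; with DoT in force these should be absent,
                     so each one is worth explaining (fallback, a leftover
                     forwarder, or something on the box bypassing Unbound).
    unexpected_dot - port 853 flows to a server not on the expected list.
    ok_dot         - port 853 flows to the configured forwarders.
    LAN-sourced flows (clients talking to the firewall) are ignored here.
    """
    findings = {"plaintext": [], "unexpected_dot": [], "ok_dot": []}
    for flow in flows:
        if flow["src"] != wan_addr:
            continue
        if flow["dport"] == 53:
            findings["plaintext"].append(flow)
        elif flow["dport"] == 853:
            key = "ok_dot" if flow["dst"] in expected else "unexpected_dot"
            findings[key].append(flow)
    return findings


def plaintext_destinations(findings):
    """Count how often each destination was contacted on plain port 53."""
    return Counter(str(f["dst"]) for f in findings["plaintext"])


if __name__ == "__main__":
    result = audit_dns_egress(parse_flows(SAMPLE_FLOWS))
    for dst, n in plaintext_destinations(result).items():
        print(f"plaintext DNS from WAN to {dst}: {n} flow(s)")
    print(f"DoT flows to expected forwarders: {len(result['ok_dot'])}")
```

The point of separating the three buckets is that "I block 53 and resolution dies" has a different explanation for each: a non-empty `plaintext` bucket with an empty `ok_dot` bucket means the resolver is not actually using TLS forwarding, while `plaintext` entries alongside healthy `ok_dot` traffic point at something other than Unbound's forwarding path (for example a process that resolves on its own). Real flow data would come from the firewall's own logs rather than the constructed lines here.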
#6
I've tested bufferbloat here: https://www.waveform.com/tools/bufferbloat with an A+ result and here https://speed.cloudflare.com/ with result: great (top result). But when I'm downloading at full speed and pinging some domains in my country I get ping over 750+ ms (it's variable up to this value). I don't understand why this is happening. I'm currently using the fq_codel setup from the OPNsense docs: https://docs.opnsense.org/manual/how-tos/shaper_bufferbloat.html

Why do these tests lie?
#7
The Services widget on the dashboard indicates that CrowdSec is not running. But when I go into Services: CrowdSec: Overview it tells me that CrowdSec and the firewall bouncer are running. So which one is bugged?

EDIT: Post can be deleted. I just misunderstood some blocklists from GitHub. I used them as an alias for firewall rules. They were DNS blocklists. Removed them from the alias and moved them to custom blocklists for Unbound. Now everything works fine. Sorry. I'm a newbie.
#8
The Traffic graph widget on version 25.1.3 is not working for me. But the graphs in Reporting >> Traffic are working.

If logs or more info are needed, just tell me what, and how to check this.
#9
25.1, 25.4 Series / FQ_Codel vs FQ_Pie
March 09, 2025, 03:00:09 AM
It's not a HOW TO but an informational topic. I get much better results with my hybrid fiber-coaxial (DOCSIS 3.0) modem when I'm using flow queue PIE than flow queue CoDel. With fq_codel I need to waste 20% of my bandwidth for good bufferbloat results. With fq_pie I waste 3% for SQM and have better results than with fq_codel. Can anyone tell me what results they achieve with fq_pie? I'm using "Enable PIE" (the Linux man pages say that fq_pie uses PIE by default, but I have different results with that option enabled) and "CoDel ECN" on download only (the ECN setting works for fq_pie when fq_pie is used). I increased FQ-CoDel flows to 4096 (it works as fq_pie flows when fq_pie is used), but I must WARN you: increasing flows requires a reboot (flows are allocated in RAM during boot time), and if you increase them too much you can brick your router because it consumes some RAM. I'm using 4096 now with 8 GB of RAM on the router. Tune your target and interval as described here: https://docs.opnsense.org/manual/how-tos/shaper_bufferbloat.html PIE uses many CoDel parameters but has different defaults. But I don't know whether it's implemented in OPNsense to control these parameters for fq_pie. I just tuned it as CoDel and have much better results than with fq_codel. fq_pie is implemented as the default queue mechanism in the DOCSIS 3.1 standard. DOCSIS 3.1 is described as low latency DOCSIS.

You can try it and share your results.

EDIT: I must say that my results may be different each time I test bufferbloat. I have a low quality ISP with no guaranteed speed. My max bandwidth fluctuates. On weekends I always have worse results than during the week.
#10
I cannot access Facebook (facebook.com) even with the default 25.1.2 OPNsense firewall. When I switched to a MikroTik router the page started working immediately. Something is blocking Facebook. It's not even working with SYN cookies disabled. This is the error from the debug console in Firefox (Ctrl+Shift+I):
ErrorUtils caught an error:

GraphQL server responded with error 1675030: Błąd podczas wykonywania zapytania
 [Caught in: caught error in module a [from CometSSRMultipassBoundary.react] (base)]

Subsequent non-fatal errors won't be logged; see https://fburl.com/debugjs.

It doesn't matter what settings I use in my Firefox ESR and no matter what adblock or security addon I'm using in Firefox. It doesn't even work on Windows 11 with the Edge browser or on any other Linux distro in my local network. Tried browsers: Chromium, Firefox, Firefox ESR, Falkon, Edge, Brave, Opera. Facebook with OPNsense is not working. I get only a white page with: "Sorry, an error occured."

It worked until I cleared all cookies and data from the browsers. Old cookies allowed me to access facebook.com.
#11
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.1.1 (amd64) at Thu Feb 13 20:04:31 CET 2025
vulnxml file up-to-date
cpu-microcode-intel-20241112 is vulnerable:
  Intel CPUs -- multiple vulnerabilities
  CVE: CVE-2024-37020
  CVE: CVE-2024-39355
  CVE: CVE-2023-43758
  CVE: CVE-2024-36293
  CVE: CVE-2024-31068
  WWW: https://vuxml.freebsd.org/freebsd/d598266d-7772-4a31-9594-83b76b1fb837.html

1 problem(s) in 1 installed package(s) found.
***DONE***

I'm running OPNsense on an HP EliteDesk 800 G2 SFF (Intel i5-6500). BIOS updates are no longer supported. The product is outdated. What can I do about these vulnerabilities?
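The audit block above is plain text, which makes it awkward to track across updates. As an added example for this page (not code from the thread, from OPNsense, or from FreeBSD's pkg tool), the script below parses that report layout into structured records: the vulnerable package with its name and version split apart, the advisory title, the CVE list and the VuXML URL, plus the trailing "N problem(s) in M installed package(s)" summary, which it cross-checks against what was parsed. The sample input is the report from the post, embedded verbatim; the layout rules (indented detail lines under a "<pkg> is vulnerable:" header) are inferred from that sample.

```python
"""Parse the pkg audit report printed under "GOT REQUEST TO AUDIT SECURITY"
into structured findings.

Added example, not code from the thread, OPNsense or FreeBSD pkg. Layout
assumed from the post: "<pkg> is vulnerable:" then indented title, "CVE: ..."
and "WWW: ..." lines, and a "N problem(s) in M installed package(s) found."
summary line.
"""
import re

# The report from the post, embedded verbatim as sample input.
SAMPLE_REPORT = """\
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.1.1 (amd64) at Thu Feb 13 20:04:31 CET 2025
vulnxml file up-to-date
cpu-microcode-intel-20241112 is vulnerable:
  Intel CPUs -- multiple vulnerabilities
  CVE: CVE-2024-37020
  CVE: CVE-2024-39355
  CVE: CVE-2023-43758
  CVE: CVE-2024-36293
  CVE: CVE-2024-31068
  WWW: https://vuxml.freebsd.org/freebsd/d598266d-7772-4a31-9594-83b76b1fb837.html

1 problem(s) in 1 installed package(s) found.
***DONE***
"""

VULN_RE = re.compile(r"^(\S+) is vulnerable:$")
SUMMARY_RE = re.compile(
    r"^(\d+) problem\(s\) in (\d+) installed package\(s\) found\.$"
)


def parse_audit(text):
    """Return (findings, summary).

    Each finding has package, name, version, title, cves and www. A
    non-indented line ends the current finding; the summary line is parsed
    separately.
    """
    findings, current, summary = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = VULN_RE.match(line)
        if m:
            pkg = m.group(1)
            name, _, version = pkg.rpartition("-")  # pkg names end in -<version>
            current = {"package": pkg, "name": name, "version": version,
                       "title": None, "cves": [], "www": None}
            findings.append(current)
            continue
        if current is not None and line.startswith("  "):
            body = line.strip()
            if body.startswith("CVE: "):
                current["cves"].append(body[len("CVE: "):])
            elif body.startswith("WWW: "):
                current["www"] = body[len("WWW: "):]
            elif current["title"] is None:
                current["title"] = body
            continue
        current = None
        m = SUMMARY_RE.match(line)
        if m:
            summary = {"problems": int(m.group(1)), "packages": int(m.group(2))}
    return findings, summary


def summary_matches(findings, summary):
    """True when the report's own package count agrees with the parsed findings."""
    if summary is None:
        return False
    return summary["packages"] == len({f["package"] for f in findings})


if __name__ == "__main__":
    findings, summary = parse_audit(SAMPLE_REPORT)
    for f in findings:
        print(f"{f['name']} {f['version']}: {len(f['cves'])} CVE(s) -> {f['www']}")
    print("summary consistent with findings:", summary_matches(findings, summary))
```

With the records in this shape, a run after each update can be diffed against the previous one, so it is obvious when a newer `cpu-microcode-intel` package clears the listed CVEs or when new entries appear; the VuXML URL in each finding is the place to read what the advisory actually covers.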
#12
The Zenarmor packet engine is stopping itself. No error messages, it just stops working. When I enable it, it stops after a short time. It's only the packet engine.

EDIT: Now I made a fresh install of Zenarmor on 25.1.1 and it is working.
#13
2025-02-12T20:33:40 Error suricata [101313] <Error> -- opening devname netmap:igb0-0/R@conf:host-rings=4 failed: Cannot allocate memory
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'http.dottedquadhost' is checked but not set. Checked in 2021076 and 0 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017761 and 0 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'ET.DMTP_Protocol' is checked but not set. Checked in 2858384 and 0 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023672 and 1 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'exe.no.referer' is checked but not set. Checked in 2020500 and 0 other sigs
2025-02-12T20:30:08 Error suricata [110140] <Error> -- opening devname netmap:igb0-0/R@conf:host-rings=4 failed: Cannot allocate memory
2025-02-12T20:29:08 Warning suricata [100920] <Warning> -- flowbit 'http.dottedquadhost' is checked but not set. Checked in 2021076 and 0 other sigs
2025-02-12T20:29:08 Warning suricata [100920] <Warning> -- flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017761 and 0 other sigs
2025-02-12T20:29:08 Warning suricata [100920] <Warning> -- flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
2025-02-12T20:29:08 Warning suricata [100920] <Warning> -- flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
2025-02-12T20:29:08 Warning suricata [100920] <Warning> -- flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
2025-02-12T20:29:08 Warning suricata [100920] <Warning> -- flowbit 'ET.DMTP_Protocol' is checked but not set. Checked in 2858384 and 0 other sigs
2025-02-12T20:29:08 Warning suricata [100920] <Warning> -- flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023672 and 1 other sigs
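Two kinds of message are mixed in the log above: the repeated `opening devname netmap:... failed: Cannot allocate memory` errors, which mean the IDS could not attach to the interface at all, and the many `flowbit ... is checked but not set` warnings, which only say that a loaded rule references a flowbit no other loaded rule sets. The script below is an added example for this page (not code from the thread, Suricata or OPNsense) that separates the two, grouping lines by Suricata PID so each start attempt is summarised on its own. It assumes the line layout visible in the post and uses a constructed subset of those lines as input.

```python
"""Summarise Suricata startup log lines: hard errors versus flowbit noise.

Added example, not code from the thread, Suricata or OPNsense. Assumes the
line layout seen in the post:
  "<ISO timestamp> <level> suricata [<pid>] <Level> -- <message>"
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+suricata\s+\[(?P<pid>\d+)\]\s+<\w+>\s+--\s+(?P<msg>.*)$"
)
NETMAP_RE = re.compile(r"opening devname (?P<dev>netmap:\S+) failed: (?P<why>.*)$")
FLOWBIT_RE = re.compile(r"flowbit '(?P<bit>[^']+)' is checked but not set")

# Constructed subset of the lines from the post (same format, fewer lines).
SAMPLE_LOG = """\
2025-02-12T20:33:40 Error suricata [101313] <Error> -- opening devname netmap:igb0-0/R@conf:host-rings=4 failed: Cannot allocate memory
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'http.dottedquadhost' is checked but not set. Checked in 2021076 and 0 other sigs
2025-02-12T20:32:39 Warning suricata [100499] <Warning> -- flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017761 and 0 other sigs
2025-02-12T20:30:08 Error suricata [110140] <Error> -- opening devname netmap:igb0-0/R@conf:host-rings=4 failed: Cannot allocate memory
2025-02-12T20:29:08 Warning suricata [100920] <Warning> -- flowbit 'http.dottedquadhost' is checked but not set. Checked in 2021076 and 0 other sigs
2025-02-12T20:29:08 Warning suricata [100920] <Warning> -- flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017761 and 0 other sigs
"""


def parse_log(text):
    """Parse lines matching LINE_RE into dicts; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["pid"] = int(entry["pid"])
            entries.append(entry)
    return entries


def summarise(entries):
    """Group entries by PID (one Suricata process each) and classify messages."""
    runs = defaultdict(lambda: {"netmap_errors": [], "flowbits": [], "other": 0})
    for entry in entries:
        run = runs[entry["pid"]]
        m = NETMAP_RE.search(entry["msg"])
        if m:
            run["netmap_errors"].append((m.group("dev"), m.group("why")))
            continue
        m = FLOWBIT_RE.search(entry["msg"])
        if m:
            run["flowbits"].append(m.group("bit"))
            continue
        run["other"] += 1
    return dict(runs)


def failed_starts(summary):
    """PIDs whose run failed to open its netmap device, i.e. the IDS never came up."""
    return sorted(pid for pid, run in summary.items() if run["netmap_errors"])


def distinct_unset_flowbits(summary):
    """Flowbit names reported as checked-but-unset across all runs."""
    return sorted({bit for run in summary.values() for bit in run["flowbits"]})


if __name__ == "__main__":
    s = summarise(parse_log(SAMPLE_LOG))
    for pid in failed_starts(s):
        dev, why = s[pid]["netmap_errors"][0]
        print(f"pid {pid}: failed to open {dev}: {why}")
    bits = distinct_unset_flowbits(s)
    print(f"{len(bits)} distinct unset flowbits (rule-set warnings, not start failures)")
```

On the constructed input this reports two failed start attempts (PIDs 101313 and 110140), both on the same netmap device with the same reason, and two distinct flowbit warnings. Separating the two is what makes the recurring allocation failure stand out from the hundreds of identical warnings that the rule set produces on every start.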
#14
Like in topic.
#15
After the update to 25.1, intrusion detection no longer works. In case logs are needed, just tell me how to provide logs because I'm a newbie.
#16
25.1, 25.4 Series / Zenarmor no longer works...
January 29, 2025, 03:55:45 PM
After the update to the 25.1 production series the Zenarmor packet engine stops working. I tried to reinstall it but:
***GOT REQUEST TO INSTALL***
Currently running OPNsense 25.1 (amd64) at Wed Jan 29 15:51:42 CET 2025
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
pkg: os-sensei has a missing dependency: os-sensei-updater
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***

Currently I am without Zenarmor.
#17
My OPNsense router (OPNsense 24.7.11_2-amd64) at least once per day switches all connections from 1 Gbit to 100 Mbit. I don't know why it happens, but rebooting the router always solves this issue for some time. I am a newbie, so I don't know what else I need to provide to solve the issue. Just ask me and I'll do what I can. Thank you for your help in advance. I must also say that my English is not perfect. My network card is an i350-T2 connected to some cheap TP-Link 8-port non-manageable switch (gigabit).

EDIT: I think it's software related, because when I set the interface speed to something other than autoselect and then back to autoselect, there is no need to restart the router.
#18
24.7, 24.10 Legacy Series / Ipv6 firewall/nat possible?
September 17, 2024, 11:35:53 PM
Does the firewalling with IPv6 work only on end clients? Is there a way to make NAT/firewall for a dual stack IPv4/IPv6 network? I'm not a network specialist. Simple explanation please.
#19
I can no longer access the WebUI. Can't do this over HTTP or HTTPS. 192.168.1.1 responds to ping and the router is accessible over SSH. The internet connection through the router works fine. What can I do to access the WebUI?
Tried different browsers with no success.

EDIT: I get the same situation after a fresh install. I still have access over SSH but don't know what I can do to restore the user interface. Just updated OPNsense to 24.1.8, installed os-realtek-re and disabled user interface access over WAN (it was done properly, the same as SSH, but I have access over SSH). Nobody can help me?

EDIT2: Solved the unwanted WAN access now by setting a custom port for the WebUI and blocking this port in the firewall on the WAN side. This is just a workaround for this bug. Now access from WAN is blocked and LAN access is working.
#20
24.1, 24.4 Legacy Series / Realtek NIC tunables.
May 23, 2024, 11:43:40 PM
Are there some new tunables for the os-realtek-re drivers? I'm currently using the default installation with the BSD re driver. How can I list the possible NIC tunables? I tried:
sysctl dev.re
And there were few of them. Nothing useful. Does installing the os-realtek-re drivers change something?