
Topics - jata

#1
I'm trying to get netflow / insight reporting working and having an issue with data in the opnsense gui when viewing interface totals / bandwidth.

For testing I stream a UHD film and I can see the correct/expected data in reporting / health (I think this data is not from netflow). It shows a data rate of around 20Mb/s and this is what I expect from this UHD stream.

I then use reporting / insight for interface totals and it looks OK for a while, then drops to zero while the film is still playing normally and reporting / health also looks normal.

I'm not sure if I am stupid or if this is a problem with my setup or a bug.

See screenshots attached.

How can I investigate further?

#2
I have netflow enabled and outputting to influx via telegraf. Seems to be working fine but...

I don't really capture the data I expected so I probably misunderstand and I was hoping to get some help here.

What I want to visualise is internet usage (data rate) for a single client - for testing I am using MB/hr.

To achieve this I am using bytes_in where dest = ip and bytes_out where source = ip (sum grouped by hour)

but I am only getting a fraction of the data rate I expect.

Has anyone set this up and can explain what I am doing wrong?

And I have tried many different combos of bytes_in / bytes_out and dest / source, etc.


#3
Hi all,

Just by coincidence I noticed that my prod (baremetal) opnsense 25.7.1 install does not have bind920 (BIND DNS suite with updated DNSSEC and DNS64), while my testing opnsense setup (VM) has the package installed, and the test system is a very basic vanilla install without any plugins.

Thoughts?

#4
I am a network / opnsense newbie and I am learning by using an isolated opnsense firewall/network using a VM environment.

I have this all working nicely - see architecture attached - don't laugh too much

I can easily access the home network from the test network (and I expected this as it is 'upstream').

What would I need to do to be able to access devices in test network from home?

Is a VPN the only way?

#5
Using opnsense 25.7 with dnsmasq/unbound.

I have noticed that my wife's work laptop is spamming the dnsmasq log with a warning every 5 seconds.

I see this is related to the work laptop having a fqdn that is different to my home network. But why is this happening every 5 seconds?

Any way to turn off this type of log?

Warning    dnsmasq-dhcp    Ignoring domain au.xxxxx.net for DHCP host name xxxx

#6
Hello all - first of all thanks for all the work for the 25.7 release.

I upgraded from 25.1.12 today and everything went well.

After upgrading to 25.7 I migrated from ISC to dnsmasq following the guide and the DHCPv4 with DNS registration example, but I have the adguard home plugin on opnsense and I think this is where my issue is. My configuration is:

Adguard on port 53
Unbound on port 5335
dnsmasq on port 53053

My main network (VLAN01 192.168.1.1/24) is working fine with adguard - unbound - dnsmasq

My guest network (VLAN20 192.168.20.1/24) I get a dhcp lease/ip correctly but web pages will not load. I think I need to change a setting/option so that the dhcp lease uses dns server / adguard on my main network.

I have tried adding dhcp options in the dnsmasq setting but I can't get it to work.

Any suggestions to try greatly appreciated

#7
Hi all,

I recently read this opnsense guide https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

And have realised that my setup is not 100% aligned/correct as I am mixing untagged (lan) and tagged (vlan) traffic

My setup is simple for a home network. I am really happy with opnsense and how everything is working. Current setup on a dedicated 4 port minipc:

wan - port0 (dhcp)
lan - port1 (static with dhcp via ISC)
vlan2 - lan as parent (static with dhcp via ISC)
vlan3 - lan as parent (static with dhcp via ISC)


I do not have a lagg and I'm not sure I need one - I see it is optional in the guide linked above.

So what I was hoping to do is the following but transitioning is tricky as I think I will lose connectivity as soon as I disable the lan interface.


1. create a new vlan for my main network (to replace the lan) but I know that I can't give this vlan the same ip as lan yet!
2. remove lan interface so that port1 is unassigned
3. link vlan1 to port1 and set ip and dhcp config to the same as lan (now removed)
4. link vlan2 and vlan3 to unassigned port1

This can't be done using the gui but maybe using the console?

Any assistance appreciated!

Given that everything seems to be fine currently and I rarely use my vlans - is it worth doing this at all?


#8
I use the following online resource for icons for my home server 'home page' but it still has the old opnsense branding.

https://github.com/homarr-labs/dashboard-icons

Is it easy for me to get the new icons so they can update the project?

#9
Hi all

This was all working but not any longer and I haven't made any changes to my config. I am using duckdns, Let's Encrypt and DNS-01 challenge

I can successfully renew the cert if I remove the alt name (so mydomain.duckdns.org renews fine).

If I add back the alt name (opnsense.mydomain.duckdns.org) then the renewal fails.

Has something changed with letsencrypt and support for alt names?

Any assistance or advice appreciated.

#10
I know this is probably a basic concept but I am a noob - so apologies and I hope someone can help me.

I understand that rules are applied in sequence from top to bottom and I wanted to check I am on the right track.

I want to block access to port 2375 apart from my 2 docker hosts on the LAN interface.

Is this close? Thanks in advance.


rule1: allow port 2375 for alias containing my two docker hosts
rule2: reject port 2375 for LAN net
rule3: default allow LAN net


#11
I have a simple opnsense setup for my home network. I use the adguard plugin together with unbound on port 5335

Everything is working fine for dns resolution for all of my lan hosts.

I have one host that I need to resolve for any subdomain on this host as follows:

host.lan -- 192.168.1.10 (working)
test.host.lan  -- 192.168.1.10 (DOES NOT WORK)

Is there a way to allow / config so that anything.host.lan resolves to the same ip as host.lan?


#12
24.7, 24.10 Legacy Series / KEA vs ISC dhcp
August 29, 2024, 12:44:34 AM
I am on latest 24.7 and have tried switching to KEA dhcp (I only use ipv4 on my system) but have found that a number of clients do not resolve to their hostname using KEA so I went back to ISC.

Is this a known limitation for KEA dhcp at the moment?

I also remember reading a release note for opnsense 24.7 relating to ISC dhcp and static dhcp reservations - something about having to restart a service after changing/adding reservations. At the moment I need to restart opnsense for these new reservations to apply but there must be a way to do this without having to restart?

#13
Hello,

This is my first post/question and I am new to opnsense so please go easy :-)

Very happy with opnsense by the way!

I have just rebuilt my home network using opnsense on a mini-pc. All working well (so far) and I have more or less set up my network in the same way as my previous setup using an Asus router.

For a few key services such as home assistant (that I need to work both in the lan and over the wan when away from home), I use swag + reverse proxy in a docker with a wildcard ssl cert linked to my duckdns DDNS domain. It all works fine but I need to open and port forward 443 to my server that is hosting these services.

I wanted to get some advice on whether this setup is a good idea (security v. ease of use) or if there are other more secure configurations that I should look into now that I have opnsense.

Thanks!