Topics - ThuTex

#1
Versions:
OPNsense 25.1.7-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16

Setup:
2 WAN connections, 1 physical connection to switch, several VLANs, crowdsec & ips (from the "regular" intrusion detection) active on both WAN interfaces, maltrail active on all VLANs, and network configured as router-on-a-stick.

Issue:

I am running IP cams on VLAN 1006, which are being streamed to my NAS on VLAN 1002.

The traffic graph correctly shows the traffic of both interfaces, BUT:

It is also showing that exact same traffic going over the default, untagged VLAN ("lan_default"), where there is no real traffic.
The "top hosts" dots also correctly show that there's pretty much no traffic on that default VLAN, but the graphs themselves do not (see attached screenshot, showing only that default LAN).

This same inconsistency also shows on insights, and is not fixed by a reboot, a reset of netflow/rrd data, or a repair of netflow data.

I've been using OPNsense for years, and admittedly I changed too much at once (updating to 25.1.7, rebuilding FW rules back mostly to interface instead of floating because of the number of rules, ....), but I have never had an issue like this (that wasn't fixed by resetting the graphs or just rebooting the machine).

So, does anyone have any idea where to go look for this issue?

#2
So, while I had no issues on a 21.7.5 machine, I just set up a new OPNsense,
so a completely NEW setup, no tinkering, no importing, no whatever.

While configuring haproxy I keep running into the issue that it says "There are pending configuration changes that must be applied in order for them to take effect. To review them visit the Config Diff page."
And when I hit apply.... it does not apply.
And so, no way to start haproxy.

When I move haproxy.conf.staging to haproxy.conf manually and start haproxy manually, there is no issue and the GUI happily says there are no config changes.
I then change something in the GUI again aaaaaand.... broken again.

Is this a known issue for 21.7.7?
Is someone else experiencing this?

We have OPNsense support if needed, so I could always contact their paid support, but before bothering them like that,
I wanted to verify in the community if anyone else is seeing this.

#3
A few (questions/suggestions/remarks) regarding the firewall and the log functionality:

1) Is it possible to ignore an interface in the live log without disabling logging on it completely?
=> I have several rules applied to multiple interfaces through the floating ruleset, and there are a few VLANs that I don't need in my live log, but where I don't want to make new rules just for those interfaces, so as not to overcomplicate rule management.

2) In that same live log, would it be possible to add an icon for the direction, so we could see if it is coming into or going out of the interface without clicking on the info button?
=> I opened up issue #2804 for this and have 'proof of concept' code there.
EDIT: thanks to AdSchellevis this is now already available in master, thanks!

3) Another item I miss in the live log is the ability to let it resolve hostnames immediately; again I have to use the info button to resolve hostnames... yet I thought that this was an existing option somewhere (long ago) in the past?
(There is issue #2287 for this, but I remember it being possible when we still had the 'normal' log, before the live log, or am I mistaken?)

#4
16.7 Legacy Series / npt issue
December 18, 2016, 03:06:03 PM
Setup:
router => opnsense wan/lan => lan

Config:

router has a /56
opnsense WAN port has an IPv6 address
opnsense LAN port has fd00:1::1 as address
LAN host has fd00:1::200 as address
NPT is set to wan - aaaa:bbbb:cccc:dddd::/56 - fd00:1::/56

What goes right:
ping OUT from my LAN PC to an internet host:
PC -> opnsense LAN port: OK (internal LAN IP -> IPv6 host)
opnsense WAN port: OK (translated LAN IP -> IPv6 host)
The ping arrives perfectly on the internet host.

Ping reply comes back:
opnsense WAN port gets a request from the router's link-local to see who has the translated LAN IP.

Expected: opnsense translates that IP back to its local IP, responds to the request and routes the traffic.
Reality: nothing happens... opnsense does not reply that it knows the address.

What am I doing wrong, or what am I forgetting here?
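As an added example (not code from the post, from OPNsense or from pf), here is the RFC 6296 NPTv6 checksum-neutral mapping worked through with the prefixes from this post, so you can see which WAN-side address the LAN host fd00:1::200 is expected to appear as, and therefore which address the router's neighbour solicitation is asking for. The external prefix aaaa:bbbb:cccc:dddd::/56 is the post's placeholder and has bits set past the /56 boundary, so the script clips it the way a translator would; the choice of the word that absorbs the checksum adjustment (subnet field for /48 and shorter, first interface-identifier word that is not 0xFFFF for longer prefixes) follows RFC 6296, and a 0xFFFF result is stored as 0x0000 since both are zero in one's complement arithmetic.

```python
import ipaddress

# Constructed from the post above. The post's external prefix "aaaa:bbbb:cccc:dddd::/56"
# has bits set past the /56 boundary; strict=False clips it to aaaa:bbbb:cccc:dd00::/56,
# which is the prefix a translator actually works with.
INTERNAL = ipaddress.IPv6Network("fd00:1::/56")
EXTERNAL = ipaddress.IPv6Network("aaaa:bbbb:cccc:dddd::/56", strict=False)


def _words(addr):
    """Split a 128-bit address into its eight 16-bit words (word 0 is the leftmost)."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def ones_complement_sum(words):
    """16-bit one's complement sum, the arithmetic used by TCP/UDP/ICMPv6 checksums."""
    total = 0
    for w in words:
        total += w
        while total >> 16:  # fold carries back into the low 16 bits
            total = (total & 0xFFFF) + (total >> 16)
    return total


def _prefix_sum(net):
    # network_address has its host bits cleared, so this sums only the prefix bits
    return ones_complement_sum(_words(net.network_address))


def translate(addr, from_net, to_net):
    """RFC 6296 mapping of addr (inside from_net) to its twin under to_net."""
    addr = ipaddress.IPv6Address(addr)
    if not isinstance(from_net, ipaddress.IPv6Network):
        from_net = ipaddress.IPv6Network(from_net, strict=False)
    if not isinstance(to_net, ipaddress.IPv6Network):
        to_net = ipaddress.IPv6Network(to_net, strict=False)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("NPTv6 maps prefixes of equal length only")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    plen = from_net.prefixlen

    # Step 1: swap the prefix bits, keep every bit after the prefix as it was.
    mask = ((1 << plen) - 1) << (128 - plen)
    swapped = (int(to_net.network_address) & mask) | (int(addr) & ~mask)
    words = _words(ipaddress.IPv6Address(swapped))

    # Step 2: adjustment = old-prefix-sum + NOT(new-prefix-sum). Adding it to one word
    # leaves the one's complement sum of the whole address unchanged, so TCP/UDP/ICMPv6
    # checksums that cover the address stay valid without the translator rewriting them.
    adjustment = ones_complement_sum([_prefix_sum(from_net), ~_prefix_sum(to_net) & 0xFFFF])

    # Step 3: pick the word that absorbs it. For /48 and shorter that is the subnet
    # field (word 3); for longer prefixes, the first IID word that is not 0xFFFF.
    if plen <= 48:
        idx = 3
    else:
        candidates = [i for i in range(4, 8) if words[i] != 0xFFFF]
        if not candidates:
            raise ValueError("no interface-identifier word can take the adjustment")
        idx = candidates[0]
    new_word = ones_complement_sum([words[idx], adjustment])
    words[idx] = 0 if new_word == 0xFFFF else new_word  # 0xFFFF is "negative zero"
    return _from_words(words)


def outbound(lan_addr):
    """Address a LAN host appears as on the WAN side (post's prefixes)."""
    return str(translate(lan_addr, INTERNAL, EXTERNAL))


def inbound(wan_addr):
    """Reverse mapping applied to replies arriving on the WAN (post's prefixes)."""
    return str(translate(wan_addr, EXTERNAL, INTERNAL))


def checksum_neutral(a, b):
    """True when the two addresses contribute the same value to a transport checksum."""
    sa = ones_complement_sum(_words(ipaddress.IPv6Address(a)))
    sb = ones_complement_sum(_words(ipaddress.IPv6Address(b)))
    return sa % 0xFFFF == sb % 0xFFFF


if __name__ == "__main__":
    lan_host = "fd00:1::200"
    wan_view = outbound(lan_host)
    print(f"{lan_host} leaves the WAN as {wan_view}")
    print(f"a reply to {wan_view} maps back to {inbound(wan_view)}")
    print("checksum neutral:", checksum_neutral(lan_host, wan_view))
```

Running it prints the WAN-side twin of fd00:1::200 and shows that the reverse mapping lands back on the LAN address. That translated address is what the router's neighbour solicitation is looking for, and it does not exist on any firewall interface: NPT only rewrites prefixes in passing packets. A solicitation for it on the WAN means the upstream router treats the /56 as on-link rather than routed to the firewall's WAN address, so either the prefix has to be routed to the firewall or something on the WAN side has to answer neighbour discovery for the translated range.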