Recent posts

[vlan]

#1

25.7, 25.10 Series / Re: Adding a VLAN takes 26 cli...

Last post by mtlynch - Today at 01:43:03 AM

Basically what people are asking for is a setup wizard. We'll be extending the existing wizard with a few use-case type presets in 26.1 but nothing that resembles a non-first-time setup yet.

Not sure if this is in response to the blog post or subsequent discussion, but I think one of the important pieces here is that OPNsense in a lot of places asks the user to manually enter data when OPNsense already knows the answer:

• On the create VLAN device page, OPNsense insists the user manually prefix the name with vlan
• On the DHCPv4 page, OPNsense makes the user type the IP range assignment instead of defaulting to the full range of the subnet

I also feel like there are low-lift opportunities to improve the default options, like when the user assigns a static IPv4 to a VLAN, the default is a /32, when it feels like /24 is likely a more common choice. I think on a lot of these "whatever the user chose last time" would be a pretty good default.

[*]

#2

25.7, 25.10 Series / Re: Transparent Filtering Brid...

Last post by Jose - November 21, 2025, 11:55:51 PM

Hello, I will post my rather clunky TFB setup and my own answer, in case someone is asking for a similar config on a Transparent Filtering Bridge with slightly different config from the How-To's, just for the non-networking guys like me, IPv6 is completely disabled in this example*.

This requires for 3 interfaces as expected, in my case two physical IF(passthrough) for the [TFB] and one virtual admin IF(vtnet0, virtio).

Scenario, you follow the How-To to setup an TFB, but added an 3rd interface to administer OPNsense, now Updates and/or Plugins downloads does not work because you've set the Transparent Filtering Bridge related interfaces to NONE as recommended in the How-To:

Set Interfaces [WAN] + [LAN] + [BRIDGE] to:
  IPv4 Configuration Type: NONE
  IPv6 Configuration Type: NONE*

However since we added a 3rd interface for admin, all we have to do is to set the Gateway for it under [System: Gateways: Configuration], my admin interface is called [ADM]:
You cannot view this attachment.

Now under [System: Settings: General] I've set the preferred DNS to use that Gateway (192.168.0.1):
You cannot view this attachment.

After reboot OPNsense is now able to update and install plugins again thru the admin interface while leaving its pure Transparent Filtering Bridge operation intact:
You cannot view this attachment.

However in my case this was a bit different as the OPNsense is a VM guest and the admin virtual interface(vtnet0) is connected to the host(Bhyve) on the public switch, so the admin interface internet-connection will be thru the hypervisor which in contrast loops back to the TFB access-point.

Regards

#3

25.7, 25.10 Series / Re: Monitoring gateway status ...

Last post by meyergru - November 21, 2025, 11:24:26 PM

I just did that and it works fine the way you described it - although the $.status probably is only the request status, not the status of a specific gateway in the response (you would have to select that).

Of course, you have to have an API key and secret, those must not be quoted in the Uptime Kuma input fields. You can use them verbatim as in the curl parameters. The key must be associated to a user that has the appropriate permissions, but if it did not, you would be getting an error with curl as well.

Since you do not get any qualified error at all: Can your Uptime Kuma instance access the HTTPS port of your OpnSense or is it blocked by a firewall rule? You can check by using a plain HTTPS request.

#4

25.7, 25.10 Series / Re: High CPU on Dashboard

Last post by JimmyLostOne - November 21, 2025, 11:01:29 PM

I'm seeing something similar since upgrading to 25.7.  Same CPU spikes on dashboard loads, same errors in the logs, but I also see some of the widgets failing to load.  I'm curious if this has to do with the number of widgets and types?  Seems like a bunch of connections being opened for each widget?

My specs:
J4125 Intel
32G DDR4
Msata 128G drive
6x I226v7

#5

25.7, 25.10 Series / Monitoring gateway status with...

Last post by julsssark - November 21, 2025, 10:36:10 PM

I am trying to monitor the status of my WAN gateway using Uptime Kuma and the OPNsense API. Despite my best efforts and google skills, I cannot get it to work and would appreciate any help. The monitor is showing red/down continually and there are no errors in the Uptime Kuma messages area. I am pretty sure it is an error in the way I am configuring Uptime Kuma. Here's what I have done:

1) Setup a new user, with access to the Gateways and generated the key/secret
2) Used CURL -k -u "<key>":"<secret>" https://myIP/api/routes/gateway/status from the Uptime Kuma console and I get the expected response
3) Configured Uptime Kuma as follows:

• Monitor type = HTTP(s)-Json Query and the URL is the same as in step #2
• Json Query expression and associated fields are set to $.status == ok
• Method is GET, body encoding is JSON and body/header fields are blank
• Authentication is set to basic auth and I put the key/secret into the username/password fields

I've tried various combinations of putting the authorization into the header/body, encoding the key/secret into base64, checking/unchecking the "ignore TLS/SSL errors". I'm probably just not using the right combination of things.

#6

General Discussion / Re: Rule confusion between sep...

Last post by meyergru - November 21, 2025, 09:29:45 PM

Usually, you will want an "in" rule like "allow any to any" for normal LANs and there is such a default rule for the first LAN.

However, this is generally too broad, because it allows access to any other (V)LAN when applied to all (V)LANs. The general recommendation is to use a "block any to RFC1918" rules before the "allow any to any" rule, with RFC1918 created as an alias for all RFC1918 ranges.

You can achieve the same effect if you deny access for specific destination interfaces.

Usually, you will have one or more (V)LANs that really have the permission to allow access to all other (V)LANs, like your main LAN or a Management VLAN. Only for those, you will not define a block rule.

#7

High availability / Re: HA setup is flapping betwe...

Last post by Tanker_UA - November 21, 2025, 09:25:06 PM

I just completely removed the backup firewall/router from my network, and all is working correctly. Until I get this resolved, I will not connect the backup unit to my network. It is amazing how little help I got from these forums! I wonder if I paid for a license (which I'm inclined to do so there are no excuses for lack of support), I would get the same treatment from the pricey support.

Thank you all,

Martin M. Mune
US Army Combat Veteran
Operation Iraqi Freedom
 
Volunteer Soldier
International Legion for the Defense of Ukraine

Слава Україні!
Героям Слава!

#8

General Discussion / Rule confusion between separat...

Last post by brigmaticlaw - November 21, 2025, 08:59:17 PM

Hi everyone! I was hoping you may be able to point me in the right direction on this small obstacle I've been hitting.I am not at all ruling out gross ignorance here so please accept my apologies in advance.

I am attempting to have two physically separate networks both going through my OPNsense box. One is my main home network with several VLANS (Lab,  Main, Guest, etc) all trunked to my main switch on a 10Gbe NIC, ix0. The second is plugged into a 4 port NIC on em2 (em1 is WAN) and is intended to be an internet access only mini-LAN for all work-owned devices to connect to. This hardware is nothing more than a 5 port unmanaged switch connected to an older Linksys router set to Bridge Mode with a static IP and its own SSID.

Other than the auto-generated rules, the only rule I have on the "Work" interface is to allow internet. At first I thought the segmentation was working but I have discovered that is not actually the case. I tried setting a rule on the Work interface to block all outbound traffic from Work net to all other interfaces in my trusted network. However, using my work laptop connected hardwire and WiFi, I am still able to access all of my resources running on my Lab VLAN on the trusted network.

I also tried setting a rule on the Lab interface to block all incoming traffic from Work net but that also didn't seem to work.

It doesn't seem to matter whether I'm using the IP of the service or the local FQDN I have set up through Nginx Reverse Proxy Manager.

I feel like one of these rules should work but, again, I could just be incredibly ignorant.

Any ideas of what I'm doing wrong? I appreciate any direction you may be able to provide.

#9

Zenarmor (Sensei) / Re: Provide firm date on multi...

Last post by PietPiraat - November 21, 2025, 08:00:28 PM

I have all 10Gb+ internally and ZA just did not work at all.

And this is exactly what I am all the time pointing out. The problem that is caused by not having multicore >

"InterVLAN" throughput is due to ZA bottle-necked.

Regards,
S.

Thank you for creating this thread and prevent me from stepping on this landmine. Putting multicore processing behind a business paywall that is out of reach for home users is ridiculous. It is not groundbreaking new technology.

#10

25.7, 25.10 Series / Re: High CPU on Dashboard

Last post by cyberfarer - November 21, 2025, 07:48:37 PM

It does exist and the permissions match similar file types.

Code Select Expand

srwxr-x---  1 root    wheel     0 Nov 20 15:53 php-fastcgi.socket-0
srwxr-x---  1 root    wheel     0 Nov 20 15:53 php-fastcgi.socket-1
srwxr-x---  1 root    wheel     0 Nov 20 15:53 php-fastcgi.socket-2
srwxr-x---  1 root    wheel     0 Nov 20 15:53 php-fastcgi.socket-3