Recent posts

#1
General Discussion / Re: Trouble with VLAN setup on...
Last post by pfry - Today at 03:43:53 AM
Nothing stands out as potentially problematic. You could try the VLANs to the bridge, and see if that's happier.
#2
General Discussion / Re: website update looks great...
Last post by petarl - Today at 02:37:50 AM
I managed to change it to dark mode in Firefox by using Midnight Lizard extension (it's supported in Chrome, too).
#3
German - Deutsch / Re: Opnsense DNS Warum funktio...
Last post by Gh0sti - Today at 02:03:33 AM
In the reservations in KEA you can specify the DNS servers for the client. If you enter, for example, the IP .200 and then .1, i.e. first lancache and then opnsense, it automatically puts the .1 first in the order even though you entered it the other way round.

If you enter, for example, .210, .111 and .110 as DNS servers, it keeps that order.

So the .1 (opnsense) is always placed first as soon as you include it in the DNS list. That must not be the case! My order has to be respected.

A FIX would be great...
#4
German - Deutsch / Re: VOIP mit SWN NEumünster, F...
Last post by Maurice - Today at 12:37:51 AM
For the Query Forwardings you have to enter the IP address of one of your provider's DNS servers, not the IP address of the SIP server. You can find the DNS servers e.g. under Interfaces / Overview / WAN / Details / Dynamic nameserver received.
The SIP port 5060 does not belong there either.

By default, OPNsense does not use the provider's DNS servers but its own recursive resolver. It is not a Fritzbox, after all.
#5
Documentation and Translation / Re: AdGuard Home setup guide
Last post by dmopn - Today at 12:32:57 AM
Quote from: yeraycito on September 22, 2022, 06:54:08 PM
Opnsense 22.7.4 Install:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings - General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services - DHCPv4 - [LAN]: DNS Servers all empty

5 - Opnsense - Services - Unbound DNS - General

      Tick: Enable Unbound ( Listen Port: 5353 )

      Tick: Enable DNSSEC Support

      Network Interfaces: All

6 - Opnsense - Services - Unbound - DNS over TLS

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the AdGuard setup

9 - AdGuard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353 ( 192.168.1.1:5353 ); delete those that exist

10 - AdGuard Home - DNS Configuration - Bootstrap DNS servers

      Add Opnsense ip:5353 ( 192.168.1.1:5353 ); delete those that exist

11 - AdGuard Home - DNS Configuration - Private reverse DNS servers:

      192.168.1.1:5353

Extra WireGuard: If we have created a WireGuard network in Opnsense, for example 10.0.0.1/24, we have to set the DNS 10.0.0.1 in the WireGuard clients. In WireGuard on Opnsense it is not necessary to configure anything.


This mostly worked for me for my main LAN (10.10.18.1), except under Services – DHCPv4 – [LAN1] I had to set the DNS server to 10.10.18.1 otherwise the clients don't get any DNS server address, but my clients on my secondary LAN (10.10.21.1) weren't working until I set the DNS server for LAN2 to 10.10.21.1 rather than 10.10.18.1. When I had Adguard running externally on 10.10.18.200 I was able to use that for both LANs but apparently OPNsense is a bit fussy about routing traffic across interfaces to itself.

This meant that I also had to create separate NAT-Port Forward "Force DNS traffic that is NOT addressed to my Adguard server" rules for LAN1 and LAN2, so I've got four rules in total, to cover port 53 and port 853 on both LANs.
#6
25.7, 25.10 Series / Re: Can't update 25.7
Last post by Jboy4 - Today at 12:26:10 AM
Not fully following. Was seeing if someone had a workaround because I had a fully functioning multi-VLAN setup with CrowdSec and Unbound as resolver. But after trying to update (because it refused to allow packages until doing so), I've not been able to do so.

Was just seeing if there is a workaround or a possible way to load directly to 25.7.7.

I've tried mounting the partition in live USB mode and I still run into issues eventually along the way.

I'm not sure whether the link is pointing to hardware issues or my lack of understanding. But man, I was loving this setup until I attempted the upgrade.

I can get things back up on 25.7 but packages still won't update, so it leaves me without things that I was hoping to fix...

Thanks.
#7
25.7, 25.10 Series / Re: Can't update 25.7
Last post by meyergru - Today at 12:08:51 AM
Look at this. It is also mentioned here: https://forum.opnsense.org/index.php?topic=42985.0, point 23.
#8
25.7, 25.10 Series / Can't update 25.7
Last post by Jboy4 - Today at 12:06:46 AM
Not able to install packages because updating 25.7 causes a frozen machine and forces me to reboot after waiting over 20 mins. I've tried multiple reformats back to 25.7, then updating, then loading my XML, but the update process fails each time. Some errors below after it attempts, then failure on reboot.

system: Error (1) launching the init system... ld-elf.so.1: Shared object "libxml2.so.16" not found, required by "php" Enter full pathname of shell or RETURN for /bin/sh:

#9
That is strange. If a TLS client does not send the hostname any more, how would name-based access in HAProxy work? It serves as the selector for the presented certificate in the first place. Of course, there is a fallback that you can create in HAProxy, but this would only be used for really ancient clients, IP-based access or a catch-all for unknown hostnames.

Is that something "new" for iOS 26? If so, it will surely break things.
#10
General Discussion / Re: Trouble with VLAN setup on...
Last post by User074357 - November 22, 2025, 10:53:20 PM
Quote from: pfry on November 21, 2025, 03:04:54 PM
Quote from: User074357 on November 21, 2025, 12:33:14 PM
I was under the impression the "Default allow LAN to any rule" would be enough to allow pinging devices in the DMZ from LAN.[...]

It should be, and blocked packets would be logged, assuming default block logging is enabled. Valid sessions would be visible regardless of logging.

How about "Interfaces: Devices: Bridge" and "Interfaces: Overview"?

Yeah, nothing seems to be getting blocked.

Here are the bridge settings and interface overview (had to remove some of the VPN interfaces due to their names containing private information).