"Recent posts
#1
General Discussion / Re: Crowdsec Observations
Last post by philippe_crowdsec - Today at 11:25:20 AM@dan786: Don't hesitate to discuss those points on our discourse.
The tables populated by CrowdSec are entirely dynamic. <TL/DR> It contains the IP your local machine blocks and a part of what the other in the network are blocking. The 1st step is really about checking your "stack health" in the SaaS console (or using the Claude Skill we published) to see that everything is properly configured.
The default 4h ban is meant to avoid a lengthy ban, since any IP caught locally will have its ban refreshed if needed, and if it is globally aggressive, it'll be added to a global blocklist (reputation vs. behavior).
CrowdSec now runs on hundreds of thousands of servers and we are confident the software is stable, behaving as intended, but this doesn't mean we can't have an OpenSense integration issue. So step 1: stack health or check the config with a Claude + the crowdsec skill. If it's cleared, please raise a bug and we'll investigate.
The tables populated by CrowdSec are entirely dynamic. <TL/DR> It contains the IP your local machine blocks and a part of what the other in the network are blocking. The 1st step is really about checking your "stack health" in the SaaS console (or using the Claude Skill we published) to see that everything is properly configured.
The default 4h ban is meant to avoid a lengthy ban, since any IP caught locally will have its ban refreshed if needed, and if it is globally aggressive, it'll be added to a global blocklist (reputation vs. behavior).
CrowdSec now runs on hundreds of thousands of servers and we are confident the software is stable, behaving as intended, but this doesn't mean we can't have an OpenSense integration issue. So step 1: stack health or check the config with a Claude + the crowdsec skill. If it's cleared, please raise a bug and we'll investigate.
#2
High availability / HA broken since update to 26.1...
Last post by StephB - Today at 11:16:39 AMI have a pair of OPNsense firewalls in simple HA setup, regulary upgraded since 23.x . I use the standard upgrade procedure : upgrade fw2 (the backup), Enter Persistent CARP Maintenance Mode on fw1 (the master), upgrade fw1, Leave Persistent CARP Maintenance Mode on fw1. I run a ping from LAN to internet to check that traffic is flowing during the upgrade process.
Upgrade from 25.7.x to 26.1.6 went OK as usual. During the upgrade from 26.1.6. to 26.1.9, the traffic stopped during the reboot of fw1. The status of CARP was showing OK : fw1 as CARP backup and fw2 as CARP master.
With the 2 firewalls on 26.1.9, fw1 as master and fw2 as backup, I disconnected WAN interface on fw1 : CARP failover succeeded as showed in the dashboard but no traffic to internet. Ping to the LAN VIP and WAN VIP was OK.
Any hints to resolve this issue ?
Upgrade from 25.7.x to 26.1.6 went OK as usual. During the upgrade from 26.1.6. to 26.1.9, the traffic stopped during the reboot of fw1. The status of CARP was showing OK : fw1 as CARP backup and fw2 as CARP master.
With the 2 firewalls on 26.1.9, fw1 as master and fw2 as backup, I disconnected WAN interface on fw1 : CARP failover succeeded as showed in the dashboard but no traffic to internet. Ping to the LAN VIP and WAN VIP was OK.
Any hints to resolve this issue ?
#3
General Discussion / Re: newbie trying to set up ne...
Last post by OPNenthu - Today at 05:02:59 AMQuote from: lumilumi on June 04, 2026, 09:13:44 AMI thought that wireless access points were by default a bit unsecure - do you have a reccommendation for one less than $100?
Looks like you're already sorted for hardware but in case you have to go shopping, keep the U7 Lite on your list. Unlike its bigger WiFi-7 siblings it lacks 6GHz and only has 2x2 antennas, but depending on the size of your home it may suit you fine. Mine has surprisingly good coverage and only uses ~6W PoE budget with conservative settings (I don't go crazy with high gain and ultrawide/DFS channels).
They don't bundle a power supply, though. You need either a PoE switch or an injector.
Supposedly you can set it up easily from your phone with just the app making it basically plug & play. I haven't tried that method.
#4
General Discussion / Re: losing internet connection...
Last post by BrandyWine - Today at 04:52:12 AM4 miles on limited power of wifi, on flat ribbon antenna?
A well tuned yagi probably will struggle. Do those wifi devices provide dBm info (Tx and Rx), I am curious what level the signal is at.
But using that diagram, my guess, an ARP issue is presenting itself. When the problem happens does the ARP tables look ok?
Is that bridge doing actual bridging or proxy-ARP'ing ?
A well tuned yagi probably will struggle. Do those wifi devices provide dBm info (Tx and Rx), I am curious what level the signal is at.
But using that diagram, my guess, an ARP issue is presenting itself. When the problem happens does the ARP tables look ok?
Is that bridge doing actual bridging or proxy-ARP'ing ?
#5
General Discussion / Re: Allow IGMP queries on WAN ...
Last post by OPNenthu - Today at 04:51:35 AMJust checked my settings and apparently I still have it enabled on my network :) In any case, the WAN doesn't participate in IGMP and unless something stops working (hasn't yet) that's how it'll stay.
#6
General Discussion / Re: newbie trying to set up ne...
Last post by BrandyWine - Today at 04:29:56 AMAn interface is an interface. If the device has a builtin wifi device, then it can be used as an interface. Wifi can be AP, ad-hoc, bridge.
So what's the question?
So what's the question?
#7
General Discussion / Re: Hello all! And thank you ...
Last post by BrandyWine - Today at 04:21:17 AMQuote from: sopex on June 09, 2026, 05:28:05 PMDoes the firewall itself have internet access?......... and, ....... at least read all the official OPNsense documentation, as there's plenty to read.
Also, since you are a beginner I would first try opnsense on the actual hardware, except if you already have proxmox experience.
#8
Hardware and Performance / Re: Sanity check for N100 / i2...
Last post by pfry - Today at 02:03:29 AMI didn't have PCI-e clock on my bingo card. I probably should have, as I have an AMD B650 system where its e810 card will not run at 16Gt/s (v4) in a CPU slot, but will in the chipset slot (the two available slots are both x4). So I habitually look at pciconf when I put together FreeBSD/OPNsense systems.
#9
General Discussion / Re: Hello all! And thank you ...
Last post by nero355 - Today at 01:10:54 AMQuote from: donkeydiq on June 09, 2026, 05:06:37 PMI am completely lost.It seems your ENTER key got lost too :P
Anyways...
Read this : https://forum.opnsense.org/index.php?topic=44159.0
If you are going to continue with the Proxmox VM setup for OPNsense :)
The best thing you can do is read both the Proxmox and OPNsense Documentation and try to learn how everything works together.
There is no other way IMHO because when stuff stops working it's YOU who needs to know how to fix it!
#10
General Discussion / Re: newbie trying to set up ne...
Last post by nero355 - Today at 01:05:44 AMQuote from: RobertoZ on June 09, 2026, 07:37:11 PMConfigure it to get an automatic IP from upstream DHCP server (OPNsense)I always do two things :
- Give important devices their own Static IP Address configuration.
- Only configure a Static DHCP Mapping based on the MAC Address as the backup option for that configuration in case something breaks in the OS because of some update or whatever...
I would never use just one of the above on my network(s) :)
