"Recent posts
#1
26.1, 26,4 Series / Re: picky DHCP on WAN
Last post by TheSHAD0W - Today at 03:16:42 AMThe dhclient.leases.igb2 looks as expected. I was looking at packets through tcpdump and did not see any request packets at all at the 1800 second mark, none until it was nearly expired.
#2
26.1, 26,4 Series / Re: WAN Interface speed duplex...
Last post by pfry - Today at 02:27:20 AMQuote from: drosophila on Today at 12:50:46 AMThat makes sense: the surge protection adds varistors or / and discharge tubes / or / and "high voltage zeners" towards ground or / and across pairs.[...]
The latter two: diodes for response and gas tubes if you want the diodes to survive. Tubes alone wouldn't help much. I've never seen a MOV implementation for Ethernet - I wouldn't expect much from one.
#3
General Discussion / Re: Connecting to DHCP managed...
Last post by drosophila - Today at 01:32:53 AMThat sounds a little like MAC spoofing doesn't work properly on the default Realtek drivers - sending may work but the NIC might just drop received packets as "not my MAC". The vendor driver may do it correctly. Why this works without spoofing now suggests the reports are correct but why it would not do anything with the default driver is odd in that case. Maybe some leftover from the previous config. Backing up the working config will safeguard you from any config missteps you might do. Also, you could attempt to use a fresh -nano on an USB stick to see if a clean OPNsense install would do anything differently to rule out configuration cruft.
#4
26.1, 26,4 Series / Re: WAN Interface speed duplex...
Last post by drosophila - Today at 12:50:46 AMQuote from: OPNenthu on Today at 12:32:12 AMin-line Ethernet surge protectionThat makes sense: the surge protection adds varistors or / and discharge tubes / or / and "high voltage zeners" towards ground or / and across pairs. This adds capacitance and possibly non-linear leakage currents, both of which degrade signal integrity. These ports probably aren't made with 2.5GBps in mind and depending on age may be lucky if they were meant for 1GBps. The internal routing may also not even meet Cat6 requirements.
(...)
The 2.5GbE port on the modem was problematic
Quote from: OPNenthu on Today at 12:32:12 AMMy current cable modem (an ISP-issued replacement, newer model) doesn't seem to care and the 2.5GbE port negotiates fine.Your new modem may have better PHYs or just care less about such issue. Or the old one might just have had degraded components (age) that already led to degraded signal integrity and the additional effects of the surge protection just tipped it out of tolerance.
#5
26.1, 26,4 Series / Re: WAN Interface speed duplex...
Last post by OPNenthu - Today at 12:32:12 AM@stumper doesn't mention this being the case, but I've also seen this kind of issue on my previous cable modem while using the in-line Ethernet surge protection on my UPS.
---(coax)---[modem]---(cat6)---[ups]---(cat6)---[router]---
The 2.5GbE port on the modem was problematic so I used one of its adjacent 1GbE ports for a while. It was anyway enough for my ISP plan.
My current cable modem (an ISP-issued replacement, newer model) doesn't seem to care and the 2.5GbE port negotiates fine.
---(coax)---[modem]---(cat6)---[ups]---(cat6)---[router]---
The 2.5GbE port on the modem was problematic so I used one of its adjacent 1GbE ports for a while. It was anyway enough for my ISP plan.
My current cable modem (an ISP-issued replacement, newer model) doesn't seem to care and the 2.5GbE port negotiates fine.
#6
26.1, 26,4 Series / Hairpin/Reflexive NAT Assistan...
Last post by Flerp - Today at 12:30:55 AMI setup an OPNSense box as a replacement for an old SonicWALL and I'm struggling with NAT reflexively for https and game servers
On the old SonicWALL I'd setup a NAT Rule for a locally hosted website like so
Original Source: LAN Subnets
Translated Source: WAN1 IP
Original Destination: WAN1 IP or FQDN
Translated Destination: Reverse Proxy LAN IP
Service: http and https
This worked well, even though my web servers are cloudflare proxied, and then behind a reverse proxy routing to hosts via SNI
It would catch the traffic on the way out, heading towards the cloudflare proxy IP then redirect it immediately
I have been trying to setup something similar on OPNSense but I have failed repeatedly to get traffic to NAT this way
I also run several old game servers that refuse LAN connections and WAN connections at the same time, so they need to have reflexive rules, too
The NAT on OPNSense is seemingly split into a few different pieces instead of having single logical rules, being unable to translate both source and destination at the same time
On the old SonicWALL I'd setup a NAT Rule for a locally hosted website like so
Original Source: LAN Subnets
Translated Source: WAN1 IP
Original Destination: WAN1 IP or FQDN
Translated Destination: Reverse Proxy LAN IP
Service: http and https
This worked well, even though my web servers are cloudflare proxied, and then behind a reverse proxy routing to hosts via SNI
It would catch the traffic on the way out, heading towards the cloudflare proxy IP then redirect it immediately
I have been trying to setup something similar on OPNSense but I have failed repeatedly to get traffic to NAT this way
I also run several old game servers that refuse LAN connections and WAN connections at the same time, so they need to have reflexive rules, too
The NAT on OPNSense is seemingly split into a few different pieces instead of having single logical rules, being unable to translate both source and destination at the same time
#7
26.1, 26,4 Series / Re: Redirect URL After Success...
Last post by Al Muckart - Today at 12:22:28 AMQuote from: Moeni on June 18, 2026, 10:42:13 AMI've opened a feature request with the details (validation helper, the open-core changes, and the two Business Edition controller inserts described by file/method): https://github.com/opnsense/core/issues/10433
Brilliant! Thank you so much.
#8
26.1, 26,4 Series / Re: OIDC and Automatic User Cr...
Last post by Al Muckart - Today at 12:21:28 AMThank you Marco.
#9
26.1, 26,4 Series / Re: WAN Interface speed duplex...
Last post by drosophila - Today at 12:10:59 AMIf that is a grounding issue, then it would be possible to confirm this by connecting only the outer shell of the ISP coax to the modem, leaving the inner connection out. For example by bringing the plug and socket together on the outside only, fixating by rubber bands or something else that creates a bit of spring tension. This would eliminate the possibility of your ISP using TR-069 to mess up your devices, as it would leave the entire broadband link down, retaining the exact same logical case as with the fully unplugged coaxial cable.
However, both your Protectcli box and the Asuswrt have an external PSU that doesn't connect the ground pin, at least that's what I get from the ad pictures. Their respective external PSUs may still differ electrically but these devices themselves don't seem to be grounded.
However, both your Protectcli box and the Asuswrt have an external PSU that doesn't connect the ground pin, at least that's what I get from the ad pictures. Their respective external PSUs may still differ electrically but these devices themselves don't seem to be grounded.
#10
26.1, 26,4 Series / Re: DNSMasq - Am I missing som...
Last post by nero355 - Today at 12:06:02 AMQuote from: besalope on June 18, 2026, 11:25:08 PMhoping this DNSMasq crap blows over with the next couple years before an upgrade fails that requires bare metal reinstall.Pi-Hole FTLDNS = DNSmasqd + Additional Features added by the Pi-Hole Developers ;)
And it's AWESOME!!!
I think you don't need the "tag based stuff" at all and can configure anything you want by adding stuff to the config files just like you can when using Pi-Hole as your DHCP Server so take a look at : https://linux.die.net/man/8/dnsmasq
