Recent posts

#1
General Discussion / Re: LAGG flapping at regular t...
Last post by Seimus - Today at 12:44:56 AM
Fast timeout is a pain in Enterprise too.
At one point I had enough and enforced across the company to use timeout slow (30s) for cross-vendor connections.

Because the fast one was constantly causing, for example, FW switchovers and other nonsense....

And that's the reason it's in the OPNsense docs too, because I was crying to Cedrik when he was writing it :)
https://github.com/opnsense/docs/pull/610#issuecomment-2424144823

Regards,
S.
#2
Tutorials and FAQs / Re: Tutorial 2024/06: HAProxy ...
Last post by sveinse - Today at 12:40:27 AM
Part 6 in the tutorial adds support for hosting public services as well as internal services. This works great, but after some consideration I deemed it too risky. The only safeguard against the internal services ending up publicly on the net is the src address condition rule. In addition, the webui of OPNsense (currently 26.1.9) doesn't handle the order of the "select rules", where it is critical to get the order of the `LOCAL_SUBDOMAINS_rule` and the `PUBLIC_SUBDOMAINS_rule` right to have a functioning setup. I deemed this too risky.

I was running 1_HTTP_frontend and 1_HTTPS_frontend directly to 0.0.0.0:80 and 0.0.0.0:443 respectively. I'm not running 0_SNI_frontend.

1. Clone 1_HTTP_frontend into 1_HTTP_WAN_frontend. Change the listen address to use the *WAN* address :80.
2. Clone 1_HTTP_frontend into 1_HTTP_LAN_frontend. Change the listen address to use the *LAN* address :80.
3. Disable 1_HTTP_frontend.
4. Clone 1_HTTPS_frontend into 1_HTTPS_WAN_frontend. Change the listen address to use the *WAN* address :443. Under Select rules, select only the PUBLIC_SUBDOMAINS_rule.
5. Clone 1_HTTPS_frontend into 1_HTTPS_LAN_frontend. Change the listen address to use the *LAN* address :443. Under Select rules, select only the LOCAL_SUBDOMAINS_rule.
6. Disable 1_HTTPS_frontend.
7. Press Apply.

For this to work, one needs to override the external addresses to internal addresses.

8. Go to Unbound DNS -> Overrides.
9. Add a new entry. Set host, domain and entry. Use the IP for the *LAN* port from above. E.g. www, my.domain, A to 192.168.1.1.
10. Rinse and repeat for all entries that must be overridden.
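As an added illustration of the split described in the steps above (constructed here, not from sveinse's post and not OPNsense's generated configuration), the same layout expressed as a plain haproxy.cfg; 203.0.113.10 as the WAN address, 192.168.1.1 as the LAN address, the hostnames, backend names and certificate path are all assumed placeholders:

```haproxy
# Constructed example: one listener per interface address instead of a single
# 0.0.0.0 listener that relies on a src-address condition for safety.

frontend 1_HTTPS_WAN_frontend
    # Bound to the WAN address only (203.0.113.10 is an assumed placeholder)
    bind 203.0.113.10:443 ssl crt /usr/local/etc/haproxy/certs/
    # Equivalent of selecting only PUBLIC_SUBDOMAINS_rule on this frontend:
    # any Host header that is not a public name is refused before routing
    acl public_host hdr(host) -i www.my.domain api.my.domain
    http-request deny deny_status 404 unless public_host
    default_backend public_backend

frontend 1_HTTPS_LAN_frontend
    # Bound to the LAN address only, so internal names never reach the WAN socket
    bind 192.168.1.1:443 ssl crt /usr/local/etc/haproxy/certs/
    # Equivalent of selecting only LOCAL_SUBDOMAINS_rule on this frontend;
    # www.my.domain is listed too because LAN clients are pointed here by the
    # Unbound override in steps 8-10
    acl local_host hdr(host) -i www.my.domain nas.my.domain grafana.my.domain
    http-request deny deny_status 404 unless local_host
    use_backend public_backend if { hdr(host) -i www.my.domain }
    default_backend local_backend

backend public_backend
    server web1 10.0.0.10:8080 check

backend local_backend
    server nas1 10.0.0.20:5000 check

# Steps 8-10 in Unbound terms (Services -> Unbound DNS -> Overrides): LAN
# clients must resolve the public names to the LAN listener, e.g.
#   www.my.domain  A  192.168.1.1
```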
#3
26.1, 26,4 Series / Re: OPNSense not able to re-cl...
Last post by cookiemonster - Today at 12:26:56 AM
If creating swap is at all possible, it is hardly a bad idea to provide it to a system, even when there is what appears to be plenty of memory for it.
It's quite easy to see that most unix-like/*bsd systems with a suitable amount of memory swap from time to time, even if in small amounts. For the sake of a few gigabytes of storage, it's an easy and cheap help to give it.
#4
Quote from: somanet on June 12, 2026, 10:57:34 AM
Quote from: sopex on June 12, 2026, 10:07:52 AM
Quote from: somanet on June 12, 2026, 09:55:39 AM
Have set the range and lease time but it's not picking up the new leases; it's still using the old configurations.

You need to tell the local clients to renew their lease manually.

For Windows:
ipconfig /release
ipconfig /renew

But you need to do some research and use AI. It's great for these kinds of things.
My Current Range
192.168.2.101 -  192.168.2.200

What I am getting:
eferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.171(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : 12 June 2026 11:48:37
   Lease Expires . . . . . . . . . . : 12 June 2026 13:48:36
   Default Gateway . . . . . . . . . : fe80::f690:eaff:fe01:fb24%17
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
Is that a typo in the dhcp server address, which is different to the address assigned to the client?

Instead of making us guess, can you please tell the setup, what is the OPN version, which dhcp service are you using on it, what are the devices involved in the setup? Perhaps a router behind another router. Maybe more than one dhcp server running on the network.
#5
26.1, 26,4 Series / Re: OPNSense not able to re-cl...
Last post by sopex - Today at 12:17:42 AM
Quote from: cookiemonster on June 12, 2026, 11:39:59 PM
IMHO running any system without swap is not a very good idea. If the system needs it for any reason, it is best for it to have it than not.

It's not a perfect science. In my limited experimentation, the chances of swap getting used and the whole system becoming sluggish are much higher than a 16GB+ system being starved of memory.
#6
26.1, 26,4 Series / Re: OPNSense not able to re-cl...
Last post by cookiemonster - June 12, 2026, 11:39:59 PM
Quote from: sopex on June 12, 2026, 11:34:16 PM
Yes, let the defaults be. You don't need swap.
IMHO running any system without swap is not a very good idea. If the system needs it for any reason, it is best for it to have it than not.
#7
26.1, 26,4 Series / Re: OPNSense not able to re-cl...
Last post by cookiemonster - June 12, 2026, 11:38:59 PM
Seems like a virtual machine, but that's not in itself a problem. Many run it on a VM without problems.
If external monitoring is not set up or available, you need to regularly check the running processes to see which ones are using up the memory.
Telling us what the setup, running services and plugins are would help too.
#8
26.1, 26,4 Series / Re: OPNSense not able to re-cl...
Last post by sopex - June 12, 2026, 11:34:16 PM
Yes, let the defaults be. You don't need swap.
#9
General Discussion / Re: LAGG flapping at regular t...
Last post by nero355 - June 12, 2026, 11:24:32 PM
Quote from: Patrick M. Hausen on June 12, 2026, 09:59:00 PM
update - I can confirm there might be an interoperability problem with Mikrotik devices and FreeBSD/OPNsense concerning LACP.

Since I changed the LACP timeout from 1s/fast to 30s/slow on both sides and disabled "strict" mode on the OPNsense side the connection now seems to be stable.
On the Mikrotik side there is nothing to adjust but the timeout. I also disabled flowid explicitly on OPNsense but if I am not mistaken that was the default all the time, anyway.
I think I can confirm this:
Quote from: Seimus on June 12, 2026, 11:05:43 PM
Yea, the fast timeout cross-vendor is always problematic.
This applies not only to FBSD & Mikrotik, but to other vendors as well.
When I used to build a lot of Linux bonding LACP links we used to set this:
Quote
bond-lacp-rate rate
Denotes the rate of LACPDU requested from the peer.
The rate can be given as string or as numerical value.

Valid values are slow (0) and fast (1). The default is slow.
To SLOW too :)

And this:
Quote
bond-miimon interval
Denotes the MII link monitoring frequency in milliseconds.
This determines how often the link state of each slave is inspected for link failures.

A value of zero disables MII link monitoring. The default is 0.
Was always set at 100 IIRC...

Source: https://manpages.ubuntu.com/manpages/jammy/man5/interfaces-bond.5.html
#10
General Discussion / Re: LAGG flapping at regular t...
Last post by Seimus - June 12, 2026, 11:05:43 PM
Yea, the fast timeout cross-vendor is always problematic.
This applies not only to FBSD & Mikrotik, but to other vendors as well.

Regards,
S.