"Recent posts
#1
26.1 Series / Re: DHCP4 Legacy not showing a...
Last post by Patrick M. Hausen - Today at 07:28:28 PMAre you creating your static leases outside of the dynamic range?
#2
Q-Feeds (Threat intelligence) / Re: Update from Community to P...
Last post by Richard090969 - Today at 07:24:02 PMhallo,
>> However, I have found that the ability to look up IPs can be useful, including getting a site unblocked by qfeeds after some review.
--Translate with ChatGPT----
That is a valid point and, at the very least, adds value to the Plus package. While uninstalling CrowdSec is certainly possible, I do not see any urgent need for action at this time, as the solution currently consumes no significant resources and causes no apparent disadvantage. Whether this assessment will remain valid in the long term is something I would prefer to leave open for now.
As for Q-Feeds, I have a positive view of the project. Despite still being relatively young, it runs very reliably in my environment. My only reservation concerns outsourcing the rule sets to an external service provider — which, incidentally, also applies to CrowdSec
cu Richard
---Original German----
Das ist ein berechtigter Punkt und wertet das Plus‑Paket zumindest auf. Eine Deinstallation von CrowdSec ist zwar möglich; aus meiner Sicht besteht jedoch kein akuter Handlungsbedarf, da die Lösung derzeit keine nennenswerten Ressourcen bindet und keinen erkennbaren Nachteil verursacht. Ob diese Einschätzung langfristig Bestand hat, möchte ich zum jetzigen Zeitpunkt offenlassen.
Zu Q‑Feeds: Ich stehe dem Projekt positiv gegenüber. Trotz seines noch jungen Alters läuft es in meiner Umgebung sehr stabil. Der einzige Vorbehalt betrifft die Auslagerung der Regelwerke an einen externen Dienstleister – das gilt im Übrigen auch für CrowdSec.
VG Richard
>> However, I have found that the ability to look up IPs can be useful, including getting a site unblocked by qfeeds after some review.
--Translate with ChatGPT----
That is a valid point and, at the very least, adds value to the Plus package. While uninstalling CrowdSec is certainly possible, I do not see any urgent need for action at this time, as the solution currently consumes no significant resources and causes no apparent disadvantage. Whether this assessment will remain valid in the long term is something I would prefer to leave open for now.
As for Q-Feeds, I have a positive view of the project. Despite still being relatively young, it runs very reliably in my environment. My only reservation concerns outsourcing the rule sets to an external service provider — which, incidentally, also applies to CrowdSec
cu Richard
---Original German----
Das ist ein berechtigter Punkt und wertet das Plus‑Paket zumindest auf. Eine Deinstallation von CrowdSec ist zwar möglich; aus meiner Sicht besteht jedoch kein akuter Handlungsbedarf, da die Lösung derzeit keine nennenswerten Ressourcen bindet und keinen erkennbaren Nachteil verursacht. Ob diese Einschätzung langfristig Bestand hat, möchte ich zum jetzigen Zeitpunkt offenlassen.
Zu Q‑Feeds: Ich stehe dem Projekt positiv gegenüber. Trotz seines noch jungen Alters läuft es in meiner Umgebung sehr stabil. Der einzige Vorbehalt betrifft die Auslagerung der Regelwerke an einen externen Dienstleister – das gilt im Übrigen auch für CrowdSec.
VG Richard
#3
26.1 Series / Re: Rule or alias not matching
Last post by meyergru - Today at 07:23:39 PMWhat about the S/SA flags? If the packets do not match those, they will be dropped. Compare the working and non-working rules in /rmp/rules.debug.
#4
26.1 Series / DHCP4 Legacy not showing all l...
Last post by chop249 - Today at 07:12:32 PMI tried a search but couldn't find anything. I am looking at LAN and Leases and I am not showing all devices. Twice now I am trying to assign an IP to a device and I'm picking what I thought were unused IPs. It is really bizarre because I assigned this server an IP, it worked, I reinstalled the server OS and gave it the same IP but now I cannot connect and I can ping something when the server is powered down. Thoughts?
Versions
OPNsense 26.1.3-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19
Versions
OPNsense 26.1.3-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19
#5
26.1 Series / Rule or alias not matching
Last post by clarknova - Today at 06:55:33 PMOPNsense was version 25.7.11_2 when I noticed the problem, but upgrading to 26.1.3 hasn't fixed it.
I have a floating rule that allows internet access from multiple hosts on several networks (see screenshot). It looks like this in pfctl:
For some reason, about a week ago some hosts on multiple networks lost access to internet, as if this rule stopped matching packets. One such host has the address 10.15.4.52.
As you can see in the screenshot, I copied this rule and changed only the source from the alias to the explicit network 10.15.4.52/31 and enabled logging. This enabled this specific host to access the internet and the packets are logged as expected.
As you can also see in the screenshot, I have only one block rule in the floating rules. I can confirm there are no block rules in the group or on the interface specific to that network.
And finally, you can see in the screenshot that the alias <allowed_internet> includes the 10.15.0.0/21 network.
As these rules are not quick, I also moved the new rule above the old one, and the new rule still matches, passes and logs the packet, as if the old one isn't matching.
So why did the old rule stop matching packets while the new rule matches packets that should have matched the old one? The old rule used to work, and then stopped working at some point (at least for a handful of hosts that I've tested). I can't think of an explanation except that I'm seeing some sort of bug having to do with the rule or the alias.
I have a floating rule that allows internet access from multiple hosts on several networks (see screenshot). It looks like this in pfctl:
Code Select
pass in on aINTERNAL route-to (wan_gw) inet from <allowed_internet> to ! <rfc5735> flags S/SA keep state label "..."For some reason, about a week ago some hosts on multiple networks lost access to internet, as if this rule stopped matching packets. One such host has the address 10.15.4.52.
As you can see in the screenshot, I copied this rule and changed only the source from the alias to the explicit network 10.15.4.52/31 and enabled logging. This enabled this specific host to access the internet and the packets are logged as expected.
As you can also see in the screenshot, I have only one block rule in the floating rules. I can confirm there are no block rules in the group or on the interface specific to that network.
And finally, you can see in the screenshot that the alias <allowed_internet> includes the 10.15.0.0/21 network.
As these rules are not quick, I also moved the new rule above the old one, and the new rule still matches, passes and logs the packet, as if the old one isn't matching.
So why did the old rule stop matching packets while the new rule matches packets that should have matched the old one? The old rule used to work, and then stopped working at some point (at least for a handful of hosts that I've tested). I can't think of an explanation except that I'm seeing some sort of bug having to do with the rule or the alias.
#6
German - Deutsch / Re: Kea Option 108 für DHCP-Re...
Last post by bamf - Today at 05:57:45 PMDanke, ich habe ein Feature Request aufgemacht https://github.com/opnsense/core/issues/9918
#7
26.1 Series / Re: Large number of files accu...
Last post by franco - Today at 05:43:23 PMBusy dashboard open perhaps?
#8
26.1 Series / Re: [SOLVED] Upgrade in situ "...
Last post by jrx - Today at 05:41:56 PMFor anyone else, like me, who end up here from DuckDuckGo, the "Reloading firmware configuration" eventually completed after 5-10 minutes or so, and the rest of the upgrade went smoothly. Give it time.
#9
General Discussion / Re: Internet access problems
Last post by patient0 - Today at 04:21:29 PMQuote from: Jebecca on March 09, 2026, 09:19:39 PMDoes the client get an IP - WAN is set to DHCP due to ISPI was referring to the clients in your network, does the client you get an IP when on VLAN 5 - Trusted? What firewall rules do you on VLAN 5 and MGMT VLAN23? Do they differ?
Can you ping an outside IP from VLAN5? Meaning, does 'only' DNS not work are no access at all.
QuoteFrom what I've read the MGMT_VLAN doesn't need internet access.That is completely up to you. But yes, in general you give as little rights as needed and since the MGMT network can access every devices. But it also means that e.g you want to update firmware you have to download the necessary files before since you won't be able to do that from the MGMT VLAN.
QuoteHow would I check for access from OPNsense?If you login to the OPNsense GUI and check for updates.
#10
26.1 Series / Re: FW live view not working r...
Last post by lmoore - Today at 04:16:16 PMQuote from: franco on Today at 03:17:36 PM"not seen before" was directed towards the fact that regex are/were supported in the JS here, not the regex itself :D
Search for Disjunction in JS. You should get a few hits.
Cheers,
Larry.
