Recent posts

#1
General Discussion / Re: Help Needed, VLANs on mult...
Last post by SirBiggin - Today at 11:54:04 PM
Thanks for the comment. The problem I have is that I cannot assign a LAGG to a bridge. I understand that I can assign a VLAN to multiple bridges, but I need that LACP bond for my C3850 switches.


I would like to have all my VLANs available on my UDMSE so that I can have the traffic route between my two switches and have a management VLAN.


Already got the tunables in place :)
#2
26.1 Series / Potential Bug/Exploit Witnesse...
Last post by Werewolf71 - Today at 11:53:32 PM
Versions
OPNsense 26.1.2_5-amd64
FreeBSD 14.3-RELEASE-p8
OpenSSL 3.0.19

It was noticed today when an unknown party performed a UDP port scan on my home's public IP that a node on my private subnet would 'react' and initiate outbound UDP traffic towards the scanning IP address and source port.  See sanitized SYSLOG messages below.  I can provide more log messages, if required.

Sharing this for awareness as in checking the SYSLOG, no other traffic has been witnessed from the scanning IP address before the scan took place.


11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9319,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,46652,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9321,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,15946,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9318,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,28496,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9317,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,64274,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9331,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,56299,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9316,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,37499,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9320,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,25566,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9323,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,41253,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9324,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,15935,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,54,9328,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,30811,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9322,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,37367,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9325,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,35622,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9327,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,24423,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9326,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,51875,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9330,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,52030,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9329,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,53247,49
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,18484,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51536,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,18484,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,61503,51536,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,53287,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51537,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,53287,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,39173,51537,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,35093,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51538,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,35093,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,59266,51538,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,3406,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51539,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,3406,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,45066,51539,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,873,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51540,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,873,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,2356,51540,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,33810,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51541,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,33810,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,54597,51541,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,57291,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51542,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,57291,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,28222,51542,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,50441,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51543,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,50441,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,60136,51543,48
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9334,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,48008,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51544,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,48008,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,3600,51544,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,42554,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51545,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,42554,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,15340,51545,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,25127,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51546,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,25127,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,60149,51546,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,1807,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51547,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,1807,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,44900,51547,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,64006,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51548,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,64006,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,34174,51548,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,53892,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51549,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,53892,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,42543,51549,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,22058,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51550,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,22058,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,42140,51550,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,38924,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51551,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,38924,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,44999,51551,48
88,,,32b0c9606bf44cc4ae86af3b6e178b80,igc0,match,pass,in,4,0x0,,64,63294,0,none,17,udp,68,<HOME_NODE_PRIVATE_IP>,<SCANNER_IP>,59858,51552,48
77,,,528d46c993d2f22268135be7b26815f2,igc1,match,pass,out,4,0x0,,63,63294,0,none,17,udp,68,<HOME_PUBLIC_IP>,<SCANNER_IP>,19522,51552,48
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9359,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9367,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
11,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,53,9377,0,DF,17,udp,69,<SCANNER_IP>,<HOME_PUBLIC_IP>,51536,57665,49
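Added example, not part of the original post: one way to correlate log lines like the ones above, reporting any LAN host that sends UDP to an address whose inbound probes were blocked. The field positions are read off the posted lines; the sample records, the addresses (203.0.113.7 as scanner, 198.51.100.2 as WAN, 192.168.1.50 as LAN node) and the `igc0` LAN interface default are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in the same filterlog CSV layout as the post (IPv4/UDP).
# Placeholder addresses: 203.0.113.7 = scanner, 198.51.100.2 = WAN, 192.168.1.50 = LAN node.
SAMPLE = """\
11,,,aaa,igc1,match,block,in,4,0x0,,54,9319,0,DF,17,udp,69,203.0.113.7,198.51.100.2,51536,46652,49
11,,,aaa,igc1,match,block,in,4,0x0,,54,9321,0,DF,17,udp,69,203.0.113.7,198.51.100.2,51536,15946,49
88,,,bbb,igc0,match,pass,in,4,0x0,,64,18484,0,none,17,udp,68,192.168.1.50,203.0.113.7,59858,51536,48
77,,,ccc,igc1,match,pass,out,4,0x0,,63,18484,0,none,17,udp,68,198.51.100.2,203.0.113.7,61503,51536,48
88,,,bbb,igc0,match,pass,in,4,0x0,,64,53287,0,none,17,udp,68,192.168.1.50,203.0.113.7,59858,51537,48
77,,,ccc,igc1,match,pass,out,4,0x0,,63,53287,0,none,17,udp,68,198.51.100.2,203.0.113.7,39173,51537,48
88,,,bbb,igc0,match,pass,in,4,0x0,,64,700,0,none,17,udp,60,192.168.1.50,192.0.2.53,40000,53,32
"""

def parse(line):
    """Return a dict for an IPv4 UDP filterlog record, else None."""
    f = line.strip().split(",")
    if len(f) < 23 or f[8] != "4" or f[16] != "udp":
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "ipid": f[12],
            "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21])}

def correlate(text, lan_if="igc0"):
    """Find LAN hosts sending UDP to an address whose inbound probes were blocked."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    probe_sports = defaultdict(set)  # remote IP -> source ports its blocked probes used
    for r in recs:
        if r["action"] == "block" and r["dir"] == "in":
            probe_sports[r["src"]].add(r["sport"])
    # WAN-side (post-NAT) copy of each flow; the IP ID is the same on both records
    nat = {(r["dst"], r["dport"], r["ipid"]): r["sport"]
           for r in recs if r["action"] == "pass" and r["dir"] == "out"}
    findings = defaultdict(lambda: {"dports": [], "nat_sports": [], "hits_probe_sport": False})
    for r in recs:
        if r["action"] == "pass" and r["dir"] == "in" and r["iface"] == lan_if \
                and r["dst"] in probe_sports:
            f = findings[(r["src"], r["dst"])]
            f["dports"].append(r["dport"])
            f["nat_sports"].append(nat.get((r["dst"], r["dport"], r["ipid"])))
            f["hits_probe_sport"] |= r["dport"] in probe_sports[r["dst"]]
    return dict(findings)

if __name__ == "__main__":
    for (host, remote), f in correlate(SAMPLE).items():
        print(host, "->", remote, f)
```

The result names the private address behind each NATed flow, which is the starting point for checking which process on that node owns the local UDP port.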
#3
General Discussion / Re: Deutsche Telekom - Glasfer...
Last post by Maurice - Today at 11:16:55 PM
Quote from: nero355 on Today at 09:31:00 PM
Can you choose a different ISP that operates on their network and get one that way ?
Sure. Deutsche Telekom, Vodafone, o2, 1&1 will happily sell you the very same ONT with a slightly customized enclosure and their own logo slapped on it. :)

https://hack-gpon.org/ont-sercomm-fg1000b/#other-brand-names

Quote from: meyergru on Today at 10:14:40 PM
As long as you do not have a rate > 1 Gbps, you can use a GPON ONT, because XGS-PON is mostly downwards-compatible.
A GPON ONT can't talk to an XGS-PON OLT, they even use different wavelengths.
#4
General Discussion / Re: Please help me get connect...
Last post by viragomann - Today at 10:44:35 PM
Quote from: TrafficChaos on Today at 03:13:53 AM
I have also connected a USB to WiFi adapter to my phone and connected the ethernet end of the adapter to the WAN
Are you sure you have connected it to the correct network port?

Which hardware did you install OPNsense on?

In Interfaces: Assignments open the drop-down next to WAN and check if the plug symbol is green.

If you want to use the USB adapter on OPNsense, you have to change the network device here to ue1 or alike and save the setting.
#5
What do you mean they won't stay connected? I think you need to give more info on your setup and error messages TBH.
#6
26.1 Series / Re: Client is being assigned b...
Last post by FarmServer - Today at 10:35:14 PM
Quote from: LisaMT on Today at 04:07:05 PM
Don't use Dnsmasq.  Kea/Unbound.

This was also happening with the older isc dhcp service.

I also disconnected my 192.168.3.x subnet and turned all the PCs off to check and see if one of my computers was the rogue DHCPer but it didn't change what was happening.

I may have found the issue, or an issue at least. It seems when the corporate PC connects to my wifi but not the IPSEC connection it only gets assigned the 192.168.1.1 dns server like everything else. It only acquires the 192.168.3.41 primary dns address when it connects to the corporate network via IPSEC. Which seems like a lazy and incorrect use of subnet addressing on their end. Perhaps the coincidence of me also having a 192.168.3.x subnet was freaking it out.

I took the equally lazy path and just reassigned my 192.168.3.x subnet to a different address further away from 3 and I have yet to hear any complaints.
#7
General Discussion / Re: Deutsche Telekom - Glasfer...
Last post by meyergru - Today at 10:14:40 PM
XGS-PON ONT prices are a lot higher than GPON ONTs. They often draw a lot more power, as well. As long as you do not have a rate > 1 Gbps, you can use a GPON ONT, because XGS-PON is mostly downwards-compatible. In Germany, there are only a few ISPs who already offer XGS-PON - we sometimes use to call it "digital diaspora".

In theory, one could have up to 2.5 Gbps downstream over plain GPON, BTW.
#8
25.7, 25.10 Series / Re: Hostwatch - high disk writ...
Last post by nero355 - Today at 09:38:00 PM
Quote from: Slybunda on Today at 09:30:39 PM
what happens if you turn this feature off?
See : https://forum.opnsense.org/index.php?msg=259577

But you discovered that topic already I see :)


IIRC its eventual goal is to assist with certain IPv6 related features, but for now you don't really need it...
#9
25.7, 25.10 Series / Re: How to find out which proc...
Last post by Slybunda - Today at 09:33:00 PM
Quote from: buedi on February 07, 2026, 08:37:10 PM
```
top -S -m io -o total
```

Shows the processes causing I/O.

Thanks for this. For me it shows hostwatch and crowdsec causing the writes.
Need to find out why crowdsec writes so much.
#10
General Discussion / Re: Deutsche Telekom - Glasfer...
Last post by nero355 - Today at 09:31:00 PM
Quote from: Maurice on Today at 03:38:24 PM
Deutsche Telekom does not give you a free ONT. You have to buy or rent one.
Can you choose a different ISP that operates on their network and get one that way ??

Quote from: meyergru on Today at 04:52:46 PM
Really? Interesting. Both M-Net and Deutsche Glasfaser give you one.
We have something really weird here in The Netherlands on the Delta Fiber Network :
- Choose Delta as ISP and you don't get a Nokia 010 ONT and get a Nokia "All-in-One" model instead.
- Choose any other ISP that operates on their network and you get the Nokia 010 ONT and a separate Router from ZyXel.
And that Nokia 010 ONT has a huge DELTA sticker on it !!! LOL !!!

Quote
Either way, they are dirt cheap (30-50€). I just bought an LXT-010H-D from wisp.pl and that also has 2.5 Gbps.
Over here most people buy either a Huawei ONT or Nokia ONT for XGS-PON connections like this one : https://www.wisp.pl/p12211,huawei-optixstar-en8010ts-20-terminal-xgs-pon-ont.html
(Sometimes from the very same webshop by the way!)

Usually not very cheap and the availability is not that great either...