Recent posts

#1
General Discussion / Re: How do predefined net alia...
Last post by OPNenthu - June 29, 2026, 11:19:50 PM
Quote from: silmarine on June 29, 2026, 09:32:37 AM
[...] if I put in any predefined interface net alias into a rule it will allow all the networks from the interfaces in the rules. So if I have a floating rule with interfaceA and interfaceB, sources as exact-host-from-interfaceA-network and the predefined interfaceB net alias, then the rule will still match traffic from interfaceA from any host in that network, instead of just the exact-host-from-interfaceA-network.

A test rule like you describe expands like this on the back end:


# [prio: 200000]
pass in quick on vlan0.1030 inet from $HOSTS_MGMT to {any} keep state label "e92ba5aa-e088-4435-8244-1410fd42334b" # test
pass in quick on vlan0.1040 inet from $HOSTS_MGMT to {any} keep state label "e92ba5aa-e088-4435-8244-1410fd42334b" # test
pass in quick on vlan0.1030 inet from {(vlan0.1040:network)} to {any} keep state label "e92ba5aa-e088-4435-8244-1410fd42334b" # test
pass in quick on vlan0.1040 inet from {(vlan0.1040:network)} to {any} keep state label "e92ba5aa-e088-4435-8244-1410fd42334b" # test

I can see that using multiple sources in a rule creates a potential hole where any of the sources will pass on either interface. Maybe two rules would be better than a single rule here to avoid the spoofed-source-IP problem, but then they can't stay in Floating and would change to interface-level rules.

I don't see that other sources from vlan0.1030 (the source network for hosts defined in HOSTS_MGMT alias) would pass, unless either the HOSTS_MGMT alias contained a netmask (which they can't) as Patrick suggested, or, the hosts alias contained an incorrect entry.

Another possibility: did you have an active state from a prior rule change?  Maybe it would clear up after a reset.

Quote from: Bob.Dig on June 29, 2026, 05:53:22 PM
They have, in pfSense.

Yeah, that's an important distinction too.  It's not safe to read pfSense docs/tutorials and assume floating works the same here.
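An added illustration of the expansion this post describes (example code, not OPNsense or pf code): it reproduces the interface x source cross product that the pfctl dump above shows, then checks which packets pass under the single floating rule versus the two interface-level rules the post suggests. The interface subnets, the contents of HOSTS_MGMT and the probe addresses are made up for the example.

```python
"""Model of how a floating pf rule with several interfaces and several
sources expands, and what each form lets through.

Added illustration, not OPNsense code. The expansion (one rule per
interface x source pair) is what the pfctl dump in the post shows; the
interface subnets, the HOSTS_MGMT alias contents and the test addresses
below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed: interface subnets and a host alias (hosts only, no netmask).
IFACE_NET = {
    "vlan0.1030": ip_network("10.30.0.0/24"),
    "vlan0.1040": ip_network("10.40.0.0/24"),
}
ALIASES = {"HOSTS_MGMT": ["10.30.0.10", "10.30.0.11"]}


@dataclass(frozen=True)
class Rule:
    iface: str
    sources: tuple      # ipaddress networks (single hosts are /32)
    label: str = "test"

    def matches(self, iface, src):
        """pass in quick on <iface> from <sources>: the interface and the
        source must both match; with quick, the first hit decides."""
        return iface == self.iface and any(src in net for net in self.sources)

    def render(self):
        srcs = ", ".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                         for n in self.sources)
        return (f"pass in quick on {self.iface} inet from {{{srcs}}} "
                f"to {{any}} keep state # {self.label}")


def resolve(token):
    """Turn a GUI source token into a tuple of networks."""
    if token.startswith("$"):                       # alias: host entries
        return tuple(ip_network(h + "/32") for h in ALIASES[token[1:]])
    if token.startswith("(") and token.endswith(":network)"):
        return (IFACE_NET[token[1:-len(":network)")]],)
    return (ip_network(token),)


def expand_floating(ifaces, source_tokens):
    """A floating rule on several interfaces with several sources becomes
    the full cross product, in the same order as the four lines in the post
    (sources outer, interfaces inner)."""
    return [Rule(i, resolve(t)) for t, i in product(source_tokens, ifaces)]


def floating_rules():
    return expand_floating(["vlan0.1030", "vlan0.1040"],
                           ["$HOSTS_MGMT", "(vlan0.1040:network)"])


def per_interface_rules():
    """The alternative from the post: one interface rule per interface,
    each carrying only the source that belongs on that interface."""
    return [Rule("vlan0.1030", resolve("$HOSTS_MGMT")),
            Rule("vlan0.1040", resolve("(vlan0.1040:network)"))]


def passes(rules, iface, src):
    """True if a packet entering on iface with source src hits a pass rule."""
    addr = ip_address(src)
    return any(r.matches(iface, addr) for r in rules)


if __name__ == "__main__":
    for r in floating_rules():
        print(r.render())
    # The hole: a vlan0.1040 address arriving on vlan0.1030 (spoofed or
    # misrouted) passes under the floating rule, not under the split rules.
    print(passes(floating_rules(), "vlan0.1030", "10.40.0.50"))
    print(passes(per_interface_rules(), "vlan0.1030", "10.40.0.50"))
    # Other hosts in vlan0.1030's own subnet still do not pass in either form.
    print(passes(floating_rules(), "vlan0.1030", "10.30.0.99"))
```

The model confirms both points made in the post: the cross product lets a vlan0.1040 source address pass when it shows up on vlan0.1030, while hosts from vlan0.1030 that are not in HOSTS_MGMT are still blocked. Interface-level rules remove the first case because each source is bound to exactly one interface.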
#2
Hardware and Performance / Re: PPPoE performance with cur...
Last post by mattuz - June 29, 2026, 10:43:44 PM
Just a side note: I've been trying the same setup with OpenWRT since, based on Google suggestions, it handles PPPoE better; the results are worse than with OPNsense. I get 380-400 Mbit/s. With an IP-IP link the results are as good as with OPNsense (2.3-2.4 Gbit/s).
I was starting to think the issue is coming from the PPPoE server, but it doesn't make much sense since I'm getting the same performance using my laptop as a server (11th-gen mobile i7 CPU) and my desktop (Ryzen 9 3900X).
#3
Tutorials and FAQs / Re: [HOWTO] Sonos speaker in m...
Last post by cookiemonster - June 29, 2026, 10:14:12 PM
Pics seem to be hosted on imgur. Those are unavailable in the UK (I can't see them). But it might apply to other locales as well.
#4
It sounds like somehow your firewall rules are or were left too open and allowed traffic into your AdGuardHome port.
If you use the ADGH UI and go to "Setup guide" you'll see it listening to all interfaces unless you've changed from defaults, which are the result of "$ifconfig | grep inet" on your OPN.
That will include your WAN ip address.
Therefore my thinking is firewall rules need revising.
So 1. **Open DNS resolver on the WAN**: seems to have caught it. It might only need a reset of firewall states. Hopefully!
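An added example (not AdGuard Home or OPNsense code) of the check this reply walks through by hand: take the WAN addresses from `ifconfig`, take the listening sockets from `sockstat -4 -l`, and list the listeners a WAN peer could reach, i.e. those bound to the wildcard address or to a WAN address. The ifconfig and sockstat snippets are constructed samples in FreeBSD output format; the interface name, addresses and PIDs are assumptions.

```python
"""Find services whose listening sockets are reachable on the WAN address.

Added example, not AdGuard Home or OPNsense code. It follows the post's
reasoning: a daemon listening on all interfaces ("*") also answers on the
WAN address unless a firewall rule stops it. The ifconfig and sockstat
snippets are constructed samples in FreeBSD output format; the interface
name, addresses and PIDs are assumptions."""


def wan_addresses(ifconfig_text, wan_iface):
    """Collect the IPv4 addresses of one interface from `ifconfig` output."""
    addrs, current = set(), None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            current = line.split(":", 1)[0]       # "vtnet0: flags=..." -> vtnet0
        elif current == wan_iface:
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "inet":
                addrs.add(parts[1])
    return addrs


def listeners(sockstat_text):
    """Parse `sockstat -4 -l` lines into (command, proto, address, port)."""
    out = []
    for line in sockstat_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":   # header or blank line
            continue
        command, proto, local = parts[1], parts[4], parts[5]
        addr, port = local.rsplit(":", 1)
        out.append((command, proto, addr, int(port)))
    return out


def exposed_on_wan(sockstat_text, wan_addrs, ports=(53,)):
    """Listeners on the given ports that a WAN peer could reach: bound to
    the wildcard address or to a WAN address itself. The firewall is the
    only thing left between such a socket and the internet."""
    hits = []
    for command, proto, addr, port in listeners(sockstat_text):
        if port in ports and (addr == "*" or addr in wan_addrs):
            hits.append((command, proto, f"{addr}:{port}"))
    return hits


# Constructed sample output (not from the poster's box).
IFCONFIG = """\
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
vtnet1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
"""
SOCKSTAT = """\
USER     COMMAND     PID   FD PROTO  LOCAL ADDRESS     FOREIGN ADDRESS
root     AdGuardHome 901   8  tcp4   *:53              *:*
root     AdGuardHome 901   9  udp4   *:53              *:*
root     AdGuardHome 901   10 tcp4   10.0.0.1:3000     *:*
root     sshd        700   5  tcp4   10.0.0.1:22       *:*
"""

if __name__ == "__main__":
    wan = wan_addresses(IFCONFIG, "vtnet0")
    for hit in exposed_on_wan(SOCKSTAT, wan):
        print("reachable from WAN unless filtered:", hit)
```

On a real box the two inputs are the output of `ifconfig` and `sockstat -4 -l`; anything the script lists on port 53 with a `*` address is exactly the "listening on all interfaces" case the reply describes, and needs either a bind to a LAN address or a WAN block rule.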
#5
Russian - Русский / Re: os-xray — плагин Xray-core...
Last post by Al-x - June 29, 2026, 10:10:10 PM
Please advise, it doesn't work. The connection itself via the program on a PC works fine, services open fine, there is bandwidth. The connection settings are as follows; nothing special, it seems.

{
    "tag": "proxy",
    "protocol": "vless",
    "settings": {
        "vnext": [
            {
                "address": "address",
                "port": port,
                "users": [
                    {
                        "id": "id",
                        "encryption": "none",
                        "flow": ""
                    }
                ]
            }
        ]
    },
    "streamSettings": {
        "network": "xhttp",
        "security": "reality",
        "realitySettings": {
            "serverName": "site",
            "fingerprint": "chrome",
            "show": false,
            "publicKey": "key",
            "shortId": "928c",
            "spiderX": "some other password"
        },
        "xhttpSettings": {
            "path": "/",
            "mode": "auto"
        }
    }
}

In the diagnostics section the services are up, there is some traffic, and right after the service starts some page does open, but after that it gets stuck.

TUN Interface   proxytun2socks0
TUN Status   running
TUN IP   10.255.0.1/30
MTU   1500 bytes
Bytes In   136.1 KiB
Bytes Out   125.9 KiB
Packets In   549
Packets Out   671
xray-core Uptime   7m 3s
tun2socks Uptime   7m 3s
Server Ping RTT   21.997 ms

On the check I get "Could not connect — xray-core may be stopped or port unreachable". If I check from the console with a command, the response code is 301.

Outbound is configured; for easier debugging I sent the tablet straight to the tunnel gateway via rules. What else can I look at, and how?

A neighbouring server runs the 3X-UI panel, connected with the same link, and traffic goes through it too. But through OPNsense, nothing.

It's also unclear where the addresses 10.255.0.1 (interface) and 10.255.0.2 (gateway) are taken from or invented. The interface one is clear, but on what basis is the gateway decided to be .2? Whether that matters or not, I don't know.

Neither packet capture nor the firewall Live view table shows anything useful; I don't understand how to trace where the packets are being lost.
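One thing worth checking at this point is whether the local proxy port actually speaks SOCKS5, independently of the plugin's own health check and of an HTTP client (an HTTP 301 from the console suggests the command hit an HTTP listener, not a SOCKS one). The script below is an added example, not part of the os-xray plugin: it assumes, which the post does not state, that tun2socks forwards into a SOCKS5 inbound of xray-core, and the address 127.0.0.1:10808 is a placeholder. The message builders and parsers follow RFC 1928 and are exercised on constructed bytes; only `socks5_probe()` opens a real socket.

```python
"""Probe a SOCKS5 port the way tun2socks would use it: method negotiation,
then a CONNECT, and decode the reply code.

Added example, not part of the os-xray plugin. It assumes (not stated in
the post) that xray-core exposes a SOCKS5 inbound that tun2socks forwards
into; the address 127.0.0.1:10808 is a placeholder. The message builders
and parsers follow RFC 1928 and are exercised on constructed bytes; only
socks5_probe() opens a real socket."""
import socket
import struct

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported",
    0x08: "address type not supported",
}


def greeting():
    """VER=5, one method offered: 0x00 (no authentication)."""
    return b"\x05\x01\x00"


def parse_method_reply(data):
    """Server picks a method; 0xFF means none of ours was acceptable."""
    if len(data) != 2 or data[0] != 0x05:
        raise ValueError(f"not a SOCKS5 method reply: {data!r}")
    return data[1]


def connect_request(host, port):
    """CMD=CONNECT with a domain-name target (ATYP=3), so the proxy does
    the name resolution, as it would for a routed destination."""
    name = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_connect_reply(data):
    """Return (reply_code, text, bound_address, bound_port)."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError(f"not a SOCKS5 reply: {data!r}")
    code, atyp = data[1], data[3]
    if atyp == 0x01:                                  # IPv4
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 0x03:                                # domain name
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == 0x04:                                # IPv6
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack("!H", rest[:2])
    return code, REPLY_TEXT.get(code, "unassigned"), addr, port


def socks5_probe(proxy_host, proxy_port, dst_host, dst_port, timeout=5.0):
    """Full exchange against a live proxy; returns the decoded CONNECT reply.
    A refused TCP connect means nothing listens there; a ValueError means
    the listener is not SOCKS5 (for example an HTTP inbound)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(greeting())
        if parse_method_reply(s.recv(2)) != 0x00:
            raise RuntimeError("proxy requires authentication")
        s.sendall(connect_request(dst_host, dst_port))
        return parse_connect_reply(s.recv(262))       # max reply: 4+1+255+2


if __name__ == "__main__":
    # Placeholder proxy address; adjust to the xray SOCKS inbound in use.
    print(socks5_probe("127.0.0.1", 10808, "example.com", 443))
```

Run it on the OPNsense box itself (or from the tablet with the proxy address) with a destination that opens in the PC client: reply code 0 with a bound address means xray accepted the CONNECT and the outbound works from this host, while a non-zero code or a ValueError narrows the problem to the xray side or to the port the plugin's check is pointing at.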
#6
26.1, 26.4 Series / [OPNsense v26.1.10] IGMPProxy:...
Last post by FvdAa - June 29, 2026, 09:08:10 PM
Hi,

Since I updated OPNsense to v26.1.10 I'm experiencing issues with IGMPProxy and my KPN Interactive TV.

After a while, it seems that certain actions, e.g. starting an earlier recorded video, are not possible and return an error (STB-zap-06), and when restarting the STB it hangs at 85% while starting up. When I then restart IGMPProxy, it directly proceeds with the startup and I can also play the recorded video again.

Looking at the logs I can see the following warnings:
 - select() failure; Errno(4): Interrupted system call
 - MRT_DEL_MFC; Errno(49): Can't assign requested address

So far, this seems to happen every 3 days (23rd, 26th and 29th of June).

I found an older topic that looks like similar problem, also with IGMPProxy and KPN:
https://forum.opnsense.org/index.php?topic=41719.45

Anything to check the next time I encounter this issue?

Regards,

Frank
#7
Hardware and Performance / Re: Problems With Nics not bee...
Last post by BrandyWine - June 29, 2026, 08:58:22 PM
Sorry, it's in the pciutils pkg, but pciconf is ok. Wondering what that looks like, etc.

#8
Hardware and Performance / Re: PPPoE performance with cur...
Last post by mattuz - June 29, 2026, 07:57:53 PM
Quote from: pfry on June 29, 2026, 02:22:07 AM
Edit: For the heck of it (quoting myself), you might try "netstat" - "-m", "-i", perhaps "-Q", "-T", "-x", "-s" options (most have to be issued separately), and see if anything looks bad. I'm not sure if these will provide useful data for a PPPoE device.

Thanks I will try these commands and update the thread with the results.

Quote from: meyergru on June 29, 2026, 09:14:29 AM
Did you use the Realtek vendor or the FreeBSD native driver on OpnSense?

I'm using the os-realtek-re drivers. The card plugged in without those didn't even show the interfaces in the GUI. I had "pci3: <network, ethernet> at device 0.0 (no driver attached)".

Looking at netstat -Q, it seems CPU 2 is handling most of the traffic compared to the others (this is during an iperf3 test).
=== netstat -Q ===
Configuration:
Setting                        Current        Limit
Thread count                         4            4
Default queue limit                256        10240
Dispatch policy               deferred          n/a
Threads bound to CPUs          enabled          n/a

Protocols:
Name   Proto QLimit Policy Dispatch Flags
ip         1   1000    cpu   hybrid   C--
igmp       2    256 source  default   ---
rtsock     3    256 source  default   ---
arp        4    256 source  default   ---
ether      5    256    cpu   direct   C--
ip6        6   1000    cpu   hybrid   C--
ip_direct     9    256    cpu   hybrid   C--
ip6_direct    10    256    cpu   hybrid   C--

Workstreams:
WSID CPU   Name     Len WMark   Disp'd  HDisp'd   QDrops   Queued  Handled
   0   0   ip         0    29        0     7688        0   101826   109514
   0   0   igmp       0     0        0        0        0        0        0
   0   0   rtsock     0     0        0        0        0        0        0
   0   0   arp        0     1        0        0        0       33       33
   0   0   ether      0     0     5905        0        0        0     5905
   0   0   ip6        0     1        0        0        0        1        1
   0   0   ip_direct     0     0        0        0        0        0        0
   0   0   ip6_direct     0     0        0        0        0        0        0
   1   1   ip         0    18        0     4310        0    64904    69211
   1   1   igmp       0     0        0        0        0        0        0
   1   1   rtsock     0     0        0        0        0        0        0
   1   1   arp        0     2        0        0        0    10006    10006
   1   1   ether      0     0      718        0        0        0      718
   1   1   ip6        0     1        0        0        0       10       10
   1   1   ip_direct     0     0        0        0        0        0        0
   1   1   ip6_direct     0     0        0        0        0        0        0
   2   2   ip         0    83        0    26970        0   227620   254590
   2   2   igmp       0     0        0        0        0        0        0
   2   2   rtsock     0     3        0        0        0       36       36
   2   2   arp        0     0        0        0        0        0        0
   2   2   ether      0     0   529402        0        0        0   529402
   2   2   ip6        0     1        0        0        0        2        2
   2   2   ip_direct     0     0        0        0        0        0        0
   2   2   ip6_direct     0     0        0        0        0        0        0
   3   3   ip         0    24        0     5346        0   174797   180143
   3   3   igmp       0     0        0        0        0        0        0
   3   3   rtsock     0     0        0        0        0        0        0
   3   3   arp        0     1        0        0        0      106      106
   3   3   ether      0     0    26856        0        0        0    26856
   3   3   ip6        0     0        0       16        0        0       16
   3   3   ip_direct     0     0        0        0        0        0        0
   3   3   ip6_direct     0     0        0        0        0        0        0
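An added example (not OPNsense or FreeBSD code) that turns the Workstreams table above into per-CPU numbers, so the imbalance the poster sees by eye becomes a figure. The column names are the ones `netstat -Q` prints; the sample rows are the ip and ether lines copied from the output above, so the values are the poster's and not constructed.

```python
"""Summarise the Workstreams table of `netstat -Q` per CPU.

Added example, not OPNsense or FreeBSD code. The column names are the
ones netstat prints (WSID CPU Name Len WMark Disp'd HDisp'd QDrops
Queued Handled); the sample rows are the ip and ether lines from the
post, so the numbers below are the poster's, not constructed."""
from collections import defaultdict


def parse_workstreams(text):
    """Return rows as dicts, taking only the lines after 'Workstreams:'."""
    cols = ["wsid", "cpu", "name", "len", "wmark", "dispd", "hdispd",
            "qdrops", "queued", "handled"]
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Workstreams:"):
            in_table = True
            continue
        parts = line.split()
        if not in_table or len(parts) != len(cols) or parts[0] == "WSID":
            continue
        row = dict(zip(cols, parts))
        for k in cols:
            if k != "name":
                row[k] = int(row[k])
        rows.append(row)
    return rows


def per_cpu(rows, name, column="handled"):
    """Sum one column of one protocol per CPU."""
    totals = defaultdict(int)
    for r in rows:
        if r["name"] == name:
            totals[r["cpu"]] += r[column]
    return dict(totals)


def cpu_share(rows, name, column="handled"):
    """Fraction of the protocol's work each CPU did (0..1)."""
    totals = per_cpu(rows, name, column)
    total = sum(totals.values())
    return {cpu: v / total for cpu, v in totals.items()} if total else {}


def queue_drops(rows):
    """Packets dropped because a netisr queue hit its limit (all protocols)."""
    return sum(r["qdrops"] for r in rows)


# Rows copied from the poster's netstat -Q output (ip and ether only).
SAMPLE = """\
Workstreams:
WSID CPU   Name     Len WMark   Disp'd  HDisp'd   QDrops   Queued  Handled
   0   0   ip         0    29        0     7688        0   101826   109514
   0   0   ether      0     0     5905        0        0        0     5905
   1   1   ip         0    18        0     4310        0    64904    69211
   1   1   ether      0     0      718        0        0        0      718
   2   2   ip         0    83        0    26970        0   227620   254590
   2   2   ether      0     0   529402        0        0        0   529402
   3   3   ip         0    24        0     5346        0   174797   180143
   3   3   ether      0     0    26856        0        0        0    26856
"""

if __name__ == "__main__":
    rows = parse_workstreams(SAMPLE)
    for proto in ("ether", "ip"):
        share = cpu_share(rows, proto)
        print(proto, {cpu: f"{v:.1%}" for cpu, v in sorted(share.items())})
    print("queue drops:", queue_drops(rows))
```

For the rows above, about 94% of the `ether` work (direct dispatch, i.e. done in the context of the receiving interrupt) landed on CPU 2, while `ip` is spread more evenly (CPU 2 at about 42%) because it is queued and handled by the netisr threads. That pattern points at the NIC's receive interrupt being serviced by a single core; `vmstat -i` shows how the interface's interrupts are distributed. QDrops is zero throughout, so the netisr queue limits are not where packets are being lost.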
#9
General Discussion / Re: How do predefined net alia...
Last post by Monviech (Cedrik) - June 29, 2026, 07:45:15 PM
Sorry it feels like we are hijacking this thread now. If this needs to be discussed further best create a new thread.
#10
General Discussion / Re: How do predefined net alia...
Last post by Bob.Dig - June 29, 2026, 07:21:39 PM
Thanks for pointing to that discussion. My English ain't that good, so I have the feeling that I still might be missing something. Let's say I have two WANs, and for both I block RFC1918 outgoing, so I used one floating rule. But for one WAN, I have an allow rule for WAN_network before that. Now I am forced to do things differently.

Quote: in which you can move rules at any spot you want
That sounds like more freedom, but yet we will get less. :)
I kinda think that you could achieve that goal at the same time without that floating decision; I can't see the benefit yet. ;) And some people hate any friction.