Recent posts

#1
25.7, 25.10 Series / Re: service adguardhome not st...
Last post by BrandyWine - Today at 05:14:22 AM
Before doing anything manually, what does "netstat -na |grep 53" show?
#2
Quote from: OPNenthu on December 08, 2025, 09:49:35 AM
Just came across this: https://www.intel.com/content/www/us/en/support/articles/000005593/ethernet-products.html

I wonder if Windows clients need this "Intel® PROSet" tool to expose these functions in Device Manager and that's maybe what the reference was in regard to.
PROSet is no longer available for Win10 after package 20.120.
Since Win10 is basically over, Intel isn't interested in keeping PROSet for it. Makes sense.
PROSet, though, is basically the driver for Windows (GUI + driver). I wonder how you then handle the VLAN stuff from, say, Linux.
https://www.intel.com/content/www/us/en/support/articles/000026008/wireless.html
#3
Q-Feeds (Threat intelligence) / Re: q-feeds feedback
Last post by Q-Feeds - December 11, 2025, 11:15:19 PM
Hi Mokaz and Dirtyfreebooter,

Glad everything works as expected! And thanks a lot for your feedback, really appreciated. Please find our answers below.

1.
Your guess is correct, the Community edition only provides open-source intelligence. Our threat lookup (Plus and Premium licenses) feature gives more insight into where items come from. We're not planning to make this available for the Community edition.

2.
As Cedrik already mentioned. :)

3.
We went with this approach because several users asked for a specific category during our beta testing. I guess everyone has their own preferences. :) Our personal view is that it's clearer to keep a distinction between Security and Services, otherwise the Services menu becomes cluttered with too many different functions. That said, I do agree that adding other security related services (including Zenarmor) to the menu would help keep things clean and consistent. I'll add it to our next meeting agenda to have a look at it.

Thanks again!

Kind regards,

David
#4
25.7, 25.10 Series / Re: service adguardhome not st...
Last post by cookiemonster - December 11, 2025, 11:08:51 PM
Seems that way. In my setup I don't have this problem, probably because I don't bother with selecting interfaces for AdG. That is where the firewall rules come into their own. So my AdGuard has in its config
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
#5
Q-Feeds (Threat intelligence) / Re: [Feature Request] DNSBL fo...
Last post by Q-Feeds - December 11, 2025, 10:48:20 PM
Good news, we expect to launch support for DNSCrypt-proxy in the next release (Plugin v1.4).

#6
Tutorials and FAQs / Re: OPNsense + PROXMOX + VLANs...
Last post by viragomann - December 11, 2025, 10:47:38 PM
What? Is the pppoe on vtnet0 or vtnet1?

Can you post the Proxmox network and the switch configuration?
#7
German - Deutsch / Re: 10G Hardware Empfehlungen
Last post by meyergru - December 11, 2025, 09:59:17 PM
There are a few things to keep in mind with Alder Lake systems; they are described here under point 23. The tuneables in the post linked there are particularly important.

Beyond that, there are often two more problems:

1. The build quality is often not the best, because the CPU doesn't sit well against the case or the thermal paste is badly applied.
Besides, a passively cooled N3xx would probably be too much of a good thing, especially once the heat from the 10G ports is added.

2. The manufacturers (including CWWK) usually run the Nxxx CPUs at the upper limit of their possible TDP, for example the N100 at 25 watts instead of 6 W, and often enough you can't easily get at these settings in the BIOS.

I've told all of this here before - but you have one with a fan, so it doesn't weigh as heavily.


#8
Portuguese - Português / OPNsense 25.7.9 | OpenVPN TAP ...
Last post by glgontijo - December 11, 2025, 09:54:34 PM
Hi everyone,

I need the TAP VPN (yes... it has to be TAP) not to create the default gateway (route 0.0.0.0).
I've already tried "route-nopull" and "route-noexec" (server, client via CSC, export file).

Let me spell out what I need.
  • Clients authenticate with username and password (freeradius, so far this is perfect)
  • Only clients with a CSC configuration can authenticate to the VPN
  • Clients receive a LAN IP via CSC
  • Only the LAN routes should be created on the client. But it creates the default route, with a metric lower than the one already there.  THIS IS MY PROBLEM!

Here are the files (I edited them to remove sensitive data)

Server: # cat /var/etc/openvpn/*.conf | sed -n '1,200p'
dev ovpns1
ping-timer-rem
topology subnet
dh /usr/local/etc/inc/plugins.inc.d/openvpn/dh.rfc7919
verify-client-cert require
remote-cert-tls client
server-bridge
username-as-common-name
client-config-dir /var/etc/openvpn-csc/1
auth-user-pass-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py --defer '29533187-c920-428c-b82f-6fd2c670ad14'" via-env
learn-address "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '1'"
client-disconnect "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '29533187-c920-428c-b82f-6fd2c670ad14'"
tls-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '29533187-c920-428c-b82f-6fd2c670ad14'"
multihome
push "explicit-exit-notify"
push "route 172.16.0.0 255.255.0.0"
route 172.16.0.0 255.255.0.0
persist-tun
persist-key
keepalive 10 60
dev-type tap
dev-node /dev/tap1
script-security 3
writepid /var/run/ovpn-instance-29533187-c920-428c-b82f-6fd2c670ad14.pid
daemon openvpn_server1
management /var/etc/openvpn/instance-29533187-c920-428c-b82f-6fd2c670ad14.sock unix
proto udp4
verb 7
disable-dco
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
port 1194
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
block-ipv6
float
explicit-exit-notify
fast-io
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----


Client CSC:  # cat /var/etc/openvpn-csc/1/guilherme.gontijo@uftm.edu.br  | sed -n '1,200p'
ifconfig-push 172.16.7.2 255.255.0.0


Exported file:
dev tap
persist-tun
persist-key
data-ciphers-fallback AES-256-GCM
client
resolv-retry infinite
remote 186.248.203.214 1194 udp4
remote 200.131.62.250 1194 udp4
lport 0
verify-x509-name "C=BR, ST=MG, L=Uberaba, O=UFTM, OU=PROTIC, CN=vpnserver-certificate.uftm.br" subject
remote-cert-tls server
auth-user-pass
auth-nocache
route-noexec
route-nopull
<ca>
-----BEGIN CERTIFICATE-----


Note: ChatGPT and Gemini couldn't help me with this one... haha
#9
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by Monviech (Cedrik) - December 11, 2025, 09:51:18 PM
Nothing weird I can see in the config.

All features I have tested and ran for months without crashes.

Strange.

I could only recommend slowly disabling features until it doesn't happen anymore.

E.g. first disable RA/DHCPv6... check, then DHCPv4... check

That could get to the bottom of this.


------

Also since the known memory leak seems to refer to reading hostnames from files, maybe check if dnsmasq_watcher.py is running?

I refer to this part

# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases
#10
25.7, 25.10 Series / Re: random sFTP connection att...
Last post by Patrick M. Hausen - December 11, 2025, 09:39:30 PM
If you configure any of the automated backup plugins (SFTP, Nextcloud, git, ...) OPNsense will run a backup every night at 2:00. No need to configure an explicit cron job if daily backups are enough for you.