"Recent posts
#1
26.1, 26,4 Series / Update to 26.1 really odd beha...
Last post by opn69a - Today at 07:51:28 PMAlright, so I don't quite know what's going on... So going to give all the experiences I've had this morning so far. Note that I actually updated to 26.1.6 (from 25.7.x) on April 28th and had no problems during that upgrade/reboot itself, or at least not that was obvious to me. But this morning, an update went for 26.1.7_1 and then I did run into some major problems. I don't think it's actually specific to that patch, but maybe it is.
I woke up this morning to no internet, and then saw that my firewall was blocking and accepting a bunch of requests that were completely against my rules (migrating to the new rules and deleting all my old rules made NO difference). Upon further inspection, I found that I was able to change one of the block rules to a direct host instead of an alias and then it worked correctly. When looking at the diagnostics>aliases section, it showed "No results found" for *all* aliases, even those that are just hardcoded ips/ports instead of pulling data via external resources and such.
I looked at the changelog for the new patch and don't see anything about aliases other than:
> o firewall: fix typo in alias update error log and make parser a bit more resilient
I doubt that would be it. To troubleshoot, from some forum searches I made, I tried to duplicate one of the aliases, but it always showed "0 loaded". I saw in the general log some errors related to pulling down the GeoIP list from Maxmind, so I removed the url from my GeoIP settings to see if that'd resolve it - it didn't. There are no other logs showing up in the general firewall logs either.
While troubleshooting for like 3 hours, out of nowhere all my aliases filled up and the firewall was properly using them. I don't understand why, even after several reboots and repetitive 'saves' to my settings, it just suddenly decided to work out of no where. But my problems are not completely solved.
I still appear to be getting an error in the logs about not being able to reach maxmind. Here's the error I get:
geoip update failed : HTTPSConnectionPool(host='download.maxmind.com', port=443): Max retries exceeded with url: /app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=[REDACTED]&suffix=zip (Caused by NewConnectionError("HTTPSConnection(host='download.maxmind.com', port=443): Failed to establish a new connection: [Errno 65] No route to host"))
I did a DNS lookup through the firewall's terminal and dns diagnostics tool and can see it properly gets the IP address back, so it's not a DNS issue. I tried to ping the IP directly and it times out. I used the Ping diagnostics tool and various random external ip addresses fail (internal ones like my router and stuff work fine). This appears to be that any request that comes from the firewall itself is being blocked. But... I see this in the logs for _all_ pings:
"let out anything from firewall host itself"
I get success pings for sites like: opnsense.org, google.com, and yahoo.com; but failures for sites like: maxmind.com, linuxmint.com, and ebay.com (where these 3 pings are successful on my local laptop)... All those requests are being permitted, yet that's where they end - it's as though it's still being blocked somewhere that I cannot quite figure out...
I looked more at my aliases and noticed any alias related to Maxmind and GeoIP lookup and they all showed "last update" on 04/28. The general log files for maxmind failures only date back to 05/01 evening, though (the update was 05/02 morning, maybe 6 hours later)... I did absolutely nothing to my firewall at the time the started failing, and in fact was just playing a game at the time it started erroring out. I'm wondering if the update to 26.1 caused the firewall to have some extra rules somewhere that's initiating some kind of killswitch and refuse to hit those ip addresses, but this is just a theory in my mind, nothing to support it.
So with that, does anyone have any suggestions on where I can troubleshoot further? I'm out of ideas with having no useful logs other than the ones mentioned above. I don't know if the timeouts from external sites are what's causing the aliases to not work initially on boot or if it's something else, but I'm hoping resolving the general connection issues from the firewall part will perhaps get it to work and then prevent me from experiencing this rather scary experience where traffic could have been "free to do whatever it wants", had I not had a single alias that was just by chance blocking things and taking down the network.
I woke up this morning to no internet, and then saw that my firewall was blocking and accepting a bunch of requests that were completely against my rules (migrating to the new rules and deleting all my old rules made NO difference). Upon further inspection, I found that I was able to change one of the block rules to a direct host instead of an alias and then it worked correctly. When looking at the diagnostics>aliases section, it showed "No results found" for *all* aliases, even those that are just hardcoded ips/ports instead of pulling data via external resources and such.
I looked at the changelog for the new patch and don't see anything about aliases other than:
> o firewall: fix typo in alias update error log and make parser a bit more resilient
I doubt that would be it. To troubleshoot, from some forum searches I made, I tried to duplicate one of the aliases, but it always showed "0 loaded". I saw in the general log some errors related to pulling down the GeoIP list from Maxmind, so I removed the url from my GeoIP settings to see if that'd resolve it - it didn't. There are no other logs showing up in the general firewall logs either.
While troubleshooting for like 3 hours, out of nowhere all my aliases filled up and the firewall was properly using them. I don't understand why, even after several reboots and repetitive 'saves' to my settings, it just suddenly decided to work out of no where. But my problems are not completely solved.
I still appear to be getting an error in the logs about not being able to reach maxmind. Here's the error I get:
geoip update failed : HTTPSConnectionPool(host='download.maxmind.com', port=443): Max retries exceeded with url: /app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=[REDACTED]&suffix=zip (Caused by NewConnectionError("HTTPSConnection(host='download.maxmind.com', port=443): Failed to establish a new connection: [Errno 65] No route to host"))
I did a DNS lookup through the firewall's terminal and dns diagnostics tool and can see it properly gets the IP address back, so it's not a DNS issue. I tried to ping the IP directly and it times out. I used the Ping diagnostics tool and various random external ip addresses fail (internal ones like my router and stuff work fine). This appears to be that any request that comes from the firewall itself is being blocked. But... I see this in the logs for _all_ pings:
"let out anything from firewall host itself"
I get success pings for sites like: opnsense.org, google.com, and yahoo.com; but failures for sites like: maxmind.com, linuxmint.com, and ebay.com (where these 3 pings are successful on my local laptop)... All those requests are being permitted, yet that's where they end - it's as though it's still being blocked somewhere that I cannot quite figure out...
I looked more at my aliases and noticed any alias related to Maxmind and GeoIP lookup and they all showed "last update" on 04/28. The general log files for maxmind failures only date back to 05/01 evening, though (the update was 05/02 morning, maybe 6 hours later)... I did absolutely nothing to my firewall at the time the started failing, and in fact was just playing a game at the time it started erroring out. I'm wondering if the update to 26.1 caused the firewall to have some extra rules somewhere that's initiating some kind of killswitch and refuse to hit those ip addresses, but this is just a theory in my mind, nothing to support it.
So with that, does anyone have any suggestions on where I can troubleshoot further? I'm out of ideas with having no useful logs other than the ones mentioned above. I don't know if the timeouts from external sites are what's causing the aliases to not work initially on boot or if it's something else, but I'm hoping resolving the general connection issues from the firewall part will perhaps get it to work and then prevent me from experiencing this rather scary experience where traffic could have been "free to do whatever it wants", had I not had a single alias that was just by chance blocking things and taking down the network.
#2
Hardware and Performance / Re: Achieving sustained 25Gbps...
Last post by VRBitman - Today at 06:56:42 PMQuote from: enzo on Today at 04:56:09 PMQuote from: pfry on May 01, 2026, 11:32:15 PMQuote from: VRBitman on May 01, 2026, 05:13:27 PM[...]
I live alone and I generally use only one device to surf the Internet.
At 25Gb/s? That's some surfing.
For sure he lives in Switzerland, with init7 it's the same price for 1, 10 or 25Gb/s
Yes I can confirm that.
And I've received confirmation somewhere else that RAM is not important for achieving very high speeds.
Thank you everyone.
#3
Hardware and Performance / Re: Achieving sustained 25Gbps...
Last post by VRBitman - Today at 06:54:52 PMQuote from: pfry on May 01, 2026, 11:32:15 PMQuote from: VRBitman on May 01, 2026, 05:13:27 PM[...]
I live alone and I generally use only one device to surf the Internet.
At 25Gb/s? That's some surfing.
Well I download things every now and then as well.. maybe a game on Steam, an ISO somewhere else..
#4
Hardware and Performance / Re: Achieving sustained 25Gbps...
Last post by enzo - Today at 04:56:09 PMQuote from: pfry on May 01, 2026, 11:32:15 PMQuote from: VRBitman on May 01, 2026, 05:13:27 PM[...]
I live alone and I generally use only one device to surf the Internet.
At 25Gb/s? That's some surfing.
For sure he lives in Switzerland, with init7 it's the same price for 1, 10 or 25Gb/s
#5
26.1, 26,4 Series / Re: Set specific IP address fo...
Last post by nero355 - Today at 04:19:31 PMQuote from: rama3124 on May 01, 2026, 11:30:40 PMI've lost all my dhcp mappings.Why didn't you export them into a .CSV file ?!
You can do it from the webGUI directly :)
QuoteMy unraid server IP address has been given to another device.Your UNRAID Server should have a Static IP Address configured in it's OS and only use the Static DHCP Mapping based on the MAC Address as a backup solution in case some OS update/upgrade does something weird to your network's configuration !!
How do I kick this device off the address and give it to my unraid server?
I would put the device that has "stolen" the IP Address offline now and configure your UNRAID Server correctly first.
Then when the "bad device" goes online again it should get a new IP Address :)
And last but not least :
Make sure all your Clients that connect to the UNRAID Server use host.domain.tld to connect to it instead of the IP Address.
So for example unraid.athome.lan or simply use the new .internal domain for private use : unraid.internal
This way you can just change the IP Address of the DNS Record and solve the issue too if something like this happens again in the future...
#6
General Discussion / OpenWRT and OPNsense - NEWB co...
Last post by dogshome - Today at 04:16:32 PMOPNsense: Powerful, easy to us (once you have a clue what it is you are trying to achieve) and it hasn't failed in what I wanted out of it. Loads of info, and the GUI helps you. Top Job :-)
OPENwrt: Very much like a Raspberry Pi clone in terms of software. I have a couple of Friendly ARM SBCs, an Orange Pi and a horrible Mango Pi. Most of them have some restriction or a dozen required work-arounds. They are gainfully employed as security cams, christmas lights etc and until recently a pi-hole. Only the Mango lies dormant though. No support.
It's not that bad, but reminds me of certain motor drives I've configured in my work. Limited instructions, 'simplified' software diagrams and things you are told to set up monkey-see monkey-do. Doesn't work? start at step 1 again. Thanks Rockwell. Siemens on the other hand, give you masses of good paper and online information, plus detailed diagnostics to see what's happening. It's overwhelming to start with, but much easier once you've got the basics.
OPENwrt: Very much like a Raspberry Pi clone in terms of software. I have a couple of Friendly ARM SBCs, an Orange Pi and a horrible Mango Pi. Most of them have some restriction or a dozen required work-arounds. They are gainfully employed as security cams, christmas lights etc and until recently a pi-hole. Only the Mango lies dormant though. No support.
It's not that bad, but reminds me of certain motor drives I've configured in my work. Limited instructions, 'simplified' software diagrams and things you are told to set up monkey-see monkey-do. Doesn't work? start at step 1 again. Thanks Rockwell. Siemens on the other hand, give you masses of good paper and online information, plus detailed diagnostics to see what's happening. It's overwhelming to start with, but much easier once you've got the basics.
#7
Hardware and Performance / Re: N150 Mini PC, RTL8153, AX8...
Last post by dogshome - Today at 03:51:29 PMUpdate: it had been running for 9 days until 01:00 on 1st May. Then a total crash. This is the exact same time I'd set a CRON task to update Unbound blocklists. Rebooted.
Ran again for an exact number of hours, and this time just the WAN gateway was missing. Smoking gun?....... This was the exact time I'd set another CRON task to check for firmware update. Reaches for smokes in the old brown, leather top desk. Leans back in the creaky old chair. The dusky New York office lights up for a brief spark, before drifting back into the gloom.......
Anyhow. There WAS a firmware update and it did say 'CRON error fixed'. Where's that Linux Pi to test with gone? Before I get Roger Rabbit arrested :-)
Ran again for an exact number of hours, and this time just the WAN gateway was missing. Smoking gun?....... This was the exact time I'd set another CRON task to check for firmware update. Reaches for smokes in the old brown, leather top desk. Leans back in the creaky old chair. The dusky New York office lights up for a brief spark, before drifting back into the gloom.......
Anyhow. There WAS a firmware update and it did say 'CRON error fixed'. Where's that Linux Pi to test with gone? Before I get Roger Rabbit arrested :-)
#8
26.1, 26,4 Series / Re: Dnsmasq DHCP on new guest ...
Last post by nero355 - Today at 03:51:10 PMQuote from: bernieo on May 01, 2026, 12:59:31 AMI feel silly now. Somehow I forgot that you have to add each new interface scoped for to the list in: Services: Dnsmasq DNS & DHCPPlease add [SOLVED] at the beginning of your Topic Title if the issue has been resolved :)
#9
26.1, 26,4 Series / Re: Old Rules --> New rules
Last post by nero355 - Today at 03:46:28 PMQuote from: torwag on April 30, 2026, 11:58:13 PMI would love to see a possibility to mark certain entries, including those I don't use, in the particular menu bar to set them to be invisible. Potentially indicating that the current view of the menu bar is a shortened version, by a very subtle "..." sign at the end of a menu-bar. Clicking on that three dots, will extend the menu bar to its complete and full glory.There has been recent talk about a "Favorites" feature for the webGUI and you can follow it here : https://github.com/opnsense/core/pull/10033
Thus, users could shorten and customize the menus for daily use, without losing the possibility to quickly access seldomly used features.
#10
26.1, 26,4 Series / Re: OPNsense 26.1.7-amd64 - Gu...
Last post by frade - Today at 03:32:37 PMI've already discovered the source.
Whenever I change the Dashboard (remove or add a widget), a <dashboard> tag with incorrect formatting is created in the user's line in the config.xml file.
When I delete the tag, the user can save correctly again.
Why is the tag incorrectly formatted?
Thank you for your help.
Whenever I change the Dashboard (remove or add a widget), a <dashboard> tag with incorrect formatting is created in the user's line in the config.xml file.
When I delete the tag, the user can save correctly again.
Why is the tag incorrectly formatted?
Thank you for your help.
