Recent posts

#1

German - Deutsch / Upgrading package manager from...

Last post by dax67 - Today at 10:56:04 AM

Hallo,

nach dem Update auf 26.1.5 sind alle installierten Erweiterungen als (verwaist)markiert.
Nicht installierte Erweiterungen und Pakete sind nicht mehr sichtbar.

Was hat das

Code Select Expand

Upgrading package manager from version '2.5.1' to '2.3.1_1' zu sagen?

Hier die Ausgabe der Aktualiseirung:

Code Select Expand

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 26.1.5 (amd64) at Wed Apr  1 10:40:09 CEST 2026
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data: .......... done
Processing entries: .......... done
OPNsense repository update completed. 929 packages processed.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
Fetching data: ........ done
Processing entries: .. done
SunnyValley repository update completed. 15 packages processed.
Updating ntop repository catalogue...
Fetching meta.conf: . done
Fetching data: . done
Processing entries: . done
ntop repository update completed. 6 packages processed.
All repositories are up to date.
Child process pid=93975 terminated abnormally: Segmentation fault
Upgrading package manager from version '2.5.1' to '2.3.1_1'
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
OPNsense is up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Child process pid=3736 terminated abnormally: Segmentation fault
Checking for upgrades (229 candidates): .......... done
Processing candidates (229 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
Ich habe zwar im englischsprachischem Forum was dazu gefunden, werde aber nich schlau daraus.

Gruß DAX

#2

Intrusion Detection and Prevention / Performance Tunning on Opensta...

Last post by nhk - Today at 10:52:15 AM

Hello,

I am setting up IPS in an OpenStack environment. It works fine when I use a single NIC, but when I use more than one NIC, I encounter the following errors:

I tried configuring the system with:

dev.netmap.buf_num = 1000000
dev.netmap.admode = 0
dev.netmap.ring_num = 256
dev.netmap.buf_size = 4096

However, it did not work. When I changed dev.netmap.admode to 2, it started working, but only in emulated mode with poor performance.

I would appreciate any advice on how to run IPS efficiently in an OpenStack environment.

Thank you.

#3

General Discussion / Re: Which trigger for new IPv6...

Last post by meyergru - Today at 10:49:44 AM

Oh, I forgot: With services that actually allow to set a specific IP, you can use this to set the __MYIP__ variable for a custom get request with an interface prefix plus a specific EUI-64:
You cannot view this attachment.

#4

26.1 Series / Re: os-nut: Broken plugin kill...

Last post by Patrick M. Hausen - Today at 10:37:41 AM

1. it went into halt mode and stayed there

Does your device support ACPI power off? Some embedded systems don't.

2. UPS power was recycled so it killed everything, including OPNSense itself which was in halt mode, it never fully shutdown.

But power cycling when halted does not hurt.

And I already agreed hard wired shutting down the UPS is probably a bad idea - please raise a feature request on Github.

#5

26.1 Series / Re: os-nut: Broken plugin kill...

Last post by hakuna - Today at 10:21:19 AM

1. "/usr/local/etc/rc.halt" does call "shutdown -p now":

Code Select Expand

#!/bin/sh

# shutdown syshook / plugin scripts
/usr/local/etc/rc.syshook stop

/sbin/shutdown -op now

while :; do sleep 1; done

2. The hardwired killpower flag might call for a feature request to make it configurable.

I haven't noticed because here my OPNsense is the master NUT server and all other servers shut down first. I think the firewall killing the Internet connection should go down last.

HTH,
Patrick

When I was running OPNSense as master and was testing around:

1. it went into halt mode and stayed there
2. UPS power was recycled so it killed everything, including OPNSense itself which was in halt mode, it never fully shutdown.

Avoids NUT nonsense

Patrick, this also answer your "I think the firewall killing the Internet connection should go down last."

By having a NUT server, it gives me full control of everything:

1. Everybody BIOS is set to turn back online when the power is restored.
2. You can run a command from the NUT server to recycle the UPS power
3. If the battery is back above 80% for example, recycle the UPS power, and that will bring everybody back online [1]
4. This is a Dell Wyse 3040 5v3A so it will run forever before going down, it also turns on automatically when the power is restored.
5. NAS is my only priority, it must be the first one to go down. If OPNSense goes down first or later, so be it.
6. Proxmox scripts do check if the NAS is up and if the NFS shares are active before running backups, otherwise, skip.

I did what I did to keep the whole process fully automated.
I am novice so don't take me too seriously :)

#6

25.7, 25.10 Series / After power outage stuck initi...

Last post by pato - Today at 10:12:06 AM

Hi
My box has a power outage and isn't since booting anymore, see screenshot.
I did successfully boot in single user mode and check the file system, which was clean.
Any other ideas what I could check or do before nuking my installation?
Thanks
Pato

#7

26.1 Series / Re: os-nut: Broken plugin kill...

Last post by Stormscape - Today at 09:59:09 AM

Here's the secret: OPNsense has an API that can be called programmatically by shell scripts. I have another computer run this shell script when it shuts down for UPS to shut down my OPNsense. Avoids NUT nonsense. You might want to edit it a bit but it works fine for me. This script as written requires OPNsense to have a valid SSL cert, though:

Code Select Expand

#!/usr/bin/env bash
set -Eeuo pipefail

OPNSENSE_HOSTS=("https://opnsense.example.com")   # add more for HA
API_KEY="<API KEY HERE>"
API_SECRET="<API SECRET HERE>"
ENDPOINT="/api/core/firmware/poweroff"

CONNECT_TIMEOUT=3
MAX_TIME=10
RETRIES=3
RETRY_DELAY=2

log(){ logger -t ppb-opnsense -- "$*"; echo "[$(date -Is)] $*"; }

call_shutdown() {
  local url="${1%/}${ENDPOINT}"
  local args=(
    --silent --show-error
    --header "Content-Type: application/json"
    --user "${API_KEY}:${API_SECRET}"
    --data '{}'
    --connect-timeout "$CONNECT_TIMEOUT"
    --max-time "$MAX_TIME"
    --write-out "HTTP_CODE=%{http_code}\n"
    --output /dev/null
  )
  # With LE, system trust store is fine; no -k used.

  local out rc code
  for ((i=1;i<=RETRIES;i++)); do
    set +e
    out=$(curl -X POST "${args[@]}" "$url" 2>&1); rc=$?
    set -e
    code=""; [[ "$out" =~ HTTP_CODE=([0-9]{3}) ]] && code="${BASH_REMATCH[1]}"

    if [[ "$code" =~ ^2..$ || "$code" == "000" ]]; then
      log "Accepted by $url (HTTP:${code:-none})."
      return 0
    fi
    log "Attempt $i failed (rc:$rc HTTP:${code:-none}). Out: $out"
    (( i < RETRIES )) && sleep "$RETRY_DELAY"
  done
  return 1
}

main(){
  command -v curl >/dev/null || { log "ERROR: curl not found"; exit 2; }
  local fail=0
  for h in "${OPNSENSE_HOSTS[@]}"; do
    log "Requesting shutdown: $h"
    call_shutdown "$h" || { log "ERROR: $h did not acknowledge"; ((fail++)); }
  done
  (( fail==0 )) && { log "All shutdown calls issued."; exit 0; } || exit 1
}
main "$@"


#8

26.1 Series / Re: os-nut: Broken plugin kill...

Last post by Patrick M. Hausen - Today at 09:55:38 AM

1. "/usr/local/etc/rc.halt" does call "shutdown -p now":

Code Select Expand

#!/bin/sh

# shutdown syshook / plugin scripts
/usr/local/etc/rc.syshook stop

/sbin/shutdown -op now

while :; do sleep 1; done

2. The hardwired killpower flag might call for a feature request to make it configurable.

I haven't noticed because here my OPNsense is the master NUT server and all other servers shut down first. I think the firewall killing the Internet connection should go down last.

HTH,
Patrick

[Could not connect — xray-core may be stopped or port unreachable]

#9

Russian - Русский / Re: os-xray — плагин Xray-core...

Last post by bleur - Today at 09:42:47 AM

Добрый день, подскажите пожалуйста, после установки и xray и tun запущены ошибок нет , пинг до впн есть, валидация конфига работает, и на сотовом конфиг проверен, но тест соединения выводит ошибку "✗ Could not connect — xray-core may be stopped or port unreachable". Если проверять из консоли командой то код ответа 000. В логе xray следующее содержимое

Code Select Expand

2026/03/13 14:25:45.243584 [Info] [1046434210] proxy/socks: TCP Connect request to tcp:1.1.1.1:443
2026/03/13 14:25:45.243593 from tcp:127.0.0.1:54616 accepted tcp:1.1.1.1:443 [socks-in >> proxy]
2026/03/13 14:25:45.243604 [Info] [1046434210] app/dispatcher: default route for tcp:1.1.1.1:443
2026/03/13 14:25:45.243630 [Info] [1046434210] transport/internet/tcp: dialing TCP to tcp:IP_МОЕГО_VPN:443
2026/03/13 14:25:45.243637 [Debug] [1046434210] transport/internet: dialing to tcp:IP_МОЕГО_VPN:443
2026/03/13 14:25:45.464433 [Info] [1046434210] proxy/vless/outbound: tunneling request to tcp:1.1.1.1:443 via IP_МОЕГО_VPN:443
2026/03/13 14:25:45.464556 [Debug] [1046434210] proxy: XtlsFilterTls found tls client hello! 517
2026/03/13 14:25:45.464586 [Debug] [1046434210] proxy: XtlsPadding 517 798 0Заранее спасибо за помощь.

Аналогичная проблема возникает при проверке Could not connect — xray-core may be stopped or port unreachable
Несколько раз уже все сносил и ставил по новой. Все проверки делал из github, но не могу понять, почему не работает.
Аналогичная версия ОС стоит на домашнем роутере и такая-же версия приложения os-xray v3.0.0 и Xray 26.3.27 (Xray, Penetrates Everything.) d2758a0 (go1.26.1 freebsd/amd64)

как у вас порешалась проблема?

Code Select Expand

Xray 26.3.27 (Xray, Penetrates Everything.) d2758a0 (go1.26.1 freebsd/amd64)
A unified platform for anti-censorship.
2026/04/01 10:25:15.725096 [Info] infra/conf/serial: Reading config: &{Name:/usr/local/etc/xray-core/config-38d0f80c-f39b-4b64-9f09-8f2037f90c2c.json Format:json}
2026/04/01 10:25:15.739766 [Warning] core: Xray 26.3.27 started
{"level":"info","ts":1775028316.4993405,"caller":"engine/engine.go:237","msg":"[STACK] tun://proxytun2socks0 <-> socks5://127.0.0.1:10808"}
2026/04/01 10:25:20.460365 from tcp:127.0.0.1:14560 accepted tcp:1.1.1.1:443 [socks-in >> proxy]
2026/04/01 10:40:27.525360 from tcp:127.0.0.1:27483 accepted tcp:1.1.1.1:443 [socks-in >> proxy]

Code Select Expand

OPNsense 26.1.5-amd64
FreeBSD 14.3-RELEASE-p9
OpenSSL 3.0.19


#10

General Discussion / Re: Why I am retiring from con...

Last post by meyergru - Today at 09:37:09 AM

So you see how the cat jumps. You call it angry on the first encounter, some call it plain hostility after having experienced it multiple times. I understand your approach to cool down tempers and try to get to basics (I once did in vain), but that is an uphill battle that Franco has ceased to take. The FreeBSD folks are unwilling to change it for good, so that is that.

P.S.: "Frankenstein PF", I like that. Maybe we should call the other one "Zombie ICMPv6" (for missing parts). ;-)