"Recent posts
#1
26.1, 26,4 Series / Re: Degraded Speed Ghost
Last post by pfry - June 19, 2026, 10:19:43 PMQuote from: juicemain on June 19, 2026, 09:04:21 PM[...]The opnsense machine didn't even recognize the realtek nic that I tried to use with it[...]
What chip? RTL8126 support may be spotty and 8127 nonexistent. The plugin driver will support the 8125, at least. While you have it, it can't hurt to try it.
Naturally it's tough to characterize your situation to/from a forum. What OS were you running on the client PCs?
#2
26.1, 26,4 Series / OPNCentral: Automatic Certific...
Last post by ig-it1342 - June 19, 2026, 09:45:51 PMHi everyone,
recently, the update mechanism for pushing SSL certificates to OPNCentral-managed hosts from the main host seems to have stopped working.
Unfortunately, I don't precisely know which versions broke the functionality, however it is not working at least on the latest 26.4.1 patch.
The host is configured as following:
This is the certificate configured on the provisioning:
The provisioning for Web GUI is apparently complete (no new data):
However, the certificate is not set in the Web GUI config of the Host, and is nowhere to be found in the Certificate store:
Both firewalls were restarted and updated, and I manually tried to start the provisioning, but nothing happens.
No related log lines / errors are present in the system log of either firewalls.
Has anyone experienced the same issue recently?
---
Versions: Both firewalls are running
OPNsense 26.4.1-amd64
FreeBSD 14.3-RELEASE-p15
OpenSSL 3.0.21
with plugin versions
os-OPNBEcore 1.8_2
os-OPNcentral 1.12_2
recently, the update mechanism for pushing SSL certificates to OPNCentral-managed hosts from the main host seems to have stopped working.
Unfortunately, I don't precisely know which versions broke the functionality, however it is not working at least on the latest 26.4.1 patch.
The host is configured as following:
This is the certificate configured on the provisioning:
The provisioning for Web GUI is apparently complete (no new data):
However, the certificate is not set in the Web GUI config of the Host, and is nowhere to be found in the Certificate store:
Both firewalls were restarted and updated, and I manually tried to start the provisioning, but nothing happens.
No related log lines / errors are present in the system log of either firewalls.
Has anyone experienced the same issue recently?
---
Versions: Both firewalls are running
OPNsense 26.4.1-amd64
FreeBSD 14.3-RELEASE-p15
OpenSSL 3.0.21
with plugin versions
os-OPNBEcore 1.8_2
os-OPNcentral 1.12_2
#3
German - Deutsch / Re: Kleine OPNsense mit WLAN? ...
Last post by Patrick M. Hausen - June 19, 2026, 09:19:35 PMQuote from: NDregger on June 19, 2026, 09:10:45 PMIch weiß noch aus meinen Anfängen mit OPNsense das es nicht die tollste Idee ist ein WLAN Modul in einer OPNsense betreiben zu wollen
Richtig.
Quote from: NDregger on June 19, 2026, 09:10:45 PMaber vielleicht hat sich ja hier mittlerweile richtig was getan und wir könnten dem Kreuz Kosten ersparen?
Falsch.
Kauft einen kleinen AP wie einen Mikrotik hAP ax S oder eine Fritzbox im LAN-Client-Modus.
Sorry, aber es gilt nach wie vor: WLAN infrastructure mode on FreeBSD - don't. Der Mikrotik AP liefert noch einen 5-Port Switch mit. Alles fein.
#4
German - Deutsch / Re: Kleine OPNsense mit WLAN? ...
Last post by Monviech (Cedrik) - June 19, 2026, 09:16:55 PMIch glaube bei FreeBSD hat sich hauptsächlich was für den Client Mode gemacht, eher weniger für den AP mode.
Also ich empfehle einen externen Access Point, weil dann hat man auch die neuesten Funk und Protokollstandards.
Schlechtes WLAN regt nur alle auf und ist das rumgefrickel nicht wert.
BTW viele Grüße :)
Also ich empfehle einen externen Access Point, weil dann hat man auch die neuesten Funk und Protokollstandards.
Schlechtes WLAN regt nur alle auf und ist das rumgefrickel nicht wert.
BTW viele Grüße :)
#5
German - Deutsch / Kleine OPNsense mit WLAN? Hard...
Last post by NDregger - June 19, 2026, 09:10:45 PMHallo Freunde der OPNsense,
nach nun auch schon wieder mehreren Jahren bin ich ja mittlerweile echt verliebt in die OPNsense und komme mittlerweile in wirklich vielen Bereichen wunderbar mit ihr zum Ziel, nur heute hatte ich bei uns im DRK eine Frage von Kollegen wo ich mit den Schultern zucken musste:
Wir haben im Ortverband eine Protectli mit OPNsense an einem Vodafone COAX Internet Anschluss mit fester IP im Einsatz, alles wunderbar mit VPN und Co, nur haben wir einen Mini Außenstandort mit einem Vodafone Gigacube - nur der kann halt nicht VPN und Co so wie wir es wollen. Also kam die Idee auf eine kleine OPNsense mit WLAN Modul zu verwenden die dann hinter dem Gigacube sitzt und die WLAN Funktion übernimmt.
Ich weiß noch aus meinen Anfängen mit OPNsense das es nicht die tollste Idee ist ein WLAN Modul in einer OPNsense betreiben zu wollen - aber vielleicht hat sich ja hier mittlerweile richtig was getan und wir könnten dem Kreuz Kosten ersparen?
Im Idealfall würden wir gerne PSK und Radius abbilden, denn unsere Laptops laufen im Hauptstandort mit Radius und wenn wir selbst das noch im Außenstandort beides mit nur einem Gerät abbilden könnten wäre das natürlich traumhaft!
Norbert
nach nun auch schon wieder mehreren Jahren bin ich ja mittlerweile echt verliebt in die OPNsense und komme mittlerweile in wirklich vielen Bereichen wunderbar mit ihr zum Ziel, nur heute hatte ich bei uns im DRK eine Frage von Kollegen wo ich mit den Schultern zucken musste:
Wir haben im Ortverband eine Protectli mit OPNsense an einem Vodafone COAX Internet Anschluss mit fester IP im Einsatz, alles wunderbar mit VPN und Co, nur haben wir einen Mini Außenstandort mit einem Vodafone Gigacube - nur der kann halt nicht VPN und Co so wie wir es wollen. Also kam die Idee auf eine kleine OPNsense mit WLAN Modul zu verwenden die dann hinter dem Gigacube sitzt und die WLAN Funktion übernimmt.
Ich weiß noch aus meinen Anfängen mit OPNsense das es nicht die tollste Idee ist ein WLAN Modul in einer OPNsense betreiben zu wollen - aber vielleicht hat sich ja hier mittlerweile richtig was getan und wir könnten dem Kreuz Kosten ersparen?
Im Idealfall würden wir gerne PSK und Radius abbilden, denn unsere Laptops laufen im Hauptstandort mit Radius und wenn wir selbst das noch im Außenstandort beides mit nur einem Gerät abbilden könnten wäre das natürlich traumhaft!
Norbert
#6
26.1, 26,4 Series / Re: Degraded Speed Ghost
Last post by juicemain - June 19, 2026, 09:04:21 PMWell, a few interesting updates with one I believe is very important:
1. On the parameter suggestions, opnsense logs, pcie lane status, and PPS everything was nominal both before and during the decayed speed state. No unexpected messages, pcie lane status checked out the whole time, etc. It was even harder this time to catch the link flaps for some reason. I can post the command line results if needed, but none of it adds new information to the situation. If there are any other metrics or parameters I should check, please advise.
2. The opnsense machine didn't even recognize the realtek nic that I tried to use with it, so with that combined with how abysmal everyone says the realtek drivers perform, I decided not to pursue that any further. Unless it's recommended that I do for testing sake. Just gonna return it.
3. [the most important] I decided to retry the double NAT solution, this time observing the speed during the degraded state on a second computer that was connected to the initial primary NAT, the ISP provided router (not in bridge mode), to see what speed it would show. I was expecting it to show a normal speed even when the opnsense machine was showing degraded speed if this were a problem local to the opnsense machine. To my surprise, BOTH client pc's, one connected to the opnsense machine AND the one connected to the ISP provided router showed the decayed speed state. Does this show that the problem then is being generated by the opnsense machine (since it never happens with just the ISP provided router alone) and is affecting my modem handshake / connection to my ISP?
To be clear, the setup here was as follows:
client PC #1 -> [Opnsense LAN port] -> Opnsense machine -> [Opensense WAN port] -> ISP provided router (client PC #2 connected via LAN port) -> ISP provided modem
May be important to note here that this behavior persists across opnsense and pfsense as well.
4. I have ordered a Protectli device just to hopefully rule out the PCIE bus / PCIE NIC cards once and for all.
Hopefully, any of this helps add new information. I feel like the next step is to reach out to my ISP, but I have no idea where to even begin the conversation there, or what to speculate could be the problem. They've been receptive enough so far with helping out, but I have a feeling they might put this request on the back burner. They've been pretty shy about providing support for 3rd party router solutions. Thanks again all.
1. On the parameter suggestions, opnsense logs, pcie lane status, and PPS everything was nominal both before and during the decayed speed state. No unexpected messages, pcie lane status checked out the whole time, etc. It was even harder this time to catch the link flaps for some reason. I can post the command line results if needed, but none of it adds new information to the situation. If there are any other metrics or parameters I should check, please advise.
2. The opnsense machine didn't even recognize the realtek nic that I tried to use with it, so with that combined with how abysmal everyone says the realtek drivers perform, I decided not to pursue that any further. Unless it's recommended that I do for testing sake. Just gonna return it.
3. [the most important] I decided to retry the double NAT solution, this time observing the speed during the degraded state on a second computer that was connected to the initial primary NAT, the ISP provided router (not in bridge mode), to see what speed it would show. I was expecting it to show a normal speed even when the opnsense machine was showing degraded speed if this were a problem local to the opnsense machine. To my surprise, BOTH client pc's, one connected to the opnsense machine AND the one connected to the ISP provided router showed the decayed speed state. Does this show that the problem then is being generated by the opnsense machine (since it never happens with just the ISP provided router alone) and is affecting my modem handshake / connection to my ISP?
To be clear, the setup here was as follows:
client PC #1 -> [Opnsense LAN port] -> Opnsense machine -> [Opensense WAN port] -> ISP provided router (client PC #2 connected via LAN port) -> ISP provided modem
May be important to note here that this behavior persists across opnsense and pfsense as well.
4. I have ordered a Protectli device just to hopefully rule out the PCIE bus / PCIE NIC cards once and for all.
Hopefully, any of this helps add new information. I feel like the next step is to reach out to my ISP, but I have no idea where to even begin the conversation there, or what to speculate could be the problem. They've been receptive enough so far with helping out, but I have a feeling they might put this request on the back burner. They've been pretty shy about providing support for 3rd party router solutions. Thanks again all.
#7
26.1, 26,4 Series / Wake on Lan
Last post by MasterTimAX - June 19, 2026, 08:45:14 PMSince the June 2 update, the Wake-on-LAN feature in OPNsense has stopped working.
Is there any known issue currently open regarding this behavior?
Is there any known issue currently open regarding this behavior?
#8
Virtual private networks / Automatic WireGuard initalizat...
Last post by Monju0525 - June 19, 2026, 06:00:45 PMHad problems connecting to wg0 interface that required re-starting wg0, so I am sharing my monit implementation.
It is equivalent to re-starting/toggling the dashboard's WG.
Monit needs to start first (3 to 4 minutes) before Monit re-starts WG.
Tested under OpnSense 26.1.10
Monit Implementation
Steps
#1 Set Opnsense Monit Service setings and Service tests settings
#2 Add wg0_monit_start.sh
#3 Service -> Monit -> Status
#1
Opnsense Services Monit
Service Settings
Name: wg0_monit_start
Type: custom
Path: /usr/local/bin/bash /usr/local/opnsense/scripts/wireguard/wg0_monit_start.sh
Start: /bin/sh -c '/usr/local/sbin/pluginctl -s wireguard restart'
Tests: ZeroStatus
Service Tests Settings
Name: ZeroStatus
Condition: status == 0
Action: Start
#2
nano /usr/local/opnsense/scripts/wireguard/wg0_monit_start.sh
======
#!/bin/bash
# RC is the connection state which defaults = 1
RC=1
# Test wg0 connection state and if no packets are received it needs to be restarted with RC=0
# RC=0 uses the ZeroStatus test to re-start wg0
[[ $(netstat -i | grep -F -- " 0 - " | \
grep "VPN Instance Tunnel IP address" | wc -l) -eq "1" ]] && RC=0 && echo !connected && exit $RC \
|| echo connected && exit 1
======
chmod + /usr/local/opnsense/scripts/wireguard/wg0_monit_start.sh
#3
Program 'wg0_monit_start'
status OK
monitoring status Monitored
monitoring mode active
on reboot start
last exit value 1
last output connected
data collected Fri, 19 Jun 2026 11:49:02
====
It is equivalent to re-starting/toggling the dashboard's WG.
Monit needs to start first (3 to 4 minutes) before Monit re-starts WG.
Tested under OpnSense 26.1.10
Monit Implementation
Steps
#1 Set Opnsense Monit Service setings and Service tests settings
#2 Add wg0_monit_start.sh
#3 Service -> Monit -> Status
#1
Opnsense Services Monit
Service Settings
Name: wg0_monit_start
Type: custom
Path: /usr/local/bin/bash /usr/local/opnsense/scripts/wireguard/wg0_monit_start.sh
Start: /bin/sh -c '/usr/local/sbin/pluginctl -s wireguard restart'
Tests: ZeroStatus
Service Tests Settings
Name: ZeroStatus
Condition: status == 0
Action: Start
#2
nano /usr/local/opnsense/scripts/wireguard/wg0_monit_start.sh
======
#!/bin/bash
# RC is the connection state which defaults = 1
RC=1
# Test wg0 connection state and if no packets are received it needs to be restarted with RC=0
# RC=0 uses the ZeroStatus test to re-start wg0
[[ $(netstat -i | grep -F -- " 0 - " | \
grep "VPN Instance Tunnel IP address" | wc -l) -eq "1" ]] && RC=0 && echo !connected && exit $RC \
|| echo connected && exit 1
======
chmod + /usr/local/opnsense/scripts/wireguard/wg0_monit_start.sh
#3
Program 'wg0_monit_start'
status OK
monitoring status Monitored
monitoring mode active
on reboot start
last exit value 1
last output connected
data collected Fri, 19 Jun 2026 11:49:02
====
#9
26.1, 26,4 Series / Re: VLAN - DHCP/Gateway Issue ...
Last post by pfry - June 19, 2026, 05:33:26 PMQuote from: Mark_the_Red on June 19, 2026, 04:45:01 PM[...]Is there a "MAKE THIS god dam @#$@!#%@# device / MAC address move to this VLAN!!!" hidden setting somewhere in the DHCP menu?[...]
Just to clarify, where are you looking to have the VLAN tag assigned, and by what mechanism? I'd generally expect that to be via a managed Ethernet switch, either by port or by MAC (or possibly other differentiators depending on your hardware, but I stick to "port").
#10
General Discussion / Re: 802.1x certificate for the...
Last post by lmoore - June 19, 2026, 05:24:26 PMThere isn't enough information what the WAN port would be connected to.
It could be a port on an infrastructure switch requiring authentication, we don't know.
Perhaps wpa_supplicant could be used but I don't know if one of the EAP methods supports Certificate Authentication Greg is mentioning.
This package is already installed in my OPNsense. I don't use it and I don't know if it's included in a default install.
Looking at the sample configuration file (/usr/local/etc/wpa_supplicant.conf.sample) under the "AP scanning/selection" section, the value of 0 is described as;
I don't know how this would be configured in OPNsense, however, this site has a configuration for a wired device - https://skybert.net/linux/wired-network-with-8021x-authentication/
It could be a port on an infrastructure switch requiring authentication, we don't know.
Perhaps wpa_supplicant could be used but I don't know if one of the EAP methods supports Certificate Authentication Greg is mentioning.
This package is already installed in my OPNsense. I don't use it and I don't know if it's included in a default install.
Looking at the sample configuration file (/usr/local/etc/wpa_supplicant.conf.sample) under the "AP scanning/selection" section, the value of 0 is described as;
Quote# AP scanning/selection
.
.
.
# 0: This mode must only be used when using wired Ethernet drivers
# (including MACsec).
I don't know how this would be configured in OPNsense, however, this site has a configuration for a wired device - https://skybert.net/linux/wired-network-with-8021x-authentication/
