Recent posts

#1

OPNsense updated as of 30/11/2025. When a rule is created in Squid under Access Control,
it returns "Error configuring policies - Error (1)".
Does anyone have a suggestion?
#2
General Discussion / Degraded printer functionality...
Last post by Lu - Today at 01:56:02 AM
I'm posting this in the hope others benefit from our pain. After a large Toshiba printer/MFC was replaced on our network with a newer model (an e-STUDIO3525AC), it had a great deal of trouble. The previous model had worked fine, and there were no changes to the OPNsense box's config between the two. Despite trying both dynamic and static network configs, IPv4-only, IPv6-only, etc., the new one could not get DNS resolution of any address, could not ping public IP addresses (even directly, like 8.8.8.8), and was generally poor at obtaining and holding onto its network config. It even complained at various points that the network cable wasn't connected. I used OPNsense's Interfaces > Diagnostics > Packet Capture, limited to the printer's MAC, and saw it was fairly chatty. I tested the new printer on a secondary physical network and all was okay, so it was something about the main network.

When I realised I could ping public addresses from my own PC, but not the firewall's, I found this thread about it. I enabled ICMP with this rule on the LAN interface, in order to test ping from the printer again:

Protocol     Source  Port  Destination    Port  Gateway  Schedule
IPv4+6 ICMP  *       *     This Firewall  *     *        *

To my surprise, everything started behaving. I'm not blaming OPNsense; I think the printer was deciding it wouldn't or couldn't do basic communication without the router responding to certain queries, or something. If you're experiencing such issues, they may be being triggered by default firewall policies.
#3
25.7, 25.10 Series / Re: Unable to watch YouTube
Last post by nicholaswkc - Today at 01:53:40 AM
Other sites are working perfectly, just YouTube isn't working. I don't have Squid.
#4
General Discussion / boost-libs: missing redis
Last post by Lucid1010 - Today at 12:53:03 AM

- check health

>>> Check for missing or altered package files
Checking all packages:
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/adapt.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/any_adapter.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/detail/adapters.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/detail/response_traits.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/detail/result_traits.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/ignore.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/adapter/result.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/config.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/connection.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/connection_logger.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/coroutine.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/exec_fsm.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/health_checker.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/helper.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/multiplexer.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/reader_fsm.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/redis_stream.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/resp3_handshaker.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/detail/write.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/error.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/ignore.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/connection.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/connection_logger.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/error.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/exec_fsm.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/ignore.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/log_to_file.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/logger.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/multiplexer.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/reader_fsm.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/request.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/resp3_handshaker.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/impl/response.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/logger.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/operation.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/request.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/impl/parser.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/impl/serialization.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/impl/type.ipp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/node.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/parser.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/serialization.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/resp3/type.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/response.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/src.hpp
boost-libs-1.89.0_1: missing file /usr/local/include/boost/redis/usage.hpp
Checking all packages............. done
>>> Check for core packages consistency
Core package "opnsense" at 25.7.8 has 67 dependencies to check.
Checking packages: .................................................................... done
***DONE***

I previously installed and removed Redis for ntopng.
Given that boost-libs has a dependency on Redis, is it necessary to reinstall os-redis?
#5
General Discussion / How to block specific trackers...
Last post by Plus0974 - Today at 12:46:06 AM
I'm setting up ad/tracker blocking for the first time using the blocklists in Unbound DNS. After doing some adblock tests I keep getting a message saying it failed to stop the Google domain tracker "https://pagead2.googlesyndication.com". I tried adding it to the block list domains, but it still didn't show as successfully blocked. Is there somewhere else I'm supposed to paste it, or something else I'm supposed to do?
#6
25.7, 25.10 Series / Re: Migrating IPsec Legacy to ...
Last post by thorstenR - Today at 12:16:05 AM
BTW: 25.7.8
#7
25.7, 25.10 Series / Migrating IPsec Legacy to Conn...
Last post by thorstenR - Today at 12:08:53 AM
I'm about to migrate the 25.7.8 IPsec configuration from legacy tunnels to the new connections mode. I read the migration hints at https://docs.opnsense.org/manual/vpnet.html#migrating-from-tunnels-to-connections using the swanctl.conf download & comparison method. It seemed pretty straightforward. But the new config fails to work at all.

A few important things to note: my local OPNsense sits behind NAT-T, so my CARP IP and my identifier are not identical. Besides the installed policy routes, there must be a 1:1 rule between my local BGP running in the OPNsense os-frr module (10.205.11.1) and the BGP peer on the other end (10.205.208.30), otherwise all routes back to my environment wouldn't work - it initially only knows the BGP route and nothing else. The other end claims either that the BGP peer on my end could not be contacted (no TCP 179 traffic in the logs) and/or that the tunnel is not established at all. The shared secret is 100% accurate.

This is my running and working legacy config according to the export file:

connections {
    con4 {
        unique = replace
        aggressive = no
        version = 2
        mobike = yes
        local_addrs = 10.205.11.1
        local-0 {
            id = 195.62.45.163
            auth = psk
        }
        remote-0 {
            id = 13.95.14.84
            auth = psk
        }
        encap = no
        remote_addrs = 13.95.14.84
        proposals = aes256-sha256-modp1024
        children {
            con4 {
                start_action = trap
                policies = yes
                mode = tunnel
                sha256_96 = no
                local_ts = 0.0.0.0/0,10.205.11.1
                remote_ts = 10.205.208.0/21,10.205.208.30,10.205.72.0/22,10.205.92.0/22
                reqid = 63
                esp_proposals = aes256-sha256-modp1024
                life_time = 27000 s
            }
        }
    }
}
pools {
}
secrets {
    ike-p1-0 {
        id-0 = 13.95.14.84
        secret = xxxx
    }
}

This is my migrated counterpart:

connections {
    a2840a37-e9f9-413d-804c-27c20b2eb2e6 {
        proposals = aes256-sha256-modp1024
        unique = replace
        aggressive = no
        version = 2
        mobike = yes
        local_addrs = 10.205.11.1
        remote_addrs = 13.95.14.84
        encap = no
        send_certreq = no
        send_cert = never
        local-36f8606f-f753-447c-b540-f13b16e388d9 {
            round = 0
            auth = psk
            id = 195.62.45.163
        }
        remote-17e2d106-2cbd-4618-aff5-556002a6d703 {
            round = 0
            auth = psk
            id = 13.95.14.84
        }
        children {
            631762c1-93bc-4c8d-8b85-e632d87d0dab {
                reqid = 1000
                esp_proposals = aes256-sha256-modp1024
                sha256_96 = no
                start_action = trap|start
                close_action = trap
                dpd_action = trap
                mode = tunnel
                policies = yes
                local_ts = 0.0.0.0/0,10.205.11.1
                remote_ts = 10.205.208.0/21,10.205.208.30,10.205.72.0/22,10.205.92.0/22
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child 631762c1-93bc-4c8d-8b85-e632d87d0dab
            }
        }
    }
}
pools {
}
secrets {
    ike-246570cb-9b0f-40b9-91d2-eee09afabd4e {
        id-0 = 10.205.11.1
        id-1 = 13.95.14.84
        secret = xxxx
    }
    ike-159cd80d-4fb5-479f-b263-8a7b74292b33 {
        id-0 = 195.62.45.163
        id-1 = 13.95.14.84
        secret = xxxx
    }
}

Can someone give me some advice on where my copy & paste artwork has gone in such a wrong direction? Do I have to put in more details in the case of NAT-T? I added the shared secret with both the local IP and the NAT identifier, just to make sure. With just one of the two, it worked even worse for phase 2. The original legacy-based configuration was created using the OPNsense UI years ago, with no customizations beyond that.

I'm lost.

Thank you!
Thorsten
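As an added example (not code from the thread or from OPNsense), here is a small Python comparison along the lines of the docs' download-and-compare method: it parses two swanctl.conf-style fragments into nested dicts and reports every key whose value differs, pairing renamed sections (con4 vs UUID) by position so the real deltas (reqid, start_action, life_time vs rekey_time, send_cert) stand out. The embedded fragments are constructed, condensed versions of the two exports above.

```python
LEGACY = """connections {
  con4 {
    children {
      con4 {
        start_action = trap
        reqid = 63
        life_time = 27000 s
      }
    }
  }
}"""  # constructed, condensed from the legacy export in the post
MIGRATED = """connections {
  a2840a37 {
    send_cert = never
    children {
      631762c1 {
        start_action = trap|start
        reqid = 1000
        rekey_time = 3600
      }
    }
  }
}"""  # constructed, condensed from the migrated export in the post

def parse(text):
    # Minimal swanctl.conf reader: "name {" opens a nested dict, "}" closes it, "k = v" sets a key.
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            k, _, v = line.partition("=")
            stack[-1][k.strip()] = v.strip()
    return stack[0]

def diff(a, b, path=""):
    # Scalars compare by key name; subsections pair up by position because the migration renames them (con4 -> UUID).
    out = []
    for k in sorted(set(a) | set(b)):
        va, vb = a.get(k), b.get(k)
        if not isinstance(va, dict) and not isinstance(vb, dict) and va != vb:
            out.append(f"{path}{k}: {va} -> {vb}")  # None marks a key present on one side only
    subs = lambda d: [(k, v) for k, v in d.items() if isinstance(v, dict)]
    for (ka, va), (kb, vb) in zip(subs(a), subs(b)):
        name = ka if ka == kb else f"{ka}->{kb}"
        out.extend(diff(va, vb, f"{path}{name}/"))
    return out

print("\n".join(diff(parse(LEGACY), parse(MIGRATED))))
```

Run against the full exports, the same function would also surface the second secrets entry (id-0 = 10.205.11.1) that only exists on the migrated side.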
#8
Zenarmor (Sensei) / Re: Zenarmor Packet Engine Not...
Last post by dirtyfreebooter - November 30, 2025, 11:20:56 PM
the answer is in the output

[589] 040.632011 [1363] netmap_config_obj_allocator requested objtotal 2048 out of range [2, 1024]

maybe stop setting sysctls you don't understand?
#9
25.7, 25.10 Series / Re: DNS Leaks on WG with Proto...
Last post by pitoucol - November 30, 2025, 11:19:55 PM
Hello

I am also facing the DNS leak issue.
Have you managed to get the correct configuration to avoid DNS leak?


Everything works fine, except that I cannot complete part 6 of https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html

Can you tell me what I need to set in the source field (IP address of your DNS server)? When I set it to 10.2.0.1, I get an error: nothing found.

Should I set my VPN interface instead?
Thanks
#10
General Discussion / Re: Is public-dns.info still a...
Last post by Mpegger - November 30, 2025, 11:10:54 PM
Already have 53 and 853 blocked, and 53 forwarded. I'm more concerned about DNS over HTTP, and supposedly that site also tracked DoH sites, and their list was updated daily. Keyword there seeming to be "was". Even looking at the country listings shows everything last being checked 2 or more years ago.

I should probably ask if there is a known reliable, regularly updated list of DoH servers to use for blocking purposes?