Recent posts

#1
General Discussion / Re: Fresh install blocking mos...
Last post by coffeecup25 - Today at 03:34:29 PM
petski,

You are taking a simple situation and overcomplicating it by a lot.

That switch is overkill for what you have described. A $15 TP-Link dumb switch would have been better. Do a factory reset on the Cisco switch to turn it back into a dumb switch and leave it as a dumb switch. Do not do DHCP on it. Ever.

Use Kea DHCP and Unbound DNS. Google for how to set up Unbound. Unbound will be a fallback DNS server. KEA is fairly simple to use now that it does not have hidden boxes for simple config options.

Use the DNS override box on KEA to access Pihole. Find a box associated with your LAN interface where it asks for DNS servers. It will probably have 192.168.1.1 if 192.168.1.1 is your router address. Put the static address for pihole in that box in place of 192.168.1.1.

I am assuming all devices are on the same LAN. If you have more than one subnet, then I don't know if KEA can point to a pihole server on a different home subnet. Probably not. Look into Adguard Home instead, but you will have to edit AdguardHome.yaml to add all the local subnets it needs to serve.
#2
25.7, 25.10 Series / Re: Captive Portal slows down ...
Last post by HappyUserB - Today at 02:56:57 PM
That is good and bad news at the same time. Bad news: it seems as if more users are affected; good news: it should be easier to reproduce and seems to be directly traceable to .10.
#3
25.7, 25.10 Series / Re: DNSmasq and Unbound Peacef...
Last post by vimage22 - Today at 02:13:36 PM
I have been testing with DNSSEC off, but DoT is still on. I am starting to agree with DEC740airp414user on this, even though information found seems to lead in another direction.
In particular, this option appears to affect performance:
"Harden DNSSEC Data"
#4
General Discussion / Re: TUI for viewing and analys...
Last post by allddd - Today at 01:53:12 PM
Thanks for checking it out :)

Quote from: patient0 on December 28, 2025, 02:15:25 PM
And the view is a lot more compact, I do like >/< as indicator for incoming or outgoing traffic. It does make it a bit harder to read, I'd prefer to have the direction in its own column or maybe a space between it and the interface (or O/I, not sure)?

I don't think a separate column is necessary, since the direction always appears before the interface name and it's therefore just as easy to spot as it would be in a separate column. I'll try adding a space or using another char to see if it improves readability.

Quote from: patient0 on December 28, 2025, 02:15:25 PM
And I can scroll to the right for infinity, maybe it would make sense to not go over the right end? Jumping to the beginning and end of a line is removed, I assume because it's hardly necessary since the view is already very compact?

Jumping to the beginning/end would require checking the view length on every render, and with such a compact view it's just not worth it. Preventing scrolling past the right edge has the same issue. I looked at how less handles it to get an idea, and even there you can scroll infinitely, so in my opinion it's fine to do the same here, especially now that horizontal scrolling is rarely needed.

Quote from: patient0 on December 28, 2025, 02:15:25 PM
The scenario when filtering for protocols with ports I think the view is not easy to read in regards to spotting the source port, with IPv4 and IPv6 address.
If filtering for one or the other it's a lot better.
Though I still think it could help to place the '>' in 'Source > Destination' at the same position for all columns.

Yes, as plain text that view isn't very easy to read. Does your terminal support formatting/colors? I haven't updated the screenshot in the repo yet since the view may still change a bit, but I've added formatting that makes it easy to see the difference between IPs and ports:

If I make the ">" line up at the same position for all lines, we basically end up with the old view again.
#5
German - Deutsch / Re: Hetzner Cloud Server Wire...
Last post by Peter68 - Today at 12:25:22 PM
Yes, it is my IP, but if you run a scan against that IP, it does not go directly to my real IP. So I have a certain degree of protection?

With this setting it goes through my Adguard, since I have entered the real IP on my client.

Wireguard software on the Mac.    OPNsense   >>>   WG-Tunnel   >>>   Hetzner_Cloud  >>>>>  Internet
                                                                                                                 <<<<<<<<       DNS OPNsense

#6
25.1, 25.4 Series / Re: RSS Error on Intel E810-XX...
Last post by bugacha - Today at 12:25:00 PM
Quote from: pikachu937 on June 01, 2025, 06:49:09 PM
Hello,

I'm encountering an issue on OPNsense 25.1.7_4 (FreeBSD 14.2-RELEASE-p3) with an Intel E810-XXV network adapter. The following error appears in logs for both ice0 and ice1 interfaces:

ice0: ice_add_rss_cfg on VSI 0 could not configure every requested hash type
ice1: ice_add_rss_cfg on VSI 0 could not configure every requested hash type

Configuration:
OPNsense: 25.1.7_4 (FreeBSD 14.2-RELEASE-p3)
Network adapter: Intel E810-XXV
Driver: ICE 1.43.2-k (dev.ice.0.iflib.driver_version: 1.43.2-k)
Firmware: NVM 4.80 (dev.ice.0.fw_version: fw 7.8.2 api 1.7 nvm 4.80 etid 8002053c netlist 4.4.5000-1.16.0.fb344039 oem 1.3805.0)
DDP: ICE OS Default Package 1.3.41.0 (dev.ice.0.ddp_version: ICE OS Default Package version 1.3.41.0, track id 0xc0000001)
Settings: 32 Rx/Tx queues (dev.ice.0.iflib.override_nrxqs=32, dev.ice.0.iflib.override_ntxqs=32), IPv6 disabled on interfaces.

Traffic: 99% is UDP (RTP/RTCP).

Issue: The RSS error prevents even distribution of network queues across CPU cores, reducing performance. The issue affects both ice0 and ice1 interfaces. Since 99% of traffic is UDP (RTP/RTCP), filtering UDP is not an option.

Steps Taken:
Attempted to load DDP 1.3.53.0 by placing ice.pkg in /lib/firmware/intel/ice/ddp/ and adding hw.ice.ddp_override="1" to /boot/loader.conf.local. However, DDP 1.3.53.0 does not load; the system uses 1.3.41.0 (log: ice1: DDP package already present on device).
Tried updating NVM firmware using Intel NVM Update Utility, but the version remains 4.80.
Disabled IPv6 on interfaces via ifconfig ice0 inet6 -accept_rtadv and OPNsense web interface.
Tested reducing queues to 16 (override_nrxqs=16, override_ntxqs=16), but the error persists.
Attempted filtering UDP/SCTP via firewall rules, with no effect, as UDP (RTP/RTCP) constitutes 99% of traffic.
Compiling a new driver is not possible due to missing kernel source in OPNsense.

dmesg | grep DDP
ice0: The DDP package was successfully loaded: ICE OS Default Package version 1.3.41.0, track id 0xc0000001.
ice1: DDP package already present on device: ICE OS Default Package version 1.3.41.0, track id 0xc0000001.

dmesg | grep ice | grep rss
ice0: ice_add_rss_cfg on VSI 0 could not configure every requested hash type
ice1: ice_add_rss_cfg on VSI 0 could not configure every requested hash type

Questions:
How can I resolve the RSS error, given that 99% of traffic is UDP (RTP/RTCP)? Is it related to the driver or DDP 1.3.41.0?
Why does DDP 1.3.53.0 fail to load despite hw.ice.ddp_override="1"?
Is there a way to configure RSS hash functions for UDP without sysctl dev.ice.0.rss_hash_config?

Could upgrading OPNsense resolve the issue?

Any suggestions or insights would be greatly appreciated! I can provide additional logs if needed.

Your issue is in the firmware version:

Firmware: NVM 4.80 (dev.ice.0.fw_version: fw 7.8.2 api 1.7 nvm 4.80 etid 8002053c netlist 4.4.5000-1.16.0.fb344039 oem 1.3805.0)

4.80 isn't supported by the FreeBSD 1.43.3-k driver.

#7
25.7, 25.10 Series / loss of connectivity after run...
Last post by Tupsi - Today at 12:17:43 PM
Since upgrading to the 2.7.x track I suffer from a loss of connectivity whenever my opnsense has been running for a few days. The issue always presents itself in the same way: part of the internet is no longer reachable, even though DNS resolution still works. The problem is "fixable" with a simple reboot of opnsense.

Can someone point me to a place of logs where I might find the source of the problem? Currently I feel a bit helpless to pinpoint what the problem is.

My opnsense is configured to use both v4/v6 dynamic IP from the provider. That worked flawlessly so far until I switched to the 2.7.x track. I am using the unbound DNS server instead of dnsmasq. Tried disabling the blocking sites feature there, because it felt like a bit of a misguided blocking of unbound, but the problem returned nonetheless.

Any help pinning that down would be much appreciated. Until then, no biggie, and I restart the router whenever my wife shouts "The internet isn't working!!!" ;-)

Hope you all had a great Christmas and wish you a great start in 2026!

Markus

#8
25.7, 25.10 Series / ice driver (ddp) / latest NVM ...
Last post by bugacha - Today at 12:15:22 PM
E810 here

Tried to update to 4.91 from https://www.intel.com/content/www/us/en/download/19625/non-volatile-memory-nvm-update-utility-for-intel-ethernet-network-adapters-e810-series-windows.html

And it is such a PITA, wasted 3 hrs trying to make it work.

Long story short, the latest firmware that Opnsense 25.7.8 ice driver supports is 4.50

[1] ice0: fw 7.5.4 api 1.7 nvm 4.50 etid 8001d8ba netlist 4.3.5000-1.14.0.99840ef4 oem 1.3597.0

#9
German - Deutsch / Re: Caddy Wildcard-Zertifikat ...
Last post by observing0436 - Today at 12:11:08 PM
Many thanks to you all for the hints and links! Very interesting!

I wish you a happy New Year 2026!

Kind regards
Mike
#10
I do not have a lab HA setup (yet), only production. I will discuss with the customer in January if we go that route or use CARP and port forwarding. But thank you very much for all your work!