Recent posts

#1
26.1, 26,4 Series / Re: NAT Migration Tool
Last post by meyergru - Today at 04:06:42 PM
Where do you want to migrate the destination NAT rules to?

The only reason to migrate "Outbound NAT" to "SNAT" (aka "source NAT") was that this is the more common term. "Destination NAT" is already called correctly.
#2
26.1, 26,4 Series / Re: NAT Migration Tool
Last post by mschaeffler - Today at 03:54:52 PM
Hi,

Is this only for the Outbound NAT?
What about Destination NAT?

Thank you
#3
High availability / Re: HA Cluster with a /30 CIDR...
Last post by viragomann - Today at 02:39:18 PM
As far as I know, the CARP VIP does not necessarily need to be within the same subnet as the interface addresses.

With this setup as it is, the backup node will have no internet access, e.g. for updates.
To enable internet you have to route its upstream traffic over the master node.
#4
Announcements / Re: OPNsense 26.4.1 business e...
Last post by franco - Today at 02:37:55 PM
26.4.1p1_3:

o openvpn: further fix validation for auth token secret and static key
#5
Announcements / Re: OPNsense 26.1.11 released
Last post by franco - Today at 02:37:08 PM
A hotfix release was issued as 26.1.11_6:

o openvpn: further fix validation for auth token secret and static key
#6
Tutorials and FAQs / Re: [HOWTO] NordVPN Wireguard ...
Last post by newsense - Today at 12:17:20 PM
The added benefit after completing this tutorial is that it opens the door for policy-based routing.
#7
General Discussion / Re: firewall is toast
Last post by newsense - Today at 12:01:15 PM
You'll have to do a better job explaining your issue.

"Firewall toast" doesn't fit any SW or HW descriptions we can troubleshoot.

For a HW failure of anything other than the m.2 you can simply move the drive to another FW and boot it up as described above.

Data recovery is possible but complicated depending on the file system used and whether the m.2 partially failed or not.

Lastly, there's not much to recover. Mainly the config.xml and any third party configuration files such as the one used by adguardhome
#8
26.1, 26,4 Series / OPNsense 26.1.11_5
Last post by MoonbeamFrame - Today at 11:52:00 AM
Since upgrading to 26.1.11_5 (I don't think this behavior occurred with 26.1.11/26.1.11_3) my Realtek RTL8125 port was exhibiting an odd behavior.

My management LAN disappeared in the early hours of Friday. From another LAN I could see the firewall, but nothing else on the management network. In the Kea logs, re0 was reported as not running and so was not servicing DHCP renewals.

Quote:
2026-07-04T00:04:55 Warning kea-dhcp4 WARN [kea-dhcp4.dhcpsrv.0x4fe545a5c008] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: the interface re0 is not running
Initially I rebooted and the management LAN was running again.

The management LAN went down again around 18:00. This time I disabled/enabled the interface.

Just before midnight the management LAN went down again. This time I moved it to another device [Intel I226-V].

Now into Saturday morning and the management LAN has disappeared again, so it looks less likely to be a NIC issue. I think the DHCP renewal process is failing as a consequence of whatever the trigger is for this behavior.

I could do with some pointers on where to look to get useful debugging information. For completeness, the only other activity on this firewall was on Thursday night, when I did the Outbound to SNAT migration.

Thanks
#9
French - Français / Managing electronic invoicing ...
Last post by Ioan - Today at 11:30:54 AM
Hi team, I'm setting up a small infrastructure for a very small business (three workstations, one NAS, nothing fancy) and we are moving to mandatory electronic invoicing within a few months. The thing is that some electronic invoice submission platforms use HTTPS APIs with client certificates, and I can't get the outbound flow from OPNsense to work reliably. I enabled TLS inspection on the firewall and I get the impression that it breaks the exchanges with at least one portal (Chorus Pro, to be precise). I disabled inspection on the corresponding rule, which works better, but I don't feel I have a clean configuration either. Has anyone already set up something solid to let this kind of traffic through without disabling everything? An alias with the portal's IP ranges, a dedicated rule... I'm not really sure where to start. Thanks in advance if you have concrete feedback on this.
#10
General Discussion / Re: firewall is toast
Last post by robertkwild - Today at 11:23:42 AM
I have an external M.2 SSD enclosure; can I put it in there and pull the data off?