Recent posts

#1
You can do the same in a simpler and more lightweight way with dnsmasq as an alternative:

https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset
#2
No one? :)
#3
25.7, 25.10 Series / Help Troubleshooting OPNsense ...
Last post by mb19 - Today at 08:30:33 AM
Hi everyone,

I'm trying to configure my OPNsense server (version OPNsense 25.7.7_4-amd64) as an NTP server for my LAN devices. My network layout looks like this:

                Internet
                    │
                    │
        ┌─────────────────────────┐
        │   Router ISP            │
        │     192.168.10.1        │
        └─────────────────────────┘
                    │
                    │ (192.168.10.0/24)
                    │
        ┌─────────────────────────┐
        │       OPNsense          │
        │                         │
        │ WAN: igb0               │
        │   IP: 192.168.10.2/24   │
        │                         │
        │ LAN: igb1               │
        │   IP: 192.168.45.1/24   │
        │                         │
        │ OPT1: em0 ( empty )     │
        └─────────────────────────┘
                    │
                    │ (LAN 192.168.45.0/24)
                    │
        ┌─────────────────────────┐
        │      LAN                │
        │   (192.168.45.0/24)     │
        └─────────────────────────┘

When I run the following command on a LAN computer and on OPNsense:

--> tcpdump -ni igb0 udp port 123

I get:

PC - LAN:   192.168.45.18.35966 > 5.250.184.159.123: NTPv4, Client, length 48
OpnSense:   192.168.10.2.21172   > 5.250.184.159.123: NTPv4, Client, length 48

OpnSense:   5.250.184.159.123 > 192.168.10.2.21172:   NTPv4, Server, length 48
PC - LAN:   5.250.184.159.123 > 192.168.45.18.35966: NTPv4, Server, length 48

If I'm understanding this correctly:

1 - We can see NTP requests from the LAN reaching OPNsense
2 - OPNsense then forwards them to the router, which sends them out to the NTP pool server
3 - The NTP server replies
4 - The router forwards the reply back to OPNsense
5 - OPNsense performs the de-NAT and delivers the response to the LAN client


If this interpretation is correct, then I think I can rule out DNS issues or ISP-side blocking of NTP traffic.

However, in the OPNsense GUI the NTP service status is always shown as "pending", which makes me suspect that the issue is happening somewhere around this point in the network diagram:


                Internet
                    │
                    │
        ┌─────────────────────────┐
        │   Router ISP            │
        │     192.168.10.1        │
        └─────────────────────────┘
                    │
                    │ (192.168.10.0/24)
                    │<-----------------------------------HERE
        ┌─────────────────────────┐
        │       OPNsense          │
        │                         │
        │ WAN: igb0               │
        │   IP: 192.168.10.2/24   │
        │                         │
        │ LAN: igb1               │
        │   IP: 192.168.45.1/24   │
        │                         │
        │ OPT1: em0 ( empty )     │
        └─────────────────────────┘
                    │
                    │ (LAN 192.168.45.0/24)
                    │
        ┌─────────────────────────┐
        │      LAN                │
        │   (192.168.45.0/24)     │
        └─────────────────────────┘

I'm not sure whether I'm misunderstanding a concept (and therefore troubleshooting in the wrong direction), or if this is a technical issue I'm missing. The goal is simply to use OPNsense as an NTP server for the LAN.

Any help or guidance would be greatly appreciated.
Thanks!
#4
The second point is normal and happens everywhere because there is no forced non-interactive redirect to the login page in general once the session timeout has been reached.
#5
You posted no logs that show the issue. Without logs it's impossible to help.
#6
25.7, 25.10 Series / Re: WebGUI isn't accessible. L...
Last post by Lymba_Sysm - Today at 06:12:29 AM
Never mind I've fixed it!
#7
That's really weird, mine stays at around below 10mb RAM used.

Here:
40886 nobody        1  20    0    17M  4920K select   2  36:51   0.00% dnsmasq

What kinda configuration do you run with it? If you share maybe we can see something.

/usr/local/etc/dnsmasq.conf

Also how many leases in total?
#8
25.7, 25.10 Series / WebGUI isn't accessible. Live ...
Last post by Lymba_Sysm - Today at 05:13:38 AM
I'm new to setting up OPNsense and so far, until I encountered this issue, I haven't had any. The live environment seemingly works fine (which I would expect) but whenever I try to access the WebGUI, I'm hit with this. Now so far based off every video I've seen, this should work. I've done everything correctly as shown. I'm at a bit of a loss. I've tried both ports in case one of them was the assigned LAN instead of WAN, checked the Starlink app for what IP DHCP assigned to OPNsense, that didn't work either. Changed my DNS settings in Windows so it was using Google over Cloudflare and vice versa.

I must be missing a diagnostic step here, what should I do next?

#9
Virtual private networks / Re: WireGuard Exporter Tool
Last post by JMini - Today at 05:12:46 AM
I don't understand why there isn't an export button for the conf files. If you don't copy/paste during peer creation, you're out of luck.
You can't even build the conf file from the information in the peer details. No access to the Private Key.
#10
25.7, 25.10 Series / Re: service adguardhome not st...
Last post by neek - Today at 04:06:57 AM
It looks like when it tries to create the UDP bind on my openvpn interface, that fails (192.168.99.x, below). My guess is the system is bringing up adguardhome before openvpn has had a chance to start and create that interface. In my config, I only see interfaces where I want adguardhome to run. I don't see an option for disabling just UDP on one of the interfaces. When I temporarily disabled adguardhome on the whole VPN network, it did come up successfully.

Piece of the log from the failed launch at boot:
2025/12/10 18:54:33.531933 [info] dnsproxy: creating udp server socket addr=192.168.40.1:53
2025/12/10 18:54:33.531976 [info] dnsproxy: listening to udp addr=192.168.40.1:53
2025/12/10 18:54:33.531992 [info] dnsproxy: creating udp server socket addr=192.168.41.1:53
2025/12/10 18:54:33.532060 [info] dnsproxy: listening to udp addr=192.168.41.1:53
2025/12/10 18:54:33.532076 [info] dnsproxy: creating udp server socket addr=192.168.80.1:53
2025/12/10 18:54:33.532124 [info] dnsproxy: listening to udp addr=192.168.80.1:53
2025/12/10 18:54:33.532140 [info] dnsproxy: creating udp server socket addr=192.168.99.1:53
2025/12/10 18:54:33.532196 [info] dnsproxy: warning: binding attempt=1 err="listen udp 192.168.99.1:53: bind: can't assign requested address"
2025/12/10 18:54:33.533087 [error] closing query log: flushing log buffer: nothing to write to a file
2025/12/10 18:54:33.533120 [fatal] starting dns server: configuring listeners: listening on udp addr 192.168.99.1:53: listening to udp socket: listen udp 192.168.99.1:53: bind: can't assign requested address