Recent posts

#1
25.1, 25.4 Series / Re: WireGuard Kill Switch Fail...
Last post by Majx - Today at 02:48:13 AM
I can confirm almost the exact same behavior on my end.

The issue is that when a connection state already exists before the killswitch rule is enabled, traffic continues to follow the previously created state. As a result, the killswitch rule is bypassed until those states are cleared. Manually clearing the relevant states forces the firewall to create new ones that will then be evaluated and blocked by the killswitch rule as intended.

The larger problem is that you need to clear all connection states for hosts in the subnet (10.0.10.0/24). Doing so will kill all active connections (gaming, downloads, streaming, etc.), since every existing state for that subnet will be dropped, which is very bad.

The alternative would be to disable state tracking completely, but that will result in reduced performance (and might break other features?).

The most reliable solution is still to clear the states, even though it will impact the entire 10.0.10.0/24 network. Fortunately, this state reset is typically required only once (when you first apply the killswitch rule). VPN clients (PC or mobile) do the same thing on connection; the difference is that they affect only a single device rather than the whole subnet.
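As an added illustration (not from the poster, and not pf or OPNsense code), a toy stateful filter that reproduces the effect described above: a flow whose state was created before the killswitch rule keeps passing until the states for the subnet are killed. The rule order, addresses and the "block LAN to anywhere" simplification of the killswitch are constructed for the example.

```python
"""Toy stateful packet filter: a block rule added after a connection exists
does not stop that connection until its state is cleared.
Constructed model; addresses and rules are made-up examples."""
from ipaddress import ip_address, ip_network


class StatefulFilter:
    def __init__(self):
        self.rules = []      # (action, src_net, dst_net), first match wins
        self.states = set()  # (src, sport, dst, dport) of flows already allowed

    def add_rule(self, action, src_net, dst_net, top=False):
        rule = (action, ip_network(src_net), ip_network(dst_net))
        self.rules.insert(0, rule) if top else self.rules.append(rule)

    def _evaluate(self, pkt):
        src, _, dst, _ = pkt
        for action, src_net, dst_net in self.rules:
            if ip_address(src) in src_net and ip_address(dst) in dst_net:
                return action
        return "block"  # implicit default deny

    def packet(self, src, sport, dst, dport):
        """Return 'pass' or 'block' for one packet of a flow."""
        key = (src, sport, dst, dport)
        if key in self.states:
            return "pass"  # existing state short-circuits the ruleset entirely
        if self._evaluate(key) == "pass":
            self.states.add(key)  # first packet creates the state
            return "pass"
        return "block"

    def kill_states(self, network):
        """Drop every state whose source lies in `network` (what clearing
        the states for the subnet does on the firewall)."""
        net = ip_network(network)
        self.states = {s for s in self.states if ip_address(s[0]) not in net}


def killswitch_demo():
    fw = StatefulFilter()
    fw.add_rule("pass", "10.0.10.0/24", "0.0.0.0/0")   # pre-existing LAN-out rule
    flow = ("10.0.10.5", 51000, "203.0.113.7", 443)    # constructed client flow
    before = fw.packet(*flow)                           # state created: pass
    # Killswitch added later, on top of the ruleset: simplified to "block LAN out".
    fw.add_rule("block", "10.0.10.0/24", "0.0.0.0/0", top=True)
    bypass = fw.packet(*flow)                           # still passes via the state
    fw.kill_states("10.0.10.0/24")
    after = fw.packet(*flow)                            # re-evaluated, now blocked
    return before, bypass, after
```

`killswitch_demo()` returns `("pass", "pass", "block")`: the second value is the bypass the thread is about, the third is the behaviour after the state reset.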
#2
25.7, 25.10 Series / Routing for Wireguard appears ...
Last post by grimelog - Today at 01:50:14 AM
Recently, I needed to enable my VPN again, and enabling the gateway for it no longer works. I have confirmed that I am successfully handshaking with wireguard. So, that is not the issue.

How I have my DNS setup is Unbound forwards specific queries to DNSMasq, and connecting to those websites works successfully. However, connecting to the websites intended for Unbound does not work if my Wireguard gateway is up. Previously, this behavior worked as expected. Even rolling back to a known working configuration did not work. Is anyone able to help?

In /usr/local/etc/dnsmasq.conf.d/dnsmasq-ipset.conf:
# Add the response for certain A/AAAA lookups to an opnsense alias
ipset=/example_website.com/dont_go_over_vpn

# Uncomment these if Unbound is still your primary DNS server; otherwise you'll have a loop
no-resolv
server=1.1.1.1

The above works for all sites not intended for the vpn. However, the sites intended for the VPN no longer work. I'm guessing this has something to do with the recent changes to DNSMasq and Unbound. In the Unbound gui I forward all example_website.com domains to DNSMasq.

Once I turn "Go out over VPN" to WAN_Mullvad, I stop resolving addresses going out over the VPN. Previously, the VPN DNS would go out over the non-VPN tunnel to get the addresses for the VPN, and it no longer seems to be doing that at all.

#3
Sorry to bring the topic back. I have been trying to order the ETPro telemetry a couple of times with different accounts, and sent multiple emails to contact@opnsense.org or sales@opnsense.org, but nothing happened; the orders are always declined with no reason. Well, the reply email said:
Your order has been declined due to inconsistencies in your application,
but I don't get the point.

Has anybody successfully gotten a valid token recently?
#4
Hello,

I noticed a weird behavior on a Proxmox VPS. A running WireGuard tunnel with one peer suddenly stopped working. After checking settings in the web interface and even rebooting several times I found no configuration problems and SSH-ed to the router. It turned out the peer endpoint port does not match the one set in the web UI, and restarting the interface or the router just changes it to a different random one. If I change the port to another, save/apply, then back to the actual one and save/apply again, both changes are correctly applied. However, if I press apply again, disable/enable the interface or reboot, the remote port is changed to a random one again. The web UI however continues to show the one I set in it.

Until now, each time I used WireGuard on OPNsense it was on the receiving end of connections, so I have no idea if what I see is a unique bug or a known "feature". This time however the router is behind two layers of NAT, one of them not controllable by me, so there is no way to rely on incoming connections. It has to be initiated by the router.

Any idea what can be happening and how to debug the issue?
#5
Zenarmor (Sensei) / Re: Zenarmor Packet Engine Not...
Last post by GuruLee - Today at 01:11:20 AM
Quote from: sy on November 24, 2025, 05:32:42 PM
Hi,

"dev.netmap.ring_size" could be maximum 1024. Please change it.

I changed this tunable value and it appears to have resolved the issue:

`dev.netmap.ring_num: 1024`

Thank you!
#6
25.7, 25.10 Series / Using Adguard Home and DNSMasq...
Last post by JMini - Today at 12:34:34 AM
I have Adguard Home set up to receive DNS on 53 from all internal networks and DNSMasq listening on 53053.
For forwarders in Adguard Home I have
[/internal/]127.0.0.1:53053
[//]127.0.0.1:53053
h3://cloudflare-dns.com/dns-query
https://dns.google/dns-query

So internal queries are forwarded to DNSMasq since it assigns DHCP and registers those hosts in its DNS.
And for Private reverse DNS in Adguard I have
127.0.0.1:53053

Some config guides I see have Unbound DNS in the mix between Adguard Home and DNSMasq.
Is there any real need for Unbound since Adguard Home does DNS/DOH and can forward internal requests to DNSMasq?

Am I missing something?
#7
We could do with the context. Please provide a screenshot of the rules, which interface, and what it is that you are trying to do (pass or block) from where to where.
#8
General Discussion / Re: GUI/Shell crashing
Last post by meyergru - November 24, 2025, 11:25:35 PM
Quote from: Mattps on November 24, 2025, 09:32:15 PM
Microcode updates are applied via a BIOS update, there aren't any separate updates. It's running the latest BIOS L43 1.16.

Some things to clear up here:

1. I am not saying that there is a newer microcode update - what I do say is that IMHO, manufacturers are slow to adapt the newest microcode updates.

2. The BIOS you are using is at least 3 years old: https://h30434.www3.hp.com/t5/Desktop-Operating-Systems-and-Recovery/HP-T730-Bios-update-failed/td-p/8453495

3. Yes, the microcode updates delivered as OS packages are separate updates, which can be significantly newer than those delivered in your BIOS. And they are needed for some platforms, like the N1x0 and other 12th gen Intel chips with OPNsense from 25.7 upwards, see: https://forum.opnsense.org/index.php?topic=42985.0, point 23.

That being said, IDK if there actually are any updates available or if they change anything for your symptoms. I just would not shrug this off if I were you.
#9
General Discussion / Re: Proxmox & Opnsense VLAN Co...
Last post by viragomann - November 24, 2025, 10:43:13 PM
Quote from: user2311 on November 23, 2025, 06:51:25 PM
1. Why am I able to connect to the firewall and proxmox when my PC on switch port 5 is VLAN 10 untagged but the port 2 (Switch -> proxmox) is tagged VLAN 10?
This is how VLANs work.
The switch port 5, which your PC is connected to, is assigned to VLAN 10 as untagged. That means it tags incoming packets and removes the tag of outgoing ones.

The switch port 2 hands out the VLAN 10 packets as tagged. It doesn't tag incoming packets.
Proxmox is configured to remove the VLAN tags of incoming packets and add tags to outgoing ones. The virtual bridge is connected to this VLAN; Proxmox has an IP on it, and OPNsense is connected to it as well. So you can reach both devices.

Quote from: user2311 on November 23, 2025, 06:51:25 PM
2. When I put VLAN 10 untagged on port 2 and tagged vlan 20 & 30, I can't connect to the firewall or proxmox anymore.
Proxmox only expects tagged packets on this interface.

Quote from: user2311 on November 23, 2025, 06:51:25 PM
3. I want to add new WLAN SSIDs called Users (e.g VLAN 11) and Guest (VLAN 12) on the access point. Do I need to add new linux bridges and linux VLANs? If so, do I need to make the bridge vlan aware? And on the opnsense VM: I would have to add the bridges to the network settings and add a VLAN tag (VLAN tag 11 and 12) to them right?
First of all you should reconsider your setup.

When configuring VLANs for a virtualized router, there are two ways to do this:
  • Either you can do all the VLAN terminations, tagging and untagging on Proxmox. In this case you have to add all VLANs on Proxmox and connect a separate virtual bridge to each.
    Then add a virtual interface to the router VM for each VLAN and connect it to the respective bridge.
  • The other way is to terminate all VLANs in the router VM.
    In this case you need only a single bridge for all in Proxmox, with "VLAN awareness" enabled. And as well you only need a single interface for all VLANs for the router VM, and configure the VLANs inside the router.
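As an added illustration (not from any poster in the thread), a toy 802.1Q model of the switch ports and the VLAN-aware Proxmox bridge described above. Port numbers and VLAN IDs follow the questions; the bridge is reduced to "accepts only frames tagged with its VLAN", which is the behaviour the answer relies on.

```python
"""Toy 802.1Q switch-port model for the port 5 / port 2 / Proxmox questions.
Constructed illustration, not switch or Proxmox code."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Frame:
    payload: str
    vlan: Optional[int] = None   # None = untagged on the wire


@dataclass
class SwitchPort:
    pvid: Optional[int]          # VLAN carried untagged on this port, if any
    tagged: FrozenSet[int]       # VLANs carried with a tag on this port


def ingress(port: SwitchPort, frame: Frame) -> Optional[Frame]:
    """Frame arriving from the cable: untagged frames get the port's PVID,
    tagged frames are accepted only for VLANs the port carries tagged."""
    if frame.vlan is None:
        return Frame(frame.payload, port.pvid) if port.pvid is not None else None
    return frame if frame.vlan in port.tagged else None


def egress(port: SwitchPort, frame: Frame) -> Optional[Frame]:
    """Frame leaving towards the cable: the PVID is stripped, tagged VLANs keep
    their tag, anything else is not a member of this port and is dropped."""
    if frame.vlan == port.pvid:
        return Frame(frame.payload, None)
    return frame if frame.vlan in port.tagged else None


def vlan_aware_bridge_accepts(frame: Optional[Frame], expected_vlan: int) -> bool:
    """Proxmox bridge with the Proxmox/OPNsense addresses on `expected_vlan`:
    it only picks up frames that arrive tagged with that VLAN."""
    return frame is not None and frame.vlan == expected_vlan


def pc_reaches_proxmox(port2: SwitchPort) -> bool:
    """PC on port 5 (VLAN 10 untagged) sends an untagged frame; it leaves
    the switch on port 2 towards Proxmox, which expects VLAN 10 tagged."""
    port5 = SwitchPort(pvid=10, tagged=frozenset())
    inside_switch = ingress(port5, Frame("who has proxmox?"))  # now carries VLAN 10
    return vlan_aware_bridge_accepts(egress(port2, inside_switch), expected_vlan=10)


# Question 1: port 2 carries VLAN 10 tagged -> Proxmox and the firewall are reachable.
QUESTION_1 = pc_reaches_proxmox(SwitchPort(pvid=None, tagged=frozenset({10})))
# Question 2: port 2 untagged VLAN 10, tagged 20 & 30 -> tag stripped, bridge ignores it.
QUESTION_2 = pc_reaches_proxmox(SwitchPort(pvid=10, tagged=frozenset({20, 30})))
```

`QUESTION_1` is `True` and `QUESTION_2` is `False`, matching the two observations in the quoted questions.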
#10
General Discussion / Hunting a boot sector malware
Last post by lorem - November 24, 2025, 10:15:45 PM
I have a Windows host with a malware problem. The malware is installed in the boot sector. The malware "calls home" to enable external exfiltration. I know when the malware is installed because it blue screens the computer often, causing me to reboot often. I suspect that the malware gets installed when an unknown file is read. I can remove it by reinstalling the MBR. It gets reinstalled when I browse a certain archive directory. Two malware scanners I tried did not find it.

I want to block outgoing IPs and watch Firewall Live View to see if an unknown IP is calling home, but without allowing it to connect. If that is confirmed I will enable the connection and record packets both ways with Wireshark.

For the first step I want normal network functions to work such as DNS, but block everything else.

My first rule is: Allow, DMZ net, *, DMZ address, 53(DNS)
My second rule is: Block, DMZ net, *, *, *

This seems to work. Any comments?