Recent posts

#2
Zenarmor (Sensei) / Re: Install/Deinstall Loop (li...
Last post by franco - Today at 12:49:01 PM
Zenarmor repo may need a rebuild for pkg to stop trying to cope with what it thinks are update-requiring package versions.


Cheers,
Franco
#3
26.1, 26,4 Series / Re: cve nginx
Last post by franco - Today at 11:39:36 AM
When FreeBSD updates their vuxml database you can see it pop up in the audit until it's fixed.

If you don't see it there it's better to double-check yourself.


Cheers,
Franco
#4
General Discussion / Re: Help with what I did wrong...
Last post by meyergru - Today at 08:54:57 AM
The first rule is an "in" rule for your mediaserver interface, yet it applies only to source addresses in the LAN network, so it probably never applies. More often than not, you will specify either the interface network or even "any" as source address. Remember, the source addresses will probably be from the interface network range - but that is implicitly given by the fact that the interface they arrive on is specified anyway.

The second rule blocks anything from the mediaserver interface to anywhere. If there is no preceding rule, it will block any traffic passing the firewall.

Essentially, these rules would allow only level 2 traffic on the mediaserver network that does not pass the firewall. Also, order is usually important (well, not if the rules do not work out, such as these).

You should familiarize yourself with the basic concepts of OPNsense firewalling, especially with how rules are applied (packets going "in" on an interface), rule precedence and network coverage. If you want to block access to "the internet" (which is destination "any"), you may still need rules preceding the block rule that in turn allow your other VLANs (like allow to "RFC1918").

If you want to analyse what really happens, just imagine a packet with source and destination addresses and ports and apply the set rules in order.
#5
Looks like your proxy requires authentication
#6
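OPNsense ships with support for quite a few foreign DNS providers, such as Cloudflare, GoDaddy and Route53, but support for Alibaba Cloud DNS and Tencent Cloud DNSPod, which are commonly used in China, is incomplete. To make things easier for users in China, I made a DDNS patch that adds the following Chinese providers to the official plugin:

aliyun: Aliyun DNS
tencentcloud: Tencent Cloud DNS
dnspodcn: keeps the original DNSPod China service name, enhanced to support automatically adding records

After the patch is installed, you can select the Alibaba Cloud or Tencent Cloud service directly on the Dynamic DNS page of the web management interface, fill in the API key, domain and host record, and the DNS record is updated automatically.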




Project address:

DDNS Patch for OPNsense
#7
General Discussion / Help with what I did wrong in ...
Last post by Plus0974 - Today at 07:27:13 AM
I created a VLAN network for my home server which is meant to not allow devices on it to access the internet. After creating the no internet access firewall rule, I then created a second rule to allow devices from my regular LAN network to access it on top of the block access rule, but it doesn't seem to be working. Below are screenshots of the Pass and Block firewall rules. mediaserver is the new network with no internet access for the devices virtual machine servers that will be in it. I'll put this in here if it matters as well, but so far I've only put a Home Assistant virtual machine in here and set the gateway and domain as 192.168.6.1, since the mediaserver VLAN does use that as the gateway, and I set the static IP as 192.168.6.2 and left the netmask at the default 255.255.255.0. This was done in the Home Assistant settings since I was able to set it in there.
#8
Zenarmor (Sensei) / Install/Deinstall Loop (libdef...
Last post by mlenje - Today at 07:14:41 AM
Hello OPNsense Community & Developers,

I am experiencing a persistent update loop with two minor upstream shared libraries: graphite2 (v1.3.14) and libdeflate (v1.25). The WebGUI firmware status page continually prompts that these updates are available. When the update is triggered, pkg successfully fetches and extracts the files, but immediately removes them during the automatic post-install cleanup phase. Consequently, the packages reappear as missing "New" (N/A) entries on the next update check.

Environment Details:
OPNsense Version: 26.1.10-amd64
OS: FreeBSD 14.3-RELEASE-p4
OpenSSL: 3.0.18
Plugins Active: Zenarmor (Home Subscription) using a Local Elasticsearch 8.11.3 reporting database instance, running alongside Java (openjdk17).

The Behavior / Update Log CLI Output:
When running the update via the root shell, the package manager successfully pulls the files, but then explicitly lists them under Installed packages to be REMOVED directly afterward:

Processing candidates (6 candidates): .... done
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
   graphite2: 1.3.14 [OPNsense]
   libdeflate: 1.25 [OPNsense]

Number of packages to be installed: 2

181 KiB to be downloaded.
[1/2] Fetching libdeflate-1.25.pkg: ....... done
[2/2] Fetching graphite2-1.3.14.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/2] Installing graphite2-1.3.14...
[1/2] Extracting graphite2-1.3.14: .......... done
[2/2] Installing libdeflate-1.25...
[2/2] Extracting libdeflate-1.25: .......... done
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages:

Installed packages to be REMOVED:
   graphite2: 1.3.14
   libdeflate: 1.25

Number of packages to be removed: 2
[1/2] Deinstalling graphite2-1.3.14...
[1/2] Deleting files for graphite2-1.3.14: .......... done
[2/2] Deinstalling libdeflate-1.25...
[2/2] Deleting files for libdeflate-1.25: .......... done
Checking all packages: .......... done
The following package files will be deleted:
   /var/cache/pkg/openjdk17-17.0.10+7.1_1.pkg
   /var/cache/pkg/elasticsearch8-8.11.3~ff6f5709d3.pkg
   /var/cache/pkg/libdeflate-1.25.pkg
   /var/cache/pkg/graphite2-1.3.14.pkg
   /var/cache/pkg/elasticsearch8-8.11.3.pkg
...
The cleanup will free 295 MiB
Deleting files: .......... done
Nothing to do.
Flushing temporary package files... done
***DONE***

Has anyone else utilizing local Elasticsearch deployments run into this package manager looping pattern? Is there an upcoming repository metadata sync planned to align the Java/Elasticsearch dependency tags with these specific library versions on the FreeBSD 14.3 base?

Thank you for your time and continued incredible work on the OPNsense ecosystem!
#9
General Discussion / Native DDNS Client for Porkbun
Last post by zaphod80013 - Today at 04:39:01 AM
Hello

Hope I'm posting this in the right place, only joined the forum to drop this piece of code for anybody to use. While evaluating OPNsense as a replacement for pfSense I couldn't find a native DDNS plug-in for Porkbun so I rolled my own; code at https://github.com/zaphod80013/opnsense-ddns-porkbun or search GitHub for zaphod80013 opnsense-ddns-porkbun. Since OPNsense didn't solve the network prefix translation issue I was seeing in pfSense I've no reason to switch at this time, but the code may be useful to someone.
#10
Need to take a look at your squid configuration file: /usr/local/etc/squid/squid.conf
Could you post it on the forum?