Recent posts

#1
Hehe, looks like you didn't buy the Venus to show it off, given that I can barely make it out behind all those fans and heatsinks! :D Was that a NAS with all those hard drives?
Quote from: nero355 on Today at 12:57:09 AM
No idea: sold it for big €€€ to a collector in the U.K. a couple of years ago ^_^
Good call, plus it's good that at least these special editions get preserved that way. Win-win, it seems! :)
Quote from: nero355 on Today at 12:57:09 AM
But I think it would because of the brand of the NICs: Broadcom or Marvell
I think those did not have any Nvidia parts involved.
Hmm, Marvell was one but the other was a Vitesse PHY that was fed from the nForce4 and thus would likely also have used the nVidia PXE boot... I think it used the "forcedeth" driver, anyway. Oh well. :)
#2
Quote from: drosophila on April 23, 2026, 11:33:24 PM
Ah, I see, these special set-ups aren't for me so I'm rather uninformed. :)
I am just geeking out a bit since that hardware era is precious to me ;)

Quote: My current question about this limited edition would of course be "does that one boot from the documented KEA PXE setup?" :)
No idea: sold it for big €€€ to a collector in the U.K. a couple of years ago ^_^

But I think it would because of the brand of the NICs: Broadcom or Marvell
I think those did not have any Nvidia parts involved.

Quote: Having all-solid caps in that age certainly was quite the upgrade, even without the special sound!
It was not that special to be honest, but hey... Marketing Wizards!!! LOL!

Quote: The placement of the SB with its little fan is kind of meh though: if the fan fails, how would you replace that special thing?
I had cooled every part of my PC with Thermalright heatsinks at the time combined with silent GLL series Papst fans on them so no issues there ;)

See here: https://forum.opnsense.org/index.php?topic=50878.msg260535#msg260535

Quote: However, I just checked the datasheet of the RTL8211BL and you were right: it indeed is a plain PHY, not a fully integrated NIC, so it makes sense that the nVidia chip contains the actual MAC, therefore having the nVidia PXE boot agent is reasonable.
Thought so :)
#3
General Discussion / Re: Upgrade dilemma - stay wit...
Last post by nero355 - Today at 12:46:39 AM
Quote from: simdim on December 20, 2023, 08:34:42 PM
i5-2400
https://www.intel.com/content/www/us/en/products/sku/52207/intel-core-i52400-processor-6m-cache-up-to-3-40-ghz/specifications.html
Quote: J4105
https://www.intel.com/content/www/us/en/products/sku/128989/intel-celeron-j4105-processor-4m-cache-up-to-2-50-ghz/specifications.html

The J4105 is 6 years newer, but still very old these days, so I don't see the point in buying one to be honest...


Just buy a nice new cheapass 120/240 GB SSD for your current setup and use it until it implodes or something :)
#4
German - Deutsch / Re: OPNSense bekommt keine IPv...
Last post by drosophila - Today at 12:31:50 AM
Someone just had a similar problem a moment ago, only behind a Fritzbox. Maybe refreshing several times helps here too? Could it be that radvd is also running there...?
#5
General Discussion / Re: Flashing OPNSense .img.bz2
Last post by drosophila - Today at 12:01:48 AM
So, does the checksum match? sha256(sum in Linux) OPNsense-26.1.2-dvd-amd64.iso.bz2 would be the command to check. But it seems you're stuck with Windows, so the command there would IIRC be: certutil -hashfile OPNsense-26.1.2-dvd-amd64.iso.bz2 SHA256
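The check described above, written out as a small portable script. This is an added example and not the poster's own command: it picks whichever SHA-256 tool the host provides (sha256sum on Linux, sha256 on FreeBSD/OPNsense, shasum on macOS), compares case-insensitively since checksum files and certutil output differ in case, and the demo file and its expected hash at the bottom are constructed, not an OPNsense image.

```shell
#!/bin/sh
# Portable SHA-256 verification for a downloaded image such as OPNsense-26.1.2-dvd-amd64.iso.bz2.
# sha256_of FILE -> prints the lowercase hex digest using whatever tool is installed.
sha256_of() {
    f="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | awk '{print $1}'          # GNU coreutils (Linux)
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$f"                              # FreeBSD / OPNsense
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$f" | awk '{print $1}'      # macOS / Perl
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_image FILE EXPECTED_HEX -> exit 0 on match, 1 on mismatch, 2 if hashing failed.
# Both sides are lowercased so a hash pasted from certutil (uppercase) still compares equal.
verify_image() {
    f="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$f") || return 2
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $f"
        return 0
    fi
    echo "MISMATCH: $f" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Constructed demo: a 5-byte file containing "hello" and its well-known SHA-256 digest.
demo=$(mktemp)
printf 'hello' > "$demo"
verify_image "$demo" 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
rm -f "$demo"
```

Replace the demo file and digest with the downloaded image and the hash published alongside it; a non-zero exit means the download should not be flashed.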
#6
Development and Code Review / Re: What is the status of KEA ...
Last post by drosophila - April 23, 2026, 11:33:24 PM
Ah, I see, these special set-ups aren't for me so I'm rather uninformed. :) My current question about this limited edition would of course be "does that one boot from the documented KEA PXE setup?" :) Having all-solid caps in that age certainly was quite the upgrade, even without the special sound! The placement of the SB with its little fan is kind of meh though: if the fan fails, how would you replace that special thing?

However, I just checked the datasheet of the RTL8211BL and you were right: it indeed is a plain PHY, not a fully integrated NIC, so it makes sense that the nVidia chip contains the actual MAC, therefore having the nVidia PXE boot agent is reasonable.
#7
26.1, 26.4 Series / Re: KeaDHCP dynamic DHCP quest...
Last post by stauf - April 23, 2026, 11:28:34 PM
In the spirit of testing, any idea why I am getting my address pool filled with these bogus entries? It's happening again and I can confirm that I have Automatic Discovery disabled (at least that is what the UI is telling me). Kea is giving away all my IP addresses (even those reserved for specific MAC addresses). This means if the address has been given away before my device grabs it, there are no free addresses to give out and my device doesn't get an IP address at all. This is causing big problems on my network.

All the bogus DHCP table entries in Kea have a lifetime of 86400 seconds (not the lifetime of my standard leases).  This is what I was seeing before but I thought we narrowed the problem down to Automatic Discovery being Enabled.  I don't mind enabling Automatic Discovery and helping test this (especially since it appears to be happening with Automatic Discovery disabled), it would be helpful to work with someone that was actively working in this area though.  Maybe I am doing something wrong?

Regardless of my setup, I would not expect Kea to dole out IP addresses without associating them with a MAC address or hostname.  What is the point of doing that other than gumming up the works of the DHCP server?
#8
General Discussion / Re: An old chestnut - mDNS/Bon...
Last post by OPNenthu - April 23, 2026, 11:24:45 PM
Quote from: persons on April 22, 2026, 06:42:37 AM
Why are there implicit deny rules (that cannot be seen from GUI) for other services but not mDNS?

Are you asking why there is no need for an mDNS-specific block rule? The 'default deny' rule blocks all protocols already, including mDNS. It's a catch-all rule for anything which isn't explicitly allowed, so OPNsense doesn't have or need any deny rules just for specific protocols or services. Everything is blocked, until and unless you allow it.

The catch: it only blocks what the firewall can see in the first place such as routed multicast or that which is reflected by mdns-repeater across interfaces.  In other words inter-VLAN mDNS is blocked by default.

In most cases (if you have clients behind a switch) the mDNS multicast stays link-local and is forwarded at the switching layer.   The firewall doesn't see it for clients that are on the same broadcast domain, so we can say intra-VLAN mDNS is not blocked.  That's why mDNS "just works" within a subnet.  Control over this would likely be on your managed switch or your wireless APs.  You might have some coarse options there.  For example, in UniFi settings I can block multicast (not just mDNS) for wireless SSIDs and enable it only for certain MACs.

Not sure if that's what you were asking but I hope this helps clarify when rules are / are not needed.

I don't know what other implicit deny rules for services you're talking about (?) but the automatic rules can be seen in the GUI.  They're just in a separate category that you can expand in the Rules UI, or if you're using the "Rules [new]" UI then you can see them with the "Inspect" button.

Quote: Is this the right place to request basic features? If not, please direct me to the best (free) place. Every service that requires interfaces to be selected should include an option to auto add firewall rules

I think that would be a task for the plug-in's maintainer as most of the plugins are not maintained by the OPNsense devs.  You can try raising a request: https://github.com/opnsense/plugins

Not sure how successful that will be because it's not really an established norm that anything with selectable interfaces gets rules added.   It might seem that way but that's only done for Dnsmasq/Kea and ICMPv6 requirements because those are tough to configure manually and the network connectivity breaks without them.  Also the default "LAN" interface gets permissive rules that allow everything, so it gives a false impression maybe, but any additional interfaces you add would require you to supply rules for DNS, NTP, etc.

Note: if you have a managed switch with a built-in mDNS proxy then you can use that and avoid mdns-repeater and rules altogether.  That might also work for IPv6 whereas mdns-repeater doesn't.

Quote from: persons on April 22, 2026, 06:42:37 AM
Also why is logging disabled for newly created rules, and why is there no 'select all / batch' way to enable logging? Debugging issues is a fundamental process to learning.

Getting very off topic now, but I suspect admins keep logging disabled to reduce noise and processing.  They selectively enable what they need.

You can raise a request for the batch logging toggle on the opnsense/core repo.

--

Welcome to the forums.  Have fun learning.
#10
General Discussion / Re: Device Monitor - a tool fo...
Last post by pc44 - April 23, 2026, 09:42:44 PM
Quote from: pc44 on April 23, 2026, 04:26:58 AM
I have an older version of Device Monitor installed and working. It is great!!!

I am happy with it, but is there a way to update to this new version, or do I need to fully uninstall/reinstall?

Thank you.

Figured it out.  Deleted the existing /tmp/opnsense-devicemonitor folder.  Then downloaded, unzipped, and copied over the new files.  Then just re-ran sh install.sh.

Now up-to-date. ☑️