Recent posts

#1
26.1, 26,4 Series / OIDC and Automatic User Creati...
Last post by Al Muckart - Today at 05:25:03 AM
When using OIDC and wanting to automatically create users, is it possible to make user creation require the existence of a specific group returned by the OIDC server?

As far as I can tell at the moment the user will be created if authorisation succeeds regardless of group configuration, leaving no way to restrict access to a specific set of users without putting an auth proxy in front of the firewall.

If OPNsense could check for the existence of a group and deny authorisation if the user is not a member of that group it would make OIDC quite a lot easier to use in situations where there are multiple people/teams who require access.

Thanks.
#2
26.1, 26,4 Series / Re: Redirect URL After Success...
Last post by Al Muckart - Today at 05:05:02 AM
Thank you Marco & Franco.

If I have time to create the feature request I'll let you know here.
#3
Quote from: bpill on November 27, 2025, 08:59:49 AM
Hello there!

I am trying to configure the Squid web proxy to achieve the following goals:
- Transparent proxy (gateway on the clients is set to the OPNsense IP)
- Block everything by default (HTTPS/HTTP)
- Allow specific domains only (HTTPS/HTTP)

I managed to configure the system
- "Enable Transparent HTTP proxy" -> true
- "Enable SSL inspection" -> true
- "Log SNI Information only" -> true
- "CA to use" -> created and imported on the clients
- "SSL no bump sites" currently empty
- NAT Rules to the proxy are created
- ACL: "Whitelist" contains only "nuget.org"
- ACL: "Blacklist" contains ".*" to block everything

The Problem:
If I open https://nuget.org I will get the message:
"The following error was encountered while trying to retrieve the URL: https://172.183.192.203/* Access Denied."
I do not understand why it would ?redirect? to the IP instead of the hostname?
If I remove the ".*" from the blacklist it works.

What am I doing wrong? Is there another better way?

Thanks!
Benjamin

Please try this:
Whitelist: nuget.org
Blacklist: ^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$
#4
26.1, 26,4 Series / Re: WireGuard does not start a...
Last post by Lucid1010 - Today at 04:38:47 AM
The issue also occurred in version v26.1.9
#5
26.1, 26,4 Series / Re: picky DHCP on WAN
Last post by lmoore - Today at 04:20:55 AM
Quote from: TheSHAD0W on June 17, 2026, 05:16:07 PM
Thing is, as I said, other devices and OSes are able to do a much better job at connecting and keeping the lease up, and there's no reason for opnsense to be more fragile.

Looking at the requests, the notable differences are:

  • OPNsense TOS field is set to 0x10 whereas in the other it is 0x0
  • The initial time interval for OPNsense re-transmission is 13 seconds, whereas the other is 3 seconds

I have experienced similar issues a long time ago but I think they were ISP related and may have been when the connection to the primary server failed, hence it was directed to their back-up system.

I have a minimal DHCP client configuration on my firewall and rely on internal DNS servers.

This is my dhclient configuration file:
interface "re0" {
  # timing values
  # custom options
  request subnet-mask, routers;
  require subnet-mask, routers;
  send dhcp-lease-time 3600;
  # standard settings
  script "/usr/local/opnsense/scripts/interfaces/dhclient-script";
  supersede interface-mtu 0;
}

Looking at the DHCP request to my ISP on OPNsense 26.1.10, the first two requests go within the same second and the response is immediate.

Quote
tcpdump: listening on re0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:03:41.409243 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xa7f96e94, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Requested-IP (50), length 4: aaa.bbb.ccc.ddd
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
09:03:41.409292 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:aa:6b:89:ef, length 300, xid 0xa7f96e94, Flags [none]
          Client-Ethernet-Address 00:1d:aa:6b:89:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Lease-Time (51), length 4: 3600
            Requested-IP (50), length 4: aaa.bbb.ccc.ddd
            Client-ID (61), length 7: ether 00:1d:aa:6b:89:ef
            Hostname (12), length 6: "vpn-gw"
            Parameter-Request (55), length 2:
              Subnet-Mask (1), Default-Gateway (3)
#6
26.1, 26,4 Series / Re: WireGuard does not start a...
Last post by trumee - Today at 03:56:44 AM
I am facing the same issue after upgrading to latest patch OPNsense 26.1.10-amd64.
#7
26.1, 26,4 Series / Re: Priority Settings (advance...
Last post by lmoore - Today at 03:30:20 AM
I hit this problem too when I first set up my OPNsense firewall whilst configuring VoIP rules. The settings relate to the PCP of a VLAN interface - see Advanced in https://docs.opnsense.org/manual/firewall.html#id3

Quote from: xtom42x on June 17, 2026, 03:50:24 PM
the thing is I imported the firewall settings from an older "sibling" OPNsense where these settings worked (let traffic pass)

so the settings that worked before stopped working silently (was a hell to figure out the reason). Don't think that's how it should be (esp. if you use these options for what they are intended to do)

Perhaps the reason the rules worked on the "sibling" could be due to the interface being a VLAN, whereas on this one it isn't.
#8
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by Maurice - Today at 02:16:52 AM
OPNsense 26.1.10 aarch64 packages and sets released.
#9
26.1, 26,4 Series / Re: WAN Interface speed duplex...
Last post by stumper - Today at 01:25:21 AM
Only unshielded cables are used. I had heard about the shielded cable issues previously as well. Protectli support is stumped as well, but have offered to send a replacement unit, which is encouraging.

#10
I would start looking for clues in two places: the message buffer and the system log, which is /var/log/system/latest.log
Perhaps a live tail (tail -f) whilst renewing the DHCP lease from the ISP.