Recent posts

#1
26.1 Series / Re: Disk 0%
Last post by Karla - Today at 08:42:15 PM
Can you post a screenshot of the dashboard?
#2
26.1 Series / Re: Unbound won't start 26.1.1...
Last post by iddqd - Today at 08:38:28 PM
Installed and rebooted but the problem persists. Same error messages.

root@OPNsense:~ # pkg install -f unbound
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
   unbound-1.24.2_1

Number of packages to be reinstalled: 1

2 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching unbound-1.24.2_1.pkg: 100%    2 MiB   1.6MB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Reinstalling unbound-1.24.2_1...
===> Creating groups
Using existing group 'unbound'
===> Creating users
Using existing user 'unbound'
[1/1] Extracting unbound-1.24.2_1: 100%
root@OPNsense:~ #
#3
Wanted to start with a thank you, the /usr/local/etc/suricata/conf.d/custom.yaml appears persistent and this allows us to further customize Suricata, thank you OPNSense!! We have had difficulty customizing and having it persist until now.

The issue found appears to be that BPF Filtering via netmap in the Suricata config does not appear to work; hosts/networks filtered still show up in the Suricata alerts. The netmap area of suricata.yaml from OPNSense 25.x to OPNSense 26.x appears to have gone through a lot of changes.

The new divert feature is one of the new elements I have not had a chance to explore; I'm still using netmap, and while it seems OPNSense hardcodes IPS mode for Suricata's netmap (you can select IDS and it still puts netmap into IPS mode (copy-mode: ips)), I have, using the custom.yaml, set it to "copy-mode: tap".

The documentation for BPF-Filtering within Suricata shows this as an example:

not (host IP1 or IP2 or IP3 or net NET/24)

A most desired filter is between a subnet and one or more other subnets, and I've tried this in several methods. So far none of the BPF filters work with Suricata - does anyone use this and/or have experience?
#4
26.1 Series / Re: Unbound won't start 26.1.1...
Last post by newsense - Today at 08:24:04 PM
pkg install -f unbound
See if unbound starts after, and please post the full output from the reinstall command above
#5
26.1 Series / Disk 0%
Last post by FredFresh - Today at 08:20:14 PM
Recently I did a clean install using the ZFS system, but now the disk usage widget always shows 0%. Any help on how I can fix this?
Thanks
#6
26.1 Series / [SOLVED] API Unavailable for P...
Last post by jonny5 - Today at 08:00:49 PM
Did the upgrade to 26.1.3, everything so far was working, except a home grown automation to sync stuff gathered from the OPNSense API, Portainer, and kept in a Redis Cache to my BIND setup. This is done by a Python script.

In a most strange interaction, when use case testing in Python using requests, http, or httpx, I was not able to reach, or more correctly connect to, OPNSense's API, but Postman/CURL both could - and got valid responses back. Tested the HTTP/1.1 or HTTP/2 nature; it always worked for Postman and CURL, never worked for Python.

So I went back to the OPNSense, maybe I could re-reset some stuff, started simple - restarted the System Configuration Daemon and then Web GUI services from the Web GUI, suddenly Python is working again.

Also did another restart of the OPNSense (it restarted initially after the upgrade), and the issue did not present itself again. So this is just a heads up to any that might hit whatever edge case I did: restart services and/or the host, and it should work again.
#7
26.1 Series / Re: Unbound won't start 26.1.1...
Last post by iddqd - Today at 07:54:23 PM
root@OPNsense:~ # opnsense-update -p
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (74 candidates): 100%
Processing candidates (74 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: 100%
Nothing to do.
Flushing temporary package files... done
#8
26.1 Series / Re: What to do with "Rules" no...
Last post by senseOPN - Today at 07:54:16 PM
Thinking again about this, it just feels like a bad idea to define "floating" rules by the number of affected interfaces.

Floating rules need to be a separate group, executed before all other rules - but they should also be possible for just one interface - they just have a generic character.

And on the other hand, regular interface rules should be definable for multiple interfaces without affecting the sequence.

There are plenty of reasons to allow or block something at certain points of the rules and to be able to do this for more than one interface.

Disallowing this just makes the rules more messy, and I now need to add any such rule for each of the required interfaces!
#9
26.1 Series / Re: What to do with "Rules" no...
Last post by Patrick M. Hausen - Today at 07:49:07 PM
Quote from: NEOSA on Today at 05:53:09 PM
Below the rules shown in the legacy rules setup:

https://imgur.com/a/7JU9MP9

Could you please attach that image to a post on this forum. I cannot see that since I block imgur.
#10
26.1 Series / Re: What to do with "Rules" no...
Last post by senseOPN - Today at 07:46:34 PM
Quote from: OPNenthu on March 03, 2026, 10:20:02 PM
Not sure I understand this, but I'm interested. Can you elaborate on what you mean by "late" rule?

See below

Quote from: OPNenthu on March 03, 2026, 10:20:02 PM
There's a kind of open challenge from the devs to come up with cases that no longer work in the new Floating system:

https://github.com/opnsense/core/issues/9652

That's great, going to check this!

For example:

I could have allowed some port from interface A to interfaces B and C, only.
And after this rule, add a generic block for this port for all local interfaces and all remote IPs (on WAN).

But adding this "late" rule, will now move it to the top, to the floating rules, as I need to add all interfaces.
So, now it blocks this port everywhere and the original rules cannot be reached anymore.
That is ... stupid, or? ;-)

Yes, I still can add ALL interfaces one by one, so that the late rules don't get moved to the top - but that's also stupid, right?


Quote from: OPNenthu on March 03, 2026, 10:20:02 PM
I think so far the devs are winning with the caveat that you have to use a dummy or loopback interface to avoid splitting related Floating rules across interfaces :P

I don't understand.
Could you elaborate?