Recent posts

#1
German - Deutsch / Re: Kann DMZ aus LAN nicht err...
Last post by SMG - Today at 12:21:48 AM
Interfaces to capture - select all
gc0 [LAN]
igc1 [WAN]
re0 [DMZ]
lo0 [Loopback]
enc0
pflog0
pfsync0
wg0 [HedwigWireGuard]


DMZ
re0 2026-01-29
00:13:57.571658 68:84:7e:xxxxxx 00:e0:4c:xxxxxx IPv4, length 98: 192.168.0.48 > 192.168.10.4: ICMP echo request, id 5, seq 963, length 64
DMZ
re0 2026-01-29
00:13:58.591672 68:84:7e:xxxxxx 00:e0:4c:xxxxxx IPv4, length 98: 192.168.0.48 > 192.168.10.4: ICMP echo request, id 5, seq 964, length 64
LAN
igc0 2026-01-29
00:13:57.571638 44:37:e6:xxxxxx 02:76:c6:xxxxxx IPv4, length 98: 192.168.0.48 > 192.168.10.4: ICMP echo request, id 5, seq 963, length 64
LAN
igc0 2026-01-29
00:13:57.972811 02:76:c6:xxxxxx d8:47:32:xxxxxx IPv4, length 118: 192.168.0.1 > 192.168.0.71: ICMP 132.163.96.6 udp port 123 unreachable, length 84
LAN
igc0 2026-01-29
00:13:58.591649 44:37:e6:xxxxxx 02:76:c6:xxxxxx IPv4, length 98: 192.168.0.48 > 192.168.10.4: ICMP echo request, id 5, seq 964, length 64


Looks like everything only ends up on LAN and DMZ

"I assume re0 is the DMZ interface."
- yes
#2
General Discussion / Re: Device Monitor - a tool fo...
Last post by xXHelperXx - Today at 12:14:04 AM
Wow this is amazing!
Thanks for creating and sharing this tool. I'll give it a try.
#3
General Discussion / Re: DNSmasq RA MTU
Last post by Boxer - Today at 12:02:47 AM
Thanks very much for the pointers, I will go through it thoroughly tomorrow.
#4
General Discussion / Re: DNSmasq RA MTU
Last post by meyergru - January 28, 2026, 11:51:48 PM
Ah, so you only got problems because of PPPoE. Yes, you should use the same MTU as on WAN, because if you do not clamp your MSS, you may experience problems with sites that have defective PMTUD.

You can also try this - but only if your ISP supports mini jumbo frames... if that works, you can use the "usual" 1500 byte MTU and problems such as this will be resolved. There is no 100% guarantee, though.
#5
General Discussion / Re: Securing interactive hospi...
Last post by nero355 - January 28, 2026, 11:44:00 PM
Quote from: meyergru on January 28, 2026, 10:52:34 AM
Because that would be just as bad...

Just like someone working in an environment that's apparently above his level if he needs to ask about Firewall Rules advice for it on a forum... -_-
#6
German - Deutsch / Re: Kann DMZ aus LAN nicht err...
Last post by Patrick M. Hausen - January 28, 2026, 11:43:46 PM
I suspected that you might be routing 192.168.10.0 incorrectly, e.g. because you entered it in the "AllowedIPs" for WireGuard. But that is not the case. I assume re0 is the DMZ interface.

Then run a packet trace on all the other interfaces (WAN, WireGuard) while you send the ping from the LAN into the DMZ. The packets have to end up somewhere. Once we know where, we can look at why.
#7
German - Deutsch / Re: Kann DMZ aus LAN nicht err...
Last post by SMG - January 28, 2026, 11:18:11 PM
Routing tables

Internet:
Destination        Gateway            Flags         Netif Expire
default            178.201.166.1      UGS            igc1
10.10.10.0/24      link#8             U               wg0
10.10.10.1         link#4             UHS             lo0
10.10.10.2         link#8             UHS             wg0
10.10.10.3         link#8             UHS             wg0
10.10.10.4         link#8             UHS             wg0
10.10.10.5         link#8             UHS             wg0
80.69.96.12        178.201.166.1      UGHS           igc1
81.210.129.4       178.201.166.1      UGHS           igc1
127.0.0.1          link#4             UH              lo0
178.201.166.0/23   link#2             U              igc1
178.201.167.223    link#4             UHS             lo0
192.168.0.0/24     link#1             U              igc0
192.168.0.1        link#4             UHS             lo0
192.168.10.0/24    link#3             U               re0
192.168.10.1       link#4             UHS             lo0

Internet6:
Destination                       Gateway                       Flags         Netif Expire
default                           fe80::201:5cff:fe77:4a46%igc1 UGS            igc1
::1                               link#4                        UHS             lo0
2a02:908:2:a::1                   fe80::201:5cff:fe77:4a46%igc1 UGHS           igc1
2a02:908:2:b::1                   fe80::201:5cff:fe77:4a46%igc1 UGHS           igc1
2a02:908:1900:6::1bee             link#4                        UHS             lo0
2a02:908:1900:8::/64              link#2                        U              igc1
2a02:908:1960:e5a0::/64           link#1                        U              igc0
2a02:908:1960:e5a0::/59           link#4                        USB             lo0
2a02:908:1960:e5a0:76:c6ff:fe01:6d6d link#4                     UHS             lo0
2a02:3102:8001:d7::/64            link#2                        U              igc1
2a02:3102:8001:80d7::/64          link#2                        U              igc1
fd00::/64                         link#2                        U              igc1
fe80::%igc0/64                    link#1                        U              igc0
fe80::76:c6ff:fe01:6d6d%lo0       link#4                        UHS             lo0
fe80::%igc1/64                    link#2                        U              igc1
fe80::76:c6ff:fe01:7154%lo0       link#4                        UHS             lo0
fe80::%lo0/64                     link#4                        U               lo0
fe80::1%lo0                       link#4                        UHS             lo0

#8
26.1 Series / Re: radvd warnings
Last post by OPNenthu - January 28, 2026, 11:15:52 PM
Quote from: Incogni on January 28, 2026, 07:50:07 PM
I had the same issue but then I noticed I used router advertisements from DNSmasq and forgot to disable the RAs under Services->Router Advertisements.

I had a little bit of weirdness after upgrade to -RC2 which franco pointed out to me might have been caused by past options I was using.

IMO, it doesn't hurt for folks upgrading from an older install to check once under Services->Router Advertisements afterward just to make sure everything is still as expected. Especially if you maybe once used radvd with "Allow manual adjustment of DHCPv6 and Router Advertisements" but are now using Dnsmasq RAs.
#9
General Discussion / Re: DNSmasq RA MTU
Last post by Boxer - January 28, 2026, 11:08:07 PM
Ok, thanks meyergru. Leaving it blank (default) gives me issues with Microsoft websites. I would be interested in knowing what the default MTU value is but I'm unable to find any such documentation.

And since dnsmasq dhcp will be the default option for most home networks going forward I think it would be helpful if there was at least a note in the opnsense docs regarding this. Unless I've just run into a bug.
#10
25.7, 25.10 Series / Re: Dnsmasq stops occasionally
Last post by ligand - January 28, 2026, 11:05:53 PM
All patched and logging turned on. :-). I also turned on RA in dnsmasq and turned off radvd.

Patching file opnsense/service/templates/OPNsense/Dnsmasq/dnsmasq.conf using Plan A...
Hunk #1 succeeded at 152.
No such line 354 in input file, ignoring
Hunk #2 succeeded at 347 (offset -8 lines).
done
All patches have been applied successfully.  Have a nice day.