Recent posts

#1
Custom configs uploaded to GitHub
#2
Virtual private networks / Re: WireGuard ProtonVPN connec...
Last post by ctrom - Today at 06:30:10 PM
Quote from: DEC740airp414user on Today at 05:51:29 PM
OPNsense manual says MSS needs to be 40 below MTU.
Yours seems way too low.

Better link: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I started with a higher value and decreased it as part of my experimentation. Setting it to 1380 or 1360 doesn't improve the behavior. I was under the impression that setting a lower max mss would reduce network performance, but otherwise not affect the behavior of the packets, so even if it was lower than necessary, I should be able to get packets across the network. Is that inaccurate?
#3
Quote from: ctrom on Today at 02:26:35 PM
Quote from: DEC740airp414user on Today at 10:49:39 AM
Did you set the MTU on the interface you created for the WireGuard tunnel?

1400 seems to work well for my needs.

Then "Go to Firewall ‣ Settings ‣ Normalization and add a new rule to prevent fragmentation of traffic going through the wireguard tunnel." https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html  Clamp MSS to 1360.

I have edited my earlier reply with my configuration details to include my current settings for normalization.

OPNsense manual says MSS needs to be 40 below MTU.
Yours seems way too low.

Better link: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

#4
26.1 Series / Re: KeaDHCP dynamic DHCP quest...
Last post by Monviech (Cedrik) - Today at 05:50:18 PM
A trick: you can leave the pool in a subnet empty (don't specify a range in it); then you can work with reservations only.
#5
French - Français / Installation de Battle.net blo...
Last post by Eldritch96 - Today at 05:33:57 PM
Hello,

I can't install Battle.net behind OPNsense 26. The installer systematically hangs at 5% on all my Windows machines.

Configuration:
- OPNsense 26 on a Lenovo M70s (Intel Core 8th gen, 8 GB RAM)
- Freebox Pop in bridge mode
- WireGuard active for remote RDP access
- HAProxy for access to Home Assistant and other services
- Outbound NAT in automatic mode
- No DNS blocking rules, Suricata disabled

What I have checked and ruled out:
- Suricata/IDS: disabled, no change
- DNS blocklist: empty, no domains blocked
- MTU/MSS: tested several values, no change
- LAN firewall rules: allow all any in place + explicit rule for port 1119
- HAProxy: disabled for testing, no change
- WireGuard: possibly the culprit, but I'm remote; if I shut it down I lose access
- Double NAT: public IP directly on WAN, no double NAT
- Hardware offloading: disabled on WAN and LAN, no change
- IPv6: disabled on the PC for testing, no change
- DNS64: disabled

Wireshark diagnostics:

LAN-side capture - the PC sends correctly:
```
SYN Win=65535 MSS=1460 WS=256 SACK_PERM
```

The Blizzard server replies:
```
SYN-ACK Win=0 MSS=1460 (no SACK_PERM)
```

WAN-side capture - the NATed SYN goes out with:
```
SYN Win=0 MSS=1460 (no WS, no SACK_PERM)
```

Crucial fact: running `fetch -o /dev/null http://us.patch.battle.net:1119/bts/versions` directly from OPNsense over SSH works perfectly (3515 bytes received). OPNsense's SYN goes out with `Win=65228 WS=128 SACK_PERM TSval=xxxx` and the server replies normally with `Win=65228 SACK_PERM`.

In summary: the Blizzard server replies `Win=0` to NATed Windows connections but replies normally to direct connections from OPNsense (FreeBSD). This looks like TCP fingerprinting on Blizzard's side that treats FreeBSD connections differently from NATed Windows connections.

Has anyone run into this problem and found a solution? I'm at the end of my rope and have been trying to fix this for hours...
I'll reset OPNsense tonight to see how it behaves out of the box and will post the result here.

Thanks in advance.
#6
26.1 Series / Re: turnserver (coturn) plugin...
Last post by ikkeT - Today at 05:12:44 PM
I found a test utility. It hangs like this from LAN:

```
turnutils_uclient -p 5439 -w long_thing -v -y my.example.com
0: (1158733): INFO: IPv4. Connected from: 192.168.1.59:50155
0: (1158733): INFO: IPv4. Connected to: 1.2.3.4:5439
0: (1158733): INFO: allocate sent
```
#7
26.1 Series / Re: Restore config.xml in 26.1...
Last post by nero355 - Today at 05:06:39 PM
Quote from: Mr_Flibble on March 17, 2026, 10:34:47 PM
the original static DHCP listings
Small TIP for when you get everything working again:

You can Export all Static DHCP Mappings from ISC/KEA/DNSmasqd to a .CSV file and Import it back into ISC/KEA/DNSmasqd again.

So switching between any of those DHCP Services has been made very easy and without any issues too! :)
#8
26.1 Series / Re: RAM usage changed
Last post by nero355 - Today at 04:55:31 PM
Why is everyone talking about increased RAM usage while that is not the case here:
Quote from: Tubs on March 15, 2026, 08:46:10 PM
The new system has double amount of RAM but still is using less: 4,5 GB instead of 6,5 GB. This somehow I cannot explain.
And IMHO that is a good thing!

A lot of software has become a resources hog while OPNsense apparently got more efficient! :)
#9
26.1 Series / Re: KeaDHCP dynamic DHCP quest...
Last post by stauf - Today at 04:51:45 PM
Sorry for so many spam messages here. I believe I figured out part of the issue. On the Leases DHCPv4 tab, it is showing that KeaDHCP has doled out all addresses in the pool. I guess it makes sense why it can't dole out any new ones. I am confused what these leases are though. One of them appears to be valid and has a hostname associated with my wife's phone (and a lifetime of 4000, the configured value of "valid lifetime"). The rest all have a large lifetime of 86400 and no hostnames or MAC addresses associated with any of them. Why would KeaDHCP dole out an address to a device without a MAC address?
#10
General Discussion / Re: Importer not importing con...
Last post by nero355 - Today at 04:49:18 PM
IMHO the whole procedure with two USB Sticks of which one just holds the config.xml in a directory called /conf/ is just weird...

Why can't I just create that same directory on the USB Stick that holds the OPNsense installation and be done with it?!

So yeah...

A fresh install and the assistance of the webGUI to restore everything is a lot easier and more convenient :)