Recent posts

#1
GRE does not have ports. It's its own protocol on top of IP independent of TCP and UDP. Port 0 might be a historical frontend abstraction of some product for not having port numbers at all.
#2
If it is not up to date, it only works via the command line.

E.g. "pkg install os-dyndns".

But I wouldn't do that if the OPNsense version is too old, since dependencies may be missing.
#3
General Discussion / Re: Why do I need to temporari...
Last post by tbk49 - Today at 09:28:01 PM
I can't tell whether you are having a joke here or not, but if not, you're telling me that neither OPNsense nor FreeBSD has solved a 20-year-old problem?...
#4
26.1, 26,4 Series / Re: When to migrate to new fir...
Last post by mlenje - Today at 08:47:31 PM
I migrated the rules this morning, and the process was surprisingly easy. I took screenshots of all my existing rules beforehand, then followed the migration assistant, making a snapshot and downloading the configuration. It went smoothly. I was stressed for nothing!
#5
German - Deutsch / Re: [WON'T SOLVED] Plugin Inst...
Last post by fastboot - Today at 08:24:57 PM
I'm a bit stuck here?!?

Is it really the case that if the Sense isn't on the latest version, you can't get any plugins installed?! I probably haven't been in that situation before, but it still seems a bit suspicious?
#6
26.1, 26,4 Series / Re: Help With DHCP, IPv6 and D...
Last post by meyergru - Today at 08:15:30 PM
AFAIK, macOS does requests in parallel, Windows does a fallback and goes back to preferred order. Unbound uses a sophisticated model preferring the fastest server - which is what many clients also do via the "Happy Eyeballs" approach. Whatever the case, this scheme does stop eventually once you factor in IPv6: Because you can only supply DNS server IPs of "your own kind" in any type of IP protocol, you have independent settings. So, which one will be preferred in the presence of both IPv4 and IPv6 DNS servers?

Before you say: "IPv6 is always preferred" - just today I had a case where I had augmented a DynDNS entry for a CG-NAT connection with a fixed IPv4, which has a reverse proxy to make the IPv6-only connection work for IPv4, too. Thus, the DynDNS name now refers to both an IPv4 and an IPv6.

And guess what? That broke a WireGuard PC client, which just happens to prefer IPv4 and thus did not reach the real IPv6 backend, but the IPv4 proxy (which did not have a WireGuard service). So there,

What can we learn from this? Patrick is right: Do not rely on DNS server ordering for ANY client. RFC 2132 is not helpful, either, because it only covers what an IPv4 server SHOULD do - i.e., it does not say:

a. what the server MUST do.
b. what the client SHOULD or MUST do.
c. what the client SHOULD or MUST do when an additional IPv6 DNS server list is provided.
#7
26.1, 26,4 Series / Re: PPPoE Connection Issue
Last post by Liran - Today at 08:04:07 PM
Quote from: nero355 on Today at 07:29:35 PM
Quote from: Liran on Today at 09:17:14 AM
For some reason when the PPPoE connection is established, the device is getting a 10.x.x.x IP address instead of my public one.

According to the ISP, when this IP shows as connected they see a connection.
Sounds like my old ADSL connection back in 1999 or so :
- Client PC = 10.0.0.150
- ADSL Modem = 10.0.0.138
- PPTP Connection between the two.
- Actual WAN IP Address = 80.60.146.6

So my question here is : Do you have a working Internet Connection or not ?!

And what does something like https://whatismyipaddress.com/ show in the current situation ?

The output of tracert/traceroute would be nice to see too :)

In this case, "the device" = the WAN interface. So there's no internet; I cannot ping anything except the 10.x.x.x WAN address or the local network (192.168.1.0/24).

The issue is that I seem to have no proper route outside. I'll post more data tomorrow to include logs, the gateways that are automatically created and other settings. In the meanwhile, anything I can try is welcome.
#8
26.1, 26,4 Series / Re: Help With DHCP, IPv6 and D...
Last post by nero355 - Today at 07:37:38 PM
Quote from: WiteWulf on Today at 04:35:37 PM
RFC 2132 states that:
Quote
Servers SHOULD be listed in order of preference
So yeah, it's down to the client whether or not it respects the preference/order.

I believe macOS, Windows and Linux all respect the order given by the DHCP server, trying them in order, not parallel.
I don't know about others, like iOS and Android.

My PiHole is an adblocker, for convenience, not for filtering/blocking/censoring any other content, so I'm happy with this.
Like I said earlier : Mixing DNS Servers is not something you want for your network.

So I fully agree with :
Quote from: meyergru on June 30, 2026, 07:04:32 PM
AFAIK, this is a common misconception: There is no guaranteed order if you specify multiple DNS servers. A client may choose to send out the DNS queries in parallel and take the first answer. Thus, the order is arbitrary, so this is not a "fallback" in its strict sense. This exact behaviour can be detrimental for DNS blocking.
&
Quote from: Patrick M. Hausen on Today at 04:48:18 PM
As a firewall administrator you cannot rely on the client systems behaving in any particular manner nor can you force them to do so.

If I had a separate e.g. Pihole device I would hand that via DHCP to clients and that device only.
Then block all other DNS requests but from the named Pihole device.
:)

When it comes to this :
Quote from: Patrick M. Hausen on Today at 04:48:18 PM
All Unix-like operating systems' resolver libraries have historically used the entries in /etc/resolv.conf in round-robin fashion.
I don't know what current e.g. systemd based implementations do.
My understanding is that some operating systems check who replies faster and then stick with that DNS Server until something changes for whatever reason...
#9
26.1, 26,4 Series / Re: PPPoE Connection Issue
Last post by nero355 - Today at 07:29:35 PM
Quote from: Liran on Today at 09:17:14 AM
For some reason when the PPPoE connection is established, the device is getting a 10.x.x.x IP address instead of my public one.

According to the ISP, when this IP shows as connected they see a connection.
Sounds like my old ADSL connection back in 1999 or so :
- Client PC = 10.0.0.150
- ADSL Modem = 10.0.0.138
- PPTP Connection between the two.
- Actual WAN IP Address = 80.60.146.6

So my question here is : Do you have a working Internet Connection or not ?!

And what does something like https://whatismyipaddress.com/ show in the current situation ?

The output of tracert/traceroute would be nice to see too :)
#10
Caddy is not a general purpose ACME certificate tool.

The ACME capabilities of caddy without its reverse proxy core would be certmagic:
https://github.com/caddyserver/certmagic

CertMagic is designed to be embedded into Go applications, with certificate management tightly integrated into the application itself.

The whole framework is for packaging the ACME capabilities with the tools, not for having a Swiss army knife for any application like, for example, the acme.sh project.

All in all, there is nothing we can or should do here; the generic tool for the job is acme.sh.