Recent posts

#1

General Discussion / DNS Queries on my firewall fro...

Last post by MrLee - Today at 07:12:00 PM

I'm using OPNSense as a edge router on my network.
I have to permit most IP Traffic through to allow my devices inside to work.

In my firewall logs I see a lot of DNS Queries hitting my "inside" interface.
is there a way to specifically block this through rules?

my router is not a DNS Server for anything that I need.

#2

General Discussion / Re: Trouble with VLAN setup on...

Last post by pfry - Today at 06:24:11 PM

Forgive me if I fail to understand the setup but aren't these two ends only access ports in reality? What is marking the packets with a VLAN tag if there is no managed switch there to do it?

The endpoints/access ports. It's segregation with extra steps. Without virtual system or VRF support it's (almost*) entirely rule-based, but what the heck, it's a choice. The bridge adds a bit of a twist, but I can't think of anything really unique about it as described. Setting up VLANs might make insertion of a switch at some point easier.

In this case, it's a troubleshooting opportunity, so to speak.

And of course there may be aspects I'm missing.

* You could get into different Ethernet attributes, but again, I can't think of any real difference between VLAN segregation and none.

#3

German - Deutsch / Re: Wireguard VPN Verbindung a...

Last post by meyergru - Today at 06:22:27 PM

Hast Du Firewall-Regeln definiert, die den Zugriff erlauben? Die Eintragungen im Wireguard selbst reichen dafür nicht.

Damit kommst Du nur bis zur Tunnel-IP - damit kannst Du übrigens auch checken, ob die WG-Verbindung wirklich funktioniert.

#4

Zenarmor (Sensei) / Re: Zenarmor Packet Engine Not...

Last post by sy - Today at 05:32:42 PM

Hi,

"dev.netmap.ring_size" could be maximum 1024. Please chance it.

#5

German - Deutsch / Wireguard VPN Verbindung aufge...

Last post by BeTZe313 - Today at 04:20:44 PM

Hallo Zusammen,
ich habe bei mir auf der OPNsense WireguardVPN installiert und konfiguriert. Auf deinem Windwos PC habe ich jetzt den Client installiert und auch konfiguriert. Laut Log im Client wird eine Verbindung aufgebaut. In Status der OPNsense steht die Verbindung auf auf grün.

Leider habe ich aber das Problem, dass ich über den Windwos PC nicht auf der Netzwerk der OPNsense zgreifen kann. Wenn ich z.B. die OPNsense anpinge oder im Browser die Config öffnen will, klappt das nicht. Genauso auch nicht anders herum.

Meine Config sieht jetzt so aus:
OPNsense
Instance (WG1)
Public Key und private Key generiert
Listen port: 51820
Tunnel Address: 10.123.123.1/24
Peers: externer PC

Peer
Public Key vom Windows PC
Allowed IPs: 10.132.132.11/32
Endpoint address: feste ip Windows pc
Endpoint Port: 51820
Instance: WG1
Keepalive interval: 25

Windows PC
Interface
PrvateKey
Address = 10.123.123.11/32
DNS: 10.123.123.1

Peer
PublicKey: von der OPNsense
AllowedIPs: 10.123.123.0/24
Endpoint: feste ip OPNsense:51820

Log vom Windwos PC
2025-11-24 16:18:01.303913: [TUN] [WBR] Retrying handshake with peer 1 (feste ip OPNsense:51820) because we stopped hearing back after 15 seconds
2025-11-24 16:18:01.303913: [TUN] [WBR] Sending handshake initiation to peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:01.330953: [TUN] [WBR] Receiving handshake response from peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:01.330953: [TUN] [WBR] Keypair 2 created for peer 1
2025-11-24 16:18:01.330953: [TUN] [WBR] Sending keepalive packet to peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:01.351185: [TUN] [WBR] Receiving keepalive packet from peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:17.220642: [TUN] [WBR] Retrying handshake with peer 1 (feste ip OPNsense:51820) because we stopped hearing back after 15 seconds
2025-11-24 16:18:17.220642: [TUN] [WBR] Sending handshake initiation to peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:17.246537: [TUN] [WBR] Receiving handshake response from peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:17.246537: [TUN] [WBR] Keypair 1 destroyed for peer 1
2025-11-24 16:18:17.246537: [TUN] [WBR] Keypair 3 created for peer 1
2025-11-24 16:18:17.246537: [TUN] [WBR] Sending keepalive packet to peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:17.267705: [TUN] [WBR] Receiving keepalive packet from peer 1 (feste ip OPNsense:51820)

Hat jemand vielleicht eine Idee, woran das liegen kann, dass ich im anderen Netz nichts erreiche?

Danke im voraus.

#6

General Discussion / Re: Trouble with VLAN setup on...

Last post by cookiemonster - Today at 03:20:17 PM

Forgive me if I fail to understand the setup but aren't these two ends only access ports in reality? What is marking the packets with a VLAN tag if there is no managed switch there to do it?

#7

General Discussion / Weird DHCP Problem?

Last post by spetrillo - Today at 02:47:06 PM

Morning all,

I seem to be having a very weird DHCP problem with my wireless devices only. I am not sure if DHCP is the real problem or what is just showing up as the problem. Every 6 hours or so my wireless devices seem to lose connectivity, meaning they try to obtain an IP and cannot. It fails, so that is why I am saying DHCP. Now here comes the weird part. I reboot my OPNsense firewall and connectivity is restored.

What would you look at to determine what is happening? I see nothing obvious in the DHCP logs, but either my wireless subnet loses its gateway or DHCP is doiing something funny.

Thanks,
Steve

[32Gb ram + 1T ssd]

#8

Hardware and Performance / Re: N150 / N355 good fits?

Last post by Seimus - Today at 02:36:44 PM

IDK if zenarmor has finally made the jump to being multithreaded, there was a long ongoing discussion about that. If not, then an N355 will probably do nothing at all over an N150, because it only has more cores.

Any type of IDS/IPS will stress the CPU way more than pure routing. With an N150 and without IDS, you should get 10G routing throughput (or close to it, because most 82559-based devices cannot really reach full 10G speed.

I will added here the blanks to @meyergru response.

ZA still doesn't officially support multi-core. Its in development. Further more it seems they will really go with a pay wall for this feature.
You can read the following and make your own opinion > https://forum.opnsense.org/index.php?topic=41295.0

N355 Single core performance is bit better than the N150. So granted the performance on ZA should be bit better, but don't expect 10G throughput. I am currently unaware of any cheap low powered CPU that could handle this. And I would argue that not even the official DEC can do it. (Maybe the devs did test the enterprise classed DECs and can confirm? :))

If you don't use non-multicore based IDSes you have a chance to get 10G throughput. The N100/N150 can handle 2.5G throughput on single core without IDS.

I have listed these with 32Gb ram + 1T ssd:
N150 (+-450€)
N355 (+-560€)
N355 (+-704€) <- the one with 4x2.5G instead of 2x.
i5 1334U (850€) 4x2.5G, 20pci lanes vs 9.

These prices are crazy. I bought like last week for LAB a N355 2x10G AQC113 + 4x2.5G i226-V for way less providing my own RAM and NVME.

Regards,
S.

#9

German - Deutsch / Re: OPNSense Business 25.4.2 -...

Last post by viragomann - Today at 02:35:38 PM

Danke für den Hinweis. Das sollte man wissen.

Wäre wünschenswert, wenn die GUI nicht kompatible Zeichen nicht erlauben würde, bzw. wenn zumindest ein Hinweis vorhanden wäre. Aber leider nichts davon.
Ich habe Minus im Namen. Das macht kein Problem. Zufällig.

#10

German - Deutsch / Re: OPNSense Business 25.4.2 -...

Last post by Daniel.Hauptmann - Today at 01:37:06 PM

Habe das Problem lösen können. Es lag "nur" daran, das unter VPN -> IPSec -> Connections -> Pools: Im "Namensfeld" ein Eintrag mit dem Sonderzeichen "." "Punkt" vorhanden war. Habe diesen gelöscht und einen neuen erstellt ohne dieses Sonderzeichen und alles funktioniert wie gewollt!