Recent posts

#1
General Discussion / Re: Crowdsec & floating rules ...
Last post by cyb_tachyon - Today at 10:18:15 PM
Mods please delete, apparently the form got submitted twice.
#2
General Discussion / Crowdsec & floating rules appe...
Last post by cyb_tachyon - Today at 10:16:56 PM
Crowdsec and floating rules appear as "Default deny / state violation" in 26.1 logs. This makes it incredibly difficult to troubleshoot.

  • To reproduce, enable Crowdsec plugin and defaults.
  • Whitelist your local host IPs (192.168.1.0/24).
  • Start docker instances that use port forwarding for a range of port connections.
  • Note that the docker instances will be blocked from outgoing traffic on those ports after Crowdsec makes a decision to block.
  • Note that the logs do NOT indicate this, and instead treat all Crowdsec decision floating rules as "Default deny / state violation".

Desired result: Floating rules are logged by their origin (plugin name or automatic), or if not possible, floating rules appear as "Floating Rule".
Workaround: Whitelist Docker IP subnets in Crowdsec, and add Firewall Rules (New) specific for Docker IP subnets (172.15-20.0.0/16).

Related threads:

Network Setup:
  • OPNsense 26.1.6_2 (latest) on an AMD SoC, 3 Intel NICs.
  • NIC 0 to Cable Modem (WAN).
  • NIC 1 to 10G home network, 10G dumb switches no other routing equipment (LAN).
  • No VLANs or anything yet. Still haven't graduated from basic networking.
  • Debian 13 on an Intel NIC large host.
  • Multiple other PCs wired in.

OPNsense Setup:
  • IPV6 disabled (some of the PCs and apps have a fit and refuse to work on IPV6).
  • Unbound DNS installed, enabled, and set up with overrides that match aliases.
  • Aliases set up for IPv4 for Debian 13 PCs.
  • ACME Client installed and configured.
  • CrowdSec installed and configured with whitelist for 192.168.1.106.
  • ISC DHCPv4 migrated from 25.
  • NAT (New) migrated from 25, old rules removed.

Debian 13 Setup:
  • Default settings for the NIC.
  • Default settings for Docker install (bridge mode NAT).
  • Using a docker instance to start port scanning-like activity.
#4
Virtual private networks / Re: Wireguard Logging
Last post by Charger93 - Today at 10:07:48 PM
Quote from: mtchetch on March 13, 2026, 01:20:05 PM
Because of the acute lack of solutions I decided to roll my own and share it.

An easy way of doing this with minimal modifications is to use userscripts.

The script has been tested on OPNsense 26.1.1-amd64

Steps to implement:

Log into the firewall shell with SSH and create the script file:

vi /usr/local/opnsense/service/conf/actions.d/actions_wireguardlogger.conf
Add the content (if not familiar with vi: press i, paste the content, press Esc, then type :wq and press Enter)

[restart]
command: /bin/sh -c 'S=/var/db/wg-peer-cron.state; T=$(mktemp /tmp/wg-peer-cron.XXXXXX) || exit 1; M=$(mktemp /tmp/wg-peer-map.XXXXXX) || exit 1; N=$(date +%s); mkdir -p /var/db; python3 -c '\''import xml.etree.ElementTree as ET; root=ET.parse("/conf/config.xml").getroot(); [print(((c.findtext("pubkey") or "").strip())+"|"+((c.findtext("name") or "").strip())) for c in root.findall("./OPNsense/wireguard/client/clients/client")]'\'' > "$M"; /usr/bin/wg show all dump | awk -F "\t" -v now="$N" '\''NF==9{hs=$6+0; age=(hs>0?now-hs:999999999); st=(hs>0&&age<=300?"connected":"disconnected"); print $1 "|" $2 "|" st "|" hs "|" $4 "|" $5 "|" age}'\'' > "$T" && [ -s "$T" ] || { rm -f "$T" "$M"; exit 0; }; [ -f "$S" ] || : > "$S"; while IFS="|" read -r IF PK ST HS EP AL AGE; do O=$(awk -F "|" -v i="$IF" -v p="$PK" '\''$1==i && $2==p {print; exit}'\'' "$S"); OS=$(printf "%s" "$O" | awk -F "|" '\''{print $3}'\''); [ -n "$OS" ] || OS=unknown; PN=$(awk -F "|" -v p="$PK" '\''$1==p {print $2; exit}'\'' "$M"); [ -n "$PN" ] || PN=unknown; [ -n "$EP" ] && [ "$EP" != "(none)" ] || EP=unknown; [ "$ST" = connected ] && [ "$OS" != connected ] && logger -t wireguard -p auth.notice "wireguard peer connected: instance=$IF, peer_name=$PN, peer_pubkey=$PK, endpoint=$EP, allowed_ips=$AL, handshake_age=${AGE}s"; [ "$ST" = disconnected ] && [ "$OS" != disconnected ] && logger -t wireguard -p auth.notice "wireguard peer disconnected: instance=$IF, peer_name=$PN, peer_pubkey=$PK, endpoint=$EP, allowed_ips=$AL, handshake_age=${AGE}s"; done < "$T"; cut -d"|" -f1-6 "$T" > "$S"; rm -f "$T" "$M"'
parameters:
type: script
message: checking wireguard connections
description: Wireguard connection monitor and logger

Pay attention to the command parameter: the whole long command needs to be on one line.

Restart the configd service to see the new script:
service configd restart
Log into web management and go to system -> settings -> cron

Create a new job and set it to run every minute


If you did everything correctly the Wireguard log will start logging events every minute. These are accessible directly in the wireguard VPN log menu.

2026-03-13T14:04:00    Notice    wireguard     wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=56s
2026-03-13T14:03:00    Notice    wireguard     wireguard peer disconnected: instance=wg0, peer_name=laptop, peer_pubkey=9V3VB9ALJtB0lgvhpCetVVEbZW6YH6Rnk=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=513s
2026-03-13T13:58:12    Notice    wireguard     wireguard peer disconnected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=381s
2026-03-13T13:54:36    Notice    wireguard     wireguard peer connected: instance=wg0, peer_name=laptop, peer_pubkey=9V3VB9ALJtB0lgvhpCetVVEbZW6YH6Rnk=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=9s
2026-03-13T13:51:57    Notice    wireguard     wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=6s

Peers are marked disconnected when they have not handshaked in 300 seconds / 5 min.

For the life of me I do not understand why this simple logging is not part of the Wireguard implementation on every firewall, since it is essential to know who is accessing your firewall and from where.




That scripts runs perfectly fine, thank you so much!
At least a bit of information in the logs.
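The one-line script from the quoted post, rendered in Python as an added example (not mtchetch's code and not part of OPNsense): it parses `wg show all dump`, applies the same 300-second handshake threshold, and produces a message only when a peer's state differs from the last run. The dump lines, timestamps and keys are constructed placeholders, and peer names are passed in as a dict instead of being read from config.xml.

```python
from dataclasses import dataclass

HANDSHAKE_TIMEOUT = 300  # seconds since last handshake before a peer counts as disconnected

@dataclass
class Peer:
    iface: str
    pubkey: str
    endpoint: str
    allowed_ips: str
    age: int       # seconds since the latest handshake (huge if never)
    state: str     # "connected" or "disconnected"

def parse_dump(dump: str, now: int) -> list[Peer]:
    """Parse `wg show all dump`: keep the 9-field peer lines and skip the
    5-field interface lines (those carry the interface private key)."""
    peers = []
    for line in dump.splitlines():
        f = line.split("\t")
        if len(f) != 9:
            continue
        hs = int(f[5])                      # latest-handshake as epoch seconds, 0 = never
        age = now - hs if hs > 0 else 999999999
        state = "connected" if hs > 0 and age <= HANDSHAKE_TIMEOUT else "disconnected"
        endpoint = f[3] if f[3] != "(none)" else "unknown"
        peers.append(Peer(f[0], f[1], endpoint, f[4], age, state))
    return peers

def transitions(prev: dict, peers: list[Peer], names: dict) -> tuple[list[str], dict]:
    """Compare each peer with its previous state ((iface, pubkey) -> state) and
    return the syslog messages to emit plus the state map to persist for next run."""
    msgs, cur = [], {}
    for p in peers:
        key = (p.iface, p.pubkey)
        cur[key] = p.state
        if p.state != prev.get(key, "unknown"):  # a first sighting is logged as well
            msgs.append(f"wireguard peer {p.state}: instance={p.iface}, "
                        f"peer_name={names.get(p.pubkey, 'unknown')}, peer_pubkey={p.pubkey}, "
                        f"endpoint={p.endpoint}, allowed_ips={p.allowed_ips}, handshake_age={p.age}s")
    return msgs, cur

NOW = 1773388856  # constructed "current time" (epoch seconds)
NAMES = {"PHONE_PUBKEY_PLACEHOLDER": "phone", "LAPTOP_PUBKEY_PLACEHOLDER": "laptop"}
SAMPLE_DUMP = "\n".join([  # constructed `wg show all dump` output, tab-separated
    "wg0\tPRIVATE_KEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff",
    "wg0\tPHONE_PUBKEY_PLACEHOLDER\t(none)\t192.168.11.65:51888\t192.168.12.2/32\t1773388800\t1000\t2000\t25",
    "wg0\tLAPTOP_PUBKEY_PLACEHOLDER\t(none)\t192.168.11.228:54553\t192.168.12.3/32\t1773388300\t0\t0\t0",
])

EVENTS = transitions({}, parse_dump(SAMPLE_DUMP, NOW), NAMES)[0]  # first run: one event per peer
```

In a cron job each message in EVENTS would go to `logger -t wireguard -p auth.notice` and the returned state map would be written to the state file, exactly as the shell version does.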
#5
Quote: The service-sockets-require-all option... (Default is false).

It already is false in our default setup; if an IP address is unavailable it still fails. It will only not fail if an interface is down, that is retried.

I wonder how big the problem you describe actually is because you have the first report. There are lots of big HA setups out there that run this just fine it seems even if there is the potential for a race condition in lease assignment.

If you want to discuss it please open a github ticket, and if you are AI assisted please disclose it.

EDIT:

You can also use only a CARP IP on an interface as sole IP without attaching more IP addresses to it, then you won't have multi-IP interfaces either. That solution is quite common, e.g. for WAN interfaces that only have one free IP available in HA that both firewalls should share.
#6
Italian - Italiano / Re: VPN IPsec con Nat Before I...
Last post by TDSOTB - Today at 09:33:23 PM
Hi,

Er, sorry, what?

This guide is about a different, specific topic, namely how to create an IPsec VPN with NAT before IPsec.
Aliases are there precisely to create aliases, both for individual network objects and to group several of them, which makes it more readable and simpler to aggregate resources that share the same characteristic across the various configurations.

Forgive me, but I have not understood the point you are making. If you explain it better, some aspects of this post of mine can be extended and/or corrected.

Thanks.

Bye
#7
26.1, 26,4 Series / Re: UI/UX: The "moving" Apply ...
Last post by franco - Today at 09:24:06 PM
Thanks, it's actually a bit of a rabbit hole.  I ended up improving the IPsec connections page as it needed more attention for this particular topic and in general. Maybe someone will find it useful too.  :)


Cheers,
Franco
#8
Virtual private networks / Re: wireguard not working afte...
Last post by iorx - Today at 09:17:03 PM
Hi on myself and others!

Still got this problem it looks like. I resorted to an IP address, but it would be really nice if it is possible to get it working with a peer hostname instead.
Any way to resolve this?
Make WireGuard wait for the DNS service and maybe be a bit more stubborn on resolving the name? Make it wait for a while before starting?

from the log:
/usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command </usr/bin/wg syncconf 'wg1' '/usr/local/etc/wireguard/wg1.conf'> returned exit code 1 and the output was "Name does not resolve: `my-very-nice-dyn-hostname:55120' Configuration parsing error"


Brgs,
#9
German - Deutsch / Re: OPNSense bekommt keine IPv...
Last post by gothbert - Today at 08:20:32 PM
Thanks.

Today I also tried a long disconnect (over an hour), and lo and behold, afterwards I had IPv6 connectivity again.

Both with and without "Request prefix only".

Many thanks for your support!
#10
High availability / Re: Kea DHCP duplicating respo...
Last post by badyusuke - Today at 07:55:57 PM
Thank you for the detailed explanation and for the GitHub references. I completely understand the design priority: startup resilience is paramount, and a service that fails to start because an IP is missing is indeed a major stability risk.

It seems we are looking at a side effect of that resilience in HA/CARP environments. While binding to the interface name ensures Kea always starts, the Kea 3.0.2 documentation (Section 9.2.4) explains why this leads to the duplication I'm seeing:

Quote: 'Caution should be taken when configuring the server to open multiple raw sockets on the interface with several IPv4 addresses assigned... all sockets on this link will receive this message and multiple responses will be sent to the client. ... the configuration with multiple IPv4 addresses assigned should not be used when the directly connected clients are operating on that link.'

This matches my findings: even with thread-pool-size: 1, Kea processes the same request twice because it has two active BPF sockets (one for the Physical IP and one for the CARP). This leads to lease inconsistencies (potential IP conflicts) and log exhaustion.

To help improve the Kea implementation for complex HA setups without risking current startup stability, could we perhaps consider a 'middle ground' solution for Kea on OPNsense? Would it be possible to add an optional checkbox in the GUI for 'Strict HA Binding'? This would allow advanced users to manually enable the 'interface/address' notation. This way, the default behavior remains 'safe' for everyone, but administrators of HA clusters could opt-in to the binding method recommended by the Kea manual to prevent sequential duplication.

In my view, offering an 'opt-in' method for address-specific binding would greatly enhance Kea's reliability for production-grade HA environments while respecting OPNsense's startup stability goals. I'm happy to perform more tests if needed!

Update Note:

Section 9.2.4 of the Kea manual provides built-in parameters to handle startup resilience:

Quote: The service-sockets-require-all option makes Kea require all sockets to be successfully bound. If any opening fails, Kea interrupts the initialization and exits with a non-zero status. (Default is false).

"The port can be unavailable only temporary. In this case, retrying the opening may resolve the problem. Kea provides two options to specify the retrying: service-sockets-max-retries and service-sockets-retry-wait-time."

By setting service-sockets-max-retries to a non-zero value and keeping service-sockets-require-all as false, Kea will retry opening missing sockets for a defined period and will not fail to start even if some sockets remain unopened.