Recent posts

#1
German - Deutsch / Re: Routing-Performance
Last post by sternchen45 - Today at 10:31:26 PM
Thank you! I'll try that. However, Zenarmor is brand new; I had the n5105 before, and I had the same lousy performance there. That's why I'm a bit skeptical.
#2
General Discussion / Re: Missing Interfaces
Last post by pfry - Today at 10:10:55 PM
With the x710 (as with other Intel interfaces) it's a good idea to make sure your NVM is up to date (assuming you haven't already).

I can't comment on Dnsmasq; I only have 9 VLANs configured at the moment (on an x710); I do not use an IPS.
#3
Try running
certctl rehash

on the OPNsense. We have had what you describe on stock FreeBSD before, and that was the solution. Take a snapshot beforehand (if you use ZFS), or at least a config backup.
#4
Found the fix on the HAProxy: the iPhones stopped sending a hostname in the packet header, so it didn't match any of my rules. I had to add a default backend server, and now iPhones work again.
#5
General Discussion / Missing Interfaces
Last post by Unregistered Member - Today at 07:38:43 PM
Hello,

I'm new to OPNsense and have been really enjoying working with this firewall. However, I'm encountering a strange issue with my setup and am not sure whether it's a bug or something I've configured incorrectly.

I'm running OPNsense v25.7.7_4 and have a dozen VLANs configured with IPv4 static IPs (except for the IPs themselves, the VLANs are all set up the same way, with the LAN port as the parent). DHCP is being handled by Dnsmasq DNS & DHCP.

Here's where the issue comes in: when I go to the Leases section under Dnsmasq DNS & DHCP, the drop-down menu for interfaces is missing a few VLANs. However, I can confirm that the VLANs are configured correctly, as clients are able to connect and receive the correct IPs.

Strangely, two of the missing VLANs are showing up under the WAN interface in the lease list, with the correct IP addresses. These clients are functioning normally, with internet access and proper firewall rule enforcement. But there are still three other VLANs that are missing from the lease drop-down altogether.

My question is: Does the lease drop-down only show interfaces that have been assigned IPs? Could it be that if an interface doesn't register an IP, it doesn't show up in the list? And if that's the case, how do you explain the two VLANs that are showing up under WAN?

Additionally, I've noticed some errors in the console from time to time (the first set of numbers, 015.xxxxxxx, is different, but the message about ixl0 full is consistent). Not sure if this is related or a separate issue related to netmap. On the WAN port (ixl0), I'm only running Suricata in IPS mode, and the error message I'm seeing is as follows:
015.030954 [4335] netmap_transmit ixl0 full hwcur 205 hwtail 645 qlen 583

I've been troubleshooting this issue with ChatGPT, and after working through a few tests, it was suggested that this might be a cosmetic bug in OPNsense, with no significant impact.

Has anyone encountered something similar? Any advice or thoughts on this issue would be greatly appreciated!
#6
I have never encountered any compatibility problems with 10G DAC cables.
#7
German - Deutsch / Re: Kann curl nicht auf die im...
Last post by meyergru - Today at 07:34:30 PM
Ah, I see. You're not using the OPNsense CA at all. Normally curl should accept all certificates that are entered under System: Trust: Authorities. It does for me; I also use my own external CA.

#8
German - Deutsch / Re: Kann curl nicht auf die im...
Last post by u.n.known - Today at 07:15:14 PM
Okay... I have a Vault here, that is, a server running HashiCorp Vault. It provides the ACME endpoint that I want to reach from OPNsense with the ACME plugin. This Vault has a certificate from a complete CA that is available in OPNsense, i.e. stored under Trust.
When I then configure the ACME plugin to fetch from this Vault server (NOT from OPNsense), it falls flat on its face because curl cannot validate the certificate. A valid certificate is installed on the Vault server (name, validity, etc.). The corresponding CA is in OPNsense under Trust. So is there a way in OPNsense to additionally add a certificate for curl so that it has no problem with the endpoint?
#9
German - Deutsch / Re: Routing-Performance
Last post by meyergru - Today at 06:33:24 PM
I think it's Zenarmor, even without blocking. The hardware should easily manage 1 Gbit/s; see my signature.
#10
Hardware and Performance / Re: Dec740 connected to a USW-...
Last post by pfry - Today at 06:33:06 PM
Quote from: DEC670airp414user on Today at 04:28:01 PM
what in addition to [...]

For connecting the firewall to the switch, nothing at all. I wasn't critiquing your choice of cable - I was just attempting to avoid endorsing a particular length, as the only critical element is "long enough", and that's your choice.

Heh. Someone here must have an identical setup to your planned one. Just for the paranoia endorsement.

My own is random PC with Intel x710, with random TAA DACs to two servers, also with x710s. My (Netgear) switch uplink is fiber, as it's in another room - a bit far for a DAC. I had to get an Intel ID'd optic (I got genuine Intel, surplus) for the uplink; the DACs don't require any branding with the Intel cards. Not a concern with your setup as described.