Recent posts

#1
Hardware and Performance / Re: Transparent bridge with 2 ...
Last post by pfry - Today at 03:50:56 AM
Quote from: BrandyWine on July 01, 2026, 10:44:02 PM
[...]I believe in OPNsense we can do 2+ ports for a single bridge.[...]

I have... 6 physical interfaces on my (current) firewall, with another 9 via a 10-port switch (acting as a port expander, where ports 1-9 are assigned unique port VLANs and 10 is a tagged uplink plugged into the firewall). So 14 available interfaces, each assigned to one of four (non-transparent) bridges. Works great. Most folks here think it would give their network the plague. (Who knows? They might be right.)

Quote from: Jaapaap on July 01, 2026, 10:55:34 PM
[...]It's pure hobby, but it does have to be functional. So please just tell me to drop the stupid project, if that's you pros' opinion.[...]

Nah, try it out. You can have a good old time trying different stuff. Never can tell. Could fix your back in short order.

Quote from: BrandyWine on Today at 12:50:56 AM
I know what she meant, but in technical terms she stated it incorrectly.[...]

Heh. Heck, grab her book - it's not bad. Or Rich Seifert's.
#2
26.1, 26.4 Series / Re: Problem with shutdown/rebo...
Last post by wincent - Today at 03:41:51 AM
If you need a temporary solution, I have a suggestion. Add a timeout in the Suricata service script:
sed -i '' 's|command:/usr/local/etc/rc.d/suricata stop|command:/usr/local/etc/rc.d/suricata stop \|\| (sleep 10 \&\& killall -9 suricata)|' /usr/local/opnsense/service/conf/actions.d/actions_ids.conf
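As an added example (not part of wincent's post), a way to try the same substitution on a copy before editing the live file: it writes a patched copy of a constructed actions_ids.conf (so it also works with GNU sed, which does not accept `-i ''`), extracts the resulting [stop] command and checks that exactly one line changed. The section layout is assumed to match OPNsense's actions.d files; the live path is the one given in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the same sed
# substitution as the post to a COPY of actions_ids.conf so the change can
# be reviewed before it touches the live file at
# /usr/local/opnsense/service/conf/actions.d/actions_ids.conf.
# Writing to a new file (instead of "sed -i ''") also works with GNU sed.

# Patch $1 into $2: if "suricata stop" exits non-zero, wait 10 s, then SIGKILL.
patch_suricata_stop() {
    sed 's|command:/usr/local/etc/rc.d/suricata stop|command:/usr/local/etc/rc.d/suricata stop \|\| (sleep 10 \&\& killall -9 suricata)|' "$1" > "$2"
}

# Number of lines in $2 that differ from $1; a correct patch changes exactly 1.
changed_lines() {
    diff "$1" "$2" | grep -c '^>'
}

# The command line of the [stop] section in file $1 (for review/assertion).
stop_command() {
    awk '/^\[stop\]/{s=1;next} /^\[/{s=0} s && /^command:/{print;exit}' "$1"
}

# Constructed sample in the (assumed) layout of an OPNsense actions.d file;
# only the sections relevant to the check are included.
WORK=$(mktemp -d)
ORIG="$WORK/actions_ids.conf"
NEW="$WORK/actions_ids.conf.new"
cat > "$ORIG" <<'EOF'
[start]
command:/usr/local/etc/rc.d/suricata start
parameters:
type:script
message:start suricata daemon

[stop]
command:/usr/local/etc/rc.d/suricata stop
parameters:
type:script
message:stop suricata daemon
EOF

patch_suricata_stop "$ORIG" "$NEW"
echo "changed lines: $(changed_lines "$ORIG" "$NEW")"
echo "new stop command: $(stop_command "$NEW")"
# On the real file: review "diff" of the two copies, then move the new file
# into place.
```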
#3
26.1, 26.4 Series / Re: Lost outbound NAT rules on...
Last post by OPNenthu - Today at 02:05:12 AM
Marking as solved because I got my manual rules added back and everything's working, but I'm still not sure why some of the automatic rules aren't reflected in the SNAT UI. Going to leave the automatic rules alone for now.

Thanks all!
#4
26.1, 26.4 Series / Re: Upgrade to 26.1.11 Stuck a...
Last post by burre90 - Today at 02:00:33 AM
Same issue, stuck on "Starting web GUI...done."

Update: Waiting about 15-20 minutes and it finally completed.
#5
Quote from: Patrick M. Hausen on Today at 12:31:33 AM
Radia Perlman is incorrect. OK. I'm out.
I know what she meant, but in technical terms she stated it incorrectly.

If I use the literal definition of forwarding ethernet frames, yes, she is wrong. There are no "forwarding" decisions being done at L3. There's only a next-hop decision at L3, which is not "forwarding".

"Forwarding" literally originates at L1 Tx. This is the only way a frame can move.

Take for example a router with two ifaces: a packet comes in on A and the routing table says the next-hop is an IP on the B side. However, that next-hop has no ARP entry, and a search for the next-hop IP's MAC (ARP) is negative; no such next-hop IP exists. The router made a next-hop decision and handed that off to L2, yet no forwarding was done, no positive forwarding decision made, etc.

A device (the logical process) that makes L3 next-hop decisions is a router.
L3 decides next-hop, L2 decides how to forward.

L3 --> L2 (arp/cam) --> L1
                         ^
                      fwd'ing
#6
Quote from: Patrick M. Hausen on July 01, 2026, 10:59:01 PM
@Jaapaap Do you control the router you have and seem to like? Not your ISP? Do you trust it? If the answer to all these is "yes", you won't gain much but an incredible amount of complexity by adding a bridging firewall.
There's also the broadcast MAC issue, DHCP. The initial broadcast to FFFFFF will pass right through the fw, the ISP modem will try to reply, but that reply can be blocked by the fw. But then I wonder if the ISP modem logs a lease? Some ISPs only allow x# of WAN leases.

Not sure of the actual setup OP has, but you could buffer ISP & fw with a router that has no features turned on (except NAT), just a simple dummy L3: WAN for getting DHCP for the router, and LAN on the router for the DFG. Adds a buffer, but make sure the router denies all inbound to its WAN iface, etc. Then bridge between the router and the internal subnet(s). Technically not a bad setup, places a little buffer (DMZ) between the ISP modem and the fw.
#7
Radia Perlman is incorrect. OK. I'm out.
#8
Quote from: Patrick M. Hausen on July 01, 2026, 10:57:25 PM
- a device making forwarding decisions based on layer 3 addresses is a router

That's technically not correct; she is incorrect. The L3 decision simply decides the next-hop IP (talking strictly TCP/IP), not any forwarding. Forwarding always (always) happens at L2, 100% just a MAC-Port thing down to Tx on L1. ;)
ARP sits between L3 and L2. L3 is the IP-MAC table, L2 is the MAC-Port table. There is no frame forwarding on ethernet at L3.

It's a play on words mostly. "Forwarding" is a L1 frame thing. L2 on the receiver is logically processed only after the frame has been forwarded. The IP-MAC and MAC-Port things are just matrix tables stored in device memory.

And to boot - no router is a switch, and no switch is a router, but all routers have a switcher, otherwise the frames could never Tx or Rx.
#9
26.1, 26.4 Series / Re: Upgrade to 26.1.11 Stuck a...
Last post by muchacha_grande - July 01, 2026, 11:27:06 PM
I think the problem is that the kernel is downloading but you can't see the progress.

It happened to me, and I waited until it started to download the base package; it didn't show the download progress either until it finished, and then the update finished normally with the reboot.
#10
Hardware and Performance / Re: Transparent bridge with 2 ...
Last post by Jaapaap - July 01, 2026, 11:25:51 PM
I trust my router (Asus ExpertWiFi business line) and my ISP enough.
I don't use port forwarding and have an OpenVPN connection on the router for when needed.
I am planning on setting up Cloudflare for outdoor Home Assistant use, so I think I am safe enough for a home user.

Given your reply I guess I had a fun ride exploring OPNsense, but I'll probably use the machine for AdGuard (completely new to that too, but it keeps me occupied 😄).
Thanks for the quick course and the adventure in OPNsense.