Recent posts

#1
26.7 Series / Re: Unable to sync zenarmor re...
Last post by Lukas L. - Today at 10:54:09 PM
ok - I swear to the sacred master boot record, I will check forum right before I fire up any upgrade other than minor version. Big thanks to the ZA team (https://forum.opnsense.org/index.php?topic=52385.0)
#2
26.7 Series / Re: Zenarmor and ET Pro Teleme...
Last post by opnsense-5185 - Today at 10:38:28 PM
Hi, it was the same here this morning here after upgrading to 26.7. ET Pro and dashboard widget was not working.

I solved it by disabling IDS service, then reapplying the et_telemetry.token, and then redownloaded all ET Pro rules. Then turned on IDS service. The widget now works.

FYI,

Regards.
#3
General Discussion / Re: Problem with local LAN add...
Last post by mrzaz - Today at 10:13:51 PM
Quote from: Patrick M. Hausen on Today at 10:08:43 PMThese packets should not go through the firewall at all if 192.168.x is the same x for both systems. I'd first check the netmasks/prefix-lengths of both systems.

Both OpnSense (.20 LAN) and NAS (.64) is in same net and do have same netmask in both machines.
Also the NAS has .20 as default GW and it is working. Running both from outside in to webserver (NAT) but also from inside to other Synology NAS remote.

//Dan
#4
These packets should not go through the firewall at all if 192.168.x is the same x for both systems. I'd first check the netmasks/prefix-lengths of both systems.
#5
General Discussion / Re: Problem with local LAN add...
Last post by mrzaz - Today at 10:05:09 PM
Quote from: Patrick M. Hausen on Today at 09:58:38 PMCould you post the details of a blocked packet?

Sure. But see my updated comments as well in main thread.

__timestamp__   2026-07-15T22:01:22
ack   3617553731
action   [block]
anchorname   
datalen   0
dir   [in]
dst   192.168.x.20
dsthostname   
dstport   80
ecn   
id   13194
interface   em1
ipflags   none
ipversion   4
label   Default deny / state violation rule
length   40
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   5
seq   
src   192.168.x.64
srchostname   
srcport   47713
status   2
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   44
urp   1024

//Danne
#6
26.7 Series / Re: 26.7 hanging on boot
Last post by Patrick M. Hausen - Today at 10:04:49 PM
@franco is there an official method to select early or late loading of the microcode updates when using the plugin?
#7
Could you post the details of a blocked packet?
#8
General Discussion / Problem with local LAN address...
Last post by mrzaz - Today at 09:53:58 PM
Hello,
I have an issue that I could not find the culprit to that is driving me crazy.

In the live log I get a "Default deny / state violation rule" from a my local NAS that
is on my LAN network and should not block this port.
64 = NAS
20 = OpnSense LAN interface

LAN  In  2026-07-15T21:40:22  TCP  192.168.x.64:56672  192.168.x.20:80  block  Default deny / state violation rule

Other IPs in my LAN does not have any issues accessing port 80 on .20

I am using the latest OPNsense 26.1.11_10-amd64 and is using the new upgraded style rules.

I even have a "Default allow LAN to any rule" enabled but also tried a separate LAN_HOME to LAN_HOME alias firewall for both in and out.
And have also made a specific to .64 but still same issue.

Is there anyone that could point me in the right direction why this only happens from one device and not all ?

I do have CrowdSec and Q-Feed plus a few others but have tested to switch off Intrusion Detection (suricata)

I have talked a bit with ChatGPT and it gave me some hints.
As the entry in the live log contains only A (ACK) it could be:
An ACK packet means:
It is not the start of a TCP connection (which would be a SYN packet).
It is trying to continue an existing TCP session.
OPNsense/PF is saying: "I don't have a state for this connection," so it logs Default deny / state violation rule and drops the packet.
1. The state expired.  This is very common with browsers that reuse keep-alive connections.
2. NAS kept the connection alive - Many NAS devices (especially Synology and QNAP) maintain persistent HTTP/HTTPS sessions.

This is most likely the culprit.

In other words, PF expected a state entry that no longer exists.

//Dan Lundqvist
Stockholm, Sweden
#9

I though i explained that in my post :(

Quote from: franco on Today at 09:03:26 PMMaybe I missed this several times but what messages are we talking about exactly? Is this normalized to the point where we just assume "these messages" are a given and we need to fix the console accordingly? Why not chase these messages and mute them, or find the root cause?


Cheers,
Franco

the messages are regular pf messages about the status of the incoming packet, or when a new entry is inserted in the connections table, you can see some excerpts of the messages here:

https://forum.opnsense.org/index.php?action=dlattach;attach=56244

The root cause is just some packets with some problems in the wire, as u can see in the link, they are the typical status messages, nothing out of the ordinary, just a FW doing its job. The problem is when those messages are beyond some threshold and then start consuming cpu cycles because the default config push them into the serial console.

And this is when i would like to know if this serial output could be disabled because is taking a lot of cycles for almost nothing, because the dmesg buffer is still getting the status output.



#10
26.7 Series / Re: [Solved by reboot] 26.7 Up...
Last post by Cableguy_ - Today at 09:44:40 PM
Quote from: newsense on Today at 09:36:51 PMTry another mirror
That led me into this in the first place (changing & testing mirrors via browser GUI). How to change mirrors in console, and which one should work?