Recent posts

#1
26.1, 26,4 Series / OPNsense 26.1.8_5 Freezes Rand...
Last post by xenon2008 - Today at 03:06:16 AM
Hello everyone,
For several days now I've been having the issue that my OPNsense (OPNsense 26.1.8_5-amd64) completely freezes.
When it freezes, it is no longer pingable, and even if I manually assign an IP address to my client, I still cannot reach the firewall at all.
So I couldn't reach the web interface, no ping, no Internet, nothing.
At first I thought it was due to my old hardware, so I bought a brand new CWWK mini Firewall, reinstalled OPNsense, and restored the backup file.
It ran fine for a few days, but today the exact same problem happened again, just like on the old hardware.

Does anyone have an idea what could be causing this? I can rule out a hardware issue since this is completely new hardware.
At this point I'm honestly starting to get really frustrated because I can't figure out what's causing it.

After a reboot everything works normally again, but the freeze keeps coming back after some time (Days).
Could somebody help me please?

Thanks & Kindly Regards
#2
I am using OPNsense 26.1.8_5 (the latest currently) and have turned on Intrusion Detection (Suricata). One of my network users wants to use Dropbox.  Great! Their computer already has a static IP for other reasons, so I want to create a rule that allows Dropbox access, but only on her machine.

So far, I have found ways to:
  • Enable Dropbox for everyone on the network by disabling the check - I don't want to let everyone do this
  • Completely turn off ALL rule checking on her machine - Not ideal as it's a Windows computer and I am afraid of viruses

So, what I really want to do is disable the Dropbox check for her destination IP (which is static). I have not been able to find a way to do this, and while the policy editor is quite fancy, it seems to be missing an option to select a few rules and a destination IP and convert a Drop to an Alert.

Is this just not possible or am I not looking at the right place?

Thanks. 
#3
Hardware and Performance / Re: CPU Recommendations?
Last post by rumshot - Today at 12:23:52 AM
You need to ask the seller whether the 10GB module comes with it.

https://ebay.us/m/Hrxtgt



Quote from: XrayDoc88 on May 26, 2026, 07:06:57 PM
Thanks. I hadn't heard of Silver Peak. Looking on Ebay, I don't see any mention of 10G ports nor SFP+ ports however.
#4
German - Deutsch / HILFE... für FiSi Abschlussarb...
Last post by chrisfnf - May 26, 2026, 11:27:06 PM
Good evening everyone,

I am retraining as a Fachinformatiker für Systemintegration (IT specialist for system integration) and am currently working on my final project on the topic "IPv4 Netzwerkerweiterung mit IPv6 und Integration eines Firewall Clusters" (IPv4 network extension with IPv6 and integration of a firewall cluster), and I urgently need support with it.

I want to implement the following scenario:
- several VLANs connected to a transfer network (via an HP-1810 switch)
- one of these VLANs (#264), with the address range 10.128.64.0/24, is to be shielded from the rest by the firewall cluster
- a printer in VLAN #250 must nevertheless be reachable from VLAN #264; the printer is in the 10.128.50.0/24 network and prints via an mDNS configuration

Already done:
- OPNsense V 26.1.4 is already set up on two single-board computers (Pokini F2); all LAN addresses and the Internet are reachable
- KEA DHCP is set up manually (without agent); assignment of IPv4 addresses works. I am aware that KEA is a simple DHCP server;
  I had to get the network online, hence this interim solution

Open:
- configure DNS via mDNS so that device names are resolved and the printer in VLAN #250 is reachable
- IPv6 settings: I understand that IPv6 needs special firewall settings because the addresses are directly reachable from the Internet. I have not understood exactly how I need to configure that.

There are many tutorials on the Internet, but unfortunately the important details are not shown, or rather I have not found a tutorial in which VLAN, mDNS and IPv6 are covered together.

Network diagram:

https://my.hidrive.com/lnk/Hx3sjxYeX
(the image from Hidrive unfortunately does not embed)

Does anyone have helpful tips for me, or would perhaps be willing to show me this in an online session?

Many thanks in advance for your replies!

Regards
Chris
#5
Virtual private networks / Re: Forcing Outbound VPN Conne...
Last post by FredFresh - May 26, 2026, 10:45:31 PM
Generally speaking (AFAIK) you can redirect a flow coming in on an interface, but not a flow that only exits (in this case one originated by the firewall itself and leaving through the WAN).
#6
Virtual private networks / Re: restart wireguard service
Last post by FredFresh - May 26, 2026, 10:21:43 PM
Posting here the solution I found (the cause will never be confirmed) for whoever might face the same problem:

- SSH into the OPNsense and create a script.sh (or whatever name you prefer). This periodically verifies the time of the last handshake and, if it is older than 5 minutes, disables the interface for 5 minutes and then restores it (this way the handshake is restored)

#!/bin/sh

# --- CONFIGURATION ---
INTERFACE="wg4"              # name of your WireGuard interface
PEER_IP="10.2.0.1"           # IP of the peer to test with traceroute
THRESHOLD=300                # handshake age threshold in seconds
DOWNTIME=360                 # time to keep the interface down (6 minutes = 360 seconds)
WAIT_AFTER_UP=60             # seconds to wait after bringing it back up

# --- LOGIC ---

# 1. Get the last handshake (Unix timestamp) of the first peer listed
# 'wg show' prints one "<pubkey> <timestamp>" line per peer; 0 means no handshake yet
LATEST_HANDSHAKE=$(wg show "$INTERFACE" latest-handshakes | awk 'NR==1 {print $2}')
LATEST_HANDSHAKE=${LATEST_HANDSHAKE:-0}

# 2. Compute the elapsed time
CURRENT_TIME=$(date +%s)
ELAPSED=$((CURRENT_TIME - LATEST_HANDSHAKE))

# 3. Check whether it exceeds the threshold
if [ "$ELAPSED" -gt "$THRESHOLD" ]; then

    # Bring the interface down (sudo: see the sudoers entries below)
    sudo ifconfig "$INTERFACE" down

    sleep "$DOWNTIME"

    # Bring the interface back up
    sudo ifconfig "$INTERFACE" up

    sleep "$WAIT_AFTER_UP"

    # Traceroute to the peer, as posted (-g adds a loose source route hop)
    traceroute -g 127.0.0.1 "$PEER_IP"

else

    exit 0
fi


After this, you have to make the script executable using
chmod 755 script.sh
Next step is to create a dedicated cron job (for details you can search on this forum):
[START]
command:/usr/local/opnsense/service/conf/actions.d/SCRIPT_10_2_0_1_HANDSHAKE.sh
parameters:
type:script
message:Check WG handshake time and renew
description:Check WG handshake time and renew

Now the issue is that the script needs to be executed as superuser, and the only workaround I found is to allow the two commands to be run without sudo; here I used visudo and added the following lines:

[put-your-user-here-without-brackets] ALL=(ALL) NOPASSWD: /sbin/ifconfig wg0 down
[put-your-user-here-without-brackets] ALL=(ALL) NOPASSWD: /sbin/ifconfig wg0 up

in my case wg0 is the involved wireguard interface

Because with my connections the gateway monitor sometimes does not bring the gateway back online, I also added a cron job that traceroutes to 10.2.0.1

This is running since 25 days and I had no more problems.
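A reworked version of the handshake check, added here as an example and not the poster's script or OPNsense's own code. Unlike the posted version it looks at every peer on the interface rather than only the first `wg show` line, and it treats a peer that never completed a handshake (timestamp 0) as stale. The interface name `wg0`, the thresholds, the `DRY_RUN` switch and the `run` argument are placeholders I chose; it assumes `wg`, `ifconfig` and `date` are in PATH and that it runs as root (if it runs as an unprivileged user, the two `ifconfig` calls need the sudoers entries described above).

```shell
#!/bin/sh
# Added example (not the forum poster's script): WireGuard stale-handshake
# check for OPNsense/FreeBSD. Checks every peer on the interface and treats
# an epoch of 0 (never handshaked) as stale. Assumptions: wg(8), ifconfig(8)
# and date(1) in PATH; executed as root; names/thresholds below are placeholders.

INTERFACE="${INTERFACE:-wg0}"     # WireGuard interface name (assumed)
THRESHOLD="${THRESHOLD:-300}"     # max handshake age in seconds
DOWNTIME="${DOWNTIME:-360}"       # seconds to keep the interface down
DRY_RUN="${DRY_RUN:-0}"           # 1 = report only, never touch the interface

# stale_peers HANDSHAKES NOW THRESHOLD
# $1 is the text of `wg show <if> latest-handshakes` ("<pubkey><TAB><epoch>"
# per peer). Prints the public key of every peer whose last handshake is
# older than THRESHOLD seconds or who never handshaked (epoch 0).
# Exit status 0 if at least one peer is stale, 1 otherwise.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v thr="$3" '
        NF >= 2 {
            if ($2 + 0 == 0 || now - $2 > thr) { print $1; found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# bounce_interface: down/up the interface so WireGuard re-initiates the
# handshake on the next packet. Honours DRY_RUN.
bounce_interface() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "dry run: would bring $INTERFACE down for ${DOWNTIME}s and back up"
        return 0
    fi
    ifconfig "$INTERFACE" down
    sleep "$DOWNTIME"
    ifconfig "$INTERFACE" up
}

main() {
    handshakes=$(wg show "$INTERFACE" latest-handshakes) || {
        echo "wg show failed for $INTERFACE" >&2
        return 2
    }
    if stale=$(stale_peers "$handshakes" "$(date +%s)" "$THRESHOLD"); then
        echo "stale peer(s) on $INTERFACE:"
        echo "$stale"
        bounce_interface
    else
        echo "all peers on $INTERFACE handshaked within ${THRESHOLD}s"
    fi
}

# Only act when called with "run" (e.g. "sh wg-handshake-check.sh run"), so
# the functions above can be sourced and exercised without touching anything.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Point the cron action's `command:` at `sh /path/to/wg-handshake-check.sh run`; set `DRY_RUN=1` first to see what it would do. Because `stale_peers` takes the `wg show` output as text, it can be checked against captured output before the script is wired into cron.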
#7
Hardware and Performance / Re: cpu-microcode-intel: no ma...
Last post by BrandyWine - May 26, 2026, 07:51:10 PM
The fixed package looks good, it now has 06-9a-04.80

Just not sure the .80 is the fix for the issue in post #1.

Manually download/install the pkg, then let's see what happens.
#8
26.1, 26,4 Series / Re: FreeBSD 15.1 will be relea...
Last post by newsense - May 26, 2026, 07:23:58 PM
The bigger change might actually be OpenSSL 3.5.x in 26.7 for the packages, and it can already be tested:

1) Take a snapshot

2) In Firmware Settings set the custom repository to snapshots/openssl35

Check for updates and reboot at the end.

( There's no need to select development in Firmware settings, only set the custom repository )

I'm running on OpenSSL 3.5.6 for a week with what is essentially 26.1.8 (plus a handful of patches that will be officially released in 26.1.9) with WireGuard, OpenVPN and IPsec


P.S. If you have mimugmail packages installed, don't change the OpenSSL version, or those packages (for example Unifi) will be uninstalled.

AGH will be fine as it handles SSL without dependencies on OPNsense packages.
#9
Hardware and Performance / Re: CPU Recommendations?
Last post by XrayDoc88 - May 26, 2026, 07:06:57 PM
Thanks.  I hadn't heard of Silver Peak.  Looking on Ebay, I don't see any mention of 10G ports nor SFP+ ports however.
#10
26.1, 26,4 Series / Re: FreeBSD 15.1 will be relea...
Last post by sopex - May 26, 2026, 06:48:34 PM
Quote from: mooh on May 26, 2026, 06:19:59 PM
Quote from: Patrick M. Hausen on May 26, 2026, 04:02:40 PM
OPNsense business editions are released in April and October.
Isn't the business edition always based on the preceding community edition? Say, the CE doesn't adopt FreeBSD 15.1 in July, then the BE won't be based on it either, right?

Something must seriously go wrong for CE not to get 15.1
But yes, if CE doesn't get it, BE won't get it