"Recent posts
#1
General Discussion / Re: Unifi VLANs with new OPNse...
Last post by Yosh1 - Today at 02:26:29 AMOk, thanks for the tips. I tore-down the whole system and rebuilt it - it's better, but it's not working yet.
Now, I can connect to the Unifi APs, and am given a valid IP address from DHCP... but no internet access. I am given the firewall IP (192.168.1.1) for the DNS, which is correct since I'm using Unbound. Again, using the other NIC port setup on my OPNsense box as "DEBUG" with a different IP range works and has internet access.
Everything looks much better in my Unifi Network now (Dream Machine Pro) - none of the devices are dropping in/out and all switches and APs are identified - though I set them to use unique static IPs as they kept falling back to the 192.168.1.20 default which was causing chaos. They didn't appear to get their static ARP addresses from the DHCP server in OPNsense.
I believe that it must still be something with the tagging/trunking on my Unifi chain, if you could take a look - I made a picture to make it easier to follow, this is what I have now:
You cannot view this attachment.
Now, I can connect to the Unifi APs, and am given a valid IP address from DHCP... but no internet access. I am given the firewall IP (192.168.1.1) for the DNS, which is correct since I'm using Unbound. Again, using the other NIC port setup on my OPNsense box as "DEBUG" with a different IP range works and has internet access.
Everything looks much better in my Unifi Network now (Dream Machine Pro) - none of the devices are dropping in/out and all switches and APs are identified - though I set them to use unique static IPs as they kept falling back to the 192.168.1.20 default which was causing chaos. They didn't appear to get their static ARP addresses from the DHCP server in OPNsense.
I believe that it must still be something with the tagging/trunking on my Unifi chain, if you could take a look - I made a picture to make it easier to follow, this is what I have now:
You cannot view this attachment.
#2
Hardware and Performance / UI performance with large numb...
Last post by multazimd - Today at 02:17:14 AMHi All,
We are currently have 60+ tunnels in our existing VPN software which we want to migrate to opnsense.
1) How many maximum number of VTIs can opnsense handle without performance issues in UI?
2) Is there a way to arrange the interfaces in groups so as make them not appear as a long list in UI?
3) How does search option at top right perform if i search an interface when count is 100+ ?
We are currently have 60+ tunnels in our existing VPN software which we want to migrate to opnsense.
1) How many maximum number of VTIs can opnsense handle without performance issues in UI?
2) Is there a way to arrange the interfaces in groups so as make them not appear as a long list in UI?
3) How does search option at top right perform if i search an interface when count is 100+ ?
#3
26.1 Series / Re: Destination NAT port range...
Last post by shagnome - Today at 12:35:29 AMThanks. Changing to a dash worked.
#4
German - Deutsch / Re: Business OPNWAF - Fragen /...
Last post by sim_on - March 02, 2026, 11:32:29 PMDanke für die schnelle Rückmeldung!
Punkt 2) habe ich dann jetzt einfach wie folgt gelöst:
Zertifikat erstellen:
000-default.conf erstellen unter "/usr/local/etc/apache24/Includes":
Punkt 2) habe ich dann jetzt einfach wie folgt gelöst:
Zertifikat erstellen:
Code Select
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /usr/local/etc/ssl/catch-all.key \
-out /usr/local/etc/ssl/catch-all.crt \
-subj "/CN=catch-all.invalid"
000-default.conf erstellen unter "/usr/local/etc/apache24/Includes":
Code Select
# Default VirtualHost
SSLStrictSNIVHostCheck On
<VirtualHost *:80>
ServerName catch-all.invalid
<Location />
Require all denied
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerName catch-all.invalid
SSLEngine on
SSLCertificateFile "/usr/local/etc/ssl/catch-all.crt"
SSLCertificateKeyFile "/usr/local/etc/ssl/catch-all.key"
<Location />
Require all denied
</Location>
</VirtualHost> #5
German - Deutsch / Re: OpenVPN: User oder Group -...
Last post by sashak - March 02, 2026, 11:12:44 PMQuote from: stefanpf on March 02, 2026, 06:28:25 PMIch habe es nie probiert
Ich habe es ausprobiert und das erfüllt meine Aufgabe. Vielen Dank!
#6
Tutorials and FAQs / Re: How to enable automatic mi...
Last post by Flynn84 - March 02, 2026, 11:01:33 PMFor anyone not being able to display the microcode level after using
and getting
Enter the following:
The microcode level should now display successfully.
If you want to make this persistent add
Code Select
x86info -a | grep -i microand getting
Code Select
/dev/cpuctl0: No such file or directory
/dev/cpuctl0: No such file or directory
Enter the following:
Code Select
kldload cpuctlThe microcode level should now display successfully.
If you want to make this persistent add
Code Select
cpuctl_load="YES"to Code Select
/boot/loader.conf #7
26.1 Series / Re: Destination NAT port range...
Last post by falken - March 02, 2026, 10:26:54 PMPort range needs to be specified with "-" and not ":" so you would use 4500-65535
#8
26.1 Series / Re: Upgrade Failed, signature ...
Last post by LineF - March 02, 2026, 09:14:23 PMQuote from: LineF on March 02, 2026, 05:56:33 PMFor me the same. No LTE connection but standard DSL connection. signature invalid
Problem solved - mirror probably has incomplete files. Changing mirror to "default" solved the problem. All files were downloaded witout problems.
#9
German - Deutsch / Re: Captive Portal: Diverse Fr...
Last post by viragomann - March 02, 2026, 08:59:55 PMQuote from: TheExpert on March 02, 2026, 06:17:26 PMDu meinst vermutlich das Captive Portal und nicht CARP Service, oder?Ja, sorry.
Quote from: TheExpert on March 02, 2026, 06:17:26 PMWenn man die URL des Captive Portal mit http://<CARP-IP-Adresse>:8000/ aufruft, kommt ein Timeout. Wenn man http://<IP-Adresse des HA-Knotens>:8000/ aufruft, dann erscheint das Captive Portal.Eigentlich sollte nichts davon funktionieren. Der Port 8000 ist für https gedacht. Mit http müsste der Aufruf fehlschlagen.
Wenn das aber ein Schreibfehler ist oder der Browser automatisch unbemerkt auf https gewechselt ist, würde das heißen, die Webseite ist nur an die Interface-Adresse gebunden.
Ich verstehe aber immer noch nicht, weswegen es die CARP IP sein muss. Ebenso gut kannst du die IP der Backup-Node in den URL reinsetzen und die Webseite sollte auch aufgehen.
Wie oben geschrieben, wenn CP synchronisiert wird, sollte auf der Backup die Loginseite ebenso auf der Interface IP bereitstehen.
Also wenn diese Master ist, macht sie eben die Umleitung auf ihre Interface IP. Dem Client sollte das egal sein.
Wenn du es aber dennoch auf der CARP VIP haben möchtest, dann leite die Anfragen eben auf die Interface-Adresse weiter.
Also eine Destination NAT Regel am jeweiligen Interface erstellen mit der CARP VIP als Destination und Port 8000 (f. Zone 0) und als Redirect Target die Interface Adresse (die vordefinierte Variable, damit die Regel auch auf der Backup funktioniert) und Port 8000.
Dies ist für https. Für http wäre noch eine Regel mit Zielport 9000 nötig.
#10
26.1 Series / Re: list_hosts.py -n (python3....
Last post by qballcow - March 02, 2026, 06:33:30 PMI had the same things, and tons and tons of I/O during it.
Turned out my hosts.db-wal was very large.
On every run it would read for 10s of seconds and re-create hosts.db-shm that each time grew to 100s of mbytes.
-rw-r--r-- 1 hostd hostd 4.0M Mar 2 17:14 hosts.db
-rw-r--r-- 1 hostd hostd 197M Mar 2 17:13 hosts.db-shm
-rw-r--r-- 1 hostd hostd 99G Mar 2 17:14 hosts.db-wal
After executing a checkpoint with truncate and vacuuming it now runs pretty normal again, still keeping an eye on it.
(Not sure if that was a safe action to do, but current state was not sustainable).
Turned out my hosts.db-wal was very large.
On every run it would read for 10s of seconds and re-create hosts.db-shm that each time grew to 100s of mbytes.
-rw-r--r-- 1 hostd hostd 4.0M Mar 2 17:14 hosts.db
-rw-r--r-- 1 hostd hostd 197M Mar 2 17:13 hosts.db-shm
-rw-r--r-- 1 hostd hostd 99G Mar 2 17:14 hosts.db-wal
After executing a checkpoint with truncate and vacuuming it now runs pretty normal again, still keeping an eye on it.
(Not sure if that was a safe action to do, but current state was not sustainable).
