Recent posts

#1
26.1, 26.4 Series / Re: dhclient errors cause netw...
Last post by scopecat - Today at 12:53:39 AM
I narrowed it down to Unbound. Restarting the unbound service fixes the issue.

In trying to diagnose this issue further, I ran into the following error message:

[1779057884] unbound[8483:0] warning: setsockopt(..., SO_SNDBUF, ...) was not granted: No buffer space available
[1779057884] unbound[8483:0] warning: so-sndbuf 4194304 was not granted. Got 57344. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 0 (use system value).

Setting kern.ipc.maxsockbuf=8388608 seems to fix the failure. Does anyone know why unbound is asking for more buffer space than OPNSense is configured by default to give?
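The numbers in that warning can be checked arithmetically. The following is an added example (my code, not part of the post, of unbound or of OPNsense) that parses the so-sndbuf/so-rcvbuf warning and works out the smallest kern.ipc.maxsockbuf under which the request would succeed. It assumes FreeBSD's sbreserve() rule, as I read it in sys/kern/uipc_sockbuf.c: the per-socket ceiling is kern.ipc.maxsockbuf scaled by MCLBYTES/(MSIZE+MCLBYTES), with MSIZE=256 and MCLBYTES=2048 as on amd64, and FreeBSD's compiled-in default of 2 MiB for the sysctl (the value OPNsense ships is not stated in the thread). The log lines are the two quoted in the post.

```python
import re

# FreeBSD mbuf constants for amd64 (assumed from sys/sys/param.h; MSIZE=256, MCLBYTES=2048).
MSIZE = 256
MCLBYTES = 2048
# FreeBSD's compiled-in default for kern.ipc.maxsockbuf (SB_MAX); OPNsense may ship a different value.
FREEBSD_DEFAULT_MAXSOCKBUF = 2 * 1024 * 1024

# unbound's "so-sndbuf N was not granted. Got M." warning
WARN_RE = re.compile(r"so-(sndbuf|rcvbuf) (\d+) was not granted\. Got (\d+)")


def effective_cap(maxsockbuf: int) -> int:
    """Largest buffer sbreserve() grants: sb_max scaled by MCLBYTES/(MSIZE+MCLBYTES)."""
    return maxsockbuf * MCLBYTES // (MSIZE + MCLBYTES)


def minimum_maxsockbuf(requested: int) -> int:
    """Smallest kern.ipc.maxsockbuf under which SO_SNDBUF/SO_RCVBUF of `requested` bytes succeeds."""
    return -(-requested * (MSIZE + MCLBYTES) // MCLBYTES)   # ceiling division


def parse_unbound_warnings(log: str):
    """Extract (option, requested, granted) triples from unbound log lines."""
    found = []
    for line in log.splitlines():
        m = WARN_RE.search(line)
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def advise(log: str, current_maxsockbuf: int = FREEBSD_DEFAULT_MAXSOCKBUF):
    """For each warning: does the request fit under the current sysctl, and what value it needs."""
    report = []
    for opt, requested, granted in parse_unbound_warnings(log):
        report.append({
            "option": opt,
            "requested": requested,
            "granted": granted,
            "fits_now": requested <= effective_cap(current_maxsockbuf),
            "min_maxsockbuf": minimum_maxsockbuf(requested),
        })
    return report


# Sample input: the two warning lines quoted in the post above.
SAMPLE_LOG = """\
[1779057884] unbound[8483:0] warning: setsockopt(..., SO_SNDBUF, ...) was not granted: No buffer space available
[1779057884] unbound[8483:0] warning: so-sndbuf 4194304 was not granted. Got 57344. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 0 (use system value).
"""

if __name__ == "__main__":
    for entry in advise(SAMPLE_LOG):
        print(entry)
    print("cap under kern.ipc.maxsockbuf=8388608:", effective_cap(8388608))
```

With the stock 2 MiB sysctl the ceiling comes out at 1864135 bytes, so a 4 MiB so-sndbuf is refused with ENOBUFS; 4718592 is the smallest value that admits it, and 8388608 leaves room for so-rcvbuf as well. The warning's own alternative, so-sndbuf: 0, makes unbound keep the system default instead of asking for a larger buffer.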
#2
Quote from: BrandyWine on May 16, 2026, 05:37:09 PM
I am more curious as to why the vendors do not have readily available updates for download.

There may be a mix/match issue with driver vs nvm, but a newer nvm should be a-ok to run with "not the latest driver", which usually means kernel build.
Agreed! :)

Quote from: ajohn on May 17, 2026, 02:24:32 PM
I am curious:
Did you contact Protectli first and try to get the update from them directly?
If so: what did they say?
I didn't ask them.
Thank you! :)
#3
Stuff related to online gaming should only need 1:1 port mapping in your NAT, a.k.a. Static Port in the OPNsense outbound NAT rules: https://docs.opnsense.org/manual/nat.html#outbound

Only when you want to host servers will you need to actually port forward some ports, but I am guessing that's not your problem :)

Even NAT-behind-NAT should not be an issue, but I don't know what kind of stuff your other router does with the connection, so you will have to figure that out on your own...
#4
The RFC1918 WAN IP address suggests that OpnSense is already behind another, maybe ISP-provided router, so you are operating under double-NAT conditions. At least you should be, because if you set up OpnSense without outbound NAT, you would have to provide a route to 192.168.2.0/24 on your front router.

As Steam needs to have open ports, you will also have to create inbound NAT rules on both OpnSense and your ISP router.
#5
Hardware and Performance / Re: cpu-microcode-intel: no ma...
Last post by meyergru - May 17, 2026, 10:34:36 PM
I am not with Deciso, in case you missed it.  ;-)

I only happen to know a bit about microcode updates in general. It was obvious that it was a packaging error in FreeBSD, because I happen to have a system based on an i5-1235U from the same family and I know that the current firmware version for that family is 0x43a when updated under Linux.

I guess that @franco will include any current upstream package updates into the next OpnSense releases.
 
#6
General Discussion / Re: Chromecast cannot connect ...
Last post by Patrick M. Hausen - May 17, 2026, 10:03:45 PM
Quote from: MrHappyHippo on May 17, 2026, 09:38:16 PM
Would it be possible to use the Alias "This Firewall" as the redirect target instead of the ULA address?

No.

Define an arbitrary ULA, assign to lo0 with /128 netmask, use that.
#7
General Discussion / Re: Chromecast cannot connect ...
Last post by MrHappyHippo - May 17, 2026, 09:38:16 PM
Would it be possible to use the Alias "This Firewall" as the redirect target instead of the ULA address? I guess not, since it's also a set of addresses and not a single address. My issue is that I think it behaves dynamically, meaning its value may depend on where it is used.
#8
Hardware and Performance / Re: cpu-microcode-intel: no ma...
Last post by fastboot - May 17, 2026, 09:27:24 PM
Upstream FreeBSD identified the issue and already proposed a fix:

https://reviews.freebsd.org/D57046

The problem was not actually a missing .80 blob specifically, but a bug in ucode-split. Extended signature tables inside Intel microcode blobs were ignored, which caused missing split files for a number of CPUs and therefore:

dmesg:
"CPU microcode: no matching update found"

This affected multiple Intel CPU families, including Alder/Raptor/Arrow Lake and others.

The fix is already linked to the FreeBSD PR:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295351

So this does appear to have been a real upstream FreeBSD microcode packaging/splitting issue.

@Franco, meyergru: It would probably be good to pick this up once it lands upstream, since affected OPNsense systems currently appear to stay on older firmware-provided microcode revisions.
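The failure mode fastboot describes (the extended signature table ignored, so CPUs that appear only in that table get no split file and the loader reports no matching update) can be reproduced on a synthetic blob. The following is an added example in Python; it is not FreeBSD's ucode-split, the patch in D57046, or any OPNsense code. It follows the update layout documented in the Intel SDM and implemented by the Linux loader: a 48-byte header, data whose size defaults to 2000 bytes when the field is 0, an optional extended signature table (20-byte header plus 12-byte entries) and dword checksums that sum to zero. The CPU signatures, platform flags and revision in the fixture are made up, not real CPUIDs; `honor_ext_table=False` models the faulty splitter.

```python
import struct

MC_HEADER_SIZE = 48       # struct microcode_header_intel (12 dwords)
EXT_HEADER_SIZE = 20      # struct extended_sigtable: count, cksum, reserved[3]
EXT_SIG_SIZE = 12         # struct extended_signature: sig, pf, cksum
DEFAULT_DATA_SIZE = 2000  # implied when the datasize field is 0
DEFAULT_TOTAL_SIZE = 2048 # implied when the totalsize field is 0
MASK32 = 0xFFFFFFFF


def _dword_sum(b: bytes) -> int:
    """32-bit wrapping sum of little-endian dwords; Intel checksums make this zero."""
    return sum(struct.unpack("<%dI" % (len(b) // 4), b)) & MASK32


def build_update(sig: int, pf: int, rev: int, data: bytes, ext_sigs=()) -> bytes:
    """Construct a synthetic update with valid checksums (test fixture, not real microcode)."""
    assert len(data) % 4 == 0
    ext_size = (EXT_HEADER_SIZE + EXT_SIG_SIZE * len(ext_sigs)) if ext_sigs else 0
    total = MC_HEADER_SIZE + len(data) + ext_size
    # hdrver, rev, date (BCD mmddyyyy), sig, cksum, ldrver, pf, datasize, totalsize, metasize, rsvd, rsvd
    hdr = [1, rev, 0x05172026, sig, 0, 1, pf, len(data), total, 0, 0, 0]
    hdr[4] = (-_dword_sum(struct.pack("<12I", *hdr) + data)) & MASK32  # header+data sum to zero
    blob = struct.pack("<12I", *hdr) + data
    if ext_sigs:
        entries = b""
        for esig, epf in ext_sigs:
            # entry checksum: swapping (sig, pf, cksum) for (esig, epf, ecks) must keep the sum zero
            ecks = (sig + pf + hdr[4] - esig - epf) & MASK32
            entries += struct.pack("<3I", esig, epf, ecks)
        count = struct.pack("<I", len(ext_sigs))
        tbl_cksum = (-_dword_sum(count + entries)) & MASK32    # whole table sums to zero
        blob += count + struct.pack("<I", tbl_cksum) + b"\0" * 12 + entries
    return blob


def parse_signatures(blob: bytes):
    """Return (revision, [(sig, pf), ...]) covering the primary and every extended signature."""
    f = struct.unpack("<12I", blob[:MC_HEADER_SIZE])
    hdrver, rev, _date, sig, cksum, _ldrver, pf, data_size, total_size = f[:9]
    if hdrver != 1:
        raise ValueError("unsupported header version %d" % hdrver)
    data_size = data_size or DEFAULT_DATA_SIZE
    total_size = total_size or DEFAULT_TOTAL_SIZE
    if len(blob) < total_size:
        raise ValueError("truncated update")
    if _dword_sum(blob[:MC_HEADER_SIZE + data_size]):
        raise ValueError("bad header/data checksum")
    sigs = [(sig, pf)]
    ext_size = total_size - MC_HEADER_SIZE - data_size
    if ext_size > 0:  # an extended signature table follows the data
        ext = blob[MC_HEADER_SIZE + data_size:total_size]
        count = struct.unpack_from("<I", ext)[0]
        if ext_size != EXT_HEADER_SIZE + EXT_SIG_SIZE * count:
            raise ValueError("extended table size mismatch")
        if _dword_sum(ext):
            raise ValueError("bad extended table checksum")
        for i in range(count):
            esig, epf, ecks = struct.unpack_from("<3I", ext, EXT_HEADER_SIZE + EXT_SIG_SIZE * i)
            if (esig + epf + ecks - sig - pf - cksum) & MASK32:
                raise ValueError("bad extended signature checksum")
            sigs.append((esig, epf))
    return rev, sigs


def signatures_match(sig: int, pf: int, cpu_sig: int, cpu_pf: int) -> bool:
    """Same CPUID(1).EAX signature, and platform flags either both zero or intersecting.
    On a real CPU cpu_pf is 1 << ((IA32_PLATFORM_ID >> 50) & 7)."""
    if sig != cpu_sig:
        return False
    if not pf and not cpu_pf:
        return True
    return bool(pf & cpu_pf)


def find_update_revision(blob: bytes, cpu_sig: int, cpu_pf: int, honor_ext_table: bool = True):
    """Revision the update carries for this CPU, or None ("no matching update found")."""
    rev, sigs = parse_signatures(blob)
    if not honor_ext_table:
        sigs = sigs[:1]   # models the splitter bug: only the primary signature is considered
    return rev if any(signatures_match(s, p, cpu_sig, cpu_pf) for s, p in sigs) else None


# Constructed fixture: one blob whose primary signature is CPU "A" and whose extended
# table also lists CPU "B". The signature values are made up, not real CPUIDs.
CPU_A, CPU_B, PF = 0x00012340, 0x00012345, 0x80
SAMPLE_UPDATE = build_update(CPU_A, PF, 0x100, bytes(range(64)), ext_sigs=[(CPU_B, PF)])

if __name__ == "__main__":
    print("correct splitter sees:", [hex(s) for s, _ in parse_signatures(SAMPLE_UPDATE)[1]])
    print("CPU B, table honoured:", find_update_revision(SAMPLE_UPDATE, CPU_B, PF))
    print("CPU B, table ignored: ", find_update_revision(SAMPLE_UPDATE, CPU_B, PF, False))
```

A splitter that emits one file per (sig, pf) in `parse_signatures()` covers CPU "B"; one that stops after the primary header does not, and the loader on that CPU then reports exactly the dmesg line quoted above. The per-entry checksum rule (the entry's sig, pf and cksum must substitute for the header's without changing the zero sum) is what lets a loader verify an extended entry without re-summing the whole blob.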
#9
General Discussion / Re: Chromecast cannot connect ...
Last post by Patrick M. Hausen - May 17, 2026, 09:16:58 PM
If you use destination NAT with 127.0.0.1, whatever the service and completely independent of OPNsense, the reply packets are generated with a source address of 127.0.0.1, which is then source NATed back to the public address to achieve bidirectional flow.

In the case of ::1 the relevant RFC explicitly forbids ("MUST NOT") a packet with a source of ::1 ever leaving a compliant system. So the FreeBSD network stack drops every IPv6 packet with a loopback source that does not also have a loopback destination.

That's why it does not work with IPv6.
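The rule above, and the workaround from #6 (an arbitrary ULA assigned to lo0 with a /128 netmask), can be written down as a check. The following is an added example (my code, not from the thread, FreeBSD or OPNsense) that models the egress rule with Python's ipaddress module and validates a candidate lo0 alias before it is used as a redirect target. It models only what the post states: IPv6 packets sourced from ::1 are delivered only to loopback destinations, while IPv4 replies from 127.0.0.1 are left to source NAT. The addresses are constructed; 2001:db8::/32 is the documentation prefix.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local addresses


def reply_can_leave_host(src: str, dst: str) -> bool:
    """Model of the rule in the post: an IPv6 packet sourced from ::1 may only go to a
    loopback destination; anything else is dropped by the stack before it leaves.
    IPv4 127.0.0.1-sourced replies are not modelled as dropped (they get source NATed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address family mismatch")
    if s.version == 4:
        return True
    return d.is_loopback or not s.is_loopback


def validate_lo0_rdr_target(addr_with_prefix: str) -> list:
    """Problems with a candidate rdr target for the lo0-alias workaround; empty list means usable."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    if iface.version != 6:
        return ["not an IPv6 address"]
    problems = []
    if iface.ip.is_loopback:
        problems.append("::1 as target: replies sourced from ::1 cannot leave the host")
    elif iface.ip not in ULA:
        problems.append("not a unique local address (fc00::/7); pick an fdxx:: address")
    if iface.network.prefixlen != 128:
        problems.append("assign it to lo0 with a /128 netmask, not /%d" % iface.network.prefixlen)
    return problems


# Constructed scenario: an IPv6 client on the LAN is redirected to a service listening on the firewall.
CLIENT = "2001:db8:1::10"


def rdr_outcome(target: str) -> str:
    """Whether the redirected service's reply to CLIENT gets out, for a given rdr target address."""
    return "reply reaches client" if reply_can_leave_host(target, CLIENT) else "reply dropped"


if __name__ == "__main__":
    for target in ("::1", "fd00:1234:5678::1"):
        print(target, "->", rdr_outcome(target), validate_lo0_rdr_target(target + "/128"))
```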
#10
Web Proxy Filtering and Caching / Allowing Steam through Firewal...
Last post by PANZER - May 17, 2026, 09:08:12 PM
Hello there, I'm kinda new to the OPNSense and general firewall topic. I'm currently having issues with allowing Steam to authenticate my user.

I have two interfaces:

WAN (192.168.2.236)
LAN (192.168.0.1)

On the LAN I have configured the following rules as stated in the Steam firewall configuration guide (https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB)

If I now open Steam I run into a timeout. The connection log from Steam says the following in the .txt file.

I can't see any blocking on the LAN side, so I think I set up everything correctly there. Even a LAN-Any-Allow rule won't do it.

On the WAN side I can see a lot of blocks from the default deny / state violation rule. I assume that Steam is sending its authentication over a CDN. This has a different IP and port, so the firewall thinks it's a random packet and denies it.

How can I fix this problem?