Recent posts

#1
26.1 Series / Re: Firewall Rule after migrat...
Last post by t84a - Today at 02:26:15 PM
Thanks. Any idea why the upgrade would have disabled it? The same thing shows up under Firewall NAT Destination NAT.
#2
Quote from: TheExpert on Today at 01:09:58 PM
"I don't see much added value in creating a separate virtual network card for each VLAN,"

The added value is that it works. This is exactly how it has been done in hypervisor environments for decades. If problems come up with your planned setup, probably nobody will be able to help you.
#3
Zenarmor (Sensei) / Zenarmor periodicals not worki...
Last post by Maginos - Today at 02:10:20 PM
Hi all,

I have a question concerning Zenarmor periodicals:

Every day at 4:03 am I get the following message from Zabbix:

Problem: Lack of avail. memory on server OPNsense 2
Problem started at 04:03:13 on 2026.02.08
Problem name: Lack of avail. memory on server OPNsense 2
Host: OPNsense
Severity: Warning
Operational data: 3.45 GB
Original problem ID: 79101

The value at Operational data varies, it can be 450 MB or less.

My Opnsense (version 25.7_11 so far, I just upgraded atm to 26.1) has a total amount of 16 GB of RAM, which is plenty for only Zenarmor running and no Suricata.

I looked up /var/log/system/latest.log and found NO out-of-memory entry there, so I assume the OOM error from Zabbix comes from the ARC of my ZFS array. I have two SSDs, which are configured in Z1.

I get the message from Zabbix after 3-4 days and then daily, always at 4 am in the morning.

I looked up my cronjobs and only Zenarmor periodicals are running at that time.

After some research I found that the file /usr/local/datastore/sqlite/conn_all.sqlite keeps growing in size up to some GB.

When this file reaches a certain size, I get the OOM error in Zabbix. That's the reason why I see the error in Zabbix after some days.

If I reset the database of Zenarmor via GUI manually, the conn_all.sqlite file is reduced in size and the zabbix error message does not occur for some days.

After that it occurs again and I have to reset the database manually again.

In the future, I would like to avoid this.

On a second OPNSense machine, everything works perfectly.

I have the following settings on the OPNsense:

- Sqlite
- Reporting Period 2 days
- Memory Disk Size 300 MB
- Tracefs Partition Size 100 MB

Logs:

- Log Level Debug
- Rotation 1 Day
- Retire 3 Days

I already uninstalled and reinstalled Zenarmor (restore from backup), but that didn't help.

So my assumption is that the database is not properly cleaned up by the Zenarmor periodicals cronjob and therefore the conn_all.sqlite file keeps growing.

What can I do in this situation?
Thank you for your help.

Maginos
#4
ended up learning how to create alias hosts with a ton of websites, and sent them over a different gateway.

brain got some new wrinkles this morning. thumbsup :)
#5
The reverse proxy cannot handle all of what is needed when you want to present two websites via different URI paths.

Say your backend server creates web pages containing embedded image links with the absolute path it knows about, like when server1.domain.internal shows a snippet of: <img src="/images/xyz.jpg">. Since the reverse proxy does not change the content of the HTML, the browser will then not reference https://myapps.domain.internal/app1/images/xyz.jpg, but https://myapps.domain.internal/images/xyz.jpg, which is wrong. The same goes for CSS and JavaScript snippets.

And that does not even consider cases where your internal server creates absolute links like <img src="https://server1.domain.internal:8001/images/xyz.jpg">, like many applications do.

So, in order to make this work, the paths may not change unless you can configure your backend application to use either relative paths only or you can configure its "real" URL to be https://myapps.domain.internal/app1/.

An alternative remedy could be to use app1.domain.internal and app2.domain.internal, so your URI paths do not change (but that only addresses the "absolute path" problem, not the "full URL" problem). The reverse proxy differentiates the backend "by name" instead of "by path" in that case.
#6
i am far more concerned about the openssl ones:

Fetching vuln.xml.xz: .......... done
openssl-3.0.18,1 is vulnerable:
  OpenSSL -- Multiple vulnerabilities
  CVE: CVE-2026-22796
  CVE: CVE-2026-22795
  CVE: CVE-2025-69421
  CVE: CVE-2025-69420
  CVE: CVE-2025-69419
  CVE: CVE-2025-69418
  CVE: CVE-2025-68160
  CVE: CVE-2025-66199
  CVE: CVE-2025-15469
  CVE: CVE-2025-15468
  CVE: CVE-2025-15467
  CVE: CVE-2025-11187
  WWW: https://vuxml.freebsd.org/freebsd/4b824428-fb93-11f0-b194-8447094a420f.html

python311-3.11.14 is vulnerable:
  python -- several vulnerabilities
  CVE: CVE-2025-13836
  CVE: CVE-2025-12084
  WWW: https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

  python -- several security vulnerabilities
  CVE: CVE-2026-0865
  CVE: CVE-2026-1299
  WWW: https://vuxml.freebsd.org/freebsd/bfe9adc8-0224-11f1-8790-c5fb948922ad.html

libsodium-1.0.19 is vulnerable:
  security/libsodium -- crypto_core_ed25519_is_valid_point mishandles checks for whether an elliptic curve point is valid
  CVE: CVE-2025-69277
  WWW: https://vuxml.freebsd.org/freebsd/583b63f5-ebae-11f0-939f-47e3830276dd.html

4 problem(s) in 3 package(s) found.
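The pkg audit listing above is easy to read for one host but tedious to compare across several. As an added example (not part of the post, and not a tool that ships with pkg or OPNsense), the following Python parses that output format into a per-package list of advisories, collects the CVE identifiers per package, and cross-checks the parsed totals against pkg's own trailing "N problem(s) in M package(s) found." line. The sample input is the output quoted in the post; the advisory-title and package-line shapes it relies on are those visible there.

```python
import re

# Sample input: the pkg audit output quoted in the post above, embedded verbatim.
SAMPLE_AUDIT = """Fetching vuln.xml.xz: .......... done
openssl-3.0.18,1 is vulnerable:
  OpenSSL -- Multiple vulnerabilities
  CVE: CVE-2026-22796
  CVE: CVE-2026-22795
  CVE: CVE-2025-69421
  CVE: CVE-2025-69420
  CVE: CVE-2025-69419
  CVE: CVE-2025-69418
  CVE: CVE-2025-68160
  CVE: CVE-2025-66199
  CVE: CVE-2025-15469
  CVE: CVE-2025-15468
  CVE: CVE-2025-15467
  CVE: CVE-2025-11187
  WWW: https://vuxml.freebsd.org/freebsd/4b824428-fb93-11f0-b194-8447094a420f.html

python311-3.11.14 is vulnerable:
  python -- several vulnerabilities
  CVE: CVE-2025-13836
  CVE: CVE-2025-12084
  WWW: https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

  python -- several security vulnerabilities
  CVE: CVE-2026-0865
  CVE: CVE-2026-1299
  WWW: https://vuxml.freebsd.org/freebsd/bfe9adc8-0224-11f1-8790-c5fb948922ad.html

libsodium-1.0.19 is vulnerable:
  security/libsodium -- crypto_core_ed25519_is_valid_point mishandles checks for whether an elliptic curve point is valid
  CVE: CVE-2025-69277
  WWW: https://vuxml.freebsd.org/freebsd/583b63f5-ebae-11f0-939f-47e3830276dd.html

4 problem(s) in 3 package(s) found.
"""

# A package block starts with an unindented "<pkg> is vulnerable:" line; everything
# belonging to it is indented by two spaces.  Blank lines separate advisories.
PKG_RE = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")
SUMMARY_RE = re.compile(r"^(?P<problems>\d+) problem\(s\) in (?P<packages>\d+) package\(s\) found\.$")


def parse_pkg_audit(text):
    """Return {package: [advisory, ...]}; each advisory is {title, cves, url}."""
    packages, pkg, adv = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PKG_RE.match(raw)
        if m:
            pkg, adv = m.group("pkg"), None
            packages[pkg] = []
            continue
        if not raw.startswith("  ") or pkg is None:
            continue  # fetch progress, summary line, anything outside a package block
        if line.startswith("CVE: ") or line.startswith("WWW: "):
            if adv is None:  # tolerate output where the title line is absent
                adv = {"title": "", "cves": [], "url": None}
                packages[pkg].append(adv)
            if line.startswith("CVE: "):
                adv["cves"].append(line[5:])
            else:
                adv["url"] = line[5:]
        else:
            # Any other indented line is the title of a new advisory for this package.
            adv = {"title": line, "cves": [], "url": None}
            packages[pkg].append(adv)
    return packages


def summary(packages):
    """(problems, packages) the way pkg audit counts them: one problem per advisory."""
    return sum(len(advs) for advs in packages.values()), len(packages)


def summary_line_matches(text):
    """True when the parsed counts agree with pkg's own trailing summary line."""
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            expected = (int(m.group("problems")), int(m.group("packages")))
            return expected == summary(parse_pkg_audit(text))
    return False


def cves_by_package(packages):
    """Sorted, de-duplicated CVE ids per package, for comparing hosts or tickets."""
    return {pkg: sorted({c for adv in advs for c in adv["cves"]})
            for pkg, advs in packages.items()}


if __name__ == "__main__":
    parsed = parse_pkg_audit(SAMPLE_AUDIT)
    print("summary line consistent:", summary_line_matches(SAMPLE_AUDIT))
    for pkg, cves in cves_by_package(parsed).items():
        print(f"{pkg}: {len(cves)} CVE(s)")
```

Feed it the saved output of pkg audit from several hosts and diff the per-package CVE lists; the summary cross-check catches truncated captures, which otherwise look like hosts with fewer findings.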
#7
Dear all, I have a pretty simple use case, but whatever I've tried did not work.

Situation:
Two servers with web applications served on different ports:
server1.domain.internal:8001
server2.domain.internal:8002

My goal is to set up a reverse proxy and serve the applications via different paths, e.g.

myapps.domain.internal/app1 --> server1.domain.internal:8001
myapps.domain.internal/app2 --> server2.domain.internal:8002


I know the basics about nginx, but even with the simplest application it doesn't work: either pictures are missing, the formatting is wrong, or parts of the page are missing.

Config NGINX:
  • Server: myapps.domain.internal with 2 Locations
  • Location1: URLPattern /app1
  • Location2: URLPattern /app2
  • Upstream Server and Upstream are defined

I did some research, but no solution works; maybe someone has an idea. Thanks
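The broken pictures and missing styles in the question, and the explanation in post #5 of why path-based proxying loses root-relative and absolute backend references, can be made concrete with a small classifier. The following Python is an added example and not code from either post or from the OPNsense nginx plugin: it takes a constructed HTML snippet of the kind server1.domain.internal:8001 might emit, reports which references break when the page is served from /app1/ on myapps.domain.internal, and shows the rewrite a proxy would have to apply to each attribute to compensate. The two rewrite rules (prefix root-relative paths; map absolute backend URLs onto the public origin plus prefix) are the author's own illustration of the problem, not a feature of the nginx plugin.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample page, written the way a backend such as
# server1.domain.internal:8001 might emit it (not captured from a real server).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://server1.domain.internal:8001/static/app.js"></script>
</head><body>
<img src="/images/xyz.jpg">
<img src="images/rel.jpg">
<a href="/login">Login</a>
</body></html>"""

# Matches src="..." / href='...' attribute values.  A regex is enough for this
# demonstration; a real rewriter would need an HTML parser and would still miss
# URLs assembled in JavaScript, which is one reason post #5 prefers name-based routing.
ATTR_RE = re.compile(r"""(?P<attr>\b(?:src|href)=)(?P<q>["'])(?P<url>[^"']*)(?P=q)""",
                     re.IGNORECASE)


def classify(url, backend_origin):
    """Describe how one reference behaves when the page is served from a path prefix."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        if parts.netloc == urlsplit(backend_origin).netloc:
            # The browser would contact the internal host directly.
            return "absolute-backend"
        return "external"
    if url.startswith("/"):
        # Resolves against the proxy's root, so the /app1 prefix is lost.
        return "root-relative"
    # Resolves against /app1/... and survives the prefix unchanged.
    return "relative"


def broken_references(html, backend_origin):
    """Return (url, kind) for every reference that breaks behind a path prefix."""
    out = []
    for m in ATTR_RE.finditer(html):
        kind = classify(m.group("url"), backend_origin)
        if kind in ("root-relative", "absolute-backend"):
            out.append((m.group("url"), kind))
    return out


def rewrite_url(url, prefix, backend_origin, public_origin):
    """Map one reference onto the public, path-prefixed URL space."""
    prefix = prefix.rstrip("/")
    kind = classify(url, backend_origin)
    if kind == "root-relative":
        return prefix + url
    if kind == "absolute-backend":
        src, pub = urlsplit(url), urlsplit(public_origin)
        return urlunsplit((pub.scheme, pub.netloc, prefix + src.path,
                           src.query, src.fragment))
    return url  # relative and external references need no change


def rewrite_html(html, prefix, backend_origin, public_origin):
    """Rewrite src/href attributes so the page works under prefix on the proxy."""
    def sub(m):
        new = rewrite_url(m.group("url"), prefix, backend_origin, public_origin)
        return m.group("attr") + m.group("q") + new + m.group("q")
    return ATTR_RE.sub(sub, html)


if __name__ == "__main__":
    backend = "https://server1.domain.internal:8001"
    public = "https://myapps.domain.internal"
    for url, kind in broken_references(SAMPLE_HTML, backend):
        print(f"{kind:17s} {url}")
    print(rewrite_html(SAMPLE_HTML, "/app1", backend, public))
```

Running it on the sample lists four breaking references (three root-relative, one absolute backend URL) and leaves the relative images/rel.jpg alone, which is exactly the split post #5 describes: only the relative form survives a path prefix without help, and only an application configured with its public base URL avoids the problem entirely.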

#8
German - Deutsch / Re: HA with CARP: LAN VIP is ...
Last post by TheExpert - Today at 01:09:58 PM
OK, thanks.

I can already say that the CARP VIP for LAN now works correctly as well, after I removed the redundant physical network cards from the trunk for the Sophos, set the corresponding ports on the switch to "Tag all", and created a new vSwitch with 2 port groups on the ESXi hosts:

1. Trunk port group with VLAN ID 4095
2. LAN port group with the VLAN of my LAN

I then connected the LAN virtual network card of each of the two OPNsense VMs to the trunk port group, and in OPNsense I set up a VLAN for the LAN and assigned it to the OPNsense LAN interface.

I have already been able to test failover and failback successfully.

Now I will set up the remaining VLANs in OPNsense and create the CARP VIPs for them. Since these are LAN networks as well, I'll put them on the OPNsense LAN interface too. Then all LAN VLANs go over one network card. I don't see much added value in creating a separate virtual network card for each VLAN, because in the end the traffic for the LANs is always routed over one and the same network connection anyway.
#9
Italian - Italiano / Wi-Fi on the LAN network
Last post by Bdevil - Today at 12:58:14 PM
Good morning everyone

I need help solving a silly problem that I can't get to the bottom of.
Simply put, I have a hardware device that, in addition to the usual LAN ports, has a Wi-Fi card that I would like to use to create an access point.
The point is that I can create the access point, but only on a separate network with its own DHCP and so on. What I actually want is the same thing your home router does, namely that when you connect to the Wi-Fi you are joining the same wired LAN with its DHCP etc...

Could you help me do this?
Thank you very much :)
#10
26.1 Series / Re: zfs and sqlite
Last post by Patrick M. Hausen - Today at 12:53:12 PM
I run all my applications on ZFS and more than one use SQLite. Never had a single problem. But after looking closely none of them seems to use WAL.