Recent posts

#1
26.1 Series / Re: internet stops! pf_test: ...
Last post by franco - Today at 08:15:28 PM
Took a quick look. Nothing around this code changed in the last 3 years. I'm assuming this is one of those teardown races which PPPoE is especially prone to (mpd5 removes and recreates devices on a restart). If it's not crashing it's good.


Cheers,
Franco
#2
26.1 Series / Nothing happens when importing...
Last post by Odjuret - Today at 08:04:09 PM
I download my old rules.
They look fine in Excel; I don't save them.
I choose import, press the button.
Nothing happens.

I have 72 lines in my download_rules.csv
#3
26.1 Series / internet stops! pf_test: kif ...
Last post by RamSense - Today at 08:03:18 PM
I just took the jump also.
Upgraded, and after reboot I have an internet connection for a little while. And then that stops;
I am not able to get it back up.

After another reboot the same.
I noticed the wan interface was down.

In the log I noticed this:

[357] pf_test: kif == NULL, if_xname pppoe0

Is this the reason?
What can I do?

Thanks for the help in advance!
#4
German - Deutsch / Re: "Secure" operation of a...
Last post by meyergru - Today at 07:38:47 PM
You can do it that way, although it is a very limited use of OpnSense, in which blocklists or GeoIP, if applicable, only take effect behind the Fritzbox. As you know, the attack surface should be minimized as much as possible. All of this also becomes difficult with regard to IPv6 - I have no idea whether/how the IPv6 prefixes can be delegated, or whether you need/want that.

For pragmatic reasons I would also do the port forwarding only on the Fritzbox, and on the OpnSense use a reverse proxy instead of port forwards or firewall rules, but you have already read that. You have to do one of the two in any case, because by default no incoming traffic is allowed on a typical "WAN" interface (you then also have to turn off NAT there).

As far as the subnets are concerned, you should perhaps also read this. Without a real need I would neither define a /16 nor use 192.168.0.x/24.

It is correct that you can create a DMZ this way that only reaches the Internet and has no access to internal devices. But that would also be possible, and more elegantly, with an OpnSense "in front".
#5
26.1 Series / Re: 26.1 is out!!!
Last post by amw-tue - Today at 07:32:04 PM
Quote from: donks on Today at 12:54:29 PM
Appears to be a bug when trying to create a rule in the new FW GUI that uses the q-feed blocklist alias.
I installed the Q-feed plugin as per the documentation and confirmed the API key is working and downloads the IP and DNS feed.
The alias is also populated with 200K odd entries.

The error when trying to save the rule is "__qfeeds_malware_ip is not a valid source IP address or alias"

When I create the rule using the old FW GUI, the rule is created without any issues.

I experienced the same problem as donks described. Before that, I migrated the old rules to the new ones (via migration assistant and according to the process described there).
Later on that day I tried to set up q-feeds as written in their setup guide for opnsense.
I can confirm that it works in the old fw rules section, but not in the new one. As a workaround I created this as an old rule and imported it within the new rules section.

Cheers, Mario
#6
26.1 Series / Re: DNAT auto firewall [Regist...
Last post by franco - Today at 07:16:56 PM
Can you raise a ticket on GitHub about this? This may require a bit of discussion.


Thanks,
Franco
#7
25.7, 25.10 Series / Will 25.7.11_9 fix the memory/...
Last post by allenlook - Today at 06:52:25 PM
As it says on the tin, will 25.7.11_9 fix the memory/swap consumption issue?

I see a line item for "dnsmasq: fix log conditions", but I'm not sure if that's what that means?
#8
26.1 Series / Re: Old rules deprecation
Last post by Seimus - Today at 06:48:34 PM
Quote from: Monviech (Cedrik) on Today at 02:15:29 PM
The funny thing is, once the separators were implemented the people who cried for them never gave any feedback anymore.

Alright, so that you don't feel sad about this, I have one complaint :)

Would it be possible to have the Statistic section in a single row if I expand its section?


It drives me nuts that it's in two rows even though I have a lot of space...

Regards,
S.
#9
25.7, 25.10 Series / Re: Caddy | HTTP2 Error on Chr...
Last post by wilddev - Today at 06:29:34 PM
I am seeing this same error with Caddy on 25.7.11_2. This is the error from the debug log:
"debug","ts":"2026-01-29T16:51:05Z","logger":"http.log.error.default","msg":"TLS handshake not complete, remote IP cannot be verified","request":{"remote_ip":"192.168.1.1","remote_port":"39822","client_ip":"192.168.1.1","proto":"HTTP/1.1","method":"GET","host":"bonob.wilddev.net","uri":"/","headers":{"Accept":["*/*"],"User-Agent":["curl/8.17.0"]},"tls":{"resumed":false,"version":0,"cipher_suite":0,"proto":"","server_name":""}},"duration":0.00002967,"status":425,"err_id":"a2jmx8j74","err_trace":"caddyhttp.MatchClientIP.MatchWithError (ip_matchers.go:268)"}

I opened an issue with Caddy to see if I can find out more. I did tests using curl and openssl and could not figure out why the 425 is coming back even when using TLS 1.2.
#10
26.1 Series / Re: Fresh install of 26.1 with...
Last post by jp0469 - Today at 06:19:57 PM
Quote from: franco on Today at 04:26:23 PM
Just make sure you have a config.xml downloaded somewhere so you are prepared.  :)


Cheers,
Franco
Oh yeah, if I forget that part, it's time to throw all the networking gear in a box and find a new hobby.