Recent posts

#1
In post 221, that Protectli link does read a bit wonky, but I guess it can work for the 700 NIC. No fault of theirs, but following the Intel links from there leads to some odd reading. Follow the release notes link on the Intel page and it opens a PDF, which is basically blank; it just says "the release notes are here" with a link. Why even bother linking to the PDF to start with? Then when you get to the Release Notes page, the latest is 31.1, but dated months after the 9.56 utility page. They seem to mix linked files: why do the release notes for the NVM utility link over to the release notes for the various series of NICs?

Anyways, that Protectli link only covers the 700 series NIC, not the i226.
Why can't the i226 bins be available just like the bins for the 700 series? The bins are coming from Intel, not the Protectli site.

Quote: You may be wondering how to perform similar firmware updates on other Intel NICs (specifically the Intel i226-V).

The challenge with the i226-V is that Intel does not publicly distribute the .bin NVM firmware images required by the Intel NVM Update Utility. The .bin files are required in order to update i226-V firmware, but they typically must be obtained directly from Intel, such as through Intel RDC or Intel DevZone, or provided under the appropriate terms.

We (Protectli) cannot directly redistribute those .bin files.
#2
26.1, 26.4 Series / Re: A firewall rule pattern t...
Last post by opnseeker - Today at 04:01:06 AM

Quote from: lmoore on May 20, 2026, 11:37:22 PM: What happens when you set the Gateway in these two rules to None?

For the first rule, the gateway is None. I said default, which is the same behavior, as it uses the default gateway.

For second rule, setting gateway to None defeats the purpose but I will try and see what happens.

Quote: You will also have rules for your outbound traffic - what do they look like?

I have one outbound rule on the WAN interface, which is a kill switch when a tag is set. The tags are not used in these two rules.

Quote: With your first rule, you could set the source to WGP1 and enable the Invert Source option. In addition, you could also enable Quick.

I can. But I use interface groups to reduce the number of rules. In this case this group is to allow internet traffic over the default gateway.

I will have to do it as a last resort if nothing else solves the issue: have separate rules for the WG1 interface and remove it from the interface group. I can give it a try.

Quote: Which rules appear in the logs that are blocking these connections?

I haven't checked the logs, as this issue occurs when I am connecting to home while I am away. I will simulate it and check the logs.


#3
Hardware and Performance / Re: [solved] Intel i226 Firmwa...
Last post by cottec - Today at 01:10:35 AM
Quote from: nero355 on May 16, 2026, 03:58:48 PM: Did you contact Protectli first and try to get the update from them directly?
If so: what did they say?


https://kb.protectli.com/kb/how-to-update-intel-nic-nvm-firmware-on-protectli-vaults/
Quote: Conclusion and Related Notes
You may be wondering how to perform similar firmware updates on other Intel NICs (specifically the Intel i226-V).

The challenge with the i226-V is that Intel does not publicly distribute the .bin NVM firmware images required by the Intel NVM Update Utility. The .bin files are required in order to update i226-V firmware, but they typically must be obtained directly from Intel, such as through Intel RDC or Intel DevZone, or provided under the appropriate terms.

We (Protectli) cannot directly redistribute those .bin files.

Stock firmware on Vault platforms that include the i226-V NIC is typically around NVM 2.17. We have successfully validated updates to NVM 2.27+.

We are currently investigating the proper and compliant way to provide updated firmware images (or tools) to customers.

In the meantime, this OPNsense community forum post contains useful real-world context and discussion that should get you in the right direction, but use at your own risk.
#4
26.1, 26.4 Series / Re: Can I steer hosts to a par...
Last post by meyergru - Today at 12:44:25 AM
Normally, that would be a scenario for VLANs and different subnets, not ranges.

When you use static mappings for affected clients, you might as well send a specific DNS server IP with the DHCP option response that is different from the default. So strictly speaking, there does not even have to be a "range" for this purpose.
#5
German - Deutsch / Re: "Lahmes" Internet seit Upd...
Last post by meyergru - Today at 12:38:00 AM
If it is due to the MTU, it may also be that the other side cannot handle TCP fragmentation, or that UDP is being used.

Your script presumably runs on some client, not on OPNsense itself. Can you reduce the MTU there? Perhaps MSS clamping on OPNsense is not working correctly. In fact, I know that the whole MTU/MSS handling for IPv6 has not been working quite as expected for some time. And visualizer.coffee also has IPv6 addresses, which may be used preferentially. If PMTUD is broken there, the packets already have to be size-limited at the source. To be on the safe side, I would try 1400 bytes.
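An added example, not part of meyergru's post and not OPNsense's own code, showing what MSS clamping is expected to do to a TCP SYN and why a 1400-byte MTU corresponds to a 1360-byte MSS on IPv4 and a 1340-byte MSS on IPv6. The SYN options blob is constructed, not captured; the function and constant names are this example's own.

```python
import struct

# Header sizes without options; the MSS is the MTU minus these, so a
# 1400-byte MTU gives 1360 (IPv4) or 1340 (IPv6).
IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2


def mss_for_mtu(mtu: int, ipv6: bool) -> int:
    """Largest TCP segment that fits into one packet of the given MTU."""
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - TCP_HEADER


def parse_tcp_options(options: bytes) -> list:
    """Walk the TCP options field and return (kind, payload) pairs.

    Layout: a kind byte, then for every kind except EOL (0) and NOP (1)
    a length byte that counts the kind and length bytes as well.
    """
    parsed = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def mss_of(options: bytes):
    """Return the MSS advertised in the options, or None if there is none."""
    for kind, payload in parse_tcp_options(options):
        if kind == TCPOPT_MSS and len(payload) == 2:
            return struct.unpack("!H", payload)[0]
    return None


def clamp_mss(options: bytes, max_mss: int) -> bytes:
    """Rewrite the MSS option so that it advertises at most max_mss.

    This is what a firewall's MSS clamping does to a SYN passing through:
    only the two value bytes change, the option layout stays intact.
    """
    parse_tcp_options(options)  # validate the layout before touching bytes
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = out[i + 1]
        if kind == TCPOPT_MSS and length == 4:
            current = struct.unpack("!H", out[i + 2:i + 4])[0]
            if current > max_mss:
                out[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    return bytes(out)


# Constructed SYN options (not a capture): MSS 1460, SACK permitted,
# timestamps, NOP, window scale 7, the usual 20-byte client layout.
SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"            # MSS = 1460
    + b"\x04\x02"                  # SACK permitted
    + b"\x08\x0a" + bytes(8)       # timestamps (TSval/TSecr zeroed)
    + b"\x01"                      # NOP padding
    + b"\x03\x03\x07"              # window scale = 7
)


if __name__ == "__main__":
    for label, ipv6 in (("IPv4", False), ("IPv6", True)):
        target = mss_for_mtu(1400, ipv6)
        clamped = clamp_mss(SYN_OPTIONS, target)
        print("%s: MTU 1400 -> MSS %d, SYN advertised %d, after clamping %d"
              % (label, target, mss_of(SYN_OPTIONS), mss_of(clamped)))
```

To check whether clamping is really happening for IPv6, compare the MSS in a SYN captured on the far side of the firewall with the value `mss_for_mtu` gives for the configured MTU; if the far side still sees 1440 or 1460, the clamp is not being applied and lowering the MTU on the client is the workaround the post describes.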
#6
German - Deutsch / Re: "Lahmes" Internet seit Upd...
Last post by cottec - Today at 12:23:53 AM
Unfortunately the errors persist.
#7
26.1, 26.4 Series / Re: Can I steer hosts to a par...
Last post by nero355 - Today at 12:15:37 AM
Quote from: endurium on May 20, 2026, 12:41:57 PM: Is there a way to "direct" a host to get its IP address from a specific DNSMasq address pool (DHCP range)?
Can't you just use 'Static DHCP Mappings based on the MAC Address' for those hosts, with the specific 'DNS Server IP Address' configured in the mapping?!
#8
26.1, 26.4 Series / Re: A firewall rule pattern t...
Last post by lmoore - May 20, 2026, 11:37:22 PM
What happens when you set the Gateway in these two rules to None?

You will also have rules for your outbound traffic - what do they look like?

With your first rule, you could set the source to WGP1 and enable the Invert Source option. In addition, you could also enable Quick.

Which rules appear in the logs that are blocking these connections?
#9
German - Deutsch / Re: LogIn-Seite vor Captive Po...
Last post by viragomann - May 20, 2026, 11:07:12 PM
Quote from: NausB on May 19, 2026, 11:21:09 PM: The core question from my first points would rather be:
**How do you reliably make an internal web server reachable as a walled-garden / pre-auth target before the captive portal login under OPNsense 26.1.2?**
I have not implemented that yet either.
But I could imagine that you would first have to allow access for users who are not logged in.

Quote from: NausB on May 19, 2026, 11:21:09 PM: Are the **Allowed Addresses** in the Captive Portal the right way to do this, or is additional configuration needed?
I don't think so. I understood the option to mean that the listed source IPs/subnets would not be blocked. The same as "Allowed MAC addresses" for MAC addresses.

Quote: And are there known peculiarities when the target is in a different internal network, e.g.:
I suspect so.
In any case, you have to allow access before it is blocked by the captive portal rule. And that is an automatically generated rule that sits above the user rules in the rule set.

Look at the rules. Select the CP interface and enable "Inspect" to display the automatically generated rules.

So that your page is not blocked, you will probably have to create the rules manually. To do that, you must check "Disable firewall rules" in Captive Portal (advanced mode).
But look at the original rule carefully beforehand, so that you can recreate it afterwards. The alias __captiveportal_zone_x remains available to you for that.
You then have to place the rule that allows access to your page before the block rule, i.e. in the first position. The block rule in the second.

With your particular port, it could also be that some devices are unwilling to access it. At least I know that from web browsers.

You should also configure DHCP option 114.
Since you did not mention it, I assume it has not been done yet. But some modern devices require this in order to display the CP page.
#10
Hardware and Performance / Re: quad interface firewall PC...
Last post by qarkhs - May 20, 2026, 10:47:30 PM
Quote from: passeri on May 12, 2026, 02:24:12 AM: Just pausing to mention the existence of other places on the planet, at which point simplicity is down the gurgler and decisions need to be made.

Yes, I started out with a Fitlet2 and then moved to a GigaIPC box. The latter company is the industrial PC division of Gigabyte. There are lots of options. There's also AAEON, which is the industrial PC division of ASUS. AAEON also now owns Jetway, another IPC maker. There's also Lanner, which has at various times made boxes for certain firewall companies. They don't sell directly to consumers, but you can get their stuff used, with their name or another name on the box. And, of course, there's Supermicro.