Recent posts

#1
Quote from: nero355 on June 27, 2026, 10:27:54 PM
Why not boot the system with the Live Image of OPNsense and see how that performs with a very basic setup just good enough to get your WAN working?

Perhaps you made some weird loop somewhere or something got corrupted over time?!

Yeah, that's a possibility, but even if I can do that test I need a way to profile the rules, so this will only indicate no implementation problem in OPNsense/BSD.

By the way, remember that when the FW is disabled everything works well.

Quote from: nero355 on June 27, 2026, 10:27:54 PM
Another thing to keep in mind is this: https://www.tomshardware.com/news/intel-apollo-lake-refresh-degradation-cpu-failure,40362.html
Your CPU might be affected by something like that too IIRC from a very long time ago, but I could be wrong...

Hmm, I don't think this is the problem. If the CPU were dying or having problems I would see strange behaviours in all options and not only with a specific interface in a specific protocol.

In any case, thanks for the answers.
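The poster asks for a way to profile the rules. pf keeps per-rule counters that `pfctl -vvsr` prints, and ranking those is the usual first step. The script below is an added example, not code from the thread or from the OPNsense project; SAMPLE_PFCTL is constructed in the shape FreeBSD's pfctl prints with -vv (an `@N` rule line followed by a bracketed counter line), and the rules and numbers are made up.

```python
"""Rank pf rules by evaluation count from 'pfctl -vvsr' output.

Added example, not from the thread or the OPNsense project. SAMPLE_PFCTL
is constructed in the shape FreeBSD's pfctl prints with -vv (an '@N' rule
line followed by a bracketed counter line); the rules and numbers are
made up. On a live box: pfctl -vvsr | python3 pf_profile.py
"""
import re
import sys

SAMPLE_PFCTL = """\
@0 block drop in log all label "Default deny rule"
  [ Evaluations: 500000    Packets: 120       Bytes: 9600       States: 0     ]
@1 pass in quick on re0 inet proto tcp from any to any port = 443 flags S/SA keep state label "allow https"
  [ Evaluations: 499880    Packets: 300000    Bytes: 250000000  States: 4000  ]
@2 pass in quick on re0 inet proto udp from any to any port = 9002 keep state label "allow app"
  [ Evaluations: 199880    Packets: 150000    Bytes: 20000000   States: 0     ]
"""

RULE_RE = re.compile(r"^@(?P<num>\d+)\s+(?P<rule>.+)$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(?P<evals>\d+)\s+Packets:\s*(?P<pkts>\d+)\s+"
    r"Bytes:\s*(?P<bytes>\d+)\s+States:\s*(?P<states>\d+)"
)


def parse_pfctl_rules(text):
    """Return one dict per rule: num, rule text and the four counters."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"num": int(m["num"]), "rule": m["rule"].strip(),
                       "evals": 0, "pkts": 0, "bytes": 0, "states": 0}
            rules.append(current)
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            current.update({k: int(v) for k, v in m.groupdict().items()})
    return rules


def rank_by_evaluations(rules, top=10):
    """Most frequently evaluated rules first: where pf spends its time."""
    return sorted(rules, key=lambda r: r["evals"], reverse=True)[:top]


def low_yield_rules(rules, min_evals=10000, max_hit_ratio=0.01):
    """Rules evaluated often but matching rarely.

    A rule that shows up here is evaluated for traffic it does not match;
    moving it down, or making the rule that does match 'quick' and
    earlier, cuts evaluations per packet.
    """
    return [r for r in rules
            if r["evals"] > 0 and r["evals"] >= min_evals
            and r["pkts"] / r["evals"] <= max_hit_ratio]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL
    rules = parse_pfctl_rules(text)
    for r in rank_by_evaluations(rules):
        print(f"@{r['num']:<4} evals={r['evals']:<10} pkts={r['pkts']:<10} {r['rule'][:60]}")
    for r in low_yield_rules(rules):
        print(f"low yield: @{r['num']} hit ratio {r['pkts'] / r['evals']:.5f}")
```

Run it twice, once with the firewall enabled and the slow transfer in progress, once idle, and compare the evaluation deltas per rule; a rule whose counter grows far faster than the packet rate of the affected interface is the one to look at first.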
#2
If the mode is automatic, any manual rules should be skipped by this condition:

https://github.com/opnsense/core/blob/fbbc4ade70527a60be7b66790ae7cd6816f98aea/src/etc/inc/filter.inc#L196

If they aren't, there is either something wrong with this condition or the new SNAT rules use a different pipeline for their rule register?
#3
1. The reason why iperf probably shows a higher performance is that it is able to use multiple TCP streams, which you may have selected by using -Px (see https://forum.opnsense.org/index.php?topic=42985.0, point 10).

2. wget, curl, rsync and scp use a single TCP stream, where problems that can be induced by double NAT and the Proxmox virtualisation layer come into play. The fact that the rsync starts out fast and then drops speaks for buffer overruns.

I would try to further reduce the MTU size to 1360 on both sides first, regardless of whether the pings work with your current settings.

Did you use virtio networking on the OPNsense VM with the settings depicted here, including RSS in OPNsense and in the VM NIC settings? In this specific case, multiqueue on the VM's NIC might be harmful, as it can cause out-of-order packets.

If you pass through the NIC, the VM might not get all interrupts in due time.

If you have the option, try to use a bare metal OPNsense in site B to isolate virtualisation issues.

WireGuard uses UDP and does not benefit from TCP buffer algorithms, so you might also try to use traffic shaping to ensure that buffers are not overrun.
#4
General Discussion / Re: Cannot access web UI after...
Last post by patient0 - Today at 07:53:34 AM
Quote from: Remedy_plz on Today at 07:11:28 AM
Hello - is there a way to perform a reset when you make a change from the default IP address to a new one, and then you are not able to access the web UI anymore?  When I type in the new IP address it reads "The site can't be reached", "is unreachable", "connection failed" and "network disconnected".  I also typed in the original default IP address, but it too no longer works...  How do I restore my unit back to the original settings?  Thank you in advance for any assistance.

If you have console (video or serial) access you can reset OPNsense in the console menu, point 4 "Reset to factory default".

But: have you asked your computer to get a new IP address from the new IP range? Or you can manually assign your computer an IP in the new IP range and access the webGUI that way. (What OS are you running on your client?)
#5
General Discussion / Cannot access web UI after cha...
Last post by Remedy_plz - Today at 07:11:28 AM
Hello - is there a way to perform a reset when you make a change from the default IP address to a new one, and then you are not able to access the web UI anymore?  When I type in the new IP address it reads "The site can't be reached", "is unreachable", "connection failed" and "network disconnected".  I also typed in the original default IP address, but it too no longer works...  How do I restore my unit back to the original settings?  Thank you in advance for any assistance.
#6
26.1, 26,4 Series / Re: Problem with Firewall Live...
Last post by lmoore - Today at 06:05:23 AM
Quote from: franco on June 26, 2026, 06:48:11 AM
And is there an apply happening in this flow as well? Are you waiting to reopen the live log until this particular apply for the rules is complete?

@franco In my case I don't see this as a real problem as I run multiple tabs in the browser. Changes are made in one and Live View is running in another. After a rule has had logging disabled I would refresh the Live View tab.

On a separate note regarding unexpected entries in Live View, I updated to OPNsense 26.1.10 on or around the 18th of June. On the 20th of June, I added a new VLAN and enabled legacy ISC DHCP on this interface. The interface was then added to an existing Firewall Group. In addition, a rule in this group was updated to include the new interface address. Another change was made later. This was to include network aliases for Cortex Xpanse PAN probes (https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity) and to create firewall rules (IPv4 & IPv6) so they could be explicitly logged. Later on, I observed in Live View that when a pass rule was logged, another entry would be listed immediately after; however, it had a different firewall description field.

Refreshing the browser did not overcome the display issue, so OPNsense was rebooted and the issue went away. I didn't keep the screenshots of this anomaly; however, I can still view the logs in question using TUI (https://forum.opnsense.org/index.php?topic=49879.msg268998#msg268998). Viewing the details of a duplicated entry reveals a different Label value.

First entry:

Details
Time:             Sun, 21 Jun 2026 07:02:49 +0800
Label:            608f5cdb-014b-4ed2-a3db-543251331847
Action:           pass
Reason:           match
Direction:        in
Interface:        re0
IPVersion:        4
ProtocolName:     udp
Source:           aaa.aaa.aaa.aaa
SourcePort:       37882
Destination:      ddd.ddd.ddd.ddd
DestinationPort:  9002
Length:           176
DSCP:             0x0
Flags:            none
ID:               5096
Offset:           0
TTL:              116
DataLength:       156

Duplicated entry with erroneous Label field:

Details
Time:             Sun, 21 Jun 2026 07:02:49 +0800
Label:            e6beac25-38ef-44ce-92ac-cc068b3a066c
Action:           pass
Reason:           match
Direction:        in
Interface:        re0
IPVersion:        4
ProtocolName:     udp
Source:           aaa.aaa.aaa.aaa
SourcePort:       37882
Destination:      ddd.ddd.ddd.ddd
DestinationPort:  9002
Length:           176
DSCP:             0x0
Flags:            none
ID:               5096
Offset:           0
TTL:              116
DataLength:       156


Firewall rule from /tmp/rules.debug with label "e6beac25-38ef-44ce-92ac-cc068b3a066c". Note: this is an outbound rule:

block return out log quick on EGRESS inet from {any} to $bitwire_it_outbound_blocklist label "e6beac25-38ef-44ce-92ac-cc068b3a066c" # Outbound Bitwire-IT Block List

I can't come up with an explanation for the duplicated, but erroneously labelled log entries.

I'm not saying this is related to 26.1.10, however, the previous time I added a new interface and rules to OPNsense would have been around February/March this year.

Cheers,

Larry.
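The two Details views above are identical except for the Label, and the rules.debug line for the second label is an outbound rule while the log says "in". Those two checks (same flow logged twice under different labels, and logged direction versus the labelled rule's direction) can be run over a whole log export. The script below is an added example, not code from the post or from OPNsense. LOG_DETAILS repeats the fields needed from the two Details views in the post (addresses redacted as in the post); RULES_DEBUG holds the rules.debug line quoted in the post plus a constructed, hypothetical line for the first label, which the post does not show.

```python
"""Find live-log entries that duplicate each other under different rule
labels and check each label's rule direction in /tmp/rules.debug.

Added example, not code from the post or from OPNsense. LOG_DETAILS holds
the relevant fields of the two 'Details' views in the post (addresses
redacted as in the post); RULES_DEBUG holds the one rules.debug line the
post quotes plus a constructed, hypothetical line for the first label.
"""
import re
from collections import defaultdict

LOG_DETAILS = """\
Details
Time:             Sun, 21 Jun 2026 07:02:49 +0800
Label:            608f5cdb-014b-4ed2-a3db-543251331847
Action:           pass
Reason:           match
Direction:        in
Interface:        re0
ProtocolName:     udp
Source:           aaa.aaa.aaa.aaa
SourcePort:       37882
Destination:      ddd.ddd.ddd.ddd
DestinationPort:  9002
ID:               5096

Details
Time:             Sun, 21 Jun 2026 07:02:49 +0800
Label:            e6beac25-38ef-44ce-92ac-cc068b3a066c
Action:           pass
Reason:           match
Direction:        in
Interface:        re0
ProtocolName:     udp
Source:           aaa.aaa.aaa.aaa
SourcePort:       37882
Destination:      ddd.ddd.ddd.ddd
DestinationPort:  9002
ID:               5096
"""

RULES_DEBUG = """\
pass in quick on re0 inet proto udp from any to any port 9002 keep state label "608f5cdb-014b-4ed2-a3db-543251331847" # constructed: hypothetical inbound allow for port 9002
block return out log quick on EGRESS inet from {any} to $bitwire_it_outbound_blocklist label "e6beac25-38ef-44ce-92ac-cc068b3a066c" # Outbound Bitwire-IT Block List
"""

# Fields that identify one packet: same values in two entries means the
# same packet was logged twice.
FLOW_KEYS = ("Time", "ProtocolName", "Source", "SourcePort",
             "Destination", "DestinationPort", "ID")


def parse_details(text):
    """Split the 'Details' views into one dict per entry."""
    entries = []
    for chunk in re.split(r"^Details\s*$", text, flags=re.M):
        fields = dict(re.findall(r"^(\w+):\s*(.+?)\s*$", chunk, flags=re.M))
        if fields:
            entries.append(fields)
    return entries


def parse_rules_debug(text):
    """Map label UUID -> {action, direction, description} per pf rule line."""
    rules = {}
    for line in text.splitlines():
        m = re.search(r'label "([^"]+)"', line)
        if not m:
            continue
        rule, _, comment = line.partition(" # ")
        tokens = rule.split()
        rules[m.group(1)] = {
            "action": tokens[0],
            "direction": next(t for t in tokens if t in ("in", "out")),
            "description": comment.strip(),
        }
    return rules


def duplicate_flows(entries):
    """Packets logged more than once with differing labels."""
    groups = defaultdict(set)
    for e in entries:
        groups[tuple(e.get(k) for k in FLOW_KEYS)].add(e["Label"])
    return [(key, sorted(labels)) for key, labels in groups.items() if len(labels) > 1]


def direction_mismatches(entries, rules):
    """Entries whose logged direction disagrees with the labelled rule."""
    out = []
    for e in entries:
        rule = rules.get(e["Label"])
        if rule and rule["direction"] != e["Direction"]:
            out.append((e["Label"], e["Direction"], rule["direction"], rule["description"]))
    return out
```

On the sample, `duplicate_flows` returns the one flow with both labels and `direction_mismatches` flags the e6beac25 entry as logged "in" against an "out" rule. Labels that appear in the log but in no rules.debug line are worth a separate look, since they point at a ruleset that was loaded from an older rules.debug than the one on disk.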
#7
Virtual private networks / Wireguard site to site file tr...
Last post by ditch9 - June 27, 2026, 11:56:55 PM
I have two sites. Site A and site B.

On site A OPNsense is the edge device. It has a DHCP WAN cable connection and MTU ping testing has verified my MTU settings of 1420 and MSS settings of 1380 are what I need. The WAN speed is 1gbit down 300mbits up. I have multiple remote access Wireguard tunnels in addition to the site to site on this device and there are no issues.

On site B OPNsense sits behind a DD-WRT router which is the edge device. DD-WRT has a DHCP WAN fiber connection which has the same MTU/MSS as site A. The WAN speed is 300mbit both ways. OPNsense is virtualized in Proxmox on this site.

My issue is that file transfers using, wget, curl, rsync, and scp are very slow. Less than 1 megabyte a second. If I run rsync with -ahP the speed will be 100MB/s + for a short time then drop to sub 500kB/s and stay there. This happens across any host in any direction.

However, I can run iperf3 test in both directions and get speed around 200mbit/sec. If I run an iperf3 test while transferring files at sub 500kB/s speed, the iperf3 test is slower. Around 50mbit/sec ish.

Any ideas on how to figure out what's going on here? I'm lost.
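The poster has verified MTU 1420 / MSS 1380 by ping testing and the reply above suggests going down to 1360. The arithmetic behind those numbers, and the DF-ping search used to verify them, is spelled out below as an added example (not code from either post). It derives the tunnel MTU and TCP MSS clamp that fit inside a given outer path MTU using the WireGuard encapsulation overhead, and binary-searches the largest don't-fragment ping that gets through; the probe callable is an assumption, on a real host it would wrap `ping -D -s <size>` (FreeBSD) or `ping -M do -s <size>` (Linux).

```python
"""WireGuard MTU/MSS arithmetic and a path-MTU search.

Added example, not from the thread. Header sizes: outer IPv4 20 or IPv6
40, UDP 8, WireGuard transport data framing 32 (4 type, 4 receiver index,
8 counter, 16 AEAD tag), TCP 20, ICMP echo 8. The probe passed to
find_path_mtu is an assumption; it would wrap a DF ping on a real host.
"""

IPV4_HDR, IPV6_HDR = 20, 40
UDP_HDR, TCP_HDR, ICMP_ECHO_HDR = 8, 20, 8
WG_OVERHEAD = 4 + 4 + 8 + 16


def wireguard_mtu(path_mtu, outer_ipv6=False):
    """Largest inner packet that fits in one WireGuard datagram on this path."""
    outer = IPV6_HDR if outer_ipv6 else IPV4_HDR
    return path_mtu - outer - UDP_HDR - WG_OVERHEAD


def mss_clamp(tunnel_mtu, inner_ipv6=False):
    """TCP MSS to advertise so a full segment fits the tunnel MTU."""
    return tunnel_mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def icmp_payload_for_mtu(mtu, ipv6=False):
    """Payload size for 'ping -s' so the whole packet is exactly mtu bytes."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - ICMP_ECHO_HDR


def find_path_mtu(probe, lo=576, hi=1500, ipv6=False):
    """Largest MTU in [lo, hi] whose DF ping succeeds, or None if even lo fails.

    probe(payload_bytes) -> True when the DF ping is answered. Invariant:
    lo is known to pass, everything above hi is not considered.
    """
    if not probe(icmp_payload_for_mtu(lo, ipv6)):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(icmp_payload_for_mtu(mid, ipv6)):
            lo = mid
        else:
            hi = mid - 1
    return lo


def recommend(path_mtu, outer_ipv6=False):
    """Tunnel MTU and MSS clamp for a measured path MTU."""
    mtu = wireguard_mtu(path_mtu, outer_ipv6)
    return {"wg_mtu": mtu, "mss_v4": mss_clamp(mtu), "mss_v6": mss_clamp(mtu, True)}


if __name__ == "__main__":
    # Simulated path: a 1492-byte PPPoE link somewhere between the sites.
    simulated = lambda payload: payload + IPV4_HDR + ICMP_ECHO_HDR <= 1492
    measured = find_path_mtu(simulated)
    print("path MTU", measured, recommend(measured))
```

With a 1500-byte path, `wireguard_mtu(1500)` gives 1440 over IPv4 and `wireguard_mtu(1500, outer_ipv6=True)` gives 1420, and `mss_clamp(1420)` gives the 1380 the poster uses; the 1360 suggested in the reply corresponds to a 1400-byte tunnel MTU, which is the margin to try when the measured path MTU is lower than expected anywhere between the sites. Run the DF-ping search from a host on each side towards the far WireGuard endpoint (not through the tunnel), since that is the path whose MTU the tunnel has to fit inside.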
#8
Zenarmor (Sensei) / Latest upgrade causes Zenarmou...
Last post by lilsense - June 27, 2026, 11:47:47 PM
After upgrading from 26.1.9 to 10, Zenarmor is no longer able to recognize any connections.
#9
26.7 Development Series / Re: OPNsense 26.7-BETA images
Last post by patient0 - June 27, 2026, 11:28:41 PM
@franco: Installing a fresh 26.7-BETA, applying the patch and importing the config shows the same error. 'opnsense-patch -l' shows the patch installed.

For testing I deleted the outbound rules and re-created an IPv6 NAT rule in the source NAT section. That works as it should, but that leaves me with another question: the mode was set to 'Hybrid Source NAT rule generation' and the IPv6 NAT rule works fine. I then set the mode to 'Automatic Source NAT rule generation'; my created rule disappears as expected, but it seems the rule is still active, the IPv6 NAT-ting is still working. All the automatic rules are IPv4 only. Is that expected?
#10
Virtual private networks / Re: OPNsense with Express VPN ...
Last post by bennymundz - June 27, 2026, 11:00:56 PM
Anyone coming here looking for a solution: you have to download the legacy OpenVPN plugin in the community applications (Firmware > Plugins > Community Plugins > os-openvpn-legacy). Install that package.

Setup CA
Trust > Authorities > Import Existing Authority > Paste your CA section from your .ovpn file > Save

Setup Client Cert
Trust > Cert > Import Existing Certificate > Paste your CERT section from your .ovpn file > Paste your Key from the KEY section > Save

Setup VPN Client
VPN > Clients [Legacy] > Protocol UDP4 > Remote address + port from your .ovpn file
TLS Auth > Enabled Authentication only
TLS Shared Key untick > Enter Static key from your .ovpn file
Peer Certificate Auth > Name of the CA you created above
Client certificate > Name of the cert you created above
Auth Digest - SHA512 from your .ovpn file

This worked for me. The rest is up to you with how you deal with the interface once it is established.
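Every value the walkthrough above has you paste comes from one .ovpn file. The script below pulls them out so nothing is copied by hand; it is an added example, not code from the post or from OPNsense. It extracts the inline ca, cert, key and tls-auth (or tls-crypt) blocks and the remote, proto, auth and key-direction options and maps them onto the dialog fields the post names. SAMPLE_OVPN is constructed with placeholder PEM bodies and contains no real certificates or keys; the host name is fictional, and the dialog field labels are taken from the post.

```python
"""Pull the pieces the legacy OpenVPN client dialog asks for out of an
.ovpn profile.

Added example, not from the post or from OPNsense. SAMPLE_OVPN is
constructed with placeholder PEM bodies; it contains no real key material
and the host name is fictional.
"""
import re

SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1195
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedCAbody==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBconstructedClientCert==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEconstructedKey==
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

BLOCK_RE = re.compile(
    r"^<(?P<tag>ca|cert|key|tls-auth|tls-crypt)>\n(?P<body>.*?)\n</(?P=tag)>",
    re.S | re.M,
)
DEFAULT_PORT = 1194  # OpenVPN's default when 'remote' names no port

# proto keyword -> protocol choice in the legacy client dialog (assumed mapping)
PROTO_TO_DIALOG = {"udp": "UDP4", "udp4": "UDP4", "udp6": "UDP6",
                   "tcp": "TCP4", "tcp-client": "TCP4", "tcp4": "TCP4", "tcp6": "TCP6"}


def parse_ovpn(text):
    """Return {'blocks': {tag: pem}, 'remotes': [(host, port)], 'options': {...}}."""
    blocks = {m["tag"]: m["body"].strip() for m in BLOCK_RE.finditer(text)}
    remotes, options = [], {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        tokens = line.split()
        if tokens[0] == "remote":
            port = int(tokens[2]) if len(tokens) > 2 else DEFAULT_PORT
            remotes.append((tokens[1], port))
        else:
            options[tokens[0]] = " ".join(tokens[1:])
    return {"blocks": blocks, "remotes": remotes, "options": options}


def legacy_client_fields(profile):
    """Map a parsed profile onto the dialog fields named in the post."""
    opts, blocks = profile["options"], profile["blocks"]
    missing = [t for t in ("ca", "cert", "key") if t not in blocks]
    if missing or not profile["remotes"]:
        raise ValueError(f"profile lacks inline blocks {missing} or a remote")
    host, port = profile["remotes"][0]
    proto = opts.get("proto", "udp")
    fields = {
        "protocol": PROTO_TO_DIALOG.get(proto, proto.upper()),
        "server": f"{host}:{port}",
        "ca_pem": blocks["ca"],          # Trust > Authorities > Import
        "cert_pem": blocks["cert"],      # Trust > Cert > Import
        "key_pem": blocks["key"],
        "auth_digest": opts.get("auth", "SHA1"),  # OpenVPN default digest
    }
    if "tls-auth" in blocks:
        fields["tls_auth"] = "Enabled Authentication only"
        fields["tls_key"] = blocks["tls-auth"]
        fields["tls_key_direction"] = opts.get("key-direction")  # None = bidirectional
    elif "tls-crypt" in blocks:
        fields["tls_auth"] = "Enabled Authentication & encryption"
        fields["tls_key"] = blocks["tls-crypt"]
    else:
        fields["tls_auth"] = "Disabled"
    return fields
```

Profiles that reference external files (`ca ca.crt`, `tls-auth ta.key 1`) instead of inline blocks raise the ValueError; for those the named files are what you paste, and the trailing digit after tls-auth is the key direction. Treat the parsed key and tls-auth material as secrets: the provider's static key is shared by every client using that profile.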