Recent posts

#1
26.1, 26,4 Series / Re: 26.1.6_2 - All traffic blo...
Last post by thormir84 - April 27, 2026, 11:49:57 PM
Quote from: nero355 on April 27, 2026, 05:53:06 PM
Quote from: thormir84 on April 27, 2026, 04:18:34 PM
I did further tests and took a look at the configuration options of Kea DHCP, and I confirm that the crash occurs when I activate the service.
What kind of crash ?!

This topic started with a Firewall Rule issue and now there is something crashing ?!

Quote
I saw that there is a section related to DDNS, but in my case everything is managed via Docker with Nginx Proxy Manager;
even on ISC DHCP there is an option related to DDNS, but I have never enabled it.
KEA DDNS is meant for Hostname DNS Registration in combination with Unbound as the DNS Server because initially it only worked for a Static DHCP IP Address Mapping based on the MAC Address and not for a regular Dynamic DHCP IP Address.

Is there any chance that some of your Docker stuff got upgraded too within the same timeframe and is causing issues now ?
Reason I am asking : A lot of people let something like WatchTower update/upgrade their Docker Containers completely automatically.


Ahahah sorry, I made a copy and paste mistake from another forum!

I see that you are talking about static assignments and Unbound; since I use both, it could be a configuration issue on my side.
With ISC DHCP, I used static assignments even for devices with fixed IPs, so that the name would be visible on Unbound; since when migrating to KEA I exported the assignments to CSV and imported them, maybe the problem is there.

I rule out a problem with Docker or updated containers, because the problem occurs only with KEA and only shortly after its activation; as long as I use ISC there are no problems.
#2
Hardware and Performance / Re: "Intel CPU microcode updat...
Last post by BrandyWine - April 27, 2026, 11:14:50 PM
Sorry, my bad, Patrick is correct. uCode is lost during cpu boots.
It would however be better to have uCode in UEFI area, vs via OS.

That said, IIRC, in the past the plugin was constantly looking for uCode updates and would apply anything new. If my IIRC is correct then that feature should still be a manual check from GUI allowing end-user to decide when to allow new uCode to install.
#3
General Discussion / Re: OpnSense with 802.11 b/g/...
Last post by BrandyWine - April 27, 2026, 11:05:11 PM
What would be the issue?
Use gateway monitoring to do wan switching. This does however suggest the radio on OPNsense is STA mode, not AP mode.

If not STA mode then you could run it as AP for wifi clients to connect to, but lose wan switching ability.

That said, it's doable on some radios to have a STA_AP mode (like we can do on ESP32), but having it hairpin the clients on the AP through FW based on .1q traffic then back out via STA when the gateway monitoring wants wifi as DFG, is something you would have to investigate.

If you're using a wifi radio to connect a 2nd wan, what's the actual 2nd wan, is it another ISP?
#4
Quote from: BrandyWine on April 27, 2026, 10:22:51 PM
cpu uCode should only need to be run once, when new uCode is available. Most times new uCode is for security reasons.

A BIOS or OS microcode update will be lost after each power cycle and needs to be loaded at each boot - either by the BIOS (best) or by the operating system.

The OPNsense plugin provides an OS microcode update. No permanent changes to the CPU are done.

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/microcode-update-guidance.html
#5
Hardware and Performance / Re: TopTon Intel N150 with Int...
Last post by BrandyWine - April 27, 2026, 10:47:16 PM
What do you mean by "throttled"? You get a pop of speed and then the download slows well below 500Mb? Or you get way less than 500Mb immediately after the FW is connected?

Some basic troubleshooting 1st.

What link speed does your OPNsense show when connected to the ISP mux? Did it fall back to 100Mb ?

OPNsense directly after an initial install (with basic config) on very small hardware with 1G ports, will handle 500Mb easily. I suspect not an OPNsense issue here.
#6
Hardware and Performance / Re: Disk Memory Settings
Last post by BrandyWine - April 27, 2026, 10:39:00 PM
103% ?
What does that tell you about swap usage? Probably means "non-optimal behavior".

If you don't need much history in the logs, then create a cron that runs every 15min or so (or whenever you need it) to prune or truncate the logs (if possible). Kinda depends on what the log files are being used for.

Zenarmor Database has its own RAM disk settings in GUI, no?

#7
Hardware and Performance / Re: "Intel CPU microcode updat...
Last post by BrandyWine - April 27, 2026, 10:22:51 PM
cpu uCode should only need to be run once, when new uCode is available. Most times new uCode is for security reasons.

Having a system that always wants to install something on every boot, especially new uCode for cpu, does seem a bit dicey for my liking.

It would be better to have this feature as a manual check in the webgui, and if the user wants to, they can do the uCode update and then the system reboots.
#8
General Discussion / Re: Shadowsocks with mullvad?
Last post by catnap4048 - April 27, 2026, 09:56:24 PM
There is actually a shadowsocks plugin for OPNsense, I just can't figure out how I would make the network use it.
#9
General Discussion / Re: No IP from DuckDNS and Ded...
Last post by cookiemonster - April 27, 2026, 09:17:59 PM
Quote from: JamesFrisch on April 23, 2026, 11:22:06 AM
You have to make a distinction between two different things.

The official OPNsense plugin uses ddclient.net. The catch with ddclient is that there is no official support yet for deSEC.io.


The Github link on the other hand, links to a bash script that I wrote. It was written solely for deSEC.io
How to install it on OPNsense is here: https://github.com/jameskimmel/deSEC_DynDNS#prepare-on-opnsense

The ddclient might not have official support (I don't know if it does or not) but I moved my deSEC account from the legacy a while ago, and it works fine. I can share my settings of it if wanted.
#10
Intrusion Detection and Prevention / Get "telemetry token missing i...
Last post by mrzaz - April 27, 2026, 09:04:41 PM
Hello,
I have ordered and received the token for ETPRO Telemetry edition and have added the token on
the Download page and have saved and then pressed Download.

But constantly seeing some issues in OPNsense General log that I could not figure out.

I have added the token and pressed SAVE and done Download and Update again but still the same. Not sure if it is a bug?

2026-04-27T20:37:00        Error                  send_telemetry.py                telemetry token missing in /usr/local/etc/suricata/rule-updater.config
.
.
2026-04-27T20:36:00        Error                  send_telemetry.py                telemetry token missing in /usr/local/etc/suricata/rule-updater.config
2026-04-27T20:35:00        Error                  send_telemetry.py                telemetry token missing in /usr/local/etc/suricata/rule-updater.config
2026-04-27T20:34:00        Error                  send_telemetry.py                telemetry token missing in /usr/local/etc/suricata/rule-updater.config
2026-04-27T20:33:00        Error                  send_telemetry.py                telemetry token missing in /usr/local/etc/suricata/rule-updater.config

Also, here is a snippet of /usr/local/etc/suricata/rule-updater.config as well. The token matches the one I received in the email.

Best regards
Dan Lundqvist
Stockholm, Sweden