Recent posts

#1
Every time I restart my OPNsense router, I have to reauthorize my Tailscale VPN through the web GUI.

Every.
Single.
Time.

And it's *seriously* annoying me.
#2
25.7 Series / Re: upgrade to 25.7.2 from 25....
Last post by lebowski - Today at 01:16:17 AM
Well, this was a LOT of work. Upgrading the firmware on Linux was too hard; I didn't understand that. So I created a Windows To Go live USB stick (which took a LONG time), booted from it (which also took a LONG time), and started the Windows firmware upgrade package.

And then.... nothing 😔. The tool showed my two i210-AT NICs, with the message that there weren't any updates available. According to the tool, my NICs are on fw 3.22 now.

What I did find was other folks asking for firmware for their Intel NICs on the Intel boards, to which the Intel folks replied that in order to get access to the firmware for an Intel NIC, you have to sign an NDA (!) to even possibly get access to the firmware. This is not a matter of just downloading the fw.

Another thing is that sometimes the hardware vendor for the appliance can provide NIC firmware, but in my case there is no such update package on the Supermicro website for my appliance, so that too is a dead end.

But today, it seems, is the day of miracles. Because I did not touch any network cable, I only tried updating the NIC firmware, but I did reboot the OPNsense appliance a couple of times and now miraculously my WAN port negotiated at 1000BASE-T and my internet throughput is passing the 100 Mbit mark again. My subscription is for 125/25 and my actual speed is now 128.2 / 25.78. Nice. Let's hope and pray it stays this way.

-edit: my tinypic screenshot isn't loading, don't know how or why...
#3
General Discussion / Re: Mixed untagged and vlan ta...
Last post by OPNenthu - August 30, 2025, 11:32:36 PM
JFYI - I noticed some interesting wording in the "Client Device Isolation" help text in UniFi. It seems the isolation is per-AP only.

Exact wording is "on the same AP [...]"
I interpret that as meaning clients on the same WLAN but on different APs can reach each other.

Still fine in @wiggler's use case though.
#4
General Discussion / Re: Hello from a pfSense user
Last post by mer - August 30, 2025, 10:19:48 PM
I'm in a similar position; as for import, what I've found is that manual is best.
Browser with the pfSense GUI up, browser with the OPNsense GUI up.
Walk through the sections and configure things.
The OPNsense GUI is different from pfSense, but after using it, I think the layout is more logical on OPNsense.
The biggest problem I had was enabling the DHCP server on the LAN interface; I couldn't get Dnsmasq/Kea working, but ISC DHCP worked fine. I know the problem is "me", not the software, so grain of salt.

I'd like logout to be a bit more global, but there are a few threads here that imply future versions of OPNsense will have it changed, so I can wait.

One of the items on my "to try" list is OPNsense on Netgate hardware.
#5
25.1, 25.4 Series / Re: Why is this connection blo...
Last post by gctwnl - August 30, 2025, 10:10:25 PM
Problem solved and it is not a bug.

It turns out Geolocation was at least one of the issues. There was a pass on a (pretty wide) source alias of countries for the NAT rule, and it turns out an IP address that all systems I checked tell me is in Germany wasn't seen that way by recent Geolocation in OPNsense. Geolocation is of course by definition not perfectly reliable, so this was technically my own fault.
#6
Intrusion Detection and Prevention / Re: How Do I Read This?
Last post by meyergru - August 30, 2025, 08:54:12 PM
Goes to show why I do not use Suricata: just because you query a .cc domain does not necessarily mean there is something wrong.

If I needed a new hobby to fill my days, I would turn to selecting and fine-tuning all of those rules... ;-)
#7
Intrusion Detection and Prevention / How Do I Read This?
Last post by spetrillo - August 30, 2025, 08:50:21 PM
Hello all,

Suricata is throwing up some alerts that I think are OK, but I am not sure. Is this OK??

Content match Service Suricata_alert

        Date:        Sat, 30 Aug 2025 14:41:04
        Action:      alert
        Host:        opnsfwpr01.petrillo.home
        Description: content match:
{"timestamp":"2025-08-30T14:39:03.101552-0400","flow_id":2125015740515061,"in_iface":"igb3^","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_Endpoint"],"confidence":["High"],"created_at":["201
...
#8
24.7, 24.10 Series / Re: OPNsense DEC2750 [24.10.2]...
Last post by VA0oOsPTZBJ - August 30, 2025, 08:14:38 PM
Hey!

I have stumbled upon this issue a few times in the last ~5 years.
On some OPNsense machines I never ran into this issue, and on some I can't get it to not happen.
I currently have one VM on OPNsense 25.7.1_1-amd64 that runs into this issue. Sometimes it works for a few weeks without any problems, and sometimes Unbound crashes a few times in a few hours (~9 times yesterday).
I have set up a monit script that checks for the PID file and starts Unbound if it is missing. Works for me, but it's super ugly.

I do not use GeoIP whatsoever, so that shouldn't be related.
If I can test or help in any way, hit me up.
#9
25.7 Series / Re: DPINGER Error 65 After Upg...
Last post by House Of Cards - August 30, 2025, 07:40:19 PM
#10
Tutorials and FAQs / Re: [Tutorial] How to Secure a...
Last post by millerwissen - August 30, 2025, 06:21:52 PM
Just letting people know I made a little mistake here while writing the tutorial; it's actually:

Source: Single Host or Network f000::/4
Destination: Any

Already edited, but in case you followed it and didn't catch it, you might want to edit it on your OPNsense box, despite it being quite obvious since you're trying to block destination, not source, but anyway..