Recent posts

#1
Quote from: dinguz on June 28, 2026, 11:46:48 PM
Worth keeping in mind: with quick-match rule evaluation (the pf default), the first blocklist rule that matches gets the hit, and the packet never reaches the rules below it


You are right on that. I use qfeeds at the TOP of my Block policy and the community one right below.

Comparing one to the other, i.e. qfeeds to the community projects, is a bit like comparing apples to oranges, because the quality differs between them.
Qfeeds targets and aims to provide more granular filtering, meaning that even if the qfeeds block-list doesn't block something yet and the community one does, it doesn't mean something leaked or was malicious.

I had more false positives with Firehol block-lists compared to qfeeds.

Regards,
S.

#2
General Discussion / Configuration confusion
Last post by dairysmash - Today at 12:40:54 PM
Hello fellow forum members,

Since I'm still quite new to OPNsense, I'm looking for some advice here.

I installed OPNsense (version 14) on a Sophos XG310 because I felt it was a waste to return it to the manufacturer (support is ending soon). Every now and then, one of the twelve network interfaces goes missing. I can't quite explain why that happens.

I've configured a connection to Plusnet via a DSL modem. Upon dialing in, I am assigned an IP address. Once the connection is established, a transparently passed-through IP network with public IP addresses (217.xxx.xxx.xxx) becomes available, which I would like to route to the DMZ interface. How do I do that? Bridging?

In addition to the Plusnet DSL connection, there is a connection to Stadtwerke Schwedt (OPAL/FTTH). If the Stadtwerke Schwedt line is unavailable, internet traffic should be routed via the Plusnet DSL connection. Both the OPAL and DSL connections should remain active at all times, whereas the third connection—via LTE—should be configured solely as a backup.

It's probably not easy to say exactly how I should proceed, and there are likely various ways to handle this.

However, I would really appreciate any suggestions for a solution.
#3
@philippe_crowdsec

I also ran CrowdSec, put in quite some effort to set up a multi-node configuration with acquis on all my backend applications where collections were available etc. I even initiated the CrowdSec-Caddy integration on OPNsense.

My main points I found a bit dissatisfying:

- Distributed setup is a real pain when the hub is to be OPNsense, because credentials remote machines use to send events get overwritten every so often if you are not ultra careful. OK, operator error, but a bit of POLA violation, too. Reset to localhost and new secret happens much too easily.
- The blocklists available for free tier users are not well maintained and essentially worthless. Specifically, while free tier users contribute to the main CrowdSec blocklist, we do not get to subscribe to it for free.
- There is no affordable (like 100 $/€/£ per year) subscription offer for home users which I would seriously consider.

So I stopped using it entirely. I currently have a running subscription for Q-Feeds and I am quite satisfied with the results.

Kind regards,
Patrick
#4
26.1, 26,4 Series / Re: 2 WAN Uplinks split routin...
Last post by paul5012 - Today at 11:31:36 AM
Summary: problem solved.
Although it was expected (as some contributors wrote here, thanks for the replies) that an automatic reply-to setting should make the
response packets leave the firewall towards the proper gateway, I could not see this happen. The default route was always chosen.
So:
1) I do not (as I did in the beginning) choose some kind of automatic firewall rule generation in the DNAT rules, but choose "manual" rule creation.
2) These manual rules can be set with the "Rules [new]" dialogue, but need "Advanced mode".
   There I had to configure, under "Source Routing", the "Reply-to" to point to the correct uplink gateway.
   This means that I have one such rule per target host, target port and incoming interface.
   Technically one could combine multiple target hosts and ports into one rule, but that would then be less specific and possibly allow additional traffic.

Special thanks to @viragomann
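As an added illustration of the rule pair described in the post above (this is not paul5012's configuration and not rules exported from OPNsense; interface names, the gateway and the RFC 5737 addresses are placeholders), here is what the underlying pf rules look like: the rdr forwards the inbound packet to the target host, and reply-to on the matching pass rule records the incoming uplink's gateway in the state entry, so replies for that connection leave through that gateway rather than following the default route.

```pf
# Added example, not from the original post. Interface names, addresses and the
# gateway are placeholders; substitute the real second uplink and its gateway.
wan2    = "igb1"          # second uplink, not the one carrying the default route
wan2_gw = "203.0.113.1"   # gateway of that uplink
web_srv = "192.0.2.10"    # DNAT target host in the DMZ

# Port forward on the second uplink: inbound 443 to the DMZ host.
rdr on $wan2 inet proto tcp from any to ($wan2) port 443 -> $web_srv port 443

# Matching firewall rule. reply-to pins the state so that return packets of
# connections that arrived on $wan2 are sent to $wan2_gw, not the default route.
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) inet proto tcp from any to $web_srv port 443 flags S/SA keep state
```

Because reply-to is attached to the rule that created the state, one rule per incoming interface, host and port mirrors the post's approach; folding several hosts and ports into one rule works too, but widens what that rule admits. After reloading, `pfctl -vsr` lists the loaded rules with their reply-to clause, which is the quickest way to confirm the option actually reached the ruleset.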
 
#5
26.1, 26,4 Series / Re: [solved] Lost outbound NAT...
Last post by ProximusAl - Today at 11:25:57 AM
Quote from: franco on Today at 10:43:29 AM
If you have manual rules to migrate then you will set hybrid or manual, but that is already set for your use case.

If you don't have manual rules nothing needs to be migrated.


Cheers,
Franco

Sorry Franco.....

I *already* migrated my rules from Outbound NAT to SNAT (At which point Outbound NAT was set to Hybrid)

Once I migrated them to SNAT, I changed outbound NAT back to Automatic.

Is this what I should be doing, or should I change Outbound NAT to something else before upgrading?

EDIT: Figured it out. Set it back to Hybrid after reading the release notes properly :)
#6
@cookiemonster: I'm interested in the discussion about CrowdSec.

The product is free (security engine, scenarios, vpatch, WAF rules, Claude skill, etc.) and is MIT-licensed.
A blocklist is shared amongst users who share signals, for free, and many more are also free of charge.
There is 0 cost on the OPNsense integration.

So I'd be interested to understand your feelings better (or maybe it's about the SaaS console)?
If you have time and the will to discuss this, please PM me.
#7
Zenarmor (Sensei) / Re: Cancelling my subscription...
Last post by Seimus - Today at 11:13:34 AM
Hello mb,

Personally, I do understand why you would not want to implement Multi-core support into the HOME subs. As you mentioned yourself, companies are already abusing it. But on the other hand, for us, the Home LABers and the community, the Home sub is ours to use.

We often exceed the deployments of SOHO/medium-sized companies, just for the pleasure of fun/learning or personal need, while trying to be power efficient.
And exactly here is where a lot of us are already beyond 1-2.5G LAN speeds and need 10G inter-VLAN throughput.

We mostly do not need any of the SASE features, but we need the raw performance.
The base features in the Home sub are perfect for home use, but the performance is a hurdle.

I do not want to come down on you, but

maybe it would be a good idea to raise more awareness about the "SASE Starter" program here on the forum for people in the community,
as this would soothe people's worries.

The whole point why people were outraged in the first place was the uncertainty and lack of communication around the Multi-core support.
1. It was not properly communicated
2. People literally had to data-mine information about the Multi-core support
3. When directly asked about this, nobody from ZA provided a direct answer


Similar to cookie & dinguz,
I myself allocated a lot of time troubleshooting ZA problems, bugs and even finding a few attack vectors, sharing all of this with support, having bridge calls & joint troubleshooting. Working with your engineers & developers is a pleasure, because they know what they are doing if they get all the pieces of the info.

So you can imagine now how back-stabbed it felt to see that Home subs will not receive the MC support, and that communication around it was very bad.

Regards,
S.
#8
Announcements / Re: OPNsense 26.1.11 released
Last post by franco - Today at 11:08:23 AM
A hotfix release was issued as 26.1.11_3:

o system: hasPrivilege() not merging user privs correctly [31] (reported by iys8)
o firewall: fix some small issues in menu registration for legacy pages
o monit: re-allow spaces in start, stop and condition

[31] https://github.com/opnsense/core/security/advisories/GHSA-p9pr-782r-w2xw
#9
26.1, 26,4 Series / Re: Problem with shutdown/rebo...
Last post by caplam - Today at 10:58:53 AM
Hello,
This seems to be the same issue I faced here.
I have suricata running in IPS mode with divert.
So I updated to 26.1.11 and the issue is here.

Here is what I have pre-update:
red@cerberus:~ $ sudo sockstat | grep suricata
root     suricata   29596 3   dgram  -> /var/run/log
root     suricata   29596 6   div4   *:8000                *:*
fred@cerberus:~ $
fred@cerberus:~ $
fred@cerberus:~ $ sudo ps auxwww | grep suricata
root    29596   0.1 23.8 2723192 1922216  -  Ss   20Jun26    96:13.75 /usr/local/bin/suricata -D -d 8000 --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
fred    19042   0.0  0.0   13744    2032  0  S+   10:40       0:00.00 grep suricata
fred@cerberus:~ $
fred@cerberus:~ $
fred@cerberus:~ $ sudo fstat | grep suricata
root     suricata   29596 text /        248115 -rwxr-xr-x  11994960  r
root     suricata   29596   wd /            34 drwxr-xr-x      28  r
root     suricata   29596 root /            34 drwxr-xr-x      28  r
root     suricata   29596    0 /dev         20 crw-rw-rw-    null rw
root     suricata   29596    1 /dev         20 crw-rw-rw-    null rw
root     suricata   29596    2 /dev         20 crw-rw-rw-    null rw
root     suricata   29596    3* local dgram fffff8001bb27640 <-> fffff8001bce2dc0
root     suricata   29596    4 /var/log  27980 -rw-r-----       0  w
root     suricata   29596    5 -           476 -rw-r-----  6318542  w
root     suricata   29596    6* divert raw 0 0

and what I have when suricata is stuck:

fred@cerberus:~ $ sudo sockstat | grep suricata
root     suricata   29596 3   dgram  (not connected)
root     suricata   29596 6   div4   *:8000                *:*
fred@cerberus:~ $
fred@cerberus:~ $ sudo ps auxwww | grep suricata
root    29596   0.1 23.8 2723192 1922216  -  Ss   20Jun26    96:15.42 /usr/local/bin/suricata -D -d 8000 --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
root    44586   0.0  0.0   14312    2888  -  I    10:44       0:00.01 /bin/sh /usr/local/etc/rc.d/suricata stop
fred    67953   0.0  0.0   13744    2336  0  S+   10:46       0:00.00 grep suricata
fred@cerberus:~ $
fred@cerberus:~ $ sudo fstat | grep suricata
root     suricata   29596 text /        248115 -rwxr-xr-x  11994960  r
root     suricata   29596   wd /            34 drwxr-xr-x      28  r
root     suricata   29596 root /            34 drwxr-xr-x      28  r
root     suricata   29596    0 /dev         20 crw-rw-rw-    null rw
root     suricata   29596    1 /dev         20 crw-rw-rw-    null rw
root     suricata   29596    2 /dev         20 crw-rw-rw-    null rw
root     suricata   29596    3* local dgram fffff8001bb27640
root     suricata   29596    4 /var/log  27980 -rw-r-----       0  w
root     suricata   29596    5 -           476 -rw-r-----  6320460  w
root     suricata   29596    6* divert raw 0 0

When I killed pid 44586, OPNsense was able to reboot and the upgrade is OK.
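The two dumps above differ in exactly two places: the suricata process's dgram socket to /var/run/log goes from connected to "(not connected)" while the divert socket stays open, and an `rc.d/suricata stop` script sits in the process table. As an added example (not caplam's script and not part of OPNsense or suricata), the following parses `sockstat` and `ps auxwww` output and reports that signature, so the condition can be spotted before a reboot hangs on it. The sample text is copied from the post; the function names and the diagnosis rule itself are my own.

```python
"""Added example (not from the post, not an OPNsense tool): detect the stuck
suricata/divert state shown in the post from `sockstat` and `ps auxwww` text.
Sample input below is copied from the forum post; everything else is assumed."""

# sockstat output, healthy (copied from the post)
SOCKSTAT_OK = """\
root     suricata   29596 3   dgram  -> /var/run/log
root     suricata   29596 6   div4   *:8000                *:*
"""

# sockstat output while stuck (copied from the post)
SOCKSTAT_STUCK = """\
root     suricata   29596 3   dgram  (not connected)
root     suricata   29596 6   div4   *:8000                *:*
"""

# ps auxwww output while stuck (copied from the post)
PS_STUCK = """\
root    29596   0.1 23.8 2723192 1922216  -  Ss   20Jun26    96:15.42 /usr/local/bin/suricata -D -d 8000 --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
root    44586   0.0  0.0   14312    2888  -  I    10:44       0:00.01 /bin/sh /usr/local/etc/rc.d/suricata stop
fred    67953   0.0  0.0   13744    2336  0  S+   10:46       0:00.00 grep suricata
"""


def parse_sockstat(text):
    """Return {pid: {fd: (proto, detail)}} for the suricata lines of sockstat output.
    Columns are USER COMMAND PID FD PROTO, then the rest of the line is the detail."""
    socks = {}
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[1] != "suricata":
            continue
        _user, _cmd, pid, fd, proto = parts[:5]
        detail = parts[5].strip() if len(parts) > 5 else ""
        socks.setdefault(int(pid), {})[int(fd)] = (proto, detail)
    return socks


def find_stop_scripts(ps_text):
    """PIDs of rc.d 'suricata stop' invocations still present in ps auxwww output.
    ps auxwww has 10 fixed columns before COMMAND, so split at most 10 times."""
    pids = []
    for line in ps_text.splitlines():
        parts = line.split(None, 10)
        if len(parts) > 10 and parts[10].endswith("/rc.d/suricata stop"):
            pids.append(int(parts[1]))
    return pids


def diagnose(sockstat_text, ps_text):
    """Combine both views. The signature from the post: divert socket still open,
    syslog dgram socket '(not connected)', and a lingering rc.d stop script."""
    findings = []
    for pid, fds in parse_sockstat(sockstat_text).items():
        has_divert = any(proto.startswith("div") for proto, _ in fds.values())
        log_lost = any(proto == "dgram" and detail == "(not connected)"
                       for proto, detail in fds.values())
        if has_divert and log_lost:
            findings.append(f"suricata pid {pid}: divert socket open, syslog socket disconnected")
    for pid in find_stop_scripts(ps_text):
        findings.append(f"rc.d stop script pid {pid} still running; shutdown is blocked on it")
    return findings


if __name__ == "__main__":
    print("healthy:", diagnose(SOCKSTAT_OK, ""))
    for finding in diagnose(SOCKSTAT_STUCK, PS_STUCK):
        print("stuck:", finding)
```

On a live box the two text blobs would come from `sudo sockstat | grep suricata` and `sudo ps auxwww | grep suricata`, as in the post; the script only reports, so what to do about a lingering stop script (the post resolved it by killing that PID) remains a manual decision.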
#10
26.1, 26,4 Series / Re: When to migrate to new fir...
Last post by hharry - Today at 10:49:41 AM
I recently took the plunge and used the rules migration assistant tool. The UI was a little clunky, but it worked, and the migrated rules in the new format are all working as intended... I've since deleted all the old legacy-format rules...