"Recent posts
#1
Hardware and Performance / Re: [solved] Intel i226 Firmwa...
Last post by nero355 - Today at 06:23:22 PMQuote from: BrandyWine on Today at 05:15:41 PMMore like those who email you a Word doc with subject line "some pics for you", you open the doc and there's no pics, just a https link where you can go see the pics.But "The Stupidity Level" is the same and that's what I was aiming for :D
That's how absurd a lot of Intel docs online are. ;)
#2
26.1, 26,4 Series / Re: Get DUP! when I ping VIP a...
Last post by meyergru - Today at 06:13:28 PMAre you mixing tagged and untagged VLANs on the same OpnSense interface by any chance?
#3
26.1, 26,4 Series / Re: Can I steer hosts to a par...
Last post by meyergru - Today at 06:03:32 PMIf you have sufficient IP address room, you will never need that and this will almost always be true, unless you are a huge corporation where IPAM becomes neccessary.
I once worked for Siemens, who in 2000 had 443.000 employees with a corresponding number of IPs (at least 2 per employee, think of phones and PCs) distributed over hundreds of sites. They needed closely controlled IPAM in order to manage their networks.
It was common to add new IP ranges to certain VLANs when needed. Just because there will always be active devices in any network 24/7, you cannot "enlarge" or "re-assign" existing ranges by replacing a /24 with a different /23 subnet. Because of routing issues, you also need to segment your network into larger prefixes for locations, hopefully those are large enough to accomodate the needed total number of IPs.
Instead, you need to augment additional ranges to a certain network which can then be used for additional devices. I.e.: you enlarge the pool by adding non-consecutive ranges. Thus, the whole used IP space becomes heavily fragmented over time.
I once worked for Siemens, who in 2000 had 443.000 employees with a corresponding number of IPs (at least 2 per employee, think of phones and PCs) distributed over hundreds of sites. They needed closely controlled IPAM in order to manage their networks.
It was common to add new IP ranges to certain VLANs when needed. Just because there will always be active devices in any network 24/7, you cannot "enlarge" or "re-assign" existing ranges by replacing a /24 with a different /23 subnet. Because of routing issues, you also need to segment your network into larger prefixes for locations, hopefully those are large enough to accomodate the needed total number of IPs.
Instead, you need to augment additional ranges to a certain network which can then be used for additional devices. I.e.: you enlarge the pool by adding non-consecutive ranges. Thus, the whole used IP space becomes heavily fragmented over time.
#4
26.1, 26,4 Series / Re: Can I steer hosts to a par...
Last post by endurium - Today at 05:48:46 PMThanks for the helpful replies, I'm just creating static hosts in DNSMasq and tagging those that I wish to direct to AdguardHome DNS that I'm locally hosting. Each interface has a single DHCP pool and the static hosts have static IPs that are outside those pools.
That gets me to where I want with my home network, but still the question is what is the point of having more than one DHCP range in DNSMasq for an interface?
That gets me to where I want with my home network, but still the question is what is the point of having more than one DHCP range in DNSMasq for an interface?
#5
26.1, 26,4 Series / Get DUP! when I ping VIP addre...
Last post by ednt - Today at 05:31:43 PMWe have several interfaces in CARP.
If we ping the VIP address from one of them (no VLAN)
I get sporadic a DUP! and I can see that the slave, which is in backup mode, get the request and replies.
Not on every request, only sometimes.
We already cleared the arp cache of the involved switches.
As you can see, both opnsense send a reply:
But this happens only on the interface without VLAN and on an other interface.
And only when we ping from a server which has also an interface in the same network.
In dmesg I can not see any change of the CARP mode, so it is not 'flipping'.
We are running out of ideas.
Any other idea?
If we ping the VIP address from one of them (no VLAN)
I get sporadic a DUP! and I can see that the slave, which is in backup mode, get the request and replies.
Not on every request, only sometimes.
We already cleared the arp cache of the involved switches.
As you can see, both opnsense send a reply:
Code Select
17:19:32.363137 1c:c1:de:06:46:a2 > a4:bf:01:16:b1:db, ethertype IPv4 (0x0800), length 98: 192.168.254.248 > 192.168.254.167: ICMP echo reply, id 3595
64
17:19:32.363335 1c:c1:de:06:38:42 > a4:bf:01:16:b1:db, ethertype IPv4 (0x0800), length 98: 192.168.254.248 > 192.168.254.167: ICMP echo reply, id 3595
64
But this happens only on the interface without VLAN and on an other interface.
And only when we ping from a server which has also an interface in the same network.
In dmesg I can not see any change of the CARP mode, so it is not 'flipping'.
We are running out of ideas.
Any other idea?
#6
Hardware and Performance / Re: DEC750 NVMe thermal pad?
Last post by BrandyWine - Today at 05:30:57 PMQuote from: pfry on March 13, 2026, 02:27:44 PMBut contact/pressure is important, and M.2 boards are worthless/weak and generally unsupported;In some setups I have done, not specifically for an M.2 board, but to gain extra support I would build a 1-2 "towers" of 100% silicone under the board in area that needed supporting. Let that cure for ~12-24hrs, then proceed with the contact/pressure. The silicone is stiff enough to give some support, yet still yields enough.
foxx0 points out what I would call design flaws. Doing some DIY as-needed to make it better, is the right way.
As for temps when using stress, cat the temps in /sys/class/thermal/[zone]/temp , i find this to be more accurate.
#7
Hardware and Performance / Re: cpu-microcode-intel: no ma...
Last post by BrandyWine - Today at 05:17:28 PMI agree @fastboot, so let's see if the next package allows your device to install a ucode, and, which ucode exactly.
#8
Hardware and Performance / Re: [solved] Intel i226 Firmwa...
Last post by BrandyWine - Today at 05:15:41 PMQuote from: nero355 on Today at 02:54:16 PMIt's like those people who send you pictures/screenshots inside a Microsoft Word document I guess... :-/More like those who email you a Word doc with subject line "some pics for you", you open the doc and there's no pics, just a https link where you can go see the pics.
That's how absurd a lot of Intel docs online are. ;)
#9
26.1, 26,4 Series / Re: A firewalll rule pattern t...
Last post by lmoore - Today at 04:58:01 PMA reason for random and coincidental lack of connectivity for the WireGuard nodes may be due to DNS. Where are your WireGuard nodes pointing to for their DNS?
Perhaps you could set up an additional WireGuard instance and only have WGP1 use that instance, ensuring it goes out the VPN gateway.
- Create a new WG instance.
- Tag the traffic arriving on the new WG instance.
- Create a Source NAT rule out the VPN Gateway and match the tag.
- Create an outgoing rule setting the gateway to your VPN gateway and matching the tag.
See if you can get this working without D-NAT.
Also, OPNsense documentation has a note regarding Interface Groups and multi-wan configurations: https://docs.opnsense.org/manual/firewall_groups.html#interface-groups
Good luck.
Perhaps you could set up an additional WireGuard instance and only have WGP1 use that instance, ensuring it goes out the VPN gateway.
- Create a new WG instance.
- Tag the traffic arriving on the new WG instance.
- Create a Source NAT rule out the VPN Gateway and match the tag.
- Create an outgoing rule setting the gateway to your VPN gateway and matching the tag.
See if you can get this working without D-NAT.
Also, OPNsense documentation has a note regarding Interface Groups and multi-wan configurations: https://docs.opnsense.org/manual/firewall_groups.html#interface-groups
Good luck.
#10
Development and Code Review / Re: OpenID Connect SSO plugin
Last post by nerd - Today at 04:18:33 PMQuote from: l3golas on April 11, 2026, 02:41:26 PMLogin with my Authentik works if I use the link https://<my_opnsense_hostname>/api/oidc/auth/login?provider=openid
But no button
This works for me:
Code Select
%url%
%icon%
Login with %name%
</a>
<style>
.login-sso-link-container {
display: flex;
justify-content: end;
margin-bottom: 20px;
}
.btn-primary {
width: 100%;
height: 35px !important;
margin-top: 20px;
}
</style>or this one if you don't use an icon:
Code Select
%url%
Login with %name%
</a>
<style>
.login-sso-link-container {
display: flex;
justify-content: end;
margin-bottom: 20px;
}
.login-sso-link-container .btn-primary {
width: 100%;
height: 35px !important;
margin-top: 20px;
}
</style>Quote from: lachee on September 13, 2025, 07:28:42 AMPlease let me know what you think :)
I love it! Thank you.
Not having OIDC in the community edition was a real bummer. Until I saw your plugin.
