Recent posts

#1
General Discussion / Re: Zoraxy Reverse Proxy does ...
Last post by Maurice - Today at 12:31:53 AM
This indicates Zoraxy sends HTTP GET requests with a body, which is very much discouraged. No browser sends GET requests with a payload. So that's an issue you might want to raise with the Zoraxy devs.

Cheers
Maurice
#2
General Discussion / Re: Opnsense vs mainstream rou...
Last post by BrandyWine - Today at 12:31:14 AM
Quote from: Hollywood on December 21, 2025, 12:36:36 PM
The SSIDs are already set up in the access point.

Is each SSID in its own subnet (VLAN), and do you trunk the wifi device to the firewall?
#4
General Discussion / Re: Web Interface Not Secure
Last post by BrandyWine - Today at 12:22:04 AM
Chrome? The ABC company, Google?

Self-signed certs are the issue for the notice. Try installing the cert as "trusted", then the notice will go away.

https://www.codegenes.net/blog/getting-chrome-to-accept-self-signed-localhost-certificate/
#5
Turn off / disable all the power stuff. Why is that even needed?
#6
General Discussion / Re: Suricata detecting outboun...
Last post by wsmlby - Today at 12:11:53 AM
In case people come here for the weird UDP 161 SNMP issue:

TL;DR: You likely have a Windows machine on your network looking for printers. You can block this by setting up a floating rule.

I noticed the same issue in my Suricata log.

On opnsense: `tcpdump -n port 161` also shows traffic from opnsense to WAN.

Then I tried what Patrick suggested: Try `tcpdump -i <your-lan-if> -n port 161`. I can see it come from my windows laptop.

To block this, I set up a floating rule [Firewall] -> [Rules] -> [Floating] add rule:

Action: Reject, Interface: <Lan>, Direction: in, Protocol: UDP, Destination Port Range: SNMP, Descript: Block leaking SNMP

After that Suricata is quieter.
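The tcpdump step above can be scripted so the offending LAN host is picked out automatically. This is an added example, not code from the post: the capture lines are constructed in the style of `tcpdump -n port 161` output, and the RFC 1918 prefixes are an assumption about what "LAN" means on your network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -i <lan-if> -n port 161` output; not a real capture.
# 192.168.1.57 stands in for the laptop probing Internet hosts for printers;
# 192.168.1.20 polls a real printer on the LAN and must not be reported.
SAMPLE_CAPTURE = """\
00:10:01.100001 IP 192.168.1.57.61234 > 203.0.113.10.161: C="public" GetRequest(28) .1.3.6.1.2.1.25.3.2.1.3.1
00:10:01.100450 IP 192.168.1.57.61234 > 198.51.100.22.161: C="public" GetRequest(28) .1.3.6.1.2.1.25.3.2.1.3.1
00:10:02.000002 IP 192.168.1.57.61235 > 203.0.113.10.161: C="public" GetRequest(28) .1.3.6.1.2.1.43.5.1.1.17.1
00:10:03.300000 IP 192.168.1.20.50000 > 192.168.1.200.161: C="public" GetRequest(28) .1.3.6.1.2.1.1.1.0
00:10:04.400000 IP 192.168.1.200.161 > 192.168.1.20.50000: C="public" GetResponse(40) .1.3.6.1.2.1.1.1.0="printer"
"""

# Matches the "IP src.sport > dst.dport:" part of a tcpdump -n line (IPv4 only).
LINE_RE = re.compile(
    r"\bIP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Assumed LAN prefixes; adjust to the subnets actually behind your LAN interface.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def leaking_snmp_sources(capture: str) -> Counter:
    """Count, per LAN host, SNMP (UDP/161) queries sent to hosts outside the LAN."""
    hits: Counter = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "161":
            continue  # not an SNMP query (responses come from port 161, not to it)
        if is_lan(m.group("src")) and not is_lan(m.group("dst")):
            hits[m.group("src")] += 1
    return hits


if __name__ == "__main__":
    for host, count in leaking_snmp_sources(SAMPLE_CAPTURE).most_common():
        print(f"{host}: {count} SNMP queries to non-LAN hosts")
```

Pipe a live capture in (`tcpdump -i <lan-if> -n -l port 161 | python3 find_snmp.py`) after swapping SAMPLE_CAPTURE for sys.stdin.read(); the host it names is the one to fix before, or alongside, adding the floating reject rule.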
#7
Quote from: OPNenthu on December 14, 2025, 06:02:29 AM
It Just Works™ in Linux. Nothing needed besides the NIC driver (built in) and userspace tools like NetworkManager.
Well, the built-in part is perhaps the pitfall in many cases, because we don't always want to wait for a kernel release to fix an issue via driver code.
In some OSes there are ways to unload stuff that was loaded in from the kernel directly, but it seems FreeBSD is not one of them.
And things don't always "just work" in Linux.

Specifically for OPNsense, I would prefer they compile the kernel without NIC drivers (stop using GENERIC), then during install detect the NIC and configure the proper KLM to load on boot; this way we could replace a NIC KLM at will. In the recent past I did compile the kernel without igc and then loaded that driver manually.
#8
General Discussion / Re: Web Interface Not Secure
Last post by OPNenthu - December 21, 2025, 11:41:59 PM
I don't know if I resolved your concern or not. Let us know.

If it's still happening, can you take a couple screenshots and click on the "not secure" message to show us what is listed there?  Also, show us your web GUI certificate in OPNsense.
#9
General Discussion / Re: Zoraxy Reverse Proxy does ...
Last post by crazywolf13 - December 21, 2025, 11:36:06 PM
Thank you again for the suggestion, but I still don't want to switch to caddy :D

After digging into this for what seems like an eternity I was finally able to trace down why all my attempts to enable debug logging did not work. I'm adding this here as it may be helpful for anyone stumbling upon this:

To enable debug options for lighttpd, edit the file /usr/local/etc/inc/plugins.inc.d/webgui.inc; the /usr/local/etc/rc.restart_webgui script is hardcoded to fully regenerate the lighttpd config from that file. The source is available here: https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/webgui.inc

So with that info I was finally able to find a solution, which is to add the following line:

`server.http-parseopts = ( "method-get-body" => "enable" )` after line 488 in the config: https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/webgui.inc#L488

With this option Zoraxy works just fine on OPNsense!!

Before I post this fix all around on the Zoraxy GitHub, is there maybe a way this could make it officially into OPNsense?
I honestly don't fully understand these options, so I cannot judge if there is any reason this is not already done, or if there is any danger in activating this.

#10
Virtual private networks / Re: Multiple VLANs on site-to-...
Last post by viragomann - December 21, 2025, 10:32:27 PM
Quote from: miken32 on December 21, 2025, 10:23:35 PM
Yes that's what I ended up doing last week. I took a /28 out of the DHCP pool for VLAN 900
It's not possible to NAT a /24 subnet to a /28. This is not going to work at all.

Use a single IP (/32) and type "NAT" as suggested above.

Quote from: miken32 on December 21, 2025, 10:23:35 PM
if I wanted to just move remote access from one VLAN to another, I'm not sure why one wouldn't just change the tunnel setup.
For instance, if you were not able to make changes on the remote site.