"Recent posts
#1
General Discussion / Re: Trouble with VLAN setup on...
Last post by InvalidHandle - Today at 04:59:41 AMIt sounds like you are missing firewall configuration for the vlan interfaces that you set up and I don't think you need the bridge.
If you want to allow traffic between both LAN and vLAN networks I'm not sure what you gain with the vlan unless you really need to split a single port into multiple subnets. Here is the documentation on vlans: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html
If you want to allow traffic between both LAN and vLAN networks I'm not sure what you gain with the vlan unless you really need to split a single port into multiple subnets. Here is the documentation on vlans: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html
#2
General Discussion / Re: Can OPNsense allow only a ...
Last post by InvalidHandle - Today at 04:14:20 AMI haven't done what you are trying, but here is how I would approach that.
Create a WAN Gateway with the IP gateway of your Proxy and enable it.
Create a LAN subnet in Interface and enable it.
Configure the LAN DCHP unless you are setting static addresses.
Assign the Interface, ex: igb2 (depending on what port you are plugging into)
Select the proxy WAN in the Interface gateway settings (At the bottom of the config page) of the LAN subnet interface that you created.
Copy the default LAN to WAN (Default LAN to any rule) for the new LAN interface, deselect LAN and select your new LAN Proxy Interface and save.
Verify traffic flow on the firewall live view.
Create a WAN Gateway with the IP gateway of your Proxy and enable it.
Create a LAN subnet in Interface and enable it.
Configure the LAN DCHP unless you are setting static addresses.
Assign the Interface, ex: igb2 (depending on what port you are plugging into)
Select the proxy WAN in the Interface gateway settings (At the bottom of the config page) of the LAN subnet interface that you created.
Copy the default LAN to WAN (Default LAN to any rule) for the new LAN interface, deselect LAN and select your new LAN Proxy Interface and save.
Verify traffic flow on the firewall live view.
#3
General Discussion / OPNsense DNS over TLS forward ...
Last post by InvalidHandle - Today at 03:54:47 AMI have submitted a bug report to Unbound on Github. If you are also experiencing this issue and have anything to add that I didn't include, please share a comment or comment directly to Unbound on Github.
I've tried reinstalling Unbound, but the issue persists. My setup follows all OPNsense instructions for setting up DNS over TLS. DNS traffic flows over the service and the DNSBL is working but the upstream DNS traffic is unencrypted. No DNS servers are set anywhere else in OPNsense and I have a firewall rule blocking outbound DNS on port 53. The firewall shows DNS traffic going out to the port specified in Unbound.
I've tried reinstalling Unbound, but the issue persists. My setup follows all OPNsense instructions for setting up DNS over TLS. DNS traffic flows over the service and the DNSBL is working but the upstream DNS traffic is unencrypted. No DNS servers are set anywhere else in OPNsense and I have a firewall rule blocking outbound DNS on port 53. The firewall shows DNS traffic going out to the port specified in Unbound.
#4
General Discussion / Re: Can OPNsense allow only a ...
Last post by cicirrr - Today at 03:43:08 AMTYSM!
#5
General Discussion / Re: Trouble with VLAN setup on...
Last post by User074357 - Today at 01:32:00 AMQuote from: pfry on November 20, 2025, 11:32:07 PMWithout seeing your config, my next guess would be "Interfaces: Settings" -> "VLAN Hardware Filtering" - I'd disable all of the offloads, at least for testing. I don't know of any firmware issues that would affect i225/226 VLAN filtering, but you never can tell. I assume your NAS is directly connected to the firewall?All the offloads are disabled. NAS is directly connected to one of my firewall ports.
I attached some screenshots of my configuration to this post.
#6
General Discussion / Re: Trouble with VLAN setup on...
Last post by pfry - November 20, 2025, 11:32:07 PMWithout seeing your config, my next guess would be "Interfaces: Settings" -> "VLAN Hardware Filtering" - I'd disable all of the offloads, at least for testing. I don't know of any firmware issues that would affect i225/226 VLAN filtering, but you never can tell. I assume your NAS is directly connected to the firewall?
#7
General Discussion / Re: OpnSense SFP+ connection t...
Last post by cologuy - November 20, 2025, 11:11:44 PMIn case anyone finds this thread this has been resolved by swapping the router.
I installed Opnsense 25.7 on a Sophos XG310 with a 4 port fiber expansion module and restored the settings from the M470. I had to adjust the interface assignments but it just took a few minutes and I was up and running.
I used all the same RJ45 -> SFP+ module/cables and I get a full 2g+ up/down through the box. I also tested four different brands of SFP+->RJ45 adapters and they all push 2g+ through the XG310 router.
So the problem appears to be with the Watchguard M470 limiting traffic to 1g for some reason. The XG310 also has a i3-6100 desktop CPU which is about half the CPU power of the E3-1260Lv5 in the M470 so it was definitely not a CPU issue. I'm going to install a E3-1275v5 Xeon just because they are so cheap and we should be good as we step up to 5g or even 10g internet as it drops in price.
I installed Opnsense 25.7 on a Sophos XG310 with a 4 port fiber expansion module and restored the settings from the M470. I had to adjust the interface assignments but it just took a few minutes and I was up and running.
I used all the same RJ45 -> SFP+ module/cables and I get a full 2g+ up/down through the box. I also tested four different brands of SFP+->RJ45 adapters and they all push 2g+ through the XG310 router.
So the problem appears to be with the Watchguard M470 limiting traffic to 1g for some reason. The XG310 also has a i3-6100 desktop CPU which is about half the CPU power of the E3-1260Lv5 in the M470 so it was definitely not a CPU issue. I'm going to install a E3-1275v5 Xeon just because they are so cheap and we should be good as we step up to 5g or even 10g internet as it drops in price.
#8
25.7, 25.10 Series / Re: Unable to get Multiwan Loa...
Last post by rajivdr - November 20, 2025, 11:09:56 PMHi, Anyone able to get it working ?
#9
Hardware and Performance / Re: OPNsense on VMware
Last post by Jose - November 20, 2025, 10:42:48 PMQuote from: spetrillo on November 15, 2025, 06:52:45 PMHello all,
My client runs an OPNsense firewall on VMware. It runs really well and takes no real resources. I am building a replacement 25.7 firewall. As I got to the storage config I stopped thinking...should I allocate two disks and run these in a ZFS raid 1 pair. Well can someone comment if this makes any sense under VMware?
Thanks,
Steve
Hi spetrillo, I could not speak for VMWare Hypervisor or cloud based but I'm using OPNsense under FreeBSD Bhyve with underlying ZFS, I've just installed OPNsense on a single RAW image(can also be a ZVOL) formatted as single/stripe ZFS disk from the OPN installer.
Whit ZFS even on a single disk the system will take advantages of the ZFS compression/snapshots/Boot Environments etc, despite it being on a single disk the ZFS filesystem is resilient/superior to any other filesystem and bulletproof wen installed on two or more drives, but as mentioned completely unnecessary to be installed on two vdisks on the top level unless for testing/development purposes.
And speaking on "Boot Environments" this is a must have feature especially if you upgrade often, with a ZFS installation the OPNsense UI will enable a feature called "System:Snapshots" and this will benefit the average users with little to no command-line experience to easily revert back to a previous working OPNsense state, or to create a new Boot Environment and reboot into it to experiment with system wide changes, here is a screenshot of such feature:
You cannot view this attachment.
Also with ZFS there are additional advantages such as scheduled system snapshots, export/import but not the case here, between I've been using OPNsense with ZFS way before it was experimentally introduced and later officially added to the installer and I can tell you it is rock solid/stable on any modern hardware and/or VM with decent resources.
Also I've been doing something similar on another system with Qemu/KVM for quite some time but with BTRFS on the host data store for development/testing with no issues at all.
Regards
#10
General Discussion / Re: Trouble with VLAN setup on...
Last post by User074357 - November 20, 2025, 10:29:45 PMQuote from: pfry on November 20, 2025, 09:07:17 PMRouting issues? Your PC would normally use the firewall as its gateway in order to route to the NAS subnet. In the other direction, the NAS would also use the firewall as its gateway to reach your PC. And, of course, if you use it to route, the firewall would need a default gateway to the Internet. You have the option of routing directly on the bridge, e.g. use a static route on your PC to route to the NAS through the firewall. If it's not routing, you'll likely need to provide more detailed information.
I use bridges for everything, as I can conveniently assign interfaces to whatever bridge I need them on at any given time, with no address or rule changes. It's not for everyone, but it works.
Routing seems to be fine. I can see the OPNsense sending outbound packets on the VLAN interface.
Just did a packet capture on both ends. There are ARP requests outgoing on the VLAN interface which never get responded to by TrueNAS.
When attempting to ping the OPNsense box from the NAS with "ping 192.168.20.1" the NAS also sends ARP requests which are never responded to.
Not sure what's going on there.
