Recent posts

#1
26.1 Series / Re: Override DHCP Valid Lifeti...
Last post by nero355 - Today at 05:31:38 PM
Quote from: Diggy on Today at 04:09:36 PM
Since I don't have a github login
Then create one! LOL! :P
#2
Zenarmor (Sensei) / Re: update to 2.4.2 hangs
Last post by dirtyfreebooter - Today at 05:13:22 PM
it looks like the update server is having major bandwidth issues. i just ran a speedtest and my network seems fine, 945 mbps up/down. no other network issues. update server is going at like 50 kb/s. i am manually fetching the pkg in my browser to test.
#3
25.7, 25.10 Series / Re: Router not having WAN acce...
Last post by nero355 - Today at 05:12:52 PM
Quote from: justjake on Today at 01:44:33 AM
and the default gateway is the correct IP address.
I am guessing your OPNsense WAN is simply set to DHCP and should be the Default Gateway: Is that the case?

Quote
When you say NAT do you mean the one on the router or the client?
I mean Outbound NAT in OPNsense: Is it set up correctly?

In general you never NAT on the Client side ;)



But to be honest I think it might be easier to reset your configuration and just follow the First Boot Setup Wizard correctly to fix this issue, unless you figure out how to fix everything manually...
#4
Hardware and Performance / Re: Debian on DEC4640
Last post by nero355 - Today at 05:05:46 PM
Quote from: Greg_E on Today at 02:54:08 PM
I DD'd (in Rufus) the SUSE Harvester ISO to a USB and it boots UEFI, this install no longer uses BIOS boot as an option since (I think) v1.7.0 release.
I have indeed read about (open)SUSE dropping Legacy BIOS Boot Mode in the future but I can't remember the exact version so it could be that one.
#5
26.1 Series / Re: Is latest OPNsense 26.1.x ...
Last post by DEC740airp414user - Today at 04:53:14 PM
Quote from: franco on Today at 09:31:58 AM
The timing is unfortunate. We decided to hotfix this for business users later today. The full batch of SA's includes more changes to pf than necessary (or even relevant to us) so this has to wait for 26.1.6 or you can build a kernel from https://github.com/opnsense/src/commits/stable/26.1/ directly which has all the commits.


Cheers,
Franco

updated business appliance

thank you for keeping us secured
#6
Zenarmor (Sensei) / update to 2.4.2 hangs
Last post by dirtyfreebooter - Today at 04:52:51 PM
i updated to 25.10.2_8 this morning. now zenarmor has an update. and it just hangs. i killed the pkg process and tried again and it just hangs. no problems with the OPNsense update earlier. do any updates from zenarmor ever get tested? the QA the process end to end? ugh

i've also tried updating from the zenarmor dashboard button. same thing, hangs on fetching.

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.10.2_8 (amd64) at Thu Mar 26 09:46:37 MDT 2026
Strict TLS 1.3 and CRL checking is enabled.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
Waiting for another process to update repository SunnyValley
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Checking for upgrades (88 candidates): .......... done
Processing candidates (88 candidates): . done
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
os-sensei: 2.4.1 -> 2.4.2 [SunnyValley]

Number of packages to be upgraded: 1

112 MiB to be downloaded.
[1/1] Fetching os-sensei-2.4.2.pkg:
#7
Quote from: Greg_E on Today at 02:33:50 PM
I thought multithread was available in one of the paid versions?

The faster the clock speed, the better ZA will run, kind of the only rule of thumb we currently have. I'm looking at an n355 device for my next hardware, something with at least 6 i226 ports and maybe trade a couple for some SFP+ (10g lan to lan would be NICE). I only have gigabit out to wan, so don't need the i226, but it's what I'm finding because it's what most people want going forward.

Also looking at a different model with 8 i226 ports, not seeing anything with "cheaper" i350 ports anymore, and I'm not going to try Realtek for real work.


the roadmap has it 90% complete and has it listed under business and higher licenses, so no paid home license.


#8
This looks like a pretty smart solution to the immediate issue.

I have to think about how we approach this in the GUI, skipping the LocationMatch generation can be the most viable solution.

It should be quite a small diff as well.

About a GUI for rewrites, I am not completely sure about it. Raw config imports (import directives in the shell) might be the way to go at a certain point of complexity.
#9
25.7, 25.10 Series / Re: OPNWAF Redirect Match not ...
Last post by ivosir - Today at 04:35:59 PM
Hello,

I see your point. The configuration you suggest unfortunately doesn't seem to work.

I also tried other combinations of <Location> or <LocationMatch> and Redirect or RedirectMatch, the only working one is when Redirect is nested in <Location>, as mentioned in Apache docs: https://httpd.apache.org/docs/current/mod/mod_alias.html#redirect. It does not solve the problem though.

<Location "/one">
    Redirect 301 "http://newserver.com/one"
</Location>

RedirectMatch apparently cannot be enclosed in <Location>, at least the documentation doesn't mention such a case: https://httpd.apache.org/docs/current/mod/mod_alias.html#redirectmatch. If I am getting it right, RedirectMatch is interpreted before LocationMatch but due to the fact that it's enclosed inside LocationMatch, the whole block never gets triggered.

However, thanks to the Apache docs and ChatGPT, I've found a workaround which can even be used with the current GUI and Redirect Match type. :-) It makes use of environment variables.

The GUI fields look like this:

  Local path: /mailman/(?<CUSTOMPATH>.*)
  Remote destinations: https://<LIST-SERVER>/mailman/%{env:MATCH_CUSTOMPATH}


It translates into the following configuration block in gateway_vhosts.conf:

<LocationMatch "/mailman/(?<CUSTOMPATH>.*)">
    RedirectMatch 308 "https://<LIST-SERVER>/mailman/%{env:MATCH_CUSTOMPATH}"
</LocationMatch>

It is a bit cumbersome, but works well. :-)

As a longer-term solution, perhaps implementing some basic GUI interface for mod_rewrite in addition to mod_alias would be fruitful?

Ivo
#10
German - Deutsch / Update fails with no route to ...
Last post by xaxology - Today at 04:12:50 PM
Hello,

I keep trying to bring OPNsense 25.1 up to a newer version, but I keep getting the same error.
The 25.1 install is fairly fresh and the config was carried over from a 23.1. I currently need the legacy VPN tunnel settings.

I have already disabled IPv6, switched the mirror several times and had the database rebuilt, but that did not help.
An update via the CLI has also been attempted, which unfortunately just runs endlessly and never finishes.

Sometimes a few packages get fetched, but shortly afterwards the error appears.

A direct upgrade to 25.7 is currently not an option.

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.1 (amd64) at Thu Mar 26 15:53:31 CET 2026
Updating OPNsense repository catalogue...
Waiting for another process to update repository OPNsense
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (157 candidates): .......... done
Processing candidates (157 candidates): ....... done
The following 112 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    jq: 1.8.0
    libinotify: 20240724_2
    libuuid: 2.41.1_1
    libxml2-legacy: 2.11.9_1
    lua54: 5.4.8
    py311-jq: 1.8.0_1

Installed packages to be UPGRADED:
    boost-libs: 1.86.0_1 -> 1.88.0_1
    ca_root_nss: 3.104 -> 3.108
    curl: 8.11.1_1 -> 8.14.1
    dhcp6c: 20241008 -> 20250513
    dnsmasq: 2.90_4,1 -> 2.91_1,1
    easy-rsa: 3.2.1_1,1 -> 3.2.3,1
    expat: 2.6.4 -> 2.7.1
    glib: 2.80.5_1,2 -> 2.84.1_3,2
    hostapd: 2.11_1 -> 2.11_3
    icu: 74.2_1,1 -> 76.1,1
    indexinfo: 0.3.1 -> 0.3.1_1
    jansson: 2.14 -> 2.14.1
    kea: 2.6.1_2 -> 2.6.3_1
    krb5: 1.21.3 -> 1.21.3_1
    libcbor: 0.11.0 -> 0.12.0_2
    libedit: 3.1.20240808,1 -> 3.1.20250104,1
    libffi: 3.4.6 -> 3.5.1
    libfido2: 1.15.0 -> 1.16.0
    libidn2: 2.3.7 -> 2.3.8
    libnghttp2: 1.64.0 -> 1.66.0
    libpsl: 0.21.5_1 -> 0.21.5_2
    libucl: 0.9.2 -> 0.9.2_1
    libunistring: 1.2 -> 1.3
    libxml2: 2.11.9 -> 2.14.5
    lighttpd: 1.4.77 -> 1.4.79
    monit: 5.34.3 -> 5.35.2
    mpd5: 5.9_18 -> 5.9_19
    mpdecimal: 4.0.0 -> 4.0.1
    nettle: 3.10.1 -> 3.10.2
    nss: 3.107 -> 3.113.1_1
    ntp: 4.2.8p18_1 -> 4.2.8p18_4
    openldap26-client: 2.6.9 -> 2.6.10
    openssh-portable: 9.9.p1_1,1 -> 10.0.p1_1,1
    openssl: 3.0.15_1,1 -> 3.0.17,1
    openvpn: 2.6.13 -> 2.6.14
    opnsense: 25.1 -> 25.1.12
    opnsense-lang: 25.1 -> 25.1.11
    opnsense-update: 25.1 -> 25.1.11
    pcre2: 10.43 -> 10.45_1
    perl5: 5.36.3_2 -> 5.40.2_2
    pftop: 0.10_1 -> 0.13
    php83: 8.3.15 -> 8.3.23
    php83-ctype: 8.3.15 -> 8.3.23
    php83-curl: 8.3.15 -> 8.3.23
    php83-dom: 8.3.15 -> 8.3.23
    php83-filter: 8.3.15 -> 8.3.23
    php83-gettext: 8.3.15 -> 8.3.23
    php83-ldap: 8.3.15 -> 8.3.23
    php83-mbstring: 8.3.15 -> 8.3.23
    php83-pcntl: 8.3.15 -> 8.3.23
    php83-pdo: 8.3.15 -> 8.3.23
    php83-pecl-radius: 1.4.0b1_2 -> 1.4.0b1_3
    php83-phalcon: 5.8.0 -> 5.9.3
    php83-phpseclib: 3.0.42 -> 3.0.46
    php83-session: 8.3.15 -> 8.3.23
    php83-simplexml: 8.3.15 -> 8.3.23
    php83-sockets: 8.3.15 -> 8.3.23
    php83-sqlite3: 8.3.15 -> 8.3.23_1
    php83-xml: 8.3.15 -> 8.3.23
    php83-zlib: 8.3.15 -> 8.3.23
    py311-Babel: 2.16.0 -> 2.17.0_1
    py311-Jinja2: 3.1.4 -> 3.1.6
    py311-anyio: 4.7.0 -> 4.9.0
    py311-async_generator: 1.10 -> 1.10_1
    py311-attrs: 24.3.0 -> 25.3.0
    py311-certifi: 2024.12.14 -> 2025.6.15
    py311-charset-normalizer: 3.4.1_1 -> 3.4.2
    py311-cryptography: 42.0.8_5,1 -> 44.0.3_2,1
    py311-duckdb: 1.1.3 -> 1.3.1_1
    py311-h11: 0.14.0 -> 0.16.0
    py311-h2: 4.1.0 -> 4.1.0_1
    py311-hpack: 4.0.0 -> 4.0.0_1
    py311-httpcore: 1.0.7 -> 1.0.9
    py311-httpx: 0.28.1 -> 0.28.1_1
    py311-hyperframe: 6.0.0 -> 6.0.0_1
    py311-ldap3: 2.9.1 -> 2.9.1_1
    py311-markupsafe: 2.1.5_1 -> 3.0.2
    py311-numexpr: 2.10.2 -> 2.11.0
    py311-numpy: 1.26.4_2,1 -> 1.26.4_6,1
    py311-openssl: 24.1.0,1 -> 25.0.0_1,1
    py311-outcome: 1.3.0_1 -> 1.3.0_2
    py311-packaging: 24.2 -> 25.0
    py311-pandas: 2.1.4,1 -> 2.2.3_2,1
    py311-pyasn1-modules: 0.4.0 -> 0.4.1
    py311-pylsqpack: 0.3.18 -> 0.3.22
    py311-pytz: 2024.2,1 -> 2025.2_1,1
    py311-pyyaml: 6.0.1 -> 6.0.1_1
    py311-requests: 2.32.3 -> 2.32.4
    py311-setuptools: 63.1.0_1 -> 63.1.0_3
    py311-sortedcontainers: 2.4.0 -> 2.4.0_1
    py311-sqlite3: 3.11.11_7 -> 3.11.13_11
    py311-trio: 0.28.0 -> 0.30.0
    py311-truststore: 0.10.0 -> 0.10.1
    py311-typing-extensions: 4.12.2 -> 4.14.0
    py311-tzdata: 2024.2 -> 2025.2
    py311-ujson: 5.10.0 -> 5.10.0_1
    py311-vici: 5.9.11 -> 5.9.11_1
    python311: 3.11.11 -> 3.11.13
    rrdtool: 1.9.0 -> 1.9.0_1
    sqlite3: 3.46.1,1 -> 3.50.2_1,1
    sudo: 1.9.16p2_1 -> 1.9.17p1
    suricata: 7.0.8 -> 7.0.11_1
    syslog-ng: 4.8.1_3 -> 4.8.2_3
    unbound: 1.22.0_1 -> 1.23.1
    wpa_supplicant: 2.11_2 -> 2.11_5
    zstd: 1.5.6 -> 1.5.7

Number of packages to be installed: 6
Number of packages to be upgraded: 106

The process will require 40 MiB more space.
98 MiB to be downloaded.
pkg-static: https://pkg.opnsense.org/FreeBSD:14:amd64/25.1/latest/All/ntp-4.2.8p18_4.pkg: No route to host
Starting web GUI...done.
***DONE***