Recent posts

#1
26.1, 26.4 Series / IPsec/Strongswan CVE-2026-4789...
Last post by Gauss23 - Today at 08:14:17 PM
Hi,

Is OPNsense affected by https://www.strongswan.org/blog/2026/06/08/strongswan-vulnerability-(cve-2026-47895).html ?

Looks like 6.0.6 is the version currently installed with 26.1.9.

As this might be used for RCE without any authentication, it should be addressed, if affected.

Thank you.
#2
General Discussion / Re: Roku DNS storm is impactin...
Last post by OPNenthu - Today at 07:42:18 PM
Quote from: RobertoZ on Today at 07:23:51 PM
I looked for a new "dumb" TV with no smart features. I quickly found out unless you want to buy a professional display costing almost as much as a car you are stuck with this scheiße.

</rant>

It almost seems like the market is rigged so the rentiers and data brokers always win...
#3
General Discussion / Re: newbie trying to set up ne...
Last post by RobertoZ - Today at 07:37:11 PM
Quote from: lumilumi on June 06, 2026, 08:11:28 AM
Not to say I know much, but isn't LLM-generated code extremely insecure as well? Wouldn't that ruin the whole point of trying to use a firewall?

The OpenWRT One is a great piece of kit. If you are using it as just an access point, it does no firewall duties; OPNsense will handle that.

There are numerous guides and tutorials on the web on how to set up an OpenWRT router as just an AP. It takes not even five minutes. Turn off all DHCP and DNS services. Configure it to get an automatic IP from the upstream DHCP server (OPNsense), set up your SSIDs and go.
#4
General Discussion / Re: Allow IGMP queries on WAN ...
Last post by OPNenthu - Today at 07:35:04 PM
Comcast?

Sorry I never updated this thread.  I left it blocked and haven't had any problems with that.  I think it will depend on what services you get from your ISP.

I experimented with IGMP locally because my switch supports snooping, but my network is so small that I didn't appreciate any difference.
#5
General Discussion / Re: Roku DNS storm is impactin...
Last post by RobertoZ - Today at 07:23:51 PM
I have a TCL TV that has Roku OS on it.  It's constantly very chatty.  I use ControlD for DNS so I have it blocked.  I tried disconnecting the TV from the network, but then there is a bright white light on the front of the TV that constantly flashes with the intensity of a thousand suns.

I looked for a new "dumb" TV with no smart features.  I quickly found out unless you want to buy a professional display costing almost as much as a car you are stuck with this scheiße. 

</rant>
#6
Virtual private networks / Re: IPsec vpn with ptp
Last post by tbk49 - Today at 07:23:40 PM
Quote from: Monviech (Cedrik) on Today at 05:55:28 PM
Try if the loopback interfaces can always ping each other through the tunnel.

If that's the case, it's not IPsec.

Some ping initiating something either sounds like the tunnel (a tunnel since it's two, to be more precise) is not up, a firewall state is missing, or traffic is misrouted.

The loopbacks can ping each other so long as the IPsec tunnel is established because it is the IPs of the loopback of each device that is used as the IPsec endpoint for each side.

Does anything need to be NAT'ed? The peer is requesting NAT-T and I am not pushing any subnets to it from the firewall, except a DNS address. I was intending to just add a static route to each side so the relevant subnets could contact each other via each side's GRE tunnel.

Also, does it matter that each peer isn't using the same VLANs for their LAN-side networks or is this irrelevant?
#7
General Discussion / Re: Allow IGMP queries on WAN ...
Last post by dan786 - Today at 07:21:27 PM
I have the same thing; past week the ISP did network upgrades. I'm not familiar with the IGMP protocol. It is in the bogons list so I assumed it should always be blocked.
#8
Denial of Service can take many shapes, one of them is hard drive space exhaustion. Any service that logs can be susceptible to it, that's why logs rotate and can have upper size limits etc... but rogue clients are always an issue, it's one of the main reasons CDNs have so many customers xD
#9
General Discussion / Re: Roku DNS storm is impactin...
Last post by OPNenthu - Today at 07:08:05 PM
Quote from: keeka on Today at 06:51:26 PM
I only forward DNS to the pihole for select clients. Everything else, including the pihole, queries opnsense unbound directly, which is not using any DNSBL.
That's effectively what the source-based Unbound policies allow you to do, since the OPNsense devs brought that into the community edition from the business edition some months ago.  It was a game changer for reducing the need for external DNS, IMO.

Quote from: Monviech (Cedrik) on Today at 06:39:09 PM
You could use NAT to forward just the Roku requests directly to 8.8.8.8 for example. Or give it a DHCP reservation with an external DNS server right away.

Well, the desire is to actually block that telemetry, just in a way that doesn't also kill the OPNsense resources.  I feel like this is a design problem because any misbehaved actor on the network could similarly do this, no?  Just happy that this one happens to be benign.

BTW, the firewall in question has 8G of RAM.  The CPU is relatively weak (J4125) but still doesn't break a sweat as a pure firewall+router for gigabit.
#10
General Discussion / Re: Crowdsec Observations
Last post by dan786 - Today at 07:00:33 PM
I have seen what you're talking about in the past 3-4 years of on and off usage of CrowdSec. For home use I like the idea of it but it has a bar that must be reached in terms of understanding to install it. Anyways, the biggest issue I have found with it first is the table it uses starts at like 60k but after a few days or a week it drops to 8k. I have tried fresh installs and same thing. Secondly, when I have adjusted the default ban from 4 hrs to say 48 hrs it keeps defaulting back to 4. Third, I have found some IPs don't get added to its list until a few days after they stopped being logged by OPNsense, like it's delayed or some reason.