Recent posts

#1
26.1, 26,4 Series / Re: A firewall rule pattern t...
Last post by hithereall - Today at 11:00:12 PM
For fun, I would try and lower the MTU on your peer to 1365 or so when on mobile/away from home, assuming you have them on the default 1420.
#2
The issue isn't the versioning scheme per se. The issue is that releasing a proper version takes a lot longer than issuing a hotfix. Doing fewer hotfixes in business increases the release rate, but also slows the release timing down.

In the past we've done internal patch levels for the package sets we're publishing in business, but if core isn't patched there's nothing to attach a patch level to as a visible marker (also because git doesn't allow multiple tags on the same commit).

It's a luxury problem that needs some work to push through in order to avoid far worse alternatives like the one mentioned above.

Cheers,
Franco
#3
26.1, 26,4 Series / Re: External CA: auto-fetch no...
Last post by franco - Today at 10:42:03 PM
The whole CRL part of certificates is lackluster in design. OpenSSL even tries to verify a CRL for a certificate that doesn't have a CRLDP, because it doesn't have to be public. I get the trust aspect, but this is an impossible situation by design, amongst other weirdness.

For OpenVPN it's better to roll local certificates from your own CA and use the revocation feature locally as well. It works like a charm. No cost, no extra management interface, no third party.

Cheers,
Franco
#4
Hardware and Performance / Re: quad interface firewall PC...
Last post by Greg_E - Today at 10:35:13 PM
There's not much Supermicro anymore, not in the low-end stuff that makes a good firewall. Either that or I'm no longer finding this level of stuff.
#5
> Is there indeed a newer version of the microcode than 0x8001278?

The latest pkg in OPNsense is dated 2025-12-02.

In the meantime there have been at least one or two releases, as far as I know, but the FreeBSD port hasn't been updated... so we can only wait.
#6
26.1, 26,4 Series / Re: 26.4_14 dhclient IP address ...
Last post by jeroenm - Today at 09:36:24 PM
Quote from: nero355 on Today at 06:37:40 PM
> Quote from: jeroenm on Today at 03:51:55 PM
> > Yesterday, after a power failure, IPTV stopped working.
> >
> > After investigation IGMP Proxy wouldn't start up and in Interfaces/Overview the interface doesn't have an IP address.
>
> I don't know what your IPTV setup looks like, but if possible please consider setting it up like this: https://forum.opnsense.org/index.php?topic=51192.msg262139#msg262139
>
> Reason I am mentioning this: I am a big fan of moving IPTV away from the router and "offloading it" to a separate device :)

I'm using Canal+ via Freedom. I like the idea of offloading it to a separate device, but that's just one more thing that's using power, and with the electricity prices at the moment...
#7
26.1, 26,4 Series / Re: 26.4_14 dhclient IP address ...
Last post by jeroenm - Today at 09:33:36 PM
Quote from: franco on Today at 04:11:54 PM
> Reason TIMEOUT + FAIL is pretty fatal. I'm not sure why it would be failing, but it might be out of your immediate control. The information given in between (like a valid IP address) is bogus.
>
> Cheers,
> Franco

Thanks Franco, the bogus IP address got me, of course; when connecting the ISP router the same problem exists.

Jeroen
#8
26.1, 26,4 Series / Re: A firewall rule pattern t...
Last post by opnseeker - Today at 09:33:13 PM
All traffic within the network, including traffic incoming via WireGuard and outgoing via WAN and VPN, uses Pi-hole deployed on a VM on the same Proxmox host as OPNsense. Haven't seen any issues with that setup recently.

Pi-hole sends its queries to Unbound on OPNsense, which uses recursive resolution.

I will check out the link you posted and troubleshoot further.

I couldn't reproduce the issue so far when I am at home.

Thanks for the help.
#9
Which once more confirms that the FreeBSD Foundation sponsored enhancements to if_bridge(4) are effective and that, for most use cases, even up to 10G the bridge will not impose any bottleneck.

Yes, a router/firewall is not a switch, but for all users intending to replace a consumer box with OPNsense, using a LAN bridge to avoid buying a separate switch is a perfectly valid solution.
#10
This has been running perfectly for 3 weeks now! You guys are amazing!

The N355 in the Q11032H6 handles 9.6 Gbps bridge transfer at 22% CPU usage, which I think is great! (This is my first step away from consumer routers.)

I'm sharing this so others who want to replace their router find it easier; Google sent me to some other dated instructions.
https://docs.opnsense.org/manual/how-tos/lan_bridge.html