Recent posts

#1
26.1, 26.4 Series / Re: 26.1.6_2 Destination NAT ...
Last post by lmoore - Today at 06:58:05 PM
Back in those days, transparently redirecting HTTP, FTP, IPSec, Real Audio, etc to proxies running on localhost was the go. This is probably why the majority of examples will redirect to a port for the Proxy Service running on the firewall.

Other scenarios were to redirect connections arriving from the Internet to internal servers.

Then came the challenge to get reflection of internal connections working with IPF.

There have been many improvements with PF firewalls over the years. However, there is always the need for improvements.

@Franco Is there somewhere in the OPNsense documentation pages where one can easily locate the additional setup guides and how-tos?

Cheers,

Larry.
#2
26.1, 26.4 Series / Re: NetBird Interface breaks b...
Last post by JoopB - Today at 06:36:28 PM
Ok, thanks. So the fix is clear, but it will take a while to get implemented everywhere.
Will be checking those release notes every update.
#3
Quote from: nero355 on April 25, 2026, 03:15:13 PM
But I can remember that at some point it was no longer compatible with UEFI Servers so double check if the software you eventually go for can also do that!
That would likely be a reason to keep trying to get KEA to work; possibly I'll attempt to install a symlink to the actual install file that with an appended "ff". Should be possible but it's certainly an evil hack. KEA can easily filter by boot agent type and therefore serve different stuff for BIOS vs. EFI.

Quote from: https://punkt.de/de/blog/2017/automatisierte-installation-von-servern-mit-freebsd-und-zfs.html
The environment already provided via TFTP must now additionally be exported via NFS.
That likely was the issue that kept my attempt from succeeding. It did load the netboot-capable boot, but since I expected this to be fully handled by TFTP I didn't export the boot FS via NFS (which would have been easy since NFS already serves selected datasets). A pity that one can't do away with TFTP entirely; NFS is less hacky and much faster. And if you have TFTP running, then things must already be secured against nefarious clients, so NFS won't be an additional security issue. For installers, one can just set all respective underlying filesystem permissions to be read-only for everyone, since they're not sensitive and thus only manipulation must be prevented. The automated install might need sensitive things like passwords or certificates to be served ("Next we set the root password so that we can log in via the console: (...) ROOT_PW_HASH is of course to be replaced by the actual hash of the root password."), but a basic interactive install doesn't have these problems.

Thanks for the heads-up!
#4
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - Today at 06:05:35 PM
Just wanted to post a follow-up. After my last changes (those few tunables), I have had a very stable experience. I updated to 26.4 and migrated my rules, and I have had 100% uptime on OS and WAN since I updated and rebooted for the update.

Haven't had a chance to redo some of my cable management since I replaced the UniFi Cloud Gateway Fiber, but I like the pop of red :) lol
#5
General Discussion / Shaper queues and schedulers
Last post by keeka - Today at 04:38:53 PM
I started looking at traffic shaping with OPNsense. With the bufferbloat recipe, I fail to see the utility of queues when FQ-CoDel is the pipe scheduler. Would pointing the rules directly at the relevant pipes achieve something similar, or do you lose something?

When traffic prioritisation is the goal, does it make sense to set the pipe scheduler to WFQ or QFQ, then enable CoDel on the queues? Does this get the best of both worlds (fair queuing within weighted queues) or something unexpected?

Thanks for any insights.
#6
General Discussion / Re: GeoIP not working
Last post by franco - Today at 04:15:05 PM
In recent 26.1.x there's a Firewall: Aliases: Actions tab with "Update GeoIP" button to bridge that user gap. In theory the update is deferred for the right reasons, but users do not always agree.
Cheers,
Franco
#7
In the new firewall rules, when pressing Inspect you should also see all legacy rules mixed in, with the correct order displayed.
#8
26.1, 26.4 Series / Re: 26.1.6_2 Destination NAT ...
Last post by franco - Today at 03:47:41 PM
Part of the confusion appears to come from the fact that the old page selected port "80" as default redirect port. People likely never saw "any" as a viable option and a bit of internal core plumbing appeared to be incomplete for decades.
Cheers,
Franco
#9
General Discussion / Re: GeoIP not working
Last post by mb19 - Today at 03:36:54 PM
Hi!

I'm a bit late to the discussion, but today I've been configuring this and ended up here.

I read the post and felt discouraged because at the end it was mentioned that the issue was fixed in version 26.1, but I realized I was already running 26.1.6 and still had the same problem 😭

So I wanted to share what worked for me.

From the OPNsense console, I ran:

configctl filter update geoip
--> this returned "OK"

Then I ran:

configctl filter geoip stats
--> Interestingly, this referenced the CSV file that the GUI was trying to download from the URL

So, after following some AI suggestions and checking the Python scripts' config, "we" concluded that the "Apply" button in the GUI does download the data using the URL with the license key, but it's the intermediate step, the trigger between the GUI downloading the data and using that data, that's failing.

So I manually executed:

python3 /usr/local/opnsense/scripts/filter/download_geoip.py

502 files written, with a total number of 1217420 lines
locations filename : GeoLite2-Country-Locations-en.csv
IPv4 filename : GeoLite2-Country-Blocks-IPv4.csv
IPv6 filename : GeoLite2-Country-Blocks-IPv6.csv

After running this, the GeoIP data finally appeared in the GUI.

Hope this helps someone!
#10
Currently both old and new rules are active on your system. I have no idea in which order they are applied.

Disable all the old rules, check if everything works, if yes delete them with the assistant.