Recent posts

#1
Tutorials and FAQs / Re: [HOWTO] Configure WAN MTU ...
Last post by funtowne - Today at 02:37:09 PM
Quote from: meyergru on Today at 02:33:02 PM
I use it with M-Net. I know that Telekom and their resellers do not work with 1500 bytes MTU.

Good to know; I'm also on M-Net FTTH.  Looks like I have some homework tonight and can unwind my MSS workaround in the same go.  Thanks for the quick reply!
#2
Tutorials and FAQs / Re: [HOWTO] Configure WAN MTU ...
Last post by meyergru - Today at 02:33:02 PM
I use it with M-Net. I know that Telekom and their resellers do not work with 1500 bytes MTU.
#3
Tutorials and FAQs / Re: [HOWTO] Configure WAN MTU ...
Last post by funtowne - Today at 02:17:50 PM
@meyergru With which ISP in Germany are you utilizing the sortachonky-mini-baby-jumbo Frames?

I'm also oddly honored that my post made it into the PPPPS of the OP :) Credit goes to the post I found on GitHub for the workaround.
#4
German - Deutsch / Re: Telekom Magenta SIP mit VM...
Last post by meyergru - Today at 01:53:10 PM
RTP would only be the second step; you would notice that, if at all, when you hear nothing or are not heard.

The first step would be SIP registration. And yes, the earlier logs also looked as if the packets go out but nothing comes back. Hence my question about the priority of the outbound NAT rules. You could listen on the WAN interface to see whether anything comes back from the SIP servers. You can also enable logging for the default block rule to see whether something is being blocked there.
#5
Announcements / OPNsense 26.1.3 released
Last post by franco - Today at 01:28:03 PM
Hi and hello,

This update finally brings in Python 3.13 after the struggle we had with
3.11 and missing security patches.  A number of things were fixed for the
new rules GUI as well as assorted minor things in all areas of the code
base.  Two FreeBSD security advisories are also included and a reboot is
needed to finish this update.

Of note are the recent modifications of the firmware scripting as they
follow a fix in 26.1.2 that seems to have resolved the partial upgrade
failures people have been reporting over the last 2 years.  It turned out
that the issue was a cleanup routine in the core package that removed
temporary files in the background while the package manager was still
attempting to install more packages.

Here are the full patch notes:

o system: add note field to store comments for each snapshot
o system: add configurable "memberOf" attribute to LDAP connector
o system: do not scrub unrelated IPv6 DHCP ranges from Dnsmasq LAN config during wizard
o system: adapt DHCP address shell setup for new config access functions
o system: adapt web GUI certificate renew for new config access function
o system: adapt initial port configuration DHCP setting for new config access functions
o system: avoid using "(system)" user revision annotation to match legacy and MVC code
o system: fix log files 'go to page' edge case and row count persistence/max
o system: ignore future backups when they exist to ensure new backups are saved
o system: ensure proper types are emitted in searchGatewayAction() when configd action fails
o system: use safe iteration for cert/ca in system_trust_configure()
o system: fixed broken link in modal header when using HA and saving administration settings
o system: create a backup on factory reset
o system: unify pwd_changed_at usage
o reporting: restore canvas state in health graph to fix Firefox display bug
o interfaces: generalise the dhcp6c_script using the new IFNAME variable
o interfaces: fix enter key in assignment description and general cleanup
o interfaces: protect device reads against forcing empty arrays into $config
o firewall: check for schedules in use in new rules
o firewall: add import/export function and missing lock on set action
o firewall: better focus selected alias updates to increase performance when either --aliases or --types is used
o firewall: implement missing ICMP types in new rules GUI (contributed by Bjoern Jakobsen)
o firewall: adjust for parseReplace() for icmp-type "skip"
o firewall: fix NAT rule enabled checks display (contributed by Aaron Rogers)
o firewall: prevent separator char from being used in category names
o firewall: fix running into error using well known protocols with "-" in them
o firewall: add validation to prevent using both gateway and reply-to in the same rule in new GUI
o firewall: add a command button to open the live log with pre-filled rule ID in new GUI
o firewall: move download and upload commands out of partial into global commands in new GUI
o firewall: reduce complexity in URL hash handling and when using firewall_rule_lookup.php in new GUI
o firewall: fix default ipprotocol mismatch so that when not specified both are indicated
o firewall: update destination NAT ACL to match our menu entry
o firewall: fix issues with searching in the states page
o firewall: allow well known ports in local-port destination NAT
o firewall: adjust row selection behaviour for internal rules in MVC pages
o firewall: offer aliases the same way as the field type expects them
o dnsmasq: add IP address validations for some of the DHCPv4 and DHCPv6 options (contributed by Greelan)
o firmware: fix automatic advanced toggle in settings
o firmware: shorten the reboot message to fit the spinner on the same line
o firmware: tweaks for update/upgrade cleanup behaviours between core and opnsense-update
o firmware: add support for aux repository handling in opnsense-update
o installer: ufs: ignore errors when flushing the full disk
o intrusion detection: upgrade ET Open ruleset to version 8.0 (contributed by 0nnyx)
o openvpn: add options for legacy ciphers (contributed by Bjoern Jakobsen)
o radvd: use safe config array iteration over virtual IPs
o unbound: persist overrides PTR configuration and allow the user to deselect it
o backend: removed mwexec() and mwexec_bg() functions following their deprecation
o backend: add config_push_array() and config_merge_array() helpers
o backend: remove constant configd cleanups as they may influence requests from other threads executing different commands
o mvc: restructure menu items and system using findNodeByPath()/getItem() additions
o mvc: BaseListField: generic implementation of static options
o mvc: PortField: make "well-known" port numbers known by allowing them to be mapped to their respective numbers
o mvc: collect UUID field so it can be searched, but only if the searchPhrase contains a valid UUID
o tests: merge stable filter tests to double check upcoming changes
o ui: batch bootgrid enable/disable-selected toggle by default
o ui: swap order of custom bootgrid commands placement making sure they participate in command binding
o plugins: os-acme-client 4.14[1]
o plugins: os-caddy 2.1.0[2]
o plugins: os-haproxy 5.1[3]
o plugins: os-netbird 1.2
o plugins: os-nextcloud-backup 1.2[4]
o plugins: os-q-feeds-connector 1.5[5]
o plugins: os-tailscale 1.4[6]
o plugins: os-theme-cicada 1.41 (contributed by Team Rebellion)
o plugins: os-theme-flexcolor 1.1 (contributed by Schnuffel2008)
o plugins: os-theme-tukan 1.31 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.51 (contributed by Team Rebellion)
o plugins: os-upnp 1.9[7]
o src: igmp: do not upgrade IGMP version beyond net.inet.igmp.default_version
o src: igmp: apply net.inet.igmp.default_version to existing interfaces
o src: ice: handle allmulti flag in ice_if_promisc_set function
o src: icmp6: clear csum_flags on mbuf reuse
o src: file: qualify pointers to capsicum rights as const
o src: file: add a fd flag with O_RESOLVE_BENEATH semantics
o src: file: Fix the !CAPABILITIES build
o src: unix: Set O_RESOLVE_BENEATH on fds transferred between jails[8]
o src: rtsock: Fix stack overflow[9]
o src: divert: Use a better source identifier for netisr_queue_src() calls
o src: if_ovpn: add interface counters
o src: e1000: fix setting the promiscuous mode
o src: pfctl: allow new page character (^L) in pf.conf
o src: sctp: support bridge interfaces
o src: ifconfig: assorted stable fixes
o src: ip_mroute: assorted stable fixes
o src: vtnet: assorted stable fixes
o ports: libucl 0.9.4
o ports: nss 3.121[10]
o ports: python 3.13.12[11]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/26.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/26.1/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/26.1/net/haproxy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/26.1/sysutils/nextcloud-backup/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/26.1/security/q-feeds-connector/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/26.1/security/tailscale/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/26.1/net/upnp/pkg-descr
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:04.jail.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:05.route.asc
[10] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html
[11] https://docs.python.org/release/3.13.12/whatsnew/changelog.html
#6
26.1 Series / Re: BUG: Category Color Picker
Last post by Monviech (Cedrik) - Today at 01:25:13 PM
I just used Safari on an M2 based Macbook and I could choose a color in the color picker and it got saved correctly.
#7
High availability / Re: Dnsmasq - doesn't work for...
Last post by Seimus - Today at 12:24:19 PM
Yes, that is correct, that's how DHCP works.

You can have the clients reach the VIP, but the response for the DHCP offer will come from the interface IP and not the VIP.
You can only bind the listening interface/IP, but not the responding one.

I am running two DHCP servers based on dnsmasq on Linux servers. They are both active, as dnsmasq doesn't support HA, so I have set a delay in response on the second one. Meaning the first server is always the one to respond first.

Regards,
S.
#8
Zenarmor (Sensei) / Re: Google Voice keeps getting...
Last post by Seimus - Today at 12:15:35 PM
Did you try to restart ZA after allowing it in the policies?

Regards,
S.
#9
German - Deutsch / Re: Telekom Magenta SIP mit VM...
Last post by falkt - Today at 11:54:14 AM
I've now set up a Win11 VM and tested with MicroSIP. Now it gets interesting:

According to MicroSIP, the request towards Telekom is sent successfully, but after that nothing more happens.
In the OPNsense live logs you can see the NAT rule working.
--> You also don't see any reject for incoming packets from Telekom.

One could assume that Telekom does not receive the request (not verifiable) or does not respond to it.
After a while MicroSIP then runs into a timeout.

Fixed port forwarding doesn't really make sense, does it?
Sure, you can push 5060 and the RTP range to the SIP gateway, but that's not how SIP is supposed to work.
Or am I making a big mistake in my reasoning here?


EDIT:
This is also interesting:

Telekom hilft Forum

Exactly the same topic, apparently a different SIP client, but that doesn't matter.
#10
25.7, 25.10 Series / Re: IPSEC Site-site VPN help, ...
Last post by jonm - Today at 11:15:56 AM
Thanks for your help.

I switched to pre-shared keys and now it's working. I might try public key again at some point.