Recent posts

#1
Hello everyone,

I'm currently using the community edition of qfeed on OPNsense and am generally happy with it. Still, I'm considering switching to the Plus or Premium version. Right now qfeed and CrowdSec share the blocking duties; between them they already reliably filter out most unwanted access. The remaining protection is handled by classic filter rules.

Since I want to expose a NAS to the internet for private use and security is especially important to me, I'm wondering whether an upgrade would noticeably improve protection. An update/response interval of 4 hours sounds more convincing to me than 7 days. qfeed's price is also attractive to me, which unfortunately I can't say about CrowdSec at the moment.

What are your experiences with upgrading to Plus/Premium? Does it bring measurable benefits in practice, particularly for externally reachable services?

Best regards, Richard
#2
26.1 Series / Re: Feature Request: FIDO2 / W...
Last post by Monviech (Cedrik) - Today at 05:53:48 PM
Ideally you could use the business edition with OpenID Connect support and an identity provider that supports the auth scheme you require. I assume there is some OIDC provider who offers YubiKey support.
#3
It might be better to skip NAT and use a layer 4 proxy (e.g. haproxy or caddy) that can stream between ipv4/ipv6 front end to ipv4 only backend. That reduces a lot of pain with IPv6 NAT and GUA/ULA weirdness.

I think the Kubernetes folks call that Ingress Controller and use traefik most of the time instead of haproxy or caddy.

Otherwise I think I would try a simple port forward (destination NAT).
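As an added illustration of the layer 4 proxy approach from the reply above (not configuration from the poster or the OPNsense project), here is a minimal HAProxy fragment that accepts both IPv4 and IPv6 on the firewall and streams the TCP connection to an IPv4-only backend; the backend address 192.0.2.10 and port 443 are assumed placeholders.

```haproxy
# Listen on all addresses; "v4v6" makes the single IPv6 socket accept IPv4 too,
# so no IPv6 NAT and no separate GUA/ULA handling is needed on the firewall.
frontend nas_tcp_in
    bind [::]:443 v4v6
    mode tcp
    option tcplog
    default_backend nas_ipv4

# The backend only speaks IPv4; HAProxy terminates the client's IPv6 connection
# and opens a fresh IPv4 connection, so the NAS never needs an IPv6 address.
backend nas_ipv4
    mode tcp
    server nas1 192.0.2.10:443 check
```

Because the proxy itself owns the listening socket, the only OPNsense rule required is a firewall rule permitting TCP/443 to "This Firewall" on the WAN interface; no port forward is involved.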
#4
Now that the server started it should be fine.

You don't need NAT rules at all, you only need a firewall rule that allows access to the Caddy ports on This Firewall.

And for dynamic DNS, use a different check type? Maybe the interface check doesn't work for some reason in your setup?

Check the FAQ and troubleshooting here:
https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-troubleshooting

Try to pinpoint the issue.
#5
Zenarmor (Sensei) / Re: Issue with OPNsense 26.1.3...
Last post by sy - Today at 05:22:52 PM
Hi,

Could you try updating again and share the logs using the "Have Feedback" option located in the bottom left corner of the UI?
#6
Zenarmor (Sensei) / Re: Device recognition issue w...
Last post by sy - Today at 05:20:44 PM
Hi LucaS,

When an L3 device exists, you need to mark it as a Router device. Please visit the following link for further detail.

https://www.zenarmor.com/docs/support/faq#zenarmor-shows-only-one-device-for-all-clients-behind-my-router-how-can-i-make-it-show-them-individually
#7
26.1 Series / Feature Request: FIDO2 / WebAu...
Last post by opnessense - Today at 05:14:59 PM
Hi all,
with the latest OPNsense releases I'm reviewing my access security and I'd like to officially propose FIDO2 / WebAuthn support for WebGUI login.

I already use YubiKeys as a strong authentication method on other platforms in my homelab, and I would really like to have a similar experience on OPNsense as well.

I'm aware that OPNsense currently supports TOTP-based 2FA ("Local + Timebased One Time Password"), which works fine and can also be used with a YubiKey as TOTP generator, but the workflow I'm interested in is the more modern security key flow:

- WebGUI login with username + password + YubiKey FIDO2/WebAuthn
- optional security key PIN + physical touch as the second factor
- ability to associate multiple security keys per user (primary key + backup key)
- ideally, the option to enforce security key use at least for admin accounts.

I see there is already an open issue for FIDO/FIDO2/U2F support in the core, and some older forum discussions about this topic, so I'd like to add my voice and renew interest in this feature. There are users (like me) who are already using FIDO2/WebAuthn on other infrastructure components and would like to align OPNsense firewall access with the same security level.

For my use case this would be a major hardening step for WebGUI access, especially in scenarios where the admin may log in from trusted but not strictly "personal" machines.

Thanks a lot for your great work and for considering this feature request.
#8
Lol damn sometimes it just takes someone to repeat the obvious.

So first off I did check that file,
I saw these errors in the caddy.log file

Error: caddy process exited with error: exit status 1
Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: address already in use
Error: caddy process exited with error: exit status 1
Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: address already in use
Error: caddy process exited with error: exit status 1

Looking at the used ports I saw

sockstat -4 -6 -l | grep ':80'
root     lighttpd   50842 9   tcp4   *:80                  *:*
root     lighttpd   50842 10  tcp6   *:80                  *:*
root     suricata   91301 6   div4   *:8000                *:*
root     suricata   91301 7   div4   *:8000                *:*
root     suricata   91301 8   div4   *:8000                *:*
root     suricata   91301 9   div4   *:8000                *:*
root     crowdsec    4445 18  tcp4   127.0.0.1:8080        *:*
root     kea-ctrl-a 72069 7   tcp4   127.0.0.1:8000        *:*

At first, I thought this was the web-gui, I did move it to a different port in the admin settings and I figured since I only use https I didn't have to do anything else.

Restarting the web-gui service did stop lighttpd from using port 80, but when I started caddy it would come back.

Anyway, looking at it again this morning I realized I missed a setting in the web GUI, "Disable web GUI redirect rule".

I just enabled that setting, and Caddy was able to start up.
But I'm still having problems with the reverse proxying and DDNS.

The reverse proxy isn't working at all for the subdomain and the DDNS part is still erroring out with
"error","ts":"2026-03-09T16:12:02Z","logger":"dynamic_dns","msg":"looking up IP address","ip_source":"interface","error":"no IP addresses returned"}
With my Nginx-based reverse proxy, along with the firewall rules I also have a NAT rule to direct the external ports to the internal IP of the reverse proxy. Do I need to add a similar NAT rule for "this firewall", like the firewall rule?

Sorry about all the edits and the way I wrote this post, I got a little too excited when the caddy server actually started.

#9
General Discussion / Re: Need help understand NPTv6
Last post by wallaby501 - Today at 04:57:47 PM
My diagrams.net expertise is sorely lacking but basically this.


I understand well enough the IPv4 side (essentially it's just a NAT port forward on the WAN to the service IP of the pod) and that works without issue but just trying to go dual stack here. Essentially it's the same thing only since IPv6 guarantees you GUA I assume that I should only listen on my K8s vlan GUA and then redirect that to the pod service IP. Which half makes me think that if I made a firewall rule that directs anything on the K8s vlan external IP to that pod IP I might be fine.

Image might not show so here it is- https://imgur.com/a/BcZuYwq
#10
The I226 drivers work just fine. There are also devices with 4x I226 and 2x Intel 10 Gbps SFP+, which also work fine. The N3x5 variants get a lot hotter than the N1x0, so you probably want active cooling or consider one of the latter.

You can also buy these boxes from Protectli with warranty, but with a premium.