Recent posts

#1
I just tried in my test installation on latest community and I get returns:

    root@OPNsense:~ # /usr/local/opnsense/scripts/kea/get_kea_leases.py --proto inet6
    {"records":[{"address":"fd10::1","prefix_len":128,"type":"IA_NA","hwaddr":"00:15:5d:00:ad:3e","duid":"00:01:00:01:31:3d:5f:3e:00:15:5d:00:ad:3c","client_id":"","iaid":3,"valid_lifetime":4000,"expire":1778876996,"hostname":"","state":0,"if":null,"if_descr":"","is_reserved":[]},{"address":"fd10:0:0:1000::","prefix_len":56,"type":"IA_PD","hwaddr":"00:15:5d:00:ad:3e","duid":"00:01:00:01:31:3d:5f:3e:00:15:5d:00:ad:3c","client_id":"","iaid":3,"valid_lifetime":4000,"expire":1778876996,"hostname":"","state":0,"if":null,"if_descr":"","is_reserved":[]}]}

So if nothing is returned, either KEA's socket really knows no leases, or there is some logic error somewhere (which I don't expect right now).

Quite strange.
#2
@fastboot
Your 1st post looks like you went looking for ucode w/o 1st verifying the actual cpu you have.
My suspicion is, UEFI already applied ucode. What's the date of the UEFI?

Quote from: fastboot on May 14, 2026, 09:37:05 AM
Is it possible that the split microcode file 06-9a-04.80 is missing from the package

It is 100% missing from the package!

Quote from: fastboot on May 14, 2026, 09:37:05 AM
but for Intel Core Gen12 / Alder Lake R0 I would expect platform 06-9a-04/80, not /40.

Not 100% true. The R0 "mobile" variant is a .40, while the R0 "desktop" variant is a .80

The Intel Core i3-1215U, Alder Lake R0, is a mobile CPU, so the .40 should be the correct one.

Conclusion
Intel Core i3-1215U (Alder Lake R0) is a mobile CPU, so its microcode variant is .40.
.80 variants are desktop-only and do not apply.

    sysctl -a | grep hw.model
    sysctl -a | grep hw.cpuid

    # Install cpuid tool if you don't have it
    pkg install cpuid
    # Check your CPU's full CPUID
    cpuid | grep -i "family\|model\|stepping"

Quote: Protectli VP6630 UEFI specifics
Based on reports and Protectli firmware docs:
The default UEFI firmware does include some Intel microcode, usually matching the R0 stepping of CPUs sold with that board.
However:
It might not include the very latest microcode (especially security updates released after the board was shipped).
Therefore, OS-level microcode loading is still recommended.
UEFI typically updates the CPU at boot, before any OS starts, but the update is only what the firmware contains.
#3
German - Deutsch / IPSEC Tunnel Status via Zabbix...
Last post by holehner - Today at 09:18:36 PM
Hello everyone,
I have read one or two posts about Zabbix here.
Currently I have the Zabbix plugin installed on my OPNsense. I get many values, but none regarding the VPN connections.

Does anyone have experience with how I can monitor the VPN connections with Zabbix? Up/Down would be enough for me.
Traffic on top of that would be the cherry on the cake.

Has anyone dealt with this topic already?

Best regards and many thanks, Heiko
#4
German - Deutsch / Unbound under OpenVPN
Last post by trixter - Today at 09:16:38 PM
Current scenario:

Several OpenVPN tunnels that hand out the tunnel server as DNS, e.g. 192.168.200.0/24 tunnel network and GW/DNS/NTP is .200.1.
For Unbound to work, "all" is specified as the interfaces.

Now, however, I would like to disable DNS on the WAN - of course you could also block it with a rule, but that is only a workaround. If you make a mistake in the rules, everything is open again.

For the interfaces you can only specify physical interfaces - the logical ones for the OpenVPN instances cannot, for whatever reason, be specified here. Yet in my view that would make so much more sense.
>>I want to give my VPN users the internal server names, which are nobody else's business!

Can I run Unbound on the VPN servers without also exposing it on WAN (which they are presumably attached to)?

#5
German - Deutsch / Re: IPSEC - two subnets in P...
Last post by holehner - Today at 09:12:48 PM
Hello Patrick,
thanks for this tip, I hadn't considered that at all.
I have adjusted the tunnels, let's see what tomorrow brings.

Many thanks! Regards, Heiko
#6
26.1, 26,4 Series / Re: Odd Kea DHCPv6 behavior...
Last post by Ed V. - Today at 08:59:45 PM
    # /usr/local/opnsense/scripts/kea/get_kea_leases.py --proto inet6
    #
    # /usr/local/opnsense/scripts/kea/get_kea_leases.py --proto inet
    {"records":[{"address":"192.168.144.3","prefix_len":128,"type":"","hwaddr":"24:5e:be:74:d2:4b","duid":"","client_id":"01:24:5e:be:74:d2:4b","iaid":"","valid_lifetime":86400,"expire":1778926767,"hostname"...

#7
General Discussion / Re: Traffic Graph looks revers...
Last post by runo10 - Today at 08:36:12 PM
I don't have any proxy. Can it be a bug on the OPNsense side?
#8
26.1, 26,4 Series / Re: [26.1] NAT reflection not ...
Last post by keeka - Today at 08:36:09 PM
Quote from: Kinerg on May 14, 2026, 11:56:52 PM
Quote from: nero355 on May 14, 2026, 03:45:22 PM
If possible you should avoid Reverse NAT a.k.a. NAT Loopback anyway, so maybe a good moment to consider moving away from it ?!
Why? Genuine question.

It's considered a sub-optimal workaround, less secure. I decided to pass on NAT reflection options, for both pfSense and OPNsense, probably some point after reading documentation, beginning with https://docs.netgate.com/pfsense/en/latest/nat/reflection.html. I then thought split DNS might be affected by TTL, so avoided that solution. Eventually addressing it only when needed, with my own NAT rules. AIUI it's only considered NAT reflection if the redirected traffic 'hairpins' via the WAN.
#10
26.1, 26,4 Series / Re: Odd Kea DHCPv6 behavior...
Last post by Ed V. - Today at 08:07:57 PM
The hook library is there (both dhcp6 and dhcp4):

    "hooks-libraries": [
      {
        "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so"
      },
      {
        "library": "/usr/local/lib/kea/hooks/libdhcp_host_cmds.so"
      }
    ],

The script works - but only returns IPv4 leases...