Recent posts

[Not]

#1

General Discussion / Re: Port OPNsense to Linux?

Last post by meyergru - Today at 09:39:05 AM

There is soo much already out there so what do you need exactly that they can not offer ?!

They could offer a decent UI with more limited features, but aimed at what most clueless people who come in here think a firewall should do. There are countless examples of voicing that, the last of which was this one.

That is: Not 3 different DHCP services, 4 different DNS servers, loose coupling between MAC / IP and DNS names that must be consolidated manually over the configuration of two services, not even counting the associated firewall rules.

It is very hard to down-size an existing appliance like OpnSense that has grown over the years and adapted many tools and plugins. The decline of FreeBSD poses a chance to start from scratch, with a specific clientele in mind.

What the Fritzbox does not is better in the direction of simplicity, but worse in the way of flexibility, e.g. you cannot have DNS aliases, making the use of name-based reverse proxies or having several services on one IP very difficult. Also, it lacks something like Adguard Home or Pi-Hole.

While IPfire and other Linux-based firewalls may have the correct feature-set, they suck even more on the "complexity" side for such users than OpnSense.

P.S.: To be clear: I like OpnSense for what it is. But, as I often said, it is not suited for the average Joe who does want "a little bit more" than what consumer routers offer. There are more of those these days with IoT and homelabbing. Such users just want the benefits, but are unable or unwilling to grasp the underlying concepts and need a stringent UI, which OpnSense does not offer.

So, this is a growing market that is neither met by Fritzboxes, IPfire, OpenWRT, OpnSense and all the others. Yet, I think that despite there being a lot of people who would love to have it, they are also the same people who do not want to pay for that luxury.

#2

26.1 Series / Re: Source NAT vs Outbound ?

Last post by alex402 - Today at 08:35:10 AM

Dear Franco,

I noticed that the invert exclamation mark is not showing in the destination address in Source NAT.

I apologize if this has already been discussed. If not, this needs to be fixed in future releases.

I use the version 26.1.5.

Thank you for your work.

#3

German - Deutsch / Re: OPNsense mit Caddy, VLans ...

Last post by spooner.arthur - Today at 06:37:16 AM

Ach so, noch ein Hinweis:
alle Server / Dienste laufen auf einem Proxmox Host

#4

General Discussion / Re: Supporting Consistent Intr...

Last post by cornfield - Today at 05:37:04 AM

How to delete?

#5

General Discussion / Re: Crashing after upgrading t...

Last post by bigdog420 - Today at 05:11:10 AM

Most likely Franco will check this out next week and see if there's something that can be done here or if it's an issue that needs to be fixed upstream

Thanks man! I appreciate your guys' help.

#6

Tutorials and FAQs / Re: IPv6 Control Plane with FQ...

Last post by OPNenthu - Today at 05:09:25 AM

If, 1. shows a problem, pretend you didn't do anything and start again

This is my method too, but now she just blames me automatically even when it's not my fault :)

Regarding the Household test on the LibreQoS site, I asked ChatGPT what the test looks for and it gave an interesting response.  It said that the houshold test falls down quickly when using FQ_CoDel because it cannot distinguish between flows.  All traffic has equal priority so things like gaming, VoIP, etc. can get impacted quickly when there is traffic from multiple clients.

To get a good score there we need CAKE, which can distinguish clients and flows.

As it's not available on FreeBSD, the best we can do is prioritize into queues.  I guess for that to work with FQ_CoDel we would need multiple pipes right?  Or maybe one pipe with no scheduler and instead use CoDel within priority queues?

I would be tempted to try this but I don't know how to match the traffic accurately.  For example, how do we use rules to distinguish video streaming from regular downloads (both using HTTPS)?   Are we supposed to match by destination, e.g. all YouTube.com -> send to high prio queue?

If someone has a guide for that in OPNsense it would be great.  I'm sometimes getting an 'F' on that test.

#7

26.1 Series / Re: OR type in Firewall: Log F...

Last post by OPNenthu - Today at 04:54:45 AM

Yep, in the live view upper right corner there's an option "Select any of given criteria (or)".

#8

26.1 Series / OR type in Firewall: Log Files...

Last post by grapes2331 - Today at 04:46:40 AM

Hello, I see when I create a filter at the top I can only use the AND is it possible to use OR to filter the live logs?

#9

Virtual private networks / openVPN randomly disconnecting

Last post by grapes2331 - Today at 04:39:54 AM

Hello, my openVPN client keeps randomly disconnecting for now reason and i see `IP packet with unknown IP version=0 seen`. I selected MSS fix option within the instance config, but it still seems to happen. I am using the following certification I'm not sure if this is increasing my packet and I need to specify a different MTU.


TLS static key

Public Key Algorithm: Elliptic Curve Cryptography (ECC)

Key Size: 521-bit

Elliptic Curve: NIST P-521 (secp521r1)

Signature Algorithm: ECDSA (Elliptic Curve Digital Signature Algorithm) with SHA-512

#10

General Discussion / Re: Crashing after upgrading t...

Last post by newsense - Today at 04:21:56 AM

Most likely Franco will check this out next week and see if there's something that can be done here or if it's an issue that needs to be fixed upstream