Recent posts

#1
Tutorials and FAQs / Help understanding firewall lo...
Last post by matterbury - Today at 06:24:13 AM
Hi,

I've had a quick look for info on this subject but there are a *lot* of posts that seem related but the ones I've read don't help (me).

I'm getting lots of default blocks for traffic I *think* shouldn't be possible, in particular where both the source and destination are on a different subnet than that of the interface in the log message. In some cases the source and destination are on the same subnet (VLAN) which confuses me more.

Everything seems to be working fine so I'm more curious and interested in reducing "noise" if possible, not looking for a fix as such.

Example screenshots attached.

In this case the TRUSTED interface is VLAN 10 with IP range 192.168.10.0/24, the .20. subnet is for VLAN 20, and I'm using Dnsmasq DNS on both VLANs (forwarded from Unbound).

It looks like a DNS query from one host on the .20. subnet to the Dnsmasq server on 20.1 so I'm curious why it's even seen by the firewall *and* why the log claims it's on the TRUSTED interface (how did that happen?).

My topology is roughly: opnsense on Proxmox on Zimaboard 2 with 2 NICs, one for WAN, one for LAN, 4 VLANs on the LAN (one the default), LAN port connects to a switch, switch connects to 3 access points with an SSID per VLAN, all ports on the switch in trunk mode (no adding or removing of tags).

I've omitted a lot of detail as I don't *think* much of it is relevant but LMK what other info I should provide (and apologies in advance).

Thanks in advance for any info.
#2
I'm seeing the same issue. My workaround is to run a SOCKS proxy on the firewall itself and connect through that, but that's a hack.
#3
26.1, 26,4 Series / Re: Large number of files accu...
Last post by lmoore - Today at 05:01:21 AM
Quote from: franco on March 12, 2026, 09:03:51 AMGreat, thanks again for the report!


Cheers,
Franco

OPNsense 26.1.11_6

Deja vu

% ls -l /tmp/tmpcfd_* | wc -l
    9339
#4
Chinese - 中文 / Re: OPNsense adds pfTop, file ...
Last post by opnwall - Today at 04:48:31 AM
Updated to support OPNsense 26.7,please visit https://opnwall.github.io/OPNsense-repo/
#5
Hello everyone,
I would like to introduce the Opnwall OPNsense Community Repository, an independent community repository providing additional plugins and utilities for OPNsense.

Repository:
https://github.com/Opnwall/OPNsense-repo

Package repository:
https://opnwall.github.io/OPNsense-repo/

Supported platforms
  • OPNsense 26.x
  • FreeBSD 14 / FreeBSD 15
  • amd64 architecture

The correct package repository is selected automatically using ${ABI}.

Installation
Log in to the OPNsense shell as root and run:
fetch -o /usr/local/etc/pkg/repos/opnwall.conf \
  https://opnwall.github.io/OPNsense-repo/opnwall.conf

pkg update -f

Then open:
System
└── Firmware
    └── Plugins

The available Opnwall packages beginning with os- should now appear in the plugin list.

Available plugins
  • os-ddclient-opnwall — Extended DDClient replacement with Aliyun, Tencent Cloud and IPv6 interface support
  • os-ddns-go — DDNS-Go dynamic DNS integration
  • os-lang — Chinese localization updater
  • os-lucky — Lucky network toolbox integration
  • os-mihomo — Mihomo proxy integration
  • os-pftop — pfTop diagnostics page
  • os-sing-box — sing-box proxy integration
  • os-staticarp — Static ARP binding integration
  • os-ttyd — ttyd web terminal integration
  • os-unboundcustom — Custom configuration options for Unbound DNS

Removing the repository
To remove the repository configuration:
rm -f /usr/local/etc/pkg/repos/opnwall.conf
pkg update -f

This removes only the repository configuration. It does not uninstall plugins that have already been installed.
Individual plugins can be removed from the OPNsense plugin page or with:
pkg delete <package-name>
Source code
The complete source code for all published plugins is available in the repository:
https://github.com/Opnwall/OPNsense-repo/tree/main/src

Each src/os-* directory is an independent plugin project and includes a build.sh script for building on a compatible OPNsense/FreeBSD system.
Bug reports, compatibility feedback and contributions are welcome:
https://github.com/Opnwall/OPNsense-repo/issues

Important notice
This is an independent community project. It is not affiliated with, maintained by, or officially supported by the OPNsense Project or Deciso B.V.
Before installing third-party plugins:
  • Back up your OPNsense configuration.
  • Test the packages in a non-production environment whenever possible.
  • Verify compatibility after every major OPNsense upgrade.
  • Proxy, DNS and DDNS plugins may change important network behavior, so review their configuration carefully.

Licenses for the source code and bundled third-party components are provided within the respective project directories.
#6
General Discussion / Re: Unbound DNS keeps crashing...
Last post by lmoore - Today at 04:39:00 AM
Quote from: nero355 on July 13, 2026, 11:16:37 PMNo it's really Windows 10 itself but I can't remember what it was about

I've not found anything on Windows 10, however, Windows 11 has 'DoHWellKnownServers' in the registry. Perhaps this is what you are thinking of.

Last night I blocked connections on one of my networks to the DNS server address on OPNsense. Checking this morning, there were no queries either from Windows-10 or Windows-11 to the Google DNS servers.
#7
General Discussion / Re: Periodic NIC issues (?) wi...
Last post by BrandyWine - Today at 03:32:18 AM
I don't think it was ever asked. How exactly does your i226 ifaces (that are in use) ever go idle enough for either ASPM or EEE to turn them off? It's make no sense that any working iface would ever go idle enough to get into a deep power-down state.

It's still not clear if the issue resides in the 2MB or the 1MB NVM, nobody knows.

Unless someone can drum up a way to monitor ring/Tx/Rx/buffers/etc and power states of the NIC in realtime, the issue is cat-chasing-tail. I don't think it's a APSM or EEE problem at this point. I might suspect some 226's have a silicon gremlin.
#8
26.1, 26,4 Series / Re: How reliable is Firewall:D...
Last post by hharry - Today at 03:06:31 AM
OPNsense for several major versions, has suffered from showing incorrect rules in firewall sessions and states.

https://forum.opnsense.org/index.php?topic=46029.msg236282#msg236282

To this day, i still see the same set of issues in 26.x

For me i always see these issues when either

1. F/W rules are changed, then sessions and states are listed with incorrect F/W rules
2. immediately after OPNsense reboot ( no F/W rule change is involved ), then sessions and states are listed with incorrect F/W rules


In both cases, i need to reset F/W states to clear out the issue...after resetting F/W states, then all F/W sessions and states then list correct / expected rules, until either of above cases are executed again, then the cycle repeats...
#9
Let her brighten up your night - No Selfie
https://privatedates.live
 
She's ready to meet you now
#10
General Discussion / Re: Can interfaces switch on r...
Last post by nero355 - July 13, 2026, 11:19:30 PM
Quote from: bimbar on July 13, 2026, 06:35:44 PMThat is a bit of a weird question - we are hosted on ovhcloud, and after the latest update to 26.1.7_1 the interfaces vtnet0 (LAN) and vtnet1 (WAN) have switched places. So to fix, I had to reassign the interfaces, vtnet0 is now WAN and vtnet1 is now LAN, and everything works again.
Your VM heard that I think it's more logical to have it the way it is now and decided to switch the interfaces! LOL! ^_^