Recent posts

#1

26.1, 26,4 Series / Re: This makes me want to cry!...

Last post by dirtyfreebooter - Today at 03:03:18 AM

The logout logic of opnsense is a bit hit or miss... Most people never realize it because they don't keep sessions open for 4 hours.

This could have happened here.

Also changing from https to http can be catastrophic for up to 1-2 weeks. Chrome in particular if it has connected to a domain or ip using https beforehand, it refuses to acknowledge that http is a real thing.

Generally speaking, I would try incognito sessions.

i tried just accessing the with curl which also failed. guess what, it could be something wrong with OPNsense. its not bug free. its also fine. nothing is perfect. but it doesn't seem like something anyone would prioritize, which is also fine.

#2

General Discussion / Re: Dnsmasq help: how to suppr...

Last post by OPNenthu - Today at 01:56:20 AM

The only way I can get the ULA DNS address advertised (and only the ULA, not the GUA) is to make it the only 'dns-server [23]' option for the interface and delete the blank ones for the GUA ranges.

In this case though, the tags aren't doing anything and can also be deleted.

Code Select Expand

$ resolvectl status
...
Current DNS Server: 172.21.30.1
       DNS Servers: 172.21.30.1 fd7b:1236:9970:1003::1
        DNS Domain: clear.h1.internal

What I was hoping to achieve is some distinction between the prefixes so that I could set options on them separately (e.g. use the ULA range as DHCPv6 only and the GUA one as RA only).  But now I'm not even sure that's practical.  Maybe clients would just use one or the other.

How do you do this kind of split ULA/GUA addressing in the real world where there is no static IPv6 prefix from the ISP that can be configured without needing a constructor on the range?  Is it possible?

My best alternative plan to avoid dynamic IPv6 quirks (+others I've experienced) is to just give in to ULA addressing only within my network and NPTv6 for outbound, similar (though not the same) as what @Javier® posted here: https://forum.opnsense.org/index.php?topic=51376.msg263307#msg263307.  I tried it and it works, but of course the browser mostly prefers IPv4 in that case.  It's a little bit of a step backwards in terms of overhead (IPv4 NAT is mostly still used) and privacy (everything again NATed to a single address vs. hosts with regularly changing randomized host bits when privacy extensions are active).  But it's stable.

#3

General Discussion / Updates no longer working

Last post by gauche - Today at 01:00:53 AM

Hello,

I have a DEC750 running OPNSense business edition 25.4.3_4. Every now and then I update it, but when I've tried the past couple of days it has failed. I get a popup saying:

The provided subscription is either invalid or expired. Please make sure the input is correct. Otherwise contact sales or visit the online shop to obtain a valid one.

The update logs show:

Code Select Expand

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.4.3_4 (amd64) at Sat Apr 18 08:54:45 AEST 2026
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/subscription: Forbidden
Fetching changelog information, please wait... fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/sets/changelog.txz: Forbidden
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/meta.txz: Forbidden
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.pkg: Forbidden
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.txz: Forbidden
Unable to update repository OPNsense
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
If I go to any of the mentioned URLs in a browser (substituting the subscription key in, of course), I get:

Access denied, visit https://opnsense-update.deciso.com/ for instructions

If I visit that URL, I get seemingly useless instructions:

In order to use the OPNsense business edition resources, please use your license key in the url in the following format:
    https://opnsense-update.deciso.com/$license_key/

It's like my license key has been revoked or something (obviously I've not been notified of any such action). I'm not really sure where to turn for help, so thought I'd start here. Any useful advice would be appreciated.

#4

26.1, 26,4 Series / Re: This makes me want to cry!...

Last post by sopex8260 - Today at 12:55:56 AM

The logout logic of opnsense is a bit hit or miss... Most people never realize it because they don't keep sessions open for 4 hours.

This could have happened here.

Also changing from https to http can be catastrophic for up to 1-2 weeks. Chrome in particular if it has connected to a domain or ip using https beforehand, it refuses to acknowledge that http is a real thing.

Generally speaking, I would try incognito sessions.

#5

Intrusion Detection and Prevention / Just converted from pfsense to...

Last post by rgranger - Today at 12:51:29 AM

rules.sqlite.LCK, i tried to update that once, it seems to fail, nothing else tries to install from the "ET Open" after this fails.
Also, should the rules checked become unchecked once the download fails?
I am stuck in that they won't download and I can't uncheck/bypass them.
I can delete them and then apply an empty policy and they still come back. It is like that dang Chucky! Can't kill him either.

OPNsense 26.1.6-amd64
FreeBSD 14.3-RELEASE-p10
Thanks in advance,
Rob

/
-rw-r--r--  1 root wheel      98 Apr 17 22:34 OPNsense.rules
-rw-r-----  1 root wheel    1893 Apr 17 22:34 abuse.ch.feodotracker.rules
-rw-r-----  1 root wheel  3086378 Apr 17 22:34 abuse.ch.sslblacklist.rules
-rw-r-----  1 root wheel      517 Apr 17 22:34 abuse.ch.sslipblacklist.rules
-rw-r-----  1 root wheel 57615431 Apr 17 22:34 abuse.ch.threatfox.rules
-rw-r-----  1 root wheel 16237448 Apr 17 22:34 abuse.ch.urlhaus.rules
-rw-r-----  1 root wheel  217376 Apr 17 22:34 emerging-sql.rules
-rw-r-----  1 root wheel  514601 Apr 17 22:34 emerging-web_server.rules
-rw-r-----  1 root wheel 60833792 Apr 17 22:35 rules.sqlite
-rw-r-----  1 root wheel        0 Apr 17 22:35 rules.sqlite.LCK

update:
i have removed the policy after unchecking all the rules. Still the
I have removed the policy  after unchecking all the rulesets, and still it trys to download rules.sqlite
How can I kill that as it seems to kill all the other downloads.

root@OPNsense:/usr/local/etc/suricata/rules # ll
total 2
-rw-r--r--  1 root wheel    98 Apr 17 23:19 OPNsense.rules
-rw-r-----  1 root wheel 28672 Apr 17 23:19 rules.sqlite
-rw-r-----  1 root wheel     0 Apr 17 23:19 rules.sqlite.LCK

#6

26.1, 26,4 Series / Re: This makes me want to cry!...

Last post by dirtyfreebooter - Today at 12:46:15 AM

If it's the timeout issue, then no need to reboot.  OPNsense is fine and it's just the web session that's gone stale.

Hit the browser refresh and log in again.

yea, i think i tried refreshing the page, lol. i even closed the browser and couldn't get to the login screen. all networking seemed fine and like i said, ssh worked and i rebooted it via the console and then the web ui worked again. i didn't report anything because i had nothing in the logs, so nothing was going to done about it (which is fine)

#7

26.1, 26,4 Series / Re: This makes me want to cry!...

Last post by OPNenthu - Today at 12:23:05 AM

If it's the timeout issue, then no need to reboot.  OPNsense is fine and it's just the web session that's gone stale.

Hit the browser refresh and log in again.

#8

General Discussion / Re: Ubiquity Cloud Fiber Gatew...

Last post by nero355 - Today at 12:09:32 AM

@nero355 Approved! 🤌

Hehehe! Thnx! ^_^

I gave it all I had... LOL!

#9

General Discussion / Re: [SOLVED] Help needed LAN t...

Last post by nero355 - Today at 12:05:59 AM

Yeah indeed my desktop can still access everything on LAN2 after I removed the default LAN rules on LAN2.

AWESOME!!! Thnx! :)

#10

General Discussion / Re: [SOLVED] Help needed LAN t...

Last post by Beehive-guy - April 17, 2026, 10:45:52 PM

could you test one more thing for me :

I think LAN2 could be reachable even without the Default LAN Firewall Rules copied to LAN2 because LAN initiates the connection.
Another thing I forgot to mention earlier, sorry! :)

No problem, Yeah indeed my desktop can still access everything on LAN2 after I removed the default LAN rules on LAN2