"Recent posts
#1
German - Deutsch / Re: [Gelöst] Problem Reverse P...
Last post by Ronny1978 - Today at 07:34:08 AMMit Hilfe eines Mitglieds aus einem anderen Forum haben wir die Lösung gefunden:
Zusätzliche Header-Konfiguration:
Damit ist das Problem gelöst.
Danke, JohneDoe 😉👍
Zusätzliche Header-Konfiguration:
Code Select
header_up Host {host}Damit ist das Problem gelöst.
Danke, JohneDoe 😉👍
#2
26.1 Series / SOLVED Re: Problem Reverse Pro...
Last post by Ronny1978 - Today at 07:31:54 AMWith the help of a member from another forum, we found the solution:
Additional header configuration:
That solves the problem.
Thanks JohneDoe 😉👍
Additional header configuration:
Code Select
header_up Host {host}That solves the problem.
Thanks JohneDoe 😉👍
#3
General Discussion / Re: AI integration for OPNsens...
Last post by OPNenthu - Today at 07:15:30 AMSpeaking of the Mythos model, I don't know how much of this is industry hype but if it's really as capable as I'm reading, then I hope FreeBSD, OPNsense, and open source projects broadly figure out their strategy before those discovered vulnerabilities become liabilities to all the users. This is my fear.
It's not difficult to imagine the immense pressure that these AI owners will be able to put on companies in order to pay themextortion fees for priority access to security findings.
And even then, who knows if and how many vulnerabilities are being sold and kept quiet. We can guess who might be be buying.
I thought this article asked some good questions, even though it's written by a security company that I presume uses AI:
https://www.picussecurity.com/resource/blog/anthropics-project-glasswing-paradox
It's not difficult to imagine the immense pressure that these AI owners will be able to put on companies in order to pay them
And even then, who knows if and how many vulnerabilities are being sold and kept quiet. We can guess who might be be buying.
I thought this article asked some good questions, even though it's written by a security company that I presume uses AI:
https://www.picussecurity.com/resource/blog/anthropics-project-glasswing-paradox
#4
German - Deutsch / Re: Wie benutze ich unbound DN...
Last post by stefanpf - Today at 06:40:48 AMMöchte das nicht als die absolute Wahrheit verkaufen, aber folgendes scheint bei mir geholfen zu haben:
- router advertisments nicht über dnsmasq, sondern wieder über radv (Services / Router advertisements)
Dort in den erweiterten Einstellungen
deprecate prefix on
shutdown prefix on
Minimum interval 20
Maximum interval 60
Default Lifetime 60
Preferred Lifetime 600
Valid Lifetime 1800
- Wifi: z.B. bei Unifi sicherstellen, dass Multicast nicht geblockt wird, DTIM auf 3
Zwischendurch hatte ich die RAs über dnsmasq verteilen lassen und habe es damit nicht dauerhaft zum laufen bekommen - primär ist das bei den Stubenhockern (Ipad, LG TV) aufgefallen.
- router advertisments nicht über dnsmasq, sondern wieder über radv (Services / Router advertisements)
Dort in den erweiterten Einstellungen
deprecate prefix on
shutdown prefix on
Minimum interval 20
Maximum interval 60
Default Lifetime 60
Preferred Lifetime 600
Valid Lifetime 1800
- Wifi: z.B. bei Unifi sicherstellen, dass Multicast nicht geblockt wird, DTIM auf 3
Zwischendurch hatte ich die RAs über dnsmasq verteilen lassen und habe es damit nicht dauerhaft zum laufen bekommen - primär ist das bei den Stubenhockern (Ipad, LG TV) aufgefallen.
#5
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by Maurice - Today at 04:53:41 AMOPNsense 26.1.6 aarch64 packages and sets released.
#6
26.1 Series / Re: lots of empty space in new...
Last post by randell - Today at 03:49:59 AMQuote from: Patrick M. Hausen on April 10, 2026, 10:18:14 PMSeconded. A browser has scroll bars. Just use all of the bloody space. And place all "action" buttons - new, select, delete, ... as well as apply - at the top of the page. Render a web page. It's a web UI, not an application.Created an account just to +1 this.
I have a smallish laptop, 14" screen running 1080p resolution and that doesn't give much vertical space. It works much better with scrolling the entire window than the little grid.
#7
26.1 Series / Re: Is VPN kill switch rule st...
Last post by OPNenthu - Today at 02:16:59 AMI'm looking for the current information, but struggling :)
I think none of the obvious sources (OPNsense docs, pfSense docs, OpenBSD pf manual, FreeBSD manual) explicitly state how this works. The closest I've found so far is from the OpenBSD pf manual, but even that doesn't explicitly answer it. You have to infer some things by reading between the lines.
https://www.openbsd.org/faq/pf/filter.html
The part that I underlined, in combination with the fact that interface rules are directional, I **think** implies the following filter flow (NAT omitted):
Ingress:
remote client ---> [WAN]("in" rules) ---> [LAN]("out" rules) ---> local server
Egress:
local client ---> [LAN]("in" rules) ---> [WAN]("out" rules) ---> remote server
Once state is established, subsequent packets bypass the filters.
In most cases we don't use "out" filters in OPNsense, so those filter points can logically seem as though they don't exist. (Maybe this is a source of confusion and why it's sometimes said that filtering only happens once, at the interface the packet comes in on?)
Then the reason the VPN kill switch works is because when the packet that would otherwise go the VPN gateway shows up on WAN, the rules there are evaluated because the flow doesn't match a state*. Then, the WAN "out" rule sees the tag on the packet that was set from the VPN interface and blocks.
So, it must be filtering on all interfaces that the packet traverses, not just the interface the packet came in on. Else this wouldn't work.
Is this all correct so far?
*not clear how floating vs. interface pf states (not rules) affect this. Floating states are default in OPNsense, as they are also in OpenBSD's pf.
You cannot view this attachment.
pfSense is the opposite (defaults to interface bound states) and explains some potential VPN leakage problems.
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states
Maybe at least the rules on the VPN interface should be manually set to interface-bound?
¯\_(ツ)_/¯
I think none of the obvious sources (OPNsense docs, pfSense docs, OpenBSD pf manual, FreeBSD manual) explicitly state how this works. The closest I've found so far is from the OpenBSD pf manual, but even that doesn't explicitly answer it. You have to infer some things by reading between the lines.
https://www.openbsd.org/faq/pf/filter.html
QuotePacket filtering is the selective passing or blocking of data packets as they pass through a network interface.
Quotedirection
The direction the packet is moving on an interface, either in or out.
The part that I underlined, in combination with the fact that interface rules are directional, I **think** implies the following filter flow (NAT omitted):
Ingress:
remote client ---> [WAN]("in" rules) ---> [LAN]("out" rules) ---> local server
Egress:
local client ---> [LAN]("in" rules) ---> [WAN]("out" rules) ---> remote server
Once state is established, subsequent packets bypass the filters.
In most cases we don't use "out" filters in OPNsense, so those filter points can logically seem as though they don't exist. (Maybe this is a source of confusion and why it's sometimes said that filtering only happens once, at the interface the packet comes in on?)
Then the reason the VPN kill switch works is because when the packet that would otherwise go the VPN gateway shows up on WAN, the rules there are evaluated because the flow doesn't match a state*. Then, the WAN "out" rule sees the tag on the packet that was set from the VPN interface and blocks.
So, it must be filtering on all interfaces that the packet traverses, not just the interface the packet came in on. Else this wouldn't work.
Is this all correct so far?
*not clear how floating vs. interface pf states (not rules) affect this. Floating states are default in OPNsense, as they are also in OpenBSD's pf.
You cannot view this attachment.
pfSense is the opposite (defaults to interface bound states) and explains some potential VPN leakage problems.
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states
Maybe at least the rules on the VPN interface should be manually set to interface-bound?
¯\_(ツ)_/¯
#8
26.1 Series / Re: Problem installing OPNsens...
Last post by merlinz01 - Today at 01:51:09 AMI got this same error installing OPNSense on Proxmox. I used Ubuntu live ISO and the parted tool to create a GPT partition table and then the installer succeeded.
#9
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - Today at 01:48:51 AMyea i don't think its an actual issue. before, my connection was dropping off completely and the only fix to physically unplug and plug the cable back in, nothing i did on CLI like if down / if up, brought the connection back, so at least i feel i am at a better spot.
#10
Hardware and Performance / Re: DEC3920 Quick Review
Last post by pfry - Today at 01:31:38 AMQuote from: dirtyfreebooter on Today at 12:23:30 AM[...]yea i dont think its an actual problem, its 0.00027%[...]
I just noticed I have some, a much higher percentage:
Code Select
root@fw:/home/user # netstat -i
Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll
[...]
bridge0 1500 <Link#20> 58:9c:fc:10:85:67 156005318 0 0 68605805 4905211 0
[...]
QuoteThis is a very specific and telling symptom.[...]the system is dropping packets[...]
Uh... that looks like an AI hallucination. It's looking to me like buffer evictions or similar. Possibly less than ideal, but I don't see any performance issues (I only have a 500Mb service). Oh, and there's all sorts of stuff (as in devices; ixl and ix at least) attached to that bridge. One of these days I'll upgrade (service and servers), and see if I have issues then.
