Recent posts

#1
General Discussion / Re: Install problem on NVMe (n...
Last post by Jwidess - Today at 02:45:21 AM
Something else I have noticed is that when using "nvmecontrol logpage -p 2 nvme0" the "Temperature:" is always exactly the same. I have never seen anything other than "311 K, 37.85 C, 100.13 F", the same goes for smartctl.
I will see tomorrow if I have a duplicate model drive I can test this on.
#2
25.1, 25.4 Series / Re: [SOLVED] NUT-Plugin (Netwo...
Last post by rkbest13 - Today at 01:02:16 AM
Paul.
How and where did you enter those config values? I don't seem to see any setting in the GUI to do the same.

My new battery and old battery before swap both show 6 min runtime on APC1500vA UPS and I feel I need to set this to help protect the machine.
#3
This is a stab in the dark, but try turning EEE off on OPNSense.

In the UK, we had issues with the 2.5G port on the DOCSIS 3.1 modem with specific firmware which were related to Energy Efficient Ethernet. We've since had a firmware upgrade on the modem to fix it, but hey...worth a try?
#4
25.7, 25.10 Series / Re: After upgrading to 25.7.9,...
Last post by kwo1 - Today at 12:17:43 AM
Thank you for your reply.  Correct, 192.168.2.251 is OPNsense.

To remove the possibility of the firewall rules influencing the issue, I removed my MGMT interface (which corresponds to the 192.168.2.251 IP) from opnsense and re-added it.  I did this under the Interfaces > Assignments section of the web GUI.  I then re-added it using the same device ID.  This removed ALL firewall rules previously associated with that MGMT interface.  After re-adding that interface, I was left with 0 rules attached to it.  I then created 1 rule seen below which allows all IPv4 and all protocols to access 192.168.2.251:
On a computer (192.168.2.99) that's on the same MGMT subnet, I tried to access OPNsense via https://192.168.2.251 while performing the packet capture in opnsense.  The packet capture seems to show the computer sending a TLS client hello, but receiving no response back.  I think this is the root cause of my issue. 
Again, I have my MGMT interface listed as a listening interface.  How else do I ensure that OPNsense responds to TLS communication?

#5
FWIW, I have an XB7 gateway connected to my OPNsense via a 2.5GbE link.  I'm not seeing this, but IIRC it was a little sensitive to which modem port I used.  Have you tried switching the XB8 port?
#6
I've done a bit more testing that could point towards the Xfinity Gateway (in bridge mode) being the issue. I have a cheap managed switch with 2 SFP+ ports and 4x 2.5 gb ports. Put in between the Router and the Gateway, this gives me the ability to change port speeds on each device.

Here are my test results after running a speedtest a few times. I cycled through the ports a couple of times to ensure nothing changed.


| Modem | Router | Speed Result |
|---|---|---|
| 2.5GB | 10GB | ~325mbps |
| 2.5GB | 2.5GB | ~325mbps |
| 2.5GB | 1GB | ~650mbps |
| 1GB | 10GB | 940mbps |
| 1GB | 2.5GB | 940mbps |
| 1GB | 1GB | 940mbps |

It seems to run pretty consistent when the modem's link is set to 1GB at 900-940mbps as a 1GB link should.

However, when the modem's link is set to 2.5GB I get pretty inconsistent speeds, sometimes better than the speeds above but usually only 50-100mbps better. Never reaching what a 1GB link should be.


I have not tested my 2.5GB USB adapter yet since I have services being hosted on this and it requires a gateway reboot to connect a new device/MAC. I may try it out tomorrow morning, but for now things seem to point towards the modem.



Quote from: passeri on January 12, 2026, 03:14:41 AM
Quote from: manki_09 on January 11, 2026, 11:01:56 PM
I currently have shaping turned off. I tried shaping as a troubleshooting step to limit the speed to 1gb but nothing changed.
The intel x550 NICs will not auto negotiate to 2.5gbps. Which is programmed into the firmware. Manual selection is required. This is why I have a 2.5gb usb nic order so I can test if the NIC is at fault.
I see. You mean like this comment which I found on the Intel site here?
Quote from: Intel engineer
The autonegotiation for 2.5 and 5Gb speeds for the X550 was changed in 2020.
Default autonegotiation excludes the 2.5 and 5Gb speeds.
If 2.5 or 5Gb is chosen in the dropdown, it will change autonegotiation to only advertise that speed. So it is not forcing to 2.5Gb or 5Gb when those options are chosen, it changes the advertised speed.
That may be an issue if the switch is configured as forced to 2.5Gb instead of autonegotiate.
If that still does not help, please make sure the ethernet updated to the latest NVM and drivers.

This comment and the prior discussion on the Intel site imply to me that the problem may lie with NIC configuration rather than with Opnsense config. Your proposed test may be informative ("may" because I lack complete confidence in USB-Ethernet adapters even though I sometimes use them in testing).

Yes that's the post I learned that NIC needs to be manually set to get 2.5gb/5gb links by default. I don't have the latest firmware (3.70) for the NIC, but I do have 3.50 and looking at the change log I don't appear to be exhibiting the bugs that were fixed.

Last night I did do a bit of research and found this on the forums.
Adding Speed Parameters to X550 Config

I added a tunable option of dev.ix.1.advertise_speed with a value of 23 which now allows my NIC to auto negotiate to either 100, 1g, 2.5g or 10g. This seems to be working now. 
#7
General Discussion / Re: Install problem on NVMe (n...
Last post by Jwidess - January 12, 2026, 11:17:20 PM
Quote from: bsdimp on January 12, 2026, 10:13:55 PM
So async events are problems with the drive, usually temperature. Log page 2 is the SMART page and it should say what it is.

But if it's a constant spew, then maybe we aren't clearing enough bits in the event masks. Turning off logging almost certainly is the wrong approach, since all those interrupts are bogging down the system...

What does logpage 2 say? nvmecontrol logpage -p2 nvme0

Warner

Good point, I suppose just hiding these is not a great solution. My PR was primarily just a solution to give myself the option to suppress them to allow for an install. At the end of the bug report, I have my output from that machine with the drive experiencing the errors:

SP500GBP44UD900 nvmecontrol Output:
~ # nvmecontrol logpage -p 2 nvme0
SMART/Health Information Log
============================
Critical Warning State:        0x00
 Available spare:              0
 Temperature:                  0
 Device reliability:            0
 Read only:                    0
 Volatile memory backup:        0
Temperature:                    311 K, 37.85 C, 100.13 F
Available spare:                100
Available spare threshold:      10
Percentage used:                0
Data units (512,000 byte) read: 7531
Data units written:            10305
Host read commands:            216800
Host write commands:            150867
Controller busy time (minutes): 2596
Power cycles:                  32
Power on hours:                43
Unsafe shutdowns:              9
Media errors:                  0
No. error info log entries:    0
Warning Temp Composite Time:    0
Error Temp Composite Time:      0
Temperature 1 Transition Count: 0
Temperature 2 Transition Count: 0
Total Time For Temperature 1:  0
Total Time For Temperature 2:  0

Bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292410
#8
Virtual private networks / WireGuard VPN - OpenID Connect...
Last post by paulo.pereira - January 12, 2026, 10:53:20 PM
Hi,

We have bought a DEC4280 firewall to replace our current Cisco one.
We have configured WireGuard as our VPN with OpenID Connect as authentication on Captive Portal.
We have Unbound DNS disabled, we have internal DNS server.

The issue we have is that, in order for the Captive Portal to redirect to the right Microsoft endpoints (ex. login.microsoft.com), I have to put the Microsoft endpoints' IP addresses in the Captive Portal field "Allowed addresses", and this is unfeasible because of the many IPs that Microsoft uses.

We have tried to "Disable firewall rules" on the Portal and create them manually according to the OPNsense Docs on the WireGuard interface, but with no luck.

Any help with this will be appreciated, thanks!


Best Regards,

Paulo Pereira


#9
General Discussion / Re: Install problem on NVMe (n...
Last post by Patrick M. Hausen - January 12, 2026, 10:23:22 PM
@Warner welcome! Great to have you joining. Thanks a lot!
#10
Hardware and Performance / Starting homelab network - har...
Last post by hacktheplanet - January 12, 2026, 10:22:32 PM
Hi all!

I will be building out a homelab and would like to have the router running OPNSense. I am coming from a Fritzbox 7530 AX.

I am considering a number of hardware options and would appreciate some advice to help me narrow it down.

Use Case

My use case, as I implied above, is to set up a homelab but also just have a secure and functional home network, so I can do the following:

  • Segment my network into multiple VLANs
  • Set up semi-managed switches
  • Set up access points
  • Explore the IDS/IPS features - will probably run CrowdSec
  • Support personal devices for a household of 2-4 people
  • Set up PoE security cameras on separate VLAN
  • Establish homelab to mess about with things like HomeAssistant, etc.
  • Set up a VPN or similar means of accessing self-hosted services when away from home
  • Future proof my network, at least 2.5G capable

My maximum budget would be €800, though ideally I'd like to stay well under that if possible.

Ready and Purpose Built Options

As far as brand new devices, I have been looking at the following:

1. Protectli VP2430

Pros:

  • From my understanding, specs wise it should be able to handle everything I need.
  • I can also configure it to have more than 8GB of RAM or just get it with 8GB and update it myself down the road if I see the need.
  • Can be configured with Coreboot
  • Can be configured with a TPM
  • Has a standard 2-year warranty

Cons

  • American company (with EU offices) - would prefer to support an EU company and not have to worry about current/future international relations
  • Relatively pricey, considering similar devices are available from Ali Express and other similar marketplaces

Overkill alternative:

Protectli VP2440

Similar pros and cons, just not sure if getting 10GbE is worth it.

I am not really convinced of the various Chinese brands that do similar devices, primarily due to concerns regarding ongoing support and security updates, but if somebody has similar suggestions that address these concerns somewhat, I would be interested in finding out more.

2. DEC697

Pros:

  • From my understanding, specs wise it should also be able to handle everything I need.
  • Supports OPNSense development
  • European
  • Comes with 2 year warranty
  • Comes with 1 year OPNSense Business Edition

Cons

  • RAM not upgradable, may not be as future proof?
  • Also pretty pricey

Questions I have about this product:
- Since this is running an AMD chip, does the lack of Coreboot still present a loss in terms of privacy and security?
- How limiting will 8GB be going forward?

Overkill alternative:

DEC750

Again, mainly for 10G future proofing.

Mini PCs

I have also looked into repurposing a SFF/USFF device as a router, like for example a Lenovo ThinkCentre M720q. I also have access to a bunch of Optiplex 5070 Micros, but these don't have the advantage of the PCIe slot (when used with a riser) that the Lenovo has.

Pros

  • Much cheaper
  • Possibly slightly better specs
  • Can be configured with more RAM later
  • Relatively low power still

Cons

  • Sourcing a device that's in good condition, with original power brick may be difficult
  • Need to source reputable/genuine Intel NIC
  • Need to source riser for PCIe slot or alternative for the Optiplex option
  • Very DIY, would feel afraid of misconfiguring the device and exposing myself to security issues
  • No warranty or support
  • Not as quiet
  • Higher power consumption

I also have an old Intel i5-4960k and GTX 970 system lying about in a big case, which maybe I could look at converting into a small form factor build, similar concerns as above though (mainly around security). In general, I am comfortable enough with problem solving with servers and personal devices as a Linux user, but ideally my router would be fairly set and forget (and reliable!), which I'm not sure these options would provide.

Bonus questions:

  • Has anybody had luck putting a device with OPNSense on it downstream of a FritzBox (which doesn't seem to support bridge mode) without too many issues due to double NAT? I've heard mixed reports that you can put the OPNSense router in the DMZ and forward traffic there, in order to avoid some issues with double NAT.
  • Does anybody have any suggestions for PoE capable switches and access points that play nicely with OPNSense? I've been considering MikroTik but I'm not entirely sure what to look for.

Any advice very much appreciated. Happy to elaborate on anything if need be.