Recent posts

#1
General Discussion / Has the OPNsense team applied ...
Last post by brendacruiz - Today at 12:24:39 PM
Hello everyone,
I've been running OPNsense quietly for ~4 years with zero complaints — it simply works perfectly.
Sorry if this has already been discussed, but I need to ask directly:
With all the talk about Anthropic's Claude Mythos Preview and Project Glasswing, has anyone from the OPNsense team or Foundation applied for access yet? Or do we think it's all hype/scam?
Would be great to hear from the devs and the community.
Thanks!
#2
The proxy populates pf tables with IP addresses; it's as performant as any native table operations with the firewall aliases.
Any alias in Firewall -> Aliases you create is a pf table under the hood.

It also installs host routes for each IP address a client generates via SLAAC. If you have more than a million routes in your routing table things might get slower (I witnessed that with BGP and installing full internet routing tables), but with 300 hosts you will barely even notice anything.

TLDR

Filtering performance is basically native, because the proxy only populates pf tables and pf handles the matching.

The additional cost is mainly in host routes and update churn, but at 200–300 hosts that is negligible.
#3
"There's a "Dynamic gateway policy" checkbox on the interface—maybe that could be the solution to these errors?"

For my WireGuard I do exactly that.

It enables gateway monitoring. I also click disable routes as well.
#5
General Discussion / Re: help with unbound reportin...
Last post by OPNenthu - Today at 11:15:54 AM
And the Unbound reports (Details tab) reveal nothing about which host is making those requests for msn.com?
#6
Hello community,

I am new to Suricata so please excuse my questions. We are running Suricata 8.0.3 on an OPNsense fw in an air-gapped environment and need some help. What is the best way to import the rules file from ET Open to Suricata?

We tried to copy the unzipped rule file (emerging-all.rules) into the path /usr/local/etc/suricate/opnsense.rules and /usr/local/etc/suricate/rules

The rule files are visible in the GUI but in the Suricata log file we see the following warning: "1 rule files specified, but no rules were loaded!" and " No rule files math the pattern /usr/local/etc/suricata/opnsense.rules/suricata.rules"

We also tried to use the command suricata-update --local "path_to_rules_file" --output /usr/local/etc/suricate/opnsense.rules --no-test. The error message in the log file is still "1 rule files specified, but no rules were loaded!" and no rules are visible in the GUI.

Thanks.
#7
General Discussion / help with unbound reporting
Last post by starfox101 - Today at 11:00:51 AM
Using Unbound reporting I have, Top passed domains: MSN.Com 52%. What gives? I have nothing Windows, Microsoft. A couple of months back I used a Win laptop because I had a major hardware failure. Lost two network cards and a switch. Both network cards are in Linux computers. I replaced two switches, both were the same age. Added a UniFi 24 PoE. Everything is back up, but can't figure out the MSN thing.

Thanks
#8
General Discussion / Re: still see traffic going ou...
Last post by OPNenthu - Today at 11:00:09 AM
The VIP is needed so that the IP gets assigned to the loopback (lo0) interface. You can see it in Interfaces->Overview.
#9
General Discussion / Re: still see traffic going ou...
Last post by robertkwild - Today at 10:54:55 AM
Thanks OPNenthu,

I'm a bit confused then, what's the point of making a VIP for it even though I can enter it directly in?
#10
Thank you Cedrik, took some time to sink in, but sounds reasonable to me. It's quite a bit different from what I had in mind. Let's see how I can sell this concept to my customer's IT guy.

Quote from: Monviech (Cedrik) on April 20, 2026, 08:48:29 PM
Reading the man pages is a good idea, I wrote them :)

Someone is reading it, now you know!

Edit:
One more thing! I know this question will come, even if a bit off topic: switching from a classical segmented IP filter (vulgo: firewall) setup to a host-based filter, any idea if and how this impacts overall performance? This is not a huge setup, but has ~200-300 host IPs per interface.