Recent posts

#1
26.1 Series / configuration backup always co...
Last post by tcm1010 - Today at 03:16:11 AM
My configuration backups currently seem to always contain RRD data, regardless of whether the option "Do not backup RRD data" is checked or not in the web GUI.

Taking a closer look at the backup XML file, an XML tree browser shows:

if "Do not backup RRD data" is checked:

[...]
<syslog/>
+<rrddata></rrddata>          # RRD data is there
+<schedules></schedules>
</opnsense>


if "Do not backup RRD data" is unchecked:

[...]
<syslog/>
+<rrddata></rrddata>          # RRD data is still there...
+<schedules></schedules>
+<rrddata></rrddata>          # ...and another copy is here!
</opnsense>


From what I can gather of the GUI backups I have taken manually via the web GUI in the past few months... I started with OPNsense version 25.7.11-2, and backups without the RRD data were about ~70 kB in size, with the RRD data, 2.5 MB.  This is what I expect.

I updated to version 26.1, and then the backups with and without the RRD data were of equal size, about 2.7 MB at the time.  So regardless of the web GUI option, the backups now contained the RRD data.

At the time, I discovered in the logs I was experiencing the error in issue 9686 (https://github.com/opnsense/core/issues/9686), and so I applied the patch mentioned therein:

# opnsense-patch 6933841c6

The errors in the logs went away, as expected.  However, the backups with the RRD data were now ~6 MB in size (!) and without the RRD data ~3 MB in size.  (See the XML browser snippet mentioned above.  This is my current state.)

I then upgraded to 26.1.2_5 and also installed the plug-in os-sftp-backup to try automated backups.  The sftp backups are ~3 MB in size.  Given my current situation, I do not know if these are supposed to include the RRD data or not.  (There does not seem to be a separate option to include or not include the RRD backups in the sftp backup section of the web GUI.)


So, now the questions:

1.  How can I get back to a state where the configuration backups without the RRD data are "small" again?

2.  If the os-sftp-backup plug-in is working as designed (i.e., including the RRD data), how may I request an option in that section of the web GUI with the same option, i.e., "Do not backup RRD data"?


P.S.  For completeness, the /conf/config.xml file is ~3 MB and has one copy of the rrddata.
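A small check, added here as an illustration and not part of the post or of OPNsense itself, that parses a configuration backup and reports how many top-level <rrddata> blocks it carries and how large each one is, so the "checked" and "unchecked" cases above can be compared without an XML tree browser. The root-level <rrddata> placement follows the snippets in the post; the sample document and the verdict strings are constructed.

```python
"""Count and size the <rrddata> blocks in an OPNsense-style config backup.
Added example, not OPNsense code. Assumes the shape shown in the post:
root element <opnsense> with <rrddata> as a direct child."""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple


def rrddata_report(xml_bytes: bytes) -> List[Tuple[int, int]]:
    """Return (position among root children, serialized size in bytes) for
    every top-level <rrddata> element, in document order."""
    root = ET.fromstring(xml_bytes)
    report = []
    for idx, child in enumerate(root):
        if child.tag == "rrddata":
            report.append((idx, len(ET.tostring(child))))
    return report


def check_backup(xml_bytes: bytes, expect_rrd: bool) -> str:
    """Compare what the backup contains with what the 'Do not backup RRD data'
    checkbox should have produced (expect_rrd=False means it was checked)."""
    found = rrddata_report(xml_bytes)
    if not found and not expect_rrd:
        return "ok: no rrddata present"
    if len(found) == 1 and expect_rrd:
        return "ok: one rrddata block (%d bytes)" % found[0][1]
    if found and not expect_rrd:
        return "mismatch: %d rrddata block(s) present although RRD export was disabled" % len(found)
    if len(found) > 1:
        return "duplicate: %d rrddata blocks, sizes %s" % (len(found), [s for _, s in found])
    return "mismatch: rrddata expected but missing"


# Constructed sample mirroring the second snippet in the post: two copies of rrddata.
SAMPLE = (b"<opnsense><syslog/>"
          b"<rrddata><rrd name=\"system-processor\"><data>AAAA</data></rrd></rrddata>"
          b"<schedules></schedules>"
          b"<rrddata><rrd name=\"system-processor\"><data>AAAA</data></rrd></rrddata>"
          b"</opnsense>")

if __name__ == "__main__":
    # usage: python3 rrdcheck.py [backup.xml] [--with-rrd]
    files = [a for a in sys.argv[1:] if not a.startswith("--")]
    data = open(files[0], "rb").read() if files else SAMPLE
    print(check_backup(data, expect_rrd="--with-rrd" in sys.argv))
```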
#2
26.1 Series / Re: OPNSense Get Hacked
Last post by nicholaswkc - Today at 02:54:58 AM
Quote from: jonny5 on February 17, 2026, 04:34:01 PM
Quote from: nicholaswkc on February 16, 2026, 10:46:10 AM
Can the OPNSense also be affected if a hacker got access to the LAN?

Internal firewall rules with separate zones/interfaces for Wifi/Client/DMZ/Core/etc. Would advise using VLANs if you can; otherwise subnetting with /24s is a good idea.

From what I've read, you might also want to turn on MAC address filters on your WAPs and/or OPNSense's DHCP. Good luck!

I have MAC filtering enabled. No SSH and no open ports. How do I create VLANs or subnetting?
#3
High availability / Re: Little Confused
Last post by falken - Today at 01:21:14 AM
Quote from: meyergru on March 04, 2026, 03:35:12 PM
That is what I meant: Sure, it causes no immediate conflicts, iff the MACs are different. However, you must set the aliases on both sides in advance, not just one. Otherwise, a fail-over would null the existing settings.
Yeah you would want to make sure they all are set on all servers.
#4
26.1 Series / Truncated Update downloads 26....
Last post by Darkvader - Today at 01:17:21 AM
Hello,

I'm having an uphill battle getting my opnsense installation updated. I've scoured the forum and discovered the curl/fetch method to update and even trying that doesn't work. I'm getting some strange errors.

curl https://pkg.opnsense.org/FreeBSD:14:amd64/26.1/sets/base-26.1.3-amd64.txz --output base-26.1.3-amd64.txz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 94 135.5M  94 127.8M   0     0  5282k     0   0:00:26  0:00:24  0:00:02  4323k
curl: (56) OpenSSL SSL_read: OpenSSL/3.0.19: error:0A000126:SSL routines::unexpected eof while reading, errno 0

and
fetch https://pkg.opnsense.org/FreeBSD:14:amd64/26.1/sets/base-26.1.3-amd64.txz
base-26.1.3-amd64.txz                          97% of  135 MB 3529 kBps    01s
fetch: base-26.1.3-amd64.txz appears to be truncated: 138295975/142168104 bytes

Running curl and fetch twice seems to give different file sizes, even when trying multiple times, which suggests to me a problem on the download server side of things.
This also applies when downloading the file with Firefox; that fails too.

No other download fails over my connection. Sometimes I do get hitching, but that shouldn't cause an EOF to be sent when I try to download something.

This is about the fifth time I've had failed updates with the same packages (base and kernel) on different versions. Sometimes they resolve themselves, sometimes they don't and need me to fight it. I believe I'm having the same issue on multiple servers/repos because even changing repos doesn't seem to resolve the problem.

I did see something a little while ago that people do have issues with 5G NSA/LTE connections, which is what I'm using; however, I doubt that'd cause the issue I'm having here. Nothing else I download fails in the same way.

I have tested this a few different ways, and it seems to me that when the download exceeds an amount of time, it will close the connection and stop the download. Over my VPN, which allows a much faster download (because it's not traffic shaped as much), it completes successfully.
Is there anything you'd suggest I can try? Or is there something else going on here?

Thanks
D.
#5
26.1 Series / Re: Clarification on source-ba...
Last post by OPNenthu - Today at 12:26:59 AM
Thanks @falken.  Now I have to revisit the dual-stack discussions in the Tutorials forum to recall why IPv4 (only) is recommended by some for internal services, but it's good to have options.

The Blocklist feature request should be helpful even for cases besides dynamic IPv6, I hope.  I can imagine others wanting to do things like excluding localhost or specific clients/subnets from broader network and default policies.
#6
More or less forced a BPF filter for Suricata in PCAP mode, as I realized that it is configured via the command line options...

So I edited "/usr/local/etc/rc.d/suricata" and changed the now commented out line with the next line:
# [ -z "$suricata_flags" ]    && suricata_flags="-D"
suricata_flags="-D -F /usr/local/etc/suricata/capture-filter.bpf"

Now I have already tested the earlier BPF, it starts with it, and it filters (I was able to comment-out my pass rules I was using to ignore traffic).

How can we enable natural use of the -F <filename> for a BPF filter to use when in PCAP mode?

To all doing IPS and wondering if you can BPF for Suricata, in short, no, it does not appear so.

If you were to BPF your IPS, you would now have, as a first-level filter on your network, the BPF filter itself for all interfaces Suricata would be IPS for... which, if you are only trying to get Suricata to focus on important stuff, isn't going to work here, as it filters the traffic before Suricata sees it and thus Suricata cannot pass it along.
#7
26.1 Series / Re: [SOLVED] Error upgrading f...
Last post by lUomino - March 04, 2026, 11:39:56 PM
I also upgraded from 26.1.2_5 and received the same popup. The system continued to upgrade and seems to be working normally.

I looked in the error logs and found some suspicious entries in the backend logs, all from the config.d process:

2026-03-04T17:08:50-05:00Errorconfigd.py[8a5a8686-eb4e-4ce0-b36f-182539b085c3] Script action failed with Command '/usr/local/opnsense/scripts/ddclient/ddclient_opn.py -l' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 85, in execute subprocess.run(script_command, env=self.config_environment, shell=True, ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ check=not self.disable_errors, stdout=output_stream, stderr=error_stream) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.13/subprocess.py", line 577, in run raise CalledProcessError(retcode, process.args, output=stdout, stderr=stderr) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/ddclient/ddclient_opn.py -l' returned non-zero exit status 1.
2026-03-04T17:08:46-05:00Errorconfigd.py[e8e9881d-1ff4-4fc8-8808-d2daaa156e9f] Script action failed with Command '/usr/local/opnsense/scripts/ddclient/ddclient_opn.py -l' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 85, in execute subprocess.run(script_command, env=self.config_environment, shell=True, ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ check=not self.disable_errors, stdout=output_stream, stderr=error_stream) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.13/subprocess.py", line 577, in run raise CalledProcessError(retcode, process.args, output=stdout, stderr=stderr) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/ddclient/ddclient_opn.py -l' returned non-zero exit status 1.
2026-03-04T17:08:43-05:00Errorconfigd.py[5ecb8de5-f9dd-4ddf-9ec6-15828cc1f26b] Script action failed with Command '/usr/local/opnsense/scripts/ddclient/ddclient_opn.py -l' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 85, in execute subprocess.run(script_command, env=self.config_environment, shell=True, ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ check=not self.disable_errors, stdout=output_stream, stderr=error_stream) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.13/subprocess.py", line 577, in run raise CalledProcessError(retcode, process.args, output=stdout, stderr=stderr) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/ddclient/ddclient_opn.py -l' returned non-zero exit status 1.
#8
General Discussion / Re: ISP bandwidth is cut in 1/...
Last post by meyergru - March 04, 2026, 11:39:51 PM
If that is true, RSS mode should fix it.
#9
General Discussion / Re: Unifi VLANs with new OPNse...
Last post by meyergru - March 04, 2026, 11:32:25 PM
You noticed the smiley?

There have been discussions back and forth about switching the Unifi management VLAN from untagged (VLAN 1). I once did that and dialled everything back because you then have problems adopting new devices, as they only respond on the untagged network. You would need a specific "initial provisioning" port on your switch for that.

Altogether, I found that the best way (for me) is to stay with Unifi's default (i.e. having untagged/VLAN 1) as the main management network and have all user traffic on different VLANs. The only problem is that the untagged network is being used at all, and this can be solved by using two physical interfaces on OpnSense. I like to have multiple interfaces connected to the switch anyway, to have more bandwidth for inter-VLAN traffic.

Unifi works just fine with IP ranges different from 192.168.1.0/24 and I like to keep that free for ONT/modem access.
#10
Zenarmor (Sensei) / Re: Google Voice keeps getting...
Last post by lorem - March 04, 2026, 11:30:56 PM
As soon as I add the blocked IP to the exclusion it works. Restarting isn't necessary. The problem happens when Google changes the IP or port.

I already did the "Have Feedback" last time and I had several messages back and forth with the support person. The last one he wanted me to make and send Wireshark CAP files. I feel if they really want to debug what is a problem in their software they would do it themselves. This is not a configuration issue on my end, so I stopped at that point.

I am not on the business level subscription with official support, so I hope perhaps I can get more eyes on this issue by posting here. I think that Google Voice, a very popular app, should be listed in Policy -> App controls. At the least I want to point out the inconsistency of how categories are processed, as I did in my original post above.