Recent posts

#1
Hello there, I'm kind of new to OPNsense and the general firewall topic. I'm currently having issues with allowing Steam to authenticate my user.

I have two interfaces:

WAN (192.168.2.236)
LAN (192.168.0.1)

On the LAN I have configured the following rules as stated in the Steam firewall configuration guide (https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB)

If I now open Steam I run into a timeout. The connection log from Steam says the following in the .txt file.

I can't see any blocking on the LAN side, so I think I set up everything correctly there. Even a LAN-Any-Allow rule won't do it.

On the WAN side I can see a lot of blocks from the default deny / state violation. I assume that Steam is sending their authentication over a CDN. This has a different IP and port, so the firewall thinks it's a random packet and denies it.

How can I fix this problem?
#2
General Discussion / OPNsense plugin for bidirectio...
Last post by CK_beats - Today at 08:31:37 PM
Hello everyone,
I'd like to take a moment to promote a project I discovered on GitHub:
An extension for our OPNsense featuring a bidirectional plugin for AbuseIPDB!

The developer is currently still running it as a beta version. However, I've already been using it in a production environment for quite some time. It replaces all previous unidirectional blacklists—such as those from FireHol, etc.

I can highly recommend it!

https://github.com/KaiOppi/os-abuseipdb

Installation is child's play.
Setup is automatic—if you wish.

Give it a try!
#3
German - Deutsch / Re: "Slow" Internet since upd...
Last post by meyergru - Today at 08:14:15 PM
I did link the guide. But if it is a Telekom line, it doesn't work, which I already wrote too.
#4
German - Deutsch / NGINX configuration changes...
Last post by freakofevil - Today at 08:00:25 PM
Hello everyone,

I have already searched several threads in the forum and found multiple similar posts describing that changes to the NGINX configuration are not applied immediately, even though one clicks "Apply" in the GUI.

Among other things, the following was recommended:

* use the orange reload button,
* restart the service via the GUI,
* or re-apply the settings several times.

Unfortunately I still have exactly this problem on my private OPNsense installation.

Problem description:

As soon as I make changes to the NGINX reverse proxy and then click "Apply", the changes do not become active.

I have already tested:

* the normal "Apply" button
* Stop/Start of the service via the GUI
* Reload/Restart via the GUI
* applying the configuration several times
* disabling/enabling NGINX
* checking for configuration errors

The behaviour remains identical, however.

The changes only work reliably when I either:

* restart the entire OPNsense
    or
* reload or restart NGINX manually via the shell.

Directly after this manual reload the new settings take effect without problems.

My questions:

* Is this behaviour known?
* Are there currently problems with reloading the NGINX configuration in the plugin?
* Is the active nginx.conf perhaps not being reloaded or generated correctly?
* Have other users had similar experiences?
* Is there a recommended workaround or a "clean" solution for this?

I would be glad if someone could share their experiences or a permanent solution.
#5
26.1, 26.4 Series / Acme Certificates not renewing
Last post by dirtyfreebooter - Today at 07:18:54 PM
Running OPNsense Business 26.4_14-amd64

Acme cert expired today. The logs say:
AcmeClient: issue/renewal not required for certificate: <domain>
but the cert is expired. If I manually click on the issue/renew button, it renews fine.
#6
General Discussion / Re: Support AmneziaWG
Last post by smoore - Today at 07:02:54 PM
There is a legitimate need for a VPN that can work around enterprise SWG. I wrote my story here: https://forum.opnsense.org/index.php?msg=267146

It's also been mentioned that many hotels and other sites that host normal civilians impose restrictive policies that truly threaten legitimate work. I've stayed in hotel chains where WG doesn't work, so I've used OpenVPN/tls-crypt on 443 to get to my console, but this workaround has aged and is easy to catch.

AmneziaWG is one such solution (if the SWG doesn't blanket-kill UDP), but I agree, universal tools like wstunnel are longer-term solutions.
#7
General Discussion / Re: AmneziaWG on OPNsense and ...
Last post by smoore - Today at 06:51:55 PM
I strongly agree with unholy_saint (while at the same time, laughing at the irony of reading that statement out of context).

DPI threatened property damage in my case. I was out camping at a state park, far from cellular signal. The campground had Wifi, but I could not log on to WG, OpenVPN, or Tailscale. It even blocked ChatGPT, Claude, and others (although Gemini got through). Turns out the state has a unified profile for all state-provided internet and the strictest controls are set for the employees of the Department of Revenue. Therefore, all state WiFi is restricted to this common profile. State law prohibits disclosing the nature of the restrictions, so it's an exercise in reverse engineering. It's full enterprise SWG with a massive blocklist and DPI that scrubs VPN. Can't have those revenue employees poking holes out of the tax office. Unfortunately for us civilian normies using state park facilities, we can't either.

I received a message that at home, a severe thunderstorm dumped enough rain to cause the sump pump alarms to activate. I needed to check the pump cycle rate and diagnose check valve failure. But I couldn't VPN into the network. So I had to endure a long message stream having somebody at home send me screenshots, click something, send another screenshot, and so forth, until we were satisfied the pumps were fine. Property damage avoided.

First thing back home was to search for a fix: AmneziaWG was on top of my list (OPNsense/tls-crypt on 443 is soooo 2018)
#8
German - Deutsch / Re: "Slow" Internet since upd...
Last post by cottec - Today at 06:25:23 PM
Quote from: meyergru on May 14, 2026, 08:14:29 AM
if you don't have a Telekom DSL connection, to raise the MTU to 1500 bytes using mini jumbo frames.

I have an o2 connection over a Telekom line...
Where would I need to test this?
Enter MTU 1500 on the pppoe device and then remove everything from the interfaces?
#9
General Discussion / Re: Chromecast cannot connect ...
Last post by MrHappyHippo - Today at 06:05:56 PM
I have a dynamic prefix, that's why I set it to ::1. But if you're saying it won't work with DNAT rules in OPNsense, I'll try to fix it with a ULA instead.

Good point as well about DNS only needing one protocol.
#10
General Discussion / [RESOLVED]Re: Stumped - Tracki...
Last post by lmoore - Today at 05:19:12 PM
The mud settled, the water cleared.
There before us it was plain to see.
4 x DNS queries internally
4 x NTP requests out the WAN port

The two previous rules are set to Last match, hence the evaluation continued to the Block rule I'd created.