"Recent posts
#1
German - Deutsch / Einsteigerfrage zu NAT
Last post by Bubber - Today at 08:05:56 PMHallo,
ich bin neu hier und daher unerfahren.
Setup:
Ich nutze meine opnsense virtualisiert unter proxmox. Sie hängt hinter einem ISP-Router der im Bridge-Modus läuft. Sie hat neben WAN noch LAN und eine DMZ. In der DMZ habe ich einen Server laufen, den ich aus dem Internet erreichbar machen will.
Dazu habe ich ein vollständige Portweiterleitung gemacht. Das funktioniert auch tadellos.
Problem:
Nun möchte ich aber, Port 22 aus dem Internet komplett blockieren. Eine entsprechende Regel habe ich für das WAN-Interface angelegt und sie vor die (autom. generierte) NAT-Regel platziert. Leider greift sie aber nicht. Es wird einfach alles an den in der Portweiterleitung festgelegten Host weitergeleitet.
Das selbe Problem habe ich auch, wenn ich eine Wireguard-Instanz auf der Firewall laufen lassen möchte. Egal was ich eingestellt habe; Anfragen auf Port 51820 werden auch an den Host weitergeleitet statt von der Firewall/Wireguard behandelt zu werden.
Ich habe irgendwo gelesen (leider kann ich die Quelle auf die Schnelle nicht finden), dass bei NAT vor den "normalen" Regeln bearbeitet wird. Aber trotzdem muss es doch eine Möglichkeit geben, dass ich Wireguard nutzen oder ssh auf WAN blockieren kann?!?
Über Feedback oder Hinweise die mir bei der Lösung bzw. für das bessere Verständnis meines Problems helfen, wäre ich sehr dankbar!
BG
bubber
ich bin neu hier und daher unerfahren.
Setup:
Ich nutze meine opnsense virtualisiert unter proxmox. Sie hängt hinter einem ISP-Router der im Bridge-Modus läuft. Sie hat neben WAN noch LAN und eine DMZ. In der DMZ habe ich einen Server laufen, den ich aus dem Internet erreichbar machen will.
Dazu habe ich ein vollständige Portweiterleitung gemacht. Das funktioniert auch tadellos.
Problem:
Nun möchte ich aber, Port 22 aus dem Internet komplett blockieren. Eine entsprechende Regel habe ich für das WAN-Interface angelegt und sie vor die (autom. generierte) NAT-Regel platziert. Leider greift sie aber nicht. Es wird einfach alles an den in der Portweiterleitung festgelegten Host weitergeleitet.
Das selbe Problem habe ich auch, wenn ich eine Wireguard-Instanz auf der Firewall laufen lassen möchte. Egal was ich eingestellt habe; Anfragen auf Port 51820 werden auch an den Host weitergeleitet statt von der Firewall/Wireguard behandelt zu werden.
Ich habe irgendwo gelesen (leider kann ich die Quelle auf die Schnelle nicht finden), dass bei NAT vor den "normalen" Regeln bearbeitet wird. Aber trotzdem muss es doch eine Möglichkeit geben, dass ich Wireguard nutzen oder ssh auf WAN blockieren kann?!?
Über Feedback oder Hinweise die mir bei der Lösung bzw. für das bessere Verständnis meines Problems helfen, wäre ich sehr dankbar!
BG
bubber
#2
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by franco - Today at 07:58:34 PMThat makes sense then. Happy to see this progress. :)
We could indeed annotate the mirrors with the architectures, but keep in mind when we would add an architecture then these mirrors are invalid until declared otherwise in a release. Perhaps a minor thing, but it indicates manual maintenance which may not be worth the effort.
Cheers,
Franco
We could indeed annotate the mirrors with the architectures, but keep in mind when we would add an architecture then these mirrors are invalid until declared otherwise in a release. Perhaps a minor thing, but it indicates manual maintenance which may not be worth the effort.
Cheers,
Franco
#3
General Discussion / Re: Can OPNsense allow only a ...
Last post by viragomann - Today at 07:52:19 PMQuote from: cicirrr on Today at 10:55:08 AMRight now I'm using basic policy routing, but I'm not sure if that's the correct or safest way to do it.It is.
Just ensure that the policy-routing rule is set on the top of the rule set, so that it is checked before other rules allowing any outbound.
Quote from: cicirrr on Today at 10:55:08 AMShould I separate it by device or VLAN?I assume, you'd assigned static IPs to the concerned devices, maybe via DHCP. So put all these IPs into an alias and use it as source in the policy-routing rule.
Of course, you can also put all these devices in a separate VLAN if you want. So you don't need the source alias.
#4
German - Deutsch / Re: Problem mit sftp Backup üb...
Last post by viragomann - Today at 07:31:03 PMHallo,
Hat der Server eine Route zu OPNsense2?
Wenn ja, lässt OPNsense1 die Verbindung zu?
Quote from: harald99 on Today at 04:39:01 PMWenn ich ein sftp Backup von der OPNsense2 anstoße, kommt die OPNsense2 nicht per SSH an den Server.kennt sie denn die Route dahin?
Hat der Server eine Route zu OPNsense2?
Wenn ja, lässt OPNsense1 die Verbindung zu?
#5
Hardware and Performance / Re: [solved] Intel i226 Firmwa...
Last post by Seimus - Today at 07:11:11 PMUpgraded today as well on my N5105 PRX node
It came with the i226-V firmware:
Upgraded to 2.32 using the 1MB file + the flashing utility for linux, process was without problems.
Regards,
S.
It came with the i226-V firmware:
Code Select
NVM Version : 2.20(2.14)
NVM Version : 2.20(2.14)
NVM Version : 2.20(2.14)
NVM Version : 2.20(2.14)
Upgraded to 2.32 using the 1MB file + the flashing utility for linux, process was without problems.
Code Select
CURRENT FAMILY: 1.0.0
CONFIG VERSION: 1.20.0
; NIC device
BEGIN DEVICE
DEVICENAME: Intel(R) Ethernet Controller I226-V
VENDOR: 8086
DEVICE: 125C
SUBVENDOR: 8086
SUBDEVICE: 0000
NVM IMAGE: FXVL_125C_V_1MB_2.32.bin
EEPID: 80000425
RESET TYPE: REBOOT
REPLACES: 80000290
END DEVICE
Code Select
NVM Version : 2.50(2.32)
NVM Version : 2.50(2.32)
NVM Version : 2.50(2.32)
NVM Version : 2.50(2.32)
Regards,
S.
#6
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by Maurice - Today at 07:06:14 PMI was indeed wondering which mirror gets used with the default "(default)" setting. That's kind of obfuscated. 😅 But I eventually figured out that opnsense-update reads the "url" value from repos/OPNsense.conf, which does get set to CORE_PACKAGESITE at build time.
Until now, I didn't modify CORE_PACKAGESITE, hence I had to inject my mirror into config.xml.sample. Starting with 25.7.8 I will stop doing this since it's no longer necessary with the correct CORE_PACKAGESITE.
Modifying repositories/opnsense.xml isn't really necessary, correct. I just thought it would make sense to remove the amd64 mirrors while I'm at it.
Going forward, it might make sense to add an "architecture" property to each mirror in repositories/opnsense.xml. Mirrors could offer a single or multiple architectures. The GUI then could only display the mirrors which offer the system's architecture.
Cheers
Maurice
Until now, I didn't modify CORE_PACKAGESITE, hence I had to inject my mirror into config.xml.sample. Starting with 25.7.8 I will stop doing this since it's no longer necessary with the correct CORE_PACKAGESITE.
Modifying repositories/opnsense.xml isn't really necessary, correct. I just thought it would make sense to remove the amd64 mirrors while I'm at it.
Going forward, it might make sense to add an "architecture" property to each mirror in repositories/opnsense.xml. Mirrors could offer a single or multiple architectures. The GUI then could only display the mirrors which offer the system's architecture.
Cheers
Maurice
#7
Hardware and Performance / Re: [solved] Intel i226 Firmwa...
Last post by Seimus - Today at 06:25:54 PMUpgraded today as well on my main N100 FW
It came with the i226-V firmware:
Upgraded to 2.32 using the 2MB file, process was without problems.
Regards,
S.
It came with the i226-V firmware:
Code Select
[1] igc0: EEPROM V2.13-0 eTrack 0x80000284
[1] igc1: EEPROM V2.13-0 eTrack 0x80000284
[1] igc2: EEPROM V2.13-0 eTrack 0x80000284
[1] igc3: EEPROM V2.13-0 eTrack 0x80000284
Upgraded to 2.32 using the 2MB file, process was without problems.
Code Select
CURRENT FAMILY: 1.0.0
CONFIG VERSION: 1.20.0
; NIC device
BEGIN DEVICE
DEVICENAME: Intel(R) Ethernet Controller I226-V
VENDOR: 8086
DEVICE: 125C
SUBVENDOR: 8086
SUBDEVICE: 0000
NVM IMAGE: FXVL_125C_V_2MB_2.32.bin
EEPID: 80000422
RESET TYPE: REBOOT
REPLACES: 80000284
END DEVICE
Code Select
[1] igc0: EEPROM V2.32-0 eTrack 0x80000422
[1] igc1: EEPROM V2.32-0 eTrack 0x80000422
[1] igc2: EEPROM V2.32-0 eTrack 0x80000422
[1] igc3: EEPROM V2.32-0 eTrack 0x80000422
Regards,
S.
#8
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by franco - Today at 06:08:36 PMThanks, this works nicely. Now I can get the fingerprints back if I install a development version from our repo. This is still not optimal but it helps and I'll keep pondering about it. I also pushed the man page update for the opnsense-bootstrap change.
FWIW, I don't think you strictly need to change opnsense.xml as your inject the correct mirror into the configuration as it seems. But I was wondering where it reads the default from anyway which is the OPNsense.conf file so I think you don't even need to do that and "(default)" should just work.
Maybe we can hide the other repositories for aarch64 on opnsense.xml but I'm not sure yet.
Cheers,
Franco
FWIW, I don't think you strictly need to change opnsense.xml as your inject the correct mirror into the configuration as it seems. But I was wondering where it reads the default from anyway which is the OPNsense.conf file so I think you don't even need to do that and "(default)" should just work.
Maybe we can hide the other repositories for aarch64 on opnsense.xml but I'm not sure yet.
Cheers,
Franco
#9
25.7, 25.10 Series / High CPU on Dashboard
Last post by cyberfarer - Today at 05:59:29 PMGreetings,
I am seeing an issue on the dashboard where widgets cause many PHP and PHP-CGI processes to spawn that eventually consume all CPU. The widgets themselves become unresponsive. I've noted this issue raised on these forums but not addressed and possibly unrelated.
Logs show entries like this:
This began when configuring IDS, but I have since disabled and removed all rules and the issue persists so I now believe it is unrelated.
Thoughts and ideas are welcome.
P.S. CPU is fine so long as I don't visit the dashboard or remove the impacted widgets.
I am seeing an issue on the dashboard where widgets cause many PHP and PHP-CGI processes to spawn that eventually consume all CPU. The widgets themselves become unresponsive. I've noted this issue raised on these forums but not addressed and possibly unrelated.
Logs show entries like this:
Code Select
2025-11-19T22:11:53-05:00 OPNsense.localdomain configd.py 381 - [meta sequenceId="18"] [68d947aa-2219-44e2-b504-bb0cc73ee1c8] Script action failed with Command '/usr/local/opnsense/scripts/routes/gateway_status.php' died with <Signals.SIGKILL: 9>. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 89, in execute subprocess.run(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 571, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/routes/gateway_status.php' died with <Signals.SIGKILL: 9>.
This began when configuring IDS, but I have since disabled and removed all rules and the issue persists so I now believe it is unrelated.
Thoughts and ideas are welcome.
P.S. CPU is fine so long as I don't visit the dashboard or remove the impacted widgets.
#10
General Discussion / Trouble with VLAN setup on 4-p...
Last post by User074357 - Today at 05:08:10 PMHi,
I have a 4-port OPNsense box to which I have my WAN, PC and NAS connected. OPT1 and OPT2 (NAS and PC) are bridged for LAN. I know it's not recommended to use a bridge for this, but I'm trying to avoid a dedicated switch for now.
The NAS is running TrueNAS SCALE and I now want to create a VLAN for some of the VMs on it. I added a VLAN interface on TrueNAS with tag 20 and the static IP 192.168.20.2/24. I then created a VLAN for igc1 (OPT1) with tag 20 on OPNsense and removed OPT1 from the bridge, since I read I cannot use the untagged interface on a bridge while also using VLANs. The goal is to use 2 VLANs between TrueNAS and OPNsense and adding one of them to the OPNsense LAN bridge.
I added the VLAN interface under assignments and set the IPv4 Configuration Type to Static IPv4 and configured the IP 192.168.20.1/24.
I was expecting to be able to ping my TrueNAS host under 192.168.20.2 from my PC in LAN now, but this doesn't work (100% packet loss). The firewall live view also doesn't show anything.
I'm new to VLANs and I know I should just buy a managed switch, but I'm confused as to why this doesn't work. Am I missing something?
I have a 4-port OPNsense box to which I have my WAN, PC and NAS connected. OPT1 and OPT2 (NAS and PC) are bridged for LAN. I know it's not recommended to use a bridge for this, but I'm trying to avoid a dedicated switch for now.
The NAS is running TrueNAS SCALE and I now want to create a VLAN for some of the VMs on it. I added a VLAN interface on TrueNAS with tag 20 and the static IP 192.168.20.2/24. I then created a VLAN for igc1 (OPT1) with tag 20 on OPNsense and removed OPT1 from the bridge, since I read I cannot use the untagged interface on a bridge while also using VLANs. The goal is to use 2 VLANs between TrueNAS and OPNsense and adding one of them to the OPNsense LAN bridge.
I added the VLAN interface under assignments and set the IPv4 Configuration Type to Static IPv4 and configured the IP 192.168.20.1/24.
I was expecting to be able to ping my TrueNAS host under 192.168.20.2 from my PC in LAN now, but this doesn't work (100% packet loss). The firewall live view also doesn't show anything.
I'm new to VLANs and I know I should just buy a managed switch, but I'm confused as to why this doesn't work. Am I missing something?
