Recent posts

#1
26.1 Series / Re: Unbound DNS
Last post by (MARLOO) - Today at 03:45:17 AM
This is a frequent Unbound DNS issue on OPNsense where allowlists don't take effect immediately due to caching, CNAME redirects, or incomplete propagation after adding domains.

Check Reporting First
Go to Reporting > Unbound DNS > Overview or Details to spot the blocked domain (and any CNAME chain). Click it to whitelist directly—this auto-adds to Services > Unbound DNS > Blocklists > Allowlist Domains.

Use CLI on OPNsense: dig example.com @127.0.0.1 to trace resolutions and whitelist all linked domains.

Clear Cache Properly
In Services > Unbound DNS > General > Advanced, enable Flush DNS cache on restart. Apply changes, then Reload Unbound (full reload, not just cache refresh). Also restart the service via CLI: service unbound restart.

Flush client DNS too (e.g., ipconfig /flushdns on Windows). Test again—exceptions working confirms blocklist config is fine, just needs refresh.

Official Documentation
Full Unbound setup: [docs.opnsense.org/manual/unbound.html]

Reporting guide: [docs.opnsense.org/manual/reporting_unbound_dns.html]
#2
Hardware and Performance / Re: DEC3920 Quick Review
Last post by OPNenthu - Today at 02:50:33 AM
Yes, you're right.  They disabled it on the VP2440's I226-V interfaces, but none of the V-series ones were affected.
#3
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - Today at 02:43:14 AM
Quote from: OPNenthu on Today at 02:34:15 AM
In some posts I've started exporting screenshots in WebP format as it compresses really well and I can squeeze in an extra image or two compared to PNG or JPEG.  But yes, it's sometimes required to split images across multiple posts.

Quote from: dirtyfreebooter on April 05, 2026, 06:36:38 PM
ASPM L1 is enabled for igc NICs from pciconf, Disabled for ax (10g) NICs.

For what it's worth, ASPM L1 is enabled on my V1410's I226-V NICs:

    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 max read 512
                 link x1(x1) speed 5.0(5.0) ASPM L1(L1)

This might not be the best for latency but I haven't seen any stability issues or drop outs at all.  I suspect your VP2440 might also have ASPM L1 on the I226-V ports, but disabled on the X710 ports with the latest coreboot update.  So this configuration seems common.

In all likelihood this passes Deciso's validation testing so I'm wondering if something else could be at play.

VP2440, AMI bios ASPM is completely disabled for all devices. Coreboot 0.9.0, ASPM is enabled for igc and ixl, but igc did this same behavior. Protectli released 0.9.1-rc3 Coreboot and i run that for weeks with full ASPM and no issues. Protectli support says they addressed the ASPM issue with igc in that Coreboot BIOS, FWIW.

i never once had an issue with X710 and ASPM, on the VP2440 or supermicro boards with X710-DA2 pci nic.


#4
Hardware and Performance / Re: DEC3920 Quick Review
Last post by OPNenthu - Today at 02:34:15 AM
In some posts I've started exporting screenshots in WebP format as it compresses really well and I can squeeze in an extra image or two compared to PNG or JPEG.  But yes, it's sometimes required to split images across multiple posts.

Quote from: dirtyfreebooter on April 05, 2026, 06:36:38 PM
ASPM L1 is enabled for igc NICs from pciconf, Disabled for ax (10g) NICs.

For what it's worth, ASPM L1 is enabled on my V1410's I226-V NICs:

    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 max read 512
                 link x1(x1) speed 5.0(5.0) ASPM L1(L1)

This might not be the best for latency but I haven't seen any stability issues or drop outs at all.  I suspect your VP2440 might also have ASPM L1 on the I226-V ports, but disabled on the X710 ports with the latest coreboot update.  So this configuration seems common.

In all likelihood this passes Deciso's validation testing so I'm wondering if something else could be at play.
#5
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - Today at 02:10:47 AM
Quote from: Patrick M. Hausen on Today at 12:55:56 AM
Please attach images to your posts directly on this forum and do not use "image hosters" at all. These are not image hosting services but personal data harvesting services. Or why do you think they're free to use as in "no cost"?

i tried attaching them, the limit is 256KiB for the entire post. so that doesn't really work.
#6
Zenarmor (Sensei) / Help with Blocking Firstly See...
Last post by pSych0bUNny - Today at 01:08:10 AM
Kia ora,

It may be my misunderstanding however I think I have blocked all 'Firstly Seen Sites' (Policies > Security > "High Control")...

ref attached - zen_blockedSite

...however Zenarmor still allows these...?

ref attached - firstSeen

Why are these sites allowed?
They are random URLs created by Proton VPN - I would like to block them.


OPNsense: 26.1.5
Zenarmor:
Engine: 2.4.2
DB: 2.0.26033110
Agent: 2.4.1
UI: 2.4.32
License: FREE

#7
Please attach images to your posts directly on this forum and do not use "image hosters" at all. These are not image hosting services but personal data harvesting services. Or why do you think they're free to use as in "no cost"?
#8
Hardware and Performance / Re: DEC3920 Quick Review
Last post by cookiemonster - Today at 12:42:26 AM
Quote from: dirtyfreebooter on April 04, 2026, 09:19:40 PM
Quote from: cookiemonster on April 04, 2026, 09:07:07 PM
Would you consider using another image hoster? imgur is not available in the UK. I would have liked to see those.
https://help.imgur.com/hc/en-us/articles/41592665292443-Imgur-access-in-the-United-Kingdom

oh didn't realize that. i switched them over to imgchest.com
Thank you
#9
General Discussion / Re: Help needed with DNSCrypt ...
Last post by Patrick M. Hausen - April 05, 2026, 10:41:48 PM
$PERSON has got a couple of accounts under the same name in various tech related forums. I suspect they are human but tend to copy & paste AI slop trying to be "helpful".
#10
26.1 Series / Unbound DNS
Last post by haim9080 - April 05, 2026, 10:32:02 PM
Hello everyone, I have OPNSENSE at home running on a MINIPC with N100, and 16GB RAM, now I did UNBOUND DNS and I put a domain in the ALLOWLIST, and I do a cache refresh and everything, it doesn't work.
But if I make an exception for it, it will work. How can I fix this?


https://jumpshare.com/s/5M6HGv9aVYS48Vw0vbFb