"Recent posts
#1
Hardware and Performance / Re: DEC3920 Quick Review
Last post by OPNenthu - Today at 01:05:15 AMThis chassis design really is beautiful.
Maybe they were trying to figure out if it's a prohibited item under the new policy :P
https://protectli.com/news/statement-fcc-covered-list-update-to-ban-foreign-routers-in-the-us/
I'm just curious: if the VP2440 already does 2Gbps on WAN, where did it fall short? Is it just ZenArmor, or did you see bottlenecks in VLAN routing as well?
I wish coreboot had an option to disable the iGPU as that could be contributing a little to the power draw.
Quote from: dirtyfreebooter on April 03, 2026, 10:25:45 PMUS customs held it for 7+ days, after two docusign attempts with Fedex international customer service, they finally released it.
Maybe they were trying to figure out if it's a prohibited item under the new policy :P
https://protectli.com/news/statement-fcc-covered-list-update-to-ban-foreign-routers-in-the-us/
Quote from: dirtyfreebooter on April 03, 2026, 10:25:45 PMNot sure how much more lab testing I will do before it replaces my Protectli VP2440. I only have 1 Gbps fiber, upgrading to 2 Gbps, so kept the testing simple to WAN on 2.5g interface and LAN on 10g. I didn't have a chance to setup and test wireguard, but since the VP2440 with N150 can handle ~2Gbps wireguard, this should have no problem with my use case.
I'm just curious: if the VP2440 already does 2Gbps on WAN, where did it fall short? Is it just ZenArmor, or did you see bottlenecks in VLAN routing as well?
Quote from: dirtyfreebooter on April 03, 2026, 10:25:45 PMPleasantly surprised this thing idles less than the Protectli VP2440 (which is 12w with Coreboot 0.9.1-rc3 with ASPM enabled).
I wish coreboot had an option to disable the iGPU as that could be contributing a little to the power draw.
#2
Tutorials and FAQs / Re: [HOWTO] OpnSense under vir...
Last post by snulgy - Today at 12:59:22 AMwell, after way too much time spent on this I am giving up, for now at least. I don't absolutely need this dual home VM there but I hate not getting to the bottom of an issue like this.
It must be asymmetric routing related as some (?) return traffic "comes back" via the opnsense interface from other network devices despite staying in the same local VLAN. I put "come back" in quotes because it's more like "seen by opnsense" which causes all these drop logs, but the packets do arrive.
when I remove the VM's interface in that VLAN, causing all traffic to have to go through opnsense, no more state violations.
I tested everything I could think of, but the Linux bridge setup in proxmox is pretty simple and checks out and the interfaces in opnsense also show what I would expect. yet..
I might come back to this, and if anyone has theories I'm interested. Thanks!
It must be asymmetric routing related as some (?) return traffic "comes back" via the opnsense interface from other network devices despite staying in the same local VLAN. I put "come back" in quotes because it's more like "seen by opnsense" which causes all these drop logs, but the packets do arrive.
when I remove the VM's interface in that VLAN, causing all traffic to have to go through opnsense, no more state violations.
I tested everything I could think of, but the Linux bridge setup in proxmox is pretty simple and checks out and the interfaces in opnsense also show what I would expect. yet..
I might come back to this, and if anyone has theories I'm interested. Thanks!
#3
Tutorials and FAQs / Re: IPv6 Control Plane with FQ...
Last post by Seimus - Today at 12:57:20 AMQuote from: OPNenthu on April 03, 2026, 11:55:08 PMI think maybe these:
https://forum.opnsense.org/index.php?topic=43856.0
https://forum.opnsense.org/index.php?topic=45135.0
It'll take some time to play but if I find a way to improve the Household test score I will post back.
Nice you found it!
I should maybe again reconsider, to test and maybe write about Weighted scheduler + Latency Queue management. I previously did think about it, but it does require more configuration and could confuse the general user.
Regards,
S.
#4
General Discussion / Re: Monit + Wazuh?
Last post by cookiemonster - Today at 12:41:36 AMDoesn't monit check only for the existence of the pid ? In other words, it does not care what its number is, just that it exists.
I can't tell more as I tried wazuh and found it too much for my home needs. Corporate.. of course a valid option.
I can't tell more as I tried wazuh and found it too much for my home needs. Corporate.. of course a valid option.
#5
General Discussion / DNS, DoH, DoT, DoQ, DNSCrypt, ...
Last post by Mario_Rossi - Today at 12:25:58 AMHi, I'm looking for information, but the topic is very complex and fragmented. I'm not sure if this is the right section; if so, I apologize.
The question is simple to say, but far from done.
On the one hand, I'd like my firewall to monitor all DNS queries to filter out ads and other malicious/unwanted content. On the other, I'd like all outgoing queries from my firewall to be secure and anonymized (as much as possible).
I've found several discussions online, but they're starting to get old, so they don't match the latest versions of OPNsense and the various plugins/services, or things have simply changed.
I'd like to start a discussion, perhaps to be updated over time based on the evolution of OPNsense and the world out there. Possibly divided into sections for those who use third-party plugins like PiHole/ADGuard integrated into the OPNsense installation or on other VMs/CTs/devices within their network, those who only use unbound/firewall rules, and those who want to use a combination of these tools. As you can imagine, it's all incredibly complex and has a lot of variables.
The question is simple to say, but far from done.
On the one hand, I'd like my firewall to monitor all DNS queries to filter out ads and other malicious/unwanted content. On the other, I'd like all outgoing queries from my firewall to be secure and anonymized (as much as possible).
I've found several discussions online, but they're starting to get old, so they don't match the latest versions of OPNsense and the various plugins/services, or things have simply changed.
I'd like to start a discussion, perhaps to be updated over time based on the evolution of OPNsense and the world out there. Possibly divided into sections for those who use third-party plugins like PiHole/ADGuard integrated into the OPNsense installation or on other VMs/CTs/devices within their network, those who only use unbound/firewall rules, and those who want to use a combination of these tools. As you can imagine, it's all incredibly complex and has a lot of variables.
#6
Tutorials and FAQs / Re: IPv6 Control Plane with FQ...
Last post by OPNenthu - April 03, 2026, 11:55:08 PMI think maybe these:
https://forum.opnsense.org/index.php?topic=43856.0
https://forum.opnsense.org/index.php?topic=45135.0
It'll take some time to play but if I find a way to improve the Household test score I will post back.
https://forum.opnsense.org/index.php?topic=43856.0
https://forum.opnsense.org/index.php?topic=45135.0
It'll take some time to play but if I find a way to improve the Household test score I will post back.
#7
General Discussion / Re: Best way to set up DMZ wit...
Last post by nero355 - April 03, 2026, 10:37:24 PMQuote from: User074357 on April 03, 2026, 12:54:13 AMMy LAN network has its own /64 prefix now and everything works as expected.I am not sure about this part :
Now I also want to add IPv6 support to my DMZ network, but I'm unsure about how to deal with the firewall rules.
However I'm not sure how to create a rule for IPv6, which allows access to the internet
Quotewhile blocking access to LAN and also the FritzBox on the WAN interface.But I would expect the following situation :
Can I simply block access to the /59 prefix somehow?
However since this prefix is dynamic by the ISP I'm not sure how to proceed.
- Your IPv6 Prefix is at least valid for a certain period if it's not completely static.
- Each of your networks get a /64 based on a ID you can assign to them : 0/1/2/3/4/etc.
- You could put all of these /64 in an Alias cut off at the ID.
- And then use this Alias in the Firewall Rule(s).
In case your IPv6 Prefix changes the amount of editing you need to do is minimal this way :)
I can't find any information about the ID that I am mentioning here @ https://docs.opnsense.org/ so I feel like I am saying something wrong here, but I am pretty sure I am not ?!
#8
Hardware and Performance / DEC3920 Quick Review
Last post by dirtyfreebooter - April 03, 2026, 10:25:45 PMPicked up a DEC3920 from OPNsense Shop. US customs held it for 7+ days, after two docusign attempts with Fedex international customer service, they finally released it.
The hardware itself is very well made. Almost a work of art. There is fan noise, though its minor, not like a 1U Dell / Supermicro. You can hear the fan noise go up and down. AMD V3C18 CPU, comes with hyperthreads disabled.
Not sure how much more lab testing I will do before it replaces my Protectli VP2440. I only have 1 Gbps fiber, upgrading to 2 Gbps, so kept the testing simple to WAN on 2.5g interface and LAN on 10g. I didn't have a chance to setup and test wireguard, but since the VP2440 with N150 can handle ~2Gbps wireguard, this should have no problem with my use case.
Pleasantly surprised this thing idles less than the Protectli VP2440 (which is 12w with Coreboot 0.9.1-rc3 with ASPM enabled). Out of the box without having to mess with any settings or tuneables.
Memory
1x 16gb DDR5 Micron Technology CT16G56C46U5.C8H
Speed: 5600 MT/s
NVMe
Transcend TS256GMTE712A 256gb
NVMe PCIe Gen 4 x4
NAND Flash Type,112-layer 3D NAND (TLC)
Sequential Read Speed "Up to 3,800 MB/s"
Sequential Write Speed "Up to 3,200 MB/s"
Random Read / Write "Up to 350,000 IOPS / Up to 330,000 IOPS"
Endurance "Up to 4,000 TBW (Terabytes Written) / 1.84 DWPD"
MTBF "3,000,000 hours"
Network
igc i226-V nics ship with v2.25 firmware
Power and iperf tests
All power measured at wall outlet of 110v using PN2000 power meter.
reboot - 57.64s
idle - wan igc1, lan igc0 (first boot) - 8.78w
iperf upload - 18.75w - 2.35 Gbit/s
iperf download - 18.60w - 2.35 Gbit/s
idle - zenarmor, wan igc0, lan ax0 - 9.92w
iperf upload - 21.53w - 2.35 Gbit/s
iperf download - 22.04w - 2.35 Gbit/s
Zenarmor with SQLite database with default policy with more than 50% policy blocks turned on. adds about 1w to idle. ~5w to routing 2.5g.
Photos
The hardware itself is very well made. Almost a work of art. There is fan noise, though its minor, not like a 1U Dell / Supermicro. You can hear the fan noise go up and down. AMD V3C18 CPU, comes with hyperthreads disabled.
Not sure how much more lab testing I will do before it replaces my Protectli VP2440. I only have 1 Gbps fiber, upgrading to 2 Gbps, so kept the testing simple to WAN on 2.5g interface and LAN on 10g. I didn't have a chance to setup and test wireguard, but since the VP2440 with N150 can handle ~2Gbps wireguard, this should have no problem with my use case.
Pleasantly surprised this thing idles less than the Protectli VP2440 (which is 12w with Coreboot 0.9.1-rc3 with ASPM enabled). Out of the box without having to mess with any settings or tuneables.
Memory
1x 16gb DDR5 Micron Technology CT16G56C46U5.C8H
Speed: 5600 MT/s
NVMe
Transcend TS256GMTE712A 256gb
NVMe PCIe Gen 4 x4
NAND Flash Type,112-layer 3D NAND (TLC)
Sequential Read Speed "Up to 3,800 MB/s"
Sequential Write Speed "Up to 3,200 MB/s"
Random Read / Write "Up to 350,000 IOPS / Up to 330,000 IOPS"
Endurance "Up to 4,000 TBW (Terabytes Written) / 1.84 DWPD"
MTBF "3,000,000 hours"
Network
igc i226-V nics ship with v2.25 firmware
Power and iperf tests
All power measured at wall outlet of 110v using PN2000 power meter.
reboot - 57.64s
idle - wan igc1, lan igc0 (first boot) - 8.78w
iperf upload - 18.75w - 2.35 Gbit/s
iperf download - 18.60w - 2.35 Gbit/s
idle - zenarmor, wan igc0, lan ax0 - 9.92w
iperf upload - 21.53w - 2.35 Gbit/s
iperf download - 22.04w - 2.35 Gbit/s
Zenarmor with SQLite database with default policy with more than 50% policy blocks turned on. adds about 1w to idle. ~5w to routing 2.5g.
Photos
#9
Tutorials and FAQs / Re: Technitium DNS Server on O...
Last post by nero355 - April 03, 2026, 10:12:03 PMQuote from: gehoernchen on April 03, 2026, 05:04:36 PMTechnitium requires .NETMy #1 reason not to use it :)
There are enough alternatives for both FreeBSD and Linux that do their job just fine!
#10
General Discussion / Re: WAN Failover
Last post by sorano - April 03, 2026, 09:47:48 PMQuote from: t84a on April 03, 2026, 08:46:44 PMQuote from: nero355 on April 03, 2026, 03:59:33 PMQuote from: t84a on April 03, 2026, 03:27:36 PMAfter the upgrade that required the rule migration, my Failover no longer works.It's completely your own choice to migrate the rules or not for now and probably until the end of the year or so !! ;)
It's too late. I already migrated the rules. Now my Failover doesn't work.
Rollback your backup config!
