Recent posts

#1
German - Deutsch / Re: [Solved] Problem Reverse P...
Last post by Ronny1978 - Today at 07:34:08 AM
With the help of a member from another forum, we found the solution:

Additional header configuration:

header_up Host {host}
That solves the problem.

Thanks, JohneDoe 😉👍
#2
26.1 Series / SOLVED Re: Problem Reverse Pro...
Last post by Ronny1978 - Today at 07:31:54 AM
With the help of a member from another forum, we found the solution:

Additional header configuration:

header_up Host {host}
That solves the problem.

Thanks JohneDoe 😉👍
#3
General Discussion / Re: AI integration for OPNsens...
Last post by OPNenthu - Today at 07:15:30 AM
Speaking of the Mythos model, I don't know how much of this is industry hype but if it's really as capable as I'm reading, then I hope FreeBSD, OPNsense, and open source projects broadly figure out their strategy before those discovered vulnerabilities become liabilities to all the users.  This is my fear.

It's not difficult to imagine the immense pressure that these AI owners will be able to put on companies in order to pay them extortion fees for priority access to security findings.

And even then, who knows if and how many vulnerabilities are being sold and kept quiet.  We can guess who might be buying.

I thought this article asked some good questions, even though it's written by a security company that I presume uses AI:

https://www.picussecurity.com/resource/blog/anthropics-project-glasswing-paradox
#4
German - Deutsch / Re: How do I use unbound DN...
Last post by stefanpf - Today at 06:40:48 AM
I don't want to sell this as the absolute truth, but the following seems to have helped in my case:
- router advertisements not via dnsmasq, but via radv again (Services / Router advertisements)
  There, in the advanced settings:
  deprecate prefix on
  shutdown prefix on
  Minimum interval 20
  Maximum interval 60
  Default Lifetime 60
  Preferred Lifetime 600
  Valid Lifetime 1800
 - Wifi: e.g. with Unifi, make sure that multicast is not blocked, DTIM set to 3

In between, I had the RAs distributed via dnsmasq and never got it working reliably that way; it was mainly noticeable on the stay-at-home devices (iPad, LG TV).
#5
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by Maurice - Today at 04:53:41 AM
OPNsense 26.1.6 aarch64 packages and sets released.
#6
26.1 Series / Re: lots of empty space in new...
Last post by randell - Today at 03:49:59 AM
Quote from: Patrick M. Hausen on April 10, 2026, 10:18:14 PM
    Seconded. A browser has scroll bars. Just use all of the bloody space. And place all "action" buttons - new, select, delete, ... as well as apply - at the top of the page. Render a web page. It's a web UI, not an application.
Created an account just to +1 this.

I have a smallish laptop, 14" screen running 1080p resolution and that doesn't give much vertical space. It works much better with scrolling the entire window than the little grid.
#7
26.1 Series / Re: Is VPN kill switch rule st...
Last post by OPNenthu - Today at 02:16:59 AM
I'm looking for the current information, but struggling :)

I think none of the obvious sources (OPNsense docs, pfSense docs, OpenBSD pf manual, FreeBSD manual) explicitly state how this works.  The closest I've found so far is from the OpenBSD pf manual, but even that doesn't explicitly answer it.  You have to infer some things by reading between the lines.

https://www.openbsd.org/faq/pf/filter.html

Quote:
    Packet filtering is the selective passing or blocking of data packets as they pass through a network interface.

Quote:
    direction
        The direction the packet is moving on an interface, either in or out.

The part that I underlined, in combination with the fact that interface rules are directional, I **think** implies the following filter flow (NAT omitted):

Ingress:
remote client ---> [WAN]("in" rules) ---> [LAN]("out" rules) ---> local server

Egress:
local client ---> [LAN]("in" rules) ---> [WAN]("out" rules) ---> remote server

Once state is established, subsequent packets bypass the filters.

In most cases we don't use "out" filters in OPNsense, so those filter points can logically seem as though they don't exist.  (Maybe this is a source of confusion and why it's sometimes said that filtering only happens once, at the interface the packet comes in on?)

Then the reason the VPN kill switch works is because when the packet that would otherwise go to the VPN gateway shows up on WAN, the rules there are evaluated because the flow doesn't match a state*.  Then, the WAN "out" rule sees the tag on the packet that was set from the VPN interface and blocks.

So, it must be filtering on all interfaces that the packet traverses, not just the interface the packet came in on.  Else this wouldn't work.

Is this all correct so far?


*not clear how floating vs. interface pf states (not rules) affect this.  Floating states are default in OPNsense, as they are also in OpenBSD's pf.


pfSense is the opposite (defaults to interface bound states) and explains some potential VPN leakage problems.
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states

Maybe at least the rules on the VPN interface should be manually set to interface-bound?

¯\_(ツ)_/¯
#8
26.1 Series / Re: Problem installing OPNsens...
Last post by merlinz01 - Today at 01:51:09 AM
I got this same error installing OPNsense on Proxmox. I used an Ubuntu live ISO and the parted tool to create a GPT partition table, and then the installer succeeded.
#9
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - Today at 01:48:51 AM
Yeah, I don't think it's an actual issue. Before, my connection was dropping off completely and the only fix was to physically unplug and plug the cable back in; nothing I did on the CLI, like if down / if up, brought the connection back, so at least I feel I am in a better spot.
#10
Hardware and Performance / Re: DEC3920 Quick Review
Last post by pfry - Today at 01:31:38 AM
Quote from: dirtyfreebooter on Today at 12:23:30 AM
    [...]yea i dont think its an actual problem, its 0.00027%[...]

I just noticed I have some, a much higher percentage:

root@fw:/home/user # netstat -i
Name        Mtu Network          Address                Ipkts       Ierrs       Idrop      Opkts       Oerrs        Coll
[...]
bridge0    1500 <Link#20>        58:9c:fc:10:85:67  156005318           0           0   68605805     4905211           0
[...]

Quote:
    This is a very specific and telling symptom.[...]the system is dropping packets[...]

Uh... that looks like an AI hallucination. It's looking to me like buffer evictions or similar. Possibly less than ideal, but I don't see any performance issues (I only have a 500Mb service). Oh, and there's all sorts of stuff (as in devices; ixl and ix at least) attached to that bridge. One of these days I'll upgrade (service and servers), and see if I have issues then.