"Recent posts
#1
26.1, 26,4 Series / Re: 2 WAN Uplinks split routin...
Last post by wincent - Today at 04:39:58 AMI thank you need a layer 3 switch that supports PBR to be placed between two FritzBoxes and OPNsense devices.
#2
Hardware and Performance / Re: PPPoE performance with cur...
Last post by pfry - Today at 02:22:07 AMPPPoE is apparently single-thread on FreeBSD... but that should only halve your performance (or thereabouts) on that dual-core CPU. The CPU load figure may be misleading, but even proving that premise may not be enlightening. You could try OPNsense on a machine with greater single-thread performance, but a 3.4GHz Skabylake shouldn't be too bad. A Zen 5 (e.g. 9600X at 5.4GHz) might double it (on this workload). I haven't used PPPoE (knocking on wood...) myself (even my old DSLs used bridging or routing for static IPs, which I've always had; my only PPP link was ISDN, and 128k was pretty easy to achieve).
Edit: For the heck of it (quoting myself), you might try "netstat" - "-m", "-i", perhaps "-Q", "-T", "-x", "-s" options (most have to be issued separately), and see if anything looks bad. I'm not sure if these will provide useful data for a PPPoE device.
Edit: For the heck of it (quoting myself), you might try "netstat" - "-m", "-i", perhaps "-Q", "-T", "-x", "-s" options (most have to be issued separately), and see if anything looks bad. I'm not sure if these will provide useful data for a PPPoE device.
#3
Intrusion Detection and Prevention / Policy Editor?
Last post by spetrillo - Today at 12:55:52 AMThe following shows up when I access web GUI from my phone. It does not show up when I access from my Linux desktop:
We strongly advise to use policies instead of single rule based changes to limit the size of the configuration. A list of all manual changes can be revised in the policy editor (available here)
Is there doc on using the policy editor?
Steve
We strongly advise to use policies instead of single rule based changes to limit the size of the configuration. A list of all manual changes can be revised in the policy editor (available here)
Is there doc on using the policy editor?
Steve
#4
German - Deutsch / Re: Absoluter Anfänger hat Ver...
Last post by cola247 - June 28, 2026, 11:47:50 PMMerke schon, die Fragen überfordern die Gottmoderatoren in ihrer Einfachheit.
Ist auch Wurst, bin auch ohne euer angelesenes Halbwissen durchgestiegen. Naja, eigentlich kann dieses Forum damit zu. Aber was ist dann Eure Existenzberechtigung hier ?
:-D
Ihr seid schon ganz schön harte, introvertierte IT-Buben. Ohne euch gäbe es keine Pyramiden. Haha. Tschau Kakao.
Ist auch Wurst, bin auch ohne euer angelesenes Halbwissen durchgestiegen. Naja, eigentlich kann dieses Forum damit zu. Aber was ist dann Eure Existenzberechtigung hier ?
:-D
Ihr seid schon ganz schön harte, introvertierte IT-Buben. Ohne euch gäbe es keine Pyramiden. Haha. Tschau Kakao.
#5
Q-Feeds (Threat intelligence) / Re: Q-Feeds, Suricata, Crowdse...
Last post by dinguz - June 28, 2026, 11:46:48 PMWorth keeping in mind: with quick-match rule evaluation (the pf default), the first blocklist rule that matches gets the hit, and the packet never reaches the rules below it. So whichever list sits highest in your rule order absorbs most of the hits for any IP that's on multiple lists, regardless of which list is actually better. Comparing hit counts across blocklists to judge quality is therefore skewed by rule order, not just list coverage. For a fair comparison, log all lists in parallel (pass-with-log instead of block) or rotate the rule order periodically.
#6
Hardware and Performance / PPPoE performance with current...
Last post by mattuz - June 28, 2026, 10:55:43 PMHello everyone I have a Lenovo Tiny m910q with I3-7100T and 4GB of RAM. I installed via pci-e a x4 nics rtl8125 card.
In the next month my local isp will hook up fiber optic with up to 2.5GB speed, and I'm getting ready all the hardware.
I started doing some lcoal test and iperf3 between opnsense and a pc results 2.37Gbit/s that seem ok. But using the same pc with linux and creating a PPPoE server is giving awful performance, I cannot get it past 500Mbit/s even with all the optimization recommanded online.
I tried two different pc for the PPPoE server to make sure it wasn't this side bootlenecking (even on a ryzen 9) but I can't get it past that limit. Looking at opnsense host cpu usage during the test it doesn't go over 30% so I don't really get it...
Unfortunatly I do not have any other scenario to test.. I would like to get your input it what might be the cause of this... I would like to get this Lenovo Tiny (opnsense host) to be 2.5GB capable as soon as the connectivity is hooked up
In the next month my local isp will hook up fiber optic with up to 2.5GB speed, and I'm getting ready all the hardware.
I started doing some lcoal test and iperf3 between opnsense and a pc results 2.37Gbit/s that seem ok. But using the same pc with linux and creating a PPPoE server is giving awful performance, I cannot get it past 500Mbit/s even with all the optimization recommanded online.
I tried two different pc for the PPPoE server to make sure it wasn't this side bootlenecking (even on a ryzen 9) but I can't get it past that limit. Looking at opnsense host cpu usage during the test it doesn't go over 30% so I don't really get it...
Unfortunatly I do not have any other scenario to test.. I would like to get your input it what might be the cause of this... I would like to get this Lenovo Tiny (opnsense host) to be 2.5GB capable as soon as the connectivity is hooked up
#7
26.1, 26,4 Series / Re: Help With DHCP, IPv6 and D...
Last post by meyergru - June 28, 2026, 10:36:17 PMO.K., I never had the need to look at those logs. I do adblocking using browser plugins.
If you normally use OpnSense for all things network-centric, you may be better off to have everything pertaining to logging and things there. Also, if you have DNS problems because of excessive blocking, you can switch centrally on OpnSense only this way, because otherwise you would have to wait for your clients to pick up the alternative DNS server IP.
If you normally use OpnSense for all things network-centric, you may be better off to have everything pertaining to logging and things there. Also, if you have DNS problems because of excessive blocking, you can switch centrally on OpnSense only this way, because otherwise you would have to wait for your clients to pick up the alternative DNS server IP.
#8
26.1, 26,4 Series / Re: Help With DHCP, IPv6 and D...
Last post by nero355 - June 28, 2026, 10:31:07 PMQuote from: meyergru on June 28, 2026, 10:24:03 PMWho wants to look at a DNS query log and for what purpose?To check what's going when you need to block something that's not blocked by the current Blocking Lists and/or to see who has been naughty by calling home :)
QuoteAnd even if you do, why not look at OpnSense's DNS logs, if you care about who asks for what?Because I have Pi-Hole + Unbound running on a seperate Server for many years now and like to keep it that way so I have completely Disabled Unbound @ OPNsense right after the first boot.
My OPNsense does Routing/NAT/Firewall/DHCP and that's all it needs to do for me :)
#9
26.1, 26,4 Series / Re: Help With DHCP, IPv6 and D...
Last post by meyergru - June 28, 2026, 10:24:03 PMWho wants to look at a DNS query log and for what purpose? And even if you do, why not look at OpnSense's DNS logs, if you care about who asks for what?
#10
26.1, 26,4 Series / Re: Help With DHCP, IPv6 and D...
Last post by nero355 - June 28, 2026, 10:20:34 PMQuote from: meyergru on June 28, 2026, 12:50:35 PMI would rather instruct OpnSense itself to make use of your PiHole as upstream server and not instruct clients to use that directly.Horrible idea :
The Pi-Hole Query Log will only show the Router IP Address as the Client instead of each Client on your network with it's own IP Address !!
The one and only right way is to tell all your Clients that they should talk to Pi-Hole directly as their only DNS Server.
