Recent posts

#1
26.7 Series / Re: Updated - first impression...
Last post by nero355 - Today at 03:51:08 PM
Quote from: franco on Today at 09:23:47 AMThanks for your feedback... the people nagging there's excessive padding everywhere are awfully quiet at the moment.
To some degree it's funny trying to cater to this part of the user base and seeing a bit of backlash for it.

We can add padding, make it bigger, or we can leave it to acclimate. I'm unsure yet with the mixed signals.
You could say I am one of those people in general, but the thing is : I am not much of a widget guy...

One possible explanation of that is because I have a bad image of it in my mind since Windows Vista and Android started using those damn things and I was always like : Why the hell would you use those things ?!

I know they have a totally different purpose for OPNsense and they are basically not widgets and something much more useful instead, but still I somehow can't really be bothered by them... Sorry! :)


So to make a long story short :

This =>
Quote from: tbt39 on Today at 09:12:21 AMThat's fair. I'm not a designer, however, so apologies if I can't be more specific..
Is very nice and compact without wasting unnecessary screenspace so I like it and perhaps will consider Enabling it again in 26.7.x after upgrading ;)

The only possible improvement that I can think of is perhaps experimenting with a black line around the green (the button ?) and perhaps using white text with a small black edge around the same way it's used commonly for subtitles, but maybe it's not even needed in this case... dunno...

Ohh and I like this idea too by the way :
Quote from: dseven on Today at 10:36:45 AMa more in-keeping style would be to have a "LED" to the left of each item, with color indicating the status, rather than using the background of the whole "button"... but at the expense of a bit of "compactness"...
Seen that many times in other software (both round and square "LEDs" ) and can look very good!
#2
26.7 Series / Re: Upgrade, lost webgui and M...
Last post by franco - Today at 03:48:56 PM
There it is then:

SSL context creation failed
1050062A474C0000:error:0A000180:SSL routines:SSL_CONF_cmd:bad value:/usr/src/crypto/openssl/ssl/ssl_conf.c:995:cmd=MinProtocol, value=DTLSv1.1
1050062A474C0000:error:0A0001A3:SSL routines:SSL_CTX_new_ex:error in system default config:/usr/src/crypto/openssl/ssl/ssl_lib.c:4274:

And from https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security

> DTLS 1.0 is based on TLS 1.1, DTLS 1.2 is based on TLS 1.2, and DTLS 1.3 is based on TLS 1.3. There is no DTLS 1.1 because this version-number was skipped in order to harmonize version numbers with TLS.[2] Like previous DTLS versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".

We know what to do then, thanks!

In the meantime: do not use DTLSv1.1. It's going away.


Cheers,
Franco
#3
26.7 Series / Re: [Solved] Attempt to Upgrad...
Last post by meyergru - Today at 03:45:53 PM
https://forum.opnsense.org/index.php?msg=243083

However, the process is different for BIOS and UEFI boot, sometimes it depends on the type of boot disk and / or partitioning.

This is the reason why there is no automatic bootloader update (or upgrade of zpool options, FWIW). And if you want to update like depicted in the link, you need to have booted the NEW system first, which sometimes does not work, so it is a catch-22. That is why Franco wrote:

Quote from: franco on Today at 09:19:41 AMDoesn't change the fact that everyone including 26.7 would be affected either way by it unless they did a clean reinstall.
#4
26.7 Series / Re: [Solved] Attempt to Upgrad...
Last post by nero355 - Today at 03:39:35 PM
Quote from: jll544 on Today at 09:05:10 AM
Quote from: franco on July 15, 2026, 07:50:40 PMAllegedly this was fixed in late 15.1 RC cycle: https://github.com/opnsense/src/commit/56e59980b67
But the fix affects loader.efi, so it's not actually effective until the bootloader gets updated in ESP: https://www.freebsd.org/releases/15.1R/upgrading/#upgrade-loader-uefi

That's not something that happens as part of the OPNsense upgrade (should it?).
Patrick and meyergru have made some excellent instructions about upgrading the bootloader in a couple of topic so I am sure they can help you out in one of those topics :)

Quote from: Patrick M. Hausen on July 15, 2026, 06:03:22 PMSystem > Settings > Administration > Console
Quote from: meyergru on July 15, 2026, 06:22:19 PMYes.
I don't have the exact links anymore so could one of you do that part ?

Thnx! in advance ;)
#5
26.7 Series / Re: Totally confused by migrat...
Last post by nero355 - Today at 03:31:47 PM
Quote from: lignumaqua on Today at 03:48:54 AMPS - It would be nice if the rules export actually created and saved a file rather than just opening a web page that you have to cut and paste yourself. If you'll forgive me, this seems half done.
My bet is on this part of the browser settings : https://www.idownloadblog.com/2020/11/12/default-apps-actions-open-file-firefox/

I always change all of them to "Always ask" to counter unwanted actions from websites :)

Quote from: lignumaqua on Today at 01:08:20 AMCan I humbly suggest that this is still really confusing for those of us who didn't follow the process through the RCs?
I guess you missed all the information and discussion topics during the 26.1.x releases and basically the fact that you should have migrated before upgrading to 26.7.x to make sure this kind of stuff doesn't happen ;)
#6
26.7 Series / Re: OPNsense 27 upgrade – warn...
Last post by nero355 - Today at 03:25:23 PM
Quote from: (MARLOO) on Today at 04:25:26 AMAfter upgrading to OPNsense 27, I initially saw repeated warnings in Firewall > System > Firmware > Reporter, including PHP startup messages about mongodb.so and some other log entries.

At this point, it looks like the issue may have been related to Zenarmor rather than the firewall core itself. Zenarmor is installed on this system and uses a local reporting backend, so it is possible that the reporting database or backend state needed to be updated or reinitialized after the upgrade.
This is mentioned in another topic : It's something that got left behind after ZenArmor dumped MongoDB (As eveyone should IMHO !!!) and moved to SQLite and Elasti<something> version 8 instead of version 5 so you need to do some cleaning up now...
(I dont use ZenArmor so don't know every detail...)

QuoteI also noticed a ZFS pool warning after the firmware upgrade indicating that some supported pool features are not enabled yet.
The pool is still online and healthy
I am betting on OpenZFS getting upgraded and now telling you there is newer stuff to use.

Feel free to post the output here together with :
QuoteSMART for the SSD is passing
To double check everything :)

Quoteso this appears to be only an informational warning rather than an actual storage problem.
I think so too.
#7
General Discussion / Re: Captive Portal Not Working
Last post by viragomann - Today at 02:53:50 PM
Obviously you forgot to tick "enabled" in the CP settings.
#8
26.7 Series / Re: OpenSense Firewall Rule wi...
Last post by chrisq - Today at 01:55:23 PM
So this is on the accepted rule when Divert To is set to Intrusion Detection.

Pass then Block the matching the accept rule.

---
And if I remove Divert To on the rule it no longer blocks, but does not go through IDS.
#9
26.7 Series / Re: Upgrade, lost webgui and M...
Last post by GreenMatter - Today at 01:42:45 PM
Quote from: franco on Today at 09:03:19 AMWithout more debug output this won't resolve easily so let's try this when it's not working:

# fetch -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
# curl -o data.pkg -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg

So, with DTLS set to "1" all works:

root@bkp-OPNsense:~ # pkg update
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
root@bkp-OPNsense:~ # fetch -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
resolving server address: pkg.opnsense.org:443
SSL options: 82004850
Peer verification enabled
Using OpenSSL default CA cert file and path
Verify hostname
TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
Certificate subject: /CN=pkg.opnsense.org
Certificate issuer: /C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
requesting https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
remote size / mtime: 322185 / 1784295958
data.pkg                                               314 kB 3342 kBps    00s
root@bkp-OPNsense:~ #  curl -o data.pkg -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
13:31:42.013785 [0-0] * [HTTPS-CONNECT] added
13:31:42.014044 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 0 socks
13:31:42.018466 [0-0] * [HTTPS-CONNECT] connect, init
13:31:42.018557 [0-0] * [HTTPS-CONNECT] 1st attempt uses h2 from wanted versions
13:31:42.018574 [0-0] * [SETUP] happy eyeballing to origin pkg.opnsense.org:443
13:31:42.018622 [0-0] *   Trying [2001:1af8:5300:a010:1::1]:443...
13:31:42.018826 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:31:42.018851 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:31:42.019480 [0-0] * Host pkg.opnsense.org:443 was resolved.
13:31:42.019526 [0-0] * IPv6: 2001:1af8:5300:a010:1::1
13:31:42.019549 [0-0] * IPv4: 89.149.222.99
13:31:42.019569 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:31:42.019586 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:31:42.221458 [0-0] *   Trying 89.149.222.99:443...
13:31:42.221591 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:31:42.221616 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 2 socks
13:31:42.245167 [0-0] * [SETUP] added SSL filter for origin
13:31:42.247120 [0-0] * ALPN: curl offers h2,http/1.1
13:31:42.247481 [0-0] } [5 bytes data]
13:31:42.247532 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
13:31:42.247546 [0-0] } [1562 bytes data]
13:31:42.247628 [0-0] * SSL Trust Anchors:
13:31:42.247649 [0-0] *   CApath: /etc/ssl/certs
13:31:42.247672 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:31:42.247693 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:31:42.274063 [0-0] { [5 bytes data]
13:31:42.274120 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
13:31:42.274134 [0-0] { [122 bytes data]
13:31:42.274561 [0-0] * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
13:31:42.274584 [0-0] { [1 bytes data]
13:31:42.274619 [0-0] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
13:31:42.274632 [0-0] { [25 bytes data]
13:31:42.274670 [0-0] * TLSv1.3 (IN), TLS handshake, Certificate (11):
13:31:42.274683 [0-0] { [3550 bytes data]
13:31:42.276081 [0-0] * TLSv1.3 (IN), TLS handshake, CERT verify (15):
13:31:42.276102 [0-0] { [264 bytes data]
13:31:42.276254 [0-0] * TLSv1.3 (IN), TLS handshake, Finished (20):
13:31:42.276283 [0-0] { [52 bytes data]
13:31:42.276354 [0-0] * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
13:31:42.276372 [0-0] } [1 bytes data]
13:31:42.276425 [0-0] * TLSv1.3 (OUT), TLS handshake, Finished (20):
13:31:42.276438 [0-0] } [52 bytes data]
13:31:42.276537 [0-0] * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
13:31:42.276561 [0-0] * ALPN: server accepted http/1.1
13:31:42.276578 [0-0] * Server certificate:
13:31:42.276598 [0-0] *   subject: CN=pkg.opnsense.org
13:31:42.276615 [0-0] *   start date: Jan 20 00:00:00 2026 GMT
13:31:42.276628 [0-0] *   expire date: Jan 20 23:59:59 2027 GMT
13:31:42.276648 [0-0] *   issuer: C=AT; O=ZeroSSL; CN=ZeroSSL RSA Domain Secure Site CA
13:31:42.276673 [0-0] *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
13:31:42.276688 [0-0] *   Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
13:31:42.276701 [0-0] *   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
13:31:42.276722 [0-0] *   subjectAltName: "pkg.opnsense.org" matches cert's "pkg.opnsense.org"
13:31:42.276736 [0-0] * OpenSSL verify result: 0
13:31:42.276748 [0-0] * SSL certificate verified via OpenSSL.
13:31:42.276763 [0-0] * [SETUP] query ALPN
13:31:42.276776 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
13:31:42.276801 [0-0] * Established connection to pkg.opnsense.org (89.149.222.99 port 443) from 172.16.99.4 port 56453
13:31:42.276814 [0-0] * [HTTPS-CONNECT] removing connected setup filter
13:31:42.276826 [0-0] * [HTTPS-CONNECT] destroy
13:31:42.276838 [0-0] * [SETUP] removing connected setup filter
13:31:42.276850 [0-0] * [SETUP] destroy
  % Total    % Received % Xferd  Average Speed  Time    Time    Time   Current
                                 Dload  Upload  Total   Spent   Left   Speed
  0      0   0      0   0      0      0      0                              013:31:42.276976 [0-0] * using HTTP/1.x
13:31:42.277008 [0-0] } [5 bytes data]
13:31:42.277056 [0-0] > GET /FreeBSD:15:amd64/snapshots/latest/data.pkg HTTP/1.1
13:31:42.277056 [0-0] > Host: pkg.opnsense.org
13:31:42.277056 [0-0] > User-Agent: curl/8.21.0
13:31:42.277056 [0-0] > Accept: */*
13:31:42.277056 [0-0] >
13:31:42.277116 [0-0] * Request completely sent off
13:31:42.300220 [0-0] { [5 bytes data]
13:31:42.300296 [0-0] * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
13:31:42.300310 [0-0] { [297 bytes data]
13:31:42.300416 [0-0] * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
13:31:42.300433 [0-0] { [297 bytes data]
13:31:42.301188 [0-0] < HTTP/1.1 200 OK
13:31:42.301216 [0-0] < Date: Sat, 18 Jul 2026 11:36:47 GMT
13:31:42.301230 [0-0] < Server: Apache
13:31:42.301242 [0-0] < Last-Modified: Fri, 17 Jul 2026 13:45:58 GMT
13:31:42.301255 [0-0] < ETag: "4ea89-656cec6c03180"
13:31:42.301280 [0-0] < Accept-Ranges: bytes
13:31:42.301293 [0-0] < Content-Length: 322185
13:31:42.301306 [0-0] < Content-Type: application/vnd.apple.installer+xml
13:31:42.301320 [0-0] <
13:31:42.301333 [0-0] { [7948 bytes data]
100 314.6k 100 314.6k   0      0 825.4k      0                              0
13:31:42.394953 [0-0] * Connection #0 to host pkg.opnsense.org:443 left intact



And after having it changed to "1.1"

root@bkp-OPNsense:~ # pkg update
Updating OPNsense repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository OPNsense has no meta file, using default settings
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
Unable to update repository OPNsense
Error updating repositories!
root@bkp-OPNsense:~ # fetch -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
resolving server address: pkg.opnsense.org:443
SSL context creation failed
1050062A474C0000:error:0A000180:SSL routines:SSL_CONF_cmd:bad value:/usr/src/crypto/openssl/ssl/ssl_conf.c:995:cmd=MinProtocol, value=DTLSv1.1
1050062A474C0000:error:0A0001A3:SSL routines:SSL_CTX_new_ex:error in system default config:/usr/src/crypto/openssl/ssl/ssl_lib.c:4274:
fetch: https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg: Authentication error
root@bkp-OPNsense:~ # curl -o data.pkg -vv https://pkg.opnsense.org/FreeBSD:15:amd64/snapshots/latest/data.pkg
13:32:54.264461 [0-0] * [HTTPS-CONNECT] added
13:32:54.264665 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 0 socks
13:32:54.265958 [0-0] * Host pkg.opnsense.org:443 was resolved.
13:32:54.265987 [0-0] * IPv6: 2001:1af8:5300:a010:1::1
13:32:54.266003 [0-0] * IPv4: 89.149.222.99
13:32:54.266015 [0-0] * [HTTPS-CONNECT] connect, init
13:32:54.266026 [0-0] * [HTTPS-CONNECT] 1st attempt uses h2 from wanted versions
13:32:54.266043 [0-0] * [SETUP] happy eyeballing to origin pkg.opnsense.org:443
13:32:54.266068 [0-0] *   Trying [2001:1af8:5300:a010:1::1]:443...
13:32:54.266248 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:32:54.266284 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:32:54.266305 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:32:54.266318 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:32:54.474497 [0-0] *   Trying 89.149.222.99:443...
13:32:54.474649 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:32:54.474678 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 2 socks
13:32:54.498280 [0-0] * [SETUP] added SSL filter for origin
13:32:54.500281 [0-0] * SSL: could not create a context: error:0A000180:SSL routines::bad value
13:32:54.500308 [0-0] * [HTTPS-CONNECT] connect, all attempts failed
13:32:54.500321 [0-0] * [HTTPS-CONNECT] connect -> 27, done=0
13:32:54.500346 [0-0] * closing connection #0
curl: (27) SSL: could not create a context: error:0A000180:SSL routines::bad value








#10
26.7 Series / Re: I am stocked like a few ot...
Last post by franco - Today at 01:36:06 PM
On an SSH root shell, or when logged into the console, choose option 8 to get to shell and type the command (without the preceeding # sign).


Cheers,
Franco