Recent posts

#1
26.1, 26,4 Series / Re: How reliable is Firewall:D...
Last post by hharry - Today at 11:48:38 AM
here is just one example, where after OPsense reboot (no F/W rule change made). For me, aliases i don't believe are the issue. And the issue is not specific to the anti-lockout rule either, many other examples of sessions and states listed against incorrect rule ( other than anti-lock out rule ).

OPNsense 26.1.11_6-amd64, The below sessions, as shown in gfx image attached, are;

1. self initiated outbound BGP session, the source IP address is the PPPoE interface address
2. self initiated outbound ICMP gateway monitor, the source IP address is the PPPoE interface address

Neither of these sessions, meet the anti-lockout rule logic, yet that's how they are listed in the UI etc...


root@OPNsense_LAB:~ # pfctl -vvPsr | grep -A4 @32
No ALTQ support in kernel
ALTQ related functions disabled
@32 pass in quick on vmx2 proto tcp from any to (self:8) port = 22 flags S/SA keep state label "36d299b849ebe9b05a0f6345a51a906b"
  [ Evaluations: 7300      Packets: 988       Bytes: 120437      States: 1     ]
  [ Inserted: uid 0 pid 54268 State Creations: 1     ]
  [ Last Active Time: Tue Jul 14 19:41:27 2026 ]
@33 pass in quick on vmx2 proto tcp from any to (self:8) port = 80 flags S/SA keep state label "fef898ed65e45e8c227a870f82b2b68d"
root@OPNsense_LAB:~ #


root@OPNsense_LAB:~ #  pfctl -vvs states | grep -C2 rule.32
No ALTQ support in kernel
ALTQ related functions disabled
all tcp 10.0.0.163:22 <- 10.0.0.237:59484       ESTABLISHED:ESTABLISHED
   [3533813239 + 3489464576] wscale 10  [4123816029 + 262400] wscale 8
   age 00:05:40, expires in 24:00:00, 388:640 pkts, 32784:91349 bytes, rule 32
   id: a401496a00000000 creatorid: cfe531b8
   origif: vmx2
--
   origif: vmx3
all icmp 192.168.40.1:10406 -> 192.168.40.254:8       0:0
   age 267:15:10, expires in 00:00:10, 944926:944926 pkts, 27402854:27402854 bytes, rule 32, allow-opts, max-mss 1452
   id: 5256476a00000000 creatorid: cfe531b8 route-to: 192.168.40.254@pppoe1
   origif: pppoe1
all tcp 192.168.40.1:29603 -> 192.168.40.254:179       ESTABLISHED:ESTABLISHED
   [2763199284 + 4294836480] wscale 10  [498719610 + 524544] wscale 8
   age 267:15:01, expires in 23:59:59, 384846:381950 pkts, 23668079:23520397 bytes, rule 32, allow-opts, max-mss 1452
   id: 5356476a00000000 creatorid: cfe531b8 route-to: 192.168.40.254@pppoe1
   origif: pppoe1
root@OPNsense_LAB:~ #

#2
General Discussion / Re: Periodic NIC issues (?) wi...
Last post by meyergru - Today at 11:08:00 AM
I only assumed that the reset code was added later to Linux because it was missing in the FreeBSD driver, which otherwise looked like a port. I really did not do any software archeology. :-)

If that problem is handled in iflib in FreeBSD, it is not really needed in the hardware-specific driver.

If Intel knew that problem existed from the get-go, which would be implied if the hangup fix was there from the first commit, they should have better fixed it in hardware, though.
#3
General Discussion / Re: Periodic NIC issues (?) wi...
Last post by tuto2 - Today at 10:55:51 AM
Quote from: meyergru on Today at 09:43:14 AMIntel seems to have "fixed" the hang problem by detecting it in the Linux driver and issuing a reset - FreeBSD has only now picked up that change in the OS driver (that was what my bug report was about).

"TX hangs" have been around forever, which is why watchdog timeouts have been baked into iflib from the get-go (but broke somewhere along the way 5 years ago, the logic wasn't missing), the same goes for the Linux driver - the reset logic has been in there since the first commit. Nothing special about it. However, it being broken definitely hinted at other platforms only reporting "micro freezes" instead of full freezes.
#4
26.1, 26,4 Series / Re: New Source NAT - specific ...
Last post by dseven - Today at 10:00:49 AM
A quick bit of research reveals that MAP-E uses the ICMP client identifier in place of a source port for tracking. The MAP-E CPE would normally rewrite the client ID to a number within your assigned port range. If your ping client supports it, try specifying a client ID within your range. On modern Linux, the '-e' option should work...
#5
General Discussion / Re: Periodic NIC issues (?) wi...
Last post by meyergru - Today at 09:43:14 AM
When I had the problem on my Minisforum MS-01, it did not resolve by a NIC firmware upgrade. Not even disabling global ASPM helped (it did on some china boxes I have).

The problem went away after a BIOS update from Minisforum. So I figure that there are conditions where micro-sleeps trigger a hangup. ASPM potentially allows for those sleep states. It might be the case that Intel also tried to fix it in NIC firmware, however, there are several chip revisions out for I226V and some may have a hardware idiosyncrasy that causes this which cannot be healed via NIC firmware.

Intel seems to have "fixed" the hang problem by detecting it in the Linux driver and issuing a reset - FreeBSD has only now picked up that change in the OS driver (that was what my bug report was about).

So:

1. There are chip revisions (e.g., the latest ones have a smaller structure width and consume less power). You can see that via " pciconf -lv | grep -B3 igc", look at the "rev" value (mine is 0x04 on my current china box, I have others with 0x03). I think that early versions had a hardware problem that cause hangups. I did not investigate up to what revision these problems exist. I also do not remember which revision was on my Minisforum MS-01.

2. On some boxes, disabling ASPM globally via BIOS settings or tuneable does fix the problem, so you should try this.

3. On some boxes, you can get BIOS upgrades (e.g. Protectli, Minisforum).

4. My experience is that if the problems persist, updating the NIC firmare does not help.

5. In the future, we will have a FreeBSD driver with Intel's workaround that handles the remaining problems, the fixed kernel can be tested right now.
#6
26.1, 26,4 Series / Re: TLS issues when trying to ...
Last post by meyergru - Today at 09:29:54 AM
Not happening here, neither from a connected client nor from OpnSense itself. So this must be specific to some setups.

Do you have altered MTUs, like with PPPoE or do you use MSS clamping?

Since you deinstalled Zenarmor, did you first enable some kind of hardware offloading, like LRO, to improve performance and forgot to disable it again?
#7
26.1, 26,4 Series / Re: New Source NAT - specific ...
Last post by Ametite - Today at 09:23:39 AM
I wanted to report that my previous statement is partially incorrect.

I did further testing and, with this hybrid SNAT configuration, only 1:4 of the ICMP pings are successful, exactly the same as the ratio of the IPv4 range port assigned to me by my provider.

Granted, there's no source port for ICMP, but I think some sort of "random port" is generated somewhere, something that is independent by the operating system I'm testing from (whether Linux or Windows makes no difference).

Just to be clear, now I have hybrid NAT, a manual rule that intercept TCP/UDP traffic and force the exit port range 24576:32767 and the other one generated by auto-conf LAN->WAN with any protocol and * as source NAT port.
#8
Dear community,

Last weekend we launched our new website, including the subscription management portal that was already available before.

As part of this update, we've worked on integrating the TIP more closely with the website and introduced Single Sign-On (SSO) to make the experience smoother. We're planning to add more integrations and improvements in the future.

We'd love to hear your feedback. If you notice anything that could be improved, something that doesn't work as expected, or simply have suggestions, please let us know.

Thanks in advance for taking the time to test it and share your thoughts!
#9
Tutorials and FAQs / Re: Help understanding firewal...
Last post by meyergru - Today at 09:12:37 AM
If the default deny rule catches traffic, it is because nothing else allowed the traffic. For TCP, that could be out-of-state traffic that is not caught by an existing rule, which is most often the cause somebody wonders why that rule does not apply.

However, this is UDP traffic, which is stateless, so I figure you have no rule to allow that traffic. For convenience, there is a default "allow any" rule created for the first LAN and for that (V)LAN only. Thus, if you do not allow DNS traffic to your firewall on any other (V)LAN, it will be caught by the default deny rule and thus be blocked.

You may not have noticed yet, because many browsers do not even use DNS on port 53 any more (doing DoT or DoH instead), such that DNS worked despite port 52 being blocked. Maybe you have a rule allowing internet access for your second VLAN, such that 8.8.8.8 can be reached.

P.S.: You created the "noise" all by yourself, because you enabled logging for the default deny rule. The whole purpose of the default deny rule is that you can log what it does - otherwise, you would not need it. While enabling logging on that can be helpful to diagnose something going wrong, blocking packets is the whole purpose of a firewall. Normally, you don't watch it doing its job.
#10
French - Français / Quelle est la meilleure agence...
Last post by Riem - Today at 09:01:42 AM
Salut. Je gère l'infrastructure réseau d'une petite structure (une dizaine de postes, OPNSense en frontal pour le pare-feu et le routage), et depuis quelques mois le responsable marketing me sollicite de plus en plus souvent sur des sujets qui dépassent largement mon périmètre habituel.

La dernière en date il veut refondre complètement le site de l'entreprise, un WordPress qui tourne depuis 2019 et qui n'a jamais vraiment été optimisé. Il cherche à faire appel à une agence spécialisée et m'a demandé mon avis, probablement parce que je suis "le tech" de la boîte et que dans sa tête tout ce qui touche à un écran ça me concerne. Bref, je me retrouve à devoir l'orienter et je n'y connais pas grand chose en référencement naturel. Ce que je comprends vaguement : il voudrait quelqu'un qui maîtrise à la fois l'aspect technique du SEO (vitesse de chargement, structure des URLs, balisage correct) et la partie éditoriale. Le site est sous WordPress donc il faut que l'agence soit à l'aise avec cet environnement, Yoast ou Rank Math, les thèmes qui alourdissent tout...

Certains d'entre vous ont déjà eu à orienter leur direction vers une meilleure agence SEO pour WordPress, et sur quoi vous vous êtes basés pour comparer ? Budget, références clients, audit gratuit proposé avant signature... je sais pas trop ce qui fait la différence.