Recent posts

#1
25.7, 25.10 Series / Re: Gateway Group - confusing ...
Last post by franco - Today at 07:55:20 AM
Hi Evert,

You're right. The VIP support was removed a while back and the "Link Priority" really refers to the tier selection. I've cleared that up in

https://github.com/opnsense/core/commit/53d61b9d


Cheers,
Franco
#2
25.7, 25.10 Series / Re: python -- several vulnerab...
Last post by franco - Today at 07:21:38 AM
25.10.2 is out since yesterday. We're planning for 26.1.2 at the end of this week to pick up the newer Python batch into community as well.


Cheers,
Franco
#3
German - Deutsch / OPNsense Cluster und Let's Enc...
Last post by TheExpert - Today at 07:19:54 AM
Hello everyone,

I'm currently setting up an OPNsense cluster on which I also want to use a Let's Encrypt certificate. In principle I know how that is done. But I'm wondering how to do it on a cluster?

The certificates can be copied to the backup node as part of the synchronization, so setting up the ACME client only on the primary node should be sufficient, right? But what if the primary node is unavailable for a longer period and the Let's Encrypt certificate expires during exactly that time and is then not renewed automatically? It's a very theoretical question, because the certificate is presumably renewed well in advance - at least that was the case with the Sophos UTM. The case of an expired certificate really shouldn't occur, but we all know that silly circumstances always come up that end up producing exactly such supposedly unlikely cases.

Or do I have to configure the ACME client on the backup node as well, so that the certificate is also renewed there automatically on a regular basis? But then the question arises whether you can even request 2 certificates for the same domain name? The latter question also comes up for me because my Sophos UTM is still running and I'm in the migration phase to OPNsense.

On the internet I only ever find the basic description of setting up Let's Encrypt in OPNsense, but nowhere is setting it up on a cluster covered - at least I haven't found anything on that so far.

Many thanks and best regards

TheExpert
#4
General Discussion / Re: If you change the IP addre...
Last post by patient0 - Today at 07:08:21 AM
Quote from: syuhei on February 08, 2026, 05:13:21 AM
> Where is the best place to use tcpdump?

I'd start on the LAN of OPNsense8, just to verify that it gets that far for a destination IP in the WAN net (which is not the OPNsense 8 WAN IP). Then on the WAN of OPNsense 8.

Btw: you don't have to use tcpdump on the command line, there is packet capture in the GUI:

https://docs.opnsense.org/manual/diagnostics_interfaces.html#packet-capture
#5
26.1 Series / Re: [Solved] After 26.1.1 Unbo...
Last post by jonny5 - Today at 06:58:43 AM
Ok - so it was the option in Unbound "Register DHCP Static Mappings" which more or less cancelled the forwarding for the local domain, with that disabled, it follows forwarding rules...

So the Overrides work as intended, which is great, and now Aliases asks Unbound (localhost:53) for hosts and my Aliases now update as expected.
#6
26.1 Series / QUESTION: How to implement Spl...
Last post by Kornelius777 - Today at 06:47:42 AM
Dear all,

What was pretty easy with ISC "somehow" doesn't want to fly using dnsmasq.

Using the option "forward first" in unbound appears not to work correctly.
At least, on my side, that option didn't bring any success.

Has anyone been able to implement Split Horizon DNS aka Split Brain DNS so far?
Would you mind sharing your thoughts and ideas with me?

Kind regards,
#7
Virtual private networks / Tailscale Multiple Instances
Last post by jss - Today at 04:13:46 AM
Is there development in progress to make OPNsense be able to connect to multiple tailnets, similar to what wireguard and OpenVPN can do today?

If not, is it on a roadmap for development?
#8
26.1 Series / Re: Fresh 26.1.1 configuration...
Last post by lmoore - Today at 03:38:42 AM
I'm not familiar with the SG-200, however, I expect there are some settings you may want to change from their defaults.

Settings I used to disable globally on the SG-300 & SG-500 series switches are:

Dynamic Voice VLAN
GVRP
Smartport

I would also change the Default VLAN ID from 1 to a value for the network being configured.

With the interface VLAN mode, I would use Trunk ports for LAGs and set other ports to either General or Access mode. You can assign multiple VLANs to ports in General mode.

With trunk ports where only VLANs would be used on the port, I would set its PVID to 4095 - Forbidden, thus only tagged VLAN traffic traverses the port and no untagged traffic will be seen on it.

Note: Vendors which use VLAN ID 4095 will implement it differently. VLAN ID 4095 on the Cisco SG-300 & SG-500 (and probably on the SG-200) switches is a black hole, whereas on VMware VLAN ID 4095 will send _all_ network traffic through this VLAN.

In your environment I'll make some assumptions.

You've created all the VLANs on the switch.

Switch-Port -> Node:
GE1 -> igb1
GE2 -> igb2
GE3 -> Test PC

Assuming igb1 will never have any VLANs operating on it, you can set GE1 PVID to your Default VLAN ID and set the interface mode to Access.

Set GE2 interface mode to General and add tagged VLANs 10, 20 & 30. You can leave the PVID (untagged) at its default as long as it's not one of your tagged VLANs. Set the Frame Type to 'Admit Tagged Only'.

In OPNsense configure a firewall rule on each of the VLAN interfaces to allow ICMP type Echo Request to the interface's address.

With all DHCP servers enabled and running in OPNsense, set GE3 Access port PVID to the VLAN you want to test. It is currently configured for VLAN ID 10. If you do not obtain an IP Address on the 192.168.110.0/24 subnet, manually configure the interface on the Test PC with an IP address in this subnet and see if you get a reply when you ping the OPNsense address of 192.168.110.1.
#9
25.7, 25.10 Series / Re: Dnsmasq stops occasionally
Last post by ligand - Today at 03:34:33 AM
Hi!
Any chance the build Simon is referring to can be added to the repo so I can install it?
#10
General Discussion / Re: dnsmasq - no address range...
Last post by Mpegger - Today at 03:31:42 AM
In the DNSmasq Interface setting, after you disabled the WAN interface, were the other interfaces that you do need DNSmasq on checked? I just finished the switchover from ISC to DNSmasq myself today, and didn't see any such warnings in my DNSmasq logs. I know the little help blurb for Interface says "If no interfaces are selected, Dnsmasq will listen on all available IPv4 and IPv6 addresses by default", but I find more often than not that you have to add in or explicitly choose an option to make sure it actually works.