Recent posts

#1
25.7, 25.10 Series / NAT breaks Windows update
Last post by mlangendoen - Today at 02:36:31 PM
Hi all,

After upgrading to 25.10, Windows Update is not working anymore for devices that are behind NAT. Devices that do not NAT, so are only routed and firewalled, have no problems.

Anyone an idea?
#2
General Discussion / Re: still see traffic going ou...
Last post by robertkwild - Today at 01:56:25 PM
Reading this:

In order to provide a secure and verified environment, it is advisable to use a firewall rule to prohibit any outgoing DNS traffic on port 53 when using DNS over TLS. If clients choose to directly query other nameservers on their own, a NAT redirect rule can be used to send these requests to 127.0.0.1:53, which is the local Unbound service. This will ensure that these requests are sent over TLS.

I've done the block rule

   IPv4+6 TCP/UDP    *    *    ! RFC1918     53 (DNS)    *    *       block LAN DNS to internet

But how do I set up the NAT?

What do I put in:

destination - any
destination port range - 53
redirect target ip - 127.0.0.1/32 or "this firewall"
redirect target port - 53

thanks,
rob
#3
Hello,

I'm using Squid as an intransparent forward proxy; now I need to access an internal server over a public IP and this does not work.
When I use no proxy and the rules from:
https://docs.opnsense.org/manual/how-tos/nat_reflection.html#method-1-creating-manual-port-forward-nat-dnat-manual-outbound-nat-snat-and-automatic-firewall-rules
it works, but I found no possibility to SNAT the Squid proxy itself. How can this be done?
#4
General Discussion / Re: block cameras to internet
Last post by robertkwild - Today at 01:25:59 PM
LOL, what an idiot, you're right @meyergru

My phone was still on WiFi. As soon as I was on mobile data I went back on the Tapo app and I can no longer see my camera feeds. Interestingly, I don't need the other IPv6 rule, it just works with the IPv4 rule (I attach a pic below).

https://postimg.cc/5HgtF54C
#5
25.7, 25.10 Series / Re: ACME failing because of "O...
Last post by browne - Today at 01:12:58 PM
Quote from: Taomyn on November 04, 2025, 11:25:20 AM
I think I found the problem. Every single conf file for the certificates has a value
Le_OCSP_Staple='1'
even though the GUI clearly shows it's disabled

When I force a renewal it works, but when I check the file it's still enabled

If I change the value in the file to 0 and then renew it also works, but it remains 0
Hey, we are facing the same issue.

Did you manage to solve this for good?
#6
25.7, 25.10 Series / Re: New skin "flexcolor"
Last post by Seimus - Today at 12:37:50 PM
Quote from: Schnuffel2008 on December 17, 2025, 09:49:46 PM
is it?
Yes it is.

Keep in mind not everyone uses or even feels like touching the CLI ;)

If it can be fixed by patching the pkg, please go for it.

Regards,
S.
#7
Hello,

Is it possible to take unbound requests and send them back through a wireguard gateway? If so, what would be the method?
Could you help me build the rules and understand them?
I have a functional wireguard gateway, and unbound operational too.
Thank you
#8
General Discussion / Re: 25.7.9 update - xorgproto:...
Last post by franco - Today at 11:08:24 AM
Maybe, you haven't said which version you have.
#9
General Discussion / GRE traffic blocked by
Last post by Zugschlus - Today at 10:41:02 AM
Hi,

I have OPNsense 25.7.8. To keep legacy telephones running, I have a number of GRE tunnels that terminate on devices that are behind OpenVPN on the remote side, and on a system in my internal network. The traffic from the internal network to the OpenVPN link is blocked by the built-in "Default deny / state violation rule":


I have both a bidirectional floating rule without state tracking:


and corresponding directional rules in both the OpenVPN and the internal rule list.

The traffic is still blocked.

How can I get that GRE traffic to pass?

Greetings
Marc