Recent posts

#1
General Discussion / Re: DHCP Lease Time/period
Last post by Patrick M. Hausen - Today at 03:14:06 PM
Quote from: somanet on Today at 06:13:32 AM
Configure the OPN firewall with the interface WAN port to operate with a public IP. My question is: is it safe?

Well, it's a firewall, which means being safe/secure is the purpose. And if configuration of the WAN parameters to get your uplink working is the only thing you change from the installation defaults, then, yes, you are safe.

As soon as you start adjusting the firewall policy or anything else, that question can only be answered by you.
#2
26.1, 26,4 Series / Re: Ipsec Gui children scrollb...
Last post by nero355 - Today at 02:44:10 PM
Quote from: franco on Today at 11:21:56 AM
I'll discuss with Stephan.
Is there any progress/news about the other discussions we had some time ago about the New Firewall Rules page and similar situations like the KEA DHCP Leases related page?

This seems all to be connected together as far as I can see :)
#3
26.1, 26,4 Series / Re: Unbound reporting stop wor...
Last post by nero355 - Today at 02:39:23 PM
Quote from: franco on Today at 08:27:17 AM
Apparently this made some waves looking at https://github.com/freebsd/freebsd-ports/commit/3c11b048c3d -- in theory we could flip it back but I'll have to discuss internally. The minimum optimization requirement was probably done for a good reason.
Quote from: wincent on Today at 08:43:17 AM
I'm glad to hear this.
It's a tough decision. After all, OPNSense focuses on security performance, and Unbound DNS reporting is just a plug-in functional component. However, many firewall platforms or all-in-one servers may not be equipped with the latest CPU, and I believe many users still require this functionality.
It was not exactly easy to find, but I guess you could check this: https://numpy.org/doc/stable/user/troubleshooting-importerror.html#segfaults-or-crashes

And compare it to this: https://www.techpowerup.com/cpu-specs/pentium-e6500.c864
Found via https://duckduckgo.com/?q=Pentium(R)+Dual-Core+CPU+E6500

But if I am perfectly honest I can't really blame the guys for excluding such old CPU models: the days of Socket 775 are waaaay behind us now! :)
Looking at other software that had similar changes over the last 5 years or so, I would recommend having at least something with AVX support for regular CPUs, and I believe it was SSE4 for the Atom-like models.

Considering the horrible hardware price situation we are currently in, maybe you could look at used hardware that's in good condition as an upgrade option?!
#4
High availability / Re: Updating backup instance
Last post by GreenMatter - Today at 02:35:01 PM
Quote from: franco on June 10, 2026, 05:20:58 PM
> fetch: /usr/local/opnsense/changelog/changelog.txz.sig appears to be truncated: 0/1332 bytes

Usually a sign of DNS timeouts.
This tip got me somewhere. I use local DNS (AdGuard with Unbound as upstream) which is run separately from OPNsense. On the backup node Unbound doesn't work; initially I thought it was because of unavailable interfaces (ipv6 tunnel) that Unbound is bound to. But after deselecting them it still doesn't work, issuing the error:
Unable to open pipe. This is likely because Unbound isn't running.
In cli:
root@OPNsense-bkp:~ # dig opnsense.org
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 172.16.1.4#53: timed out
;; communications error to 2001:xxxxxxxxx::4#53: timed out 
; <<>> DiG 9.20.22 <<>> opnsense.org
;; global options: +cmd
;; no servers could be reached

Despite:
root@OPNsense-bkp:~ # ping 172.16.1.4
PING 172.16.1.4 (172.16.1.4): 56 data bytes
64 bytes from 172.16.1.4: icmp_seq=0 ttl=64 time=0.227 ms
64 bytes from 172.16.1.4: icmp_seq=1 ttl=64 time=0.105 ms
--- 172.16.1.4 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.105/0.166/0.227/0.061 ms
root@OPNsense-bkp:~ # nc -vzu 172.16.1.4 53
Connection to 172.16.1.4 53 port [udp/domain] succeeded!

After enabling
Quote: Do not use the local DNS service as a nameserver for this system

cli started working fine:
root@OPNsense-bkp:~ # dig opnsense.org 
; <<>> DiG 9.20.22 <<>> opnsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40326
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;opnsense.org.   IN A 
;; ANSWER SECTION:
opnsense.org.  3 IN A 89.149.225.137
;; Query time: 0 msec
;; SERVER: 172.16.1.4#53(172.16.1.4) (UDP)
;; WHEN: Thu Jun 11 09:57:59 CEST 2026
;; MSG SIZE  rcvd: 57

But update check still fails:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 26.1.9 (amd64) at Thu Jun 11 10:00:41 CEST 2026
Fetching changelog information, please wait... fetch: transfer timed out
fetch: /usr/local/opnsense/changelog/changelog.txz appears to be truncated: 0/217364 bytes
done
Updating OPNsense repository catalogue...
Waiting for another process to update repository OPNsense
All repositories are up to date.
Checking for upgrades (107 candidates): .......... done
Processing candidates (107 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

So, I'm a bit lost....

EDIT:
It seems that, on top of Unbound not working, the main culprit was a non-working ipv6 interface (tunnel broker). After removing the ipv6 entry of the local DNS server (System - Settings - General) and enabling the preference to use ipv4, the system was finally able to fetch the changelog.
Ultimate verification will be during next upgrade :-)
#5
General Discussion / Re: DHCP Lease Time/period
Last post by nero355 - Today at 02:18:59 PM
Just change the default settings and you are good to go! :)

Everything you need to know is @ https://docs.opnsense.org ;)
#6
26.1, 26,4 Series / Re: 26.1.8_5 - BUG: DNS64 not ...
Last post by inkeliz - Today at 01:35:14 PM
The new unbound 1.25.1 seems to include some important security fixes. I didn't update it yet, due to this DNS64 bug.

Is there any other alternative to Unbound DNS (with DNS64 support)?
#7
French - Français / Has anyone already used copyf...
Last post by Meriloo - Today at 12:56:29 PM
Hi,

I find myself in a somewhat odd situation and I'm looking for concrete feedback. I administer several OPNsense instances for small organizations (4 or 5 separate sites, nothing huge), and for a few weeks I've been testing tools to centralize the documentation of my configs. A colleague pointed me to www.copyfy.io, telling me it could be used to manage technical content in a structured way... except I can't really figure out whether it's suited to network/infra use or whether it's more oriented toward marketing/editorial.
I spent about 20 minutes on the site; the use cases presented remain fairly vague. Couldn't find any feedback from sysadmins or network admins on it. Has anyone here come across this tool in a technical context? Or do you use something else to document your firewall rules and VPN configs?
#8
Hello,

We run OPNsense v25.10.2_12 with OPNWAF v2.1 proxy on top of it. There's a commercial wildcard certificate *.example.com installed on the machine. A couple of web sites use the cert with no problem. We also have a bunch of other web sites which use Let's Encrypt certificates managed by the OPNWAF built-in ACME client.

Now I need to set up a web site like a.b.example.com which is obviously not covered by the *.example.com certificate. I've enabled ACME in the respective Virtual Server configuration, but the certificate was not issued. What's worse, when I accept the self-signed fallback certificate, the proxy returns error 503. It does not even try to contact the upstream (back-end) web server.

Tried to set up another web site ab.example.com. It works with *.example.com but returns 503 when ACME is enabled (and fallback cert accepted). I cannot find any other output, there's no error in /var/log/apache/* log files even when I set logging to debug level. The Apache configuration in /usr/local/etc/apache24/Includes/gateway_vhosts.conf seems to be correct. Can it be that the two certificates (commercial + ACME one) cannot coexist for the same domain?

Thank you,
Ivo

P.S. Every OPNWAF reload takes 2-3 minutes, during which one httpd process utilizes 100 % of one CPU core. None of the web sites is working in such a moment, of course, which makes a reconfiguration quite difficult. The Apache error log reads "SIGUSR1 received. Doing graceful restart". Can it be that the config check takes so long? We have about 120 virtual hosts at the moment.
#9
General Discussion / Re: Roku DNS storm is impactin...
Last post by keeka - Today at 12:10:04 PM
Quote from: OPNenthu on June 10, 2026, 10:30:58 PM
Quick update-

The DNS storm seems to have stopped overnight but I'm not sure why.

I wouldn't bet on it. When I first noticed the increase in DNS queries, I left the Roku powered down for a short period. After restarting, DNS queries remained low for some time, but eventually returned to once per second for each of various hosts in logs.roku.com. I don't see any performance hits at that level, but it is rather irritating and does put me off buying more such devices.
#10
High availability / Re: Multi site HA - question ....
Last post by davidfnf - Today at 11:58:40 AM
Quote from: Sandyman on February 25, 2026, 06:55:10 PM
Hello
I look after two sites in a relatively remote area, they are about 1km apart.  Both sites have relatively high speed FTTP links (c. 300Mbps).  It is possible to install a wireless bridge between the sites.  It would be beneficial to install a cellular WAN, because cars frequently take the telegraph poles out causing weeks of outage!  However, only one site (site A) has cellular coverage. 

Assuming that both site A and site B have OPNsense units, that a wireless bridge link (WBL FNF) is available, say using a TP-Link EAP215, and a cellular WAN at site A.   

Is the following possible with OPNsense?
•    Allowing the sub nets at site A and site B to communicate using the WBL
•    Allowing site B to use the cellular WAN in case of FTTP failure at site B

If so, could you give me a pointer as to the features / configuration to explore?

Is there an easier way, perhaps I have missed something obvious?


Thank you in advance.

Yes, that should work. You can keep the two sites on separate subnets and route between them over the wireless bridge, then use Site A's cellular connection as a failover gateway for Site B if its FTTP link goes down.