"Recent posts
#1
Hardware and Performance / Re: DEC750 Questions
Last post by ProximusAl - Today at 11:26:56 AMNo response from that email either :(
It's like the shop doesnt have anyone working there.
It let me place an order, and crickets since the order acknowledgement.
It's like the shop doesnt have anyone working there.
It let me place an order, and crickets since the order acknowledgement.
#2
Q-Feeds (Threat intelligence) / Womens From Your Town - Anonym...
Last post by pedrohaa - Today at 11:23:27 AMGirls In Your City - No Verify - Anonymous Casual Dating
https://secrelocal.com
Womens In Your Town - Anonymous Adult Dating - No Selfie
https://secrelocal.com
Womens In Your Town - Anonymous Adult Dating - No Selfie
#3
German - Deutsch / Re: Probleme mit DNS + VLAN + ...
Last post by viragomann - Today at 11:20:51 AMDas sollte eigentlich funktionieren. Tut es aber nicht.
Ein offensichtliches Problem kann ich nicht erkennen. Ich würde daher den Paketfluss mit Paket Capture untersuchen.
Erst am Clients Interface. Da sollten die Pakete eigentlich ankommen.
Und dann am WAN. Das zeigt dann auch, ob OPNsense korrekt routet und nattet.
Ein offensichtliches Problem kann ich nicht erkennen. Ich würde daher den Paketfluss mit Paket Capture untersuchen.
Erst am Clients Interface. Da sollten die Pakete eigentlich ankommen.
Und dann am WAN. Das zeigt dann auch, ob OPNsense korrekt routet und nattet.
#4
German - Deutsch / Re: Dynamische WAN IP - Info-M...
Last post by viragomann - Today at 11:15:31 AMDanke für den Anstoß.
Ich hatte explizit nach einer Lösung mit Monit im Netz gesucht, aber nichts brauchbares gefunden, und mit dem Modul bin ich auch noch nicht wirklich vertraut.
Für Dyn. DNS Updates nutze ich das native Backend, weil ich mit dem ddclient FreeDNS nicht updaten konnte, obwohl ein Template integriert ist.
Die aktuelle IP habe ich aber in /tmp/pppoe0_oldip gefunden.
Ja, Monit könnte mich auf diese Weise über eine Änderung des File-Inhalts informieren, allerdings würde mich im Fall einer Änderung der neue Inhalt interessieren.
Zweck ist, die IP zu kennen, um mich per VPN zu verbinden, falls das Dyn DNS Update fehlschlägt.
Es bräuchte also noch die Möglichkeit, dass Monit Inhalt eines Files ins Mail integriert. Aber eine solche kann ich nicht finden.
Könnte man das eventuell im "Mail format" angeben?
Grüße
Ich hatte explizit nach einer Lösung mit Monit im Netz gesucht, aber nichts brauchbares gefunden, und mit dem Modul bin ich auch noch nicht wirklich vertraut.
Für Dyn. DNS Updates nutze ich das native Backend, weil ich mit dem ddclient FreeDNS nicht updaten konnte, obwohl ein Template integriert ist.
Die aktuelle IP habe ich aber in /tmp/pppoe0_oldip gefunden.
Ja, Monit könnte mich auf diese Weise über eine Änderung des File-Inhalts informieren, allerdings würde mich im Fall einer Änderung der neue Inhalt interessieren.
Zweck ist, die IP zu kennen, um mich per VPN zu verbinden, falls das Dyn DNS Update fehlschlägt.
Es bräuchte also noch die Möglichkeit, dass Monit Inhalt eines Files ins Mail integriert. Aber eine solche kann ich nicht finden.
Könnte man das eventuell im "Mail format" angeben?
Grüße
#5
German - Deutsch / Speedtest unterschiedlich zwis...
Last post by budda85 - Today at 11:15:08 AMHallo zusammen,
aktuell habe ich das Problem, dass mein Internet sehr langsam ist. Das zeigt sich zum Beispiel darin, dass meine zwei Internetradios ständig am Puffern sind und es keinen durchgehenden Stream gibt.
Das erste was ich dann mal durchführen wollte um das Problem zu finden, war ein Speedtest mit meiner Opensense. Mit dem Community Speedtestplugin habe ich das dann gestartet und festgestellt, dass es erhebliche Unterschiede zwischen der HTTP und der Socket Methode gibt.
Ich habe von Vodefone eine 500/50 Leitung gebucht. In dem Screenshot sind die ersten beiden Tests mit der Socket Methode durchgeführt und die letzten beiden mit der http.
You cannot view this attachment.
Jetzt stelle ich mir die Frage wo dieser Unterschied herkommt und ob ich eventuell auch hier schon auf mein eigentliches Problem stoße.
Gruß, budda
aktuell habe ich das Problem, dass mein Internet sehr langsam ist. Das zeigt sich zum Beispiel darin, dass meine zwei Internetradios ständig am Puffern sind und es keinen durchgehenden Stream gibt.
Das erste was ich dann mal durchführen wollte um das Problem zu finden, war ein Speedtest mit meiner Opensense. Mit dem Community Speedtestplugin habe ich das dann gestartet und festgestellt, dass es erhebliche Unterschiede zwischen der HTTP und der Socket Methode gibt.
Ich habe von Vodefone eine 500/50 Leitung gebucht. In dem Screenshot sind die ersten beiden Tests mit der Socket Methode durchgeführt und die letzten beiden mit der http.
You cannot view this attachment.
Jetzt stelle ich mir die Frage wo dieser Unterschied herkommt und ob ich eventuell auch hier schon auf mein eigentliches Problem stoße.
Code Select
Versionen
OPNsense 25.7.9-amd64
FreeBSD 14.3-RELEASE-p5
OpenSSL 3.0.18Code Select
WAN / Internet
:
: Vodafone
:
.-----+-----.
| Gateway | (CableModem, TC4400-EU)
'-----+-----'
|
WAN | IP or Protocol
|
.-----+------. private DMZ .------------.
| OPNsense +-----------------+ DMZ-Server |
'-----+------' 192.168.50.1 '------------'
|
LAN | 192.168.10.1/24
|
.-----+------.
| LAN-Switch |
'-----+------'
|
...-----+------... (Clients/Servers)
Gruß, budda
#6
25.7, 25.10 Series / Re: Time based Shaper?
Last post by knebb - Today at 11:05:18 AMHi,
thanks for the hints. I am currently configuring it. Still not understanding how it all works together, especially the two rule types and the issue with the reported bug...
Created a FW-rule on the (NATed) WAN interface (outgoing, src: VoIP VLAN) to assign traffic to the VoIP Shaper Queue (which is bound to the VoIP pipe, limited to 10Mb/s). Queue weight is 90.
Then created a schedule for "office times" and used a FW-rule to assign any other traffic (excluding the VoIP) to the "default office time upload queue" which is assigned to a pipe and by this limited to 365Mb/s (guaranteed value of 375Mb/s less the 10Mb/s for VoIP). This sheduled rule is ordered before the above one. Weight of the queue is 10.
So I have:
Disabled all Shapoer rules.
Created a FW rule on the WAN interface:
(Tried to assign the reverse traffic to the same queue, same result)
My expection:
Outgoing traffic should be limited to 365Mb/sec.
My observation:
Outgoing traffic is NOT limited.
I even see in the FW-protocol the traffic is assigned to the queue.
Any idea?
thanks for the hints. I am currently configuring it. Still not understanding how it all works together, especially the two rule types and the issue with the reported bug...
Created a FW-rule on the (NATed) WAN interface (outgoing, src: VoIP VLAN) to assign traffic to the VoIP Shaper Queue (which is bound to the VoIP pipe, limited to 10Mb/s). Queue weight is 90.
Then created a schedule for "office times" and used a FW-rule to assign any other traffic (excluding the VoIP) to the "default office time upload queue" which is assigned to a pipe and by this limited to 365Mb/s (guaranteed value of 375Mb/s less the 10Mb/s for VoIP). This sheduled rule is ordered before the above one. Weight of the queue is 10.
So I have:
- Pipe VoIP - Limit 20
- Pipe LAN daytime - Limit 365
- Pipe LAN nighttime - Limit 500
- Queue VoIP - weight 90
- Queue LAN daytime - weight 50
- Queue LAN nighttime - weight 50
Disabled all Shapoer rules.
Created a FW rule on the WAN interface:
- Outgoing, src: LAN, DST: any, protocol: any, schedule: daytime, traffic shaping in rule direction: Queue LAN daytime
(Tried to assign the reverse traffic to the same queue, same result)
My expection:
Outgoing traffic should be limited to 365Mb/sec.
My observation:
Outgoing traffic is NOT limited.
I even see in the FW-protocol the traffic is assigned to the queue.
Any idea?
#7
Development and Code Review / Re: Automating configuration o...
Last post by bimbar - Today at 10:53:12 AMI dream of a direct CLI interface to the configuration like for example juniper or fortinet.
#8
General Discussion / Zoraxy Reverse Proxy does not ...
Last post by crazywolf13 - Today at 10:45:10 AMHi
So issue is between Zoraxy (Reverse Proxy written in Go) and OPNsense WebUI. Currently Zoraxy seems to work with most if not all sites except OPNSense.
When trying to add a HTTP Proxy for OPNsense there are a couple of options available:
- [] Allow plain HTTP access # Allow inbound connections without TLS/SSL
- [] Disable Requests Logging # Disable logging for all incoming requests for this hostname
- [] Disable Statistic Collection # Disable collecting statistics for this hostname but keep request logging
- [] Monitor Uptime # Enable active uptime monitor and auto disable upstreams that are offline
- [] Use Sticky Session # Enable stick session on load balancing
- [] Disable Chunked Transfer Encoding # Enable this option if your upstream uses a legacy HTTP server implementation (e.g. Proxmox / opencloud)
- [] Require TLS # Proxy target require HTTPS connection
- [] Skip Verification # Check this if proxy target is using self signed certificates
- [] Skip WebSocket Origin Check # Check this to allow cross-origin websocket requests
It's also possible to set/remove headers on zoraxy>client or zoraxy>origin
I've tried about every possible way and could not get it to work, I seem to be not the only one: https://github.com/tobychui/zoraxy/discussions/228
I've tried this suggestion: https://github.com/opnsense/plugins/issues/4471#issuecomment-2742109624 which did not work and also this one https://github.com/opnsense/plugins/issues/4471#issuecomment-2599639355 by adding the line
Here a curl output of the site:
Zoraxy does not seem to have an option to force a specific HTTP version, and as this is not neccessary for any other proxy setup in my homelab (50+ http proxies) I think there should be another way?
It would be very nice if we could get to the bottom of this, thanks!
So issue is between Zoraxy (Reverse Proxy written in Go) and OPNsense WebUI. Currently Zoraxy seems to work with most if not all sites except OPNSense.
When trying to add a HTTP Proxy for OPNsense there are a couple of options available:
- [] Allow plain HTTP access # Allow inbound connections without TLS/SSL
- [] Disable Requests Logging # Disable logging for all incoming requests for this hostname
- [] Disable Statistic Collection # Disable collecting statistics for this hostname but keep request logging
- [] Monitor Uptime # Enable active uptime monitor and auto disable upstreams that are offline
- [] Use Sticky Session # Enable stick session on load balancing
- [] Disable Chunked Transfer Encoding # Enable this option if your upstream uses a legacy HTTP server implementation (e.g. Proxmox / opencloud)
- [] Require TLS # Proxy target require HTTPS connection
- [] Skip Verification # Check this if proxy target is using self signed certificates
- [] Skip WebSocket Origin Check # Check this to allow cross-origin websocket requests
It's also possible to set/remove headers on zoraxy>client or zoraxy>origin
I've tried about every possible way and could not get it to work, I seem to be not the only one: https://github.com/tobychui/zoraxy/discussions/228
I've tried this suggestion: https://github.com/opnsense/plugins/issues/4471#issuecomment-2742109624 which did not work and also this one https://github.com/opnsense/plugins/issues/4471#issuecomment-2599639355 by adding the line
Code Select
server.http-parseopts = ( "method-get-body" => "enable" ) to the file: /usr/local/etc/lighttpd/lighttpd.conf I hope that's the correct one? Both of these suggested fixes did not work for zoraxy, I'm still getting the Bad request error:Here a curl output of the site:
Code Select
❯❯ curl -v https://opnsense.XXX.dev
* Host opnsense.XXX.dev:443 was resolved.
* IPv6: (none)
* IPv4: 10.10.20.9
* Trying 10.10.20.9:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Established connection to opnsense.XXX.dev (10.10.20.9 port 443) from XXX port 57877
* using HTTP/1.x
> GET / HTTP/1.1
> Host: opnsense.XXX.dev
> User-Agent: curl/8.16.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* Request completely sent off
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Length: 2789
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< Content-Type: text/html; charset=UTF-8
< Date: Tue, 09 Dec 2025 09:10:56 GMT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Referrer-Policy: same-origin
< Server: OPNsense
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly
< Set-Cookie: cookie_test=XXX; expires=Tue, 09 Dec 2025 10:10:56 GMT; Max-Age=3600; path=/; secure; HttpOnly
< Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 1; mode=block
<
<!doctype html>
<html lang="en-US" class="no-js">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="robots" content="noindex, nofollow" />
<meta name="keywords" content="" />
<meta name="description" content="" />
<meta name="copyright" content="" />
<meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
<meta name="mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<title>Login | OPNsense</title>
<link href="/ui/themes/rebellion/build/css/main.css?v=190a5ea47ddfe74a" rel="stylesheet">
<link href="/ui/themes/rebellion/build/images/favicon.png?v=190a5ea47ddfe74a" rel="shortcut icon">
<script src="/ui/js/jquery-3.5.1.min.js"></script>
<script src="/ui/js/theme.js?v=190a5ea47ddfe74a"></script>
<script>
$( document ).ready(function() {
$.ajaxSetup({
'beforeSend': function(xhr) {
xhr.setRequestHeader("X-CSRFToken", "lsIHDJMZv7fNwZEWS_S0Pw" );
}
});
});
</script>
</head>
<body class="page-login">
<div class="container">
<main class="login-modal-container">
<header class="login-modal-head" style="height:50px;">
<div class="navbar-brand">
<img src="/ui/themes/rebellion/build/images/default-logo.png?v=190a5ea47ddfe74a" height="30" alt="logo" />
</div>
</header>
<div class="login-modal-content">
<div id="inputerrors" class="text-danger"> </div><br />
<form class="clearfix" id="iform" name="iform" method="post" autocomplete="off"><input type="hidden" name="NqqKPVoCWf2rymUXMqttXQ" value="lsIHDJMZv7fNwZEWS_S0Pw" autocomplete="new-password" />
<div class="form-group">
<label for="usernamefld">Username:</label>
<input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
</div>
<div class="form-group">
<label for="passwordfld">Password:</label>
<input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
</div>
<button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>
</form>
</div>
</main>
<div class="login-foot text-center">
<a target="_blank" href="https://opnsense.org/">OPNsense</a> (c) 2014-2025 <a target="_blank" href="https://www.deciso.com/">Deciso B.V.</a>
</div>
</div>
</body>
</html>
* Connection #0 to host opnsense.XXX.dev:443 left intact
Zoraxy does not seem to have an option to force a specific HTTP version, and as this is not neccessary for any other proxy setup in my homelab (50+ http proxies) I think there should be another way?
It would be very nice if we could get to the bottom of this, thanks!
#9
25.7, 25.10 Series / Re: Local DNS overrides no lon...
Last post by meyergru - Today at 09:51:02 AMYou do not have to set an upstream DNS server for Unbound at all, because it can resolve on its own.
Try leaving the DNS servers empty in System:Settings:General and uncheck both "DNS server options" on that page.
Try leaving the DNS servers empty in System:Settings:General and uncheck both "DNS server options" on that page.
#10
25.7, 25.10 Series / Re: Could This Be The Reason?
Last post by Monviech (Cedrik) - Today at 09:47:48 AMThe issue with a readme is that people do not read a readme in general. And if its too long its TL:DR so even less people even attempt to give it a go.
Better keep it as short and concise as possible, like e.g. the rules of the internet. xD
Better keep it as short and concise as possible, like e.g. the rules of the internet. xD
