Recent posts

#1
General Discussion / Re: Rule weirdness / Allow all...
Last post by lmoore - Today at 04:36:23 PM
Best to start by looking at the detailed information in the log (https://docs.opnsense.org/manual/logging_firewall.html#live-view), which is at the end of the line.

Click on the information icon. In the window which opens, scroll down to the end and look for the tcpflags line. You may see flags of F or R in the logs for the blocked connections, as they all relate to the connection which logged a pass at 14:45:23 - which should show a flag of S.

It may have been the connection was closed but the client belatedly sent flags to close the connection - judging by the time stamps.

Did you check the Apple System Status page at that time?
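As an added example (not part of the original post), a small Python check over constructed filterlog messages in the CSV layout the live view decodes, which separates blocked FIN/RST tails of a connection that earlier logged a pass with S from a blocked new SYN; the field names and all sample values are assumptions, not taken from the thread.

```python
import csv

# Assumed field layout of one OPNsense/FreeBSD filterlog message (the CSV
# part after "filterlog[pid]:"); only the fields this check uses matter.
COMMON = ["rulenr", "subrulenr", "anchor", "label", "interface", "reason",
          "action", "dir", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto", "protoname",
        "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]

# Constructed sample messages (not real log data): one pass with a SYN, two
# blocks for the same 5-tuple carrying only FIN/ACK and RST, and one block
# of a genuinely new SYN that a permissive rule set should have passed.
SAMPLE_LOG = """\
12,,,abc123,igb1,match,pass,in,4,0x0,,64,4711,0,DF,6,tcp,60,192.0.2.10,17.145.16.2,51234,443,0,S,1,,65535,,mss
0,,,def456,igb1,match,block,in,4,0x0,,64,4712,0,DF,6,tcp,40,192.0.2.10,17.145.16.2,51234,443,0,FA,2,3,1000,,
0,,,def456,igb1,match,block,in,4,0x0,,64,4713,0,DF,6,tcp,40,192.0.2.10,17.145.16.2,51234,443,0,R,4,,0,,
0,,,def456,igb1,match,block,in,4,0x0,,64,4714,0,DF,6,tcp,60,192.0.2.11,198.51.100.7,40000,443,0,S,5,,65535,,mss
"""


def parse_tcp4(line):
    """Return a dict for an IPv4 TCP filterlog message, or None for anything else."""
    fields = next(csv.reader([line]))
    if len(fields) < len(COMMON) + len(IPV4) or fields[8] != "4":
        return None
    rec = dict(zip(COMMON + IPV4 + TCP, fields))
    return rec if rec.get("protoname") == "tcp" else None


def classify_blocks(log_text):
    """Label each blocked TCP entry 'late-teardown' or 'new-connection'.

    A block whose flags contain F or R for a 5-tuple that earlier logged a
    pass with S is the tail of a connection whose state already expired;
    a blocked S (new SYN) is the case that actually needs a rule review.
    """
    passed = set()
    verdicts = []
    for line in log_text.splitlines():
        rec = parse_tcp4(line)
        if rec is None:
            continue
        key = (rec["src"], rec["srcport"], rec["dst"], rec["dstport"])
        flags = rec["tcpflags"]
        if rec["action"] == "pass" and "S" in flags:
            passed.add(key)
        elif rec["action"] == "block":
            late = key in passed and "S" not in flags and ("F" in flags or "R" in flags)
            verdicts.append((key, flags, "late-teardown" if late else "new-connection"))
    return verdicts
```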
#2
German - Deutsch / Re: Empfehlung für Access-Poin...
Last post by nero355 - Today at 04:13:26 PM
Quote from: Patrick M. Hausen on May 31, 2026, 08:47:09 PM
What would you recommend for WiFi if Unifi is perceived as too expensive and proprietary, and Mikrotik as powerful but also mightily complicated?

A central management plane is not required; there will be at most two devices. So a web UI per device is fine.
Quote from: Patrick M. Hausen on Today at 01:02:58 PM
Taking a hAP-axN would have the advantage of also getting a built-in switch.
https://www.omadanetworks.com/us/business-networking/omada-wifi-wall-plate/eap725-wall/

- Cheaper than UniFi but similar models.
- Should be usable without the Omada Controller too.
- 'Wall' models are the future IMHO :)

/My German is very bad... ;)
#3
Zenarmor (Sensei) / SOLVED: Zenarmor performance e...
Last post by jaykumar2005 - Today at 03:51:51 PM
Zenarmor team did verify the OPNsense installation and Zenarmor configuration. It came up during the investigation that the bandwidth drop was unaffected by Zenarmor either in Bypass mode or Stopped. This was not a Zenarmor issue.

After a few hours of digging through all the devices, I figured out that "Flow Control" was enabled on the switch-to-firewall port (PVID). Disabling flow control fixed the issue.

It's surprising that Iperf3 between the devices --> Switch --> FW was showing no issue at all. Only across devices --> Switch --> FW --> Speedtest was showing a drop in bandwidth; I was derailed by a misleading correlation.
#4
General Discussion / Re: Rule weirdness / Allow all...
Last post by mooh - Today at 03:43:48 PM
The rules
#5
General Discussion / Rule weirdness / Allow all not...
Last post by mooh - Today at 03:43:01 PM
I have a network that's supposed to have unrestricted IPv4 internet access. The rule set has worked fine for years. Today, I was made aware that some Apple iCloud service seems to be broken. Sure enough, with global logging on, I saw that connections to 17.145.16.2:443 were blocked by the default rule. While scratching my head trying to find out what went wrong, I saw that the pass rule kicked in again without any intervention.

The screenshot shows 2 source devices, but the pass rule doesn't care about the source address. No one else had access to the firewall.

What could possibly be the reason for this behaviour?

System is OPNsense 26.4_14-amd64
#6
For reference, I could test it myself now.

Here some screenshots with a Fritzbox as example:

https://github.com/opnsense/core/pull/10252#issuecomment-4592525328

I don't hide my prefix since it's dynamic anyway.
#7
I got this working on 25.7.

https://docs.opnsense.org/development/api.html#required-parameters-and-expected-responses
https://docs.opnsense.org/development/api/core/unbound.html
https://192.168.1.1/ui/unbound/overrides

The code below will set a new override, save the changes, then print all the current overrides.

import requests
from tabulate import tabulate

HOST = "192.168.1.1"
API_KEY = "xxx"
API_SECRET = "xxx"
# CA bundle (or True for the system store) that signed the firewall's web
# certificate; setting this to False disables TLS verification entirely.
VERIFY = True


def record_value(record, rr_type):
    """Return the value column of an override, depending on its record type."""
    if rr_type == "TXT":
        return record.get("txtdata", "")
    if rr_type == "MX":
        mx = record.get("mx", "")
        prio = record.get("mxprio", "")
        return f"{prio} {mx}".strip()
    # A / AAAA overrides carry their address in "server"
    return record.get("server", "")


def fqdn(record):
    """Join hostname and domain, skipping whichever part is empty."""
    hostname = record.get("hostname", "")
    domain = record.get("domain", "")
    return ".".join(part for part in [hostname, domain] if part)


def dns_rows(data):
    """Flatten the search_host_override response into table rows."""
    hosts = data.get("rows", [])

    rows = []
    for record in hosts:
        rows.append({
            "enabled": "yes" if str(record.get("enabled", "0")) == "1" else "no",
            "type": record.get("rr", ""),
            "name": fqdn(record),
            "value": record_value(record, record.get("rr", "")),
            "ttl": record.get("ttl", ""),
            "description": record.get("description", ""),
            "uuid": record.get("uuid", ""),
        })

    return sorted(rows, key=lambda row: (row["name"], row["type"], row["value"]))


# https://docs.opnsense.org/development/api/core/unbound.html

# set a record; the API expects a JSON body, so use json= rather than data=
# (a nested dict passed as data= would be form-encoded and lose the "host" object)
resp_set = requests.post(
    url=f"https://{HOST}/api/unbound/settings/add_host_override",
    auth=(API_KEY, API_SECRET),
    verify=VERIFY,
    json={
        "host": {
            "description": "description_here",
            "domain": "domain.com",
            "enabled": "1",
            "hostname": "test123",
            "mx": "",
            "mxprio": "",
            "rr": "A",
            "server": "127.0.0.69",
            "ttl": "60",
            "txtdata": ""
        }
    }
)
resp_set.raise_for_status()

# apply/save the change (empty POST body)
resp_save = requests.post(
    url=f"https://{HOST}/api/unbound/service/reconfigure/",
    auth=(API_KEY, API_SECRET),
    verify=VERIFY,
    data={}
)
resp_save.raise_for_status()

# get a list of current records; rowCount -1 asks for all rows at once
resp_get = requests.post(
    url=f"https://{HOST}/api/unbound/settings/search_host_override/",
    auth=(API_KEY, API_SECRET),
    verify=VERIFY,
    json={"current": 1, "rowCount": -1, "sort": {}}
)
resp_get.raise_for_status()

print(tabulate(dns_rows(resp_get.json()), headers="keys", tablefmt="github"))
#8
I'm lazy at home and have been using Zyxel access points for years (e.g. Zyxel NWA210AX), and I simply manage them in their cloud (although they also have local user interfaces). I save myself the controller, and roaming and all that stuff just works out of the box. I have no time for too much custom firmware or complicated configuration.

Runs well on the VLAN trunk of the OPNsense; they even have 2 ports for daisy chaining if you want.
#9
Taking a hAP-axN would have the advantage of also getting a built-in switch. The VLAN trunk can also be terminated directly on the OPNsense. But one thing at a time. Thanks again.
#10
Zenarmor (Sensei) / Re: Zenarmor performance expec...
Last post by sy - Today at 12:52:42 PM
Hi,

Yes, to access multicore support and achieve 10 Gbps performance, one would need to purchase the business edition.