Recent posts

#1
26.1, 26,4 Series / Re: Connectivity Audit - No IP...
Last post by vk2him - Today at 09:43:08 AM
Thanks guys, yes I'm running AdGuard Home - strange, as I've been running AGH and IPv6 for a long time and the IPv6 Connectivity Audit always worked for IPv6 until recently.

I just tried renaming mimugmail.conf to mimugmail-full.conf and the IPv6 Connectivity Audit then worked; however, it wasn't able to perform the mimugmail repository update as it couldn't find mimugmail.conf, so I reverted the name back to mimugmail.conf.

I also noticed I had the priority for mimugmail.conf set to 5, so I changed that to 150; however, the IPv6 connectivity audit still failed.

I wonder if it is possible to force the IPv6 connectivity audit to use the same config that is used for IPv4?

#2
I have network group aliases with multiple URL tables exactly for the purpose of source invert to express "not in any of these block lists".

As for the underlying logic - I'm not a core developer, sorry.
#3
26.1, 26,4 Series / Re: "Inverting destinations is...
Last post by techturtle - Today at 09:14:42 AM
Thanks for the answer - you mean Network group alias, right?

Group alias seems to only support other Network and Host aliases, though I also need to nest External and URL Table. In the past I had some timing issues where values of child aliases (ipsets; External type alias) weren't populated into the parent alias quickly enough. Apparently a group alias is only guaranteed to be eventually consistent with all child aliases, not immediately, as all values are copied over and not referenced. Or has this synchronization been improved in recent versions? Otherwise, unfortunately, that's not a viable solution for me.

Quote from: Patrick M. Hausen on May 29, 2026, 04:59:05 PM
    Since the logic cannot easily be changed
Can you (or someone else) elaborate, why not / what would need to be done?
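The pf semantics behind "not in any of these lists", shown here as an added illustration rather than code from the thread or from OPNsense: in pf.conf the `!` negates a single address operand of one expanded rule, so "not in A and not in B" can only be written as one negation of a table that holds the union (the structure an OPNsense network group alias produces by copying its children's values into one table) or as explicit block rules ahead of the pass. The interface macro and file paths below are placeholders.

```pf
# Two pass rules, each negating one table, do NOT mean "not in either list":
# a source that is in <list_a> only fails the first rule but matches the
# second one, so it is passed anyway.
pass in quick on $lan from ! <list_a> to any
pass in quick on $lan from ! <list_b> to any

# One table holding the union: a single negation now means "not in any".
# This is what a group alias built from several URL table aliases gives you.
table <blocklists> persist file "/etc/pf/list_a.txt" file "/etc/pf/list_b.txt"
pass in quick on $lan from ! <blocklists> to any

# Equivalent without a merged table: block the lists first, then pass.
# A list in a block rule is safe, it expands to one block rule per table.
block in quick on $lan from { <list_a>, <list_b> } to any
pass in quick on $lan from any to any
```

The first form is the one that looks right and silently is not; the other two are the only shapes pf can evaluate as "not in any", which is why the merged alias exists.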
#4
26.1, 26,4 Series / Re: Connectivity Audit - No IP...
Last post by dseven - Today at 09:02:52 AM
The audit scripts basically just pick the first (based on config filename) enabled package repo and use that as the test target, even if it's a third-party repo. That seems a bit ... fragile.

If you want to kludge around it, you probably could rename /usr/local/etc/pkg/repos/mimugmail.conf to mimugmail-full.conf (or something like that). If the filename doesn't match the repo name, the scripts will skip it (but it should still work as a pkg repo).
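A standalone check in the spirit of what this thread is after, added as an example here (it is not OPNsense's connection audit script and does not reproduce its repo-selection rule): parse every pkg repo config file, list the enabled repos with the host taken from each url, and, when run with --live, test each host's A and AAAA records and an HTTPS fetch over IPv4 and IPv6 separately, so a repo that only has an A record is reported as such instead of standing in for the whole IPv6 check. The sample config files are constructed copies of the ones posted in the thread; the repo directory path, the --live switch and the use of host(1) and fetch(1) from FreeBSD base are assumptions.

```shell
#!/bin/sh
# Added example, not OPNsense's connection audit script. Lists every enabled
# pkg repository with the host from its url and, with --live, checks each host
# over IPv4 and IPv6 separately. Assumptions: the default repo directory below,
# host(1)/fetch(1) for the live checks, constructed sample files in make_demo_dir.

REPO_DIR="${REPO_DIR:-/usr/local/etc/pkg/repos}"

# enabled_repos DIR: print "name host" for each enabled repo block in DIR/*.conf.
# Blocks are UCL, "name: { ... url: "...", ... enabled: yes|no ... }", either on
# one line (FreeBSD.conf) or spread over several; url may be unquoted (ntop.conf).
enabled_repos() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk '
            match($0, /^[A-Za-z0-9_.-]+:[ \t]*\{/) {      # start of a repo block
                name = substr($0, 1, RLENGTH); sub(/:.*/, "", name)
                url[name] = ""; on[name] = "no"; order[++n] = name
            }
            name != "" && /url:/ {                          # keep the bare url
                u = $0; sub(/.*url:[ \t]*"?/, "", u); sub(/"?,?[ \t]*$/, "", u)
                url[name] = u
            }
            name != "" && /enabled:[ \t]*yes/ { on[name] = "yes" }
            END {
                for (i = 1; i <= n; i++) {
                    r = order[i]
                    if (on[r] != "yes") continue
                    h = url[r]                               # scheme://host[:port]/path -> host
                    sub(/^[a-z]+:\/\//, "", h); sub(/\/.*/, "", h); sub(/:.*/, "", h)
                    print r, h
                }
            }
        ' "$f"
    done
}

# check_host HOST: one line per address family saying whether HOST has an
# A/AAAA record and whether an HTTPS fetch of / succeeds over that family.
# Needs the network, so the offline demo below does not call it.
check_host() {
    h="$1"
    for fam in 4 6; do
        if [ "$fam" = 4 ]; then rr=A; else rr=AAAA; fi
        if host -t "$rr" "$h" | grep -Eq 'has (IPv6 )?address'; then
            if fetch -"$fam" -q -o /dev/null "https://$h/" 2>/dev/null; then
                echo "$h IPv$fam: $rr record, HTTPS fetch OK"
            else
                echo "$h IPv$fam: $rr record, HTTPS fetch FAILED"
            fi
        else
            echo "$h IPv$fam: no $rr record"
        fi
    done
}

# make_demo_dir: constructed copies of the repo files from the thread, written
# to a temp directory whose path is printed.
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'FreeBSD: { enabled: no }' 'FreeBSD-kmods: { enabled: no }' > "$d/FreeBSD.conf"
    cat > "$d/OPNsense-aux.conf" <<'EOF'
OPNsense-aux: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://pkg.opnsense.org/${ABI}/26.1/aux",
  signature_type: "fingerprints",
  priority: 11,
  enabled: no
}
EOF
    cat > "$d/OPNsense.conf" <<'EOF'
OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://pkg.opnsense.org/${ABI}/26.1/latest",
  signature_type: "fingerprints",
  priority: 11,
  enabled: yes
}
EOF
    cat > "$d/mimugmail.conf" <<'EOF'
mimugmail: {
  url: "https://opn-repo.routerperformance.net/repo/${ABI}",
  priority: 5,
  enabled: yes
}
EOF
    cat > "$d/ntop.conf" <<'EOF'
ntop: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/ntop",
  url: https://packages.ntop.org/FreeBSD/${ABI}/latest,
  signature_type: "fingerprints",
  priority: 100,
  enabled: yes
}
EOF
    echo "$d"
}

if [ "${1:-}" = --live ]; then
    enabled_repos "$REPO_DIR" | while read -r name host; do
        echo "== $name ($host)"; check_host "$host"
    done
else
    d=$(make_demo_dir); enabled_repos "$d"; rm -rf "$d"
fi
```

Run it as `sh check-repos.sh` for the offline listing of the constructed files, or `sh check-repos.sh --live` on the firewall to test every enabled repo host; disabled blocks (FreeBSD, OPNsense-aux) are skipped, and a host with no AAAA record is reported per repo rather than as a global "no IPv6".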
#5
That is the community repo run by Michael Münz that you must have added manually at some time. Did you install AdGuard Home or Unifi Controller, possibly?

That repo does not have IPv6 connectivity.
#6
26.1, 26,4 Series / Connectivity Audit - No IPv6 a...
Last post by vk2him - Today at 04:08:27 AM
I've noticed a connectivity audit indicates I have no IPv6 connection, even though I have IPv6 working fine on my system. I can ping6 and traceroute6 from OPNsense SSH and from a client without issue, and the correct IPv6 firewall rules are enabled.

test-ipv6.com also reports IPv6 is working.

Here is the output - is opn-repo.routerperformance.net the correct repo for IPv6, as a Google search indicates it only has an IPv4 address?

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 26.1.8_5 (amd64) at Sat May 30 11:45:49 AEST 2026

Current repository configuration:
/usr/local/etc/pkg/repos/FreeBSD.conf:
FreeBSD: { enabled: no }
FreeBSD-kmods: { enabled: no }
/usr/local/etc/pkg/repos/OPNsense-aux.conf:
OPNsense-aux: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://pkg.opnsense.org/${ABI}/26.1/aux",
  signature_type: "fingerprints",
  priority: 11,
  enabled: no
}
/usr/local/etc/pkg/repos/OPNsense.conf:
OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "https://pkg.opnsense.org/${ABI}/26.1/latest",
  signature_type: "fingerprints",
  priority: 11,
  enabled: yes
}
/usr/local/etc/pkg/repos/mimugmail.conf:
mimugmail: {
  url: "https://opn-repo.routerperformance.net/repo/${ABI}",
  priority: 5,
  enabled: yes
}

/usr/local/etc/pkg/repos/ntop.conf:
ntop: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/ntop",
  url: https://packages.ntop.org/FreeBSD/${ABI}/latest,
  signature_type: "fingerprints",
  priority: 100,
  enabled: yes
}

Checking connectivity for host: opn-repo.routerperformance.net -> 46.16.78.247
PING 46.16.78.247 (46.16.78.247): 1500 data bytes
1508 bytes from 46.16.78.247: icmp_seq=0 ttl=48 time=251.814 ms
1508 bytes from 46.16.78.247: icmp_seq=1 ttl=48 time=251.098 ms
1508 bytes from 46.16.78.247: icmp_seq=2 ttl=48 time=251.640 ms
1508 bytes from 46.16.78.247: icmp_seq=3 ttl=48 time=251.238 ms

--- 46.16.78.247 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 251.098/251.448/251.814/0.291 ms

Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 928 packages processed.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: ... done
Processing entries: .......... done
mimugmail repository update completed. 189 packages processed.
Updating ntop repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: . done
Processing entries: . done
ntop repository update completed. 6 packages processed.
All repositories are up to date.

No IPv6 address could be found for host: opn-repo.routerperformance.net

Checking server certificate for host: opn-repo.routerperformance.net
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E7
verify return:1
depth=0 CN = opn-repo.routerperformance.net
verify return:1
DONE
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***
#7
As already mentioned, make sure all the layer-1 stuff is good end-to-end.
Verify config on both ends.

Last resort, inquiry with vendor for possible grayware.
#8
Intrusion Detection and Prevention / Issues with Divert (IPS)
Last post by dubbz - Today at 03:02:24 AM
Alright, I've been troubleshooting this for two days now and I'm completely out of ideas as to what could be wrong at this point. I've tried various YouTube videos, guides on the internet, searches through this forum (nothing quite fit this issue), and LLM chats. I'll dump as much info as I can remember, but if there's anything extra I can show/provide, just let me know and I'll be happy to add it. The issue is that I am using the Divert (IPS) capture mode through Intrusion Detection; however, even with settings enabled and my particular test method set to drop in the rules, it simply refuses to drop. To note, the IDS aspect seems to be working, as I go into Intrusion Detection > Administration > Alerts and I find alerts from Steam and Discord from my computer on my LAN network, so it just seems to be the IPS aspect that is failing.

I do not know if this is happening because of my specific test method or because something else is wrong, and at this point I'm at a loss. I will preface that I used Google and ChatGPT in the setup and troubleshooting process when I stopped getting results in normal search, and am not experienced with OPNsense, so it's pretty likely that I've just configured something wrong. I initially configured based on videos and manual documents, had some initial issues with general networking that I resolved and some configuration issues on the IDS side, but most of that seems to be straightened out. I'll add as much as I can think of for my setup and specs below, but if there's anything else that would help, I'm happy to provide.

Hardware:
Sophos XG 210 Rev. 3, upgraded to i5-6500 CPU, 8GB RAM, factory Intel interface for the ports.

ISP:
Spectrum

Firmware:
OPNsense 26.1.8_5-amd64
FreeBSD 14.3-RELEASE-p12
OpenSSL 3.0.20

LAN connection:
-Wired through a Netgear SG108 8 port unmanaged switch for traffic to my PC, Synology NAS and Proxmox server, subnet 192.168.1.0/24

WAN connection:
-Direct from my Arris Surfboard SBG7400AC2 running in bridge mode so it doesn't handle anything but Coax to ethernet

OPT1/Wifi:
-Being used to run dedicated WIFI on a different subnet, will work on VLAN options for IoT later but for now, just WIFI and no VLAN anywhere else in the network. Ethernet running to WAN port on a Netgear R6900v2 router, handling DHCP for connected devices, subnet 192.168.2.0/24

-Remaining ports not yet configured.

System configuration:
  • System is mostly default, I do have two gateways though. I believe the first, which is the WAN_DHCP gateway, was configured with the wizard during initial setup since my ISP does DHCP. Second is a gateway configured for the Netgear router and configured at 192.168.3.2.
  • I've also got a single route configured for the WIFI using 192.168.2.0/24 as the network address and the above gateway for the configured gateway.
  • I also have SSH, root login, and password login enabled for testing purposes but once fully deployed, those will be disabled. Probably not relevant but just throwing it out there.
  • I do have some cron jobs set up as well to keep my GeoIP database and Unbound DNS blocklists updated as well as one to update and reload IDS rules.
Interfaces:
  • LAN: Only changes from default are IPv4 Configuration Type: Static IPv4 and IPv4 Address: 192.168.1.1/24, DHCP is being handled by Kea DHCP.
  • WAN: Block private networks: enabled, Block bogon networks: enabled, IPv4 Configuration Type: DHCP so it can be assigned by ISP.
  • WIFI: IPv4 Configuration Type: Static IPv4, IPv4 address: 192.168.3.1/24, static for route and gateway so it can handle its own DHCP.
  • Settings: Disable hardware checksum offload: checked, Disable hardware TCP segmentation offload: checked, Disable hardware large receive offload: checked, VLAN hardware filtering: Disabled

Firewall:
  • Aliases: I have some aliases set up to forward ports to some of my servers since one of the Proxmox containers is a game server host and occasionally needs new ports forwarded. This also handles my GeoIP blocked countries and port forwarding to my Nginx Proxy Manager container. I don't think these will be relevant but if so, let me know and I'll provide detailed settings.
  • NAT > Destination NAT: I have some NAT rules here to route ports to the appropriate servers (Jellyfin, Synology NAS, Game server, Element-Synapse, Nginx)
  • Rules [new]: If I had to guess, this is probably where my problem is, I'll provide my rule order below.
-----TOP-----
LAN UDP Rule: Special rule sending syslog from my Nginx server to the firewall on port 5140 for blocking purposes

DROP>WAN>SOURCE:Blocked_Countries
  • Interface: WAN, Quick: checked, Action: Block, Direction: In, Protocol: any, Source: Blocked_Countries, Destination: any, Divert-to: none, State type: Keep, all else: default.

DROP>WAN>SOURCE:CrowdSec_Blocklists
  • Interface: WAN, Quick: checked, Action: Block, Direction: In, Protocol: any, Source: CrowdSec_Blocklists, Destination: any, Divert-to: none, State type: Keep, all else: default.

PASS>WIFI>SOURCE: 192.168.3.0/24>WIFI IPS Rule
  • Interface: WIFI, Quick: Unchecked, Action: Pass, Direction: In, Protocol: TCP, Source: Single Network: 192.168.3.0/24, Destination: any, TCP flags any: Checked, Divert-to: Intrusion Detection, State type: Sloppy, all else: default.

PASS>WIFI>SOURCE: 192.168.3.0/24>WIFI Inbound Rule
  • Interface: WIFI, Quick: Checked, Action: Pass, Direction: In, Protocol: Any, Source: Single Network: 192.168.3.0/24, Destination: any, TCP flags any: Unchecked, Divert-to: None, State type: Keep, all else: default.

PASS>LAN>SOURCE: LAN network>LAN IPS Rule
  • Interface: LAN, Quick: Checked, Action: Pass, Direction: In, Protocol: TCP, Source: LAN network, Destination: any, TCP flags any: Checked, Divert-to: Intrusion Detection, State type: No state, Disable reply-to: Checked, all else: default.

PASS>LAN>SOURCE: 192.168.1.0/24>LAN Inbound Rule
  • Interface: LAN, Quick: Checked, Action: Pass, Direction: In, Protocol: TCP, Source: Single Network: 192.168.1.0/24, Destination: any, TCP flags any: Unchecked, Divert-to: None, State type: Keep, all else: default.


Services:
I've done configurations to CrowdSec, Dynamic DNS, Kea DHCP, and Unbound DNS in addition to the Intrusion Detection but I'm not certain that is relevant so I'll spare you the clutter. Let me know if it is and I can provide any relevant info.
-Intrusion Detection>Settings:
  • Enabled: Checked, Capture mode: Divert(IPS), Listeners: 1, Pattern matcher: Hyperscan, Home networks: 1.0/24 and 2.0/24 on top of the defaults it adds, All else: default
-Download:
  • Abuse.ch/SSL fingerprint and IP blacklists: Enabled + Installed, ET Open lists: Enabled + Installed, OPNsense-App-detect: Enabled + Installed
-Rules:
  • Currently only 4 set to drop, all others set to alert only. Drop: Emerging-malware.rules, opnsense.test.rules (OPNsense test EICAR virus), local.rules (BLOCK TESTMYNIDS)
-User defined:
  • Empty
-Alerts:
  • This part tells me it is at least working in IDS as it has been detecting Steam and Discord from my main PC, Alert: ET USER_AGENTS Steam HTTP Client User-Agent, ET INFO Observed Discord Domain (discord .com in TLS SNI), ET INFO Observed UA-CPU Header, ET INFO GNU/Linux APT User-Agent Outbound likely related to package management, GPL ATTACK_RESPONSE id check returned root
-Policy:
  • all default


I believe that is all the relevant firewall info but let me know if I can add anything else to help. From here, ChatGPT and Google had me testing through SSH a lot, particularly with these three curl commands:
curl http://testmynids.org/
curl http://testmynids.org/uid/eicar.com
curl http://testmynids.org/uid/index.html

I was using those to monitor the eve.json (tail -f /var/log/suricata/eve.json) through SSH to see if EICAR would be flagged. I confirmed Suricata was running, rules loaded, the policies were enabled, PF was stable, and the divert rules existed, but eve.json never caught the test traffic and every attempt to curl succeeded. Notably, there were even times where the curl for eicar.com and index.html would hang for about 7 seconds, I would hear the fan on my firewall spin up, then it would return the info, so it appears it was actively inspecting the traffic but never stopping it.

I think I'm about out of info to dump but I do want to point out something about the rules too. I ended up testing a lot of different rule settings and primarily with just the LAN and WAN interfaces to eliminate any possible problems from the Netgear router. I tried Quick checked and unchecked, protocol as any and TCP, TCP flags any checked and unchecked, state type as keep, sloppy, and none, disable reply-to checked and unchecked, and the interfaces set to the individual interfaces as well as fresh floating rule with WAN and LAN so it would be at the top as well as all the above setting changes to the floating as well. I never created a rule under the old Rules section but I do see some present so I presume it generates them in both places. I think that's all I have right now but again, anything else that can help you in helping me, just let me know

Thanks for any help you can give,
Dubbz


#9
General Discussion / Packet received by interface b...
Last post by Somnolus - Today at 01:54:32 AM
I'm trying to pass a very specific UDP packet from one interface to another on different networks on the same router. I've run a packet capture on both interfaces; I can see the packet coming in on the input interface but it just disappears after that. There are no firewall logs indicating the packet was blocked. I've tried sending the packet through with the firewall and NAT disabled but it still doesn't get processed. I'm convinced it's either the interface or kernel blocking the packet before the firewall can process it.

If anyone has any tips on where I can look to see why the packet is being blocked, that would be great. Any help would be appreciated here as I'm at a complete loss on where to troubleshoot next.
#10
General Discussion / IDS Home Networks - IPv6 Prefi...
Last post by MrHappyHippo - May 29, 2026, 11:13:20 PM
Hi everyone,

I have a question regarding the IDS configuration in OPNsense when using IPv6 with dynamic prefix delegation from the ISP.

Under:

Services → Intrusion Detection → Administration

there is the setting:

Home networks

Current default value:

192.168.0.0/16
10.0.0.0/8
172.16.0.0/12

The hint says:

"Networks to interpret as local"

For IPv4 this is straightforward, but I am unsure how this should properly be configured for IPv6 when the ISP delegated prefix changes dynamically.

Example:

LAN currently receives a delegated /64
Prefix may change after reconnect/reboot

Questions:

Should the current delegated IPv6 LAN subnet be manually added here?
Is there a recommended way to handle dynamic IPv6 prefixes?
Can interface macros/variables like $LAN_NET be used in this field?
What is the recommended best practice for IDS Home Networks with IPv6 PD?

I would appreciate clarification on the intended/recommended configuration.

Thanks!