Recent posts

#1
Not clicking on links but... I would check that you have disabled "block private networks" on the WAN interface configuration and that your NAT rule prob should work better with "WAN address" as the destination.
#2
General Discussion / Stop automatic default route g...
Last post by JimIFN - Today at 09:35:51 PM
Hello:

I run a small ISP, and I'm using OPNsense in a failover pair as my core ISP router.  I have some public IP address ranges assigned, and I am announcing them via BGP to my upstreams.  I also receive via BGP default (and some additional) routes.

Currently, in my route table, the kernel route is inserted by the gateways.  This overrides the default route from BGP.  Unfortunately, this means if the BGP session to a peer drops, the default route remains in place... but I do NOT want that.  I want my default route managed by BGP.

I tried deleting the gateways, but "bad things" happened.  Is there some way to disable the gateway system, or at least suppress insertion of the default route into the kernel routing table?
#3
25.7, 25.10 Series / Re: NAT reflection rules being...
Last post by ltcptgeneral - Today at 09:34:30 PM
Adding that from the same LAN client, I am able to directly use wget/curl to 10.0.1.2:80 without any issue, and there are not generally any other firewall rules blocking LAN -> DMZ connections. Looking at the firewall log, I can see that the same connection (from the POV of the firewall) is blocked when it is the result of the rdr rule, but passed if it is a direct connection.

Firewall log: https://drive.google.com/file/d/1fHwGOXNZeLku4mB2D3xY2U96TWPebs2T/view?usp=sharing
#4
General Discussion / Re: Can I install smokeping ...
Last post by franco - Today at 09:29:23 PM
That's a lot of Perl dependencies and it doesn't build for me either. I'm relatively sure that's a FreeBSD ports tree error.


Cheers,
Franco
#5
Quote from: Q-Feeds on Today at 01:11:28 PM
Quote from: netwarden on Today at 09:36:34 AM
Quote: Oh my mistake, yes on the latest version you only need to enable it in our plugin indeed.

Please update the documentation to reflect this. Also, it doesn't seem to be working - I don't see any malicious domains getting blocked in the Unbound logs.

We've updated our documentation. The official documentation within the OPNsense docs is in review. Thank you for pointing it out.

That you don't see any domains blocked might be a good sign. It's not a list of Ads and Trackers which gets hits constantly. You can use the test functionality within Unbound (/ui/unbound/dnsbl/index#blocklist_tester) to see if it's working. Try these domains:

plant-with-crypto.org
platform8414.com

You should see output like this:

{
  "status": "OK",
  "action": "Block",
  "policy": {
    "source_nets": [],
    "address": "0.0.0.0",
    "rcode": 0,
    "description": "compat",
    "id": "09f398e4-3704-4957-b857-baaf590691c9",
    "prio": 3.402823669209385e+38,
    "hidx": 1,
    "bl": "qf_malware_domains"
  }
}

Yes, I see them. I believe I am all set for now. Thanks for helping me out.

{
  "status": "OK",
  "action": "Block",
  "policy": {
    "source_nets": [],
    "address": "0.0.0.0",
    "rcode": 0,
    "description": "compat",
    "id": "78805629-a0dd-4cb4-ac04-0510a653078e",
    "prio": 3.402823669209385e+38,
    "hidx": 1,
    "bl": "qf_malware_domains"
  }
}
#6
Tutorials and FAQs / Re: OPNsense + PROXMOX + VLANs...
Last post by viragomann - Today at 07:41:22 PM
Quote from: spetrillo on December 14, 2025, 06:20:56 PM: I am running into the same problem as you, but I just read an article where it talks about creating a Linux bridge, assigning an IP, and that becomes the LAN side. My problem with that is that my network has a few vlans, so how do I get those in the OPNsense config also?
If you run OPNsense virtualized you can do the whole VLAN termination on the hypervisor, Proxmox in your case. So you don't need to create any VLAN inside OPNsense, just add a virtual interface to it for each.
Or you do the VLAN termination inside OPNsense. Both are possible.

In both cases you need to enable VLAN awareness on the Proxmox bridges.
#7
25.7, 25.10 Series / NAT reflection rules being ove...
Last post by ltcptgeneral - Today at 07:36:48 PM
I'm following the documentation guide on setting up NAT reflection. Like in the guide, I have an nginx server and want to use NAT reflection to allow WAN, LAN, and DMZ clients to use the reverse proxy. The only difference I can tell from the documentation is that my nginx server has multiple interfaces, including one on the LAN.

I have set up the DNAT rule:
Interface - WAN, LAN, DMZ_VLAN
Source - Any:Any
Destination - 192.168.86.2:8080 (the opnsense WAN address, as it is currently behind another NAT)
NAT - 10.0.1.2:80 (the nginx DMZ IP address)

This should already allow LAN and WAN clients to connect to the server. WAN clients are able to connect. However, this is not working for LAN clients, and I can see in the firewall log that the default deny rule is being applied. I enabled the automatic firewall rule generation like in the documentation, which I can see has already created a floating rule that should allow LAN and WAN clients through to the DMZ address.

However, this is not the case, and when I use wget/curl from a LAN client fetching http://192.168.86.2:8080, I can see that the firewall is blocking the traffic using the default deny rule. This is despite the generated rule allowing any source to 10.0.1.2:80 on LAN, WAN, and DMZ interfaces.

Strangely, another port forward to another host on port 22 is working properly from both WAN and LAN clients, although this host does not have multiple interfaces.
#8
Tutorials and FAQs / Re: OPNsense + PROXMOX + VLANs...
Last post by viragomann - Today at 07:35:43 PM
Quote from: elreyquerabio on Today at 04:34:57 PM: It seems there's not much activity here.
Sadly you didn't provide the requested information. So it's hard to help.
#9
General Discussion / Re: Lan Interface - VLan 1 - 2...
Last post by viragomann - Today at 07:27:30 PM
You need to add virtual IPs if you have multiple WAN IPs from your ISP or a subnet and want services on OPNsense to listen on multiple of them.
Also if you run two OPNsense in high availability you need to add a VIP of type CARP in this case.

Virtual IPs are just additional IPs to access OPNsense or even services on it.
Type Proxy ARP works a bit differently, however. It cannot be used for services on OPNsense itself. With this, OPNsense just responds to ARP requests for this IP. You can use it for forwarding traffic to hosts behind it.

On internal interfaces there are very rare good use cases. That's why I asked for it.
One is if you want to run multiple layer 2 subnets on a single network interface, for instance.
#10
General Discussion / Re: Lan Interface - VLan 1 - 2...
Last post by coffeecup25 - Today at 07:14:59 PM
Virtual IP is new to me. I have never even heard the term before reading this. Google says they are fairly common, sort of.

Like most things in Google, they provide a lot of information up to a point. Then nothing.

I found how to set them up. Lots of people offer information on that.

Nobody offers a simple explanation of what they are used for. What is the use case? Why would somebody want one and what would it do? Without using lots of jargon.