Recent posts

#1
26.1 Series / Re: virus scanner for emails ?
Last post by bimbar - Today at 10:27:02 AM
To add to this, all that can be done with OPNsense as it is: there is Postfix, rspamd and ClamAV.
#2
26.1 Series / Re: IPv6 from Android devices ...
Last post by Javier® - Today at 10:16:37 AM
Hi everyone, I don't know how Dnsmasq works; configuring pltime is not the same as configuring RDNSS.
In OPNsense, Dnsmasq can be used in conjunction with radvd and used explicitly.

interface vlan123 {
  RDNSS 2001:db8:cafe:beef::1 {
    AdvRDNSSLifetime 604800;
  };
};

#3
26.1 Series / Re: Cosmetic, low prio. Remove...
Last post by iorx - Today at 10:01:25 AM
Sorry for the noise. Found posts on the subject. Will be removed later down the road...

Brgs,
#4
26.1 Series / Cosmetic, low prio. Remove the...
Last post by iorx - Today at 09:59:37 AM
Hi!

Just curious, can the old menu be removed for legacy rules "Rules" when everything is in "Rules [new]"?

Brgs,
#5
26.1 Series / Re: KeaDHCP dynamic DHCP quest...
Last post by Monviech (Cedrik) - Today at 09:29:11 AM
I assume it would make sense to check the Kea logs then, to see why it assigns these leases?
#6
26.1 Series / Traffic to the VIP is detected...
Last post by mfpb - Today at 08:51:30 AM
Hello,

I have two OPNsense 26.1.4 instances with the same configuration (but different CIDRs).

OPNsense A (no issues) was updated from 25.x to 26.1, and then the firewall was migrated to the new rules.
OPNsense B (has issues) was installed fresh. The legacy firewall rules were manually copied from OPNsense A, and the firewall was migrated to the new rules.

I have a native network and several VLANs:

native: 10.0.0.0/24
vlan2: 10.0.2.0/24
vlanN: 10.0.N.0/24
vlan6: 10.0.6.0/24

These networks are grouped into interface groups:

group1: native, vlan2, ...
group2: vlan6, ...

I also have a VIP (IP alias), which I tried binding to the loopback or the native interface: 192.168.10.10
OPNsense HAProxy is bound to the VIP address on port 443.

Firewall rules:

Allow IN on interface "group1" from any to "This Firewall" TCP/443
Allow IN on interface "group2" from any to "This Firewall" TCP/443

When I try to access the VIP from a computer in vlan6, the traffic is blocked.

In the live logs, I see:

block IN interface vlan2 from 10.0.6.123:12345 to 192.168.10.10:443

If I disable the rule "allow IN interface 'group2' ...", I get:

block IN interface vlan6 from 10.0.6.123:12345 to 192.168.10.10:443

I don't understand why vlan2 appears in the first case. And why it is blocked.
#7
26.1 Series / N5105 + i226-V (NVM 2.32) + OP...
Last post by (MARLOO) - Today at 08:27:53 AM
Hi,

hardware:

Intel N5105 box, 4 × Intel i226‑V (igc0–igc3)

NVM firmware: V2.32‑0 on all ports

OPNsense 26.1.4

LAN: UniFi Switch Lite 8 PoE (USW‑Lite‑8‑PoE), LAN on igc1

WAN: PPPoE Vodafone (Italy) on igc3 (with VLAN)

Since updating the i226 NVM to 2.32 and running 26.1.4 I'm seeing strange behaviour on every reboot:

If WAN (igc3) and LAN (igc1 → UniFi) are connected, during boot both ports show only amber on the switch and the firewall is unreachable from LAN.

In this situation the box often seems to hang (no red status LED blinking on the chassis, no visible console progress, only amber link, no traffic) and I have to hard power‑cycle it.

If I disconnect WAN and LAN and connect an HDMI monitor, the system boots normally, the red status LED starts blinking and OPNsense comes up without issues.

Once it has booted successfully, if I reconnect WAN and LAN, everything works as expected.

Once the system is up:

Internet and LAN are stable, full speed, no drops.

dmesg shows all 4 i226‑V with EEPROM V2.32-0 and only some "link state changed to UP/DOWN" messages during early boot, but no errors.

ifconfig shows igc1 and igc3 as 1000baseT full-duplex, status: active.

/var/log/boot.log is clean (interfaces, VLAN, PPPoE, WireGuard, DNS, etc. all configure fine).

BIOS:

ASPM and L1 Substate for all PCIe Root Ports are already Disabled.

I also set DMI Link ASPM Control from Auto to Disabled, but the behaviour on reboot did not change.

Questions:

Is this "long amber / sometimes hanging during boot" behaviour expected with i226 + NVM 2.32 + OPNsense 26.1.4, or does it indicate a problem?

Are there any additional recommended BIOS settings (ASPM, EEE, PCIe power saving) for i226 on OPNsense to avoid this kind of boot/link issue?

Should I keep the default igc settings (no tunables), or is there a minimal recommended set for this platform?

I can provide full dmesg, boot.log and additional logs if needed.

Thanks!
#8
26.1 Series / Re: KeaDHCP dynamic DHCP quest...
Last post by FrankAusNRW - Today at 08:27:40 AM
Same issue here w/ OPNsense 26.1.4. ISC DHCP is not installed anymore and Dnsmasq DHCP is disabled, so only Kea is running.
The DHCP range is going from .200-.249. All IP addresses in the DHCP range AND all unused IP addresses outside the DHCP range are blocked, even for inactive clients w/ fixed leases.
Effectively there is no chance for a client to obtain an IP address at the moment.
This is causing some trouble.

Is there a workaround or a fix in the near future?
If not, I need to get back to ISC or Dnsmasq DHCP for the time being.

The installation was a fresh ISO 26.1.2 installation.
#9
26.1 Series / Re: virus scanner for emails ?
Last post by Monviech (Cedrik) - Today at 07:36:17 AM
A virus scanner for emails is not that great if it cannot block encrypted attachments, or unzip archives etc, and give admins and users a portal in which they can view potentially blocked mails safely, and potentially restore them.

I would rather use a mail transfer agent (MTA) service that offers these features instead of relying on ClamAV and Postfix on OPNsense.

You need at least a well-configured amavis/SpamAssassin/ClamAV environment to get some benefit, more so with a professional paid solution.

If you just have a few clients, the virus scanning software on the PCs will already do the heavy lifting where it counts.
#10
26.1 Series / virus scanner for emails ?
Last post by Karla - Today at 07:26:03 AM
Is it possible to add a virus scanner for emails?
I think then an email proxy is needed.