Recent posts

#1
General Discussion / Re: Cannot Setup
Last post by OPNenthu - Today at 11:33:30 PM
Hello,

Quote from: DigitalSquirrel01 on Today at 09:23:27 PM
So is it possible that I can make like a bootable USB drive using YUMI || RUFUS and then boot from the Oracle VirtualBox?

If you want to boot on a PC then you need to make a bootable USB, yes, such as with Rufus.

If you want to boot on a VM then you need only the uncompressed .img file (no USB drive).  You can mount the .img as a virtual CD-ROM within the VM settings and boot from it.

That should be it.


P.S.: I don't want honorific titles, man :)  I'm just another user trying to help out.
#2
General Discussion / Default install, but cannot co...
Last post by tbone56 - Today at 11:02:03 PM
I am having issues with web access.
I reset opnsense to default.
Set WAN interface to DHCP
Set LAN interface to Static

I can ping other computers/devices on the network.

I can open the following websites:
https://crosswordclub.com/
https://speed.cloudflare.com/
https://app.netbird.io/
https://www.google.com/maps

I cannot open the following websites.  The message is "ERR_ADDRESS_UNREACHABLE"

https://pcpartpicker.com/
https://www.speedtest.net
https://www.chase.com
https://www.paypal.com

I had previously configured netbird for my main PC, my server, and OPNsense.
I'm not sure if that is the problem because, as I stated, I reset OPNsense back to default, and the netbird connections for the 2 computers are no longer showing in the Netbird > Connection Status page of OPNsense.

I am very new to OPNsense, and this has me lost.
Why would I have connectivity to some websites?

Thanks.




#3
So changing the window sizes doesn't change anything either. It remains the case that option icons are missing. I can't really operate the developer tools. But when the window opened, I had searched for the label. No entry was found. There is no other account on the firewall. I would first have to create one. But thanks for your help.
#4
25.7, 25.10 Series / Re: os-acme-client 4.11 on Bus...
Last post by greY - Today at 10:41:29 PM
Meanwhile I checked the files and the version seems to be the new one (the one I deployed, mentioned in my last post).

It looks more like strange behaviour in the GUI / Configuration.


In the OPNsense ACME GUI, the DNS provider hetznercloud is explicitly selected. Despite that, ACME behaves like the legacy hetzner provider.

This is clearly visible in the acme.sh logs, which show usage of the legacy DNS API endpoint:

2026-01-10T22:20:58 acme.sh[Sat Jan 10 22:20:58 CET 2026]
url='https://dns.hetzner.com/api/v1/zones?name=org';


The same behavior occurs in both Business and Community editions of OPNsense.

I compared the file dns_hetznercloud.sh against the upstream version from the acme.sh GitHub repository, and it looks correct and up to date.


When hetznercloud is selected in the GUI, acme.sh should use the Hetzner Cloud DNS API via: https://api.hetzner.cloud/v1 as documented in the current Hetzner Cloud DNS API reference.

Is it possible that there is an issue in the OPNsense ACME GUI mapping, where selecting hetznercloud still triggers the legacy hetzner provider internally (or passes the wrong parameters to acme.sh)?
#5
25.7, 25.10 Series / Re: choose shell for item 8 in...
Last post by tessus - Today at 10:28:15 PM
I don't think that adding one line to a script is a complex solution. What I don't understand is that hardcoding a specific shell is considered the normal way of doing things.

Anyway, if a PR that adds one line to a script won't be accepted because it is deemed too complex or too high of a maintenance burden, there is no need to create one, is there?

Don't get me wrong, I have already used the workarounds you mentioned (all but spawning bash from the .cshrc), but I actually like the menu and overview the opnsense-shell script provides. I'm just not a fan of csh.

Too bad, I guess I will have to patch opnsense-shell every time there is an update.
#6
As an update to my recent post, the AI support agent at Tailscale confirmed the subnet routing NAT behavior is enabled by default in the FreeBSD/OPNsense build and there is no plan/schedule to fix this.

The AI agent explicitly recommended using a Linux subnet router behind OPNsense running Tailscale to perform subnet routing.

The information I've been finding on ZeroTier seems to imply it isn't ready for prime time for fixed wireless / CGNAT configurations. Does anyone have anything good to say about ZeroTier on OPNsense when on fixed wireless with CGNAT and performing subnet routing?
#7
General Discussion / Re: Cannot Setup
Last post by DigitalSquirrel01 - Today at 09:23:27 PM
Greetings Sir! I bid you a great day! I hope all is going for you today!

Okay. So that solves some of the problems that I was confused about. I have not downloaded 7-Zip because I thought that I did not have to, because my computer was extracting everything as normal. And there is an option to zip a file if I have a big file to send (which the email will not send because of it being too big), so I assumed that it was on the computer already and that it was not needed.

Let me check if this fixes things?! :-)

Thank you!

May I contact you again if I have any more questions, Sir? 

Addendum: So is it possible that I can make like a bootable USB drive using YUMI || RUFUS and then boot from the Oracle VirtualBox? Where do you think the problem is? Why is it not showing up on VirtualBox? What would cause this to occur?
#8
I have an issue: when I have my WAN connection set to 2.5 Gbps link speed to my Xfinity XB8 gateway, my download speeds are limited to around 300-350 Mbps. When I change my link speed on the WAN side back to 1 Gbps I get around 940 Mbps (the max a 1 Gbps link will do).

See attached image for network diagram.

Some additional information:
This occurs on all 3 VLANs connected to my switch.
iperf3 from a LAN 10 Gbps interface to OPNsense easily gets over 9000 Mbps.
Running a server hosting OpenSpeedTest and iperf3, all PCs get the correct speed for their link speed across all VLANs.

WAN set to 1 Gbps:
Running speedtest from the OPNsense CLI gets around 1500 Mbps when the link is set to 2.5 Gbps, but with very high latency (log attached).
Running speedtest from 10 Gbps and 1 Gbps PCs gets 940 Mbps.

WAN set to 10 Gbps:
Running speedtest from the OPNsense CLI at 1 Gbps link I get 940 Mbps.
Running speedtest from 10 Gbps PCs gets 1800 Mbps+.
Running speedtest from 1 Gbps PCs gets 300-350 Mbps.

I've tried just about everything on the Aruba switch to see if it was doing something funky, but nothing improved or degraded the performance.
I've also tried other internet speedtest services like fast.com and I get the same results.
Cables used are CAT6 and TwinAx. All cables are shorter than 1m, with Gateway to Router being 6 inches. All manufactured cables.

Any ideas would be great.

P.S.
Forgot to mention: I haven't seen CPU usage above ~15% on OPNsense, and htop shows multiple cores being used during these speedtests with none close to peaking out. The system is bare metal running an Intel i5-10600T with 16 GB of RAM.
#9
German - Deutsch / Re: Own DNS with an IPv6...
Last post by s.meier68 - Today at 08:51:02 PM
Hi,

have a look here. In IPv6, DNS servers are distributed either via DHCPv6 as well, or, with SLAAC, via router advertisements. The WAN configuration is, by the way, fairly irrelevant; what matters is how it is configured on the internal interfaces.


Alternatively, if you have dnsmasq configured for DHCPv6, you have to enable RA in the dnsmasq configuration, add a DHCPv6 option dns-server with the IP address of the AdGuard server in the dnsmasq options, and disable radvd in Services....

Regards
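The dnsmasq setup s.meier68 describes, written out as an added example (not from the post). igb1 and 2001:db8::53 are placeholders for the LAN interface and the AdGuard address; on OPNsense these values are entered in the Dnsmasq GUI, which generates the file, rather than edited by hand.

```ini
# Constructed example, not from the forum post. igb1 and 2001:db8::53 are placeholders.
# Let dnsmasq send Router Advertisements itself, so radvd can be disabled under Services.
enable-ra
# Derive the prefix from the address on igb1; ra-stateless = SLAAC addresses plus
# stateless DHCPv6 for options, ra-names = also advertise DNS info (RDNSS) in the RA.
dhcp-range=::,constructor:igb1,ra-stateless,ra-names
# DHCPv6 option 23 (dns-server): hand clients the AdGuard resolver instead of dnsmasq.
# With enable-ra, dnsmasq also uses this address as the RDNSS in its Router Advertisements.
dhcp-option=option6:dns-server,[2001:db8::53]
```

Without the dhcp-option line dnsmasq advertises its own link-local address as the resolver, which is what keeps clients from ever reaching AdGuard.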
#10
German - Deutsch / ACME plugin DNS-01 challenge t...
Last post by ChrisChros - Today at 08:30:36 PM
Hello everyone,

I'm currently trying to set up a proper certificate with the ACME plugin and Let's Encrypt. The domain is set up at ddnss.de, and the DynDNS service on the Sense is running cleanly so far and updates the domain with my IP.

However, I still can't get a certificate issued at the moment. I want to use the challenge type DNS-01; there is also a short guide on GitHub for how this is supposed to work with this provider.
https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_ddnss

I have ticked the boxes for TXT record and wildcard. I entered the update key in the API token field of the ACME plugin accordingly. However, the validation fails.

The ACME plugin log says the following:
2026-01-10T20:21:59opnsense AcmeClient: validation for certificate failed: ****.ddnss.org
2026-01-10T20:21:59opnsense AcmeClient: domain validation failed (dns01)
2026-01-10T20:21:59opnsense AcmeClient: AcmeClient: The shell command returned exit code '2': '/usr/local/sbin/acme.sh --renew --syslog 7 --debug --server 'letsencrypt' --dns 'dns_ddnss' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/674e0cba009318.42719035' --certpath '/var/etc/acme-client/certs/674e0cba009318.42719035/cert.pem' --keypath '/var/etc/acme-client/keys/674e0cba009318.42719035/private.key' --capath '/var/etc/acme-client/certs/674e0cba009318.42719035/chain.pem' --fullchainpath '/var/etc/acme-client/certs/674e0cba009318.42719035/fullchain.pem' --domain '****.ddnss.org' --days '60' --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/674b1d0b3937d2.05903488_prod/account.conf''
2026-01-10T20:21:59opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --renew --syslog 7 --debug --server 'letsencrypt' --dns 'dns_ddnss' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/674e0cba009318.42719035' --certpath '/var/etc/acme-client/certs/674e0cba009318.42719035/cert.pem' --keypath '/var/etc/acme-client/keys/674e0cba009318.42719035/private.key' --capath '/var/etc/acme-client/certs/674e0cba009318.42719035/chain.pem' --fullchainpath '/var/etc/acme-client/certs/674e0cba009318.42719035/fullchain.pem' --domain '****.ddnss.org' --days '60' --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/674b1d0b3937d2.05903488_prod/account.conf'
2026-01-10T20:21:59opnsense AcmeClient: using challenge type: DNS Challenge
2026-01-10T20:21:59opnsense AcmeClient: account is registered: OPNsense Account
2026-01-10T20:21:59opnsense AcmeClient: using CA: letsencrypt
2026-01-10T20:21:59opnsense AcmeClient: renew certificate: ****.ddnss.org
2026-01-10T20:21:59opnsense AcmeClient: certificate must be issued/renewed: ****.ddnss.org

Does anyone have an idea why it isn't working?
I have to use the DNS-01 method because I want to set up an NGINX proxy afterwards.