Recent posts

#1
Thank you in advance for advice, in case people in this forum succeeded in installing "from scratch" Opnsense on AWS EC2 (i.e. not by using the commercial Opnsense AMI).

Followed an older post (only one I found on the topic : https://edepree.com/2020/08/02/installing-opnsense-on-lightsail.html) but this is for Opnsense 20.1 and FreeBSD 12 which is no longer available on AWS.

Details below

su
pkg install wget
wget https://raw.githubusercontent.com/opnsense/update/master/src/bootstrap/opnsense-bootstrap.sh.in
!!! comment out the reboot at the end
chmod +x opnsense-bootstrap.sh.in
sh ./opnsense-bootstrap.sh.in -r 26.1


Installing Opnsense 26.1 on FreeBSD 14 AMI (AWS) on EC2 (t3.micro or t3.small) works fine
...
Message from opnsense-26.1.11_6:

--
One step ahead, one step behind it, now you gotta run to get even
Fetching base-26.1.11-amd64.txz: ............ done
Fetching kernel-26.1.11-amd64.txz: ...... done
...
3. Prevent the standard FreeBSD syslogd from starting automatically by
   adding a line to the end of your /etc/rc.conf file that reads:
        syslogd_enable="NO"
4. Shut down the standard FreeBSD syslogd:
     kill `cat /var/run/syslog.pid`
5. Start syslog-ng:
     /usr/local/etc/rc.d/syslog-ng start
=====
Message from opnsense-26.1.11_6:
--
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing kernel-26.1.11-amd64.txz... done
Installing base-26.1.11-amd64.txz... done
Cleaning obsolete files... done
Please reboot.
root@freebsd:/home/ec2-user #

At this point the VM has 2 ENI (WAN=10.10.1.5, LAN=10.10.2.5) and I edited /usr/local/etc/config.xml (as per the post above) the LAN entry under   <interfaces> before rebooting
Original
    <wan>
      <enable>1</enable>
      <if>mismatch1</if>
      <mtu/>
      <ipaddr>dhcp</ipaddr>
      <ipaddrv6>dhcp6</ipaddrv6>
      <subnet/>
      <gateway/>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
      <dhcphostname/>
      <media/>
      <mediaopt/>
      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
    </wan>
    <lan>
      <enable>1</enable>
      <if>mismatch0</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>idassoc6</ipaddrv6>
      <subnetv6>64</subnetv6>
      <media/>
      <mediaopt/>
      <track6-interface>wan</track6-interface>
      <track6-prefix-id>0</track6-prefix-id>
    </lan>

Modified

    <wan>
      <enable>1</enable>
      <if>mismatch1</if>
      <mtu/>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <gateway/>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
      <dhcphostname/>
      <media/>
      <mediaopt/>
    </wan>
    <lan>
      <enable>1</enable>
      <if>mismatch0</if>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <media/>
      <mediaopt/>
    </lan>

Also to make sure the serial console remains available:
root@freebsd:/home/ec2-user # cat /boot/loader.conf.local
kern.vty=sc
kern.tty.comconsole="sc"

At this point I reboot and will get in the initial configuration, then hangs here in the console without getting in the menu

OPNsense.localdomain kernel - - [meta sequenceId="8"] <118>Service `sysctl' has been restarted.
OPNsense.localdomain kernel - - [meta sequenceId="9"] <118>>>> Invoking start script 'beep'
OPNsense.localdomain kernel - - [meta sequenceId="10"] <118>Root file system: /dev/gpt/rootfs
OPNsense.localdomain kernel - - [meta sequenceId="11"] <118>Thu Jul  9 18:13:32 UTC 2026
OPNsense.localdomain kernel - - [meta sequenceId="12"] <118>
OPNsense.localdomain kernel - - [meta sequenceId="13"] <118>*** OPNsense.localdomain: OPNsense 24.1.10_8 ***
OPNsense.localdomain kernel - - [meta sequenceId="14"] <118>
OPNsense.localdomain kernel - - [meta sequenceId="15"] <118> LAN (ena1)      -> v4/DHCP4: 10.10.2.5/24
OPNsense.localdomain kernel - - [meta sequenceId="16"] <118> WAN (ena0)      -> v4/DHCP4: 10.10.1.5/24
OPNsense.localdomain kernel - - [meta sequenceId="17"] <118>


 HTTPS: SHA256 42 17 B5 44 80 FE 11 27 C7 53 97 DD 1E 94 BA 24
               F6 53 14 77 66 C0 60 6A D6 E0 91 49 8B 0F AC 25

Also at this point ssh and  https connections to the WAN and LAN public IP fail with timeout and the only way I have to see what happened is to detach the root disk, attach it as data to another VM and look at the logs.  But looking at the system (/var/log/system_20260709.log) and filter (/var/log/filter_20260709.log) logs the system is not dead after printing the fingerprint at the console, the firewall seems to just block SSH and HTTPS to the WAN interface

system_20260709.log
...
OPNsense.localdomain kernel - - [meta sequenceId="18"] <118> HTTPS: SHA256 97 CC 6F 8F 2C 74 F7 F7 A0 E3 06 56 DE 6B 89 D3
OPNsense.localdomain kernel - - [meta sequenceId="19"] <118>               C2 C3 CC 3A 18 46 B4 0D 8C 27 DF E0 C9 2A B0 F5
OPNsense.localdomain opnsense 88982 - [meta sequenceId="20"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : opendns_configure_do())
OPNsense.localdomain opnsense 88982 - [meta sequenceId="21"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : openssh_configure_do(,lan))
OPNsense.localdomain opnsense 88982 - [meta sequenceId="22"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : unbound_configure_do(,lan))
OPNsense.localdomain opnsense 88982 - [meta sequenceId="23"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : vxlan_configure_do())
OPNsense.localdomain opnsense 88982 - [meta sequenceId="24"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : webgui_configure_do(,lan))
OPNsense.localdomain opnsense 88982 - [meta sequenceId="25"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_sync(,lan))
OPNsense.localdomain opnsense 92965 - [meta sequenceId="26"] /usr/local/etc/rc.newwanip: The command '/usr/local/sbin/ntpd -g -c '/var/etc/ntpd.conf'' returned exit code '1', th
OPNsense.localdomain opnsense 92965 - [meta sequenceId="27"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : opendns_configure_do())
OPNsense.localdomain opnsense 92965 - [meta sequenceId="28"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : openssh_configure_do(,wan))
OPNsense.localdomain opnsense 92965 - [meta sequenceId="29"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : unbound_configure_do(,wan))
OPNsense.localdomain opnsense 92965 - [meta sequenceId="30"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : vxlan_configure_do())
OPNsense.localdomain opnsense 92965 - [meta sequenceId="31"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : webgui_configure_do(,wan))
OPNsense.localdomain opnsense 92965 - [meta sequenceId="32"] /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_sync(,wan))
OPNsense.localdomain opnsense 88982 - [meta sequenceId="33"] /usr/local/etc/rc.newwanip: The command '/usr/sbin/daemon -f -p '/var/run/updaterrd.pid' '/var/db/rrd/updaterrd.sh''

filter_20260709.log
OPNsense.localdomain filterlog 25056 - [meta sequenceId="1"] 51,,,c6449923fcfe3ab76e49d9391c552b90,ena1,match,pass,in,4,0x0,,255,0,0,DF,17,udp,576,10.10.2.1,10.10.2.5,67,68,556
OPNsense.localdomain filterlog 25056 - [meta sequenceId="2"] 59,,,f994f615e00b8be0042263f86c79913f,ena0,match,pass,in,4,0x0,,255,0,0,DF,17,udp,576,10.10.1.1,10.10.1.5,67,68,556
OPNsense.localdomain filterlog 99278 - [meta sequenceId="3"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,170.247.170.2,17143,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="4"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,192.112.36.4,39965,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="5"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,198.97.190.53,36777,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="6"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,199.7.83.42,19529,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="7"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,192.36.148.17,46699,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="8"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,199.7.83.42,43062,53,36
OPNsense.localdomain filterlog 99278 - [meta sequenceId="9"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,56,10.10.2.5,192.36.148.17,11280,53,36

... and can see SSH and HTTPS are blocked by the firewall
OPNsense.localdomain filterlog 72498 - [meta sequenceId="49"] 77,,,2e441470eff61ecebaeab50a8128a2e2,ena1,match,pass,out,4,0xb8,,64,62599,0,none,17,udp,76,10.10.2.5,138.197.135.239,123,123,56
OPNsense.localdomain filterlog 72498 - [meta sequenceId="50"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21014,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,55978,22,0,S,1116859751,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="51"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21015,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,55978,22,0,S,1116859751,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="52"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21016,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,55978,22,0,S,1116859751,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="53"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21017,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,56039,443,0,S,1256389213,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="54"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21018,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,56040,443,0,S,2039657916,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="55"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21019,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,56041,443,0,S,2504498693,,64240,,mss;nop;wscale;nop;nop;sackOK
OPNsense.localdomain filterlog 72498 - [meta sequenceId="56"] 4,,,02f4bab031b57d1e30553ce08e0ec131,ena0,match,block,in,4,0x0,,116,21020,0,DF,6,tcp,52,76.65.68.5,10.10.1.5,56040,443,0,S,2039657916,,64240,,mss;nop;wscale;nop;nop;sackOK


Also
Tried FreeBSD 13 with Opnsense 24.1 same behavior. Extracted the /var/log logs (detached root volume, reattached to another VM as data) and in the logs there is no obvious error, kernel panic or anything that could explain the lockdown. 
#2
Development and Code Review / Re: vibecoded plugin
Last post by Vectralis - Today at 12:44:31 AM
Quote from: Vectralis on July 08, 2026, 05:34:28 PMthat's exactly what i mean. sshd (hardware). i planned to use an hdd just for backups, but i didn't have a spare hdd laying around. that's why i ended up using an sshd for backups. i simply found that in my drawer lol.

Is it possible to do it with the sshd?
#3
General Discussion / How to set up Single NIC OPNse...
Last post by Vectralis - Today at 12:42:21 AM
Hi everyone,

I am a complete beginner with OPNsense and networking in general. I want to build a "Router-on-a-stick" setup using a single-NIC PC with OPNsense 26.1, but I need some guidance on the exact step-by-step configuration.

My Goal & Hardware:
- ISP: Proximus VDSL (Belgium)
- Fritz!Box 7530 (currently acting as router/modem, want to use it purely as modem).
- OPNsense PC: Has only 1 physical NIC.

Switches:
- TL-SG105E (located in the Modem Room)
- TL-SG108E (located in the Router Room)

Target Network Settings:
- OPNsense LAN IP: 192.168.129.1/24
- Fritz!Box IP (for web management): 192.168.129.2/24

DHCP Range:
192.168.129.50 – 192.168.129.254

DNS: 1.1.1.1

Physical Connection Plan:

- Inter-switch link: Cable from TL-SG105E Port 1 to TL-SG108E Port 1.

- Modem Room (TL-SG105E):
Port 2 connected to Fritz!Box LAN 1 (for Internet traffic).
Port 3 connected to Fritz!Box LAN 2 (to access Fritz!Box web GUI at 192.168.129.2).
Ports 4–5 for local clients.

- Router Room (TL-SG108E):
Port 2 connected to the OPNsense single NIC.
Ports 3–8 for local clients / APs.

My Questions:

- VLAN Tagging / Switch Setup:
How should I precisely configure the 802.1Q Tagged/Untagged ports and PVIDs on both TP-Link switches for VLAN 1 (LAN) and VLAN 10 (WAN)?

- OPNsense 26.1 Setup:
Since I am using a single physical NIC:
What exact steps do I need to take in OPNsense to set up the VLAN 10 interface for WAN while keeping the physical NIC for LAN (192.168.129.1)?
How should I configure LAN / WAN settings?

- Fritz!Box Configuration:
Is connecting two cables from the Fritz!Box to the SG105E (one for WAN on VLAN 10, one for LAN management on VLAN 1) the correct way to keep access to 192.168.129.2?

Could someone walk me through the correct sequence of steps so I don't lock myself out during setup?

Thanks a lot for helping out a beginner!

And sorry if I ask dumb questions lol
#4
Hardware and Performance / Re: Severe Boot Delays & Recur...
Last post by pfry - Today at 12:31:12 AM
Quote from: aru.persia on July 09, 2026, 11:15:04 PM[...]Temperature Sensor 1: 79°C ⚠️ (This is dangerously high for NVMe and likely the source of the timeout.)[...]

It's high, but not unusual - most SSD controllers have limits in the 75-85C range. They draw 2-20W, with M.2 devices generally limited to 6-8W. Most NVME devices will be right up at that limit. They have (generally) very effective thermal throttling, which you appear to be seeing. Yours could just be a hot runner (which would arguably be a hardware fault). Out of curiosity, what's the ambient temperature?

I'm not defending use of M.2 SSDs with no/minimal thermal management, by the way.
#5
Hi everyone,
I'm seeking some insight into an issue I'm experiencing with the Kea DHCP service on my OPNsense setup. After a recent migration to new hardware, I've noticed that several active leases are being categorized under a "Loopback" interface in the "Services: Kea DHCP: Leases DHCPv4" view, rather than their respective VLAN interfaces.

Environment:
OPNsense 26.7 RC2
Service: Kea DHCP
Symptoms:

While devices are receiving IP addresses and network traffic is routing correctly across my VLANs, the GUI lease table consistently shows multiple devices, including those with static reservations grouped under "Loopback."

Configuration Details:
I have verified that the interfaces are correctly assigned and enabled in the GUI, and the physical VLANs are showing as "Up" under Interfaces > Assignments.
However, looking at the generated configuration file (/usr/local/etc/kea/kea-dhcp4.conf), the interfaces array is as follows:

"interfaces": [
    "vlan01",
    "vlan02",
    "ixl0"
],



Questions:
Is it normal behavior for leases to appear under "Loopback" in the Kea DHCP GUI when the interface is not explicitly listed in the generated kea-dhcp4.conf?
Are there any known issues regarding the synchronization between the OPNsense GUI interface assignments and the Kea configuration generator?
Any guidance or troubleshooting steps to ensure these leases map correctly to their actual interfaces would be greatly appreciated.

Thanks in advance.

Before my migration, and on the last stable release, leases were sorted by VLAN.

#6
General Discussion / System memory cache is consist...
Last post by camellia - Today at 12:02:33 AM
Hi everyone

System memory cache in "Reporting Health" is always zero.

You cannot view this attachment.

Should the graph show "laundry" instead of "cache"?
Is the graph always zero because it doesn't reflect the value of "laundry"?
#7
Hardware and Performance / Re: Inseego MiFi Pro M4 as WAN...
Last post by pfry - July 09, 2026, 11:53:58 PM
Quote from: Greg_E on July 09, 2026, 10:59:34 PM[...]I'll have to boot up a linux live and see if I can make heads or tails out of ethtool and see why these cards are so picky.[...]

I don't think it'll tell you anything, but it can't hurt to look. The vendor lock doesn't seem to be OS-specific (not surprising since Intel wrote the drivers as well as the firmware). It's a crapshoot - some of my x710s are not vendor-locked, and I can't see any external distinguisher.
#8
26.7 Release Candidate Series / Re: Settings for Reporting Hea...
Last post by camellia - July 09, 2026, 11:45:34 PM
I confirmed the change in 26.7-RC2.

Thanks.
#9
26.7 Release Candidate Series / Re: OPNsense 26.7-BETA images
Last post by nero355 - July 09, 2026, 11:43:57 PM
Quote from: Patrick M. Hausen on July 09, 2026, 10:03:14 PMI can guess that Deciso likes to use Transcend SSDs.

I also recommend and use these as boot devices for e.g. TrueNAS. They are not the fastest but have really high TBW (write endurance) numbers even for the smaller ones. Nice industrial grade stuff.

In my DEC750 there's a TS256GMTE710T.
You reminded me of something from a while ago : https://forum.opnsense.org/index.php?topic=51263.0

And today this topic popped up : https://forum.opnsense.org/index.php?topic=52339.0

And there is also this older topic : https://forum.opnsense.org/index.php?topic=51528.0


Transcend in all of them indeed! Good call! :)
#10
General Discussion / Re: Unbound DNS keeps crashing...
Last post by lmoore - July 09, 2026, 11:42:15 PM
Outbound NAT for internal DNS servers.