"Recent posts
#1
26.1, 26,4 Series / Re: OPNSense forwarding packet...
Last post by ChristopherL - June 14, 2026, 11:29:47 PMThanks, but I believe you are mistaken. There is no switching loop and Flooding unknown unicast traffic occurs naturally on every layer 2 network. The excessive unknown unicast is being generated when the firewalls route packets with mismatched ethernet destinations that they should be discarding. The TCPDump above demonstrates this happening.
Moreover, if there was a switching loop we would see a lot broader impact, we wouldnt see TTL expired messages, we would see more than just a couple of duplicate packets most of the time, and the issue wouldn't come and go regularly in the way that it was.
Storm control on the firewall interfaces would interfere with CARP. UUFB also would interfere with connectivity to the firewalls, especially as they use two MAC addresses (the interface MAC and the CARP MAC).
Forwarding incorrect packets is a documented bug in FreeBSD that will affect any OPNSense deployment that enables netflow and CARP on the same interface.
Moreover, if there was a switching loop we would see a lot broader impact, we wouldnt see TTL expired messages, we would see more than just a couple of duplicate packets most of the time, and the issue wouldn't come and go regularly in the way that it was.
Storm control on the firewall interfaces would interfere with CARP. UUFB also would interfere with connectivity to the firewalls, especially as they use two MAC addresses (the interface MAC and the CARP MAC).
Forwarding incorrect packets is a documented bug in FreeBSD that will affect any OPNSense deployment that enables netflow and CARP on the same interface.
#2
26.1, 26,4 Series / Re: Network connections are di...
Last post by Monviech (Cedrik) - June 14, 2026, 09:19:32 PMThe only thing I know here that it's generally not a problem because the latest installed SA wins.
Duplicate SAs can be normal during rekeying.
Check your logs if you can find the reason why multiple SAs have been created, there should be some evidence.
Trap+Start as start action could be changed to "Start" if you want to be initiator or "None" if the other side should initiate. Finding out who is the best initiator can help with some of these quirks.
Duplicate SAs can be normal during rekeying.
Check your logs if you can find the reason why multiple SAs have been created, there should be some evidence.
Trap+Start as start action could be changed to "Start" if you want to be initiator or "None" if the other side should initiate. Finding out who is the best initiator can help with some of these quirks.
#3
26.1, 26,4 Series / Re: OPNSense not able to re-cl...
Last post by pfry - June 14, 2026, 08:45:50 PMQuote from: Afif on June 14, 2026, 04:14:25 PMI'm not using ZFS on this system.[...]
Here's mine as an example. ~200 log files with an average size of ~90MB (file system defaults, firewall only, no netflow or hostwatch, most rule logging enabled, averaging a few hundred connections at any given moment), consuming... <3.3GB (I didn't bother to get a precise compression ratio).
Code Select
root@fw:/home/user # df -hT
Filesystem Type Size Used Avail Capacity Mounted on
zroot/ROOT/default zfs 1.4T 1.4G 1.4T 0% /
devfs devfs 1.0K 0B 1.0K 0% /dev
/dev/gpt/efiboot0 msdosfs 260M 1.3M 259M 1% /boot/efi
zroot/var/mail zfs 1.4T 112K 1.4T 0% /var/mail
zroot zfs 1.4T 96K 1.4T 0% /zroot
zroot/tmp zfs 1.4T 3.4M 1.4T 0% /tmp
zroot/usr/ports zfs 1.4T 96K 1.4T 0% /usr/ports
zroot/home zfs 1.4T 140K 1.4T 0% /home
zroot/var/audit zfs 1.4T 96K 1.4T 0% /var/audit
zroot/var/tmp zfs 1.4T 96K 1.4T 0% /var/tmp
zroot/var/crash zfs 1.4T 96K 1.4T 0% /var/crash
zroot/var/log zfs 1.4T 3.3G 1.4T 0% /var/log
zroot/usr/src zfs 1.4T 96K 1.4T 0% /usr/src
devfs devfs 1.0K 0B 1.0K 0% /var/dhcpd/dev
root@fw:/home/user # zpool get feature@lz4_compress,feature@zstd_compress
NAME PROPERTY VALUE SOURCE
zroot feature@lz4_compress active local
zroot feature@zstd_compress enabled local
root@fw:/home/user # ls -la /var/log/filter
total 3252314
drwx------ 2 root wheel 203 Jun 14 08:01 .
drwxr-xr-x 17 root wheel 39 Jun 14 03:01 ..
-rw------- 1 root wheel 87636510 Nov 27 2025 filter_20251127.log
-rw------- 1 root wheel 113842291 Nov 28 2025 filter_20251128.log
-rw------- 1 root wheel 66937381 Nov 29 2025 filter_20251129.log
-rw------- 1 root wheel 63962720 Nov 30 2025 filter_20251130.log
-rw------- 1 root wheel 65829378 Dec 1 2025 filter_20251201.log
-rw------- 1 root wheel 59705785 Dec 2 2025 filter_20251202.log
-rw------- 1 root wheel 65167863 Dec 3 2025 filter_20251203.log
-rw------- 1 root wheel 58694081 Dec 4 2025 filter_20251204.log
-rw------- 1 root wheel 57220899 Dec 5 2025 filter_20251205.log
-rw------- 1 root wheel 58380288 Dec 6 2025 filter_20251206.log
[...]
-rw------- 1 root wheel 112167589 Jun 5 23:59 filter_20260605.log
-rw------- 1 root wheel 100272143 Jun 6 23:59 filter_20260606.log
-rw------- 1 root wheel 89032171 Jun 7 23:59 filter_20260607.log
-rw------- 1 root wheel 97640115 Jun 8 23:59 filter_20260608.log
-rw------- 1 root wheel 96846494 Jun 9 23:59 filter_20260609.log
-rw------- 1 root wheel 85642933 Jun 10 23:59 filter_20260610.log
-rw------- 1 root wheel 88817261 Jun 11 23:59 filter_20260611.log
-rw------- 1 root wheel 91362771 Jun 12 23:59 filter_20260612.log
-rw------- 1 root wheel 89815402 Jun 13 23:59 filter_20260613.log
-rw------- 1 root wheel 35648453 Jun 14 08:57 filter_20260614.log
lrwxr-x--- 1 root wheel 35 Jun 14 08:01 latest.log -> /var/log/filter/filter_20260614.log
root@fw:/home/user #
#4
26.1, 26,4 Series / 26.1.9: Health graphs do not b...
Last post by camellia - June 14, 2026, 06:55:00 PMHi everyone
Prior to 26.1.8_5, the value of Collected Reports was zero in the power-off time Health graphs. However, in 26.1.9, in the power-off time Health graphs, the value of Collected Reports is constant but not zero.
The following is an example of a Health graph for Quality, but the phenomenon is similar for other categories. Power-off time is from around 7:00 to around 18:00.
You cannot view this attachment.
Prior to 26.1.8_5, the value of Collected Reports was zero in the power-off time Health graphs. However, in 26.1.9, in the power-off time Health graphs, the value of Collected Reports is constant but not zero.
The following is an example of a Health graph for Quality, but the phenomenon is similar for other categories. Power-off time is from around 7:00 to around 18:00.
You cannot view this attachment.
#5
26.1, 26,4 Series / Re: Maltrail Failed to establi...
Last post by Othvez - June 14, 2026, 06:41:38 PMThe errors suggest that the issue is no longer fail2ban access itself, but that the Maltrail service listening on 127.0.0.1:8338 is stopping or crashing intermittently. Since the alias works for a while and then starts returning "Connection refused", I'd check whether the Maltrail sensor/server process is still running when the errors occur and review the Maltrail logs around that time. It may be worth investigating why the service on port 8338 is terminating rather than focusing on the allowlist configuration.
#6
German - Deutsch / Re: Firewallkonfiguration für ...
Last post by andyknownasabu - June 14, 2026, 05:39:23 PMSuper Danke! In dem Fall brauche ich meine Firewall-Regeln dann gar nicht mehr?
EDIT: Doch, anscheinend schon wie ich gerade gesehen habe.
EDIT: Doch, anscheinend schon wie ich gerade gesehen habe.
#7
German - Deutsch / Re: Firewallkonfiguration für ...
Last post by stefanpf - June 14, 2026, 05:16:52 PMHi,
mittels des Plugins
os-udpbroadcastrelay
die Ports 6666 und 6667 aus dem Iot in das HA Netz übertragen.
https://github.com/rospogrigio/localtuya/issues/1507
Aber Vorsicht, dass macht süchtig.
Wenn man dann Sonos, YouTube, Netflix für Verschiedene Devices darüber realisiert hat, sind irgendwann soviele High Ports freigegeben, dass man sich die Netztrennung fast schenken kann :)
Alternativ einmal darüber nachdenken den HA mit zwei NICs ausstatten.
mittels des Plugins
os-udpbroadcastrelay
die Ports 6666 und 6667 aus dem Iot in das HA Netz übertragen.
https://github.com/rospogrigio/localtuya/issues/1507
Aber Vorsicht, dass macht süchtig.
Wenn man dann Sonos, YouTube, Netflix für Verschiedene Devices darüber realisiert hat, sind irgendwann soviele High Ports freigegeben, dass man sich die Netztrennung fast schenken kann :)
Alternativ einmal darüber nachdenken den HA mit zwei NICs ausstatten.
#8
German - Deutsch / Firewallkonfiguration für Tuya...
Last post by andyknownasabu - June 14, 2026, 04:31:57 PMHallo zusammen,
ich habe mehrere Tuya-Geräte in Benutzung. Diese bekommen IPs in einem eigenen Subnetz 192.168.3.x.
Kontrollieren/konfigurieren möchte ich die Geräte jedoch über die TuyaLocal Integration in HomeAssistant. Der HomeAssistant-Server ist im Subnetz 192.168.1.x
Ich habe OPNSense so konfiguriert, dass man vom 1er Netz zwar in das 3er Netz kommt, aber nicht umgekehrt. Freigegeben in die Richtung 3er-Netz -> 1-er Netz habe ich nur alle Ports, die Tuya laut Dokumentation benötigt (siehe Bild).
Trotzdem tut es nicht. Ich kann kein Tuya Gerät hinzufügen.
Hat jemand von euch ein ähnliches Setup erfolgreich am Laufen und kann mir hier weiterhelfen?
Besten Dank!
ich habe mehrere Tuya-Geräte in Benutzung. Diese bekommen IPs in einem eigenen Subnetz 192.168.3.x.
Kontrollieren/konfigurieren möchte ich die Geräte jedoch über die TuyaLocal Integration in HomeAssistant. Der HomeAssistant-Server ist im Subnetz 192.168.1.x
Ich habe OPNSense so konfiguriert, dass man vom 1er Netz zwar in das 3er Netz kommt, aber nicht umgekehrt. Freigegeben in die Richtung 3er-Netz -> 1-er Netz habe ich nur alle Ports, die Tuya laut Dokumentation benötigt (siehe Bild).
Trotzdem tut es nicht. Ich kann kein Tuya Gerät hinzufügen.
Hat jemand von euch ein ähnliches Setup erfolgreich am Laufen und kann mir hier weiterhelfen?
Besten Dank!
#9
26.1, 26,4 Series / Re: OPNSense not able to re-cl...
Last post by Afif - June 14, 2026, 04:14:25 PMQuote from: pfry on June 14, 2026, 02:31:40 PMAre you using file system defaults (ZFS, compression)? The compression works very well on log files. (To check, "df -hT" and if ZFS, "zpool get feature@lz4_compress,feature@zstd_compress".)
I'm not using ZFS on this system. Here is the output from the command.
root@OPNsense:/home/afif # df -hT
Filesystem Type Size Used Avail Capacity Mounted on
/dev/da0p2 ufs 29G 6.4G 20G 24% /
devfs devfs 1.0K 0B 1.0K 0% /dev
/dev/da0p1 msdosfs 256M 1.3M 255M 0% /boot/efi
root@OPNsense:/home/afif #
#10
General Discussion / Re: How does OPNsense remember...
Last post by JasMan - June 14, 2026, 03:38:47 PMQuote from: Monviech (Cedrik) on June 13, 2026, 04:58:13 PMIt's not a cookie, it's localStorage.
https://github.com/opnsense/core/blob/bb78d31407a4f36e585d8872ed15969e09832e2f/src/opnsense/www/js/opnsense_bootgrid.js#L633
Perfect! Thank's a lot!
Quote from: nero355 on June 13, 2026, 08:11:32 PMQuote from: JasMan on June 13, 2026, 01:44:45 PMI'm asking because my modified views get very often lost. I can't determine a pattern.TIP :
Use a seperate Profile for your browser for all your OPNsense activities and perhaps also other Network/Server stuff that you need to do from time to time.
Mozilla based browsers use something like this :
Windows :
firefox.exe -P <YourProfielNameHere>
librefox.exe -P <YourProfielNameHere>
Linux/*BSD :
firefox -P <YourProfileNameHere>
librefox -P <YourProfileNameHere>
For the shortcut that starts the browser.
You can create the Profiles by starting the browser without the <YourProfileNameHere> part and after a few clicks you will have a new one by using the menu that appears :)
Nice idea.
If I'm not able to find the reason why the local storage gets lost, this will be my plan B :)
