Recent posts

#1
25.7, 25.10 Series / Re: Continual issues updating
Last post by franco - Today at 03:23:02 PM
For some reason (lib)fetch has issues with LTE connections. The package manager itself switched to libcurl. I assume your packages updated fine and you're left struggling with how to update the base/kernel? If so I can show you the manual commands to update (and downloading the sets with curl).


Cheers,
Franco
#2
German - Deutsch / Re: Verständnisfrage zu Portfo...
Last post by osmom - Today at 03:18:01 PM
Quote from: meyergru on December 01, 2025, 04:08:12 PM: With a vServer that will be rather difficult... Virtualisation via Proxmox on a virtualisation host? I meant an actual root server.
That wasn't my thought either; I looked at the whole thing from his stated goal of setting up a new server. Because he writes "@JeGr: The goal is to get around a totally botched WordPress hosting." I don't necessarily have to do that behind a Hetzner host, Proxmox, OPNsense and a reverse proxy.
#3
Announcements / OPNsense 25.7.9 released
Last post by franco - Today at 03:12:42 PM
What is up everyone,

A bug snuck into the last release that did not properly disable the
caching of DNS entries when using multiple blocklists with different
network restrictions.  We have used the opportunity to polish the
notification code and apply behaviour during the migration of the
old blocklist to the new format.

The saga around safe command execution continues in this release
as well.  Otherwise it is a rather quiet release and 2025 is almost
over.  Happy holidays!

Here are the full patch notes:

o system: gateway monitor Shell class use et al
o system: no longer back up DUID but add compatibility glue to opnsense-importer
o system: replace exec() in config encrypt/decrypt
o system: replace history diff exec() with shell_safe()
o system: safe execution tweaks in rc.routing_configure
o system: fix log keyword search regression introduced in 25.7.7
o reporting: unbound: fix quick allow/blocklist actions by applying them to all blocklists
o firewall: run filterlog directly after rules apply and remove promiscuous mode
o firewall: allow setting a custom authentication HTTP header for alias URL fetch (contributed by nox-404)
o firewall: for better IPv6 PMTU let "timex" and "paramprob" ICMP types through
o firewall: do not allow nesting in GeoIP aliases
o firewall: live log: restructure DOM layout to reduce wasted header space
o firewall: live log: revert static property, persistence is disabled for this grid
o firewall: safe execution changes in rules reloading code
o firewall: safe execution changes in rc.filter_synchronize
o dnsmasq: minor tweaks in lease commands
o firmware: Shell class replacements in scripting
o kea-dhcp: add lease commands, tabulator GroupBy, URL hashes
o kea-dhcp: add DNR option (contributed by schreibubi)
o network time: status: refactor to MVC/API
o ipsec: connections: prevent model caching when referring items within the same model
o ipsec: sessions: fix missing commands translation
o isc-dhcp: move syslog definitions to plugin file
o unbound: prevent caching of blocklist entries on overlapping subnet policies
o unbound: notify user if a blocklist reset is required
o unbound: reconfigure if marker file present
o unbound: missing lock in del_host_override action
o backend: minor shell execution changes and readability
o backend: use mwexecf(m) where possible
o backend: extend mwexecfb() with PID and log file support
o mvc: fix default sort order being ignored in fetchBindRequest()
o shell: rewrite timeout() using safe execution functions
o ui: refresh notification status after default apply button is done
o ui: remove obsolete jQuery bootgrid files
o plugins: os-acme-client 4.11[1]
o plugins: os-ndp-proxy-go 1.1[2]
o plugins: os-tailscale 1.3[3]
o plugins: os-turnserver 1.1[4]
o plugins: os-upnp 1.8 features assorted improvements to plugin and daemon (contributed by Self-Hosting-Group)
o plugins: os-web-proxy-sso has been marked for removal in 26.1
o plugins: os-zabbix-agent 1.18[5]
o plugins: os-zabbix-proxy 1.16[6]
o ports: filterlog no longer uses unneeded promiscuous mode
o ports: openvpn 2.6.17[7]
o ports: unbound 1.24.2[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/security/tailscale/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/net/turnserver/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-agent/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[7] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.17
[8] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2
#4
25.7, 25.10 Series / Time based Shaper?
Last post by knebb - Today at 03:10:14 PM
Moin,

I just configured my shaper for VoIP traffic. Seems to work fine so far.

For the pipes I assigned the following upload rates:
VoIP:             10Mbit/s
default Upload:  350Mbit/s

Now from my Internet provider I got information about the max, average and guaranteed bandwidth:
Upload max:    500Mbit/s
Upload avg:    400Mbit/s
Upload min:    375Mbit/s

Now the shaper always limits the traffic to a sharp 350Mb/s based on the configured upload pipe.
This is no good, as I am possibly wasting available upload bandwidth (350 vs. 500).

But configuring the shaper/pipe to a higher value might lead to a saturated uplink without traffic shaping, right?

Is there any chance to configure the shaper upload bandwidth based on some sort of automation? I would like to have VoIP on top priority during the day, but at night the backup process should use all available bandwidth (500 instead of 350) to do the backups...

Thanks for ideas!

/KNEBB
#5
Zenarmor (Sensei) / Re: Remote Elasticsearch Datab...
Last post by Seimus - Today at 03:09:33 PM
Quote from: sy on Today at 01:08:33 PM: We believe you can continue using local Elasticsearch by increasing existing resources instead of creating a new Elasticsearch server.

Yea I am sorry but no.
You can not do this on bare-metal devices, such as any miniPC or DEC used to run OPNsense, which is the majority of the user base. You are resource limited.

This actually created another performance problem for ZA and throughput. Because one of the ways to get higher throughput, i.e. better performance, was to move the DB to a remote destination so it is not eating into the single-core performance.

Regards,
S.
#6
German - Deutsch / Re: Zeitbasierte Shaper-Regelu...
Last post by osmom - Today at 03:08:45 PM
So far you have only told your OPNsense that a maximum of 350 Mbit/s should go out, regardless of which data packet.
If you now read up on queues and rules, you can give your VoIP packets a higher priority than your normal traffic, and give the backup the lowest priority. Then VoIP packets are always preferred, and afterwards the remaining bandwidth is split between normal traffic and the backup. If the higher-priority traffic is not there, the lower classes get the bandwidth.
That is how I understood it; please correct me if I'm wrong.
#7
German - Deutsch / Re: Routing Frage
Last post by knebb - Today at 03:03:18 PM
That is once again a typical case of "marketing deception" :(

Yes, these switches can actually route. And that's why they are advertised as L3 switches. But at best they are L2+ switches. They can't do the usual routing protocols, only static routing.

How does that work with them? You have to set up an interface on the switch for each VLAN. And that interface is the respective default gateway of the VLAN. And then, according to the docs, configure a few more things: IPv4 Routing, Inter-VLAN Routing (L3 Mode), Static Routes.

THEN the thing (I have one in use here myself, but only as a proper switch) does indeed route between the VLANs.

What remains is the question, which @meyergru also asked, what the point of networks separated via VLANs is if the routing paths between them are then wide open like a barn door...

My recommendation would also be to merge this somewhat crude infrastructure and run only a single local LAN. It's also better when you understand what you are doing ;)

/KNEBB
#8
German - Deutsch / Re: Routing Frage
Last post by osmom - Today at 02:39:17 PM
Is there a file server or something else for your Mac running on Proxmox server 2? Can you perhaps bring the virtual device into the 10.0.1.x network? Maybe via an additional network card?

According to the manual of your switch, it can't route much; have a look at the chapters "IPv4 Routing Table" and "Static Routing" in the switch manual.
#9
25.7, 25.10 Series / Re: Continual issues updating
Last post by Matthew_Kent - Today at 02:25:37 PM
Yes.  The only connection I can get here is via a 5G connection.  I can manually download the files fine from the distribution sites, so was wondering if I just download them and then SCP them to the correct location it will save the firewall from having to do the download.
#10
I guess not having a management interface can make things harder.
So next time, OOB makes a change easier too.