Recent posts

#1
I have a tomcat application (Guacamole) that runs just great behind Caddy.

Perform a tcpdump to investigate what is going on on the network. Use the browser developer console to see the browser's view of the situation - connections, objects, failures ...

#2
25.7, 25.10 Series / DNSmasq DHCP Problem?
Last post by spetrillo - Today at 03:59:22 PM
Morning all,

I am using dnsmasq as my default DHCP server. I have two DHCP entries that do not seem to want to clear from my leases. Attached is the screenshot. You will see 192.168.1.68 and 192.168.1.78. Both VMs do not exist but I cannot seem to clear them. How can I fix this?

Thanks,
Steve
#3
General Discussion / Re: Awful performance, when ac...
Last post by fylo - Today at 03:33:02 PM
Hello,

I have a similar setup and behavior: an OPNsense firewall, Caddy as reverse proxy and a Tomcat application. Other applications (non-Tomcat) on the same proxy are working well, but the Tomcat app is awfully slow. The app and the data are loading, but with an offset of 1 to 2 minutes.

Did you find any solution?

Best regards and thanks for helping.
#4
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by humnab - Today at 03:16:19 PM
Hello,

perhaps mpm-prefork / mpm-event is the point to look at:


Quote from: https://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_2016_2019_inklusive_Outlook_Anywhere_RPC_over_http

a2dismod mpm_event
a2enmod mpm_prefork
systemctl restart apache2.service

This hint comes from Marco Maus and is important for NTLM authentication to work.

#5
Quote from: passeri on December 16, 2025, 12:21:39 AM
Quote from: lukas.liechti on December 15, 2025, 07:10:08 PM
Add another tunable. This time, we're allowing NIC drivers to use ISR queues.
net.isr.dispatch = deferred

Lukas, I was aware of the other tunables but I did not find this particular one in the OPNsense docs, whether on the page you reference or in a search. I did find it offered by Gemini.

Are you able to comment further on the source for this one please, and its actual effects? My reading of the referenced page is that it may be unnecessary.

The link I stumbled over regarding the "rss" tuning: Boosting OPNsense PPPoE FTTP speeds with some quick changes / [xda-developers.com]

Then i searched in the opnsense Docs and found under "Performance" all the things i needed.
Opnsense Performance

For me, next to RSS itself, the rss.bits setting (net.inet.rss.bits = X, bits depending on core count) was the biggest improvement, which now also makes sense. :)
#6
General Discussion / Re: opnsense shutting down
Last post by OPNenthu - Today at 02:41:58 PM
An old post from Ad explains that particular line: https://forum.opnsense.org/index.php?topic=25825.msg124748#msg124748

Doesn't seem like that one is anything to worry about.  If your system's not staying up long enough to view the logs then that makes it difficult.  Can you attach a serial console so that you can have a copy of the output as it's crashing?

You could also try running a live Linux USB (Ubuntu or something) and see if it's stable under some load, at least to rule out hardware.
#7
General Discussion / Re: opnsense shutting down
Last post by sigma - Today at 02:24:13 PM
On the console (directly on the monitor connected to the OPNsense computer) I get an error "iflib_netmap_config txr 2 rxr 2 txd 1024 rxd 1024 rbufsz 2048". After this comes up 7 times, a few minutes later a bunch of lines (not the same lines) scroll down very fast and then it reboots or shuts down.
#8
General Discussion / Specific website cannot be rea...
Last post by Edwin70 - Today at 02:04:59 PM
Hi All,

I have a strange issue. There is one specific site/service that I cannot reach through OPNsense. The site my.dhlcommerce.nl fails to load and also the app which connects to the same domain does not work.

When I look in the unbound log I see the following log entries when starting the app:
2025-12-22T13:52:54 Informational unbound [92545:1] reply: *.*.*.* my.dhlecommerce.nl. HTTPS IN SERVFAIL 0.174887 0 36
2025-12-22T13:52:54 Informational unbound [92545:1] info: validation failure <my.dhlecommerce.nl. HTTPS IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:3] reply: *.*.*.* my.dhlecommerce.nl. A IN SERVFAIL 0.158761 0 36
2025-12-22T13:52:54 Informational unbound [92545:3] info: validation failure <my.dhlecommerce.nl. A IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:2] reply: *.*.*.* my.dhlecommerce.nl. AAAA IN SERVFAIL 0.139982 0 36
2025-12-22T13:52:54 Informational unbound [92545:2] info: validation failure <my.dhlecommerce.nl. AAAA IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:3] query: *.*.*.* my.dhlecommerce.nl. A IN
2025-12-22T13:52:54 Informational unbound [92545:2] query: *.*.*.* my.dhlecommerce.nl. AAAA IN
2025-12-22T13:52:54 Informational unbound [92545:1] query: *.*.*.* my.dhlecommerce.nl. HTTPS IN

I also have some logging from Firefox console when trying to load the website:
[code]
HTTPS-First Mode: Upgrading insecure speculative TCP connection "http://dhlcommerce.nl/" to use "https".
HTTPS-First Mode: Upgrading insecure request "http://dhlcommerce.nl/" to use "https".
HTTPS-First Mode: Upgrading insecure request "https://dhlcommerce.nl/" failed. Downgrading to "http" again.
HTTPS-First Mode: Adding exception to temporarily prevent further attempts to automatically load "http://dhlcommerce.nl" securely.
[/code]

It looks like a problem with the certificate (?)

When I connect to the website using a VPN or a different network, everything works fine. So the service itself is OK.

I have a pretty simple setup: OPNsense 25.7.10 with Unbound as the resolver with DNS over TLS enabled. I also use a blocklist; disabling that does not make a difference. The internet connection is through a Ziggo Cable modem in bridge mode.

Any ideas? I have no problems with other websites. Any help is greatly appreciated.
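The Unbound lines quoted in the post above already contain the diagnosis: every reply for my.dhlecommerce.nl. is SERVFAIL, and each is paired with a "validation failure ... no signatures from <address>" message, i.e. the resolver, with DNSSEC validation active, received unsigned answers from that upstream for a name it expects to be signed, and it withholds the answer rather than return something it cannot validate. The Python below is an added example, not code from the post or from OPNsense/Unbound: it parses the log lines exactly as posted and correlates SERVFAIL replies with the validation-failure message for the same name and record type, so a busy log can be reduced to the names actually being refused for DNSSEC reasons. One extra NOERROR line is constructed to show that healthy replies are not reported.

```python
import re

# Unbound log lines quoted from the post above; the poster had already masked
# the client address as *.*.*.*.
SAMPLE_LOG = """\
2025-12-22T13:52:54 Informational unbound [92545:1] reply: *.*.*.* my.dhlecommerce.nl. HTTPS IN SERVFAIL 0.174887 0 36
2025-12-22T13:52:54 Informational unbound [92545:1] info: validation failure <my.dhlecommerce.nl. HTTPS IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:3] reply: *.*.*.* my.dhlecommerce.nl. A IN SERVFAIL 0.158761 0 36
2025-12-22T13:52:54 Informational unbound [92545:3] info: validation failure <my.dhlecommerce.nl. A IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:2] reply: *.*.*.* my.dhlecommerce.nl. AAAA IN SERVFAIL 0.139982 0 36
2025-12-22T13:52:54 Informational unbound [92545:2] info: validation failure <my.dhlecommerce.nl. AAAA IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:3] query: *.*.*.* my.dhlecommerce.nl. A IN
2025-12-22T13:52:54 Informational unbound [92545:2] query: *.*.*.* my.dhlecommerce.nl. AAAA IN
2025-12-22T13:52:54 Informational unbound [92545:1] query: *.*.*.* my.dhlecommerce.nl. HTTPS IN
"""
# Constructed line (not from the post): a healthy, cached NOERROR reply that must NOT be reported.
SAMPLE_LOG += "2025-12-22T13:52:55 Informational unbound [92545:1] reply: *.*.*.* example.com. A IN NOERROR 0.010000 1 56\n"

# "<timestamp> <level> unbound [<pid>:<thread>] <kind>: <rest>"
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+unbound\s+\[(?P<pid>\d+):(?P<thread>\d+)\]\s+"
    r"(?P<kind>reply|info|query):\s*(?P<rest>.*)$"
)
# reply: <client> <qname> <qtype> <qclass> <rcode> <seconds> <from-cache> <size>
REPLY_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s+"
    r"(?P<rcode>\S+)\s+(?P<secs>[\d.]+)\s+(?P<cached>\d)\s+(?P<size>\d+)$"
)
# info: validation failure <qname qtype qclass>: <reason>
VALFAIL_RE = re.compile(
    r"^validation failure <(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)>:\s*(?P<reason>.+)$"
)


def parse_unbound_log(text):
    """Return (replies, failures).

    replies  maps (qname, qtype) -> rcode of the reply sent to the client
    failures maps (qname, qtype) -> reason given in the validation-failure message
    Lines that are not reply/info/query lines are ignored."""
    replies, failures = {}, {}
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "reply":
            r = REPLY_RE.match(rest)
            if r:
                replies[(r.group("qname"), r.group("qtype"))] = r.group("rcode")
        elif kind == "info":
            v = VALFAIL_RE.match(rest)
            if v:
                failures[(v.group("qname"), v.group("qtype"))] = v.group("reason")
    return replies, failures


def dnssec_servfails(text):
    """Correlate SERVFAIL replies with a validation failure for the same name and type.

    Returns a sorted list of (qname, qtype, reason). A SERVFAIL without a matching
    validation message (e.g. an upstream timeout) is deliberately left out, so the
    result lists only answers Unbound refused for DNSSEC reasons."""
    replies, failures = parse_unbound_log(text)
    found = [
        (qname, qtype, failures[(qname, qtype)])
        for (qname, qtype), rcode in replies.items()
        if rcode == "SERVFAIL" and (qname, qtype) in failures
    ]
    return sorted(found)


if __name__ == "__main__":
    for qname, qtype, reason in dnssec_servfails(SAMPLE_LOG):
        print(f"{qname} {qtype}: SERVFAIL because {reason}")
```

Running it on the posted lines reports the A, AAAA and HTTPS lookups for my.dhlecommerce.nl. with the reason "no signatures from 86.54.11.201" and says nothing about the constructed example.com. reply. The same correlation is a useful thing to keep running over the resolver log, because a validator that starts returning SERVFAIL for a name is exactly how a broken (or tampered) DNSSEC chain shows up to clients, and the "from <address>" part tells you which upstream served the unsigned data, which is the next thing to check before considering the site's certificate.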
#9
Quote from: Armani on December 16, 2025, 03:09:08 AM
Including more comprehensive and regularly updated community lists would significantly improve the default security level of OPNsense installations.
When editing blocklist you can enable advanced mode to get the `URLs of Blocklists` field, where you can add urls to all blocklists you want.
They don't necessarily have to be provided by opnsense itself.
#10
Is this a hosted environment? Is the OPNsense VM permitted to use a different MAC address than the host on WAN?