Recent posts

#1
26.1, 26,4 Series / Re: Constant delay in TLS hand...
Last post by nero355 - Today at 04:10:32 PM
Quote from: odites999 on Today at 02:40:05 PM: my provider is Movistar in Spain.
Is there a chance that you could get kicked into a CG-NAT segment of their network after rebooting your router?

I can imagine a congested CG-NAT network can cause all sorts of issues...

Could you do a tracert/traceroute to the websites you are having issues with?
#2
Hi Franco,

Can you clarify what steps I am required to take, please?

I did find 'pkg' in the packages list and clicked on reinstall; if this was the correct action, the system is still referring to 2.3.1-1.

Noted this line:
Upgrading package manager from version '2.5.1' to '2.3.1_1'

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 26.1.6_2 (amd64) at Fri Apr 24 14:57:48 BST 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 26.1.6 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 26.1.6 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
mimugmail (Priority: 5)
OPNsense (Priority: 11)
SunnyValley (Priority: 7)
>>> Check installed plugins
os-acme-client 4.15
os-clamav 1.8.1
os-clash-maxit 1.0
os-collectd 1.4_1
os-cpu-microcode-intel 1.1
os-crowdsec 1.0.12
os-ddclient 1.30_2
os-dmidecode 1.2
os-isc-dhcp-devel 1.0_4
os-maltrail 1.10_1
os-net-snmp 1.6_1
os-node_exporter 1.2
os-postfix 1.24.1
os-q-feeds-connector 1.5_2
os-sensei 2.4.2
os-sensei-agent 2.4.1
os-sensei-updater 2.0
os-smart 2.4
os-sunnyvalley 1.5_2
os-tailscale 1.4
os-telegraf 1.12.14
os-theme-advanced 1.1
os-theme-cicada 1.41_1
os-theme-rebellion 1.9.4
os-theme-solarized-community 0.4_1
os-theme-tukan 1.31
os-theme-vicuna 1.51
os-tinc 1.8
os-vnstat 1.3_1
os-wazuh-agent-devel 1.3_1
os-wol 2.5_4
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 26.1.6_2 has 68 dependencies to check.
Checking packages: ................................................
pkg-2.5.1 repository mismatch: FreeBSD
pkg-2.5.1 version mismatch, expected 2.3.1_1
Checking packages: ..................... done
***DONE***

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 26.1.6_2 (amd64) at Fri Apr 24 14:56:32 BST 2026
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data: .......... done
Processing entries: .......... done
OPNsense repository update completed. 931 packages processed.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
Fetching data: ....... done
Processing entries: .. done
SunnyValley repository update completed. 15 packages processed.
Updating mimugmail repository catalogue...
Waiting for another process to update repository mimugmail
All repositories are up to date.
Child process pid=40754 terminated abnormally: Segmentation fault
Upgrading package manager from version '2.5.1' to '2.3.1_1'
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
OPNsense is up to date.
process with pid 45194 still holds the lock
Checking integrity... done (0 conflicting)
Your packages are up to date.
Child process pid=56984 terminated abnormally: Segmentation fault
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data: .......... done
Processing entries: .......... done
OPNsense repository update completed. 931 packages processed.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
Fetching data: ........ done
Processing entries: .. done
SunnyValley repository update completed. 15 packages processed.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching data: ..... done
Processing entries: .......... done
mimugmail repository update completed. 199 packages processed.
All repositories are up to date.
Child process pid=67194 terminated abnormally: Segmentation fault
Checking for upgrades (260 candidates): .......... done
Processing candidates (260 candidates):
pkg: glib has a missing dependency: python311
Processing candidates (260 candidates)... done
Checking integrity... done (0 conflicting)
Your packages are up to date.

Cheers
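The audit output above is the useful part of the post: the "core packages consistency" step names the package that came from a foreign repository and the version the core package expects, and the update-check output records the segfaulting child processes and the missing dependency. The parser below is an added example, not part of the post or of OPNsense's own tooling; it reads that output format into a structured report and lists the findings a practitioner would look at first. The embedded sample is a trimmed, constructed excerpt of the lines shown above, and the line patterns are taken from those lines only.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt of the "audit health" and "check for updates" output
# from the post above (repository and plugin sections abbreviated).
SAMPLE_OUTPUT = """\
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 26.1.6_2 (amd64) at Fri Apr 24 14:57:48 BST 2026
>>> Root file system: zroot/ROOT/default
>>> Check installed repositories
mimugmail (Priority: 5)
OPNsense (Priority: 11)
SunnyValley (Priority: 7)
>>> Check installed plugins
os-acme-client 4.15
os-crowdsec 1.0.12
>>> Check locked packages
No locks found.
>>> Check for core packages consistency
Core package "opnsense" at 26.1.6_2 has 68 dependencies to check.
Checking packages: ................................................
pkg-2.5.1 repository mismatch: FreeBSD
pkg-2.5.1 version mismatch, expected 2.3.1_1
Checking packages: ..................... done
***DONE***
***GOT REQUEST TO CHECK FOR UPDATES***
Child process pid=40754 terminated abnormally: Segmentation fault
Upgrading package manager from version '2.5.1' to '2.3.1_1'
pkg: glib has a missing dependency: python311
"""

RE_SECTION = re.compile(r"^>>> (.+)$")
RE_REPO = re.compile(r"^(\S+) \(Priority: (\d+)\)$")
RE_PLUGIN = re.compile(r"^(os-\S+) (\S+)$")
# "<name>-<version> ..." : the version is the text after the last hyphen.
RE_REPO_MISMATCH = re.compile(r"^(.+)-([^-\s]+) repository mismatch: (\S+)$")
RE_VERSION_MISMATCH = re.compile(r"^(.+)-([^-\s]+) version mismatch, expected (\S+)$")
RE_SEGFAULT = re.compile(r"^Child process pid=(\d+) terminated abnormally: Segmentation fault$")
RE_MISSING_DEP = re.compile(r"^pkg: (\S+) has a missing dependency: (\S+)$")


@dataclass
class PkgReport:
    repos: Dict[str, int] = field(default_factory=dict)          # name -> priority
    plugins: Dict[str, str] = field(default_factory=dict)        # plugin -> version
    repo_mismatches: List[Tuple[str, str, str]] = field(default_factory=list)     # (pkg, ver, repo)
    version_mismatches: List[Tuple[str, str, str]] = field(default_factory=list)  # (pkg, ver, expected)
    segfault_pids: List[int] = field(default_factory=list)
    missing_deps: List[Tuple[str, str]] = field(default_factory=list)             # (pkg, dep)


def parse_pkg_output(text: str) -> PkgReport:
    """Walk the output line by line; '>>> ' lines switch the current section."""
    report = PkgReport()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_SECTION.match(line):
            section = m.group(1)
        elif section == "Check installed repositories" and (m := RE_REPO.match(line)):
            report.repos[m.group(1)] = int(m.group(2))
        elif section == "Check installed plugins" and (m := RE_PLUGIN.match(line)):
            report.plugins[m.group(1)] = m.group(2)
        elif m := RE_REPO_MISMATCH.match(line):
            report.repo_mismatches.append((m.group(1), m.group(2), m.group(3)))
        elif m := RE_VERSION_MISMATCH.match(line):
            report.version_mismatches.append((m.group(1), m.group(2), m.group(3)))
        elif m := RE_SEGFAULT.match(line):
            report.segfault_pids.append(int(m.group(1)))
        elif m := RE_MISSING_DEP.match(line):
            report.missing_deps.append((m.group(1), m.group(2)))
    return report


def findings(report: PkgReport, expected_repo: str = "OPNsense") -> List[str]:
    """Human-readable findings; expected_repo is the repo that should win on priority."""
    out: List[str] = []
    if report.repos:
        top = max(report.repos, key=report.repos.get)
        if top != expected_repo:
            out.append(f"highest-priority repository is {top}, not {expected_repo}")
    for pkg, ver, repo in report.repo_mismatches:
        known = "configured" if repo in report.repos else "not a configured repository"
        out.append(f"{pkg}-{ver} was installed from {repo} ({known})")
    for pkg, ver, expected in report.version_mismatches:
        out.append(f"{pkg}: installed {ver}, core package expects {expected}")
    if report.segfault_pids:
        out.append(f"{len(report.segfault_pids)} child process(es) segfaulted: {report.segfault_pids}")
    for pkg, dep in report.missing_deps:
        out.append(f"{pkg} is missing dependency {dep}")
    return out


if __name__ == "__main__":
    for line in findings(parse_pkg_output(SAMPLE_OUTPUT)):
        print(line)
```

Run against the full audit text, the report shows that the foreign repository ("FreeBSD") is not one of the three configured repositories at all, which is a different situation from a configured third-party repository out-prioritising the OPNsense one; the priority check in findings() covers the latter case.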
#3
Quote from: francescofff on Today at 09:39:58 AM: I bought a TopTon mini-PC with an Intel N150 (Alderlake ULX) quad-core processor and Intel i226-v Ethernet cards.
Please note that those NICs sometimes need a firmware update in order to function properly: https://forum.opnsense.org/index.php?topic=48695.0
Not always the case, but just FYI :)

Quote: My internet service provider is currently Proximus Fiber with 500 Mbps download and upload speeds.
- DHCP WAN or PPPoE?
- Any VLAN needed?

Quote: If I connect my PC directly to the Proximus box, I get the correct speed.
Proximus Box = Modem/Router in NAT Mode or Bridged Mode?

Quote: I tried disabling hardware checksum offload, hardware TCP segmentation offload, and hardware large receive offload, but nothing changed. I also disabled ASPM in the BIOS. I added a few tunables in OPNsense. But still nothing.
I believe it's recommended to have all of those disabled anyway.

ASPM can be a whole separate story...

Do you mean by tunables in OPNsense the ASPM-related ones?

Quote: As a last resort, I booted Linux Mint in Live Session mode from a USB drive, and there I got a speed of 500 Mbps.
You could have tried FreeBSD 14.x instead to be as equal to OPNsense as possible ;)

Quote: I don't understand why I'm being throttled as soon as I install OPNsense.
I thought it was a powerful tool, but I can't even achieve a decent speed.
My TopTon with less CPU and i225 NICs does all of this without any issue and so should yours!

My guess is you have encountered some weird issue and that needs to be resolved.
#4
26.1, 26,4 Series / Re: KeaDHCP dynamic DHCP quest...
Last post by nero355 - Today at 03:41:31 PM
Quote from: franco on Today at 08:55:35 AM: Not at the moment. It's on my wishlist for the next nano images, but it hasn't been discussed internally yet.
Oww... OK... I misunderstood then...

** Editing previous post now!
#5
Quote from: drosophila on Today at 01:49:46 AM: Hehe, looks like you didn't buy the Venus to show it off, given that I can barely make it out behind all those fans and heatsinks! :D
Was that a NAS with all those harddrives?
I just had a lot of storage for that time and it was mostly used for gaming :)

2 x WD Raptor 36 GB ADFD Nvidia RAID 0 for Windows
2 x WD Raptor 150 GB ADFD Nvidia RAID 0 for Games
2 x 250 GB Hitachi HDD for Storage
2 x 250 GB Samsung HDD for Backup of the Storage

I have always been a fan of a lot of storage, so after this build it only got worse, up to a beautiful AsRock X79 Extreme11 with 14 SATA ports :P

Quote: Hmm, Marvell was one but the other was a Vitesse PHY that was fed from the nForce4 and thus would likely also have used the nVidia PXE boot... I think it used the "forcedeth" driver, anyway. Oh well. :)
IIRC driver-wise there was not much difference between the two NICs in Windows at least...

Not sure about Linux/*BSD because even when using some kind of Live CD or whatever option there was at the time I have never done anything with PXE Boot or paid attention to the dmesg output for example.

Quote: BTT: I believe I've found the problem: the nVidia boot agent seems to terminate the boot file name with some illegal character, or rather, with something while there shouldn't be anything there. The server log viewer would show just two blank lines (which is a bug in the server GUI...), but its syslog shows this:
RRQ from x.x.x.x filename /pxelinux.0<FF>
The working Realtek boot agents send the same request but without the postfixed "<FF>" (which probably translates to a single byte of all ones). Obviously that should not be there, but now the question is: why does it work with udhcpd and Dnsmasq, just not with KEA? Is it possible that KEA incorrectly sends this but Realtek just discards it while nVidia keeps it? Or could this be a config problem?
I seem to recall that 0xff is the UTF-8 "continuation" marker, but even if that is correct that still doesn't explain why it's there.
Would it be an option to have a dedicated PXE Boot VLAN on your network?

In the past I have worked for a company that had this and the software doing the PXE Boot stuff was some kind of dedicated Linux distro at the time.
So in this case OPNsense would be just the Router providing internet access for all those NetBoot images :)
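The quoted syslog line is a TFTP read request (RRQ, RFC 1350): a 2-byte opcode, then the file name and transfer mode as NUL-terminated strings, optionally followed by option name/value pairs (RFC 2347). Anything that precedes the first NUL is part of the file name, so a stray 0xFF placed there makes the server look up a file whose name literally ends in that byte. The parser below is an added example, not code from the thread or from any TFTP or DHCP server; the two packets are constructed to model the Realtek and nVidia requests described above (the tsize option is an assumption), and the `<XX>` rendering only approximates how the quoted syslog line shows the byte.

```python
from dataclasses import dataclass
from typing import Dict

OP_RRQ = 1  # TFTP read request opcode (RFC 1350)


@dataclass
class ReadRequest:
    filename: bytes
    mode: bytes
    options: Dict[bytes, bytes]


def parse_rrq(packet: bytes) -> ReadRequest:
    """Parse opcode(2) | filename NUL | mode NUL | [option NUL value NUL]*"""
    if len(packet) < 4 or int.from_bytes(packet[:2], "big") != OP_RRQ:
        raise ValueError("not a TFTP RRQ")
    fields = packet[2:].split(b"\x00")
    # The last split element is the empty string after the final NUL.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("RRQ fields must be NUL-terminated")
    fields = fields[:-1]
    if len(fields) % 2 != 0:  # filename + mode, then name/value pairs
        raise ValueError("malformed option list")
    filename, mode, *rest = fields
    options = {rest[i].lower(): rest[i + 1] for i in range(0, len(rest), 2)}
    return ReadRequest(filename, mode, options)


def render_syslog(name: bytes) -> str:
    """Printable ASCII as-is, any other byte as <XX>; assumed rendering that
    matches the '/pxelinux.0<FF>' form in the quoted log line."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"<{b:02X}>" for b in name)


def stray_trailing_bytes(name: bytes) -> bytes:
    """Non-printable bytes that follow the last printable character of the name."""
    end = len(name)
    while end > 0 and not (0x20 <= name[end - 1] < 0x7F):
        end -= 1
    return name[end:]


def clean_filename(name: bytes) -> bytes:
    """The file name with any trailing non-printable bytes removed."""
    return name[: len(name) - len(stray_trailing_bytes(name))]


# Constructed packets: identical requests except for the byte the nVidia
# agent appends to the file name before the terminating NUL.
REALTEK_RRQ = b"\x00\x01" + b"/pxelinux.0\x00" + b"octet\x00" + b"tsize\x000\x00"
NVIDIA_RRQ = b"\x00\x01" + b"/pxelinux.0\xff\x00" + b"octet\x00" + b"tsize\x000\x00"


def compare() -> dict:
    """Show what a server sees from each client and whether the names agree once
    the stray byte is dropped."""
    realtek = parse_rrq(REALTEK_RRQ)
    nvidia = parse_rrq(NVIDIA_RRQ)
    return {
        "realtek": render_syslog(realtek.filename),
        "nvidia": render_syslog(nvidia.filename),
        "nvidia_stray": stray_trailing_bytes(nvidia.filename),
        "same_after_clean": clean_filename(nvidia.filename) == realtek.filename,
        "mode": nvidia.mode,
        "options": nvidia.options,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value!r}")
```

Whether the byte originates in the client's firmware or in the boot file name it received over DHCP cannot be told from the TFTP side alone; capturing the DHCP offer and checking the file/option 67 field for both clients is the way to separate the two.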
#6
General Discussion / Re: Policy Based Routing ignor...
Last post by viragomann - Today at 03:03:23 PM
Quote from: Residence0886 on Today at 02:48:14 PM: So I created a new firewall rule on the transfer-LAN adapter that covers all traffic and set it on top of the list. Source is my test-client and destination is any.
You have to add this rule to the LAN interface. But maybe, that's just a typo.

Also, you have to state the new gateway in the rule's advanced settings.
#7
Zenarmor (Sensei) / Re: os-sunnywalley plugin inst...
Last post by sy - Today at 02:58:09 PM
Hi,

Is there any news on the issue?
#8
Zenarmor (Sensei) / Re: Zenarmor - Secure Connecti...
Last post by sy - Today at 02:54:26 PM
Hi,

You should see the UDP on port 53 traffic in Live Sessions - Connections report.
#9
Hi everyone,

I have been using OPNsense for quite a while now and in general I tend to get to the bottom of things really fast. But for this specific issue I really got stuck and I don't know where to look.

So this is my basic network configuration:

LAN -- [OPNSense] --- Transfer-LAN --- [External-FW] --- [ISP-Router]

I need to replace the external firewall with a new one which I already installed and assigned an IP address in the transfer LAN.
In OPNSense I created a new upstream-gateway with a lower priority.
When deactivating the primary gateway all traffic takes the new gateway so I assume that routing in general is working fine and the new gateway itself is functional.

For testing purposes I need to make sure that only a single client will use the new gateway for now. So I created a new firewall rule on the transfer-LAN adapter that covers all traffic and set it on top of the list. Source is my test-client and destination is any. From my test-client internet access is working fine and the live-log proves that the correct rule is used for this host. However, traffic still takes the old route via the old external firewall.

None of the interfaces is configured as WAN-Interface. I do not use NAT or any type of VPN.

What I tried so far:

- Created a corresponding inbound rule on the LAN side.
- Flushed all states of this host.
- Rebooted the firewall.
- Set reply-to to disabled in the rule settings.
- Set Disable reply-to in the firewall settings itself.
- Disabled the primary gateway - now the new gateway is used as expected.

Unfortunately I'm running out of ideas. Do you have any ideas? I'm using version 26.1.5.

Thanks in Advance
Daniel
#10
26.1, 26,4 Series / Re: Constant delay in TLS hand...
Last post by meyergru - Today at 02:48:05 PM
The provider test is crap; for me, it shows "OPALTELECOM-AS TalkTalk Communications Limited, GB", while I am in Germany.

If you still use the parameter in Firefox, the test should probably fail, because that setting essentially disables IPv6.

There were several changes in 26.1.6 for IPv6. If you only did a 26.1.6 -> 26.1.6_2 upgrade, everything should work.

What do you mean by "the DNS server is the upstream router"? Do you use a router-behind-router setup, do you mean the ISP router or your OpnSense? If so, its IPv4 or IPv6 address? Please be more specific.