Recent posts

#1
26.1 Series / Re: Pointers on how to manuall...
Last post by allenlook - Today at 02:57:47 AM
Thank you for the replies!
#2
Quote from: nero355 on Today at 01:59:22 AM
I hope you see now what I was trying to say in my previous reply ?
Got it... thanks for the examples.

Also, my earlier point about CPU frequency being the limiting factor is based on the idea that when limited to a single core then performance only scales with clock speed (assuming all other optimizations have been exhausted).  This seems to be the limiting factor for the home license version of ZA.

For Suricata (and here I think you're correct - it has a setting for "Listeners," but I don't know much about it), I think we can use the Deciso specs for "Threat Protection Throughput" as a guide.  This is cut and dry because the footnote of the spec sheet says:

Quote
IPS performance is measured using ET Open and standard 1500 byte package size.
#3
26.1 Series / Re: Track Interface with 26.1
Last post by nero355 - Today at 02:09:25 AM
Quote from: franco on February 04, 2026, 08:33:27 PM
Why not.  It's probably the smarter approach. :)
I thought so too :)

Thank you for the full reply!
#4
Quote from: OPNenthu on February 04, 2026, 07:48:20 PM
I am referring to this: https://forum.opnsense.org/index.php?topic=41295.0
Ahh, OK :)

Quote
I don't know what you mean by this:

Quote
there are always multiple threads within any application that is just one big single thread,

If I wrote a simple C program with just an infinite control loop, it would peg a single hardware thread if I'm not mistaken?
I am not a programmer/developer but let me put it this way =>

A simple browser comparison :
- Mozilla Firefox
- Pale Moon

Pale Moon is a piece of software that will never use more than 1 CPU/Core to render a website.
However, it is multi-threaded because otherwise it would be extremely slow/unusable as a browser.
It also runs as one thread that is spread amongst the cores of your CPU but it will in total never use more than 1 Core.

Mozilla Firefox is a piece of software that can use as many CPUs or Cores as you allow it to basically.
It is extremely multi-threaded and a lot faster on older multi-Core CPUs than Pale Moon.
It starts multiple threads spread over all the cores of your CPU and does a lot of things at the same time when rendering a website.

The same comparison can be made for example for PPPoE connections handled by FreeBSD vs. Linux which is one of the drawbacks using OPNsense/pfSense for such a connection instead of let's say OpenWRT or so...

In that case Linux is Mozilla Firefox and FreeBSD is Pale Moon when it comes to their PPPoE modules/libraries :)



I hope you see now what I was trying to say in my previous reply ?
#5
26.1 Series / Re: Management Interface openi...
Last post by niwmik - Today at 01:34:33 AM
Thanks, I set it to 10.10.60.0/24 and now it's working.
#6
26.1 Series / Re: Firewall log live view - o...
Last post by pseudonym3k - Today at 01:12:47 AM
I've used multiple machines and multiple browsers. Auto refresh is on.

Firewall just updated to 26.1.1 and I still have the same problem.

Did you try the specific example I gave? It looks like that might be the only one that doesn't work. I tried a query src_port contains and that one worked.

I tried the above specific criteria (address, is, <value>) with multiple LAN and public IPs and none of them worked for me.
#7
General Discussion / Yet another Shaper question (U...
Last post by stanps - Today at 12:49:22 AM
Hey everyone.  I've got high and low priority download pipes/queues/rules that APPEAR to be working just how I expect and want.

But I've got upload pipes/queues/rules that don't seem to be passing any information at all.  I'm generating download and upload traffic using speedtest.net.

I've attached pics of my pipe, queue and rules, as well as the Status showing no activity after a couple full runs of speedtest.net download and upload measurements.  What am I missing?
#8
26.1 Series / Re: DNAT auto firewall [Regist...
Last post by TheSHAD0W - Today at 12:44:21 AM
I should also mention that my setup is rather complex and that would complicate picking out the issue. I could maybe set up a test rig but then there's still so much that needs to be passed around.

If you really need it, I can set up said test rig, but it would be best if we could communicate more directly.
#9
26.1 Series / Re: DNAT auto firewall [Regist...
Last post by TheSHAD0W - Today at 12:38:15 AM
You should be able to do a dual wan test just by plugging both interfaces into the same source network with dhcp, then watching packets out of both using tcpdump.
#10
25.7, 25.10 Series / Re: OpenVPN connection causes ...
Last post by adv - Today at 12:32:41 AM
Quote from: nero355 on February 04, 2026, 07:18:33 PM
Some questions =>

Quote from: adv on February 04, 2026, 06:50:45 PM
From my local Windows 11 computer:
Local network:
ping -n 1 192.168.1.24

Pinging 192.168.1.24 with 32 bytes of data:
Reply from 192.168.1.24: bytes=32 time=22ms TTL=64

Ping statistics for 192.168.1.24:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 22ms, Average = 22ms
Who is this IP address ?

Another PC ? Your Router ? Something else ?

192.168.1.24 is another PC on the local network.

Quote
Quote
Remote network:
ping -n 1 192.168.90.17

Pinging 192.168.90.17 with 32 bytes of data:
Reply from 192.168.90.17: bytes=32 time=23ms TTL=63

Ping statistics for 192.168.90.17:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 23ms, Average = 23ms

This is the subnet on the OpenVPN connection and the IP address of the Remote Desktop PC ?!

No, 192.168.90.0/24 is a subnet at the remote location and 192.168.90.17 is a device on that subnet.

Quote
Quote
Internet:
ping -n 1 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=19ms TTL=114

Ping statistics for 8.8.8.8:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
You ping without DNS resolving, but is the VPN active ? On which Client/Server ?

Yes, VPN was active then and it did ping Google.

Quote
Quote
Ping of local network, remote network, and Google get quick replies.  So, there is some Internet connectivity but I am still unable to browse.
On the Remote Desktop PC or your Local PC ?

On the local PC.  Browsing on the remote PC works fine.

Quote
Quote
tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    1 ms    1 ms    1 ms  192.168.1.1
  2    10 ms    12 ms    10 ms  10.61.193.35
  3    12 ms    13 ms    10 ms  162.151.216.241
  4    12 ms    9 ms    18 ms  po-2-rur201.exeter.nh.boston.comcast.net [68.86.224.229]
  5    38 ms    19 ms  124 ms  po-200-xar01.exeter.nh.boston.comcast.net [96.110.22.29]
  6  109 ms    16 ms    23 ms  be-301-arsc1.needham.ma.boston.comcast.net [162.151.150.125]
  7    23 ms    28 ms    18 ms  96.110.42.9
  8    25 ms    22 ms    20 ms  96.110.34.26
  9    *        *        *    Request timed out.
 10    25 ms    18 ms    19 ms  142.251.225.89
 11    25 ms    19 ms    21 ms  142.251.60.235
 12    20 ms    18 ms    18 ms  dns.google [8.8.8.8]

Trace complete.
Who is :
  2    10 ms    12 ms    10 ms  10.61.193.35
Exactly ?

No idea who 10.61.193.35 is nor 162.151.216.241.  I was guessing they were part of my ISP's infrastructure???

Quote
Quote
nslookup 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  207.172.3.9

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
This should tell you dns.google as answer, but usually you nslookup opnsense.org for example and then it gives you an IP address.

That is the reason you "Have no internet" in your browser I think.

So you are saying there is no DNS?  Is that the cause of all of this?  My thought is that it could be.  So, what I want to do is to have the local computer run its Internet traffic and its DNS through its own Internet connection and NOT through the tunnel.  That is known as Split-Horizon, right?  I just can't find a good how-to article on the most recent version of OpenVPN.