Recent posts

#1
Hardware and Performance / Re: DEC750 NVMe thermal pad?
Last post by pfry - Today at 02:27:44 PM
Quote from: foxxx0 on Today at 10:15:11 AM
[...]I'm kinda hoping I could just purchase a thermal pad of the necessary thickness (guessing somewhere between 0.5-3mm) to improve the NVMe temperature.[...]

Some things to consider:
  • Thermal pad will be better than air;
  • ...But contact/pressure is important, and M.2 boards are worthless/weak and generally unsupported;
  • The controller is the major power consumer, so your focus should be on it;
  • Be aware of component height - I have M.2 SSDs where the controller is .25mm lower than surrounding components, a critical but hard-to-see issue.

You'll want a dead soft pad. I'd recommend getting a few and seeing what you can work with. Ideally you can trial the thing (such that you can directly view contact) or take an impression (via, say, very soft clay) to try to see how applying pressure to the controller will flex the board. Some motherboards use medium foam supports under the board, but sourcing something like that might be tough. On one of my tiny ARMs I had to trial several pads and thicknesses to find one that didn't simply flex the board such that the controller surface was no longer parallel to the opposite surface, resulting in limited contact. Foam pads are garbage from a thermal standpoint, but may be better from a physical standpoint.

Good luck.
#2
German - Deutsch / Re: Probleme mit Aktualisierun...
Last post by TheExpert - Today at 01:58:09 PM
Ping doesn't work, as I already wrote.

ifconfig: I checked the network settings in the interface overview of the OPNsense in the WebUI and can't find any error.

netstat -r: Doesn't help me there.

As I already wrote, this worked until recently. But I don't know what I may have changed that leads to the problem. I suspected the Captive Portal, but when I deactivate it, nothing changes.

And what's strange is that the OPNsense sees all devices in the WAN segment in the neighbors.

I'll restart both nodes now, maybe that helps...
#3
The OP stated that they are using ULA and asked if they should add that address range to the "Home Networks" list. I don't understand why you mention link local at all?
#4
Virtual private networks / Re: Wireguard Logging
Last post by mtchetch - Today at 01:21:47 PM
Peer names need to be unique for the logging to successfully work.
#5
Virtual private networks / Re: Wireguard Logging
Last post by mtchetch - Today at 01:20:05 PM
Because of the acute lack of solutions I decided to roll my own and share it.

An easy way of doing this with minimal modifications is to use userscripts.

The script has been tested on OPNsense 26.1.1-amd64.

Steps to implement:

Log into the firewall shell with SSH and create the script file:

vi /usr/local/opnsense/service/conf/actions.d/actions_wireguardlogger.conf
Add the content (if not familiar with VI press i and then paste content and press esc and :wq and enter)

[restart]
command: /bin/sh -c 'S=/var/db/wg-peer-cron.state; T=$(mktemp /tmp/wg-peer-cron.XXXXXX) || exit 1; M=$(mktemp /tmp/wg-peer-map.XXXXXX) || exit 1; N=$(date +%s); mkdir -p /var/db; python3 -c '\''import xml.etree.ElementTree as ET; root=ET.parse("/conf/config.xml").getroot(); [print(((c.findtext("pubkey") or "").strip())+"|"+((c.findtext("name") or "").strip())) for c in root.findall("./OPNsense/wireguard/client/clients/client")]'\'' > "$M"; /usr/bin/wg show all dump | awk -F "\t" -v now="$N" '\''NF==9{hs=$6+0; age=(hs>0?now-hs:999999999); st=(hs>0&&age<=300?"connected":"disconnected"); print $1 "|" $2 "|" st "|" hs "|" $4 "|" $5 "|" age}'\'' > "$T" && [ -s "$T" ] || { rm -f "$T" "$M"; exit 0; }; [ -f "$S" ] || : > "$S"; while IFS="|" read -r IF PK ST HS EP AL AGE; do O=$(awk -F "|" -v i="$IF" -v p="$PK" '\''$1==i && $2==p {print; exit}'\'' "$S"); OS=$(printf "%s" "$O" | awk -F "|" '\''{print $3}'\''); [ -n "$OS" ] || OS=unknown; PN=$(awk -F "|" -v p="$PK" '\''$1==p {print $2; exit}'\'' "$M"); [ -n "$PN" ] || PN=unknown; [ -n "$EP" ] && [ "$EP" != "(none)" ] || EP=unknown; [ "$ST" = connected ] && [ "$OS" != connected ] && logger -t wireguard -p auth.notice "wireguard peer connected: instance=$IF, peer_name=$PN, peer_pubkey=$PK, endpoint=$EP, allowed_ips=$AL, handshake_age=${AGE}s"; [ "$ST" = disconnected ] && [ "$OS" != disconnected ] && logger -t wireguard -p auth.notice "wireguard peer disconnected: instance=$IF, peer_name=$PN, peer_pubkey=$PK, endpoint=$EP, allowed_ips=$AL, handshake_age=${AGE}s"; done < "$T"; cut -d"|" -f1-6 "$T" > "$S"; rm -f "$T" "$M"'
parameters:
type: script
message: checking wireguard connections
description: Wireguard connection monitor and logger

Restart the configd service to see the new script:
service configd restart
Log into web management and go to system -> settings -> cron

Create a new job and set it to run every minute


If you did everything correctly the Wireguard log will start logging events every minute. These are accessible directly in the wireguard VPN log menu.

2026-03-13T14:04:00 Notice wireguard wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=56s
2026-03-13T14:03:00 Notice wireguard wireguard peer disconnected: instance=wg0, peer_name=laptop, peer_pubkey=9V3VB9ALJtB0lgvhpCetVVEbZW6YH6Rnk=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=513s
2026-03-13T13:58:12 Notice wireguard wireguard peer disconnected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=381s
2026-03-13T13:54:36 Notice wireguard wireguard peer connected: instance=wg0, peer_name=laptop, peer_pubkey=9V3VB9ALJtB0lgvhpCetVVEbZW6YH6Rnk=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=9s
2026-03-13T13:51:57 Notice wireguard wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=6s

Peers are marked disconnected when they have not handshaked in 300 seconds / 5 min.

For the life of me I do not understand why this simple logging is not part of the Wireguard implementation on every firewall, since it is essential to know who is accessing your firewall and from where.
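
Added example, not part of the post above: one way to consume the log lines this script emits, flagging a peer that connects from a source address not seen before for its public key. The sample log and key strings are constructed, and `parse_line`, `source_host` and `new_source_alerts` are hypothetical names.

```python
import re

LINE_RE = re.compile(r"^(\S+) \S+ wireguard wireguard peer (connected|disconnected): (.*)$")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")  # key=value pairs separated by ", "

# Constructed sample in the post's log format (newest first); key strings are placeholders.
SAMPLE_LOG = """\
2026-03-13T14:10:00 Notice wireguard wireguard peer connected: instance=wg0, peer_name=laptop, peer_pubkey=CONSTRUCTEDKEYLAPTOP=, endpoint=203.0.113.7:61000, allowed_ips=192.168.12.3/32, handshake_age=4s
2026-03-13T14:04:00 Notice wireguard wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=CONSTRUCTEDKEYPHONE=, endpoint=192.168.11.65:40112, allowed_ips=192.168.12.2/32, handshake_age=56s
2026-03-13T14:03:00 Notice wireguard wireguard peer disconnected: instance=wg0, peer_name=laptop, peer_pubkey=CONSTRUCTEDKEYLAPTOP=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=513s
2026-03-13T13:58:12 Notice wireguard wireguard peer disconnected: instance=wg0, peer_name=phone, peer_pubkey=CONSTRUCTEDKEYPHONE=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=381s
2026-03-13T13:54:36 Notice wireguard wireguard peer connected: instance=wg0, peer_name=laptop, peer_pubkey=CONSTRUCTEDKEYLAPTOP=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=9s
2026-03-13T13:51:57 Notice wireguard wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=CONSTRUCTEDKEYPHONE=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=6s
"""

def parse_line(line):
    """Return one event dict, or None for lines that are not peer events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"time": m.group(1), "state": m.group(2)}
    event.update(FIELD_RE.findall(m.group(3)))
    return event

def source_host(endpoint):
    """Strip the port; handles '[v6]:port' and the script's 'unknown' placeholder."""
    if endpoint in ("", "unknown"):
        return None
    return endpoint.rsplit(":", 1)[0].strip("[]")

def new_source_alerts(log_text):
    """Flag 'connected' events whose source host is new for that (instance, pubkey)."""
    events = filter(None, map(parse_line, log_text.splitlines()))
    seen, alerts = {}, []
    # Timestamps in this format sort chronologically as plain strings.
    for e in sorted(events, key=lambda ev: ev["time"]):
        host = source_host(e.get("endpoint", ""))
        if e["state"] != "connected" or host is None:
            continue
        # Key on the public key, not the name: names are only labels from config.xml.
        known = seen.setdefault((e.get("instance"), e.get("peer_pubkey")), set())
        if known and host not in known:
            alerts.append((e["time"], e.get("peer_name"), host))
        known.add(host)
    return alerts

if __name__ == "__main__":
    for when, name, host in new_source_alerts(SAMPLE_LOG):
        print(f"{when} peer {name} connected from new source {host}")
```

The first address seen for a peer is treated as its baseline, so a reconnect from the same host on a different port raises nothing.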


#6
True. But I assume that the clients only get link local from RA?
#7
This morning Google Chrome released a new update 146.0.7680.76 and now everything is fine.

OPNsense is a good firewall, it noticed something was wrong and blocked traffic to the Google Chrome browser.

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
https://thehackernews.com/2026/03/google-fixes-two-chrome-zero-days.html
https://www.mirror.co.uk/tech/google-chrome-update-pc-now-36861847
#8
General Discussion / Re: LTE USB Dongle as Failover...
Last post by d3dl3g - Today at 12:27:49 PM
Quote from: alphatrianguli on September 24, 2025, 07:31:59 AM
Thanks for your info on this! I am trying to achieve the same, but somehow I seem to miss something.

Do I understand correctly, that you put in different IP addresses in the interface static IP address and the gateway address? In your description it seems, you take the IP address of the dongle itself as interface ip, but the DMZ address as gateway? This always shows me "Misconfigured Gateway IP" under the gateway configuration.

Thanks for your help - much appreciated.

hi Alpha, sorry for the super late reply, it would seem i have overlooked the notification or missed it all together... i assume you have sorted this by now but here's my experience.

"Misconfigured Gateway" is usually when the "CIDR" dropdown is not set correctly for the interface

Interfaces > [WAN_Failover] > Static IPv4  configuration > address field, change the 32 to 24

see how you get on.

#9
26.1 Series / Re: OPNsense 26.1.2_5 → 26.1.4...
Last post by franco - Today at 12:21:07 PM
Can you run the cleanup audit and retry?


Cheers,
Franco
#10
26.1 Series / OPNsense 26.1.2_5 → 26.1.4 Upg...
Last post by nmthang282 - Today at 11:29:59 AM
***GOT REQUEST TO UPDATE***
Currently running OPNsense 26.1.2_5 (amd64) at Fri Mar 13 16:40:51 +07 2026
Updating OPNsense repository catalogue...
Waiting for another process to update repository OPNsense
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (117 candidates): .......... done
Processing candidates (117 candidates): .. done
The following 68 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
colordiff: 1.0.22
py313-Babel: 2.18.0
py313-Jinja2: 3.1.6
py313-aioquic: 1.3.0_1
py313-anyio: 4.12.1
py313-async_generator: 1.10_1
py313-attrs: 25.4.0
py313-bottleneck: 1.6.0
py313-certifi: 2026.1.4
py313-cffi: 2.0.0
py313-charset-normalizer: 3.4.4
py313-cryptography: 46.0.4,1
py313-dnspython: 2.8.0_1,1
py313-duckdb: 1.4.4
py313-h11: 0.16.0
py313-h2: 4.1.0_1
py313-hpack: 4.0.0_1
py313-httpcore: 1.0.9
py313-httpx: 0.28.1_1
py313-hyperframe: 6.0.0_1
py313-idna: 3.11
py313-jq: 1.11.0
py313-ldap3: 2.9.1_1
py313-markupsafe: 3.0.3
py313-numexpr: 2.14.1
py313-numpy: 1.26.4_12,1
py313-outcome: 1.3.0_2
py313-packaging: 26.0
py313-pandas: 2.3.3,1
py313-pyasn1: 0.6.0
py313-pyasn1-modules: 0.4.1
py313-pycparser: 2.23
py313-pylsqpack: 0.3.23
py313-pyopenssl: 25.3.0_1,1
py313-pysocks: 1.7.1_1
py313-python-dateutil: 2.9.0
py313-pytz: 2025.2_1,1
py313-pyyaml: 6.0.3
py313-requests: 2.32.5
py313-service-identity: 24.2.0
py313-six: 1.17.0
py313-sniffio: 1.3.1
py313-socksio: 1.0.0_1
py313-sortedcontainers: 2.4.0_1
py313-sqlite3: 3.13.12_10
py313-trio: 0.33.0
py313-truststore: 0.10.4
py313-tzdata: 2025.3
py313-ujson: 5.11.0
py313-urllib3: 2.6.3,1
py313-vici: 6.0.3
python313: 3.13.12

Installed packages to be UPGRADED:
dnsmasq: 2.92,1 -> 2.92_2,1
jansson: 2.14.1 -> 2.15.0
libucl: 0.9.3 -> 0.9.4
libunistring: 1.4.1 -> 1.4.2
libxml2: 2.15.1_1 -> 2.15.2
nss: 3.120 -> 3.121
opnsense: 26.1.2_5 -> 26.1.4
opnsense-installer: 25.1_1 -> 25.1_2
opnsense-lang: 26.1.1 -> 26.1.4
opnsense-update: 26.1.1_1 -> 26.1.3
strongswan: 6.0.3_1 -> 6.0.4
suricata: 8.0.3_1 -> 8.0.3_2
syslog-ng: 4.10.2 -> 4.11.0

Installed packages to be REINSTALLED:
glib-2.84.4,2 (direct dependency changed: python313)
kea-3.0.2_1 (direct dependency changed: python313)
unbound-1.24.2_1 (direct dependency changed: python313)

Number of packages to be installed: 52
Number of packages to be upgraded: 13
Number of packages to be reinstalled: 3

The process will require 500 MiB more space.
120 MiB to be downloaded.
[1/52] Fetching python313-3.13.12.pkg:
pkg-static: cached package python313-3.13.12: missing or size mismatch, fetching from remote
[2/52] Fetching python313-3.13.12.pkg:
pkg-static: cached package python313-3.13.12: missing or size mismatch, cannot continue
Consider running 'pkg update -f'
[3/52] Fetching python313-3.13.12.pkg: ..

Hi OPNsense team,

I'm currently running:

OPNsense 26.1.2_5 (amd64)
Fri Mar 13 16:40:51 +07 2026

When attempting to upgrade to 26.1.4, the update process fails with the following error:

pkg-static: cached package python313-3.13.12: missing or size mismatch, fetching from remote
pkg-static: cached package python313-3.13.12: missing or size mismatch, cannot continue
Consider running 'pkg update -f'

Upgrade summary:

52 new packages (mostly python313 related)

13 upgrades

3 reinstalled (glib, kea, unbound – direct dependency changed: python313)

120 MiB download

500 MiB additional space required

The process stops during fetching python313.

Questions:

Is this related to repository sync issues?

Is it safe to run pkg clean -a -f and pkg update -f on production?

Is there any known issue with the Python 3.13 migration in 26.1.4?

Thank you for your assistance.