Recent posts

#1
Virtual private networks / Re: Floating firewall rules do...
Last post by pfry - Today at 08:14:18 AM
Quote from: onnieoneone on February 23, 2026, 02:41:18 PM[...]The SSH outbound fails because it disappears into the IPsec SPD _before_ it hits enc0, and so gets tracked from lagg0_vlan1018, so the returning traffic that _does_ appear on enc0 has no matching state and gets dropped unless I put some funky firewall rules in place.[...]

Did you check states? The reverse session/state should be created unless "keep state" is deselected (apparently not the case) or the outbound "let anything out of the firewall" is overridden (normally by an outbound first-match rule). In the latter case I'd expect a log for said rule... assuming it has logging enabled.
#2
Virtual private networks / Re: Problem with an IPsec site...
Last post by vpx - Today at 08:13:32 AM
Quote from: viragomann on February 25, 2026, 05:35:49 PM
I've read a recommendation to disable the default and specify a certain proposal instead.
I doubt the proposals are the problem because as you can see in the log a cipher is already negotiated.

Quote from: viragomann on February 25, 2026, 05:35:49 PM
Maybe it is complaining about the remote site's id. Possibly it's different from the IP address?
As you can see or can't see because I redacted the rest of the IP, the remote IP and remote ID are identical.

The FAQs of strongSwan have a section for the error message "no matching peer config found":

https://docs.strongswan.org/docs/5.9/support/faq.html#_no_matching_peer_config_found

So the problem can only be the ID or the proposals (which I already excluded as a cause).

The FAQ also mentions the allowed format for the ID: https://docs.strongswan.org/docs/5.9/config/identityParsing.html

I already tried to change the ID to the explicit <type>:<value> format under "VPN: IPsec: Connections: Local Authentication" to force the ID but it still shows "%any" in the log file.

I downloaded the swanctl.conf and it doesn't mention "%any" anywhere; this doesn't look right.

I also set the debugging level of "IKE_SA/ISAKMP SA" in "VPN: IPsec: Mobile & Advanced Settings: Syslog" to 2 ("More detailed debugging control flow") for some seconds, see also https://docs.strongswan.org/docs/latest/config/logging.html.

Here is the more detailed log. I don't think level 3 would make sense; it just shows hex data and "natd_chunk => 22 bytes @ 0x..." and similar messages.

2026-02-26T07:52:41    Informational    charon    10[ENC] <421129> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]   
2026-02-26T07:52:41    Informational    charon    10[CFG] <421129> no matching peer config found   
2026-02-26T07:52:41    Informational    charon    10[CFG] <421129> looking for peer configs matching 185.xxx.xx.xx[%any]...195.yyy.yyy.yyy[195.yyy.yyy.yyy]   
2026-02-26T07:52:41    Informational    charon    10[ENC] <421129> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]   
2026-02-26T07:52:41    Informational    charon    10[NET] <421129> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (480 bytes)   
2026-02-26T07:52:41    Informational    charon    10[NET] <421129> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (456 bytes)   
2026-02-26T07:52:41    Informational    charon    10[ENC] <421129> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]   
2026-02-26T07:52:41    Informational    charon    10[CFG] <421129> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048   
2026-02-26T07:52:41    Informational    charon    10[IKE] <421129> IKE_SA (unnamed)[421129] state change: CREATED => CONNECTING   
2026-02-26T07:52:41    Informational    charon    10[IKE] <421129> 195.yyy.yyy.yyy is initiating an IKE_SA   
2026-02-26T07:52:41    Informational    charon    10[IKE] <421129> remote endpoint changed from 0.0.0.0 to 195.yyy.yyy.yyy[500]   
2026-02-26T07:52:41    Informational    charon    10[IKE] <421129> local endpoint changed from 0.0.0.0[500] to 185.xxx.xx.xx[500]   
2026-02-26T07:52:41    Informational    charon    10[ENC] <421129> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]   
2026-02-26T07:52:41    Informational    charon    10[NET] <421129> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (672 bytes)   
2026-02-26T07:52:40    Informational    charon    10[IKE] <421128> IKE_SA (unnamed)[421128] state change: CONNECTING => DESTROYING   
2026-02-26T07:52:40    Informational    charon    10[NET] <421128> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (80 bytes)
(By the way when did the logs change direction from down to up because I saw old posts where the log goes from up to down? :) )

Also how would I know the default proposals? Even the swanctl.conf just says "proposals = default" and "esp_proposals = default".

It would be nice if there was a place in the GUI where you can actually see them.

I actually found the default proposals by setting CFG ("Configuration management and plugins") to level 2, here they are:

2026-02-26T08:18:01 Informational charon 15[CFG] <422831> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
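As an added example (not code from the post, from strongSwan or from OPNsense), a small Python helper that restores the chronological order of the charon lines quoted above and pulls out the identities the peer-config lookup compared, flagging a local ID of %any when a proposal was already agreed. The log sample is constructed from the lines in the post, with the same redacted addresses.

```python
import re
from collections import defaultdict

# Constructed sample: charon lines quoted in the post above, newest first as the GUI shows them.
SAMPLE_LOG = """\
2026-02-26T07:52:41    Informational    charon    10[ENC] <421129> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2026-02-26T07:52:41    Informational    charon    10[CFG] <421129> no matching peer config found
2026-02-26T07:52:41    Informational    charon    10[CFG] <421129> looking for peer configs matching 185.xxx.xx.xx[%any]...195.yyy.yyy.yyy[195.yyy.yyy.yyy]
2026-02-26T07:52:41    Informational    charon    10[CFG] <421129> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2026-02-26T07:52:41    Informational    charon    10[IKE] <421129> 195.yyy.yyy.yyy is initiating an IKE_SA
2026-02-26T07:52:40    Informational    charon    10[IKE] <421128> IKE_SA (unnamed)[421128] state change: CONNECTING => DESTROYING
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+charon\s+\d+\[(?P<sub>[A-Z]+)\]\s+<(?P<sa>\d+)>\s+(?P<msg>.*)$")
MATCH_RE = re.compile(r"looking for peer configs matching (?P<lip>\S+?)\[(?P<lid>[^\]]+)\]"
                      r"\.\.\.(?P<rip>\S+?)\[(?P<rid>[^\]]+)\]")
PROPOSAL_RE = re.compile(r"selected proposal: (?P<prop>\S+)")

def parse(log_text):
    """Group charon lines by IKE_SA number and restore oldest-first order."""
    by_sa = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_sa[int(m["sa"])].append(m.groupdict())
    for entries in by_sa.values():
        entries.reverse()  # the OPNsense log view lists newest first
    return dict(by_sa)

def diagnose(log_text):
    """Per IKE_SA: agreed proposal, identities compared, and whether the peer-config lookup failed."""
    findings = {}
    for sa, entries in parse(log_text).items():
        f = {"proposal": None, "local_id": None, "remote_id": None, "peer_config_missing": False}
        for e in entries:
            pm = PROPOSAL_RE.search(e["msg"])
            if pm:
                f["proposal"] = pm["prop"]
            mm = MATCH_RE.search(e["msg"])
            if mm:
                f["local_id"], f["remote_id"] = mm["lid"], mm["rid"]
            if e["msg"].startswith("no matching peer config found"):
                f["peer_config_missing"] = True
        # Mirrors the poster's reasoning: a proposal was already agreed, so a failed
        # lookup that shows the local ID as %any points at identity configuration.
        f["identity_suspect"] = (f["peer_config_missing"] and f["proposal"] is not None
                                 and f["local_id"] == "%any")
        findings[sa] = f
    return findings
```

Feed it the text of the IPsec log view and look at `identity_suspect` per IKE_SA; `parse()` alone is enough when you only want the lines in the order events actually happened.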
#3
26.1 Series / Re: Kea DHCPv4 How to remove d...
Last post by Netlearn - Today at 05:32:54 AM
Quote from: Lip90 on February 23, 2026, 10:24:01 PM
No, unless you have turned on some kind of "Don't allow Clients that don't have a Static DHCP Mapping configured" setting which some DHCP Servers have ??

Regarding this, I opened a thread and an issue on Github on the General Discussion forum, maybe not the right place... This is the thread.

I don't use random DHCP addressing. Some nets are fully static assignment, and if DHCP is in use, I always use reservations. Exceptions apply on labs and similar, things that are disposable.

I really miss the "Deny unknown clients" feature from ISC exposed in the web GUI. With this option checked, I can find the MAC address of the device before it receives an IP, make the reservation and rules if they apply, and let it connect afterwards.
#4
German - Deutsch / Re: DSL Zwangstrennung verschi...
Last post by k0ns0l3 - Today at 05:16:59 AM
Is a daily forced disconnection of a DSL line necessary?

Regards
#5
26.1 Series / Re: How does SLAAC for ipv6 wo...
Last post by allebone - Today at 03:14:46 AM
So the answer is yes, they conflict.
#6
25.7, 25.10 Series / Re: BIOS halted with 0x06 Inva...
Last post by txr13 - Today at 01:20:37 AM
On the contrary, the release notes on the page I linked for the 1.15 version also note the following points:

- Fix PXE boot fails when there is boot option is listed as the last entry in the boot sequence and set by Virtual Console.
- This product release contains security update DSA-2026-012 and DSA-2026-040. Any security fix information will be accessible on the Dell Security Advisories and Notices website.

DSA-2026-012 appears to be an Intel CVE that is fixed in microcode, so the plugin would certainly mitigate that. DSA-2026-040 does not appear to be available at the present time, so who knows what that's about. Regardless, the release notes definitely do mention security updates, and also a functional reason (though that doesn't apply to me, since I disable PXE boot on perimeter devices anyway).

Still, I wouldn't consider "just don't do updates for that" a valid response in general. I do read the release notes for what I update, and I'm generally happy to postpone or skip individual updates if I don't have a burning reason to install them... but I will install them eventually, and other users may have them installed even before installing OPNsense. Hence why I wanted to flag the possibility that a new platform update might affect some versions of the bootloader.

If the general thought is "you don't need to update your BIOS, so use of a newly-illegal operand isn't a concern," then I'll drop it, even if I do find that an unsatisfying answer. I realize the issue may also need more investigation. I may do some of that investigation myself, when I get a chance. (I think updating the bootloader again and then trying to upgrade to 1.15 might be informative, and if nothing else I'll have the presence of mind to capture the registers visible in the halt screen for further analysis.)
#7
26.1 Series / Re: Enable SSH at Console
Last post by nero355 - Today at 01:14:22 AM
You have sparked my curiosity :

Since OPNsense is basically "FreeBSD + a lot of code on top of it" I would expect this to be enough to get OpenSSH Server running : https://docs.freebsd.org/en/books/handbook/security/#_enabling_the_ssh_server

Did you try that by any chance ?!



Your eventual solution (Written by some Machine Learning Chatbots it seems ?!) also mentions this :
/usr/local/etc/rc.sshd restart
That's a pure FreeBSD command used "before the service era" so if that worked too then the good old FreeBSD Handbook was all you needed ;)

(And IIRC since it's from /usr/local/etc/ it has to be the OpenSSH Server you install separately and not the one included in the OS itself!)
#8
We have two virtual firewalls in a CARP pair. They each have two WANs set up in a gateway group. In addition, on the LAN network we have an active directory domain controller. The end goal is that Unbound recursively resolves using its root hints, communicating on whichever WAN interface is currently the primary, unless the query belongs to local.example.com, in which case it forwards through the LAN interface to the domain controller.
I have all three interfaces selected as the Outgoing Network Interfaces in Unbound's advanced settings. The problem is that if you read the fine-print on the documentation page for Unbound it reveals that it will use the Outgoing Network Interfaces at random to counter spoofing. The behavior I'm seeing is that some local DNS queries get sent out to either of the WANs, in which case they get dropped obviously, or alternatively in some cases it tries to resolve public DNS information through the domain controller. We were originally using Domain Overrides but it's our understanding this is no longer supported.
How should we approach this?
For example:
> all the configured stub or forward servers failed, at zone local.example.com. no server to query nameserver addresses not usable have no nameserver names
#9
26.1 Series / Re: How does SLAAC for ipv6 wo...
Last post by nero355 - Today at 12:25:53 AM
Quote from: allebone on February 25, 2026, 10:04:57 PM
If I follow this guide: https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples

And enable SLAAC in Services ‣ Dnsmasq DNS & DHCP ‣ General

Must I then disable Router advertisements on that interface under Services ‣ Router Advertisements? Are these 2 services in conflict?
Please read : https://docs.opnsense.org/manual/radvd.html :)

Quote from: OPNenthu on February 25, 2026, 07:46:02 PM
Quote from: nero355 on February 25, 2026, 07:01:03 PM
This document explains all the options and seems to match your experience : https://www.networkmanager.dev/docs/api/latest/settings-ipv6.html
Ah, actually it looks like I was wrong about the NIC with "stable privacy" mode.  Per this document:

"Also, the address is stable when the network interface hardware is replaced."
Was a quick reply so did not check everything, but you were on the right track for sure and that's what matters ;)
#10
25.7, 25.10 Series / Re: BIOS halted with 0x06 Inva...
Last post by meyergru - Today at 12:22:22 AM
After OPNsense has booted, the BIOS does not control much any more (except for vPro features, that is). So if the BIOS is viable to control your hardware (fan control, disk drivers for boot phase), it should never need an update, unless hardware is changed or CPU microcodes must be applied.

Since OPNsense offers a way to update the microcode independent of the BIOS, you actually do not need to update the BIOS any more - this is even more true if the only reason to update the BIOS is in fact updated microcode. I think this may be true for most systems older than 5 years.

I think this is true of your BIOS 1.15, especially, because there are no release notes as to why there is an update - maybe security patches are not even mentioned for "security by obscurity" reasons. As a matter of fact, there are no functional reasons given, either.