"Recent posts
#1
26.1 Series / OPNsense 26.1.3 / os-caddy 2.1...
Last post by hansen-pansen - Today at 10:13:38 AMDear OPNsense users,
this post is only to make you aware of an important Caddy upstream change that is carried with os-caddy 2.1.0 in OPNsense 26.1.3:
The "Host" header of the upstream connection is now set to the address of the upstream host ("{upstream_hostport}"). Before Caddy 2.11.0 it was set to "{host}".
This might bite you in case you are running the upstream servers in a DMZ, depending on your setup. This can be easily fixed by adding a new "Header" object that carries the value of {host}, and in the "Handlers" sections at this header to the reverse_proxy handler.
Upstream commit that introduced this change: https://github.com/caddyserver/caddy/pull/7454.
this post is only to make you aware of an important Caddy upstream change that is carried with os-caddy 2.1.0 in OPNsense 26.1.3:
The "Host" header of the upstream connection is now set to the address of the upstream host ("{upstream_hostport}"). Before Caddy 2.11.0 it was set to "{host}".
This might bite you in case you are running the upstream servers in a DMZ, depending on your setup. This can be easily fixed by adding a new "Header" object that carries the value of {host}, and in the "Handlers" sections at this header to the reverse_proxy handler.
Upstream commit that introduced this change: https://github.com/caddyserver/caddy/pull/7454.
#2
German - Deutsch / Re: Kaufberatung
Last post by fastboot - Today at 09:48:04 AM@iani Das ist keine FW Appliance, sondern in Mini-PC mit zwei NICs. Dazu auch noch mit nem Realtek Chipset. Leider ist es bei den meisten dieser Geräte so, dass man keine Ersatzteile bekommt.
In meinem Fall für den Mini-PC auf den mein Home Assistant läuft, durfte ich einen Ersatzlüfter aus China bestellen. Kostenpunkt mit Shipping 42,xx€
Ich hätte Dir auch noch ne FW4B für ~100€ anbieten können. Liegt bei mir nur noch rum.
Living and Learning. Oder Learning by Burning :D
Viel Spass && Erfolg
In meinem Fall für den Mini-PC auf den mein Home Assistant läuft, durfte ich einen Ersatzlüfter aus China bestellen. Kostenpunkt mit Shipping 42,xx€
Ich hätte Dir auch noch ne FW4B für ~100€ anbieten können. Liegt bei mir nur noch rum.
Living and Learning. Oder Learning by Burning :D
Viel Spass && Erfolg
#3
25.7, 25.10 Series / Re: Random blocking UDP packet...
Last post by noahharold - Today at 09:13:39 AMQuote from: vlnc on October 11, 2025, 03:33:35 PMHi everyone,It sounds like a frustrating issue! Try flushing the state table with pfctl -F states and adjusting your UDP timeout settings in the Tunables (set net.pf.udp_first and net.pf.udp_single to 120, and net.pf.udp_multiple to 180). Also, make sure your firewall rules are allowing all necessary UDP traffic for your game. Good luck!
I'm running this version of OPNSense in a VM ESXi hosted:
OPNsense 25.7.5-amd64
FreeBSD 14.3-RELEASE-p4
OpenSSL 3.0.18 bat smash game
Since I don't really know when this is happening (I mean since which opnsense update), I got this side effect :
While playing online on a server on my favorite game (squad on pc as an example), I got huge lags for a limited time (dozen of seconds) with effects like no more VOIP, everyone running into walls ect... cause of UDP packets are blocked/not processed by OPNSense. Result is sometimes after the lag and UDP packets transmitted again, I'm disconnected from the server, sometimes I'm not.
My network setup is pretty simple :
My PC : 192.168.2.2/24 using 192.168.2.1/24 (opnsense) as default gateway
Opnsense : using my ISP router as main and only gateway / DNS server (I need to SNAT traffic from/to 192.168.2.0/24 by 192.168.2.1 to my ISP router to access Internet cause I can't setup a static route on my ISP router (which is in 192.168.1.0/24) like "ip route 192.168.2.0/24 via 192.168.2.1/32".
Firewall rules on User interface is : 192.168.2.0/24 any any allow
As drawing is better than writing :
For your understanding of my OPNSense current configuration, list of services (enabled/disabled) :
- Captive portal -> Disabled
- DHCRelay -> Disabled
- Dnsmasq DNS & DHCP -> Disabled
- Intrusion Detection -> Disabled
- ISC DHCPv4 -> Enabled
- ISC DHCPv6 -> Disabled
- Kea DHCP -> Disabled
- Monit -> Enabled
- Network Time -> Enabled
- OpenDNS -> Disabled
- Unbound DNS -> Enabled
Start ask chatgpt, redirected me to :
-> bug in opnsense since switching to pf (XD)
-> flush state table (pfctl -F states)
-> UDP State timeout to short
-> Service IDS/IPS suricata (disabled as you seen)
-> Update Bogons / GeoIP (weird cause I shouldn't be able to connect to the game server at the first place no ?)
-> Normalization rules on WAN interface (timeout parameter is missing in GUI)
-> System > Settings > Tunables then add these parameters net.pf.udp_first to 120, net.pf.udp_single to 120 and net.pf.udp_multiple to 180
I don't really know where to look for right now and I don't want to change parameters that I don't really know it will have a good or bad effect without your advices.
Anyone as an idea ? I'm only using GUI, doesn't made in changes via CLI/SSH.
I will investigate if this impact TCP traffic too.
Thanks for your help.
Regards,
vlnc
#4
General Discussion / Re: cant see DHCP option anymo...
Last post by franco - Today at 09:05:32 AMIt may seem counter intuitive to UX at first, but it a) reduces complexity of the interfaces settings page and b) better aligns with how the system is supposed to work underneath. It's also very seldom that someone changes from PPPoE to DHCP and now we don't have to make guesses about to which interface the user wants to switch to in that case. It may be the one where PPPoE sits, but it also may not.
Cheers,
Franco
Cheers,
Franco
#5
German - Deutsch / Re: kea wie zum laufen bringen
Last post by Monviech (Cedrik) - Today at 08:57:49 AMDer Filter funktioniert schon, da es in dieser Ansicht keine Interfaces gibt, wird auch nichts angezeigt. Aber auf der selben Seite gibt es Tags. Jetzt nur für eine Ansicht den Selectpicker anzupassen sodass er keine Interfaces anzeigt hat zu wenig benefits. Interfaces sind nämlich auch "tags" bei dnsmasq.
#6
26.1 Series / Re: Unbound won't start 26.1.1...
Last post by franco - Today at 08:56:46 AMYou are right. I'm sorry, too late yesterday for me.
It's a bit odd the package manager decided to remove the core package:
> [9/111] Deinstalling opnsense-26.1...
> Stopping configd...done
> Resetting root shell
> Updating /etc/shells
> Unhooking from /etc/rc
> Unhooking from /etc/rc.shutdown
> [9/111] Deleting files for opnsense-26.1: .......... done
But it doesn't matter too much since in the end if finishes the installation and the integrity checks are ok.
I still expect some Python files to be cached that shouldn't. Can you list the files inside the Unbound chroot?
# find /var/unbound/unbound-dnsbl -type f -name "*.pyc"
Thanks,
Franco
It's a bit odd the package manager decided to remove the core package:
> [9/111] Deinstalling opnsense-26.1...
> Stopping configd...done
> Resetting root shell
> Updating /etc/shells
> Unhooking from /etc/rc
> Unhooking from /etc/rc.shutdown
> [9/111] Deleting files for opnsense-26.1: .......... done
But it doesn't matter too much since in the end if finishes the installation and the integrity checks are ok.
I still expect some Python files to be cached that shouldn't. Can you list the files inside the Unbound chroot?
# find /var/unbound/unbound-dnsbl -type f -name "*.pyc"
Thanks,
Franco
#7
Zenarmor (Sensei) / Error updating from 26.1.2_5 t...
Last post by mic - Today at 08:52:49 AMHello,
we're trying to upgrade OPNsense 26.1.2_5 to 26.1.3, but we're getting the following error, as per the attachment: "Could not find the repository on the selected mirror." This is most likely caused by the SunnyValley repositories.
How can I fix this?
Thank you very much.
we're trying to upgrade OPNsense 26.1.2_5 to 26.1.3, but we're getting the following error, as per the attachment: "Could not find the repository on the selected mirror." This is most likely caused by the SunnyValley repositories.
How can I fix this?
Thank you very much.
#8
26.1 Series / Re: configuration backup alway...
Last post by franco - Today at 08:47:13 AMThe only provider of rrddata to the config.xml is rrd_export() which is once called in the manual export from System: Configuration: Backups's "Download configuration" button. It's true that it will add another rrddata section, but this is entirely independent from periodic backups such as os-sftp-backup.
I'd simply suggest going to your console and dropping the section from the config.xml:
# pluginctl -f rrddata
Not sure if you need to do this twice but just make sure it's gone from the current config.xml and it won't be back unless you export from the GUI page and feed it into the system without using the GUI page.
Cheers,
Franco
I'd simply suggest going to your console and dropping the section from the config.xml:
# pluginctl -f rrddata
Not sure if you need to do this twice but just make sure it's gone from the current config.xml and it won't be back unless you export from the GUI page and feed it into the system without using the GUI page.
Cheers,
Franco
#9
General Discussion / Re: cant see DHCP option anymo...
Last post by robertkwild - Today at 08:39:04 AMahhh i see nice, so if i do this and go in wan again i will see DHCP option under "IPv4 configuration type"
#10
26.1 Series / Re: ReflectionException trying...
Last post by franco - Today at 08:25:24 AM@ltcptgeneral can you try this patch?
# opnsense-patch https://github.com/opnsense/core/commit/df6d9ea77
Cheers,
Franco
# opnsense-patch https://github.com/opnsense/core/commit/df6d9ea77
Cheers,
Franco
