Recent posts

#1
26.1, 26.4 Series / DNSCrypt service did not autom...
Last post by MrHappyHippo - Today at 08:10:15 PM
Hi everyone,

I recently configured a cron job for a scheduled reboot every 3 days on my OPNsense firewall.

After the reboot this morning, I noticed that I had no internet connectivity. The issue turned out to be that the DNSCrypt service did not automatically start after boot. I had to manually start DNSCrypt first and then restart the Unbound service afterward to restore internet access.

My setup is currently:

  • Destination NAT rule redirecting all DNS traffic to Unbound
  • Unbound configured with query forwarding to DNSCrypt


I am trying to understand:

  • Should DNSCrypt normally start automatically after reboot?
  • Is there additional configuration required to ensure proper startup order?
  • Could this have been a one-time startup failure?
  • Where can I find DNSCrypt startup/error logs in OPNsense to troubleshoot this?
  • Is there a recommended way to ensure Unbound waits for DNSCrypt before starting?

Any suggestions or troubleshooting tips would be appreciated.

Thanks!
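A worked check for the chain described in the post above, added here as an example; it is not from the post and not OPNsense code. It assumes dnscrypt-proxy listens on 127.0.0.1:5353 and Unbound on 127.0.0.1:53, and that services are restarted through `configctl <service> restart` with the service names `dnscryptproxy` and `unbound`; all of these are assumptions to adjust to the actual install. The probe is a raw UDP DNS query, so no extra tools are needed, and the probe and restart actions are injectable so the ordering logic can be exercised without touching real services. It reproduces the manual sequence from the post: bring the upstream (dnscrypt-proxy) up first, then restart the forwarder (Unbound) in front of it.

```python
"""Resolver-chain health check (added example; not OPNsense code).

Assumptions (hypothetical, adjust to your box):
  - dnscrypt-proxy listens on 127.0.0.1:5353, Unbound on 127.0.0.1:53
  - services restart via OPNsense's backend CLI, assumed as
        configctl dnscryptproxy restart   /   configctl unbound restart
"""
import socket
import subprocess
import time

# (assumed configctl service name, (address, port) it listens on), upstream first.
SERVICES = (
    ("dnscryptproxy", ("127.0.0.1", 5353)),
    ("unbound", ("127.0.0.1", 53)),
)


def dns_query(name: str = "example.com") -> bytes:
    """Minimal DNS A query (ID 0x1234, RD set) used as a UDP liveness probe."""
    header = b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + b"\x00\x01" + b"\x00\x01"


def udp_probe(addr, timeout: float = 2.0) -> bool:
    """True if a DNS server at addr answers with our transaction ID.

    Any reply (even SERVFAIL) means the process is up and listening, which is
    the condition the startup order depends on, so the RCODE is not inspected.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(dns_query(), addr)
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, connection refused, ...
            return False
    return len(data) >= 12 and data[:2] == b"\x12\x34"


def configctl_restart(service: str) -> None:
    """Restart a service through the OPNsense backend (assumed command form)."""
    subprocess.run(["configctl", service, "restart"], check=False)


def wait_until(probe, addr, attempts: int, interval: float) -> bool:
    """Poll probe(addr) up to `attempts` times, sleeping `interval` in between."""
    for _ in range(attempts):
        if probe(addr):
            return True
        time.sleep(interval)
    return False


def ensure_chain(probe=udp_probe, restart=configctl_restart,
                 attempts: int = 10, interval: float = 1.0) -> list:
    """Bring the chain up in dependency order; return the services restarted.

    Once an upstream has been restarted, every forwarder downstream of it is
    restarted too, so Unbound does not keep talking to a dead upstream.
    Raises RuntimeError if a service never comes up.
    """
    restarted = []
    upstream_restarted = False
    for service, addr in SERVICES:
        if upstream_restarted or not probe(addr):
            restart(service)
            restarted.append(service)
            if not wait_until(probe, addr, attempts, interval):
                raise RuntimeError(f"{service} did not come up on {addr}")
            upstream_restarted = True
    return restarted


if __name__ == "__main__":
    # Run from cron shortly after the scheduled reboot, or on a short interval.
    print("restarted:", ensure_chain() or "nothing")
```

With dnscrypt-proxy down and Unbound up, as in the post, `ensure_chain()` restarts `dnscryptproxy`, waits until it answers, then restarts `unbound`; with a healthy chain it restarts nothing.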


#2
Another false positive: you seem to block the IP of https://internet.nl/.
As soon as I disable Q-feeds, it works.
#3
There are still a lot of Vodafone numbers on the list. Can you share why?
#4
26.1, 26.4 Series / Re: Intel ucode Plugin vs Pack...
Last post by BrandyWine - Today at 05:50:54 PM
Quote from: dseven on Today at 01:51:48 PM
If you install the package on FreeBSD, there is a manual step required to effect loading of the microcode on boot.

Side-note: stock FreeBSD 14.3 currently installs Intel microcode version 20260227 too.

OPNsense is an installer. No manual step needed. Just sayin'.

It (the standard FreeBSD ucode package) can be activated during the install, or the package can be installed there with the option for the user to activate it as a checkbox in the web GUI, handled via .py. ;)

There's no need to have an additional pkg installed ("plugin") if cpucontrol handles ucode.bin.

What comes with the OPNsense installer is what they bundle into the installer. Having the ucode packages there makes sense to me.
#5
General Discussion / Crash Reporter on syslog ?
Last post by nono - Today at 05:45:37 PM
Is there a way to have the information on syslog when a crash reporter is available following an issue?
#6
General Discussion / Re: IPv6 ND proxy for multi-LA...
Last post by georgeman - Today at 05:07:26 PM
That's awesome, thanks! I will give it a try next week and will report back.
#7
Source or destination invert used to be allowed for multiple entries, but led to undesired effects and confusion because the underlying logic created "not this OR not that", which essentially applied to anything.

Since the logic cannot easily be changed, the check and error message were created, and the solution for your requirement is to create a group alias and use that with invert.
#8
Quote from: Bob.Dig on Today at 02:17:36 PM
Quote from: kruemelmonster on Today at 12:13:45 PM
However, on my Sense (purely home use) I only have the LANs/VLANs closed in the outgoing direction, and that is mainly where I regulate cross-access between the networks.
Hopefully not, and you are just using the wrong terminology. Hover the mouse over the arrow in your rules and it will probably show you "in" and not "out".

That is fine as it is. As a rule, I let all devices reach the internet. Closing everything inbound there and then writing rules individually for each protocol... I have better things to do. But between the networks I regulate the access. I have 2 or 3 small services running that I want to reach from my phone on the WLAN and also via WireGuard. I solve that on the interface concerned with an outgoing rule. Works very well.


Quote from: Bob.Dig on Today at 02:17:36 PM
Quote from: kruemelmonster on Today at 11:57:20 AM
So I can delete the ones under "Rules [New]" then.
You have just migrated there, so why would you want to delete rules there of all places?
Right, I made a typo. Of course I meant the old rules.
#9
26.1, 26.4 Series / "Inverting destinations is onl...
Last post by techturtle - Today at 04:10:57 PM
Setting multiple aliases as "Destination" and ticking "Invert destination" within a firewall rule declaration currently triggers the error:

Quote
Inverting destinations is only allowed for single targets to avoid mis-interpretations

I am a bit baffled as to what is meant by "mis-interpretations" - isn't this just an application of De Morgan's laws?

Let's say two firewall aliases A and B exist, each with a couple of IPs. Then setting A and B in "Destination" creates the union of those two aliases A ∨ B ("match if the destination is in any of those aliases"). Additionally enabling "Invert destination" should lead to ¬ ( A ∨ B ) = ¬ A ∧ ¬ B ("match if the destination is neither in A nor in B").

I am not asking from a theoretical or academical standpoint, but would really like to express:
  • If destination does not match any of the hosts in those aliases, block connection => block rule.
  • Fail fast => quick/first match rule is to be used.
  • Keep firewall rules strict.

Especially with regard to point 3: if this is split up into
  • a pass rule for A ∨ B
  • followed by a blocking rule for non-matching hosts
then anything with a destination in either A or B is immediately allowed. But according to the principle of least privilege, it would be better to preserve the possibility of blocking traffic for other reasons by subsequent rules. The current rule logic cannot express this pattern AFAIK.

I definitely agree, these logic expressions can sometimes get confusing. So it might be worth adding a help message for "Invert destination":
Quote
Without inversion, the union of destinations is matched = "match if any destination A OR B matches".
With inversion, the selected destinations A and B are processed as follows: ¬ ( A ∨ B ) = ¬ A ∧ ¬ B = "match if the destination is neither in A nor in B"

Btw: https://forum.opnsense.org/index.php?topic=51467.msg263889#msg263889 is a bit similar, at least the error message. But my issue does not have anything to do with migration. The above error already appeared with the old firewall rules format.

Happy to read any feedback.
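Added example, not from this thread and not OPNsense code, that puts the two readings side by side: the De Morgan form ¬(A ∨ B) = ¬A ∧ ¬B that post #9 expects, and the per-entry "not this OR not that" (¬A ∨ ¬B) that post #7 says the underlying logic produced, plus post #7's suggested workaround of inverting a single group alias. Aliases A, B, the group alias AB and the sample addresses are constructed for the illustration; A and B deliberately share one host so that A ∩ B is not empty.

```python
"""Two readings of "invert destination" with several aliases (added example)."""
import ipaddress

# Constructed aliases; 198.51.100.10 sits in both so A ∩ B is not empty.
ALIASES = {
    "A": ["192.0.2.0/24", "198.51.100.10/32"],
    "B": ["203.0.113.0/24", "198.51.100.10/32"],
}
# The workaround from post #7: one group alias carrying the entries of A and B.
ALIASES["AB"] = ALIASES["A"] + ALIASES["B"]


def in_alias(dst: str, alias: str) -> bool:
    """True if the destination address falls into any network of the alias."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(net) for net in ALIASES[alias])


def match_union(dst: str, aliases) -> bool:
    """Plain multi-destination rule: A ∨ B."""
    return any(in_alias(dst, a) for a in aliases)


def match_inverted_demorgan(dst: str, aliases) -> bool:
    """What the poster expects: ¬(A ∨ B) = ¬A ∧ ¬B."""
    return not match_union(dst, aliases)


def match_inverted_per_entry(dst: str, aliases) -> bool:
    """The old behaviour described in post #7: each entry inverted, then ORed,
    i.e. ¬A ∨ ¬B. Only addresses in A ∩ B fail it, so it "applied to anything"."""
    return any(not in_alias(dst, a) for a in aliases)


def match_inverted_group(dst: str, group: str) -> bool:
    """Single inverted target (group alias): ¬AB, the supported way to get ¬A ∧ ¬B."""
    return not in_alias(dst, group)


# Constructed sample destinations: in A only, in B only, in both, in neither.
SAMPLES = ["192.0.2.7", "203.0.113.9", "198.51.100.10", "8.8.8.8"]


def compare(samples=SAMPLES, aliases=("A", "B")) -> dict:
    """Return {dst: (A∨B, ¬(A∨B), ¬A∨¬B, ¬AB)} so the readings can be compared."""
    return {
        dst: (match_union(dst, aliases),
              match_inverted_demorgan(dst, aliases),
              match_inverted_per_entry(dst, aliases),
              match_inverted_group(dst, "AB"))
        for dst in samples
    }


if __name__ == "__main__":
    print("dst              A∨B     ¬(A∨B)  ¬A∨¬B   ¬AB")
    for dst, flags in compare().items():
        print(f"{dst:16} " + " ".join(f"{flag!s:7}" for flag in flags))
```

Running it shows that ¬A ∨ ¬B matches every sample except the one host in both aliases, including destinations that are in A or in B, while ¬(A ∨ B) and the inverted group alias agree on every sample and match only the address outside both.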
#10
Quote from: Kets_One on Today at 03:31:46 PM
No, you cannot reliably use a 9/125µm (single-mode) cable with a 50/125µm (multimode) module.
While the connectors physically fit, the core diameter mismatch (9µm vs 50µm) causes catastrophic signal loss.
Quote from: patient0 on Today at 03:31:14 PM
Quote from: naxxdu on Today at 03:25:31 PM
The cable we are using is a 2 fibers LC UPC Duplex to LC UPC Duplex OS2
You can't use single mode cables with multimode transceivers. Gotta be OM (usually OM3 or OM4)

https://en.wikipedia.org/wiki/Multi-mode_optical_fiber

Indeed, @Patient0