Recent posts

#1

German - Deutsch / Re: DHCP läuft nicht v.26.1

Last post by Zapad - Today at 07:10:44 AM

hatte Problem mit KEA IP6 DHCP.

egal was ich als ip range/scope eingetragen habe alles falsch>fehler.

Gut das ich noch ISC konfig behalten habe, KEA weg ISC wieder aktiv > Läuft.

#2

26.1 Series / Re: Suricata - Divert (IPS)

Last post by Monviech (Cedrik) - Today at 07:07:32 AM

Hello, please open an issue on github asking about the interface in suricata when divert is used. Its easier to track, thank you.

https://github.com/opnsense/core/issues

#3

25.7, 25.10 Series / Re: New site PPPoE PMTU woes

Last post by ToasterPC - Today at 07:00:25 AM

What is the question?

If that MTU works for you, you could probably distribute it network-wide with DHCP option 26 and there is also an RA option to send it, but as I said, IDK if those work for most clients.

Hmm, I'm not sure if this is the right way to frame it, but I'm wondering what's the proper way to describe the issue.

cURL will still fail even if the NIC's MTU is set to the proper value, and the only way to get ping to connect reliably is by setting the ICMP packet size in every run of it.

It looks like the problem resides in how the MTU is being handled when going from the LAN interface to the WAN, as even a device being physically the same as the VM (testing from the Proxmox host, that is) will suffer from the same problems that every downstream device has regardless of medium (be it WiFi, Ethernet, a VPN, or a combination of all of them).

From where I'm standing, I'm using two identical installations of the same software and hardware on every part of the chain, yet the issues are only reflected on one of them. I'd like to consider this a reproducible problem that might be a bug, but as you've mentioned, my connection to the outside world through my ISP is hard to come by for better or for worse.

I'd like to find a way to both figure out how and why this problem is happening in the first place and help out debug it in the event the problem is something reproducible.

The first thing I'm imagining as a potential first step is running packet captures simultaneously at every point in the chain, though as I'm not certain what to look for, I'm wondering if doing so could make more noise instead of actually being useful.

TL;DR: I think the problem is more complex than just setting the proper MTU value, and I'd like to know how to properly present my case for a bug report to be able to look into it.

#4

26.1 Series / Re: Can't import rules in new ...

Last post by hsv216 - Today at 06:54:54 AM

Hi all, please let me know if I should open a new topic, but I am having exactly the same issue. When I try to import (select the previously exported file at step 3 and click the tick box), no rules appear in the new section.  I have opened and had a look at the file itself, and all looks to be "normal". Have tried rebooting the box and import again.  Have tried exporting and importing new file with same result. Not sure where I can find logs to see what is going on.  Any help appreciated (even if just to point me at the logs).  Thank you.

[Edit:  I didnt realise you have to click the drop down and can then see the rules.  My bad]

#5

26.1 Series / Re: Let's talk firewall rule o...

Last post by RES217AIII - Today at 06:54:11 AM

These are the rules for the "Restricted" group:

Thank you for sharing.
May I ask what the aliases for the local network IPv4 and IPv6 actually look like?

You cannot view this attachment.

In your opinion, you could also use the interface group restricted itself, something like this
source: restricted net
destination: restricted net ?

#6

26.1 Series / Re: OPNsense 26.1 on Sophos XG...

Last post by patient0 - Today at 06:44:27 AM

Most likely igb0 is not the port you thing it is. Ask the internet for how the ports are numbered, e.g.

https://www.reddit.com/r/PFSENSE/comments/1i03vrp/using_sophos_xg115_rev_3_in_2025/

Code Select Expand

              1       2       3       4
[ SFP ]    [RJ-45] [RJ-45] [RJ-45] [RJ-45]
   4         LAN     WAN     DMZ      |
   |______________Shared______________|
 igb0       igb1    igb2    igb3    igb0 (again)
Or in the shell use ifconfig <interface> to see which one is up.

#7

25.7, 25.10 Series / Re: Let's Encrypt IP address c...

Last post by rajiv - Today at 04:54:17 AM

The code change to support profiles in the os-acme-client plugin was merged today, after the 26.1 release. So I would guess it will be in the next version. I do not know the details of the OPNSense release process, so we'll have to wait and see. You can see the code in opnsense/plugins/pull/5154.

The code shows that once the feature is available, there will be a "Certificate Profile" text field in the "Edit Certificate" dialog.

#8

26.1 Series / os-ddclient and easyDNS

Last post by 0n3man - Today at 04:28:01 AM

I spent a while trying to come up with a way to update my dynamic DNS entries at easyDNS from opnsense.  Sadly the os-ddclient doesn't have native support for easyDNS. Their is however a custom option under service that allows you select "custom GET" for the protocol.  For the server you enter this URL: https://api.cp.easydns.com/dyn/generic.php?hostname=example.com.  Modify example.com as appropriate. You have to put the same domain name that's in the the previous URL in the Hostname field. Actually I suspect you can put anything in the hostname field as it doesn't seems to have an impact. The Wildcard box should not be checked, as I don't think it would update the URL correctly.  I checked the Force SSL field, as the easyDNS site indicate SSL was required.  And lastly you need to generate a "DYN Authentication Token" on dynamic records page, off the DNS Setting page from your easyDNS account.  This value is used for the password field.  No log entries are generated, but in my test my IP address was updated. 

#9

26.1 Series / Re: Identity Association IPv6 ...

Last post by bazineta - Today at 04:27:38 AM

I think this to be a bug, as I believe you'll find that you can't set the IPv6 Configuration Type to 'None' on the affected interface, either. In short, you're pretty much stuck with whatever settings that interface has at the moment, it seems.

#10

26.1 Series / Re: Identity Association IPv6 ...

Last post by nero355 - Today at 04:18:49 AM

So after updating to 26.1 today I uninstalled the os-isc-dhcp plugin, so far so good, things still appear to work as intended.

However when trying to change the "IPv6 Configuration Type" in either my home or guest vlan/interface from "Track Interface (legacy)" to  the new "Identity association" and try to save the changes I get an error message:

The following input errors were detected:

The DHCPv6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration.

which makes me wonder what the actual problem is since "Track Interface (legacy)" works without any issue, is it because I use "Dnsmasq DNS & DHCP"? I can't seem to find an option to do what I'm instructed by "disable the DHCPv6 Server service on this interface first" like in only use Dnsmasq DNS & DHCP for IPv4, like there was for ISC-DHCP and probably also is for Kea with its two separate Kea DHCPv4 & Kea DHCPv6 services to enable/disable.

There were some reports of the option "Track Interface (legacy)" not properly disabling I believe in another topic so maybe the fix for that bug didn't work out completely as it should have ?!

My guess is it still thinks you are using ISC DHCPv6 for some reason...

On another more or less unrelated note, some parts of the release notes are harder to read/understand for me than they maybe could be, for example:

One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.

"the upstream software": which one? supposedly Dnsmasq? Why not call it by it's name?
"Use another DHCPv6 server in this case": when Dnsmasq doesn't work in this case and Kea is the new alternative to the now deprecated ISC-DHCP, why not just write "Use Kea DHCPv6" in this case? Or doesn't Kea work here as well, or are there too many other alternatives to mention them?

And another thing I was kind of scared is because the talk is all about DHCP and IPv6, I was afraid that removing the ISC plugin would also remove the option for the WAN interface to select "DHCPv6" in its "IPv6 Configuration Type" option, so a small mention that it doesn't touch that part and/or that they're completely unrelated and this option will stay would've probably been reassuring as well.

I was wondering the same and totally agree with you :)