Recent posts

#1
26.1, 26,4 Series / Re: Large number of files accu...
Last post by lmoore - Today at 05:57:09 PM
Quote from: franco on Today at 03:23:34 PM# md5sum /tmp/tmpcfd_* | awk '{ print $1 }' | sort | uniq -c | sort -rn

Hi Franco,

Here are the results.

Quote9331 d41d8cd98f00b204e9800998ecf8427e
  2 d8a70aede1c95108c0296f6a6abfebaa
  1 db76c9261e5dad81b34d8d7d48a9002f
  1 b253f2bcc48d5ccd8d9652904a6131a0
  1 a3ed12d95eaf83edc4055da9c8aebf8f
  1 9f52409143ef46ab2ee11604782c2ddf
  1 86bd9ded6a0fbd4a09404a43cfc743b3
  1 7ef1d48bb1e01cee7fcccaa91ad54799
  1 761219420eb10521cf4087b6912ba82b
  1 70706585f8924f2a30bc3cb176e6976f
  1 5f428cbec633eaa1410f433bbafb2d08
  1 5eede87a3adb1956a1312c4d97ab0b5a
  1 58e0494c51d30eb3494f7c9198986bb9
  1 4df0fd0be6ddaddf44fc689c489a14ea
  1 2ec68f745b73b7403f0852ed559e9430
  1 24b23c602450824808ff0221c6923377
  1 1c01c224b68add24f6c6ba2e6afe9273

The vast majority of 0 byte files were created on the 8th of July with the first one being at 15:21:21.

The time stamp for dmesg.boot is 'Jul  8 13:04:55 2026' and uptime is: 11:55PM  up 6 days, 10:50

On the 8th of July we had an extended power outage commencing in the morning. The power was restored around 1:00 PM.

I updated OPNsense from 26.1.11_5 to 26.1.11_6 recently and I believe it was after the power event.

Is there a command to list the time the updates were installed?

I'll reboot OPNsense so the /tmp folder is cleared.

Reviewing System -> Log Files -> Backend and filtered the Error events using '2026-07-08T15:2'.

Between 15:21:21 and 15:29:59, there were 1992 entries which appear to be all the same except for the GUID in the 4th column. I'm including only one line.

Quote2026-07-08T15:21:21    Error    configd.py    [f83c44bd-7bb0-443d-975c-a47f6f5953f6] Script action failed with Command '/usr/local/opnsense/scripts/filter/read_log.py --limit '1000' --digest '9eb69a9b6e1717db6f9b0b7ecd7ba451'' returned non-zero exit status 1. at Traceback (most recent call last):  File "/usr/local/opnsense/service/modules/actions/script_output.py", line 93, in execute    subprocess.run(script_command, env=self.config_environment, shell=True,    ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                    check=not self.disable_errors, stdout=output_stream, stderr=error_stream)                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  File "/usr/local/lib/python3.13/subprocess.py", line 577, in run    raise CalledProcessError(retcode, process.args,                              output=stdout, stderr=stderr) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/filter/read_log.py --limit '1000' --digest '9eb69a9b6e1717db6f9b0b7ecd7ba451'' returned non-zero exit status 1.

Cheers,

Larry.
#2
26.1, 26,4 Series / Re: Help me with assigning a n...
Last post by teddybearnemo - Today at 05:27:10 PM
Quote from: viragomann on Today at 04:55:42 PM
Quote from: teddybearnemo on Today at 04:34:18 PMPort range : 80 to 443
Which port range is this?

You can state the source port and the destination port. Source should be "any", the destination that one your GUI is listening on. Is it 443?

Also range from 80 to 443 is a bad idea. You can create an alias and add both ports to it. So the rule covers 80 + 443.

Also ensure that the new interface is selected in System: Settings: Administration > Listen Interfaces.


Yes its listening om 443

Im not comfortable making aliases yet, im still new to this, but i will take a look at it tonight, or i change the rule in the firewall

And i will also look into listen interfaces option. Because i dont think i did that.
#3
I am using MSS clamping, though I never had ZenArmor installed in my case.

I just went back and disabled LRO and MSS clamping - I was using both - and still have the same problem.

Possibly relevant -

1) Works fine from the firewall itself, which is why the SOCKS proxy works.
2) Both LAN and WAN are VLAN interfaces. (WAN strictly has to be unless I want double-NAT.)
3) WAN is an Intel chipset (em0), LAN is a Mellanox chipset (mlxen0/mlxen1, though the latter is not in use).
4) I've tried the following workarounds too:
  A) Set up an outbound rule for HTTPS with "synproxy state" (OK, more clarification needed here. Setting up a "pass in on LAN to port 443 synproxy state" did not help, setting up a "pass out on WAN from LAN to any port 443 synproxy state" rule did work around the problem.)
  B) Disable scrubbing
#4
26.1, 26,4 Series / Re: Help me with assigning a n...
Last post by patient0 - Today at 05:08:38 PM
Quote from: teddybearnemo on Today at 04:34:18 PMProtocol tcp
Port range : 80 to 443
You set that for the destination port range, not the source. But as @viragomann writes, better to create an alias and use that. Or allow all access to destination 'This Firewall', not sure you want to be restricted in an case of emergency.
#5
26.1, 26,4 Series / Re: Help me with assigning a n...
Last post by viragomann - Today at 04:55:42 PM
Quote from: teddybearnemo on Today at 04:34:18 PMPort range : 80 to 443
Which port range is this?

You can state the source port and the destination port. Source should be "any", the destination that one your GUI is listening on. Is it 443?

Also range from 80 to 443 is a bad idea. You can create an alias and add both ports to it. So the rule covers 80 + 443.

Also ensure that the new interface is selected in System: Settings: Administration > Listen Interfaces.
#6
26.1, 26,4 Series / Re: Help me with assigning a n...
Last post by teddybearnemo - Today at 04:34:18 PM
I did apply a firewall rule and still nothing happend

I tried it before the rule and after

Action: pass
Interface: emergency exit
Direction: in
Protocol tcp
Port range : 80 to 443
Source: any
Destination: any
Test rule
#7
26.1, 26,4 Series / Re: Help me with assigning a n...
Last post by dseven - Today at 04:17:23 PM
It's a firewall. Nothing(*) is allowed by default. You'll need to define firewall rules for your new interface to allow whatever you deem appropriate.

(*) there is an anti-lockout rule, but since you have a LAN interface, it will be applied there (only)
#8
26.1, 26,4 Series / Re: How reliable is Firewall:D...
Last post by franco - Today at 03:56:41 PM
If I read this correctly the state dump only gives us the rule number "nr" but since there is a rule pointer which can be dereferenced we could try to push something more clever to userland if it is actually there.

https://github.com/opnsense/src/blob/stable/26.1/sys/netpfil/pf/pf_ioctl.c#L5870-5873

But you see the point here is as long as pfctl/pf insists the rule nr is the same (which it isn't across reloads in a dynamic network as rules can be added and removed as networks/gateways are up and down) there is little to do from the core side.


Cheers,
Franco
#9
26.1, 26,4 Series / Help me with assigning a new i...
Last post by teddybearnemo - Today at 03:56:30 PM
Hello everyone,

I got this lenovo m720q tiny with a 4 port intel nic and installed opnsense on it.

I already assignd the WAN and LAN interface, but eventually i want to delete the LAN interface and move it to VLAN. So i wanted to create an emergency exit on a new interface thats not going to be used unless i lock myself out from the LAN

So i assigned the new interface on a different port, after that i enable it and gave it a static ip, then i set up dhcp for that new interface.

But when i look in the menu assignment i see that the plug on that new interface stays red and te other WAN and LAN are green ( im building it offline for now so WAN is not plugged id)

And even when i plug my pc in that new port i see it get connected but i cant visit the opnsense gui...the page stays loading for a while....and even when i try to ping it from my pc it gets stuck at the first byte.

The LAN interface ip i got that on 192.168.1.1
The Emergency exit port on 192.168.99.1

So i dont know what im doing wrong or missing and can someone help me ?

Thanks!
#10
26.1, 26,4 Series / Re: TLS issues when trying to ...
Last post by Lucid1010 - Today at 03:40:14 PM
$ curl -sv --connect-timeout 10 "https://s3.eu-west-1.amazonaws.com"
* Host s3.eu-west-1.amazonaws.com:443 was resolved.
* IPv6: (none)
* IPv4: 3.5.75.39, 3.5.67.235, 3.5.66.27, 3.5.71.89, 52.92.32.24, 3.5.67.45, 3.5.71.84, 3.5.74.68
*   Trying 3.5.75.39:443...
*   Trying 3.5.67.235:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*   subject: CN=*.s3-eu-west-1.amazonaws.com
*   start date: Nov 14 00:00:00 2025 GMT
*   expire date: Nov  6 23:59:59 2026 GMT
*   issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M04
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   subjectAltName: "s3.eu-west-1.amazonaws.com" matches cert's "s3.eu-west-1.amazonaws.com"
* OpenSSL verify result: 0
* SSL certificate verified via OpenSSL.
* Established connection to s3.eu-west-1.amazonaws.com (3.5.75.39 port 443) from x.x.x.x port 33241
* using HTTP/1.x
> GET / HTTP/1.1
> Host: s3.eu-west-1.amazonaws.com
> User-Agent: curl/8.21.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 307 Temporary Redirect
< x-amz-id-2: xxxxxxxxxxxxxxxxx
< x-amz-request-id: xxxxxxxxxxxxxxxxxx
< Date: Tue, 14 Jul 2026 13:37:25 GMT
< Location: https://aws.amazon.com/s3/
< Content-Length: 0
< Server: AmazonS3
<
* Connection #0 to host s3.eu-west-1.amazonaws.com:443 left intact

 No issues here either, on both my OPNsense host and another computer.
v26.1.11