Recent posts

#1
26.1, 26,4 Series / Re: Been driving me mad STAFF ...
Last post by wincent - Today at 03:54:32 AM
Quote from: cookiemonster on Today at 01:17:47 AM
Only thing I can think of is if the ACL for this network is being unhelpful. Anything looking odd in /var/unbound/unbound.conf ?

Quote
Unbound config: Enabled, Listen Port 53, Network Interfaces = All (recommended), DNSSEC off, transparent local zone, ACL explicitly allows 192.168.20.0/24. Full stop/start performed. Reboot performed.

Set the Unbound ACL default action to "Allow" and then check UDP 53 from the VLAN 20 client using nc. Secondly, I think you need to check the ACL on the switch side.
#2
26.1, 26,4 Series / Re: OPNSense forwarding packet...
Last post by ChristopherL - Today at 03:24:43 AM
Not sure if I can really go into the specifics here (in part because I am not really across them, my brief is getting the office firewalls working).

But in the general case you might have a mismatch between the performance, scaling, service levels, operational requirements, etc. required for the office and what's required for the services on those hosts, and putting a host behind a server running PF isn't necessarily a significantly more secure set-up than running PF on the host itself.
#3
26.1, 26,4 Series / Re: IPsec IKEv1 Phase 2 reject...
Last post by lmoore - Today at 03:19:30 AM
When configuring the FortiGate with IPsec in Policy Based mode, you require separate P2s for each subnet, which works fine when FortiGates are at each end.

Fortinet introduced IPsec interface mode quite a long time ago. The advantage is that you only have one P2 configuration and you control network access via FortiGate's standard interface policies.

My advice is to convert the FortiGate Policy based IPsec configurations to Interface based configurations and set up appropriate Interface policies. The changes should be made using the CLI, either via SSH or the CLI in their Web GUI.

As you appear to be using NAT-T for IPsec, your last resort would be to download and install FortiClient VPN Only edition (free version) on a supported platform and configure IPsec there.
#4
26.1, 26,4 Series / Re: Unbound reporting stop wor...
Last post by wincent - Today at 02:59:31 AM
This is not an urgent matter, so anything can be tried. ^-^
#5
All,
I downloaded the latest _1 ucode pkg and the iucode_tool pkg to my Ubuntu.

Some interesting results.
I am using Gemini AI for help.

I then asked some more about the exact CPU model, and the AI now says that the mobile CPU is pf_mask 0x80, not the 0x40 file.
Hmmmmmm.

OK, so I turned the tool on the 0x40 and 0x80 bin files. All files indeed handle the 06-9a-04 (cpuid) but have different platform IDs: 6 for 0x40 and 7 for 0x80.

The 0x40 only has ucode 2025-07-10 rev 0x000c (single cpuid).
The 0x80 has ucode 2025-10-12 rev 0x043b (which covers two cpuids).

So, I need to verify whether the info found in earlier posts was correct or not: is the mobile CPU a 0x80 (bit 7) or a 0x40 (bit 8)?

Or, the actual CPU is a real 0x40 (not a mobile CPU).

I would start looking at the actual CPU make/model/masks, etc.

#6
26.1, 26,4 Series / Re: Been driving me mad STAFF ...
Last post by cookiemonster - Today at 01:17:47 AM
Only thing I can think of is if the ACL for this network is being unhelpful. Anything looking odd in /var/unbound/unbound.conf ?
#7
26.1, 26,4 Series / Re: CVE-2026-45257
Last post by passeri - Today at 12:30:54 AM
Quote from: sopex on June 15, 2026, 03:07:24 PM
I also install nano, much better experience :) Editor wars 2.0
:-)

I first used Unix in the 1980s and only occasionally since then, enough to be familiar but never regular. At that time vi was clearly better to use than ed so I did, and have ever since. Also, ZZ is quicker than :wq
#8
26.1, 26,4 Series / Redirect URL After Successful ...
Last post by Al Muckart - Today at 12:20:05 AM
With password login, if someone clicks on a URL like https://my.opnsense.fw/ui/auth/user when not logged in, they can log in and the correct page will load after they authenticate.

With OIDC, it seems as though the path is ignored and whatever the original URL was the user gets redirected to the dashboard after authenticating.

Is this a configuration error on my end, or is there something missing in the auth flow here?

Thanks.
#9
26.1, 26,4 Series / Re: WAN Interface Statistics n...
Last post by cookiemonster - Today at 12:03:31 AM
Quote from: nero355 on June 16, 2026, 01:33:48 PM
Quote from: cookiemonster on June 16, 2026, 12:00:46 AM
After the interface change the reporting database might have become corrupted. Just a guess.
He wrote:
Quote from: Component0002 on June 15, 2026, 11:17:31 PM
I reinstalled Opnsense
So that can't be it ;)

I beg to differ. The config backup contains the RRD data unless it's actively unselected. Therefore, if it was saved (as per default), the import would have contained this data.
#10
26.1, 26,4 Series / Re: Update issues when upgradi...
Last post by cookiemonster - June 16, 2026, 11:51:31 PM
Quote from: LP on June 16, 2026, 10:30:04 AM
Does the configuration backup save everything, or do any manual adjustments need to be made after restoring the config?
What is set or changed using the UI gets committed to the config file that is then used for import. Anything else, i.e. changes made directly in the filesystem, is not.