Recent posts

#1
26.1, 26.4 Series / Re: 26.1.6_2 Destination NAT ...
Last post by lmoore - Today at 01:52:41 PM
Quote from: OPNsense4ever on April 27, 2026, 04:55:25 PM
Fantastic! This should be documented somewhere though. Is it written somewhere that I missed?

I referred to the online OPNsense manual like you did. Alas, the specifics aren't there.

The information is in The Fine Manual - look at the section for rdr in pf.conf. However, the behaviour I'm seeing in OPNsense is a little different to what is described in this manual page.

This behaviour was in the firewall product which PF replaced. If you would like some historical information, you could have a look in ipnat.conf from the paragraph beginning with:

Quote
For TCP and UDP packets, it is possible to both match on the destination port number and to modify it. For example, to change the destination port from 80 to 3128, we would use a rule like this:

I've tested a rule using a Port Alias, which has two non-sequential ports entered, and set the Redirect Target Port to any. Connections to the destination ports 53 & 853 are redirected to the same ports on the target host.

Attached are images of a test rule I used with a Port Alias:

I'm sure more examples in the OPNsense documentation would be welcomed.
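As an added illustration (not from lmoore's post or the OPNsense documentation), the two redirect forms discussed above written as raw pf.conf rdr rules; the interface name lan, the target 192.168.1.10 and the macro dns_ports are constructed values standing in for the GUI alias:

```pf
# Port-preserving redirect, matching the Port Alias test above:
# no "port" on the right-hand side, so 53 stays 53 and 853 stays 853.
dns_ports = "{ 53 853 }"   # constructed macro; pf macros stand in for the GUI alias
rdr on lan inet proto { tcp udp } from any to any port $dns_ports -> 192.168.1.10

# Explicit remap, the ipnat 80 -> 3128 case: the right-hand "port" rewrites it,
# so every matched destination port would end up on 3128.
rdr on lan inet proto tcp from any to any port 80 -> 192.168.1.10 port 3128
```

`pfctl -nf <file>` parses a ruleset without loading it, which is a cheap way to check the syntax of a hand-written rule before comparing it with what the GUI generates.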
#2
26.1, 26.4 Series / Re: 26.1.6_2 - All traffic blo...
Last post by nero355 - Today at 01:45:37 PM
Quote from: thormir84 on April 27, 2026, 11:49:57 PM
I see that you are talking about static assignments and Unbound; since I use both, it could be a configuration issue on my side.

With ISC DHCP, I used static assignments even for devices with fixed IPs, so that the name would be visible on Unbound; since, when migrating to KEA, I exported the assignments to CSV and imported them, maybe the problem is there.
I have been doing the same for many years now in combination with different routers and IMHO that should not be your issue! :)
#3
German - Deutsch / DNS rebind protection disabled ...
Last post by tpf - Today at 11:01:14 AM
Hello,
I have disabled the rebind protection centrally. Nevertheless, no answers arrive from DNS (outside the OPNsense) that contain a response from the private networks configured in Unbound.

I either have to explicitly register the domains in Unbound as allowed, and/or enable query forwarding for each domain.

Very annoying...

What am I doing wrong?

Thanks and regards
#4
But why? If it does no harm, then fine. If it does (which is seldom the case), just disable it again. Also, the plugin is not "constantly looking for" anything - it only gets updated alongside an OPNsense upgrade iff there is a new upgrade available from the CPU manufacturer.

The package is just a stand-in for a microcode update from the BIOS, especially when that is unavailable. This is often the case with badly supported China boxes, as well as older brand equipment. So having it is a plus, IMHO, and I do not understand the constant fuss about it.
#5
26.1, 26.4 Series / Re: 26.1.6_2 - All traffic blo...
Last post by thormir84 - April 27, 2026, 11:49:57 PM
Quote from: nero355 on April 27, 2026, 05:53:06 PM
Quote from: thormir84 on April 27, 2026, 04:18:34 PM
I did further tests and took a look at the configuration options of Kea DHCP, and I confirm that the crash occurs when I activate the service.
What kind of crash ?!

This topic started with a Firewall Rule issue and now there is something crashing ?!

Quote
I saw that there is a section related to DDNS, but in my case everything is managed via Docker with Nginx Proxy Manager;
even on ISC DHCP there is an option related to DDNS, but I have never enabled it.
KEA DDNS is meant for Hostname DNS Registration in combination with Unbound as the DNS Server because initially it only worked for a Static DHCP IP Address Mapping based on the MAC Address and not for a regular Dynamic DHCP IP Address.

Is there any chance that some of your Docker stuff got upgraded too within the same timeframe and is causing issues now ?
Reason I am asking: a lot of people let something like WatchTower update/upgrade their Docker containers completely automatically.


Ahahah sorry, I made a copy and paste mistake from another forum!

I see that you are talking about static assignments and Unbound; since I use both, it could be a configuration issue on my side.
With ISC DHCP, I used static assignments even for devices with fixed IPs, so that the name would be visible on Unbound; since, when migrating to KEA, I exported the assignments to CSV and imported them, maybe the problem is there.

I rule out a problem with Docker or updated containers, because the problem occurs only with KEA and only shortly after its activation; as long as I use ISC there are no problems.
#6
Hardware and Performance / Re: "Intel CPU microcode updat...
Last post by BrandyWine - April 27, 2026, 11:14:50 PM
Sorry, my bad, Patrick is correct. uCode is lost during CPU boots.
It would however be better to have uCode in the UEFI area than via the OS.

That said, IIRC, in the past the plugin was constantly looking for uCode updates and would apply anything new. If my recollection is correct, then that feature should still be a manual check from the GUI allowing the end user to decide when to allow new uCode to install.
#7
General Discussion / Re: OpnSense with 802.11 b/g/...
Last post by BrandyWine - April 27, 2026, 11:05:11 PM
What would be the issue?
Use gateway monitoring to do wan switching. This does however suggest the radio on OPNsense is STA mode, not AP mode.

If not STA mode then you could run it as AP for wifi clients to connect to, but lose wan switching ability.

That said, it's doable on some radios to have a STA_AP mode (like we can do on ESP32), but having it hairpin the clients on the AP through the FW based on .1q traffic and then back out via STA when the gateway monitoring wants wifi as DFG is something you would have to investigate.

If you're using a wifi radio to connect a 2nd wan, what's the actual 2nd wan, is it another ISP?
#8
Quote from: BrandyWine on April 27, 2026, 10:22:51 PM
CPU uCode should only need to be run once, when new uCode is available. Most times new uCode is for security reasons.

A BIOS or OS microcode update will be lost after each power cycle and needs to be loaded at each boot - either by the BIOS (best) or by the operating system.

The OPNsense plugin provides an OS microcode update. No permanent changes to the CPU are done.

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/microcode-update-guidance.html
#9
Hardware and Performance / Re: TopTon Intel N150 with Int...
Last post by BrandyWine - April 27, 2026, 10:47:16 PM
What do you mean by "throttled"? You get a pop of speed and then the download slows well below 500Mb? Or you get way less than 500Mb immediately after the FW is connected?

Some basic troubleshooting first.

What link speed does your OPNsense show when connected to the ISP mux? Did it fall back to 100Mb?

OPNsense directly after an initial install (with basic config) on very small hardware with 1G ports will handle 500Mb easily. I suspect it is not an OPNsense issue here.
#10
Hardware and Performance / Re: Disk Memory Settings
Last post by BrandyWine - April 27, 2026, 10:39:00 PM
103%?
What does that tell you about swap usage? Probably means "non-optimal behavior".

If you don't need much history in the logs, then create a cron that runs every 15 min or so (or whenever you need it) to prune or truncate the logs (if possible). It kind of depends on what the log files are being used for.

Zenarmor Database has its own RAM disk settings in the GUI, no?