Recent posts

#1
Virtual private networks / Open media vault server issue
Last post by Staysail - Today at 04:50:09 AM
Hi all,

First time posting here and I am new to OPNsense. Thanks in advance for your help! I have AT&T giga internet with BGW320 RG and used BGW320 for router function without any issues. Then I decided to use OPNsense behind BGW320 with 'Passthrough' connection. I installed Proxmox on a Beelink mini PC and created an OPNsense VM. OPNsense works fine as a router with basic settings and all devices connected to it work fine after the transition except OMV (Open Media Vault server). I use fixed IP 10.0.0.xx for OMV and I get this error: ERR_CONNECTION_REFUSED from my MacBook Pro when I try to log in to the Web UI using 10.0.0.xx. When I use my Windows 11 laptop I can log in to the Web UI and access shared folders in OMV, but after a few minutes I get a red 'Software Failure.....' message on the Web UI and no access to shared folders. I tried a few tweaks in OPNsense settings in Firewall and Interfaces but nothing has worked so far. Are there any important basic settings I need to follow to make this work? As I am a newbie to OPNsense your help will be greatly appreciated!
#2
26.1 Series / Re: 26.1.3 and Intel X710 (ixl...
Last post by felipe0123 - Today at 03:23:40 AM
@OPNenthu

Quote from: OPNenthu on March 06, 2026, 07:17:25 AM
This must be the VP2440. Did you recently install coreboot v0.9.1-rc3 (the one that fixes the i226-v ASPM issue)?  I wonder if that firmware maybe introduced a new issue.

FYI, since I started experiencing the issue with x710, I moved my LAN connection to i226. Once I did that I started to experience a different issue, from time to time one of the rx-queues would just stop processing traffic. I tried forcing a single queue and the issue happened with the single queue as well. So I decided to apply the coreboot v0.9.1-rc3.

It's too early to be completely sure, but once I applied the update IErrs on both igc0 and igc1 dropped to zero (igc0, WAN, had IErrs > 0 almost immediately after boot). As a test I had two internal hosts concurrently running speedtest-cli in a loop and IErrs on WAN is still zero. LAN is 103, but on a deeper inspection it seems to be due to queue saturation, probably because I'm still running with a single queue. I will revert that once I get more confident the coreboot update helped.

Although this is not related to the original issue I posted about for x710, I'm posting this here so people facing issues with Protectli VP2440 and i226 interfaces are aware the update helps. Before the update I had hw.pci.enable_aspm set to zero, but that workaround clearly wasn't enough.
#3
25.7, 25.10 Series / Re: Router not having WAN acce...
Last post by justjake - Today at 02:11:08 AM
Quote from: nero355 on March 24, 2026, 11:15:41 PM
Quote from: justjake on March 24, 2026, 09:02:22 PM
On windows?
Yes, but it seems we got some kind of misunderstanding here ?!

Quote
The whole Opnsense network has no WAN access.
OK, but how far does a "traceroute" go for example ?

Two things I can think of :
- Your ISP's Router uses 192.168.1.0/24 just like OPNsense does on the Default LAN.
This will cause a conflict and you will have no Internet access at all.
- You changed something to the Default OPNsense LAN or are using an additional self created LAN/VLAN and have no Default Allow Any/Any Firewall Rule(s) which will make sure there is Internet access for all the Clients on that network.

The LAN is set to a 10.0.0.X network on opnsense so shouldn't have any conflict, right?

Traceroute simply times out, doesn't even start.

I'm not completely sure what you mean by the last part but all my settings are in the screenshots, could you point me to some part of the menu system I might be missing please?
#4
26.1 Series / Re: What validation is recomme...
Last post by OPNenthu - Today at 01:21:49 AM
If you are on ZFS you can take a system snapshot before deleting the legacy rules (ideally take one before the import step as well, but you are already past that).

Maybe do another export from "Firewall->Rules [new]" after the migration and compare the two .csv files if you really want to?

Quote from: kwo1 on March 24, 2026, 11:20:01 PM
I assume "Remove all legacy rules" will clear out any rules seen under Firewall > Rules.

Indeed, though don't expect the legacy rules UI to not show anything afterward.  This part has caused some confusion.

What you will see is that each of the sections in the legacy UI will be blank in terms of the rules that would have been managed from there, but you will still see folders for the rules on other levels.  Some have speculated that those are leftover legacy rules or somehow redundant with the ones imported to the new UI, but they aren't.

So for example if you click on an interface in the legacy UI, there won't be any interface level rules there.  However the Floating, Group, and Automatic rules will still show up:

They're just being reflected there because they still exist as rules, regardless of which UI (legacy or new) they reside in.

Hope this helps.
#5
ok Everybody!

I found the goddamn culprit

Since I set it to Never, everything is fine...

Thanks
#6
Quote from: nero355 on March 24, 2026, 11:34:48 PM
When you leave a working SSH session open/IDLE : Does it ever time-out or simply freeze ?!

Nope... But the connection has a lot of delay to be established.

See here, I need to use Control + C 5 times until I get a prompt.
After that, everything is ok.

debian-172-16-0-70:~# ssh administrador@172.17.0.70
^C
debian-172-16-0-70:~# ssh administrador@172.17.0.70
^C
debian-172-16-0-70:~# ssh administrador@172.17.0.70
^C
debian-172-16-0-70:~# ssh administrador@172.17.0.70
^C
debian-172-16-0-70:~# ssh administrador@172.17.0.70
administrador@172.17.0.70's password:
Linux debian-172-17-0-70 6.12.74+deb13+1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.74-2 (2026-03-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 24 19:59:16 2026 from 172.16.0.70
administrador@debian-172-17-0-70:~$ su -
Senha:
debian-172-17-0-70:~# journalctl -f
mar 24 20:02:03 debian-172-17-0-70 systemd[1145]: Listening on ssh-agent.socket - OpenSSH Agent socket.
mar 24 20:02:03 debian-172-17-0-70 systemd[1145]: Reached target sockets.target - Sockets.
mar 24 20:02:03 debian-172-17-0-70 systemd[1145]: Reached target basic.target - Basic System.
mar 24 20:02:03 debian-172-17-0-70 systemd[1145]: Reached target default.target - Main User Target.
mar 24 20:02:03 debian-172-17-0-70 systemd[1145]: Startup finished in 253ms.
mar 24 20:02:03 debian-172-17-0-70 systemd[1]: Started user@1000.service - User Manager for UID 1000.
mar 24 20:02:03 debian-172-17-0-70 systemd[1]: Started session-6.scope - Session 6 of User administrador.
mar 24 20:02:07 debian-172-17-0-70 sshd[754]: Timeout before authentication for connection from 172.16.0.70 to 172.17.0.70, pid = 1106
mar 24 20:02:09 debian-172-17-0-70 su[1176]: (to root) administrador on pts/0
mar 24 20:02:09 debian-172-17-0-70 su[1176]: pam_unix(su-l:session): session opened for user root(uid=0) by administrador(uid=1000)
^C

Attached some screenshots regarding Firewall Rules.


#7
General Discussion / Re: Help with a complex scenar...
Last post by nero355 - March 24, 2026, 11:34:48 PM
Quote from: gilberto.ferreira41 on March 24, 2026, 08:36:24 PM
But now, here the problem:

From OPNSense, I can do ssh to Debian-A, 172.16.0.70. GW 172.16.0.254 (OPN)
From OPNSense, I can do ssh to Debian-B, 172.17.0.70. GW 172.17.0.254 (OPN)

But, once inside Debian-A, I can reach Debian-B, and vice-versa.

I already tried to allow everything from LAN (172.16.0) to LAN100 (172.17.0) and vice-versa.
So the ssh works 2 or 3 times, and then is blocked.

I can't do ssh to 172.17.0.70, but I can ping it, both GW and the IP 172.17.0.70.

I think you have made a mistake with your Firewall Rules, so it would be a good idea to let us know what they look like.

What I would like to know :
When you leave a working SSH session open/IDLE : Does it ever time-out or simply freeze ?!
#8
26.1 Series / Re: [SOLVED] dnat not register...
Last post by OPNenthu - March 24, 2026, 11:20:17 PM
If you used the "Register rule" option then it creates an associated system-generated F/W rule.  There's a separate category for those that you can only see if you enable the "Inspect" mode in Firewall->Rules [new].  The category is labeled as "Automatically generated rules."

There are actually two such buckets, one at the start of the ruleset and one at the end: https://docs.opnsense.org/manual/firewall.html#processing-order

The DNAT F/W rule goes in the second one (at the end of ruleset).

Example screenshot from a test VM attached.



#9
26.1 Series / What validation is recommended...
Last post by kwo1 - March 24, 2026, 11:20:01 PM
Hi,

I apologize if this has been asked already.  I did a search and didn't find anything that answered my question.

I'm testing the new 26.1.2 release.  As part of the rule migration assistant, the last step is to perform the "Remove all legacy rules" action.

I've imported the rules and compared what's listed under "Rules" vs "Rules [New]" and I don't see anything missing/different.  Beyond that, what other validation checks should I perform before I proceed with the last step of removing legacy rules?  

I assume "Remove all legacy rules" will clear out any rules seen under Firewall > Rules.

Thanks
#10
25.7, 25.10 Series / Re: Router not having WAN acce...
Last post by nero355 - March 24, 2026, 11:15:41 PM
Quote from: justjake on March 24, 2026, 09:02:22 PM
On windows?
Yes, but it seems we got some kind of misunderstanding here ?!

Quote
The whole Opnsense network has no WAN access.
OK, but how far does a "traceroute" go for example ?

Two things I can think of :
- Your ISP's Router uses 192.168.1.0/24 just like OPNsense does on the Default LAN.
This will cause a conflict and you will have no Internet access at all.
- You changed something to the Default OPNsense LAN or are using an additional self created LAN/VLAN and have no Default Allow Any/Any Firewall Rule(s) which will make sure there is Internet access for all the Clients on that network.