Recent posts

#1
General Discussion / Re: Unifi VLANs with new OPNse...
Last post by Yosh1 - Today at 02:26:29 AM
Ok, thanks for the tips. I tore down the whole system and rebuilt it - it's better, but it's not working yet.

Now, I can connect to the Unifi APs, and am given a valid IP address from DHCP... but no internet access. I am given the firewall IP (192.168.1.1) for the DNS, which is correct since I'm using Unbound. Again, using the other NIC port setup on my OPNsense box as "DEBUG" with a different IP range works and has internet access.

Everything looks much better in my Unifi Network now (Dream Machine Pro) - none of the devices are dropping in/out and all switches and APs are identified - though I set them to use unique static IPs as they kept falling back to the 192.168.1.20 default which was causing chaos. They didn't appear to get their static ARP addresses from the DHCP server in OPNsense.

I believe that it must still be something with the tagging/trunking on my Unifi chain, if you could take a look - I made a picture to make it easier to follow, this is what I have now:

#2
Hi All,

We currently have 60+ tunnels in our existing VPN software, which we want to migrate to OPNsense.

1) What is the maximum number of VTIs OPNsense can handle without performance issues in the UI?
2) Is there a way to arrange the interfaces in groups so they do not appear as a long list in the UI?
3) How does the search option at the top right perform if I search for an interface when the count is 100+?
#3
26.1 Series / Re: Destination NAT port range...
Last post by shagnome - Today at 12:35:29 AM
Thanks. Changing to a dash worked.
#4
German - Deutsch / Re: Business OPNWAF - Fragen /...
Last post by sim_on - March 02, 2026, 11:32:29 PM
Thanks for the quick reply!

I have now solved point 2) simply as follows:

Create the certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /usr/local/etc/ssl/catch-all.key \
    -out /usr/local/etc/ssl/catch-all.crt \
    -subj "/CN=catch-all.invalid"

Create 000-default.conf under "/usr/local/etc/apache24/Includes":
# Default VirtualHost
SSLStrictSNIVHostCheck On

<VirtualHost *:80>
    ServerName catch-all.invalid
    <Location />
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName catch-all.invalid
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/ssl/catch-all.crt"
    SSLCertificateKeyFile "/usr/local/etc/ssl/catch-all.key"
    <Location />
        Require all denied
    </Location>
</VirtualHost>
#5
German - Deutsch / Re: OpenVPN: User oder Group -...
Last post by sashak - March 02, 2026, 11:12:44 PM
Quote from: stefanpf on March 02, 2026, 06:28:25 PM
I have never tried it

I tried it and it does what I need. Thank you very much!
#6
Tutorials and FAQs / Re: How to enable automatic mi...
Last post by Flynn84 - March 02, 2026, 11:01:33 PM
For anyone not being able to display the microcode level after using

x86info -a | grep -i micro
and getting

/dev/cpuctl0: No such file or directory
/dev/cpuctl0: No such file or directory

Enter the following:

kldload cpuctl
The microcode level should now display successfully.

If you want to make this persistent add

cpuctl_load="YES"
to /boot/loader.conf
#7
26.1 Series / Re: Destination NAT port range...
Last post by falken - March 02, 2026, 10:26:54 PM
Port range needs to be specified with "-" and not ":" so you would use 4500-65535
#8
26.1 Series / Re: Upgrade Failed, signature ...
Last post by LineF - March 02, 2026, 09:14:23 PM
Quote from: LineF on March 02, 2026, 05:56:33 PM
For me the same. No LTE connection but standard DSL connection. signature invalid

Problem solved - the mirror probably has incomplete files. Changing the mirror to "default" solved the problem. All files were downloaded without problems.
#9
German - Deutsch / Re: Captive Portal: Diverse Fr...
Last post by viragomann - March 02, 2026, 08:59:55 PM
Quote from: TheExpert on March 02, 2026, 06:17:26 PM
You probably mean the Captive Portal and not the CARP service, right?
Yes, sorry.

Quote from: TheExpert on March 02, 2026, 06:17:26 PM
If you open the Captive Portal URL as http://<CARP-IP-Adresse>:8000/, you get a timeout. If you open http://<IP-Adresse des HA-Knotens>:8000/, the Captive Portal appears.
Actually, none of that should work. Port 8000 is intended for https. With http the request should fail.

But if that is a typo, or the browser silently switched to https on its own, it would mean the web page is only bound to the interface address.

I still don't understand why it has to be the CARP IP, though. You could just as well put the backup node's IP into the URL and the page should open as well.
As written above, when the CP is synchronized, the login page should also be available on the backup at its interface IP.
So when that node is master, it simply redirects to its own interface IP. The client shouldn't care.

But if you still want it on the CARP VIP, then just forward the requests to the interface address.
So create a destination NAT rule on the respective interface with the CARP VIP as destination and port 8000 (for zone 0), and as redirect target the interface address (the predefined variable, so the rule also works on the backup) and port 8000.
That is for https. For http another rule with destination port 9000 would be needed.
#10
26.1 Series / Re: list_hosts.py -n (python3....
Last post by qballcow - March 02, 2026, 06:33:30 PM
I had the same thing, and tons and tons of I/O during it.
Turned out my hosts.db-wal was very large.
On every run it would read for tens of seconds and re-create hosts.db-shm, which each time grew to hundreds of MB.

-rw-r--r--  1 hostd hostd  4.0M Mar  2 17:14 hosts.db
-rw-r--r--  1 hostd hostd  197M Mar  2 17:13 hosts.db-shm
-rw-r--r--  1 hostd hostd   99G Mar  2 17:14 hosts.db-wal

After executing a checkpoint with truncate and vacuuming, it now runs pretty normally again; still keeping an eye on it.
(Not sure if that was a safe action to do, but current state was not sustainable).
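The following is an added example, not code from qballcow's post or from OPNsense, that reproduces the situation described above in a scratch SQLite database: a WAL file that keeps growing because it is never checkpointed, a reader holding an open transaction (which is what stops a TRUNCATE checkpoint from resetting the file), and then the recovery steps the post names, a checkpoint with TRUNCATE followed by VACUUM. The table layout and file name are constructed for the demo and do not mirror OPNsense's real hosts.db; only the Python standard library is used.

```python
"""Added example (not from the forum post): grow a SQLite WAL file that is
never checkpointed, show why an open reader blocks a TRUNCATE checkpoint,
then shrink the WAL with PRAGMA wal_checkpoint(TRUNCATE) and VACUUM.
Table layout and file name are constructed and do not mirror OPNsense."""
import os
import shutil
import sqlite3
import tempfile


def wal_size(db_path):
    """Size in bytes of the -wal sidecar file, or 0 if it does not exist."""
    wal = db_path + "-wal"
    return os.path.getsize(wal) if os.path.exists(wal) else 0


def checkpoint_truncate(conn):
    """Run PRAGMA wal_checkpoint(TRUNCATE).
    Returns (busy, log_frames, checkpointed_frames); busy == 1 means a
    reader or writer prevented SQLite from resetting the WAL file."""
    return conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()


def demo(rows=2000):
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "hosts.db")  # constructed name, not OPNsense's file
    result = {}
    try:
        # timeout=0: no busy handler, so a blocked checkpoint reports busy
        # immediately instead of sleeping for the default 5 seconds.
        writer = sqlite3.connect(db_path, timeout=0)
        if writer.execute("PRAGMA journal_mode=WAL").fetchone()[0] != "wal":
            raise RuntimeError("WAL mode could not be enabled")
        # Simulate the failure mode: automatic checkpoints never happen
        # (in practice, a long-lived reader keeps them from completing).
        writer.execute("PRAGMA wal_autocheckpoint=0")
        writer.execute("PRAGMA synchronous=NORMAL")
        writer.execute("CREATE TABLE hosts (id INTEGER PRIMARY KEY, name TEXT, addr TEXT)")
        for i in range(rows):
            writer.execute("INSERT INTO hosts (name, addr) VALUES (?, ?)",
                           (f"host{i}", f"10.0.{i // 256}.{i % 256}"))
            if i % 100 == 99:
                writer.commit()  # every commit appends frames to hosts.db-wal
        writer.commit()
        result["rows"] = writer.execute("SELECT count(*) FROM hosts").fetchone()[0]
        result["wal_after_writes"] = wal_size(db_path)

        # A second connection holding an open read transaction: while it is
        # open, the TRUNCATE checkpoint cannot reset the WAL file.
        reader = sqlite3.connect(db_path, timeout=0)
        reader.execute("BEGIN")
        reader.execute("SELECT count(*) FROM hosts").fetchone()
        result["busy_with_reader"] = checkpoint_truncate(writer)[0]
        result["wal_with_reader"] = wal_size(db_path)
        reader.rollback()
        reader.close()

        # With no readers the checkpoint completes and the WAL is truncated to 0 bytes.
        result["busy_without_reader"] = checkpoint_truncate(writer)[0]
        result["wal_after_truncate"] = wal_size(db_path)

        # VACUUM rebuilds the main file; in WAL mode it writes through the WAL
        # again, so checkpoint once more to leave an empty WAL behind.
        writer.execute("VACUUM")
        checkpoint_truncate(writer)
        result["wal_after_vacuum"] = wal_size(db_path)
        result["db_size"] = os.path.getsize(db_path)
        writer.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the WAL size after the writes, the same non-zero size plus busy=1 while the reader transaction is open, and 0 bytes after the reader is gone and the TRUNCATE checkpoint has run. The practical lesson for a case like hosts.db-wal is that the checkpoint itself is safe (it only moves already-committed pages into the main file), but it can only shrink the file once nothing is holding a read transaction open.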